Juniper Networks J-Series Family of Service Routers
running JUNOS 7.3R2.14 Security Target
Version 1.0
April 3, 2006
Prepared for:
Juniper Networks
1194 North Mathilda Avenue
Sunnyvale, California 94089 USA
Prepared By:
Science Applications International Corporation
Common Criteria Testing Laboratory
7125 Columbia Gateway Drive, Suite 300
Columbia, MD 21046
Security Target Version 1.0
1. SECURITY TARGET INTRODUCTION...........................................................................................................1
1.1 SECURITY TARGET, TOE AND CC IDENTIFICATION .......................................................................................1
1.2 CONFORMANCE CLAIMS.................................................................................................................................1
1.3 STRENGTH OF ENVIRONMENT.........................................................................................................................2
1.4 CONVENTIONS, TERMINOLOGY, ACRONYMS..................................................................................................2
1.4.1 Conventions ...........................................................................................................................................2
1.4.2 Acronyms ...............................................................................................................................................2
2. TOE DESCRIPTION..........................................................................................................................................3
2.1 PRODUCT TYPE...............................................................................................................................................3
2.2 PRODUCT DESCRIPTION..................................................................................................................................3
2.3 PRODUCT FEATURES.......................................................................................................................................4
2.4 SECURITY ENVIRONMENT TOE BOUNDARY...................................................................................................4
2.4.1 Physical Boundaries ..............................................................................................................................5
2.4.2 Logical Boundaries................................................................................................................................5
3. SECURITY ENVIRONMENT...........................................................................................................................6
3.1 THREATS TO SECURITY...................................................................................................................................6
3.1.1 TOE Threats...........................................................................................................................................6
3.2 ORGANIZATION SECURITY POLICIES ..............................................................................................................6
3.3 SECURE USAGE ASSUMPTIONS .......................................................................................................................6
3.3.1 Physical Assumptions ............................................................................................................................6
3.3.2 Personnel Assumptions..........................................................................................................................6
3.3.3 IT Environment Assumptions.................................................................................................................7
4. SECURITY OBJECTIVES ................................................................................................................................7
4.1 IT SECURITY OBJECTIVES FOR THE TOE........................................................................................................7
4.2 IT SECURITY OBJECTIVES FOR THE ENVIRONMENT........................................................................................7
4.3 NON-IT SECURITY OBJECTIVES FOR THE ENVIRONMENT ...............................................................................7
5. IT SECURITY REQUIREMENTS....................................................................................................................7
5.1 TOE SECURITY FUNCTIONAL REQUIREMENTS ...............................................................................................7
5.1.1 User data protection (FDP)...................................................................................................................8
5.1.2 Identification and authentication (FIA).................................................................................................9
5.1.3 Security management (FMT) ...............................................................................................................10
5.1.4 Protection of the TOE security functions (FPT) ..................................................................................11
5.2 IT ENVIRONMENT SECURITY FUNCTIONAL REQUIREMENTS ........................................................................11
5.2.1 Identification and authentication (FIA)...............................................................................................11
5.3 TOE SECURITY ASSURANCE REQUIREMENTS ..............................................................................................11
5.3.1 Configuration Management (ACM).....................................................................................................12
5.3.2 Delivery and Operation (ADO) ...........................................................................................................13
5.3.3 Development (ADV).............................................................................................................................14
5.3.4 Guidance Documents (AGD)...............................................................................................................15
5.3.5 Security Testing (ATE).........................................................................................................................17
6. TOE SUMMARY SPECIFICATION..............................................................................................................21
6.1 TOE SECURITY FUNCTIONS .........................................................................................................................21
6.1.1 User Data Protection...........................................................................................................................21
6.1.2 Identification and Authentication ........................................................................................................21
6.1.3 Security Management ..........................................................................................................................22
6.1.4 Protection of Security Functions .........................................................................................................22
6.2 TOE SECURITY ASSURANCE MEASURES......................................................................................................22
6.2.1 Process Assurance...............................................................................................................................23
© 2003 Juniper Inc.
All Rights Reserved.
ii
Security Target Version 1.0
6.2.2 Delivery and Guidance........................................................................................................................23
6.2.3 Development ........................................................................................................................................23
6.2.4 Tests.....................................................................................................................................................24
6.2.5 Vulnerability Assessment.....................................................................................................................24
7. PROTECTION PROFILE CLAIMS...............................................................................................................25
8. RATIONALE.....................................................................................................................................................26
8.1 SECURITY OBJECTIVES RATIONALE..............................................................................................................26
8.1.1 Security Objectives Rationale for the TOE and Environment..............................................................26
8.2 SECURITY REQUIREMENTS RATIONALE........................................................................................................28
8.2.1 Security Functional Requirements Rationale ......................................................................................28
8.3 SECURITY ASSURANCE REQUIREMENTS RATIONALE....................................................................................29
8.4 REQUIREMENT DEPENDENCY RATIONALE....................................................................................................29
8.5 EXPLICITLY STATED REQUIREMENTS RATIONALE........................................................................................30
8.6 STRENGTH OF FUNCTION RATIONALE ..........................................................................................................30
8.7 TOE SUMMARY SPECIFICATION RATIONALE ...............................................................................................30
8.8 PP CLAIMS RATIONALE................................................................................................................................31
LIST OF TABLES
Table 1 Security Functional Components..................................................................................................................8
Table 2 EAL2 Assurance Components....................................................................................................................12
Table 3 Environment to Objective Correspondence ..............................................................................................26
Table 4 Objective to Requirement Correspondence...............................................................................................28
Table 5 Requirement Dependency Rationales ........................................................................................................30
Table 6 Security Functions vs. Requirements Mapping.........................................................................................31
© 2003 Juniper Inc.
All Rights Reserved.
iii
Security Target Version 1.0
1. Security Target Introduction
This section identifies the Security Target and Target of Evaluation (TOE) identification, ST conventions, ST
conformance claims, and the ST organization. Juniper Networks provides the TOE, which is the Juniper Networks
J-Series Family of Service Routers running JUNOS 7.3R2.14. The Security Target contains the following additional
sections:
• TOE Description (Section 2)
• Security Environment (Section 3)
• Security Objectives (Section 4)
• IT Security Requirements (Section 5)
• TOE Summary Specification (Section 6)
• Protection Profile Claims (Section 7)
• Rationale (Section 8)
1.1 Security Target, TOE and CC Identification
ST Title – Juniper Networks J-Series Family of Service Routers running JUNOS 7.3R2.14 Security Target
ST Version – Version 1.0
ST Date – April 3, 2006
TOE Identification – All Juniper Networks J-Series Family of Service Routers running JUNOS 7.3R2.14
• Model numbers J2300, J4300, J6300
CC Identification – Common Criteria for Information Technology Security Evaluation, Version 2.2, Revision 256,
January 2004
1.2 Conformance Claims
This TOE is conformant to the following CC specifications:
• Common Criteria for Information Technology Security Evaluation Part 2: Security Functional
Requirements, Version 2.2, Revision 256, January 2004.
• Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance
Requirements, Version 2.2, Revision 256, January 2004.
• Part 3 Conformant
• Evaluation Assurance Level 2 (EAL2)
© 2003 Juniper Inc.
All Rights Reserved.
1
Security Target Version 1.0
1.3 Strength of Environment
The Juniper Networks J-Series Family of Service Routers provides routing solutions for connected networks. In
order to successfully maintain control over the routing configuration in a volatile network environment, the Juniper
Networks J-Series Family of Service Routers must be protected from physical attacks. Access, therefore, is
restricted to authorized users. Additionally, it is required that the Juniper Networks J-Series Family of Service
Routers remain physically connected to the networks on which they route.
To ensure that the design of the IT networks is acknowledged and that the risks to the target environment are
adequately addressed, the assurance requirements for EAL2, and the minimum strength of function, SOF-Basic,
were chosen.
1.4 Conventions, Terminology, Acronyms
This section specifies the formatting information used in the Security Target.
1.4.1 Conventions
The following conventions have been applied in this document:
• Security Functional Requirements – Part 2 of the CC defines the approved set of operations that may be
applied to functional requirements: iteration, assignment, selection, and refinement.
o Iteration: allows a component to be used more than once with varying operations. In the ST,
iteration is indicated by a letter placed at the end of the component. For example FDP_ACC.1a
and FDP_ACC.1b indicate that the ST includes two iterations of the FDP_ACC.1 requirement, a
and b.
o Assignment: allows the specification of an identified parameter. Assignments are indicated using
bold and are surrounded by brackets (e.g., [assignment]).
o Selection: allows the specification of one or more elements from a list. Selections are indicated
using bold italics and are surrounded by brackets (e.g., [selection]).
o Refinement: allows the addition of details. Refinements are indicated using bold, for additions,
and strike-through, for deletions (e.g., “… all objects …” or “… some big things …”).
• Other sections of the ST – Other sections of the ST use bolding to highlight text of special interest, such as
captions.
1.4.2 Acronyms
The acronyms used within this Security Target:
ACM Access Control Management
AGD Administrator Guidance Document
BGP Border Gateway Protocol
CC Common Criteria
CD-ROM Compact Disk Read Only Memory
CLI Command Line Interface
CM Control Management
DAC Discretionary Access Control
DO Delivery Operation
© 2003 Juniper Inc.
All Rights Reserved.
2
Security Target Version 1.0
EAL Evaluation Assurance Level
FIPS Federal Information Processing Standards Publication
GB Gigabyte
I/O Input/Output
MPLS Multiprotocol Label Switching
NIST National Institute of Standards and Technology
OSPF Open Shortest Path First
PIM Pluggable Interface Module
PP Protection Profile
RADIUS Remote Authentication Dial In User Service
RIP Routing Information Protocol
SF Security Functions
SFR Security Functional Requirements
ST Security Target
TACACS+ Terminal Access Controller Access Control System Plus
TOE Target of Evaluation
TSF TOE Security Functions
TSP TOE Security Policy
TSC TSF Scope of Control
2. TOE Description
The TOE is all Juniper Networks J-Series Family of Service Routers running JUNOS 7.3R2.14, hereafter called
JNR. The products are designed by Juniper Networks, located at 1194 North Mathilda Avenue, Sunnyvale,
California 94089.
2.1 Product Type
The TOE is a services router providing a wide variety of services to the user. JNRs route IP traffic over any type of
network, with increasing scalability of the traffic volume with each router model. All packets on the monitored
network are scanned and then compared against a set of rules to determine where the traffic should be routed, and
then passes it to the appropriate destination.
2.2 Product Description
The TOE platforms are designed to be efficient and effective IP router solutions. The TOE comprises of two
separate functions: the Routing Function and Packet forwarding Function that make up the router platform itself.
PIMs are the physical network interfaces that allow the TOE to be customized to the intended environment and they
are part of the Packet Forwarding Engine. The J4300 and J6300 models use a common set of PIMs whereas the
physical network interface modules are in-built, part of the J2300 model of routers..
© 2003 Juniper Inc.
All Rights Reserved.
3
Security Target Version 1.0
Intel x86 based Central Processor Complex
Routing Component Forwarding Component
(includes route daemon) (Includes Forwarding
daemon and fixed Network
Interfaces and/or PIMs)
J Series Router
The TOE platforms are designed as hardware devices, which perform all routing functions internally to the device.
All TOE platforms are powered by JUNOS software, which provides both management functions as well as all IP
routing functions.
The TOE supports numerous routing standards, allowing it to be flexible as well as scalable. These functions can all
be managed through the JUNOS software, either from a connected terminal console or via a network connection.
Network management can be secured using ssl, SNMP v3, and ssh protocols. All management, whether from an
administrator connecting to a terminal or from the network, requires successful authentication.
2.3 Product Features
The TOE implements the following features:
Modularity - JUNOS software employs a modular software design, providing resilience and ensuring that new
capabilities such as IPv6, and new PIMs, can be easily integrated
Routing expertise - Juniper Networks IP routing expertise delivers a full complement of routing protocols
Standards-based - adherence to industry standards for routing, MPLS, and availability mechanisms such as
Protocol Graceful Restart translates to improved stability and reduced operational complexity for customers
Security - JUNOS software adds intelligent packet processing to offer customers a potent IP security toolkit
Service richness - JUNOS IP services portfolio enables customers to deliver assured experiences to end users of any
profile
Policy and control - Juniper Networks Command Line Interface (CLI) allows customer to invoke and control these
JUNOS capabilities; in addition, Juniper Networks JUNOScript XML interface simplifies and accelerates OSS
integration
Scalability – the ability of the TOE to scale to the highest levels of throughput to handle backbone level traffic
Flexibility – the ability of the TOE to handle multiple types of network interfaces, from T1 to OC-192 through the
PIM interface
2.4 Security Environment TOE Boundary
The TOE includes both physical and logical boundaries.
© 2003 Juniper Inc.
All Rights Reserved.
4
Security Target Version 1.0
2.4.1 Physical Boundaries
The TOE physical boundary is the router itself (including any installed PIMs as in the case of the J4300 and J6300).
The TOE is completely self-contained, housing the software and hardware necessary to perform all router functions.
The hardware has two components: the router itself and the PIMs that have been placed into the router. The various
PIMs that have been placed into the router allow it to communicate with the different types of networks that may be
required within the environment where the router will be used.
The interfaces to the TOE are twofold: the network interface, as enumerated through the PIMs, and the
administrative interface, enumerated through the administrative network connection as well as the terminal console.
The PIMs are used for all the routing functions, connecting the TOE to all the environments networks. The
administrative network and the terminal console are used solely for the administration of the router.
2.4.2 Logical Boundaries
The logical boundaries of the TOE include the functions of the TOE interfaces. These functions include User Data
Proteection for network information flows, Identification and Authentication for the administrative functions, the
management of the security configurations and the self-protection of the TOE itself.
2.4.2.1 User Data Protection
The TOE is designed to forward network packets (i.e., information flows) from source network entities to
destination network entities based on available routing information. This information is either provided directly by
TOE administrators or indirectly from other network entities (outside the TOE) configured by the TOE
administrators.
2.4.2.2 Identification and Authentication
The TOE requires users to provide unique identification and authentication data before any administrative access to
the system is granted. The TOE provides the ability to define levels of authority for users, providing administrative
flexibility. Full administrators have the ability to define groups and their authority and they have complete control
over the TOE.
The TOE also requires that applications exchanging information with the TOE successfully authenticate prior to any
exchange. This covers all services used to exchange information, including telnet, ssh, ssl, and ftp.
Authentication services can be handled either internally (fixed passwords) or through an authentication server in the
IT environment, such as a RADIUS or TACACS+ server (the external authentication server is considered outside
the scope of the TOE). Public Key Authentication such as RSA can be used for the validation of the user credentials,
but the user identity and privileges are still handled internally.
2.4.2.3 Security Management
The TOE is managed through a Command Line Interface (CLI), or optionally using XML (Junoscript) or HTTPS (J-
Web) interfaces which provide equivalent management functionality. Through these interfaces all management can
be performed, including user management and the configuration of the router functions. The CLI interface is
accessible through ssh and telnet sessions, as well as a local terminal console.
2.4.2.4 Protection of Security Functions
The TOE provides protection mechanisms for its security functions. One of the protection mechanisms is that users
must authenticate before any administrative operations can be performed on the system, whether those functions are
related to the management of user accounts or the configuration of routes. Another protection mechanism is that all
functions of the TOE are confined to the device itself. The TOE is completely self-contained, and are therefore
maintains its own execution domain.
© 2003 Juniper Inc.
All Rights Reserved.
5
Security Target Version 1.0
3. Security Environment
The TOE security environment describes the security aspects of the intended environment in which the TOE is to be
used and the manner in which it is expected to be employed.
The statement of TOE security environment defines the following:
• Threats that the product is designed to counter
• Assumptions made on the operational environment and the method of use intended for the product,
• Organizational security policies with which the product is designed to comply.
3.1 Threats to Security
The following are threats identified for the TOE. The TOE itself has threats and the TOE is also responsible for
addressing threats to the environment in which it resides.
3.1.1 TOE Threats
T.PRIVIL An unauthorized user may gain access to the TOE and exploit system privileges to gain
access to TOE security functions and data, inappropriately changing the configuration
data for TOE security functions.
T.OPS An unauthorized process or application may gain access to the TOE security functions
and data, inappropriately changing the configuration data for the TOE security functions.
3.2 Organization Security Policies
The following policies apply to the TOE and the intended environment of the TOE.
P.FLOW The TOE shall ensure that information flows from source to destination according to
available routing information.
P.MANAGE The TOE shall provide effective management functions that can only be utilized by
authorized users.
P.PROTECT The TOE shall be protected from unauthorized accesses and disruptions of TOE data
and functions.
3.3 Secure Usage Assumptions
The following usage assumptions are made about the intended environment of the TOE.
3.3.1 Physical Assumptions
A.LOCATE The processing resources of the TOE will be located within controlled access facilities,
which will prevent unauthorized physical access.
3.3.2 Personnel Assumptions
A.NOEVIL The authorized administrators are competent, not careless, willfully negligent, or hostile,
and will follow and abide by the instructions provided by the TOE documentation.
© 2003 Juniper Inc.
All Rights Reserved.
6
Security Target Version 1.0
3.3.3 IT Environment Assumptions
A.EAUTH External authentication services will be available via either RADIUS, TACACS+, or both.
4. Security Objectives
This section defines the security objectives of the TOE and its supporting environment. Security objectives,
categorized as either IT security objectives or non-IT security objectives, reflect the stated intent to counter
identified threats and/or comply with any organizational security policies identified. All of the identified threats and
organizational policies are addressed under one of the categories below.
4.1 IT Security Objectives for the TOE
The following security objectives are intended to be satisfied by the TOE.
O.FLOW The TOE must use available routing information to forward network packets to the
appropriate destination.
O.PROTECT The TOE must protect itself from unauthorized modifications and access to its functions
and data.
O.EADMIN The TOE must provide services that allow effective management of its functions and
data.
O.ACCESS The TOE must only allow authorized users and processes (applications) to access
protected TOE functions and data.
4.2 IT Security Objectives for the Environment
The following security objectives for the IT environment of the TOE must be satisfied in order for the TOE to fulfill
its own security objectives.
OE.EAUTH A RADIUS server, a TACACS+ server, or both must be available for external
authentication services.
4.3 Non-IT Security Objectives for the Environment
O.PHYCAL Those responsible for the TOE must ensure that those parts of the TOE critical to
security policy are protected from any physical attack.
O.MANAGE Authorized administrators are non-hostile and follow all administrator guidance.
5. IT Security Requirements
This section provides a list of all security functional requirements for the TOE.
5.1 TOE Security Functional Requirements
This section specifies the security functional requirements (SFRs) for the TOE. This section organizes the SFRs by
CC class. Table 1 identifies all SFRs implemented by the TOE and indicates the ST operations performed on each
requirement.
Security Functional Class Security Functional Components
© 2003 Juniper Inc.
All Rights Reserved.
7
Security Target Version 1.0
Security Functional Class Security Functional Components
Subset information flow control (FDP_IFC.1)
User data protection (FDP)
Simple security attributes (FDP_IFF.1)
User attribute definition (FIA_ATD.1)
Timing of authentication (FIA_UAU.1)
Identification and authentication (FIA)
Timing of identification (FIA_UID.1)
Static attribute initialization (FMT_MSA.3)
Management of TSF data (Router Information)
(FMT_MTD.1a)
Management of TSF data (User Data) (FMT_MTD.1b)
Specification of Management Functions (FMT_SMF.1)
Security management (FMT)
Security roles (FMT_SMR.1)
Protection of the TSF (FPT) TSF domain separation (FPT_SEP.1)
Table 1 Security Functional Components
5.1.1 User data protection (FDP)
5.1.1.1 Subset information flow control (FDP_IFC.1)
5.1.1.1.1 FDP_IFC.1.1
The TSF shall enforce the [UNAUTHENTICATED SFP] on
a.) [subjects:
• unauthenticated external IT entities that send and receive information through the
TOE to one another;
b.) information:
• network traffic sent through the TOE from one subject to another
c.) operation:
• pass information].
5.1.1.2 Security attribute based access control (FDP_IFF.1)
5.1.1.2.1 FDP_IFF.1.1
The TSF shall enforce the [UNAUTHENTICATED SFP] based on the following types of subject and information
security attributes:
a.) subject security attributes:
• presumed address
b.) information security attributes:
• presumed address of source subject
• presumed address of destination subject
• transport layer protocol
• TOE interface on which traffic arrives and departs
• service] (per International Interpretation #104)
© 2003 Juniper Inc.
All Rights Reserved.
8
Security Target Version 1.0
5.1.1.2.2 FDP_IFF.1.2
The TSF shall permit an information flow between a controlled subject and controlled information via a controlled
operation if the following rules hold:
a.) [subjects on an internal network can cause information to flow through the TOE to
another connected network if:
• all the information security attribute values are unambiguously permitted by the
information flow security policy rules, where such rules may be composed from all
possible combinations of the values of the information flow security attributes,
created by the authorized administrator
• the presumed address of the source subject, in the information, translates to an
internal network address
• and the presumed address of the destination subject, in the information, translates
to an address on the other connected network
b.) Subjects on the external network can cause information to flow through the TOE to
another connected network if:
• all the information security attribute values are unambiguously permitted by the
information flow security policy rules, where such rules may be composed from all
possible combinations of the values of the information flow security attributes,
created by the authorized administrator
• the presumed address of the source subject, in the information, translates to an
external network address
• and the presumed address of the destination subject, in the information, translates
to an address on the other connected network.]
5.1.1.2.3 FDP_IFF.1.3
The TSF shall enforce the [no additional UNAUTHENTICATED SFP rules].
5.1.1.2.4 FDP_IFF.1.4
The TSF shall provide the following [no additional UNAUTHENTICATED SFP capabilities].
5.1.1.2.5 FDP_IFF.1.5
The TSF shall explicitly authorise an information flow based on the following rules: [no additional rules that
explicitly authorise information flows].
5.1.1.2.6 FDP_IFF.1.6
The TSF shall explicitly deny an information flow based on the following rules: [no additional rules that explicitly
deny information flows].
5.1.2 Identification and authentication (FIA)
5.1.2.1 Timing of authentication (FIA_UAU.1)
5.1.2.1.1 FIA_UAU.1.1
The TSF shall allow [no administrative actions] on behalf of the user to be performed before the user is
authenticated.
5.1.2.1.2 FIA_UAU.1.2
The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on
behalf of that user.
© 2003 Juniper Inc.
All Rights Reserved.
9
Security Target Version 1.0
5.1.2.2 User attribute definition (FIA_ATD.1)
5.1.2.2.1 FIA_ATD.1.1
The TSF shall maintain the following list of security attributes belonging to individual users: [
a) User identity;
b) Authentication data;
c) Privileges].
5.1.2.3 Timing of identification (FIA_UID.1)
5.1.2.3.1 FIA_UID.1.1
The TSF shall allow [no administrative actions] on behalf of the user to be performed before the user is identified.
5.1.2.3.2 FIA_UID.1.2
The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on
behalf of that user.
5.1.3 Security management (FMT)
5.1.3.1 Static attribute initialization (FMT_MSA.3)
5.1.3.1.1 FMT_MSA.3.1
The TSF shall enforce the [UNAUTHENTICATED SFP] to provide [permissive] default values for security
attributes that are used to enforce the SFP.
5.1.3.1.2 FMT_MSA.3.2
The TSF shall allow the [Authorized Administrators] to specify alternative initial values to override the default
values when an object or information is created.
5.1.3.2 Management of TSF data (Router Information) (FMT_MTD.1a)
5.1.3.2.1 FMT_MTD.1a
The TSF shall restrict the ability to [modify router information] to [Authorized Administrators].
5.1.3.3 Management of TSF data (User Data) (FMT_MTD.1b)
5.1.3.3.1 FMT_MTD.1b
The TSF shall restrict the ability to [modify user account data] to [Authorized Administrators].
5.1.3.4 Specification of Management Functions (FMT_SMF.1)1
5.1.3.4.1 FMT_SMF.1.1
The TSF shall be capable of performing the following security management functions:[modify router information
and modify user account data].
1
This requirement has been added to comply with International Interpretation #65
© 2003 Juniper Inc.
All Rights Reserved.
10
Security Target Version 1.0
5.1.3.5 Security roles (FMT_SMR.1)
5.1.3.5.1 FMT_SMR.1.1
The TSF shall maintain the roles [Authorized Administrator].
5.1.3.5.2 FMT_SMR.1.2
The TSF shall be able to associate users with roles.
5.1.4 Protection of the TOE security functions (FPT)
5.1.4.1 TSF domain separation (FPT_SEP.1)
5.1.4.1.1 FPT_SEP.1.1
The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by
untrusted subjects.
5.1.4.1.2 FPT_SEP.1.2
The TSF shall enforce separation between the security domains of subjects in the TSC.
5.2 IT Environment Security Functional Requirements
This section specifies the security functional requirements (SFRs) for the IT Environment. This section organizes
the SFRs by CC class. Table 2 identifies all SFRs implemented by the IT Environment and indicates the ST
operations performed on each requirement.
Security Functional Class Security Functional Components
Identification and authentication (FIA) Multiple authentication mechanisms (FIA_UAU.5)
Table 2 EAL2 Assurance Components
5.2.1 Identification and authentication (FIA)
5.2.1.1 Multiple authentication mechanisms (FIA_UAU.5)
5.2.1.1.1 FIA_UAU.5.1
The TSF shall provide [internal fixed password mechanism and external server (RADIUS or TACACS+)
mechanism] to support user authentication.
5.2.1.1.2 FIA_UAU.5.2
The TSF shall authenticate any user’s claimed identity according to the [authentication mechanism specified by
an authorized administrator].
5.3 TOE Security Assurance Requirements
The security assurance requirements for the TOE are the Evaluation Assurance Level (EAL) 2 components as
specified in Part 3 of the Common Criteria. The minimum strength of function for mechanisms used within the TOE
is SOF-Basic. No operations are applied to the assurance components.
Assurance Class Assurance Components
Configuration Management (ACM) ACM_CAP.2 Configuration items
© 2003 Juniper Inc.
All Rights Reserved.
11
Security Target Version 1.0
ADO_DEL.1 Delivery procedures
Delivery and Operation (ADO)
ADO_IGS.1 Installation, generation, and start-up procedures
ADV_FSP.1 Informal Function Specification
ADV_HLD.1 Descriptive high-level design
Development (ADV)
ADV_RCR.1 Informal correspondence demonstration
AGD_ADM.1 Administrator guidance
Guidance Documents (AGD)
AGD_USR.1 User guidance
ATE_COV.1 Evidence of coverage
ATE_FUN.1 Functional testing
Tests (ATE)
ATE_IND.2 Independent testing - sample
AVA_SOF.1 Strength of TOE security function evaluation
Vulnerability assessment (AVA)
AVA_VLA.1 Developer vulnerability analysis
Table 3 EAL2 Assurance Components
5.3.1 Configuration Management (ACM)
5.3.1.1 Configuration Items (ACM_CAP.2)
5.3.1.1.1 ACM_CAP.2.1D
The developer shall provide a reference for the TOE.
5.3.1.1.2 ACM_CAP.2.2D
The developer shall use a CM system.
5.3.1.1.3 ACM_CAP.2.3D
The developer shall provide CM documentation.
5.3.1.1.4 ACM_CAP.2.1C
The reference for the TOE shall be unique to each version of the TOE.
5.3.1.1.5 ACM_CAP.2.2C
The TOE shall be labeled with its reference.
5.3.1.1.6 ACM_CAP.2.3C
The CM documentation shall include a configuration list.
5.3.1.1.7 International Interpretation #3
The configuration list shall uniquely identify all configuration items that comprise the TOE.2
5.3.1.1.8 ACM_CAP.2.4C
The configuration list shall describe the configuration items that comprise the TOE.
2
This requirement has been added to comply with International Interpretation #3
© 2003 Juniper Inc.
All Rights Reserved.
12
Security Target Version 1.0
5.3.1.1.9 ACM_CAP.2.5C
The CM documentation shall describe the method used to uniquely identify the configuration items.
5.3.1.1.10 ACM_CAP.2.6C
The CM system shall uniquely identify all configuration items.
5.3.1.1.11 ACM_CAP.2.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of
evidence.
5.3.2 Delivery and Operation (ADO)
5.3.2.1 Delivery Procedures (ADO_DEL.1)
5.3.2.1.1 ADO_DEL.1.1D
The developer shall document procedures for delivery of the TOE or parts of it to the user.
5.3.2.1.2 ADO_DEL.1.2D
The developer shall use the delivery procedures.
5.3.2.1.3 ADO_DEL.1.1C
The delivery documentation shall describe all procedures that are necessary to maintain security when distributing
versions of the TOE to a user's site.
5.3.2.1.4 ADO_DEL.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of
evidence.
5.3.2.2 Installation, generation, and start-up procedures (ADO_IGS.1)
5.3.2.2.1 ADO_IGS.1.1D
The developer shall document procedures necessary for the secure installation, generation, and start-up of the TOE.
5.3.2.2.2 ADO_IGS.1.1C
The installation, generation and start-up documentation shall describe all the steps necessary for secure
installation, generation, and start-up of the TOE.3
5.3.2.2.3 ADO_IGS.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of
evidence.
5.3.2.2.4 ADO_IGS.1.2E
The evaluator shall determine that the installation, generation, and start-up procedures result in a secure
configuration.
3
This requirement has been modified to comply with International Interpretation #51.
© 2003 Juniper Inc.
All Rights Reserved.
13
Security Target Version 1.0
5.3.3 Development (ADV)
5.3.3.1 Informal Function Specification (ADV_FSP.1)
5.3.3.1.1 ADV_FSP.1.1D
The developer shall provide a functional specification.
5.3.3.1.2 ADV_FSP.1.1C
The functional specification shall describe the TSF and its external interfaces using an informal style.
5.3.3.1.3 ADV_FSP.1.2C
The functional specification shall be internally consistent.
5.3.3.1.4 ADV_FSP.1.3C
The functional specification shall describe the purpose and method of use of all external TSF interfaces, providing
details of effects, exceptions and error messages, as appropriate.
5.3.3.1.5 ADV_FSP.1.4C
The functional specification shall completely represent the TSF.
5.3.3.1.6 ADV_FSP.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of
evidence.
5.3.3.1.7 ADV_FSP.1.2E
The evaluator shall determine that the functional specification is an accurate and complete instantiation of the TOE
security requirements.
5.3.3.2 Descriptive high-level design (ADV_HLD.1)
5.3.3.2.1 ADV_HLD.1.1D
The developer shall provide the high level design of the TSF.
5.3.3.2.2 ADV_HLD.1.1C
The presentation of the high level design shall be informal.
5.3.3.2.3 ADV_HLD.1.2C
The high level design shall be internally consistent.
5.3.3.2.4 ADV_HLD.1.3C
The high level design shall describe the structure of the TSF in terms of subsystems.
5.3.3.2.5 ADV_HLD.1.4C
The high level design shall describe the security functionality provided by each subsystem of the TSF.
© 2003 Juniper Inc.
All Rights Reserved.
14
Security Target Version 1.0
5.3.3.2.6 ADV_HLD.1.5C
The high level design shall identify any underlying hardware, firmware, and/or software required by the TSF with a
presentation of the functions provided by the supporting protection mechanisms implemented in that hardware,
firmware, or software.
5.3.3.2.7 ADV_HLD.1.6C
The high level design shall identify all interfaces to the subsystems of the TSF.
5.3.3.2.8 ADV_HLD.1.7C
The high level design shall identify which of the interfaces to the subsystems of the TSF are externally visible.
5.3.3.2.9 ADV_HLD.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of
evidence.
5.3.3.2.10 ADV_HLD.1.2E
The evaluator shall determine that the high level design is an accurate and complete instantiation of the TOE
security functional requirements.
5.3.3.3 Informal correspondence demonstration (ADV_RCR.1)
5.3.3.3.1 ADV_RCR.1.1D
The developer shall provide an analysis of correspondence between all adjacent pairs of TSF representations that are
provided.
5.3.3.3.2 ADV_RCR.1.1C
For each adjacent pair of provided TSF representations, the analysis shall demonstrate that all relevant security
functionality of the more abstract TSF representation is correctly and completely refined in the less abstract TSF
representation.
5.3.3.3.3 ADV_RCR.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of
evidence.
5.3.4 Guidance Documents (AGD)
5.3.4.1 Administrator Guidance (AGD_ADM.1)
5.3.4.1.1 AGD_ADM.1.1D
The developer shall provide administrator guidance addressed to system administrative personnel.
5.3.4.1.2 AGD_ADM.1.1C
The administrator guidance shall describe the administrative functions and interfaces available to the administrator
of the TOE.
© 2003 Juniper Inc.
All Rights Reserved.
15
Security Target Version 1.0
5.3.4.1.3 AGD_ADM.1.2C
The administrator guidance shall describe how to administer the TOE in a secure manner.
5.3.4.1.4 AGD_ADM.1.3C
The administrator guidance shall contain warnings about functions and privileges that should be controlled in a
secure processing environment.
5.3.4.1.5 AGD_ADM.1.4C
The administrator guidance shall describe all assumptions regarding user behavior that are relevant to secure
operation of the TOE.
5.3.4.1.6 AGD_ADM.1.5C
The administrator guidance shall describe all security parameters under the control of the administrator, indicating
secure values as appropriate.
5.3.4.1.7 AGD_ADM.1.6C
The administrator guidance shall describe each type of security-relevant event relative to the administrative
functions that need to be performed, including changing the security characteristics of entities under the control of
the TSF.
5.3.4.1.8 AGD_ADM.1.7C
The administrator guidance shall be consistent with all other documents supplied for evaluation.
5.3.4.1.9 AGD_ADM.1.8C
The administrator guidance shall describe all security requirements on the IT environment that are relevant to the
administrator.
5.3.4.1.10 AGD_ADM.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of
evidence
5.3.4.2 User Guidance (AGD_USR.1)
5.3.4.2.1 AGD_USR.1.1D
The developer shall provide user guidance.
5.3.4.2.2 AGD_USR.1.1C
The user guidance shall describe the functions and interfaces available to the non-administrative users of the TOE.
5.3.4.2.3 AGD_USR.1.2C
The user guidance shall describe the use of user-accessible security functions provided by the TOE.
5.3.4.2.4 AGD_USR.1.3C
The user guidance shall contain warnings about user-accessible functions and privileges that should be controlled in
a secure processing environment.
© 2003 Juniper Inc.
All Rights Reserved.
16
Security Target Version 1.0
5.3.4.2.5 AGD_USR.1.4C
The user guidance shall clearly present all user responsibilities necessary for secure operation of the TOE, including
those related to assumptions regarding user behavior found in the statement of TOE security environment.
5.3.4.2.6 AGD_USR.1.5C
The user guidance shall be consistent with all other documentation supplied for evaluation.
5.3.4.2.7 AGD_USR.1.6C
The user guidance shall describe all security requirements on the IT environment that are relevant to the user.
5.3.4.2.8 AGD_USR.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of
evidence.
5.3.5 Security Testing (ATE)
5.3.5.1 Evidence of coverage (ATE_COV.1)
5.3.5.1.1 ATE_COV.1.1D
The developer shall provide evidence of the test coverage.
5.3.5.1.2 ATE_COV.1.1C
The evidence of the test coverage shall show the correspondence between the tests identified in the test
documentation and the TSF as described in the functional specification.
5.3.5.1.3 ATE_COV.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of
evidence.
5.3.5.2 Functional testing (ATE_FUN.1)
5.3.5.2.1 ATE_FUN.1.1D
The developer shall test the TSF and document the results.
5.3.5.2.2 ATE_FUN.1.2D
The developer shall provide test documentation.
5.3.5.2.3 ATE_FUN.1.1C
The test documentation shall consist of test plans, test procedure descriptions, expected test results and actual test
results.
5.3.5.2.4 ATE_FUN.1.2C
The test plans shall identify the security functions to be tested and describe the goal of the tests to be performed.
© 2003 Juniper Inc.
All Rights Reserved.
17
Security Target Version 1.0
5.3.5.2.5 ATE_FUN.1.3C
The test procedure descriptions shall identify the tests to be performed and describe the scenarios for testing each
security function. These scenarios shall include any ordering dependencies on the results of other tests.
5.3.5.2.6 ATE_FUN.1.4C
The expected test results shall show the anticipated outputs from a successful execution of the tests.
5.3.5.2.7 ATE_FUN.1.5C
The test results from the developer execution of the tests shall demonstrate that each tested security function
behaved as specified.
5.3.5.2.8 ATE_FUN.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of
evidence.
5.3.5.3 Independent testing – sample (ATE_IND.2)
5.3.5.3.1 ATE_IND.2.1D
The developer shall provide the TOE for testing.
5.3.5.3.2 ATE_IND.2.1C
The TOE shall be suitable for testing.
5.3.5.3.3 ATE_IND.2.2C
The developer shall provide an equivalent set of resources to those that were used in the developer’s functional
testing of the TSF.
5.3.5.3.4 ATE_IND.2.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of
evidence.
5.3.5.3.5 ATE_IND.2.2E
The evaluator shall test a subset of the TSF as appropriate to confirm that the TOE operates as specified.
5.3.5.3.6 ATE_IND.2.3E
The evaluator shall execute a sample of tests in the test documentation to verify the developer test results.
5.3.5.4 Strength of TOE security function evaluation (AVA_SOF.1)
5.3.5.4.1 AVA_SOF.1.1D
The developer shall perform a strength of TOE security function analysis for each mechanism identified in the ST as
having a strength of TOE security function claim.
© 2003 Juniper Inc.
All Rights Reserved.
18
Security Target Version 1.0
5.3.5.4.2 AVA_SOF.1.1C
For each mechanism with a strength of TOE security function claim the strength of TOE security function analysis
shall show that it meets or exceeds the minimum strength level defined in the PP/ST.
5.3.5.4.3 AVA_SOF.1.2C
For each mechanism with a specific strength of TOE security function claim the strength of TOE security function
analysis shall show that it meets or exceeds the specific strength of function metric defined in the PP/ST.
5.3.5.4.4 AVA_SOF.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of
evidence.
5.3.5.4.5 AVA_SOF.1.2E
The evaluator shall confirm that the strength claims are correct.
5.3.5.5 Developer vulnerability analysis (AVA_VLA.1)
5.3.5.5.1 AVA_VLA.1.1D
The developer shall perform and document an analysis of the TOE deliverables searching for obvious ways in which
a user can violate the TSP. The developer shall perform a vulnerability analysis.4
5.3.5.5.2 AVA_VLA.1.2D
The developer shall document the disposition of obvious vulnerabilities. The developer shall provide vulnerability
analysis documentation. 5
5.3.5.5.3 AVA_VLA.1.1C
The documentation shall show, for all identified vulnerabilities, that the vulnerability cannot be exploited in the
intended environment for the TOE. The vulnerability analysis documentation shall describe the analysis of the
TOE deliverables performed to search for obvious ways in which a user can violate the TSP.6
5.3.5.5.4 AVA_VLA.1.2C
The vulnerability analysis documentation shall describe the disposition of obvious vulnerabilities.7
5.3.5.5.5 AVA_VLA.1.3C
The vulnerability analysis documentation shall show, for all identified vulnerabilities, that the vulnerability
cannot be exploited in the intended environment for the TOE. 8
5.3.5.5.6 AVA_VLA.1.1E
The evaluator shall confirm that the information provided meets all requirements for content and presentation of
evidence.
4
This requirement has been modified to comply with International Interpretation #51.
5
This requirement has been modified to comply with International Interpretation #51.
6
This requirement has been modified to comply with International Interpretation #51.
7
This requirement has been added to comply with International Interpretation #51.
8
This requirement has been added to comply with International Interpretation #51.
© 2003 Juniper Inc.
All Rights Reserved.
19
Security Target Version 1.0
5.3.5.5.7 AVA_VLA.1.2E
The evaluator shall conduct penetration testing, building on the developer vulnerability analysis, to ensure obvious
vulnerabilities have been addressed.
© 2003 Juniper Inc.
All Rights Reserved.
20
Security Target Version 1.0
6. TOE Summary Specification
This chapter describes the security functions and associated assurance measures.
6.1 TOE Security Functions
Each of the security function descriptions is organized by the security requirements corresponding to the security
function. Hence, each function is described by how it specifically satisfies each of its related requirements. This
serves to both describe the security functions and rationalize that the security functions are suitable to satisfy the
necessary requirements.
6.1.1 User Data Protection
FDP_IFC.1 Subset information flow control and FDP_IFF.1 Simple security attributes
The TOE is designed primarily to route unauthenticated network traffic. Network traffic represents information
flows between source and destination network entities. The specific routing of traffic is based on the routing
configuration data that has been created by the TOE administrators or has been collected (e.g., ARP) from network
peers as defined by the TOE administrators.
6.1.2 Identification and Authentication
FIA_ATD.1 User Attribute Definition
User accounts in the TOE have the following attributes: user name, authentication data (password or an
authentication server in the IT environment), and their privileges. Locally stored authentication data for fixed
password authentication is a case-sensitive, alpha-meric value that can be up to 128 characters in length. While
passwords longer than 128 characters can be used, they do not contribute to the password mechanism strength of
function, only the first 128 characters are checked during authentication.
Authentication data can be stored either locally or on a separate server. The separate server must support either the
RADIUS or TACACS+ protocol to be supported by the TOE.
Public Key authentication, such as RSA, is supported using the authentication server in the IT environment for
authentication to the TOE.
FIA_UAU.1 Timing of Authentication and FIA_UID.1 Timing of Identification
JNR requires users to provide unique identification and authentication data (passwords) before any administrative
access to the system is granted. If the identify specified is defined locally, the TOE will successfully authenticate
that identity if the authentication data provided matches that stored in conjunction with the provided identity.
Alternately, if the TOE is configured to work with a RADIUS or TACACS+ server, the identity and authentication
data is provided to the server and the TOE enforces the result returned from the server. Regardless, no
administrative actions are allowed until successful authentication as an authorized administrator.
User or application authentication can occur through several mechanisms, including ftp, telnet and ssh. These
programs all require successful authentication prior to giving a user access to the system. The ssh application also
supports Public Key authentication to the system, for both the connecting client (computer where the administrator
is connecting from) and the user. These mechanisms are used for administration of the routing functions as well as
the administration of the user accounts used for management.
For non-administrative functions no authentication is required. The primary non-administrative function of the TOE
is to route IP packets between PIMs. This passes the packets from one network to a destination network, enabling
network connectivity.
© 2003 Juniper Inc.
All Rights Reserved.
21
Security Target Version 1.0
6.1.3 Security Management
FMT_MSA.3 Static attribute initialization
The TOE restricts the ability to administer through the CLI interface (or optionally using XML (Junoscript) or
HTTPS (J-Web) interfaces which provide equivalent management functionality) the router configuration data to
only authorized administrators and authenticated applications. The TOE automatically routes traffic based on
available routing information, much of which is automatically collected from the TOE environment.
FMT_MTD.1a Management of TSF Data (Router Information)
The TOE restricts the ability to administer through the CLI interface (or optionally using XML (Junoscript) or
HTTPS (J-Web) interfaces which provide equivalent management functionality)the router configuration data to only
authorized administrators and authenticated applications. The CLI provides authorized administrators with a text-
based interface from which the router configuration can be managed and maintained. From this interface all router
functions, such as BGP, RIP and MPLS protocols can be managed, as well as PIM configurations and TCP/IP
configurations.
FMT_MTD.1b Management of TSF Data (User Data)
The TOE restricts the ability to administer through the CLI interface (or optionally using XML (Junoscript) or
HTTPS (J-Web) interfaces which provide equivalent management functionality)user data to only authorized
administrators. The CLI provides authorized administrators with a text-based interface from which all user data can
be managed. From this interface new accounts can be created, and existing accounts can be modified or deleted.
This interface also provides the authorized administrator the ability to configure an external authentication server,
such as a RADIUS or TACACS+ server, for a user. When this is assigned, a user can be authenticated to the
external server instead of to directly to the TOE.
FMT_SMF.1 Management of Security Functions
The TOE provides the ability to manage the following security functions: user data (authentication data, roles) and
router information. All security function management is done through the CLI (or optionally using XML
(Junoscript) or HTTPS (J-Web) interfaces which provide equivalent management functionality), and is restricted
only to authorized administrators.
FMT_SMR.1 Security Roles
The TOE has one pre-defined role, Authorized Administrator. When a new user account is created, it must be
assigned this role.
• Authorized Administrator: this role can perform all management functions on the TOE. A user with
this role can manage user accounts (create, delete, modify), view and modify the router configuration
information.
6.1.4 Protection of Security Functions
FPT_SEP.1 TSF Domain Separation
The TOE is an appliance in which all operations are self-contained, with all administration and configuration
operations are performed within the physical boundary of the TOE. All user and router data can be manipulated via
the CLI. However, the traffic directed through the product is routed according to it’s configuration but not otherwise
subject to security mechanisms. The JUNOS software within the TOE controls all operations. The TOE operates
solely as a router and neither performs nor supports other non-router related functions.
6.2 TOE Security Assurance Measures
The following assurance measures are applied to satisfy the Common Criteria EAL2 assurance requirements:
• Process Assurance;
• Delivery and Guidance;
© 2003 Juniper Inc.
All Rights Reserved.
22
Security Target Version 1.0
• Design Documentation;
• Tests; and
• Vulnerability Assessment.
6.2.1 Process Assurance
6.2.1.1 Configuration Management
The configuration management measures applied by Juniper ensure that configuration items are uniquely identified,
and that documented procedures are used to control and track changes that are made to the TOE. Juniper ensures
changes to the implementation representation are controlled and that TOE associated configuration item
modifications are properly controlled. Juniper performs configuration management on the TOE implementation
representation, design, tests, user and administrator guidance, and the CM documentation. These activities are
documented in:
• Juniper Configuration Management Manual
The Configuration Management assurance measure satisfies the ACM_CAP.2 assurance requirements
6.2.2 Delivery and Guidance
Juniper provides delivery documentation that explains how the TOE is delivered and procedures to identify the
TOE, allow detection of unauthorized modifications of the TOE and installation and generation instructions at start-
up. Juniper’s delivery procedures describe the steps to be used for the secure installation, generation, and start-up of
the TOE along with configuration settings to secure the TOE privileges and functions. These procedures are
documented in:
• Juniper Delivery and Operation Procedures
Juniper provides administrator guidance in the installation and initialization procedures. The installation and
generation procedures, included in the administrator guidance, describe the steps necessary to install and operate
Juniper products in accordance with the evaluated configuration, detailing how to establish and maintain the secure
configuration. Since the only users with an interface are administrators, that is the only guidance provided. Non-
administrative users have no direct access to the TOE, only using it as a generic network connection component
when communicating across connected networks.
The administrator guidance is documented in:
• Juniper Configuration and Management Guide
The Delivery and Guidance assurance measure satisfies the following Assurance requirements:
• ADO_DEL.1;
• ADO_IGS.1;
• AGD_ADM.1; and,
• AGD_USR.1.
6.2.3 Development
The Design Documentation provided for JNR is provided in two documents:
• Juniper Functional Specification
• Juniper High-level Design
These documents serve to describe the security functions of the TOE, its interfaces both external and between
subsystems, the architecture of the TOE (in terms of subsystems), and correspondence between the available design
© 2003 Juniper Inc.
All Rights Reserved.
23
Security Target Version 1.0
abstractions (including the ST). The Design Documentation security assurance measure satisfies the following
security assurance requirement:
• ADV_FSP.1;
• ADV_HLD.1; and,
• ADV_RCR.1.
6.2.4 Tests
The Test Documentation is found in the following documents:
• Juniper Test Coverage
• Juniper Test Plan
• Juniper Test Procedures
These documents describe the overall test plan, testing procedures, the tests themselves, including expected and
actual results. In addition, these documents describe how the functional specification has been appropriately tested.
The Tests assurance measure satisfies the following assurance requirements:
• ATE_COV.1;
• ATE_FUN.1; and,
• ATE_IND.2.
6.2.5 Vulnerability Assessment
Each probabilistic or permutational mechanism used by the TOE must satisfy the SOF-Basic requirements. The only
probabilistic or permutational mechanism used in the TOE is the authentication mechanism. Juniper has performed
a strength of function analysis that indicates that the authentication mechanism fulfills at least SOF-Basic. Similarly,
Juniper performed a vulnerability analysis of the TOE to identify weaknesses that can be exploited in the TOE. Both
the strength of function analysis and the vulnerability analysis are documented in:
• Juniper Vulnerability Assessment
The Vulnerability Assessment assurance measure satisfies the following assurance requirements:
• AVA_SOF.1; and,
• AVA_VLA.1.
© 2003 Juniper Inc.
All Rights Reserved.
24
Security Target Version 1.0
7. Protection Profile Claims
There are no PP claims for this evaluation.
© 2003 Juniper Inc.
All Rights Reserved.
25
Security Target Version 1.0
8. Rationale
This section provides the rationale for completeness and consistency of the Security Target. The rationale addresses
the following areas:
• Security Objectives;
• Security Functional Requirements;
• Security Assurance Requirements;
• TOE Summary Specification;
• Security Functional Requirement Dependencies; and
• Internal Consistency.
8.1 Security Objectives Rationale
This section shows that all secure usage assumptions, security threats and organizational security policies are
completely covered by security objectives. In addition, each objective counters or addresses at least one assumption
or organizational security policy.
8.1.1 Security Objectives Rationale for the TOE and Environment
This section provides a mapping of TOE security objectives to those threats that the security objectives that the TOE
is designed to counter, assumptions about secure usage, and organizational security policies that the TOE must
enforce..
O.PROTECT
O.EADMIN
O.ACCESS
O.PHYCAL
OE.EAUTH
O.FLOW
O.MANAGE
A.LOCATE X
A.NOEVIL X
A.EAUTH X
T.PRIVIL X X
T.OPS X X
P.FLOW X
P.MANAGE X X
P.PROTECT X X
Table 4 Environment to Objective Correspondence
8.1.1.1 A.LOCATE
The processing resources of the TOE will be located within controlled access facilities, which will prevent
unauthorized physical access.
The O.PHYCAL provides for the physical protection of the TOE.
© 2003 Juniper Inc.
All Rights Reserved.
26
Security Target Version 1.0
8.1.1.2 A.NOEVIL
The authorized administrators are competent, not careless, willfully negligent, or hostile, and will follow
and abide by the instructions provided by the TOE documentation.
The O.MANAGE objective ensures that only non-hostile, competent administrators (following guidance) manage
the TOE.
8.1.1.3 A.EAUTH
External authentication services will be available via RADIUS and TACACS+.
The OE.EAUTH objective supports this assumption by requiring that the environment provide RADIUS or
TACACS+ services for external authentication.
8.1.1.4 T.PRIVIL
An unauthorized user may gain access to the TOE and exploit system privileges to gain access to TOE
security functions and data, inappropriately changing the configuration data for TOE security functions.
The O.ACCESS objective requires that only authorized users and processes be allowed to access the TOE security
functions. The O.PROTECT objective addresses this threat by providing TOE self-protection.
8.1.1.5 T.OPS
An unauthorized process or application may gain access to the TOE security functions and data,
inappropriately changing the configuration data for the TOE security functions.
The O.PROTECT objective ensures the TOE protects itself from unauthorized modification of security data or
functions. The O.ACCESS objective requires that only authorized users and processes be allowed to access the TOE
security functions.
8.1.1.6 P.FLOW
The TOE shall ensure that information flows from source to destination according to available routing
information.
The O.FLOW object supports this policy by ensuring that information is allowed to flow through the TOE based on
available routing information.
8.1.1.7 P.MANAGE
The TOE shall provide effective management functions that can only be utilized by authorized users.
The O.ACCESS objective supports this policy by only allowing authorized and processes users access to the TOE.
O.EADMIN ensures there is a set of management functions for administrators to use.
8.1.1.8 P. PROTECT
The TOE shall be protected from unauthorized accesses and disruptions of TOE data and functions.
The O.ACCESS objective supports this policy by only allowing authorized users and processes access to the TOE.
The O.PROTECT objective addresses this policy by providing TOE self-protection.
© 2003 Juniper Inc.
All Rights Reserved.
27
Security Target Version 1.0
8.2 Security Requirements Rationale
This section provides evidence supporting the internal consistency and completeness of the components
(requirements) in the Security Target. Note that Table 5 indicates the requirements that effectively satisfy the
individual objectives.
The purpose for the environmental objectives is to provide protection for the TOE that cannot be addressed through
IT measures. The defined objectives provide for physical protection of the TOE, proper management of the TOE,
and interoperability requirements on the TOE. Together with the IT security objectives, these environmental
objectives provide a complete description of the responsibilities of TOE in meeting security needs.
8.2.1 Security Functional Requirements Rationale
All Security Functional Requirements (SFR) identified in this Security Target are fully addressed in this section and
each SFR is mapped to the objective for which it is intended to satisfy.
O.FLOW
O.PROTECT
O.EADMIN
O.ACCESS
OE.EAUTH
FDP_IFC.1 X
FDP_IFF.1 X
FIA_UAU.1 X X
FIA_UAU.5 X
FIA_ATD.1 X
FIA_UID.1 X X
FMT_MSA.3 X
FMT_MTD.1a X
FMT_MTD.1b X X
FMT_SMF.1 X
FMT_SMR.1 X X
FPT_SEP.1 X
Table 5 Objective to Requirement Correspondence
8.2.1.1 O.FLOW
The TOE must use available routing information to forward network packets to the appropriate destination.
The TOE must enforce a policy and set of rules for information flow ensuring that information is only forwarded to
the appropriate destination[FDP_IFC.1, FDP_IFF.1]. The TOE must ensure that appropriate default security
attributes are associated with information flows [FMT_MSA.3].
8.2.1.2 O.PROTECT
The TOE must protect itself from unauthorized modifications and access to its functions and data.
The TOE is required to authenticate all users prior to any administrative access. [FIA_UAU.1, FIA_UID.1] The
TOE requires that users be assigned to roles to determine the level of access granted to the TOE. [FMT_SMR.1]
The TSF must be protected from interference that would prevent it from performing its functions [FPT_SEP.1].
© 2003 Juniper Inc.
All Rights Reserved.
28
Security Target Version 1.0
8.2.1.3 O.EADMIN
The TOE must include a set of services that allow effective management of its functions and data.
The TOE must provide the authorized administrators the ability to manage the user accounts of the TOE.
[FMT_MTD.1b, FMT_SMF.1] The TOE must provide the authorized administrators and authenticated applications
the ability to manage the router configuration. [FMT_MTD.1a, FMT_SMF.1] The TOE allows that privileges be
assigned the authorized administrator role, which are then assigned to users, providing a method for ensuring
effective management. [FMT_SMR.1] The TOE must provide administrative functions to manage both router
functions as well as user data. [FMT_SMF.1]
8.2.1.4 O.ACCESS
The TOE must allow authorized users to access only appropriate TOE functions and data.
Users authorized to access the TOE are defined using an identification and authentication process [FIA_UID.1,
FIA_UAU.1]. The TOE requires that all users of the TOE be unique and have unique data. [FIA_ATD.1] Only
authorized administrators of the System may manage the TOE data [FMT_MTD.1b]. Only authorized administrators
and authenticated applications of the System may manage the TOE data [FMT_MTD.1a]. All user accounts have
specific data that must be stored to ensure individual identities as well as unique authentications. [FIA_ATD.1]
8.2.1.5 OE.EAUTH
External authentication services will be available via either RADIUS, TACACS+, or both.
Users can be authenticated to the TOE via two separate authentication mechanisms: the internal fixed password
mechanism and the authentication server in the IT environment [FIA_UAU.5].
8.3 Security Assurance Requirements Rationale
This ST contains the assurance requirements from the CC EAL2 assurance package and is based on good
commercial development practices. This ST has been developed for a generalized environment with a medium level
of risk to the assets. The security environment assumes physical protection and the TOE itself offers only a very
limited interface and can only be configured during initialization, offering essentially no opportunity for an attacker
to subvert the security policies without physical access. As such, it is believed that EAL 2 provides an appropriate
level of assurance in the security functions offered by the TOE.
8.4 Requirement Dependency Rationale
The ST satisfies all the requirement dependencies of the Common Criteria, except as noted below. Table 6
Requirement Dependency Rationale lists each requirement from Section 5.1 with a dependency and indicates which
requirement was included to satisfy the dependency, if any. For each dependency not included, a justification is
proved.
Functional Component Dependency Included
FDP_IFC.1 FDP_IFF.1 YES
FDP_IFC.1 YES
FDP_IFF.1
FMT_MSA.3 YES
FIA_UAU.1 FIA_UID.1 YES
FMT_MSA.1 NO
FMT_MSA.3
FMT_SMR.1 YES
FMT_SMF.1 YES
FMT_MTD.1a
FMT_SMR.1 YES
FMT_SMF.1 YES
FMT_MTD.1b
FMT_SMR.1 YES
FMT_SMR.1 FIA_UID.1 YES
© 2003 Juniper Inc.
All Rights Reserved.
29
Security Target Version 1.0
Table 6 Requirement Dependency Rationales
Note that FMT_MSA.1 is not included in this ST given that FMT_MTD.1.a addresses managing router information.
8.5 Explicitly Stated Requirements Rationale
There are no explicitly stated requirements.
8.6 Strength of Function Rationale
The TOE minimum strength of function is SOF-Basic.
This security target includes a probabilistic or permutational function. The list of relevant security functions and
security functional requirements includes:
• Identification and Authentication
o FIA_UAU.1 - Timing of authentication
The password used at administrator interface via a client application providing a CLI login is
the only probabilistic or permutational function on which the strength of the authentication
mechanism depends.
The system places the following restrictions on the passwords selected by the user:
• The password must be at least six long;
The password space is calculated as follows:
Patterns of human usage are important considerations that can influence the approach to searching a password space,
and thus affect SOF. Assuming the worst case scenario and the user chooses a number comprising only six
characters, the number of password permutations is:
52 alpha characters (upper and lower)
10 digits
+ 16 special characters ( !, @, #, $, %, ^, &, *, (, ), +, =, <, >, :, ;)
78 possible values
78^6 = (78*78*78*78*78*78) = 225,199,600,704
The amount of time it takes to manually type a password given that authentication can only occur based upon
manual input is 7 seconds. An attacker can at best attempt (60/7= 8.6 password entries every minute, or 514
password entries every hour.
On average, an attacker would have to enter (225,199,600,704/ 2 = 112,599,800,352) passwords, over
(112,599,800,352/ 514) 219,065,759.44 hours, before entering the correct password. The average successful attack
would, as a result, occur in slightly less than:
(219,065,759.44 / 24 / 365 =) 25,007.51 years
In accordance with annex B.3 in the CEM, the elapse time of attack is not practical and thus results in a High
strength of function rating, which exceeds SOF-Basic.
8.7 TOE Summary Specification Rationale
Each subsection in Section 6, the TOE Summary Specification, describes a security function of the TOE. Each
description is followed with rationale that indicates which requirements are satisfied by aspects of the corresponding
security function. The set of security functions work together to satisfy all of the security functions and assurance
© 2003 Juniper Inc.
All Rights Reserved.
30
Security Target Version 1.0
© 2003 Juniper Inc.
All Rights Reserved.
31
requirements. Furthermore, all of the security functions are necessary in order for the TSF to provide the required
security functionality.
This Section in conjunction with Section 6, the TOE Summary Specification, provides evidence that the security
functions are suitable to meet the TOE security requirements. The collection of security functions work together to
provide all of the security requirements. The security functions described in the TOE summary specification are all
necessary for the required security functionality in the TSF. Table 7 Security Functions vs. Requirements
Mapping demonstrates the relationship between security requirements and security functions.
USER
DATA
PROTECTION
IDENTITY
&
AUTHENTICATION
SECURITY
MANAGEMENT
PROTECTION
OF
SECURITY
FUNCTIONS
FDP_IFC.1 X
FDP_IFF.1 X
FIA_UAU.1 X
FIA_ATD.1 X
FIA_UID.1 X
FMT_MSA.3 X
FMT_MTD.1 X
FMT_SMF.1 X
FMT_SMR.1 X
FPT_SEP.1 X
Table 7 Security Functions vs. Requirements Mapping
8.8 PP Claims Rationale
See section 7, Protection Profile Claims.