Stonesoft StoneGate Firewall v.2.0.5 COMMON CRITERIA SECURITY TARGET VERSION 3.13 Shari Galitzer August 7, 2003 Suite 100 West♦7927 Jones Branch Drive♦McLean, VA 22102-3305♦703 848-0883♦Fax 703 848-0960 TABLE OF CONTENTS SECTION PAGE 1 SECURITY TARGET INTRODUCTION 7 1.1 SECURITY TARGET IDENTIFICATION 7 1.2 SECURITY TARGET OVERVIEW 7 1.3 COMMON CRITERIA CONFORMANCE CLAIMS 8 1.4 TERMINOLOGY 8 2 TOE DESCRIPTION 11 2.1 PRODUCT TYPE 11 2.2 TOE SECURITY FUNCTIONS 12 2.3 TOE SCOPE AND EVALUATED CONFIGURATION 14 3 TOE SECURITY ENVIRONMENT 16 3.1 SECURE USAGE ASSUMPTIONS 16 3.2 ORGANIZATIONAL SECURITY POLICIES 17 3.3 THREATS TO SECURITY 17 4 SECURITY OBJECTIVES 19 4.1 SECURITY OBJECTIVES FOR THE TOE 19 4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT 20 5 IT SECURITY REQUIREMENTS 22 5.1 TOE SECURITY FUNCTIONAL REQUIREMENTS 22 5.1.1 FAU – Audit 23 5.1.2 FCS – Cryptographic Support 25 5.1.3 FDP – User Data Protection 27 5.1.4 FIA – Identification and Authentication 29 5.1.5 FMT – Security Management 30 5.1.6 FPT – Protection of the TOE Security Functions 32 5.1.7 FRU – Resource Utilization 33 5.1.8 FTP – Trusted path/channels 33 5.1.9 Strength of Function Requirement 33 5.2 SECURITY FUNCTIONAL REQUIREMENTS FOR THE IT ENVIRONMENT 33 5.3 TOE SECURITY ASSURANCE REQUIREMENTS 36 6 TOE SUMMARY SPECIFICATION 38 6.1 IT SECURITY FUNCTIONS 38 6.1.1 Audit 39 6.1.2 Cryptographic Functionality (CRYPTO-1) 40 6.1.3 User Data Protection 41 6.1.4 High Availability (HA-1) 44 6.1.5 Identification and Authentication (I&A-1) 44 6.1.6 Security Management and Protection of Security Functions 45 6.2 ASSURANCE MEASURES 45 7 PP CLAIMS 49 8 RATIONALE 50 8.1 SECURITY OBJECTIVES RATIONALE 50 iii 8.1.1 Policies 51 8.1.2 Threats 51 8.2 SECURITY REQUIREMENTS RATIONALE 53 8.2.1 Assurance Rationale 58 8.2.2 SOF Rationale 58 8.2.3 Security Requirements are Justified 59 8.2.4 Justification for explicit requirements 60 8.2.5 Rationale for SAR Dependencies 60 8.3 RATIONALE FOR TOE SUMMARY SPECIFICATION 61 8.4 RATIONALE FOR PP CONFORMANCE 62 9 ACRONYMS 63 10 REFERENCES 64 iv TABLE OF FIGURES PAGE FIGURE 2.1 TOE OPERATING ENVIRONMENT ...............................................................................................12 FIGURE 2.2 TOE BOUNDARY AND IT ENVIRONMENT...................................................................................15 v TABLE OF TABLES TABLE PAGE TABLE 5.1 – FUNCTIONAL COMPONENTS..........................................................................................................22 TABLE 5.2 – TOE AUDITABLE EVENTS.............................................................................................................23 TABLE 5.3 – TSF DATA MANAGEMENT ............................................................................................................30 TABLE 5.4 – MANAGEMENT SERVER AUDITABLE EVENTS...............................................................................34 TABLE 5.5 - ASSURANCE COMPONENTS............................................................................................................37 TABLE 6.1 – SECURITY FUNCTIONS MAPPED TO SECURITY FUNCTIONAL REQUIREMENTS..............................38 TABLE 6.2 – ASSURANCE EVALUATION EVIDENCE...........................................................................................46 TABLE 8.1 MAPPING THE SECURITY ENVIRONMENT TO THE SECURITY OBJECTIVES.......................................50 TABLE 8.2 ALL IT SECURITY OBJECTIVES FOR THE TOE ARE NECESSARY .....................................................50 TABLE 8.3 SECURITY OBJECTIVE TO REQUIREMENTS MAPPING.......................................................................53 TABLE 8.4 ALL SECURITY REQUIREMENTS FOR THE TOE ARE NECESSARY ....................................................54 TABLE 8.5 – FUNCTIONAL COMPONENT DEPENDENCIES ..................................................................................59 TABLE 8.6 – SFR TO SECURITY FUNCTION MAPPING.......................................................................................61 vi Revision History Version 1.0, First submission of the ST to the CygnaCom SEL for evaluation and to StoneSoft for comment. Version 1.1 Incorporated comments from StoneSoft and minor corrections. Version 2.0 Rewritten for new TOE definition and no PP compliance claims. Version 2.1 Incorporated edits from Klaus review and added general statement on threats and assets protected. Version 3.0 For evaluation to address EORs and review from R&D. Note: the rationale section is not complete and some CC and general format and presentation requirements are not complete. To assist with the development and review process, the document is in 4 files: 1a.) IntroandEnv.3.0.doc (refers to 1b.) Figure1.1FirewallStystemArchitecture.doc), 2.) Section5.3.0.doc, 3.) TSS.3.0.doc, and 4.)Rationale.3.0.doc. Version 3.1 Addressed EORs Version 3.2 Incorporated comments from R&D Version 3.3 Addressed EORs Version 3.4 Addressed remaining issues from ST EORs, before TOE evaluation. Version 3.5 Combined into 1 file, fixed formatting, update references, and a couple of minor edits/nits. Version 3.6 Addressed changes based on evaluation results to date. Version 3.7 April 9, 2003. Address changes based on evaluation results to date. Version 3.8 April 18, 2003. Address changes based on evaluation results to date: additional key sizes for DSA, and application note for A.ADMINTRUSTED. Version 3.9 May 22, 2003 address changes based on evaluation results to date. Version 3.10 June 16, 2003. Addresses changes based on HMAC-SHA details and a few other minor edits. Version 3.11 June 30, 2003. Removed Client as a kind of SGW, and removed IPSec AH only and AH+ESP. Version 3.12 July 1, 2003. Removed DSA from the scope of the evaluation. Version 3.13 August 7, 2003. Updated evaluation evidence table, updated HMAC_SHA-1 requirement, and a couple of minor edits. 7 1 SECURITY TARGET INTRODUCTION 1.1 SECURITY TARGET IDENTIFICATION TOE Identification: Stonesoft StoneGate Firewall version 2.0.5 ST Title: Stonesoft StoneGate Firewall version 2.0.5 Common Criteria Security Target ST Version: 3.13 Assurance level: EAL4, augmented with ALC_FLR.1, Basic flaw remediation, and AVA_VLA.3, Moderately resistant. CC Version: 2.1 Registration: Keywords: Firewall, VPN, High Availability, Traffic Filter, Application Proxy 1.2 SECURITY TARGET OVERVIEW The StoneSoft StoneGate Firewall is a high availability firewall and Virtual Private Network (VPN) solution for securing data communication channels and enabling continuous network connectivity. The StoneGate Firewall is based on Multi-Layer Inspection technology that combines both stateful and application-level inspection technology to control connectivity and information flow between internal and external networks. It also provides a means to keep the internal hosts IP-address private from external users. The VPN security services are based on the IPSec standard and allow users multiple cryptographic support options. As part of a cluster, the StoneGate Firewall provides high availability of these firewall security services for the users and servers protected by the cluster of firewalls when a node in the cluster or a network connection to a node fail. The StoneGate Firewall product runs on a hardened Linux operating system that is shipped with the product. The product runs on a single or multi-processor Intel or SPARC platform. The product also includes a distributed management system comprising a management server, log server and Graphic User Interface (GUI) to support the management and operation of the firewall. The security features within the scope of the ST include: • Connection level information flow control for IP packets including network-through- application level packet filtering, and connection redirection for FTP, HTTP, and SMTP traffic. • VPN data protection; • Privacy for hosts IP-address on the internal network using static Network Address Translation (NAT); • High Availability for network security services; 8 • Audit generation; and • Management and protection functions to support the security services. This ST was developed by CygnaCom Solutions under contract with Stonesoft. 1.3 COMMON CRITERIA CONFORMANCE CLAIMS This TOE conforms to the following CC specifications: • &RPPRQ&ULWHULDIRU,QIRUPDWLRQ7HFKQRORJ\6HFXULW\(YDOXDWLRQ3DUW6HFXULW\IXQFWLRQDO requirements, Version 2.1, August 1999, ISO/IEC 15408-2: o Part 2 extended; o Components FAU_GEN.1-NIAP-0410, FAU_STG.NIAP-0414, FAU_STG.1-NIAP- 0423, and FDP_IFF.1-NIAP-0407 are used to comply with NIAP interpretations; o Component FMT_SMF.1, Specification of Management Functions, is a new component from CCIMB interpretation #65; o FPT_SEP_EXP.1 and FPT_SEP_ENV.1 are explicit functional components and are included to reflect how the software TOE and its IT environment work together to enforce domain separation. • Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements, Version 2.1, August 1999, ISO/IEC 15408-3: o Part 3 conformant; o EAL4 augmented with ALC_FLR.1, Basic flaw remediation, and AVA_VLA.3, Moderately resistant. 1.4 TERMINOLOGY Certificate, Digital An electronic identification card for a user or device. Digital certificates are distributed, or granted, by certificate authorities (CAs), and ensure that the user or device is who/what they claim to be. Digital certificate holders have a public and private key pair, which can be used to sign messages (authenticate the sender), and decrypting incoming messages (ensuring only the certificate holder can decode the encrypted message). Clustering Technology A set of methods and algorithms used to implement highly scalable solutions where more than one machine handles the work load. The advantages of clustering technology include increased performance, availability, and reliability. Connection Tracking The set of data maintained for a connection. Used for relating incoming packets to existing connections. Connection tracking also includes information to support features like NAT, Load Balanced Routing and Protocol Agents. May also contain accounting information. 9 Firewall A barrier or choke point between two or more networks, which examines, controls and/or blocks the flow of data between those networks. Often thought of as a defense between a corporate network and the Internet, firewalls can also protect internal networks from each other. Firewall Cluster A group of firewalls that, through clustering technology, process the work normally performed by a single firewall machine. Firewall Engine The application software or processes that run on a firewall, performing the actual examination and access control of data. Firewall Node A single device, often a specialized PC or router, that runs firewall software, and performs the functions of a firewall as part of a firewall cluster. Firewall Security Policy A rule base that defines the policies implemented by the firewall for securing network and computer resources. Firewall System A collection of applications used to implement security policies and monitor network traffic at one or more sites. A firewall system consists of firewall engines, management servers, log servers and GUIs. High Availability The implementation of clustering technology, hot standby technology, or general redundancy in a system to increase the availability of an application, service, or network beyond what a single system is capable of providing. Increased availability is achieved by eliminating all single points of failure, with clustering technology providing the highest level of availability. IPSec (IP Security) A set of protocols supporting secure exchange of packets. Used for the implementation of VPNs, it provides transport and tunnel encryption modes. IPSec is defined in RFC 2401. Multi-Layer Inspection A hybrid firewall technology that incorporates the best elements of application level and network level firewalls, with additional technology to enable the secure handling of many connection types. NAT (Network Address Translation) A mechanism for assigning local networks a set of IP addresses for internal traffic and another for external traffic. NAT was originally described in RFC 1631 as a means for solving the rapidly diminishing IP address space. It provides a supplemental security purpose by hiding internal IP addresses. 10 Packet A unit of data sent across a network. Packet Filtering A method of controlling access to a network, or set of networks, by examining packets for source and destination address information, and permitting those packets to pass, or halting them based on defined rules. Protocol An agreed-upon format for transmitting data between two or more devices. Protocols typically define how to check for errors, how the sender will announce they have completed the sending of data, how the receiver will acknowledge receipt of the data, and how they will compress the data (if applicable). Protocol Agent A module that assists the firewall engine in handling a particular protocol. Protocol agents ensure that related connections for a service are properly grouped and evaluated by the firewall engine, as well as assisting the engine with content filtering or network address translation tasks. Route The set of routers or gateways a packet travels through in order to reach its destination. In TCP/IP networks, individual packets for a connection may travel through different routes to reach the destination host. Security Gateway (SGW) A remote trusted device that is IPSec compatible and is able to implement a VPN with the TOE. Virtual Private Network (VPN) A set of devices connected to one or more public networks, that encrypt communications amongst themselves. Effectively, the devices create a tunnel over the public network(s) as if they were connected by private lines instead. 11 2 TOE DESCRIPTION 2.1 PRODUCT TYPE The StoneGate firewall is a high availability firewall and VPN product for securing data communications and enabling continuous network connectivity. The firewall services include stateful packet filtering and application-level information flow control. The VPN services use a FIPS 140-2 cryptographic module. The StoneGate firewall is intended for use by organizations who need controlled, protected and audited access to services, both from inside and outside their organization’s network, by encrypting, allowing, denying, and/or redirecting the flow of data through the firewall. The StoneGate Firewall is the firewall component (or node) of the StoneGate product. The StoneGate product comprises a firewall engine, its operating system and data repository platform, cryptographic modules, and management system software. The firewall engine and its cryptographic module are included in the scope of the TOE. The management system and operating platforms are outside of the scope of the evaluation. To support the operations of the firewall engine, the management system includes a management server that provides a trusted interface for administrator functions, a log server to store and manage (i.e., filter, sort, archive) the log records, and a GUI to facilitate administrator access. It’s distributed architecture makes it flexible and scalable since it can run on a single or on multiple platforms, and on Windows 98, Windows NT (R) 4.0, Windows 2000, Linux, or Solaris. The firewall engine uses a hardened Linux operating system and trusted applications for single-use and reusable password authentication, and data storage. The StoneGate Firewall can operate as a single firewall or as part of a firewall cluster consisting of 2-16 firewall nodes. The firewall cluster is required for high availability of security services. Each node has internal and external network connections for which it provides its security services, and optionally can have separate management networks for connectivity to the management system and the other nodes in a cluster, i.e., management network and cluster network, respectively. See Figure 2.1 below. 12 Firewall Cluster Cluster Network Heartbeat External Network Internal Network Management & Log Server Management Network Heartbeat Traffic Network TOE: Firewall Node Figure 2.1 TOE Operating Environment 2.2 TOE SECURITY FUNCTIONS The Target of Evaluation (TOE) consists of the StoneGate Engine including the FIPS 140-2 approved SSHToolkit cryptographic module. It provides the following security services: Information Flow Control on the traffic that passes through the TOE. The TOE mediates the flow of all information that passes through its internal and external network connections to enforce the firewall security policy using: • Access rules based on the source address, destination address, transport layer protocol, application layer protocol, source port, destination port, and the interface on which the packet arrives, connection tracking, user authentication results, and the validity time. • VPN matching rules to decide whether to accept or discard encrypted and unencrypted connections. • Protocol Agents providing additional rules based on application level information and mechanisms to redirect connections. While the firewall engine supports many protocol agents, the evaluation is limited to protocol agents for FTP, HTTP, and SMTP. 13 VPN data protection between the TOE and another trusted Security Gateway (SGW). The TOE provides VPN network security services based on the IPSec protocol. This includes certificate- based authentication and data confidentiality and integrity protection using its FIPS PUB 140-2 certified cryptographic module described below. IPSec manual key exchange is an available configuration option but is not included in the evaluation. • I&A to support VPN: The TOE includes authentication mechanisms for SGWs to establish VPN connections. SGWs can authenticate with IKE, to establish a VPN connection using a certificate-based mechanism using RSA, or using pre-shared key. • Crypto Functions supporting the VPN: The TOE includes a FIPS PUB140-2 certified cryptographic module to provide the following cryptographic operations and key management services: • Cryptographic Operations: • 3DES encryption/decryption • AES encryption/decryption • RSA signature/verification • SHA-1 Secure Hash • HMAC-SHA-1 Keyed-Hash Message Authentication Code • Diffie-Hellman Key Exchange • Cryptographic Key Management: • Key generation of symmetric 3DES and AES keys • Key generation of RSA keys; • Cryptographic Key Destruction by zeroization. Network Address Translation (NAT) between external IT entities that pass traffic through the TOE ensuring the IP-address of hosts on internal networks are kept private from external users. High Availability: In case of a total node failure, failure in one component, or loss of connectivity to a network connected to a node, the firewall engine in a cluster is capable of failing over all sessions to other nodes. This provides continuous enforcement of the firewall security policy including information flow control and VPN services. Auditing: The TOE provides a means to generate audit records of security relevant events relating to the IP traffic through the firewall and firewall security policy changes. The TOE also provides a means for the authorized administrator to define the criteria used for the selection of the IP traffic events to be audited. The TOE provides mechanism to prevent audit data loss. Security Management and Protection of Security Functions: administrators access the firewall engine through the management server which provides the interface for managing the security policy and authentication attributes, the TSF data and security functions of the firewall engine. The firewall engine also ensures the trusted security functions are always invoked and cannot be bypassed. 14 2.3 TOE SCOPE AND EVALUATED CONFIGURATION As illustrated in Figure 2.2 below, the TOE boundary consists of: • The Firewall Engine software application, version 2.0.5; including: • The SSHToolkit Cryptographic module components, version 4.1.1. • Note: to verify the version and integrity of the TOE there are MD5 and SHA checksums on the Stonesoft web site, www.stonesoft.com. The TOE evaluated configuration specifies: • Connection tracking enabled; • Log spooling policy set to ‘stop traffic’; • Access to the command line interface to the Firewall Engine from the operating system is disabled as specified in the installation documentation; • VPN client policy download is disabled (consistent with the FIPS 140-2 validation); • The cryptographic module is configured to be in FIPS 140-2 mode; • The VPN policy parameters are configured to implement protocols and algorithms included in the TOE. The IT environment for the evaluated configuration includes: • TOE operating platform: Œ IBM server xSeries 330, Type 8674 Server, Œ Intel Pentium III 1133 MHz, Œ Debian GNU/Linux v.3.0 operating system, Œ Network Interface Cards, Fast Ethernet or Gigabit Ethernet Interfaces to support architecture defined below. The cards must be based on the Intel 82557, 82558 or 82559 chipset. The card used in the evaluated configuration is the IBM eServer xSeries 10/100 Ethernet Adapter. • StoneGate Firewall Management System and supporting software, version 2.0: Œ the management server, Œ the log server; Œ the Graphical User Interface (GUI), Œ OpenSLL, SSLeay 1995-1998, FIPs PUB 140-2 certified and OpenSSH (neither are required for security functions), Œ OpenLDAP client and server, version 2.3, 28 July 2000, • Architecture and System support: Œ 1 internal and 1 external network interface, Œ 1 cluster network interface, Œ 1 management network interface, Œ a second TOE to form a cluster, Œ a third TOE used as a Security Gateway for VPN functionality. 15 Figure 2.2 TOE Boundary and IT Environment Linux O/S Hardware including Intel Pentium III LDAP client and server SSH Toolkit Cryptographic Module SSL & SSH Card External Network 2nd Firewall Node GUI, Management & Log Server Internal Network Cluster Network Management Network Firewall Engine SGW TOE Boundary Key: Network Card 16 3 TOE SECURITY ENVIRONMENT The TOE provides appropriate security to process unclassified or sensitive but unclassified information in the Mission-Critical Categories. Mission-Critical Categories refer to DoD systems that handle information vital to the operational readiness or mission effectiveness of deployed and contingency forces in terms of both content and timeliness. It is assumed that the threat to information designated as Mission-Critical, by nature, is greater and subject to greater risk for disclosure and/or corruption by unauthorized parties as indicated by the assumption A.MODEXP. Information and information systems in the Mission-Critical Categories must maintain the appropriate level of confidentiality, integrity, availability, authentication, and non- repudiation based on the sensitivity of the information handled. To ensure the security of Mission- Critical Categories of information, vulnerability analysis is done by both the developer and the evaluator of the TOE to determine that it is resistant to penetration attacks performed by attackers possessing a moderate attack potential. This level of testing is defined by AVA_VLA.3. Additionally, in order to ensure protection of Mission-Critical information, more detailed product information is required from the vendor to facilitate more thorough analysis. This requirement is indicated by ADV_HLD.2, ADV_IMP.1, and ADV_LLD.1. For all Federal agencies, including Department of Defense agencies, for the use of cryptographic modules in the protection of sensitive but unclassified information, compliance with FIPS PUB 140- 2 is required. The TOE uses a FIPS PUB 140-2 level 1 compliant cryptographic module to provide cryptographic operations to support the VPN service. This section identifies the following: • Secure usage assumptions, • Organizational security policies, and • Threats to Security 3.1 SECURE USAGE ASSUMPTIONS A.ADMIN_ACCESS: Administrator Access Support Provided by the IT Environment The administrator accesses the TOE via the trusted management server on a trusted and separate management network. The administrator identifies and authenticates to the management server application. A.ADMINTRUSTED: Administrator Attributes Authorized Administrators are trained, qualified, non-hostile and follow all guidance. Application Note: If a Value Added Reseller installs the TOE, the user must establish that A.ADMINTRUSTED is applicable to the VAR. The user may also reinstall the TOE and verify its integrity using the checksums on the Stonesoft web site, www.stonesoft.com. A.AUDITMAN: Environment Audit Procedures Procedures shall exist to ensure that the audit trails are regularly analysed and archived. 17 A.AUDIT_SUPPORT: Audit Support Provided by the IT Environment The IT environment shall generate audit records for the security functions on which the TOE depends on from its environment. It will also provide protected permanent storage of the audit trails generated by the TOE, and it will also provide reliable timestamps for the audit records. A.MEDIAT_SUPPORT: Information Flow Control Support Provided by the IT Environment The IT environment of the TOE must ensure that information can not flow among the internal and external networks unless it passes through the TOE, and it must provide residual information protection for those packets. It must also provide secure storage of and access to the network security policy and user authentication data, and it must provide a reliable timestamp to support time-based information flow control decisions. A.MODEXP: Attack Level The threat of malicious attacks aimed at discovering exploitable vulnerabilities is considered moderate. A.OPERATING_ENVIRONMENT: General IT Environment Support The node on which the TOE runs and the TOE’s associated management servers and management networks are dedicated to the trusted firewall system, function according to their specifications, and are physically secure, only allowing trusted administrators physical access. A.SELPRO: Self Protection Support Provided by the IT Environment The IT environment of the TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with its security functions. A.SHAREDSECRETKEY: Shared Secret Key Management The key used for Shared Secret SGW authentication will be generated and entered in the TOE in accordance with organization security policies and follow the guidance provided in the Administrator and User Guides. The key size must be greater than or equal to 10 bytes. The destruction of the key will be in accordance with the organization security policies and follow the guidance provided in the Administrator and User Guides. A.USER_AUTH: User Authentication for Information Flow Control The IT environment must provide a user authentication mechanisms for the TOE to use when the firewall security policy requires users to authenticate before information can flow between the internal and external networks. 3.2 ORGANIZATIONAL SECURITY POLICIES P.CRYPTO: Crypto Services The TOE shall use a cryptographic module for its cryptographic operations and associated key management that are compliant with FIPS PUB 140-2 (level 1). 3.3 THREATS TO SECURITY The threat agents are either unauthorized persons or external IT entities not authorized to use the TOE itself. The IT assets to be protected comprise the information and resources of the network being protected. 18 T.AUDIT_UNDETECTED: Audit Events Go Undetected A threat agent may attempt to compromise the assets without being detected. This threat includes a threat agent causing audit records to be lost or prevent future records from being recorded by taking actions to exhaust audit storage capacity, thus masking an attackers actions. T.MEDIAT: Information Flow Control An unauthorized person may send impermissible information through the TOE which results in the exploitation and/or compromise of IT assets. This threat includes an unauthorized person attempting to by-pass the information flow control policy by sending an IP packet with a fake source address. T.NOAUTH: Authorization An unauthorized person may attempt to bypass the security of the TOE, e.g., using a masquerade attack, so as to access the VPN security functions provided by the TOE. T.NODE_FAILURE: Denial of Service Prevention A failure of a node or a network connection to a node caused by a threat agent or due to the normal lifecycle of components could cause denial of service making IT assets not available. T.SECURE_CONNECTION_COMPROMISE: VPN Compromise A threat agent may attempt to read and/or modify data transmitted between the TOE and another Security Gateway (SGW). T.SELPRO: Self Protection An unauthorized person may access TOE management functions, and read, modify, or destroy security critical TOE data. 19 4 SECURITY OBJECTIVES 4.1 SECURITY OBJECTIVES FOR THE TOE O.AUDIT: Detect and Record Audit Events The TOE must provide a means to accurately detect and record security-relevant events in audit records, and prevent audit data loss by prioritizing and preventing security-relevant events when the audit storage capacity fills. O.CRYPTOSERVICES: Cryptographic Services The TOE shall provide cryptographic operations to support the VPN services and its associated key management functions using a cryptographic module that is FIPS 140-2 level 1 compliant. O.HIGHAVAILABILITY: High Availability The TOE when operating as part of a firewall cluster must provide high availability of information flow control and VPN services, ensuring continuation of service when firewall nodes or their interfaces fail. O.IDAUTH: I&A The TOE must uniquely identify and authenticate the claimed identity of SGWs before granting access to VPN functions. O.MEDIAT: Information Flow Control The TOE must mediate the flow of all information between users and external IT entities, including SGWs, on the internal and external networks connected to the TOE in accordance with its security policy. O.NETADDRHIDE: Hide Internal Network Addresses The TOE must provide a means to hide the IP addresses of hosts on its internal network. O.SECFUN: Management Functions The TOE must provide a means for an administrator via the management server to manage the TOE security functions. O.SELPRO: Self Protection The TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with TOE security functions. O.VPN: Virtual Private Network Services The TOE must be able to protect the confidentiality of data transmitted between itself and SGWs via the use of encryption. The TOE must also be able to protect the integrity of data transmitted to a SGW and verify that the received data accurately represents the data that was originally transmitted via the use of encryption. 20 4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT The following lists the security objectives for the environment. O.E.ADMIN_ACCESS: Administrator Access Support Provided by the IT Environment The administrator accesses the TOE via the trusted management server on a trusted and separate management network. The administrator identifies and authenticates to the management server application. O.E.ADMINTRUSTED: Administrator Attributes Authorized Administrators are trained, qualified, non-hostile and follow all guidance. O.E.AUDITMAN: Environment Audit Procedures Procedures shall exist to ensure that the audit trails are regularly analysed and archived. O.E.AUDIT_SUPPORT: Audit Support Provided by the IT Environment The IT environment shall generate audit records for the security functions on which the TOE depends on from its environment. It will also provide protected permanent storage of the audit trails generated by the TOE, and it will also provide reliable timestamps for the audit records. O.E.MEDIAT_SUPPORT: Information Flow Control Support Provided by the IT Environment The IT environment of the TOE must ensure that information can not flow among the internal and external networks unless it passes through the TOE, and it must provide residual information protection for those packets. It must also provide secure storage of and access to the network security policy and user authentication data, and it must provide a reliable timestamp to support time-based information flow control decisions. O.E.MODEXP: Attack Level Protection The TOE must demonstrate that it meets all of the assurance requirements defined in EAL4 augmented with ALC_FLR.1 and AVA_VLA.3 in Part 3 of the CC. This means the TOE must be methodically designed, tested, and reviewed, and has undergone an independent vulnerability analysis to determine that it is resistant to penetration attacks performed by an attacker possessing a moderate attack potential. O.E.OPERATING_ENVIRONMENT: General IT Environment Support The node on which the TOE runs and the TOE’s associated management servers and management networks are dedicated to the trusted firewall system, function according to their specifications, and are physically secure, only allowing trusted administrators physical access. O.E.SELPRO: Self Protection Support Provided by the IT Environment The IT environment of the TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with its security functions. O.E.SHAREDSECRETKEY: Shared Secret Key Management The key used for Shared Secret SGW authentication will be generated and entered in the TOE in accordance with organization security policies and follow the guidance provided in the Administrator and User Guides. The key size must be greater than or equal to 10 bytes. The destruction of the 21 key will be in accordance with the organization security policies and follow the guidance provided in the Administrator and User Guides. O.E.USER_AUTH: User Authentication for Information Flow Control The IT environment must provide a user authentication mechanisms for the TOE to use when the firewall security policy requires users to authenticate before information can flow between the internal and external networks. 22 5 IT SECURITY REQUIREMENTS 5.1 TOE SECURITY FUNCTIONAL REQUIREMENTS This section contains the security functional requirements (SFRs) for the TOE, listed in Table 5.1. The following are the conventions used for the operations applied to the Security Functional Requirements: • Assignment – allows the specification of an identified parameter. Assignments are indicated by showing the value in square brackets, [assignment value]. • Selection – allows the specification of one or more elements from a list. Selections are indicated using italics in square brackets, [selection value]. • Refinement – allows the addition of detail to a requirement. Refinements are indicated using bold, refinement. • Iteration – allows a component to be used more than once with varying operations. Iteration is indicated by a plus sign and a number at the end of the component and additional text after the component name, e.g., FCS_COP.1+1 Cryptographic key generation: 3DES. Table 5.1 – Functional Components No. Component Component Name Class FAU: 1. FAU_GEN.1-NIAP- 0410+1 Audit data generation: TOE 2. FAU_SEL.1 Selective Audit 3. FAU_STG.NIAP- 0414 Site-Configurable Prevention of audit loss Class FCS: Cryptographic support 4. FCS_CKM.1+1 Cryptographic key generation: 3DES 5. FCS_CKM.1+2 Cryptographic key generation: AES 6. FCS_CKM.1+3 Cryptographic key generation: RSA 7 FCS_CKM.4 Cryptographic key destruction 8. FCS_COP.1+1 Cryptographic operation: 3DES 9. FCS_COP.1+2 Cryptographic operation: AES 10. FCS_COP.1+3 Cryptographic operation: HMAC-SHA-1 11. FCS_COP.1+4 Cryptographic operation: RSA 12. FCS_COP.1+5 Cryptographic operation: Diffie-Hellman 13. FCS_COP.1+6 Cryptographic operation: SHA-1 Class FDP: User Data Protection 14. FDP_IFC.1 Subset information flow control 23 15. FDP_IFF.1-NIAP- 0407 Simple security attributes 16. FDP_UCT.1 Basic data exchange confidentiality 17. FDP_UIT.1 Data exchange integrity Class FIA: Identification and Authentication 18. FIA_UAU.5+1 Multiple authentication mechanisms: For SGWs Class FMT: Security Management 19. FMT_MSA.1 Management of security attributes 20. FMT_MSA.2 Secure security attributes 21. FMT_MSA.3 Static attribute initialization 22. FMT_MTD.1 Management of TSF data 23. FMT_SMF.1 Specification of management functions 24. FMT_SMR.1 Security roles Class FPT: Protection of the TOE Security Functions 25. FPT_FLS.1 Failure with preservation of secure state 26. FPT_RVM.1+1 Non-bypassability of the TSP: TOE 27. FPT_SEP_EXP.1 TSF domain separation for software TOE Class FRU: Resource Utilization 28. FRU_FLT.2 Limited fault tolerance Class FTP: Trusted path/channels 29. FTP_ITC.1 Inter-TSF trusted channel 5.1.1 FAU – Audit FAU_GEN.1-NIAP-0410+1 Audit data generation: TOE FAU_GEN.1.1-NIAP-0410+1 - The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the [not specified] level of audit; and c) [the events in Table 5.2]. FAU_GEN.1.2-NIAP-0410+1 - The TSF shall record within each audit record at least the following information: d) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [information specified in column three in Table 5.2]. Table 5.2 – TOE Auditable Events Functional Component Auditable Event Additional Audit Record Contents FAU_STG.NIAP-0414 Actions taken due to the audit storage failure. None 24 FDP_IFF.1-NIAP-0407 All decisions on requests for information flow except denial of packets with the IP source route option set, (i.e., the TOE denies all source route packets but does not record the denial in the audit log.) Source IP address of request FDP_UCT.1 FDP_UIT.1 The identity of any user or subject using the data exchange mechanisms. None FIA_UAU.5+1 Success or failure of IKE negotiation. Source IP address of request FMT_SMF.1 8VHRIWKHPDQDJHPHQW IXQFWLRQV:KHQDFKDQJHLV PDGHYLDWKHPDQDJHPHQW VHUYHUWKHPDQDJHPHQWVHUYHU JHQHUDWHVDXGLWUHFRUGVRIWKLV FKDQJH7KH72(UHFRUGVWKDWD FKDQJHKDVEHHQPDGHDQG LQFOXGHVWKHLGHQWLILHURIWKH PDQDJHPHQWVHUYHUUHFRUG Policy identifier (which is the reference to the management audit record. FPT_FLS.1 Failure from security policy not being recognized, and loss of connectivity to user or management networks. None FTP_ITC.1 Failure of the trusted channel functions. Identifier of Peer Gateway FAU_SEL.1 Selective Audit FAU_SEL.1.1 The TSF shall be able to include or exclude auditable events from the set of audited events based on the following attributes: [ a) user identity, subject identity, event type b) all attributes used for the rules defined in FDP_IFF.1.1-NIAP-0407 except TOE interface on which traffic arrives.] FAU_STG.NIAP-0414 Site-Configurable Prevention of Audit Loss FAU_STG.NIAP-0414-1. The TSF shall provide the administrator the capability to select one or more of the following actions [prevent auditable events, except those taken by the authorised user with special rights] and [the capability to prioritize auditable events that get spooled on the local node while space is available on the node: • Alert: Generated with an alert status and are always stored. • Essential: Always generated even if the firewall engine is running out of disk space. • Stored: Stored to the audit log database if alert and essential log entries have already been stored. • Transient: Not stored to database but kept in firewall log cache. ] to be taken if the audit trail is full. 25 FAU_STG.NIAP-0414-2. The TSF shall [prevent auditable events] if the audit trail is full and no other action has been selected. 5.1.2 FCS – Cryptographic Support FCS_CKM.1+1 Cryptographic key generation: 3DES FCS_CKM.1+1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [Triple Data Encryption Standard (3DES) in TCBC mode and Keying Option 1: Three-key Triple DES] and specified cryptographic key sizes [168 bits] that meet the following: [FIPS 46-3 and FIPS 140-2 level 1]. FCS_CKM.1+2 Cryptographic key generation: AES FCS_CKM.1+2.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [Advanced Encryption Standard (AES) in CBC] and specified cryptographic key sizes [128 bits] that meet the following: [FIPS 197 and FIPS 140-2 level 1]. FCS_CKM.1+3 Cryptographic key generation: RSA FCS_CKM.1+3.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [RSA] and specified cryptographic key sizes [512-2048 bits] that meet the following: [PKCS#1 and FIPS 140-2 level 1 ]. FCS_CKM.4 Cryptographic key destruction FCS_CKM.4.1 - The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [which zeroizes all plaintext cryptographic keys] that meets the following: [FIPS 140-2, level 1]. FCS_COP.1+1 Cryptographic operation: 3DES FCS_COP.1+1.1 The TSF shall perform [ a) IPSec Security Association data encryption/decryption specified by IKE in RFC 2409 as defined in the TOE security policy; and b) IPSec ESP bulk data encryption/decryption specified in RFC 2406 as defined in the TOE security policy ] in accordance with a specified cryptographic algorithm [Triple Data Encryption Standard (3DES) in TCBC mode and Keying Option 1: Three-key Triple DES] and cryptographic key sizes [168 bits] that meet the following: [ FIPS 46-3 and FIPS 140-2 level 1]. FCS_COP.1+2 Cryptographic operation: AES FCS_COP.1+2.1 The TSF shall perform [ a) IPSec Security Association data encryption/decryption specified by IKE in RFC 2409 as defined in the TOE security policy; and 26 b) IPSec ESP bulk data encryption/decryption specified in RFC 2406 as defined in the TOE security policy ] in accordance with a specified cryptographic algorithm [Advanced Encryption Standard (AES) in CBC mode] and cryptographic key sizes [128 bits] that meet the following: [FIPS 197 and FIPS 140-2 level 1]. FCS_COP.1+3 Cryptographic operation: HMAC-SHA-1 FCS_COP.1+3.1 The TSF shall perform [ a) Keyed secure hash computation used in authentication with a pre-shared key as specified by IKE in RFC 2409 as defined in the TOE security policy; b) Keyed secure hash computation used in authentication with digital signature and verification using RSA as specified by IKE in RFC 2409 as defined in the TOE security policy; and c) Keyed secure hash computation used in IPSec ESP specified in RFC 2406, as defined in the TOE security policy] in accordance with a specified cryptographic algorithm [HMAC-SHA-1] and cryptographic key sizes [>= 10 bytes] that meet the following: [ FIPS 198 and FIPS 140-2 level 1]. Application note: FIPS 198 states ‘the size of the key, K, shall be equal to or greater than L/2, where L is the size of the hash function output’. This implies a key size of at least 10 bytes since the size of the SHA-1 output is 20 bytes. This also implies that pre- shared keys should be at least 10 bytes, as specified in A.SHAREDSECRETKEY. FCS_COP.1+4 Cryptographic operation: RSA FCS_COP.1+4.1 The TSF shall perform [authentication with digital signature and verification as specified by IKE in RFC 2409 as defined in the TOE security policy] in accordance with a specified cryptographic algorithm [RSA] and cryptographic key sizes [512 - 2048 bits] that meet the following: [PKCS#1 and FIPS 140-2 level 1]. FCS_COP.1+5 Cryptographic operation: Diffie-Hellman FCS_COP.1+5.1 The TSF shall perform [IPSec IKE key establishment specified in RFC 2409] in accordance with a specified cryptographic algorithm [Diffie-Hellman] and cryptographic key sizes[IKE group 1 = 768 bits, group 2 = 1024 bits, and group 5 has a modulus of 1536 bits] that meet the following: [RFC 2409, VPNC conformance and FIPS 140-2 level 1]. FCS_COP.1+6 Cryptographic operation: SHA-1 FCS_COP.1+6.1 The TSF shall perform [secure hash computation] in accordance with a specified cryptographic algorithm [SHA-1] and cryptographic key sizes [N/A] that meet the following: [ FIPS 180-2 and FIPS 140-2 level 1]. 27 5.1.3 FDP – User Data Protection FDP_IFC.1 –Subset Information Flow Control FDP_IFC.1.1 The TSF shall enforce the [Firewall Information Flow Control SFP] on [ a) subjects: external IT entities that send and receive information through the TOE to one another, and human users; b) information: TCP, UDP, ICMP, IPSec connections over IP sent through the TOE from one subject to another; c) operations: pass information and initiate the following services: VPN, NAT, authentication check, and opening related connections.] FDP_IFF.1-NIAP-0407– Simple Security Attributes FDP_IFF.1.1-NIAP-0407 The TSF shall enforce the [Firewall Information Flow Control SFP] based on the following types of subject and information security attributes: [ a) subject security attributes: • presumed address; • port • user identity b) information security attributes: • presumed address of source subject; • presumed address of destination subject; • TOE interface on which traffic arrives; • transport layer protocol information • service (protocol and port); • time/date of service request.] FDP_IFF.1.2-NIAP-0407 The TSF shall permit an information flow between a controlled subject and another controlled subject via a controlled operation if the following rules hold: [ • When the ‘matching part’ of the rules in the rule base matches the information security attribute values and the ‘action part’ of the matched rule is ‘allow’. The rules may be 28 composed from all possible combinations of the values of the information security attributes, created by the authorized administrator, and • When the ‘matching part’ of the rules in the rule base matches the information security attribute values and the ‘action part’ of the matched rule is ‘allow’ and the ‘authentication matching’ is defined in the rule, as specified in FDP_IFF.1.3-NIAP-0407, is successful. The rules may be composed from all possible combinations of the values of the information security attributes, created by the authorized administrator, and • When the ‘matching part’ of the rules in the rule base matches the information security attribute values and the ‘action part’ of the matched rule is ‘allow’ and option or match of the matched rule specifies ‘vpn’, and the ‘VPN matching’ rules defined in FDP_IFF.1.3-NIAP- 0407 are successful. The rules may be composed from all possible combinations of the values of the information security attributes, created by the authorized administrator.] FDP_IFF.1.3-NIAP-0407 The TSF shall enforce the [following additional information flow control rules: • Authentication matching – when a match in a rule requires authentication, if the user identity is successfully authenticated by the external authentication method defined in the rule authentication matching will return a succeed to the rules defined in FDP_IFF.1.2-NIAP-0407 and FDP_IFF.1.6- NIAP-0407, else it will return a fail; • VPN matching – if the connection arrived from the VPN specified (via IP address) in the rule or if the TOE can send it via the specified VPN, VPN matching will return a succeed to the rule defined in FDP_IFF.1.2-NIAP-0407 and FDP_IFF.1.6-NIAP-0407, else it will return a fail; and • Source route protection - the TOE shall reject requests in which the subject specifies the route in which information shall flow en route to the receiving subject.] FDP_IFF.1.4-NIAP-0407 The TSF shall provide the following [additional capabilities: • To support NAT, static IP address translation will translate the source and/or destination IP address to another IP address as defined in the rule. • To support VPN the TOE will attempt to initiate a VPN tunnel based on VPN option specified in the rule and definitions of VPN tunnels in the security policy; • To support authentication matching, the TSF initiates a request to the authentication service specified by the rule to obtain the authentication of the identity. • When configured, the TOE will redirect FTP packets, based on RFC 959, to a proxy type of software • When configured, the TOE will redirect SMTP, based on RFC 821, packets to a proxy type of software, • When configured, the TOE will redirect HTTP, based on RFC 2616, packets to a proxy type of software.] FDP_IFF.1.5-NIAP-0407 The TSF shall explicitly authorise an information flow based on the following rules: [no explicit authorization rules]. FDP_IFF.1.6-NIAP-0407 The TSF shall explicitly deny an information flow based on the following rules: [ • When the ‘matching part’ of the rules in the rule base matches the information security attribute values and the ‘action part’ of the matched rule is ‘discard or refuse’. The rules may be composed from all possible combinations of the values of the information security attributes, created by the authorized administrator; and • When the ‘matching part’ of the rules in the rule base matches the information security attribute values and the ‘authentication matching’ is defined in the rule, as specified in FDP_IFF.1.3-NIAP- 29 0407, fails. The rules may be composed from all possible combinations of the values of the information security attributes, created by the authorized administrator; and • When the ‘matching part’ of the rules in the rule base matches the information security attribute values and the option or match of the matched rule specifies ‘vpn’, and the ‘VPN matching’ rules defined in FDP_IFF.1.3-NIAP-0407 fail. The rules may be composed from all possible combinations of the values of the information security attributes, created by the authorized administrator; and • The following rules can be deduced from the above rules but are explicitly included for clarity: - The TOE shall reject requests for access or services where the information arrives on an external TOE interface, and the presumed address of the source subject is an external IT entity on an internal network; - The TOE shall reject requests for access or services where the information arrives on an internal TOE interface, and the presumed address of the source subject is an external IT entity on the external network; - The TOE shall reject requests for access or services where the information arrives on either an internal or external TOE interface, and the presumed address of the source subject is an external IT entity on a broadcast network; - The TOE shall reject requests for access or services where the information arrives on either an internal or external TOE interface, and the presumed address of the source subject is an external IT entity on the loopback network.] FDP_UCT.1 Basic data exchange confidentiality FDP_UCT.1.1 The TSF shall enforce the [Firewall Information Flow Control SFP] to be able to [transmit and receive] objects in a manner protected from unauthorised disclosure. FDP_UIT.1 Data exchange integrity FDP_UIT.1.1 The TSF shall enforce the [Firewall Information Flow Control SFP] to be able to [transmit and receive] user data in a manner protected from [modification, insertion, or replay] errors. FDP_UIT.1.2 The TSF shall be able to determine on receipt of user data, whether [modification, insertion or replay] has occurred. 5.1.4 FIA – Identification and Authentication FIA_UAU.5+1 Multiple authentication mechanisms : For SGWs FIA_UAU.5+1.1 The TSF shall provide [ a) Certificate-based b) IKE authentication with Pre-shared key]. 30 to support user authentication. FIA_UAU.5+1.2 The TSF shall authenticate any user’s claimed identity according to the [the mechanism defined in the VPN Policy authentication parameters; and the following rules: a) SGWs must be authenticated before granting access to VPN services; b) The TSF performs no authentication on External IT entities or human users initiating information flow through the TOE. When required by the Firewall Security Policy the TOE depends on the mechanisms from its IT environment, defined in FIA_UAU.5+2, to authenticate these users.] 5.1.5 FMT – Security Management FMT_MSA.1 Management of security attributes FMT_MSA.1.1 The TSF shall enforce the [Firewall Information Flow Control SFP] to restrict the ability to [modify] the security attributes [ a) Attributes from a rule in the firewall security policy; b) The rules in the firewall security policy.] to [the management server]. FMT_MSA.2 Secure security attributes FMT_MSA.2.1 The TSF shall ensure that only secure values are accepted for security attributes. FMT_MSA.3 Static Attribute Initialization FMT_MSA.3.1 The TSF shall enforce the [Firewall Information Flow Control SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP. FMT_MSA.3.2 The TSF shall allow the [none] to specify alternative initial values to override the default values when an object or information is created. FMT_MTD.1 Management of TSF data FMT_MTD.1.1 The TSF shall restrict the ability to [access as listed in Table 5.3] the [data list in Table 5.3] to [roles in Table 5.3]. Table 5.3 – TSF Data Management TSF DATA Management Server Access Other Users 31 Auditable events, log levels, and log spool policy; modify none Security policy attributes modify None NAT IP address translation table; modify none actions to be taken in case of audit storage failure; modify none IP address for SGWs for VPN services; modify , delete none For cluster definition for high availability including: • Interface data: NIC number mapping the stonegate interface number to the physical network address, CVI, NDI internal IP address and mask, NDI specifying interface network type (management, heartbeat, outgoing); • Network element data: cluster name, management server ID, Log server ID; • Routing information. modify , delete none Cryptographic key management attributes; modify , delete none The VPN Policy Parameters: • Confidentiality parameters • Integrity parameters; • Authentication parameters. modify , delete none FMT_SMF.1 Specification of Management Functions FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: [ a) Defining auditable events for information flow control auditing; b) Defining Log Spool Policy; c) Configuring access for management server interface for administrator; d) Configuring cluster definition for high availability with the following: 32 • Interface data: NIC number mapping the StoneGate interface number to the physical network address, CVI, NDI internal IP address and mask, NDI specifying interface network type (management, heartbeat, outgoing); • Network element data: cluster name, management server ID, Log server ID • Routing information. e) The VPN Policy Parameters including specifying cryptographic operations and the associated key management functions; f) Configuring Firewall Information Flow policy including NAT, VPN matching, authentication matching; g) Configuring information for SGW authentication for VPN access (i.e., IP addresses).] FMT_SMR.1 Security roles FMT_SMR.1.1 - The TSF shall maintain the roles [management server]. FMT_SMR.1.2 - The TSF shall be able to associate users with roles. 5.1.6 FPT – Protection of the TOE Security Functions FPT_FLS.1 Failure with preservation of secure state FPT_FLS.1.1 The TSF shall preserve a secure state when the following types of failures occur: [ a) node hardware malfunction; b) security policy not recognized; c) interface to internal, external, management or cluster networks.] FPT_RVM.1+1 Non-bypassability of the TSP: TOE FPT_RVM.1+1.1 - The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed. FPT_SEP_EXP.1 TSF domain separation for software TOE FPT_SEP_EXP.1.1 The TSF shall maintain a security domain that protects it from interference and tampering by untrusted subjects initiating actions through its own TSFI. 33 FPT_SEP_EXP.1.2 The TSF shall enforce separation between the security domains of subjects in the TOE Scope of Control. 5.1.7 FRU – Resource Utilization FRU_FLT.2 Limited fault tolerance FRU_FLT.2.1 The TSF shall ensure the operation of all the TOE’s capabilities when the following failures occur :[ a) node hardware malfunction; b) security policy not recognized; c) interface to internal, external, management or cluster networks.] 5.1.8 FTP – Trusted path/channels FTP_ITC.1 Inter-TSF trusted channel FTP_ITC.1.1 The TSF shall provide a communication channel between itself and a remote trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure. FTP_ITC.1.2 The TSF shall permit [the TSF or SGW] to initiate communication via the trusted channel. FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [VPN service]. 5.1.9 Strength of Function Requirement There is no strength of function requirement for the TOE since there are no security functions realized by a probabilistic or permutational mechanism. 5.2 SECURITY FUNCTIONAL REQUIREMENTS FOR THE IT ENVIRONMENT FAU_GEN.1-NIAP-0410+2 Audit data generation: environment FAU_GEN.1-NIAP-0410+2.1 The IT environment shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; 34 Application note: the start-up and shutdown of the audit functions is provided jointly by the TOE and its environment, reflected in (FAU_GEN.1.1). b) All auditable events for the [not specified] level of audit; and c) [see table 5.4 below]. FAU_GEN.1-NIAP-0410+2.2 The IT environment shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [events specified in column three in Table 5.4] Table 5.4 – Management Server Auditable Events Functional Component Auditable Event Additional Audit Record Contents FAU_SEL.1 All modifications to the audit configuration that occur while the audit collection functions are operating. Identity of authorized administrator performing event. FAU_STG.NIAP- 0414 Selection of an action to be taken when there is an audit storage failure. Identity of authorized administrator performing event FMT_MSA.1 All modifications of the values of security attributes None FMT_MSA.2 All offered and rejected values for a security attribute. None FMT_MSA.3 Modifications of the default setting of permissive or restrictive rules. None FMT_MTD.1 All modifications to the values of TSF data None FMT_SMF.1 8VHRIWKHPDQDJHPHQWIXQFWLRQV None FMT_SMR.1 Modifications to the group of users that are part of a role; None FAU_STG.1-NIAP-0423 Protected audit trail storage FAU_STG.1.1-NIAP-0423: The IT environment shall protect the stored audit records in the audit trail from unauthorised deletion.  FAU_STG.1.2-NIAP-0423 The IT environment shall be able to [prevent] unauthorised modifications to the audit records in the audit trail. 35 FDP_RIP.1 Subset residual information protection: Operating platform FDP_RIP.1.1 The IT environment shall ensure that any previous information content of a resource is made unavailable upon the [allocation of the resource to or deallocation of the resource from] the following objects: [packets of data transmitted to and from the TOE]. FIA_UAU.5+2 Multiple authentication mechanisms: Environment FIA_UAU.5+2.1 - The IT environment shall provide [reusable password, single-use password, and certificate-based mechanisms] to support user authentication. FIA_UAU.5+2.2 - The IT environment shall authenticate any user’s claimed identity according to the [following multiple authentication mechanism rules: a) single-use password or reusable password authentication mechanism shall be used for human users initiating information flow through the TOE as defined by the Firewall Security Policy rules before allowing any other TSF-mediated actions on behalf of that human user; Application note: It’s recommended this mechanism be a single-use password mechanism. b) no authentication mechanism is necessary for Peer TOEs in a cluster when access is over a trusted network; c) administrators use a reusable password to authenticate to the trusted management server; d) no authentication mechanism is necessary for the trusted management server when access is over a trusted network.] FPT_RVM.1+2 Non-bypassability of the TSP: Operating platform FPT_RVM.1+2.1 - The IT environment shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed. FPT_SEP_ENV.1 IT Environment domain separation for Software TOE FPT_SEP_ENV.1.1 The IT Environment shall provide hardware and operating system services that ensure that all packets that arrive on the network interface card of the node are passed to the TSFI in a manner that protects them from interference and tampering by untrusted subjects. 36 FPT_STM.1 Reliable time stamps FPT_STM.1.1 The IT environment shall be able to provide reliable time stamps for its own use. 5.3 TOE SECURITY ASSURANCE REQUIREMENTS The Security Assurance Requirements for the TOE are the assurance components of Evaluation Assurance Level 4 (EAL4) augmented with ALC_FLR.1, Basic flaw remediation and AVA_VLA.3, Developer vulnerability analysis. 37 Table 5.5 - Assurance Components Assurance Class Assurance Component ID Assurance Component Name Configuration Management ACM_AUT.1 Partial CM automation ACM_CAP.4 Generation support and acceptance procedures ACM_SCP.2 Problem tracking CM coverage Delivery and Operation ADO_DEL.2 Detection of modification ADO_IGS.1 Installation, generation, and start-up procedures Development ADV_FSP.2 Fully defined external interfaces ADV_HLD.2 Security enforcing high-level design ADV_IMP.1 Subset of the implementation of the TSF ADV_LLD.1 Descriptive low-level design ADV_RCR.1 Informal correspondence demonstration ADV_SPM.1 Informal TOE security policy model Guidance Documents AGD_ADM.1 Administrator guidance AGD_USR.1 User guidance Life Cycle Support ALC_DVS.1 Identification of security measures ALC_FLR.1 Basic flaw remediation (augmentation) ALC_LCD.1 Developer defined life-cycle model ALC_TAT.1 Well-defined development tools Tests ATE_COV.2 Analysis of coverage ATE_DPT.1 Testing: high-level design ATE_FUN.1 Functional testing ATE_IND.2 Independent testing – sample Vulnerability Assessment AVA_MSU.2 Validation of analysis AVA_SOF.1 Strength of TOE security function evaluation AVA_VLA.3 Moderately resistant (augmentation) Further information on these assurance components can be found in the Common Criteria for Information Technology Security Evaluation (CCITSE) Part 3. 38 6 TOE SUMMARY SPECIFICATION This section provides a high-level description of the security functions and assurance measures provided by the TOE to meet the requirements specified in Section 5. 6.1 IT SECURITY FUNCTIONS The following table identifies the IT Security Functions provided by the TOE and their associated TOE functional requirements. Table 6.1 – Security Functions mapped to Security Functional Requirements TOE Security Function Sub-function Sub-function Description Requirement Requirement Name FAU_GEN.1- NIAP-0410+1 Audit Data Generation:TOE AU-1 Audit Selection and Generation FAU_SEL.1 Selective Audit Audit AU-2 Preventing Audit Data Loss FAU_STG.NIAP- 0414 Site-Configurable Prevention of Audit Loss FCS_COP.1+1-6 Cryptographic Operation: 3DES, AES, HMAC-SHA- 1, RSA, Diffie- Hellman, SHA-1. FCS_CKM.1+1-3 Cryptographic key generation: 3DES, AES, RSA. Cryptographic Functionality CRYPTO-1 Cryptographic Support FCS_CKM.4 Cryptographic key destruction FDP_IFC.1 Subset information flow control DPROT-1 Information Flow Control FDP_IFF.1-NIAP- 0407 Simple security attributes FDP_UCT.1 Basic data exchange confidentiality FDP_UIT.1 Data exchange integrity DPROT-2 VPN User Data Protection FTP_ITC.1 Inter-TSF trusted channel FDP_IFC.1 Subset information flow control User Data Protection DPROT-3 Network Address Translation FDP_IFF.1-NIAP- 0407 Simple security attributes High Availability HA-1 High Availability FPT_FLS.1 Failure with preservation of secure state 39 FRU_FLT.2 Limited fault tolerance I&A I&A-1 Identification & Authentication FIA_UAU.5+1 Multiple authentication mechanisms: For SGWs FMT_MSA.1 Management of security attributes FMT_MSA.2 Secure security attributes FMT_MSA.3 Static attribute initialization FMT_MTD.1 Management of TSF Data FMT_SMF.1 Specification of Management Functions SECMAN-1 Management of TOE Functions and Data FMT_SMR.1 Security roles FPT_RVM.1+1 Non-bypassability of the TSP: TOE Security Management and Protection of Security Functions SECMAN-2 Self-protection FPT_SEP_EXP.1 TSF domain separation for software TOE 6.1.1 Audit The Audit security functional requirements include audit selection and generation, and preventing audit data loss. 6.1.1.1 Audit Selection and Generation (AU-1) The TOE provides an audit mechanism that cannot be disabled. The startup and shutdown of the audit function is synonymous with the start-up and shutdown of the TOE. The set of potential audit events and record information are defined in FAU_GEN.1-NIAP-0410+1. The audit mechanism is the ‘logging’ operation which is triggered using the logging option of a rule in the firewall security policy. The TOE applies the matching mechanism for packet filtering (see DPROT-1) and for each match a logging option can be defined that generates an audit record. In addition to the logging operation, the TOE provides an audit record when the firewall security policy (i.e., active file) changes. When the TOE receives new firewall security policy it generates an audit 40 record identifying the date, time, and configuration identification. Note, the audit record generated by the TOE for component FMT_SMF.1 provides the link between the two sets of audit records. The TOE relies on the operating system to provide the time for the audit records and for the management server to generate audit records providing the details on the use of the security management functions. 6.1.1.2 Preventing Audit Data Loss (AU-2) The TOE provides a mechanism to prevent audit data loss. TOE audit entries are first stored on cache buffers on each node. The size of this cache depends on the size of the hard disk. The proprietary protocol for synchronizing and managing the data among the distributed components notifies the log server that there is new log information and sends the log entry to the log server. The log information is stored by the log server as database files which are only accessible to an authorized firewall administrator via the management server. An audit entry is removed from cache buffers after the TOE has received confirmation from log server that the entry has been successfully stored. The administrator defines the log spooling policy. This specifies the behavior of the TOE whenever its local log spool is filled as one of the following: • Stop traffic ( required in the evaluated configuration): TOE automatically goes to an offline state and connections going through TOE are transferred to other nodes in a cluster (please see HA-1). Once the spool situation has improved, the node returns automatically to online state. • Discard log: (the default setting and needs to be changed to the evaluated configuration) the cluster overlooks new log entries without any means of retrieval. This log spooling policy should be used only if the traffic is more important than the logs. The TOE also provides a means for the management server to prioritize log data. The mechanism is based on the following log level: • Alert: generated with an alert status and are always stored; • Essential: always generated even if the firewall engine is running out of disk space; • Stored: stored to the audit log database if alert and essential log entries have already been stored; • Transient: not stored to database but kept in firewall log cache. Before applying the selected log spooling policy, the engine stops producing transient logs. If insufficient, it can drop all but the essential log entries. As a last resort, the engine applies the selected log spooling policy. 6.1.2 Cryptographic Functionality (CRYPTO-1) The TOE includes a cryptographic module that provides cryptographic support for the VPN services. The TOE has been certified by the Virtual Private Network Consortium (VPNC) for conformance to the IPSec protocols it implements, and the cryptographic module is currently undergoing FIPS 140-2 validation. The FIPS 140-2 validation addresses the detailed workings of the cryptographic functionality and provides the assurance that only secure key values are 41 accepted for the applicable algorithms. Please refer to the FIPS 140-2 evaluation report for this information. The VPNC http://www.vpnc.org/ provides details of their conformance requirements. The cryptographic support provided by the TOE is defined in the security functional requirements: • Cryptographic Operations: - 3DES encryption/decryption - AES encryption/decryption - RSA signature/verification - SHA-1 Secure Hash - HMAC-SHA-1 Keyed-Hash Message Authentication Code - Diffie-Hellman Key Exchange • Cryptographic Key Management: - Key generation of symmetric 3DES and AES keys - Key generation of RSA keys; - Cryptographic Key Destruction by zeroization. 6.1.3 User Data Protection The TOE includes 3 data protection functions: 1. Information flow control 2. VPN user data protection; 3. Network Address Translation (NAT); and 6.1.3.1 Information flow control (DPROT-1) The StoneGate Firewall provides an information flow control mechanism using a rule base that comprises a set of security policy rules, i.e., the firewall security policy. The TSF applies the firewall security policy to all traffic that passes through via its internal or external network interfaces. The traffic is TCP, UDP, ICMP, IPSec connections over IP. The TSF only permits traffic to pass through which has been explicitly allowed by the firewall security policy and implements packet defragmentation to enforce the policy on entire IP packets. Authorized administrators using the management server define the firewall security policy rules. The TSF implements connection tracking to manage the information flow control decisions for connections rather than packets, providing increased performance and support for firewall features that require packet information above the IP level. The connection tracking mechanism stores the state information of each connection to allow packets belonging to an established connection to pass. Connection tracking works closely with the protocol agents to manage the information flow control decisions based on information attributes at the different networking layers through the application layer to decide whether a packet should be granted access or not. The following protocol agents and their security function are within the scope of the evaluation: FTP, HTTP, and SMTP redirection. The TSF follows a specific orderly algorithm to traverse the rule base for matching and filtering the traffic between its internal and external networks. Any traffic that is not explicitly accepted by the security policy is rejected by the firewall. The structure of the rule base and the capabilities of its 42 associated protocol agents enable the TSF to make the information flow control decisions defined in FDP_IFF.1.2-NIAP-0407 through FDP_IFF.1.6-NIAP-0407. Each rule comprises matching criteria and target actions. If the matching criteria is verified (i.e., a comparison matches) the TSF applies the target actions. The TSF compares the information attributes defined in FDP_IFF.1.1-NIAP-0407 with the matching criteria of the rule to determine whether apply the rule. If applied the target actions are implemented and the additional capabilities and flow control rules defined in FDP_IFF.1.2-NIAP-0407 through FDP_IFF.1.6-NIAP-0407 are applied. 6.1.3.2 VPN User Data Protection (DPROT-2) The VPN service includes the creation of encrypted communication channels and the definition of encryption policies. Either the TOE or a SGW can initiate the process to establish a VPN channel. It operates in a tunnel mode among the gateways using the IPSec protocol set as defined in RFC 2401 to integrate the following security functions: • Authentication: public key exchanges and certificates protect the identity of communicating parties (see authentication section I&A-1). • Access control: VPN access is restricted by the firewall traffic filter and rule bases (see information flow control above, DPROT-1). • Confidentiality: encryption methods protect data from unauthorized parties • Data integrity: digital signatures ensure that unauthorized attempts to tamper with data cannot go unnoticed.  The TOE has been certified by the VPNC to be compatible with the IPSec VPN protocols, http://www.vpnc.org. The IPsec protocol suite specifies the use of encryption to provide authentication, integrity and confidentiality security services. The TOE uses the Encapsulating Security Payload (ESP) protocol to provide confidentiality, data origin authentication, and connectionless integrity. The Gateways negotiate to establish tunnels – two unidirectional connections called Security Associations (SAs) used to securely transmit data. SAs provide the information required to support the VPN connection, keys, algorithms, modes, and lifetimes. The SAs are negotiated during the Internet Key Exchange (IKE) phases. IKE negotiation consists of two separate phases, IKE Phase I and IKE Phase II. During IKE Phase I the Gateways authenticate each other and create a secure channel for further negotiation (IKE Phase II). Authentication is done using a certificate based public key method (RSA signature and verification) or with a Pre-shared key (using HMAC-SHA-1). Encryption keys are generated and exchanged using the Diffie-Hellman key agreement method for encryption during the IKE negotiation. Two modes for IKE phase 1 are available: • Main mode: This mode protects the identity of each communicating party. With this mode, the communicating parties exchange six packets representing the initial message and its reply. The first exchanges negotiate an agreement for the SAs based on IKE proposal; the 43 second exchanges share Diffie-Hellman public keys and some required data; and, finally, the third exchanges authenticate the identities and all previously exchanged data. • Aggressive mode: This mode does not protect the identity of the communicating parties. With this mode only three packets are exchanged in a more compact format. The first exchanges negotiate an agreement for the SAs, share Diffie-Hellman public keys with some required data, send unencrypted identities, and authenticate the remote party. The negotiation is concluded with a second unidirectional exchange that authenticates the initiator of the negotiation. IKE Phase 2 negotiation establishes the encryption/decryption procedures for protecting the IP data traffic between the Gateways. It generates a pair of SAs, which contains information for protecting the IP traffic. The negotiation of IPsec SAs is encrypted using the keys already agreed in the IKE SAs. The generated IPsec tunnels are used for conveying securely the actual data traffic between security gateways. The SA specified for this phase sets the lifetime of the IPsec SAs.  6.1.3.2.1 VPN Policy Parameters The security associations generated for the IKE and IPsec SAs broadly represent the encryption policy to be implemented. To add granularity to the encryption policy, authorized firewall administrators can specify the negotiation degree of security associations; Security Associations can be negotiated for each pair of communicating networks, hosts, protocols, or ports. Symmetric Encryption Parameters: symmetric encryption is used to provide confidentiality of data during the SA negotiation based on IKE proposals and is used for encrypting/decrypting bulk data. The following symmetric algorithms can be specified: • 3DES; • AES; • (DES is included in the product for interoperability but is not included in the evaluation.) Data Integrity Parameters: the HMAC-SHA-1 keyed hash function is used to ensure the integrity of the data exchanged. Authentication Parameters: certificate based public key methods are used to authenticate the Gateways to each other. The following algorithms can be specified for Gateway authentication: • RSA signature; • Pre-shared key. Diffie-Hellman Parameters: The following two parameters can be set for computing Diffie- Hellman values in the IKE negotiation mode and the IPsec mode: • Diffie-Hellman group for IKE; • Diffie-Hellman group for Perfect Forward Secrecy (PFS). Lifetime Parameters: the lifetime of the IKE and IPsec tunnels can be specified in terms of elapsed time and transferred data. Lifetime (minutes or KB) represents the overall time (or data volume) after which the opened tunnels are closed. If a new tunnel is needed, the negotiation process is started over again. When an IPsec tunnel expires, only Phase II negotiation is performed again based on the settings of the IPsec proposal and through the IKE negotiated tunnel. This process generates new key material to be used for the IPsec traffic. Similarly, IKE SAs are set 44 to expire, but their lifetime is typically much longer than that of the IPsec SA since IKE SA negotiation is more complex. 6.1.3.3 Network Address Translation (NAT) (DPROT-3) When configured for static mapping NAT, the TOE provides a mechanisms to ensure the real addresses on the internal networks are hidden. Static mapping is a one to one mapping and provides a means to determine the IP address number that is chosen. Activation of NAT is done per connection based on the rule base. The TOE rewrites the headers of IP packets. It is a two-way process and keeps track of the source and destination addresses and can do a reverse translation to returning packets. The NAT manipulation occurs after a connection has been accepted so that connection decisions are based on the original addresses. Routing takes place after the connection has been modified. NAT rules can be defined independently of access rules. 6.1.4 High Availability (HA-1) As part of a firewall cluster the TOE provides high availability of the firewall security services defined in the firewall security policy. Up to 16 firewall nodes can form a cluster. The evaluated configuration assumes the cluster uses a dedicated and secure network. In case a firewall node in a cluster has a hardware malfunction, or can’t recognize its security policy, or a failure of an interface to an internal, external, management or cluster network, the firewall engine is capable of failing over all sessions to other nodes. This provides continuous enforcement of the firewall security policy including information flow control and VPN services. The TOE’s clustering subsystem implements the high availability security feature. The clustering subsystem includes a set of proprietary protocols to communicate among the nodes of a cluster to communicate the following state information: 1. Which nodes are online; 2. What is the capacity of each online node; 3. What is the load of each node; 4. The following firewall state is exchanged: • Current connections • Active authentications 6.1.5 Identification and Authentication (I&A-1) The TOE provides the following Identification and Authentication mechanisms for SGWs to establish a VPN connection with the TOE: • Certificated-based using RSA digital signatures; and • IKE authentication with Pre-shared key. SGWs and the TOE authenticate each other when establishing a VPN connection, i.e., tunnel. This is done during the IKE Phase 1of the IKE protocol. The certificate-based authentication method options are RSA signatures. The pre-shared key method uses the HMAC_SHA-1 cryptographic 45 algorithm. Either side can initiate the connection and based on the configuration setting the appropriate authentication method is used. The FIPS 140-2 cryptographic module within the Gateway performs the required cryptographic operations. 6.1.6 Security Management and Protection of Security Functions 6.1.6.1 Management of TOE Functions and Data (SECMAN-1) Security management defines the protection and management mechanisms of the TOE. The management interface to the TOE is via the management server. This interface provides the functionality required for administrators to manage the trusted data and security attributes for the security functions. The TOE maintains a single role, management server, and the use of its interface implicitly defines the role. The TOE implements consistency checking on the trusted data received through the management server interface to ensure only consistent values are accepted. The management server authenticates the administrator. The TOE enforces restrictive default values for information flow security attributes. Any traffic that is not explicitly accepted by the security policy is rejected by the firewall. An authorized administrator must successfully log into the management server to modify the configuration to permit the flow of information. The certification that the embedded cryptographic module is FIPS 140-2 compliant will provide the assurance that that only secure key values are accepted for the cryptographic keys. 6.1.6.2 Non-bypassability of the TSP (SECMAN-2) In its evaluated configuration, the TOE communicates with its management server over a trusted management network within a controlled access facility that does not allow unauthorized physical access. A second trusted network connects the TOE with the other nodes in its cluster. The TOE does not support access by untrusted subjects, i.e., no untrusted processes have access to the TOE. The untrusted subjects serviced by the TOE are external IT entities and human users that send and receive information through the TOE between its internal and external networks. The packets arrive on the NIC cards of the node and the TOE relies on the operating system to correctly process the packets. The TOE ensures it applies the security policy to all packets it receives from its internal and external networks. 6.2 ASSURANCE MEASURES The assurance level is EAL4 augmented with ALC_FLR.1, Flaw remediation, and AVA_VLA.3, Moderately resistant. EAL4 is augmented with ALC_FLR.1 and AVA_VLA.3. ALC_FLR.1 is included to add assurance for the flaw remediation aspect of a product’s life cycle. AVA_VLA.3 ensures a moderate level of security for protecting information in Mission-Critical Categories. This level of assurance provides appropriate assurance measures for the expected application of the product. EAL4 ensures a product that is methodically designed, tested, and reviewed with 46 maximum assurance from positive security engineering based on good commercial development practices. It also requires a moderate to high level of independently assured security. Appropriate assurance measures will be employed to satisfy the security assurance requirements. The evaluation will confirm whether the assurance measures are sufficient to satisfy the assurance requirements. The assurance measures will consist of the set of evaluation evidence listed in Table 6.2, below. The documents listed in the table will be used as to satisfy assurance evaluation requirements. Table 6.2 – Assurance Evaluation Evidence Assurance Class Assurance Component ID Assurance Component Name How Satisfied Configuration Management (CM) ACM_AUT.1 Partial configuration management automation GRD11068: Configuration Management Plan, version 17, 2003-07-25 ACM_CAP.4 Generation support and acceptance procedures GRD11068: Configuration Management Plan, version 17, 2003-07-25, GRD11069: Acceptance Plan, version 3, 2002-11-04, GRD23001 - Test Document Version Control, version 1, 2003-06-18 ACM_SCP.2 Problem tracking CM coverage GRD11068: Configuration Management Plan, version 17, 2003-07-25, GRD11077 - Design Documentation Configuration Item List, version 23, 2003-08-05, GRD11081 - Process Documentation Configuration Item List, version 9, 2003- 07-25, GRD11084 - Observed Security Flaws, version 2, 2003-03-31, GRD23002 - Remedy and Known Issues, version 2, 2003-07-31 SG 2.0.5.888 Test Suite, version 25, 2003-07-25 TDD11070 - Implementation Representation Configuration Item, version 4, 2002-11-22 Delivery and Operation ADO_DEL.2 Detection of modification ADO_DEL.2 – Delivery Documentation, version 9, 2003-03-12 ADO_IGS.1 Installation, StoneGate Common Criteria Certification 47 Assurance Class Assurance Component ID Assurance Component Name How Satisfied generation, and start-up procedures User’s Guide, version 180080803, 2003- 08-08 StoneGate Installation Guide, version 213090802, 2002-08-09, StoneGate Administration Guide, version 202090802, 2002-08-09 Development ADV_FSP.2 Fully defined external interfaces GRD11038: StoneGate Engine Functional Specification, version 11, 2003-02-28 ADV_HLD.2 Security enforcing high-level design HLD11013: StoneGate Engine High Level Design, version 44, 2003-02-12 GRD11083: Interfaces of Subsystems, version 5, 2003-04-24 ADV_IMP.1 Subset of the implementation of the TSF Source code needed for evaluation was provided. Full list can be found from: TDD11070: Implementation Representation Configuration Item List, version 4, 2002-11-22 ADV_LLD.1 Descriptive low- level design GRD11077: Design Documentation Configuration Item List, version 23, 2003-08-05 ADV_RCR.1 Informal correspondence demonstration GRD11018: StoneGate Engine Representation Correspondence, version 17, 2003-02-12 ADV_SPM.1 Informal TOE security policy model GRD11080: Security Policy Model, version 5, 2003-08-05 Guidance Documents AGD_ADM.1 Administrator guidance StoneGate Administrator’s Guide, version 202090802, 2002-08-09, StoneGate Common Criteria Certification User’s Guide, version 180080803, 2003- 08-08, StoneGate Install Guide, version 213090802, 2002-08-09, GRD23002 - Remedy and Known Issues, version 2, 2003-07-31 AGD_USR.1 User guidance StoneGate Administrator’s Guide, version 202090802, 2002-08-09, StoneGate Common Criteria Certification User’s Guide, version 180080803, 2003- 08-08 Life Cycle Support 48 Assurance Class Assurance Component ID Assurance Component Name How Satisfied ALC_DVS.1 Identification of security measures ALC_DVS.1 – Identification of security measures, version 7, 2003-03-19 ALC_FLR.1 Basic flaw remediation (augmentation) ALC_FLR.1 - Flaw Remediation Procedures, version 5, 2002-12-16 ALC_LCD.1 Developer defined life-cycle model ALC_LCD.1 - Life Cycle Definition, version 3, 2002-12-12 ALC_TAT.1 Well-defined development tools GRD14050: Development Tools and Techniques, version 5, 2002-12-19 GRD23001: Test Document Version Control, version 1, 2003-06-18 Tests ATE_COV.2 Analysis of coverage ATE_COV_DPT-7 – Analysis of coverage and depth of testing, version 7, 2002-02-13 ATE_DPT.1 Testing: high-level design ATE_COV_DPT-7 – Analysis of coverage and depth of testing, version 7, 2002-02-13 ATE_FUN.1 Functional testing SG 2.0.5.888 Test Suite, version 25, 2003-07-25 ATE_IND.2 Independent testing – sample TOE version 2.0.5.888 was provided for testing. Vulnerability Assessment AVA_MSU.2 Validation of analysis AVA_MSU - Misuse Analysis Guidance, version 17, 2003-08-08 AVA_SOF.1 Strength of TOE security function evaluation Not Applicable, there are no security mechanisms that rely on probabilistic or permutational mechanisms that are non- cryptographic. AVA_VLA.3 Moderately resistant (augmentation) GRD11082: StoneGate Engine Vulnerability Analysis, version 9, 2003- 07-25, VULN1 – CVE-CAN-FW-VPN-analysis, version 5, 2003-08-06 49 7 PP CLAIMS None. 50 8 RATIONALE This section provides the rationale for completeness and the consistency of the Security Target. 8.1 SECURITY OBJECTIVES RATIONALE This section includes the following: • Table 8.1 shows that all of the secure usage assumptions, organizational security policies, and threats to security have been addressed by the objectives. • Table 8.2 shows that each objective counters at least one assumption, policy, or threat. • The rationale for each of these mappings. Table 8.1 Mapping the Security Environment to the Security Objectives Policy/Threat/Assumptions Objectives T.AUDIT_UNDETECTED O.AUDIT, O.E.AUDIT_SUPPORT, O.E.AUDITMAN T.MEDIAT O.MEDIAT, O.NETADDRHIDE, O.VPN, O.E.MEDIAT_SUPPORT, O.E.USER_AUTH T.NOAUTH O.IDAUTH T.NODE_FAILURE O.HIGHAVAILABILITY T.SECURE_CONNECTION_COMPROMISE O.MEDIAT, O.VPN, O.CRYPTOSERVICES T.SELPRO O.SECFUN, O.SELPRO, O.E.ADMIN_ACCESS, O.E.SELPRO P.CRYPTO O.CRYPTOSERVICES A.ADMIN_ACCESS O.E.ADMIN_ACCESS A.ADMINTRUSTED O.E.ADMINTRUSTED A.AUDITMAN O.E.AUDITMAN A.AUDIT_SUPPORT O.E.AUDIT_SUPPORT A.MEDIAT_SUPPORT O.E.MEDIAT_SUPPORT A.MODEXP O.E.MODEXP A.OPERATING_ENVIRONMENT O.E.OPERATING_ENVIRONMENT A.SELPRO O.E.SELPRO A.SHAREDSECRETKEY O.E.SHAREDSECRETKEY A.USER_AUTH O.E.USER_AUTH Table 8.2 All IT Security Objectives for the TOE are Necessary Objectives Policy/Threat/Assumptions Security Objectives for the TOE 51 O.AUDIT T.AUDIT_UNDETECTED O.CRYPTOSERVICES P.CRYPTO, T.SECURE_CONNECTION_COMPROMISE O.HIGHAVAILABILITY T.NODE_FAILURE O.IDAUTH T.NOAUTH O.MEDIAT T.MEDIAT, T.SECURE_CONNECTION_COMPROMISE O.NETADDRHIDE T.MEDIAT O.SECFUN T.SELPRO O.SELPRO T.SELPRO O.VPN T.MEDIAT, T.SECURE_CONNECTION_COMPROMISE Security Objectives for the Environment O.E.ADMIN_ACCESS A.ADMIN_ACCESS, T.SELPRO O.E.ADMINTRUSTED A.ADMINTRUSTED O.E.AUDITMAN A.AUDITMAN, T.AUDIT_UNDETECTED O.E.AUDIT_SUPPORT A.AUDIT_SUPPORT, T.AUDIT_UNDETECTED O.E.MEDIAT_SUPPORT A.MEDIAT_SUPPORT, T.MEDIAT O.E.MODEXP A.MODEXP O.E.OPERATING_ENVIRONMENT A.OPERATING_ENVIRONMENT O.E.SELPRO A.SELPRO, T.SELPRO O.E.SHAREDSECRETKEY A.SHAREDSECRETKEY O.E.USER_AUTH A.USER_AUTH, T.MEDIAT 8.1.1 Policies P.CRYPTO: Crypto Services The TOE shall use a cryptographic module for its cryptographic operations and associated key management that are compliant with FIPS PUB 140-2 (level 1). P.CRYPTO is satisfied by ensuring that the cryptographic operations of the TOE are implemented using a cryptographic module that is FIPS 140-2 level 1 compliant, (O.CRYPTOSERVICES). 8.1.2 Threats T.AUDIT_UNDETECTED: Audit Events Go Undetected A threat agent may attempt to compromise the assets without being detected. This threat includes a threat agent causing audit records to be lost or prevent future records from being recorded by taking actions to exhaust audit storage capacity, thus masking an attackers actions. This threat is diminished by: • Audit records which record security relevant events (O.AUDIT), • Security relevant events are prioritized and prevented as audit storage capacity fills (O.AUDIT), • Administrator actions being auditable (O.E.AUDIT_SUPPORT), • An audit trail that can be effectively reviewed (O.E.AUDITMAN), and • Reliable timestamps being available for the audit trail (O.E.AUDIT_SUPPORT). 52 T.MEDIAT: Information Flow Control An unauthorized person may send impermissible information through the TOE which results in the exploitation and/or compromise of IT Assets. This threat includes an unauthorized person attempting to by-pass the information flow control policy by sending an IP packet with a fake source address. This threat is diminished by: • Applying the firewall security policy to all information that passes through the networks between users and external IT entities (O.MEDIAT and O.E.MEDIAT_SUPPORT), • Preventing information flow for any packet that uses the source routing option (O.MEDIAT), • Information on the IP addresses of the hosts on the internal networks is not available to the external network (O.NETADDRHIDE), • Confidentiality and integrity services are available for the information passing between the internal and external networks (O.VPN), • No residual information is transmitted (O.E.MEDIAT_SUPPORT), • Reliable timestamps being available for time-based information flow control decisions (O.E.MEDIAT_SUPPORT), and • User authentication services available for information flow control decisions (O.E.USER_AUTH). T.NOAUTH: Authorization An unauthorized person may attempt to bypass the security of the TOE, e.g., using a masquerade attack, so as to access the VPN security functions provided by the TOE. This threat is diminished by VPN functions only being available to SGWs after they have been identified and authenticated using a mechanism that protects against masquerade attacks (O.IDAUTH). T.NODE_FAILURE: Denial of Service Prevention A failure of a node or a network connection to a node caused by a threat agent or due to the normal lifecycle of components could cause denial of service making IT assets not available. This threat is diminished high availability mechanisms for the information flow control and VPN services when the TOE is deployed as part of a firewall cluster (O.HIGHAVAILABILITY). T.SECURE_CONNECTION_COMPROMISE: VPN Compromise A threat agent may attempt to read and/or modify data transmitted between the TOE and another Secure Gateway (SGW). This threat is diminished by: • Ensuring VPN services are applied according to the firewall security policy to all information that flows between the internal and external networks (O.MEDIAT), • Providing confidentiality and integrity services to all information transmitted between itself and SGWs when required by the firewall security policy (O.VPN), and • Using cryptographic mechanisms to provide the integrity and confidentiality services (O.CRYPTOSERVICES). T.SELPRO: Self Protection An unauthorized person may read, access TOE management functions, and read, modify, or destroy security critical TOE data. This threat is diminished by: 53 • Providing a means for only authorized administrators to manage the security functions and trusted data (O.SECFUN, O.E.ADMIN_ACCESS), • Protecting itself against attempts to bypass, deactivate or tamper with security functions (O.SELPRO, O.E.SELPRO). The remaining assumptions are addressed by a direct mapping to their environment objective and are self-explanatory. 8.2 SECURITY REQUIREMENTS RATIONALE This section includes the following: • Table 8.3 shows that all of the objectives have been met by the requirements. • Table 8.4 shows that each requirement addresses at least one objective. • The rationale for each of these mappings. Table 8.3 Security Objective to Requirements Mapping Objectives Requirements O.AUDIT FAU_GEN.1-NIAP-0410+1, FAU_SEL.1, FAU_STG.NIAP-0414 O.CRYPTOSERVICES FCS_CKM.1+1 through FCS_CKM.1+3, FCS_CKM.4 FCS_COP.1+1 through FCS_COP.1+6 O.HIGHAVAILABILITY FPT_FLS.1, FRU_FLT.2 O.IDAUTH FIA_UAU.5+1 O.MEDIAT FDP_IFC.1, FDP_IFF.1-NIAP-0407, FPT_RVM.1+1, FPT_SEP_EXP.1 O.NETADDRHIDE FDP_IFC.1, FDP_IFF.1-NIAP-0407 O.SECFUN FMT_MSA.1, FMT_MSA.2, FMT_MSA.3, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1 O.SELPRO FMT_MSA.2, FPT_RVM.1+1, FPT_SEP_EXP.1 O.VPN FDP_UCT.1, FDP_UIT.1, FTP_ITC.1 O.E.ADMIN_ACCESS FIA_UAU.5+2 O.E.ADMINTRUSTED Procedural O.E.AUDITMAN Procedural O.E.AUDIT_SUPPORT FAU_GEN.1-NIAP-0410+2, FAU_STG.1-NIAP-0423, FPT_STM.1, O.E.MEDIAT_SUPPORT FDP_RIP.1, FPT_RVM.1+2, FPT_SEP_ENV.1, FPT_STM.1, O.E.MODEXP EAL4 plus ALC_FLR.1, and AVA_VLA.3. O.E.OPERATING_ENVIRONMENT Procedural O.E.SELPRO FPT_RVM.1+2, FPT_SEP_ENV.1 54 O.E.SHAREDSECRETKEY Procedural O.E.USER_AUTH FIA_UAU.5+2 Table 8.4 All Security Requirements for the TOE are Necessary Requirement(s) Objective(s) FAU_GEN.1-NIAP-0410+1 O.AUDIT FAU_SEL.1 O.AUDIT FAU_STG.NIAP-0414 O.AUDIT FCS_CKM.1+1 O.CRYPTOSERVICES FCS_CKM.1+2 O.CRYPTOSERVICES FCS_CKM.1+3 O.CRYPTOSERVICES FCS_CKM.4 O.CRYPTOSERVICES FCS_COP.1+1 O.CRYPTOSERVICES FCS_COP.1+2 O.CRYPTOSERVICES FCS_COP.1+3 O.CRYPTOSERVICES FCS_COP.1+4 O.CRYPTOSERVICES FCS_COP.1+5 O.CRYPTOSERVICES FCS_COP.1+6 O.CRYPTOSERVICES FDP_IFC.1 O.MEDIAT, O.NETADDRHIDE FDP_IFF.1-NIAP-0407 O.MEDIAT, O.NETADDRHIDE FDP_UCT.1 O.VPN FDP_UIT.1 O.VPN FIA_UAU.5+1 O.IDAUTH FMT_MSA.1 O.SECFUN FMT_MSA.2 O.SECFUN, O.SELPRO FMT_MSA.3 O.SECFUN FMT_MTD.1 O.SECFUN FMT_SMF.1 O.SECFUN FMT_SMR.1 O.SECFUN FPT_FLS.1 O.HIGHAVAILABILITY FPT_RVM.1+1 O.MEDIAT, O.SELPRO FPT_SEP_EXP.1 O.MEDIAT, O.SELPRO FRU_FLT.2 O.HIGHAVAILABILITY FTP_ITC.1 O.VPN 55 O.AUDIT: Detect and Record Audit Events The TOE must provide a means to accurately detect and record security-relevant events in audit records, and prevent audit data loss by prioritizing and preventing security-relevant events when the audit storage capacity fills. This objective is satisfied by requiring the following: • An audit record can be generated for security-relevant events (FAU_GEN.1-NIAP-0410+1), • Security-relevant events can be included or excluded from the audit log based on selected attributes, and can be prioritized when the audit storage nears capacity (FAU_SEL.1 and FAU_STG.NIAP-0414), and • When the audit log is full, auditable events are prevented from occurring (FAU_STG.NIAP- 0414). O.CRYPTOSERVICES: Cryptographic Services The TOE shall provide cryptographic operations to support the VPN services and its associated key management functions using a cryptographic module that is FIPS PUB 140-2 level 1 compliant. This objective is satisfied by requiring a FIPS 140-2 compliant cryptographic module that performs the cryptographic operations 3DES, AES, HMAC-SHA-1, RSA, Diffie-Hellman, SHA- 1(FCS_COP.1+1 through 6). To support these operations cryptographic key destruction is required (FCS_CKM.4), and key generation for 3DES, AES, RSA (FCS_CKM.1+1 through 3). O.HIGHAVAILABILITY: High Availability The TOE when operating as part of a firewall cluster must provide high availability of information flow control and VPN services, ensuring continuation of service when firewall nodes or their interfaces fail. This objective is satisfied by requiring a secure state is preserved and ensuring operation, when node hardware malfunctions, the security policy is not recognized, or there is a failure on the internal, external or cluster network interfaces(FRU_FLT.2, and FPT_FLS.1). O.IDAUTH: I&A The TOE must uniquely identify and authenticate the claimed identity of SGWs before granting access to VPN functions. This objective is satisfied by requiring SGWs to authenticate using either certificates or IKE with a pre-shared key (FIA_UAU.5+1). O.MEDIAT: Information Flow Control The TOE must mediate the flow of all information between users and external IT entities, including SGWs, on the internal and external networks connected to the TOE in accordance with its security policy. This objective is satisfied by requiring a firewall security policy to control the information flow (FDP_IFC.1 and FDP_IFF.1-NIAP-0407), and requiring that the policy is applied to all traffic between the internal and external interfaces (FPT_RVM.1+1 and FPT_SEP_EXP.1). O.NETADDRHIDE: Hide Internal Network Addresses The TOE must provide a means to hide the IP addresses of hosts on its internal network. 56 This objective is satisfied by requiring a firewall security policy that provides IP address translation services (FDP_IFC.1 and FDP_IFF.1-NIAP-0407). O.SECFUN: Management Functions The TOE must provide a means for an administrator via the management server to manage the TOE security functions. This objective is satisfied by requiring there to be security management functions for the administrative roles (FMT_SMF.1 and FMT_SMR.1), and protection of the related trusted data and attributes (FMT_MSA.1, FMT_MSA.2, FMT_MSA.3, FMT_MTD.1). O.SELPRO: Self Protection The TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with TOE security functions. This objective is satisfied by requiring domain separation and non-bypassability of its security functions. It also requires that the firewall security policy received by the management server is checked before implemented to ensure that only secure values are accepted for security attributes (FMT_MSA.2, FPT_RVM.1+1, FPT_SEP_EXP.1). O.VPN: Virtual Private Network Services The TOE must be able to protect the confidentiality of data transmitted between itself and SGWs via the use of encryption. The TOE must also be able to protect the integrity of data transmitted to a SGW and verify that the received data accurately represents the data that was originally transmitted via the use of encryption. This objective is satisfied by requiring a communication channel with a SGW be available to provide a means for data to be transmitted and received in a manner that protects it from unauthorized disclosure, modification, insertion or replay (FTP_ITC.1, FDP_UCT.1 and FDP_UIT.1). O.E.ADMIN_ACCESS: Administrator Access Support Provided by the IT Environment The administrator accesses the TOE via the trusted management server on a trusted and separate management network. The administrator identifies and authenticates to the management server application. This objective is satisfied by requiring that the TSF be provided an authentication service for administrators accessing the trusted management server. No authentication is required for the trusted management server since its access is over a trusted network (FIA_UAU.5+2). O.E.ADMINTRUSTED: Administrator Attributes Authorized Administrators are trained, qualified, non-hostile and follow all guidance. This objective must be satisfied by the environment but is supported by the requirement AGD_ADM.1. O.E.AUDITMAN: Environment Audit Procedures Procedures shall exist to ensure that the audit trails are regularly analysed and archived. This objective must be satisfied by the environment but is supported by the requirement AGD_ADM.1. O.E.AUDIT_SUPPORT: Audit Support Provided by the IT Environment 57 The IT environment shall generate audit records for the security functions on which the TOE depends on from its environment. It will also provide protected permanent storage of the audit trails generated by the TOE, and it will also provide reliable timestamps for the audit records. This objective is satisfied by requiring that IT environment provide audit records for TOE security relevant functions performed on the platform (FAU_GEN.1-NIAP-0410+2). Protected audit trail storage and a reliable timestamp for the audit records must also be available to the TSF (FAU_STG.1-NIAP-0423, and FPT_STM.1). O.E.MEDIAT_SUPPORT: Information Flow Control Support Provided by the IT Environment The IT environment of the TOE must ensure that information can not flow among the internal and external networks unless it passes through the TOE, and it must provide residual information protection for those packets. It must also provide secure storage of and access to the network security policy and user authentication data, and it must provide a reliable timestamp to support time-based information flow control decisions. This objective is satisfied by requiring that IT environment provide domain separation to ensure all traffic between the internal and external networks passes through the TOE and that there is no available residual information contained in the objects implementing the information flow (FDP_RIP.1, FDP_RVM.1+2 and FPT_SEP_ENV.1). A reliable timestamp for information flow control decisions based on time must also be available to the TSF (FPT_STM.1). O.E.MODEXP: Attack Level Protection The TOE must demonstrate that it meets all of the assurance requirements defined in EAL4 augmented in Part 3 of the CC. The TOE must be tested and shown to be resistant to attackers possessing moderate attack potential. This objective is satisfied by the EAL4 package of assurance requirements augmented with ALC_FLR.1 for flaw remediation assurance and AVA_VLA.3 to verify that the TOE is resistant to penetration attacks performed by an attacker possessing a moderate attack potential. O.E.OPERATING_ENVIRONMENT: General IT Environment Support The node on which the TOE runs and the TOE’s associated management servers and management networks are dedicated to the trusted firewall system, function according to their specifications, and are physically secure, only allowing trusted administrators physical access. This objective must be satisfied by the environment but is supported by the requirements ADO_DEL.2 and ADO_IGS.1. O.E.SELPRO: Self Protection Support Provided by the IT Environment The IT environment of the TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with its security functions. This objective is satisfied by requiring that IT environment provide domain separation (FPT_RVM.1+2, FPT_SEP_ENV.1). O.E.SHAREDSECRETKEY: Shared Secret Key Management 58 The key used for Shared Secret SGW authentication will be generated and entered in the TOE in accordance with organization security policies and follow the guidance provided in the Administrator and User Guides. The key size must be greater than or equal to 10 bytes. The destruction of the key will be in accordance with the organization security policies and follow the guidance provided in the Administrator and User Guides. This objective must be satisfied by the environment but is supported by the requirements ADO_IGS.1 and AGD_ADM.1. O.E.USER_AUTH: User Authentication for Information Flow Control The IT environment must provide a user authentication mechanisms for the TOE to use when the firewall security policy requires users to authenticate before information can flow between the internal and external networks. This objective is satisfied by requiring that IT environment provide a single-use password or reusable password authentication mechanism for human users initiating information flow through the TOE as defined by the Firewall security policy rules (FIA_UAU.5+2) 8.2.1 Assurance Rationale The assurance level selected for the TOE EAL4 augmented with ALC_FLR.1 and AVA_VLA.3 because it provides appropriate assurance measures for the expected application of the product. EAL4 ensures a product that is methodically designed, tested, and reviewed with maximum assurance from positive security engineering based on good commercial development practices. It also requires a moderate to high level of independently assured security. ALC_FLR.1 and AVA_VLA.3 are augmentations to the EAL4 requirements. ALC_FLR.1 is included to add assurance for flaw remediation which is a standard part of a product’s life cycle. AVA_VLA.3 helps ensure a moderate level of security for protecting information in Mission-Critical Categories. Mission-Critical Categories of information is assumed, by nature, to have a greater threat for disclosure and/or corruption by unauthorized parties as indicated by the assumption A.MODEXP. To ensure the security of Mission-Critical Categories of information, not only must vulnerability analysis by the developer be performed, but the evaluator of the TOE must perform independent penetration testing to determine that the TOE is resistant to penetration attacks performed by attackers possessing a moderate attack potential. This level of testing is required in this Security Target by AVA_VLA.3. 8.2.2 SOF Rationale There are no strength of function claims since there are no security mechanisms that rely on probabilistic or permutational mechanisms that are noncryptographic. 59 8.2.3 Security Requirements are Justified Table 8.5 – Functional Component Dependencies No. Component Dependencies Reference 1. FAU_GEN.1-NIAP- 0410+1 FPT_STM.1 IT-Environment FAU_GEN.1 1 2. FAU_SEL.1 FMT_MTD.1 22 FMT_MTD.1 22 3. FAU_STG.NIAP-0414 FAU_STG.1 IT-Environment FCS_CKM.2, Provided by 12. FCS_COP.1, 8 FCS_CKM.4, 7 4. FCS_CKM.1+1:3DES FMT_MSA.2 20 FCS_CKM.2 Provided by 12. FCS_COP.1 9 FCS_CKM.4 7 20 5. FCS_CKM.1+2:AES FMT_MSA.2 FCS_CKM.2 Provided by 12. FCS_COP.1 11 FCS_CKM.4 7 6. FCS_CKM.1+3:RSA FMT_MSA.2 20 FCS_CKM.1 4-6 7. FCS_CKM.4 FMT_MSA.2 20 FCS_CKM.1 4 FCS_CKM.4 7 8. FCS_COP.1+1:3DES FMT_MSA.2 20 FCS_CKM.1 5 7 FCS_CKM.4 FMT_MSA.2 9. FCS_COP.1+2:AES 20 FCS_CKM.1 A.SHAREDSECRETKEY when used with pre- shared key, and N/A for other functions. FCS_CKM.4 7 10. FCS_COP.1+3:HMAC- SHA-1 FMT_MSA.2 20 FCS_CKM.1 6 FCS_CKM.4 7 11. FCS_COP.1+4:RSA FMT_MSA.2 20 FCS_CKM.1 N/A 12. FCS_COP.1+5:Diffie- Hellman FCS_CKM.4 7 60 FMT_MSA.2 20 FCS_CKM.1 N/A FCS_CKM.4 N/A 13. FCS_COP.1+6:SHA-1 FMT_MSA.2 20 14. FDP_IFC.1 FDP_IFF.1 15 FDP_IFC.1 14 15. FDP_IFF.1-NIAP-0407 FMT_MSA.3 21 FTP_ITC.1 29 16. FDP_UCT.1 FDP_IFC.1 14 FDP_IFC.1 14 17. FDP_UIT.1 FTP_ITC.1 29 18. FIA_UAU.5+1 None N/A FDP_IFC.1 14 FMT_SMR.1 24 19. FMT_MSA.1 FMT_SMF.1 23 ADV_SPM.1 EAL4 FDP_IFC.1 14 FMT_MSA.1 19 20. FMT_MSA.2 FMT_SMR.1 24 FMT_MSA.1 19 21. FMT_MSA.3 FMT_SMR.1 24 FMT_SMR.1 24 22. FMT_MTD.1 FMT_SMF.1 23 23. FMT_SMF.1 None N/A 24. FMT_SMR.1 FIA_UID.1 IT-Environment 25. FPT_FLS.1 ADV_SPM.1 EAL4 26. FPT_RVM.1+1 None N/A 27. FPT_SEP_EXP.1 None N/A 28. FRU_FLT.2 FPT_FLS.1 25 29. FTP_ITC.1 None N/A 8.2.4 Justification for explicit requirements The explicit requirements, FAU_GEN.1-NIAP-0410, FAU_STG.NIAP-0414, FAU_STG.1-NIAP- 0423, and FDP_IFF.1-NIAP-0407, are used for compliance with NIAP interpretations 0407, 0410, 0414, and 0423, respectively. Component FMT_SMF.1, Specification of Management Functions, is a new component from CCIMB interpretation #65. They impose no additional assurance requirements. The explicit requirements FPT_SEP_EXP.1 and FPT_SEP_ENV.1 are used to explicitly state the domain isolation requirements to reflect how the software TOE must work in the context of its IT environment to enforce domain separation. 8.2.5 Rationale for SAR Dependencies EAL4 augmented with ALC_FLR.1 Basic flaw remediation, and AVA_VLA.3, Moderately resistant. ALC_FLR.1 has no dependencies. AVA_VLA.3 dependencies, ADV_FSP.1, ADV_HLD.2, ADV_IMP.1, ADV_LLD.1, AGD_ADM.1, AGD_USR.1, are satisfied by EAL4. 61 8.3 RATIONALE FOR TOE SUMMARY SPECIFICATION Section 6, the TOE Summary Specification, describes the security functions of the TOE. In that section Table 6.1 indicates which requirements are satisfied by the corresponding security function and the subsections describe how the security functions work together to satisfy all the requirements. Table 8.6 below identifies how all of the security functions are necessary in order for the TSF to provide the required security functionality. Table 8.6 – SFR to Security Function Mapping No. Component Security Function(s) 1. FAU_GEN.1-NIAP- 0410+1 AU-1 2. FAU_SEL.1 AU-1 3. FAU_STG.NIAP-0414 AU-2 4. FCS_CKM.1+1 CRYPTO-1 5. FCS_CKM.1+2 CRYPTO-1 6. FCS_CKM.1+3 CRYPTO-1 7. FCS_CKM.4 CRYPTO-1 8. FCS_COP.1+1 CRYPTO-1 9. FCS_COP.1+2 CRYPTO-1 10. FCS_COP.1+3 CRYPTO-1 11. FCS_COP.1+4 CRYPTO-1 12. FCS_COP.1+5 CRYPTO-1 13. FCS_COP.1+6 CRYPTO-1 DPROT-1 14. FDP_IFC.1 DPROT-3 DPROT-1 15. FDP_IFF.1-NIAP-0407 DPROT-3 16. FDP_UCT.1 DPROT-2 17. FDP_UIT.1 DPROT-2 18. FIA_UAU.5+1 I&A-1 19. FMT_MSA.1 SECMAN-1 20. FMT_MSA.2 SECMAN-1 21. FMT_MSA.3 SECMAN-1 22. FMT_MTD.1 SECMAN-1 23. FMT_SMF.1 SECMAN-1 24. FMT_SMR.1 SECMAN-1 25. FPT_FLS.1 HA-1 26. FPT_RVM.1+1 SECMAN-2 27. FPT_SEP_EXP.1 SECMAN-2 28. FRU_FLT.2 HA-1 29. FTP_ITC.1 DPROT-2 62 8.4 RATIONALE FOR PP CONFORMANCE This ST makes no claims of conformance with any PP. 63 9 ACRONYMS CA Certificate Authorities CC Common Criteria for IT Security Evaluation CM Configuration Management EAL GUI NAT Evaluation Assurance Level Graphical User Interface Network Address Translation SF Security Function SFP Security Function Policy SGW Security Gateway ST Security Target TOE Target of Evaluation TSC TSF Scope of Control TSF TOE Security Functions TSP VPN TOE Security Policy Virtual Private Network 64 10 REFERENCES StoneSoft Documentation Admin Guide: Stonesoft StoneGate Administrator’s Guide, Version 1.5, revision SGAG-GM 1.5-5/28/01, 2001 Fundamentals: Stonesoft StoneGate Fundamentals and Implementation, StoneGate Course Handbook, StoneGate Versions 1.5 and 1.6, revision: SGCH1-101270901, 2001 Advanced: Stonesoft StoneGate Advanced Implementation and Beyond, StoneGate Course Handbook, StoneGate Versions 1.5 and 1.6, revision: SGCH2-100280901, 2001 Install: Stonesoft StoneGate Installation Guide, Version 1.5, revision SGInstG-GM 1.5-5/29/01, 2001 Standards Common Criteria for Information Technology Security Evaluation, CCIB-98-031 Version 2.1, August 1999. Federal Information Processing Standard Publication (FIPS-PUB) 46-3, Data Encryption Standard (DES), October 1999. Federal Information Processing Standard Publication (FIPS-PUB) 140-2, Security Requirements for Cryptographic Modules, May 25, 2001. Federal Information Processing Standard Publication (FIPS-PUB) 180-2, Secure Hash Standard, August 1, 2002. Federal Information Processing Standard Publication (FIPS-PUB) 186-2, Digital Signature Standard, June 27, 2000. Federal Information Processing Standard Publication (FIPS-PUB) 197, Advanced Encryption Standard, November 26, 2001. Internet Engineering Task Force, IP Encapsulating Security Payload (ESP), RFC 2406, November 1998. Internet Engineering Task Force, Internet Key Exchange (IKE), RFC 2409, November 1998. Internet Engineering Task Force, File Transfer Protocol, RFC 959, October 1985. Internet Engineering Task Force, Simple Mail Transfer Protocol, RFC 959, August 1982. 65 Internet Engineering Task Force, Hypertext Transfer Protocol, RFC 2616, June 1999. RSA Security Inc., PKCS #1, version 2.0, July 2000. Virtual Private Network Consortium, http://www.vpnc.org.