122-B

UK IT SECURITY EVALUATION AND CERTIFICATION SCHEME

COMMON CRITERIA CERTIFICATION REPORT No. P164

BorderWare Firewall Server Version 6.5 running on specified Intel platforms

Issue 1.0, January 2002

© Crown Copyright 2002. Reproduction is authorised provided the report is copied in its entirety.

UK IT Security Evaluation and Certification Scheme, Certification Body, PO Box 152, Cheltenham, Glos GL52 5UF, United Kingdom

EAL4 augmented BorderWare Firewall Server Version 6.5 running on specified Intel platforms Page ii Issue 1.0 January 2002

ARRANGEMENT ON THE MUTUAL RECOGNITION OF COMMON CRITERIA CERTIFICATES IN THE FIELD OF INFORMATION TECHNOLOGY SECURITY

The Certification Body of the UK IT Security Evaluation and Certification Scheme is a member of the above Arrangement and as such this confirms that the Common Criteria certificate has been issued by or under the authority of a Party to this Arrangement and is the Party’s claim that the certificate has been issued in accordance with the terms of this Arrangement.

The judgements contained in the certificate and Certification Report are those of the Qualified Certification Body which issued it and of the Evaluation Facility which carried out the evaluation. There is no implication of acceptance by other Members of the Arrangement of liability in respect of those judgements or for loss sustained as a result of reliance placed upon those judgements by a third party.*

* Mutual recognition applies to EAL4 but not to ALC_FLR.1 (basic flaw remediation) or to AVA_VLA.3 (moderately resistant vulnerability analysis).

The following trademarks are acknowledged:
BorderWare Firewall Server is a trademark of BorderWare Technologies Inc.
Windows and Windows NT are trademarks of Microsoft Corporation.
PowerEdge is a trademark of Dell Computer Corporation.
Intel, Pentium and Celeron are trademarks of Intel Corporation.
All other product names mentioned herein are trademarks of their respective owners.
CERTIFICATION STATEMENT

BorderWare Technologies’ BorderWare Firewall Server is a secure Internet gateway designed to implement secure Internet or intranet connections. The BorderWare Firewall Server incorporates a hardened operating system based on FreeBSD UNIX.

BorderWare Firewall Server Version 6.5 has been evaluated under the terms of the UK IT Security Evaluation and Certification Scheme and has met the Common Criteria Part 3 augmented requirements incorporating Evaluation Assurance Level EAL4, ALC_FLR.1 (basic flaw remediation) and AVA_VLA.3 (moderately resistant vulnerability analysis) for the specified Common Criteria Part 2 conformant functionality in the specified environment when running on the platforms described in Annex A.

Originator: CESG, Certifier
Approval: CESG, Deputy Technical Manager of the Certification Body
Authorisation: CESG, Senior Executive, UK IT Security Evaluation and Certification Scheme
Date authorised: 23 January 2002

TABLE OF CONTENTS

CERTIFICATION STATEMENT
TABLE OF CONTENTS
ABBREVIATIONS
REFERENCES
I. EXECUTIVE SUMMARY
   Introduction
   Evaluated Product
   TOE Scope
   Protection Profile Conformance
   Assurance Level
   Strength of Function
   Security Claims
   Threats Countered
   Threats and Attacks not Countered
   Environmental Assumptions and Dependencies
   IT Security Objectives
   Non-IT Security Objectives
   Security Functional Requirements
   Security Function Policy
   Evaluation Conduct
   Certification Result
   General Points
II. EVALUATION FINDINGS
   Security Policy Model
   Delivery and Installation
   User Guidance
   Misuse
   Developer’s Tests
   Evaluators’ Tests
III. EVALUATION OUTCOME
   Certification Result
   Recommendations
ANNEX A: EVALUATED CONFIGURATION
ANNEX B: PRODUCT SECURITY ARCHITECTURE

ABBREVIATIONS

AUX     AUXiliary
ATA     Advanced Technology Attachment
BSD     Berkeley Software Distribution
BWAPI   BorderWare Application Programming Interface
CC      Common Criteria
CEM     Common Evaluation Methodology
CESG    Communications-Electronics Security Group
CLEF    Commercial Evaluation Facility
DES     Data Encryption Standard
DHCP    Dynamic Host Configuration Protocol
DMZ     De-Militarised Zone
DNS     Domain Name Server
ETR     Evaluation Technical Report
FTP     File Transfer Protocol
GUI     Graphical User Interface
HTML    HyperText Markup Language
HTTP    HyperText Transfer Protocol
ICMP    Internet Control Message Protocol
IMAP    Internet Message Access Protocol
IDE     Integrated Drive Electronics
IP      Internet Protocol
IPSEC   IP SECurity
ISP     Internet Service Provider
LDAP    Lightweight Directory Access Protocol
NIAP    National Information Assurance Partnership
NNTP    Network News Transfer Protocol
NTP     Network Time Protocol
POP     Post Office Protocol
PPTP    Point to Point Tunnelling Protocol
RAC     Release Acceptance Criteria
SCSI    Small Computer System Interface
SFR     Security Functional Requirement
SMTP    Simple Mail Transfer Protocol
SNMP    Simple Network Management Protocol
SoF     Strength of Function
SSH     Secure Shell
SSL     Secure Sockets Layer
SSN     Secure Servers Network
TCP     Transmission Control Protocol
TOE     Target of Evaluation
TSF     TOE Security Functions
TSP     TOE Security Policy
UKSP    United Kingdom Scheme Publication
URL     Uniform Resource Locator
VPN     Virtual Private Network
WWW     World Wide Web

REFERENCES

a. Description of the Scheme, UK IT Security Evaluation and Certification Scheme, UKSP 01, Issue 4.0, February 2000.
b. The Appointment of Commercial Evaluation Facilities, UK IT Security Evaluation and Certification Scheme, UKSP 02, Issue 3.0, 3 February 1997.
c. Security Target for BorderWare 6.5, BorderWare Technologies Inc., ST, Version 2.4, January 2002.
d. Common Criteria Part 1, Common Criteria Implementation Board, CCIB-99-031, Version 2.1, August 1999.
e. Common Criteria Part 2, Common Criteria Implementation Board, CCIB-99-032, Version 2.1, August 1999.
f. Common Criteria Part 3, Common Criteria Implementation Board, CCIB-99-033, Version 2.1, August 1999.
g. Common Methodology for Information Technology Security Evaluation, Part 2: Evaluation Methodology, Common Evaluation Methodology Editorial Board, Version 1.0, CEM-99/045, August 1999.
h. Common Methodology for Information Technology Security Evaluation, Part 2: Evaluation Methodology, Supplement: ALC_FLR - Flaw Remediation, Common Evaluation Methodology Editorial Board, Version 1.0, CEM-2001/0015, August 2001.
i. Manual of Computer Security Evaluation, Part III, Evaluation Tools and Techniques, UK IT Security Evaluation and Certification Scheme, UKSP 05, Version 2.0, 30 July 1997.
j. Manual of Computer Security Evaluation, Part V, Generic Potential Vulnerabilities, UK IT Security Evaluation and Certification Scheme, UKSP 05, Version 1.0, 30 July 1997.
k. Common Criteria Interpretations, Common Criteria Interpretation Management Board, http://www.commoncriteria.org.
l. Evaluation Technical Report, Common Criteria EAL4 Augmented Evaluation of BorderWare 6.5, Syntegra CLEF, LFS/T340/ETR, Issue 1.0, 10 January 2002.
m. Installation and Administrative Guide, BorderWare Technologies Inc., V6.5, August 2001.
n. BorderWare Firewall Server 6.5 Reference Guide, BorderWare Technologies Inc., V6.5, November 2001.
o. BWClient Help GUI, BorderWare Technologies Inc., V1.6, October 2001.
p. EAL4 Configuration Guide for BorderWare 6.5, BorderWare Technologies Inc., V6.5, August 2001.
q. TOE Security Policy Model for BorderWare 6.5, BorderWare Technologies Inc., SPM, Version 1.4, August 2001.
r. BorderWare Products Hardware Support Guide, BorderWare Technologies Inc., V6.5, November 2001.
s. Certification Report No. P136, BorderWare Firewall Server Version 6.1.1, UK IT Security Evaluation and Certification Scheme, Issue 1.0, January 2000.

I. EXECUTIVE SUMMARY

Introduction

1. This Certification Report states the outcome of the IT security evaluation of BorderWare Firewall Server Version 6.5 to the Sponsor, BorderWare Technologies Inc., and is intended to assist potential consumers when judging the suitability of the product for their particular requirements.

2. The prospective consumer is advised to read this report in conjunction with the Security Target [Reference c], which specifies the functional, environmental and assurance evaluation requirements.

Evaluated Product

3. The version of the product evaluated was BorderWare Firewall Server Version 6.5. This product is also described in this report as the Target of Evaluation (TOE). The Developer was BorderWare Technologies Inc. Details of the evaluated configuration, including the product’s supporting guidance documentation, are given in Annex A.

4. The BorderWare Firewall Server is a secure Internet gateway. It provides the set of ancillary services necessary to implement Internet and intranet connections. The TOE provides three layers of security: packet filtering, circuit level gateways and application level gateways.

5. The TOE incorporates a bespoke hardened FreeBSD UNIX-based operating system. The operating system provides a separate domain of execution for each security critical subsystem and implements kernel level packet filtering.

6. The following TOE subsystems are TOE Security Policy (TSP)-enforcing:
• BorderWare Application Programming Interface (BWAPI)
• UNIX Kernel
• Database
• System console
• Administration Graphical User Interface (ie the Admin GUI)
• Proxies
• File Transfer Protocol (FTP) Server
• Web Server

7. The BorderWare Firewall Server’s operating system does not permit any user logins. The firewall administrator can perform basic administration and configuration of the BorderWare Firewall Server from the console, but full administration services are only available from the Admin GUI on a client workstation. The Admin GUI is provided by the BWClient remote administration application installed on a Win32 machine on the internal network. Further details of the BWClient are provided in Annex A to this report.

8. The following TOE subsystems are TSP-supporting:
• Domain Name Server (DNS)
• Mail Server
• Finger Server
• Ident Server
• Traceroute Response Server
• Ping Server
• Network Time Protocol (NTP) Server and Client
• Dynamic Host Configuration Protocol (DHCP) Client
• H.323/Microsoft NetMeeting Proxy

9. The proxies manage connections for TCP/IP applications; services such as DNS and mail relay are provided by the servers. A complete list of the proxies within the scope of this evaluation is provided in Annex B to this report. The TOE provides dual DNS and Network Address Translation to ensure separation between internal and external networks. The mail relay service protects e-mail servers by allowing mail dispatch and delivery without permitting a connection between the server and an untrusted network.

10. Details of the TOE’s architecture can be found in Annex B to this report.

TOE Scope

11. The scope of the certification applies to the TOE running on any standard IA-32 compliant Intel platform: the TOE does not rely on a specific processor speed or RAM size and will therefore operate on any Intel processor that satisfies the hardware dependencies. See Annex A for details of the platforms on which the TOE was tested and paragraph 27 for the hardware dependencies.

12. The TOE can run with between 2 and 6 network interface cards. These are used to connect the firewall to the internal and external networks and, if there are three or more network interface cards, to the Secure Servers Network (SSN) or to further Auxiliary (AUX) networks, which together form a De-Militarised Zone (DMZ). For the purpose of the statement of threats, objectives and environmental assumptions in the Security Target [c], the DMZ is treated as an internal network. The TOE was tested with a number of network interface cards, including a network interface card that can support 2 independent networks.

13. The proxies and services within the scope of the evaluation are detailed in Annex B to this report.

14. The evaluation of BorderWare Firewall Server Version 6.5 excludes the following functionality, which has not been considered by the Evaluators:
• Third party authentication (eg Crypto Card for administrator authentication or Secure inbound FTP and Telnet proxies)
• Virtual Private Network (VPN) or IPSEC capability
• Point to Point Tunnelling Protocol (PPTP) Proxy
• User Defined Proxies
• Uniform Resource Locator (URL) Filtering (ie SmartFilter)
• Secure remote administration of the firewall from an external (unprotected) network
• Support access for patches and upgrades
• Web caching proxy
• SNMP agent
• TCPDump network diagnostic program
• Java and ActiveX filtering
• Encryption provided by OpenSSL as part of the product’s web server

Protection Profile Conformance

15. The Security Target [c] did not claim conformance to any protection profile.

Assurance Level

16. The Security Target [c] specifies the assurance requirements for the evaluation. The assurance incorporated the predefined evaluation assurance level EAL4, augmented by ALC_FLR.1 (basic flaw remediation), with AVA_VLA.3 (moderately resistant vulnerability analysis) replacing the EAL4 assurance component AVA_VLA.2 (independent vulnerability analysis). Common Criteria Part 3 [f] describes the scale of assurance given by the predefined evaluation assurance levels EAL1 to EAL7; EAL0 represents no assurance. As AVA_VLA.3 is hierarchical to AVA_VLA.2, mutual recognition applies to this certification at the assurance level of EAL4.

Strength of Function

17. The TOE contains permutational (password-based) mechanisms, namely administrator authentication at the system console and FTP user passwords, which meet the “timing of authentication” Security Functional Requirement (SFR) FIA_UAU.1. The minimum Strength of Function (SoF) claim for the TOE was SOF-medium.
This claim referred to the strength of the password file encryption mechanism, which uses the Data Encryption Standard (DES) and is additionally protected by operating system access control. DES is publicly known and as such it is the policy of the national authority for cryptographic functions, the Communications-Electronics Security Group (CESG), not to comment on its appropriateness or strength. The minimum SoF claim also applied to the administrator password and FTP-Admin authentication mechanisms.

Security Claims

18. The Security Target [c] fully specifies the TOE’s security objectives, the threats which these objectives counter, and the functional requirements and security functions that elaborate the objectives. The Security Target does not mandate compliance with any Organisational Security Policies. All of the functional requirements were taken from Common Criteria (CC) Part 2 [e]; use of this standard facilitates comparison with other evaluated products. An overview of CC is given in CC Part 1 [d].

Threats Countered

19. The threats that the TOE is to counter are as follows:
a. Attackers on the external network may gain inappropriate access to the internal network.
b. Users on the internal network may inappropriately expose data or resources to the external network.
c. An attacker on the external network may try to connect to services other than those expressly intended to be available in accordance with the security policy.
d. An attacker on the internal network may try to connect to services other than those expressly intended to be available.
e. An attacker on the internal or external network may attempt to initiate a service from an unauthorised source.
f. An attacker on the internal or external network may exploit a configuration not in accordance with the chosen network security policy of the firewall.
g. Unauthorised changes to the configuration may be completed without being identified.
h. An attacker on the internal or external network may attempt to use operating system facilities on the firewall server.

Threats and Attacks not Countered

20. Protection against violation of the network security policy as a result of inaction or action taken by careless, wilfully negligent or external system administrators must be supplied by measures in the TOE’s environment or accepted as a potential security risk.

21. The TOE does not claim to resist all denial-of-service attacks, although during testing the TOE was found to be resistant to all of the denial-of-service attacks performed by the Evaluators.

22. Potential consumers should note that no firewall can counter every type of Internet Protocol (IP) source address spoofing attack. The packet filtering rules deny all network traffic arriving on an interface other than traffic whose IP source address is consistent with that interface (so, for example, a packet arriving from the external network with an internal source address is dropped). The internal and external masquerade variants of IP source address spoofing (ie masquerade of an internal IP source address on the internal network, or of an external IP source address on the external network) are not countered, since such packets arrive on the interface their source address implies.

23. Potential consumers should note that the firewall, in common with similar TOEs, does not counter the threat of session hi-jacking (ie an external attacker taking over an authenticated session initiated by another external host).

24. Potential consumers should be aware that the TOE does not detect viruses.

25. Potential consumers should be aware that, in general, the TOE does not counter the attack of tunnelling one protocol inside another.

Environmental Assumptions and Dependencies

26. The TOE’s environment must also satisfy the following assumptions:
a. The firewall must be physically protected to prevent hostile individuals engaging in theft, implantation of devices or unauthorised alteration of the physical configuration of the firewall.
b. The firewall will only limit the access to resources and data between an internal and an external network.

27. The TOE has no software or firmware dependencies. The TOE has the following hardware dependencies:
• User and Kernel mode
• Interrupts and Exceptions
• Processor Execution levels
• Memory Allocation
• System clock
• File area partitioning

IT Security Objectives

28. The IT security objectives in the Security Target [c] are as follows:
a. The firewall must limit the valid range of addresses expected on each of the external and internal networks.
b. The firewall must limit the hosts and service ports that can be accessed from the external network.
c. The firewall must limit the hosts and service ports that can be accessed from the internal network.
d. The TOE must provide authentication of the end-user prior to establishing a through connection, in accordance with the security policy enforced on the TOE. (The policy is to ensure that no services are allowed for inbound connections.)
e. The firewall must provide a facility for monitoring successful and unsuccessful attempts at connections between networks.
f. The firewall must provide a secure method of administrative control of the firewall, ensuring that only the authorised administrator can exercise such control.
g. The firewall must provide separate areas in which to process security functions and service requests. The processing of a security function must be completed prior to the invocation of subsequent security functions.
h. The firewall is designed and configured solely to act as a firewall and does not provide any operating system user services to any network users; only administrators have access to the firewall, via the Admin GUI. (The firewall does, however, provide application proxy authentication.)

Non-IT Security Objectives

29. The non-IT security objectives in the Security Target [c], which are met by procedural or administrative measures in the TOE’s environment, are as follows:
a. Those responsible for the firewall must ensure that it is delivered, installed and managed in a manner that maintains the security policy.
b. Those responsible for the firewall must train administrators to establish and maintain sound security policies and practices.
c. Administrators of the firewall must ensure that the audit facilities are used and managed effectively. In particular, audit logs should be inspected on a regular basis and appropriate action should be taken on detection of breaches of security or events that are likely to lead to a breach in future. Furthermore, appropriate archive action must be taken to ensure that security logs archived by the firewall are not overwritten before they are inspected.
d. The firewall must be configured as the only network connection between the internal network and the external network.
e. A firewall administrator is assigned the responsibility for day-to-day management and configuration of the firewall, including management of the audit trail.
f. The firewall must be physically protected so that only administrators have access. The firewall must only be administered via the dedicated management port on the firewall or by using the Admin GUI on the internal network.
g. The configuration of the firewall will be reviewed on a regular basis to ensure that it continues to meet the organisation’s security policies in the face of changes to the firewall configuration, changes in the security objectives, changes to the threats from the external network, and changes in the hosts and services made available to the external network by the internal network.

Security Functional Requirements

30. The TOE provides security functions to satisfy the following SFRs:
• Timing of identification (FIA_UID.1)
• Timing of authentication (FIA_UAU.1)
• Authentication failure handling (FIA_AFL.1)
• Management of security attributes (FMT_MSA.1)
• Static attribute initialisation (FMT_MSA.3)
• Security roles (FMT_SMR.1)
• Management of TOE Security Functions’ (TSF) data (FMT_MTD.1)
• Security audit data generation (FAU_GEN.1)
• Security alarms (FAU_ARP.1)
• Potential violation analysis (FAU_SAA.1)
• Security audit review (FAU_SAR.1)
• Protected audit trail storage (FAU_STG.1)
• Non-bypassability of the TSP (FPT_RVM.1)
• TSF domain separation (FPT_SEP.1)
• Reliable time stamps (FPT_STM.1)
• Subset access control (FDP_ACC.1)
• Security attribute based access control (FDP_ACF.1)
• Subset information flow control (FDP_IFC.1)
• Simple security attributes (FDP_IFF.1)

Security Function Policy

31. The TOE has an explicit access control Security Function Policy, defined in the FDP_ACC.1 SFR, and an explicit information flow control policy, defined in the FDP_IFC.1 SFR. A summary of each of these policies is provided below; more detail can be found in the “Security Policy Model” section and in paragraph 11 of Annex B to this report.

32. Access to the firewall’s internal data is controlled by the identification and authentication of an administrator at the firewall console.
Once authentication has been completed, according to the requirements specified by the FIA class of components, an administrative user is able to access all TSF data. Access to data stored in the FTP server is controlled according to whether the user has successfully provided the necessary authentication information. An “anonymous” or “FTP” FTP user can only access a subset of the information that the FTP Admin user is able to access. 33. There are 2 types of information flow: a. AUTHENTICATED – traffic from the internal network to the firewall, providing access to the firewall for a remote administrator on the internal network, which requires the source subject to be identified and authenticated as an administrator of the firewall. b. UNIDENTIFIED – outbound traffic, of which the source subject is not identified, and inbound traffic from the external network to the SSN or AUX networks. EAL4 augmented BorderWare Firewall Server Version 6.5 running on specified Intel platforms Page 8 Issue 1.0 January 2002 Evaluation Conduct 34. The evaluation was carried out in accordance with the requirements of the UK IT Security Evaluation and Certification Scheme as described in UKSP 01 and UKSP 02 [a, b]. The Scheme has established a Certification Body which is jointly managed by CESG and the Department of Trade and Industry on behalf of Her Majesty’s Government. 35. The purpose of the evaluation was to provide assurance about the effectiveness of the TOE in meeting its Security Target [c], which prospective users are advised to read. To ensure that the Security Target gave an appropriate baseline for a Common Criteria evaluation, it was first itself evaluated, as outlined by CC Part 3 [f]. 36. The evaluation was a re-evaluation of a previously certified version of the product (see Certification Report No. P136 [s]). The evaluation reused results where the deliverables related to the product had not changed. 
All new or modified TSP-enforcing and TSP-supporting features of the product were examined as part of the evaluation. 37. The evaluation was performed against the EAL4 assurance package and assurance components ALC_FLR.1 (basic flaw remediation) and AVA_VLA.3 (moderately resistant vulnerability analysis) defined in CC Part 3 [f]. The Common Evaluation Methodology (CEM) [g] was used as the methodology for the evaluation. The CEM supplement for flaw remediation [h] was used as the methodology for ALC_FLR.1. 38. There is no mutually recognised methodology for AVA_VLA.3. The Certification Body agreed that the Evaluators should determine that the Developer’s vulnerability analysis was systematic by demonstrating that a predetermined, planned approach was employed in producing the analysis which demonstrated that the analysis was complete. The methodology agreed for the moderate attack potential used the guidance in CEM [g] Annex B and was based on the methodology for AVA_VLA.2 at EAL4. 39. All Common Criteria Interpretations [k] finalised before the end of the evaluation were applied by the Evaluators. The following Interpretations required updates to the activity reports: • Interpretation 004 (Configuration Management) • Interpretation 043 (Security Target) • Interpretation 084 (Security Target) • Interpretation 116 (Delivery and Operation) 40. The Evaluators conducted sampling during the evaluation, as required for the relevant work- units for EAL4. Guidance provided in the CEM [g], Annex B, Section B.2, was followed in all cases. The Evaluators also confirmed the sample size and approach with the Certifier in all cases. For the testing, the Evaluators repeated a sample of 33% of the Developer’s tests. The Evaluators checked that the sample covered all of the subsystems and interfaces changed since the evaluation of BorderWare Firewall Server Version 6.1.1 and covered a representative sample of the Developer’s tests for the other subsystems and interfaces. 
Where the sampling related to gaining evidence that a process such as configuration control was being followed, the Evaluators sampled sufficient information to gain reasonable confidence that this was the case.

41. The Evaluators used software tools during independent testing. The Evaluators used these tools in accordance with guidance from the Certification Body and from UKSP 05 Part III [i] Chapter 12.

42. The Certification Body monitored the evaluation, which was carried out by the Syntegra Commercial Evaluation Facility (CLEF). The evaluation was completed in January 2002 when the CLEF submitted the final Evaluation Technical Report (ETR) [l] to the Certification Body which, in turn, produced this Certification Report.

Certification Result

43. For the evaluation result see the “Evaluation Outcome” section.

General Points

44. Certification is not a guarantee of freedom from security vulnerabilities; there remains a small probability (smaller with higher assurance levels) that exploitable vulnerabilities may be discovered after a certificate has been awarded. This Certification Report reflects the Certification Body’s view at the time of certification. Consumers (both prospective and existing) should check regularly for themselves whether any security vulnerabilities have been discovered since this report was issued and, if appropriate, should check with the Vendor to see if any patches exist for the product and whether such patches have been evaluated and certified. Consumers are reminded of the security dangers inherent in downloading TOE components, hot-fixes and patches where these are available, and that the UK Certification Body provides no assurance whatsoever for patches obtained in this manner.
More up-to-date information on known security vulnerabilities within individual certified products and systems can be found via the IT Security Evaluation and Certification Scheme web site www.cesg.gov.uk.

45. The evaluation addressed the security functionality claimed in the Security Target [c], with reference to the assumed environment specified in the Security Target. The configuration evaluated was that specified in Annex A. Prospective consumers of the TOE are advised to check that this matches their identified requirements and to give due consideration to the recommendations and caveats of this report.

46. The issue of a Certification Report is not an endorsement of a product.

II. EVALUATION FINDINGS

47. 
The Evaluators examined the following assurance classes and components taken from CC Part 3 [f]:

Assurance class: Assurance components

Configuration management:
• Partial configuration management automation (ACM_AUT.1)
• Generation support and acceptance procedures (ACM_CAP.4)
• Problem tracking configuration management coverage (ACM_SCP.2)

Delivery and operation:
• Detection of modification (ADO_DEL.2)
• Installation, generation and startup procedures (ADO_IGS.1)

Development:
• Fully defined external interfaces (ADV_FSP.2)
• Security enforcing high-level design (ADV_HLD.2)
• Subset of the implementation of the TOE Security Functions (ADV_IMP.1)
• Descriptive low-level design (ADV_LLD.1)
• Informal correspondence demonstration (ADV_RCR.1)
• Informal TOE Security Policy (ADV_SPM.1)

Guidance documents:
• Administrator guidance (AGD_ADM.1)
• User guidance (AGD_USR.1)

Life cycle support:
• Identification of security measures (ALC_DVS.1)
• Basic flaw remediation (ALC_FLR.1)
• Developer defined life-cycle model (ALC_LCD.1)
• Well defined development tools (ALC_TAT.1)

Security Target:
• TOE description (ASE_DES)
• Security Environment (ASE_ENV)
• Security Target introduction (ASE_INT)
• Security objectives (ASE_OBJ)
• Protection Profile claims (ASE_PPC)
• IT security requirements (ASE_REQ)
• TOE summary specification (ASE_TSS)

Tests:
• Analysis of coverage (ATE_COV.2)
• Testing: high-level design (ATE_DPT.1)
• Functional testing (ATE_FUN.1)
• Independent testing – sample (ATE_IND.2)

Vulnerability Assessment:
• Misuse: validation of analysis (AVA_MSU.2)
• Strength of TOE security function evaluation (AVA_SOF.1)
• Moderately resistant vulnerability analysis (AVA_VLA.3) – hierarchical to independent vulnerability analysis (AVA_VLA.2)

48. All assurance classes were found to be satisfactory and were awarded an overall “pass” verdict.

49. There are a number of aspects of the evaluation that are relevant to consumers. These are summarised in the sections that follow.
Security Policy Model

50. The Security Policy Model [q] identifies 5 types of security policies in the TOE, which completely define the conditions under which a user and administrator can interact with the TOE. These policy types are as follows:

• Information flow control security policies
• Identification and authentication security policy
• Access control security policy
• Separation security policy
• Audit security policy

51. The TOE provides a flow control mechanism for all connection requests received by the firewall on one of its network interfaces. The TOE processes incoming requests for services and will permit or deny the request according to the rules set by the administrator. The initial default policy is to deny connection requests that are not covered by an explicit rule. Information flows can be either AUTHENTICATED (identification and authentication) or UNIDENTIFIED (no identification or authentication). Details of the services belonging to each category are provided in paragraph 11 of Annex B to this report.

52. Only TOE administrators are allowed to login at the system console and the remote Admin GUI on the internal network. The TOE does not perform any other source authentication within the scope of the evaluation. Source authentication on FTP and Telnet IP packets entering the firewall from the external network and the SSN/AUX was outside the scope of the evaluation. However, the TOE performs source authentication on FTP IP packets from the internal network with the user identifier “FTP Admin”. The claimed source address is verified against the address of the network interface card on which it was received, disallowing the packet if the results of the check are not consistent. A password-based scheme is used.

53. 
There are different access control policies for TOE administrators than for privileged FTP administrators and for unprivileged users of the TOE. TOE administrators set the security policy by modifying the configuration of the TOE, modifying the rules specifying permissible traffic, by creating and updating administrator accounts, by configuring the events to be accounted and by enabling audit alarms and configuring audit parameters. The FTP administrator can access the administration area of the FTP server and may be granted access to download audit logs from the FTP server. The FTP administrator can read, copy and delete the audit trails archived to the administration area of the FTP server. Unprivileged users of the TOE interact with the TOE only through proxies and have no access to privileged files and processes.

54. TOE functions operate independently with no interaction between processes. Process separation is provided by separation of domains imposed by the operating system supported by the underlying hardware. The partitioning of the file areas is performed by the hardware. A domain is a partitioned file system area containing only the file system resources needed for a process to run. Each process will be assigned its own working directory with access rights limited to that process.

55. The TOE ensures that the TSP functions are invoked and succeed before any related operation is allowed to proceed. Packet filtering must always be performed and completed on any packet received before any further action is performed. In the same way, authentication of the administrator must be performed and completed prior to the administrator being able to invoke system management.

56. The TOE detects and records the occurrences of security relevant events. Audit logs cannot be modified and the audit mechanism cannot be turned off.
System startup/shutdown, administrator logon/logoff, GUI startup/shutdown, changes to an administrator account by an administrator, changes to a rule by an administrator, audit log rollover, authentication of an unprivileged user, change of administrator password, prohibited IP packets, and changes of system time/date are always recorded in the audit log. It is also possible to configure auditing of rejected packets, establishment or termination of a connection, attempted use of FTP commands and alarms sent. The date and time of the event, type of event, subject identity, event outcome, requested destination address and port number are recorded in each case.

Delivery and Installation

57. The consumer receives the TOE as a shrink wrapped package clearly labelled as BorderWare Firewall Server Version 6.5. This package consists of CD-ROMs (in a sealed wallet) and documentation. The use of shrink wrapping will ensure that interference with the TOE will be detectable. It is sent by a shipping company (usually Federal Express) to the consumer. A licence pack is sent to the consumer with the TOE software package. This licence pack contains a serial number which the consumer has to use to obtain a product activation key from the Developer. This ensures that a third-party could not masquerade as the Developer and supply potentially malicious software.

58. The TOE has a number of configuration options which the consumer must perform in order to use the TOE. These options are described in the Installation and Administrative Guide [m]. The Evaluators were satisfied that all configuration options lead to a secure installation of the TOE.

User Guidance

59. User documentation was not relevant to the TOE.

60. The firewall administrator can configure the packet filtering rules, the proxies, servers and alarms. These should be configured to match the requirements of the Security Target [c] and the specific requirements of the organisation.
The administrator should follow the guidance in the administration guidance documentation [m-p] in order to ensure that the TOE operates in a secure manner.

Misuse

61. The Evaluators found that the TOE provided a warning and alarm system documented in the BWClient Help GUI document [o] to notify the TOE administrator of a potentially insecure state. Regular examination of the TOE’s audit logs would also help detect a potentially insecure state. The TOE also includes facilities to guard against failure caused by operational error due to power failure, log overflow and overflow attack and provides safeguards in the event of these errors occurring. Administrators should follow the guidance in the administration guidance documentation [m-p] in order to ensure that the TOE operates in a secure manner.

Developer’s Tests

62. The TOE was installed and tested by the Developer on 6 hardware platforms as specified in Annex A. These tests used different hardware platforms from those used in the Evaluators’ tests.

63. All services and proxies provided by the TOE were protected from buffer overflows by use of the Propolice compiler add-in.

64. The TOE is designed to operate on standard IA-32 compliant Intel platforms. It does not rely on specific processor speed or RAM size, and therefore should operate on any Intel processor that provides the necessary security support services for FreeBSD UNIX in the following areas:

• User and Kernel mode
• Interrupts and Exceptions
• Processor Execution levels
• Memory Allocation
• System clock
• File area partitioning

65. See Annex A to this report for the minimum recommended hardware specification of the TOE.

66. The Developer’s testing was designed to test the security functions that are provided by or which relate to the use of the high-level design subsystems of the TOE.
Unit tests were designed based on the high-level design subsystems of the product. For each high-level design subsystem the unit tests tested the TOE’s IT security objectives and other objectives such as usability and performance.

67. The testing of the TOE’s external interfaces as specified in the TOE’s functional specification was performed by a subset of the unit tests which were mapped to the security functions in the functional specification. See Annex A to this report for details of the Developer’s test environment.

68. The Developer’s testing procedures started with master runs, then described Release Acceptance Criteria (RAC), followed by unit tests and then individual tests using test scripts. For each product release, a master run is defined. The master run consisted of RAC, new feature testing and full product tests (to exercise all features of the product). An RAC test is defined for each type of product release, and consists of a pre-defined set of unit tests designed to check the basic objectives of the build are met. A unit test is defined for a particular module of the product, or for a particular set of functions or features. The unit tests consisted of one or more test scripts.

69. The Evaluators examined all of the test scripts and confirmed that the actual test results were consistent with the expected test results. The expected results were also consistent with the actual results of the Evaluators’ repeated sample of the Developer’s tests.

Evaluators’ Tests

70. The Evaluators sampled 33% of the Developer’s tests. 50% of these tests related to features new to this version of the TOE, while the other 50% were repetition of tests performed during the previous evaluation. Known public domain vulnerabilities relevant to firewalls were also tested.
The US NIAP (National Information Assurance Partnership) ICAT database (http://icat.nist.gov) was included in the search for publicly known vulnerabilities. The search of ICAT resulted in one penetration test.

71. The Evaluators agreed with the Certification Body prior to testing that tests should be conducted across all platforms to test whether the hardware platform variations impact on the TOE security functions. In some cases the same test was repeated on more than one of the hardware platforms. In these cases the Evaluators noted that the same results were achieved across all platforms. The Evaluators were satisfied that the hardware platform did not impact on the security functions of the TOE.

72. Each new feature relating to a TOE Security Function was tested by at least one additional test devised by the Evaluators during their independent testing. No problems were identified as a result of these tests.

73. The Evaluators noted a publicly known vulnerability relating to the implementation of OpenSSL in the web server of the TOE. There is a flaw in the pseudo-random number generator that could allow an attacker to gain sufficient information to deduce nonces or encryption keys (see FreeBSD Security Advisory 01:51 at http://www.freebsd.org/security). However there is currently no known exploit of this vulnerability, and, as noted in the “TOE Scope” section above, the cryptographic functions of OpenSSL are outside the scope of this evaluation.

74. The Evaluators used the following tools during independent testing:

• Insecure.org’s NMAP 2.3Beta8 port scanner
• Foundstone’s SuperScan Version 3.0 port scanner
• War Industry’s Port Flooder from the Advance Hack 2.0 suite port flooder
• Network Associate’s Sniffer Pro Version 1.5 packet sniffer

75. The configuration of the Evaluators’ test environment is described in Annex A.
III. EVALUATION OUTCOME

Certification Result

76. After due consideration of the ETR [l], produced by the Evaluators, and the conduct of the evaluation, as witnessed by the Certifier, the Certification Body has determined that BorderWare Firewall Server Version 6.5, running on Intel platforms in the environment specified in Annex A, meets the specified CC Part 3 [f] augmented requirements incorporating Evaluation Assurance Level EAL4, ALC_FLR.1 (basic flaw remediation) and AVA_VLA.3 (moderately resistant vulnerability analysis) for the specified CC Part 2 [e] conformant functionality in the specified environment.

77. The TOE contained 3 permutational cryptographic functions: password file encryption provided by DES and the administrator password and FTP-Admin authentication mechanisms. The administrator password and FTP-Admin authentication mechanisms were found to meet SoF-medium. DES is publicly known and as such it is the policy of the national authority for cryptographic functions, CESG, not to comment on its appropriateness or strength. Nevertheless, the Evaluators found that, as the password file is protected by operating system access control, the password file is adequately protected and the encryption mechanism is not directly attackable.

Recommendations

78. Prospective consumers of the product should understand the specific scope of the certification by reading this report in conjunction with the Security Target [c].

79. The TOE provides some features that were not within the scope of the evaluation as identified in the “TOE Scope” section above. The secure use of these features has thus not been considered in the evaluation.
It is recommended that these features should not be used if the TOE is to comply with the evaluated configuration.

80. Only the evaluated product configuration, specified in Annex A, should be installed. The product should be used in accordance with its guidance documentation [m-p].

81. The product should only be used in accordance with the environmental considerations outlined in the Security Target [c].

82. Consumers should consider the threats not countered by the TOE when devising their Organisational Security Policy and may need to consider additional products to provide content checking and virus checking functionality not provided by the TOE.

83. The TOE is designed to operate on standard IA-32 compliant Intel processors (without reliance on the processor speed or RAM size). However, it is recommended that the TOE should be installed and operated on at least the minimum hardware specification identified in Annex A to this report.

ANNEX A: EVALUATED CONFIGURATION

TOE Identification

1. The TOE is uniquely identified as: BorderWare Firewall Server Version 6.5

2. The supporting guidance documents evaluated were:

• Installation and Administrative Guide [m]
• BorderWare Firewall Server 6.5 Reference Guide [n]
• BWClient Help GUI [o]
• EAL4 Configuration Guide for BorderWare 6.5 [p]

TOE Configuration

3. The TOE had the following configuration options:

a. loading the TOE software from the CD-ROM or from the network; and

b. allocating the size of the disk partition in which to install the TOE.

4. The TOE can be configured with between 2 and 6 network interface cards for the internal and external network, the SSN and AUX networks.
If only 2 network interface cards are installed, only the internal and external networks are installed.

5. The Evaluators concluded that no TOE configuration options affected the security of the TOE.

Environmental Configuration

6. The Developer’s test environment consisted of a total of 6 systems. Each system comprised:

• Intel processor, ranging from 400 MHz Celeron to 750 MHz Pentium III using 64, 128 or 256 MB RAM
• Hard disk drives, ranging in capacity from 2.2 GB to 20 GB, including Small Computer System Interface (SCSI) and Integrated Drive Electronics (IDE) adapters
• CD-ROM drive
• 3.5 inch floppy disk drive
• Monitor
• Keyboard
• Between 2 and 6 network interface cards, including some 3COM cards and NE2000 compatibles from the supported list [r]

7. The Developer’s test environment was located on its own network, and was connected to internal and external networks, supporting all of the possible test procedures and scenarios. For the purpose of testing the SSN and AUX features of the firewall, separate sub-networks existed, to which one or more servers and workstations were connected as required.

8. The Developer’s quality assurance department had several Microsoft Windows 95, Windows 98, Windows NT and Windows 2000 systems available for use both as clients and servers. Test clients were required to run BWClient, and to simulate normal client activity. Test servers were required to test passing traffic through the firewall. Both the test servers and test clients were connected on the internal, external, SSN and AUX networks connected to the test firewalls.

9. 
The specific configurations of the server machines used during the Evaluators’ tests for the TOE were:

• Compaq Proliant with 600 MHz Intel Pentium III processor, 128 MB RAM, 9 GB SCSI hard disk and 2 network interface cards
• Dell PowerEdge 1300 with 500 MHz Pentium III processor, 256 MB RAM, 9 GB SCSI hard disk and 6 network interface cards
• BorderWare RS 1000 Security Server with 600 MHz Pentium III processor, 128 MB RAM, 9 GB SCSI hard disk and 2 network interface cards
• BorderWare RS 2000 Security Server with 750 MHz Pentium III processor, 256 MB RAM, 2x 20 GB IDE hard disks and 2 network interface cards with one card, a 3COM 3C982 ethernet card, supporting 2 networks
• Intel ISP 1100 with 600 MHz Pentium III processor, 128 MB RAM, 2x 8 GB IDE hard disks and 2 network interface cards

10. The TOE is designed to operate on standard Intel hardware platforms complying with the standard IA-32 architecture. It includes device drivers to support the range of commonly used disk controllers (IDE, ATA and SCSI) and the majority of network interface cards on the market. The TOE does not rely on specific processor speed or RAM size and therefore, will operate on any Intel processor that satisfies the hardware dependencies identified in paragraph 27 of the main body of this report.

11. The minimum recommended hardware specification for the TOE is as follows:

• Intel Pentium Processor (133 MHz)
• 64 MB RAM
• 1 GB Hard Disk (SCSI or IDE)
• 2-6 network interface cards from the supported list [r]
• CD-ROM drive
• 3.5 inch floppy disk drive

12. The BWClient does not have any special requirements. It is a Windows based application that runs on any Win32 operating system (Windows 95, Windows 98, Windows NT Version 4.0 or Windows 2000).
As the BWClient communicates over the network to the BorderWare Firewall Server, it requires the machine on which it is installed to have networking capability. A copy of BWClient is included on the TOE distribution CD-ROM. In this evaluation BWClient was installed on the internal interface machine which ran Windows 2000 on a Compaq Proliant machine with the following specification:

• Intel Pentium III Processor (600 MHz)
• 128 MB RAM
• 9 GB Hard Disk (SCSI)
• 1 network interface card
• CD-ROM drive
• 3.5 inch floppy disk drive

13. The machine used during Evaluators’ testing as representing the internal network had 128 MB of RAM and used the Microsoft Windows 2000 operating system. The machine representing the external network had 128 MB RAM and used Windows NT 4.0 Service Pack 5 and Red Hat Linux 6.2 operating systems. The machine representing the SSN and AUX networks had 128 MB RAM and used Windows NT 4.0 Service Pack 5 and Red Hat Linux 6.2 operating systems.

14. The diagram below shows the architectural layout of the machines used for Evaluators’ independent testing:

[Diagram: Client; Gateway1, Gateway2, Gateway3, Gateway4, Gateway5; Internal Interface, External Interface, SSN Interface, AUX1, AUX2, AUX3]

15. The firewall machines in the above diagram are not in series; only one firewall was used at a time. The machines represent the choices of firewall available.

ANNEX B: PRODUCT SECURITY ARCHITECTURE

1. The TOE is an application-level firewall. It mediates information flows between clients and servers located on internal and external networks governed by the TOE. The TOE employs proxies to screen information flows.
Proxy servers on the TOE, for services such as FTP and Proxy Server HTTP requests (optional), require authentication at the TOE by client users before requests for such services can be authorised. Thus, only valid requests are relayed by the proxy server to the actual server on the internal network.

2. The TOE delivers three security layers:

• packet filtering
• circuit level gateways
• application level gateways

3. The packet filtering controls are performed at the operating system kernel level. By default, these security policy rules deny all inbound information flows. Only an authorised administrator has the authority to change the security policy rules.

4. The BorderWare Firewall Server operating system does not permit any operating system user logons. All direct interaction with the TOE to perform configuration and administration tasks is performed on the firewall server console, or via the Admin GUI on a client connected to the internal, protected network. The administrator is the only user who is able to directly interact with the TOE. Interaction with the TOE is transparent to all other users.

5. The administrator is able to perform basic configuration and administration of the firewall using the firewall server console, via the “Admin menu”. Access to the console is physically protected and logically controlled through password protection. Full administration services are only provided through use of the Admin GUI at a client workstation. Use of the Admin GUI is protected by use of a password. A challenge/response Crypto Card authentication token (56 bit DES encryption) may be used, but this is outside the scope of the evaluation.

6. The TOE supports up to 6 network interface cards, each of which is connected to a different network segment. Each network segment must be physically separate from the other network segments. The minimum configuration is 2 physical network interface cards.
In this configuration one network interface card is connected to the internal network, and the second card is connected to the external network. If more than 2 network interface cards are used, then the additional cards will be assigned the role of SSN or AUX interfaces. The term SSN is used to describe the third network card; any additional interfaces are described as AUX. The SSN and AUX interfaces are identical. The SSN and AUX together form a DMZ. They are collectively known as SSN/AUX interfaces. Connections between any 2 SSN/AUX interfaces are not allowed.

7. Transparent address translation is performed for all outbound traffic. Inbound address translation is not transparent. An external entity must direct all traffic to an address assigned to the firewall’s external or SSN/AUX interface. Subject to successful identification and authentication, this traffic can be relayed to an entity on the internal network. The address translation is augmented by the separate DNS, which ensures that internal addresses are never disclosed to an external entity by domain name lookup.

8. When recorded, the audit trail data is stamped with the date and time information. Audit events include:

• Every successful inbound and outbound connection
• Every unsuccessful connection
• Every successful and unsuccessful administrator authentication attempt

9. If the audit trail becomes full, then the trail will be archived and a new audit trail initialised. If the limit of archived audit trails is reached, the oldest archive will be deleted to allow the current audit trail to be archived. This mechanism ensures that the partition on the TOE’s disk reserved for audit information never becomes full, an event that could lead to failure to record audit information.

10. The TOE has predefined proxies and built-in servers.
The following tables identify the predefined proxies and built in servers that are included within the scope of the evaluation.

11. Services provided by predefined proxies that can be configured on the TOE within the scope of the evaluation are specified in the table below. The table heading identifies the direction of information flow provided by the services and the relevant information flow security policies. Only the Admin GUI on the internal network is subject to the AUTHENTICATED information flow security policy. The following tables specify the information flows of the UNIDENTIFIED security policy.

Internal->External | Internal->SSN/AUX | External->SSN/AUX | SSN/AUX->External

America On-line Finger Anonymous FTP FTP Finger FTP Finger Finger FTP Gopher Ident Ident Gopher Ident NNTP Ping Ident NetShow SMTP Mail POP Mail NetShow NNTP WWW SMTP Mail NNTP ICMP Ping/Timestamp Oracle SQL*Net WWW Ping POP Mail BookWhere (Z39.50) POP Mail RealAudio DNS Relay RealAudio SMTP Mail Gopher Telnet Telnet IMAP Whois WWW Lotus Notes WWW IMAP Magistrate (Snare) BookWhere (Z39.50) Lotus Notes MS SQL DNS Relay Magistrate (Snare) NetShow IMAP MS SQL NNTP Lotus Notes SSH Oracle SQL*Net Magistrate (Snare) Oracle SQL*Net Real Audio MS SQL SSH Oracle SQL*Net Telnet SMTP Relay SSH NetMeeting

12. Services provided by servers that can be configured on the TOE server within the scope of the evaluation are provided in the table below.

Internal: Finger, FTP, Ident, ICMP Ping/Timestamp, POP Mail, SMTP Mail, Traceroute response, WWW, DNS, LDAP, NTP

External: Anonymous FTP, Finger, Ident, ICMP Ping/Timestamp, SMTP Mail, Traceroute response, WWW, DNS, NTP

SSN/AUX: Anonymous FTP, Finger, Ident, ICMP Ping/Timestamp, POP Mail, SMTP Mail, Traceroute response, WWW, DNS, NTP

13. 
Services provided by clients within the scope of the evaluation are provided in the table below.

Internal: NTP

External: DHCP, NTP

SSN/AUX: NTP

14. The figure below provides an architectural overview of the BorderWare Firewall Server. It identifies the network interfaces and the management interfaces via the system console and Remote Admin GUI. The area within the box provides the scope of the TOE covered by the evaluation.

[Figure: Internal Network, External Network, Optional SSN/AUX Network(s); System Console; BorderWare Firewall Server; Remote Admin GUI; box labelled Scope of the TOE]

15. The TOE includes the operating system based on FreeBSD-4.2-Release. The kernel has all redundant devices removed including shell access and UNIX login prompt. The TOE is comprised of a number of subsystems described in the high level design. Each subsystem is further refined into modules in the low level design.

16. The following diagram shows the subsystems described in the high level design and relationships between them:

[Diagram of subsystems: Unix Kernel, Mail Server, DNS, FTP Server, BWAPI, Console Interface, Admin GUI, Proxies, Database, WEB Server, Finger, Ident, H.323, NTP, DHCP]

17. The BWAPI subsystem is used to handle requests for firewall management functions from the console interface and the remote Admin GUI. Management functions are functions used to modify or view the firewall configuration, run diagnostic tests and view log files.

18. The UNIX Kernel provides the environment in which processes and subsystems execute. The process environment provides controlled access to files, the IP stack and other processes. The IP stack includes a packet filter that discards or redirects packets.
It is responsible for passing data between proxy and server subsystems and other hosts on the network. The kernel also provides Transmission Control Protocol (TCP) connection state, TCP option negotiation, TCP flow control, resending of unacknowledged TCP packets, and handling and generation of Internet Control Message Protocol (ICMP or “ping”) error messages.

19. The Database subsystem provides a means of information storage and retrieval for other subsystems.

20. The System Console (also known as the console interface) subsystem provides a user interface for the firewall administrator to configure and maintain the other subsystems.

21. The Admin GUI subsystem is a Windows 95, 98, NT or Windows 2000 application that allows an administrator to manage the BorderWare Firewall Server from a remote PC. Remote management includes the configuration of firewall servers such as DNS and Mail, proxies, authorised remote administration, and examination of logs and diagnostic information.

22. The Proxies subsystem exchanges IP traffic between the TOE’s network interfaces. Where appropriate, traffic is filtered or reinterpreted.

23. The DHCP Client subsystem is used to provide the firewall with its external IP address and its default route address. DHCP is typically used in small installations where the customer does not own an IP address and is required by the Internet Service Provider (ISP) to obtain one via DHCP.

24. The DNS subsystem provides translation between Internet host names and addresses. It also provides other resource records on hosts and domains.

25. The FTP Server subsystem provides a secure public file sharing system and allows an administrator to upload and download certain configurations to the firewall.

26. The Web Server subsystem provides two distinct services on the firewall, access and hosting, which allow remote management access and the serving of public static HTML documents respectively.

27.
The Mail Server subsystem comprises a Simple Mail Transfer Protocol (SMTP) mail server and a Post Office Protocol (POP) mail server. The SMTP server is used to provide a secure means of passing SMTP mail from the Internet to the internal network, and it may be used as a default mail gateway to pass mail from the internal network to the Internet. The POP mail server is used to provide access to user mailboxes held on the TOE.

28. The Finger Server subsystem implements the finger protocol and provides a static, configurable information message. The finger service does not provide any information about individual users.

29. The Ident Server subsystem is used to allow the TOE to process requests for the identity of users on external networks. The TOE does not implement an Ident Client to identify the TOE or users on the internal network.

30. The NTP Server and Client subsystem is used to provide a reference timestamp to internal machines. The server enables the firewall to be the source of the timestamp; the client allows the firewall to synchronise its system clock with reference sources on the Internet. Currently NTP must be configured via the system console.

31. The H.323 Proxy subsystem allows internal users to employ H.323 type protocols such as Microsoft NetMeeting without revealing information about the internal network. This proxy is considered separate from the Proxy subsystem owing to its implementation.
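As an added example (not code from the report or from BorderWare), the following Python encodes the evaluated server and client tables of paragraphs 12 and 13 above and audits a proposed interface configuration against them, flagging any built-in server or client that the certificate does not cover on that interface; the Listener type and the sample configuration are constructed for illustration.

```python
# Added example (not BorderWare code): audit a proposed configuration against the
# evaluated server and client tables of Annex B, paragraphs 12 and 13.
from dataclasses import dataclass

INTERFACES = ("Internal", "External", "SSN/AUX")
# Built-in servers per interface, as listed in paragraph 12.
EVALUATED_SERVERS = {
    "Internal": {"Finger", "FTP", "Ident", "ICMP Ping/Timestamp", "POP Mail",
                 "SMTP Mail", "Traceroute response", "WWW", "DNS", "LDAP", "NTP"},
    "External": {"Anonymous FTP", "Finger", "Ident", "ICMP Ping/Timestamp",
                 "SMTP Mail", "Traceroute response", "WWW", "DNS", "NTP"},
    "SSN/AUX": {"Anonymous FTP", "Finger", "Ident", "ICMP Ping/Timestamp",
                "POP Mail", "SMTP Mail", "Traceroute response", "WWW", "DNS", "NTP"},
}
# Clients the firewall itself runs per interface, as listed in paragraph 13.
EVALUATED_CLIENTS = {"Internal": {"NTP"}, "External": {"DHCP", "NTP"}, "SSN/AUX": {"NTP"}}

@dataclass(frozen=True)
class Listener:  # constructed type for this example
    interface: str
    service: str
    kind: str = "server"  # "server" (built-in server) or "client"

def audit(config):
    """Return (listener, reason) pairs for every entry outside the evaluated
    configuration; an empty list means the proposed servers and clients stay
    within the scope of the certificate."""
    findings = []
    for item in config:
        if item.interface not in INTERFACES:
            findings.append((item, "interface not covered by the evaluation"))
            continue
        table = EVALUATED_SERVERS if item.kind == "server" else EVALUATED_CLIENTS
        if item.service not in table[item.interface]:
            findings.append((item, f"{item.kind} '{item.service}' is not in the "
                                   f"evaluated configuration on {item.interface}"))
    return findings

# Constructed sample: LDAP is evaluated only on the internal interface and the
# DHCP client only on the external one, so those two entries are flagged.
SAMPLE_CONFIG = [
    Listener("External", "SMTP Mail"),
    Listener("External", "LDAP"),
    Listener("Internal", "DHCP", kind="client"),
    Listener("SSN/AUX", "POP Mail"),
]

if __name__ == "__main__":
    for listener, reason in audit(SAMPLE_CONFIG):
        print(f"{listener.interface:8} {listener.service:12} {reason}")
```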
