SECURITY TARGET FOR THE SECURELOGIX CORPORATION® ETM® (ENTERPRISE TELEPHONY MANAGEMENT) SYSTEM VERSION 5.0.1 EWA-Canada Document No. 1495-011-D001 Version 1.1, 11 October 2005 Communications Security Establishment Common Criteria Evaluation File Number: 383-4-38 Prepared for: Canadian Common Criteria Scheme Certification Body Communications Security Establishment P.O. Box 9703 Terminal Ottawa, Ontario K1G 3Z4 Prepared by: Electronic Warfare Associates-Canada, Ltd. 55 Metcalfe St., Suite 1600 Ottawa, Ontario K1P 6L5 SECURITY TARGET FOR THE SECURELOGIX CORPORATION® ETM® (ENTERPRISE TELEPHONY MANAGEMENT) SYSTEM VERSION 5.0.1 Document No. 1495-011-D001 Version 1.1, 11 October 2005 Approved by: Deputy Project Manager: Kim Frawley Braun 11 October 2005 Project Manager: Mark Gauvreau 11 October 2005 Program Director: Erin Connor 11 October 2005 (Signature) (Date) ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page i of ii TABLE OF CONTENTS 1 INTRODUCTION....................................................................................................... 1 1.1 Identification................................................................................................................. 1 1.2 Overview....................................................................................................................... 1 1.3 CC Conformance .......................................................................................................... 3 1.4 Conventions .................................................................................................................. 4 1.5 Terminology.................................................................................................................. 4 2 TARGET OF EVALUATION DESCRIPTION ...................................................... 5 2.1 TOE Security Functional Policies (SFP) ...................................................................... 9 2.1.1 Telecommunications SFP (TELCO_SFP) ........................................................ 9 2.1.2 Network SFP (NETWORK_SFP) ................................................................... 11 2.1.3 File Access SFP (FILE_SFP)............................................................................ 11 2.1.4 Cryptographic SFP (CRYPTO_SFP) ............................................................. 11 3 TOE SECURITY ENVIRONMENT....................................................................... 12 3.1 Assumptions................................................................................................................ 12 3.2 Threats......................................................................................................................... 12 3.2.1 Threats Addressed By The TOE ..................................................................... 12 3.2.2 Threats To Be Addressed By Operating Environment ................................. 13 4 SECURITY OBJECTIVES ..................................................................................... 15 4.1 TOE Security Objectives ............................................................................................ 15 4.2 Environment Security Objectives ............................................................................... 16 5 IT SECURITY REQUIREMENTS......................................................................... 17 5.1 TOE Security Requirements ....................................................................................... 17 5.1.1 TOE Security Functional Requirements ........................................................ 17 5.1.2 TOE Security Assurance Requirements......................................................... 33 6 TOE SUMMARY SPECIFICATION..................................................................... 34 6.1 TOE Security Functions.............................................................................................. 34 6.2 Assurance Measures.................................................................................................... 39 7 PROTECTION PROFILE CLAIMS...................................................................... 41 8 RATIONALE ............................................................................................................ 42 8.1 Security Objectives Rationale..................................................................................... 42 8.1.1 TOE Security Objectives Rationale ................................................................ 42 8.1.2 Environment Security Objectives Rationale .................................................. 45 ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page ii of ii 8.2 Security Requirements Rationale................................................................................ 46 8.2.1 Security Functional Requirements Rationale ................................................ 46 8.2.2 Assurance Requirements Rationale ................................................................ 50 8.2.3 Rationale for Satisfying Functional Requirement Dependencies................. 50 8.2.4 Rationale for Satisfying Assurance Requirement Dependencies.................. 52 8.2.5 Rationale for Security Functional Refinements............................................. 52 8.2.6 Rationale for Audit Exclusions........................................................................ 54 8.3 TOE SUMMARY SPECIFICATION RATIONALE................................................. 54 8.3.1 TOE Security Functions Rationale.................................................................. 55 8.3.2 TOE Assurance Measures Rationale .............................................................. 61 9 ACRONYMS AND ABBREVIATIONS................................................................. 64 LIST OF FIGURES Figure 1: Example ETM® System Configuration..................................................................... 3 Figure 2: TOE Boundary Diagram ........................................................................................... 8 LIST OF TABLES Table 1. Summary of Security Functional Requirements....................................................... 17 Table 2. Additional Auditable Events from CC Functional Components .............................. 20 Table 3. Assurance Requirements for ETM® System............................................................. 33 Table 4. Mapping of TOE Security Objective to Threats....................................................... 42 Table 5. Mapping of Environment Security Objectives to Threats and Assumptions............ 45 Table 6. Mapping of Security Functional Requirements to TOE Security Objectives........... 47 Table 7. Security Functional Requirement Dependencies...................................................... 50 Table 8. Security Assurance Requirement Dependencies ...................................................... 52 Table 9. Rationale for Audit Exclusions................................................................................. 54 Table 10. Mapping of TOE Security Functions to Security Functional Requirements.......... 55 Table 11. Mapping of Assurance Measures to Security Assurance Requirements ................ 61 ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 1 of 65 1 INTRODUCTION 1.1 IDENTIFICATION This document details the Security Target (ST) for the SecureLogix Corporation® ETM® System. This ST (version 1.1, dated 11 October 2005) has been prepared by Steven Bowles of EWA-Canada Ltd., in accordance with the Common Criteria for Information Technology Security Evaluation (CC), version 2.2, January 2004. 1.2 OVERVIEW The ETM® System is designed to protect telecommunications lines from abuse and provide extensive auditing capabilities on all telecommunications line traffic. The ETM® System acts as a voice traffic firewall to protect internal telecommunication resources (telephones, modems, faxes, etc.) from abuse, fraud, and attack. The system is capable of operating in conjunction with a Private Branch Exchange (PBX), but is not required to do so. The evaluated configuration for the ETM® System v5.0.1 consists of: a. ETM® System Software; 1. ETM® System Console; 2. ETM® Management Server; 3. ETM® Report Server; 4. ETM® Database; 5. ETM® Call Recorder; and 6. Collection Server; b. ETM® System Applications; 1. Performance Manager; 2. Directory Manager; and 3. Usage Manager; c. ETM® Platform Appliances; 1. ETM® Communications Appliances; and 2. ETM® Application Appliances d. Windows/Solaris Operating System. The ETM® System mediates access between local telecommunication users and external telecommunication users based on rules defined by the administrator. Rule sets are created on the ETM® Management Server, which are then pushed to the appliances. The appliances allow or deny calls based on their respective rule sets. The default behaviour is to allow calls that are not explicitly denied. ETM® Communications Appliances support circuit switched analog, TDM digital, and VoIP calls. A hardware setting exists for all ETM® Communications Appliances to determine the default behaviour should an ETM® Communications Appliance fail (e.g., due to a power ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 2 of 65 outage). ETM® Communications Appliances can be configured to fail-safe (allow all calls) or fail-secure (deny all calls, including emergency numbers). There are also two ETM® Application Appliances. The AAA Services Appliance is used to temporarily enable a specific voice/data circuit while the Call Caching Appliance allows for the recording of calls. The ETM® System Console is used for the execution of ETM® System Applications. These applications allow the administrator to perform the following functions: a. Performance Manager provides a graphical interface for managing and monitoring ETM® Platform Appliances, view real-time monitoring and Policy processing, and view ETM® System; b. Directory Manager is used to manage the phone numbers and URIs used in the ETM® System; and c. Usage Manager is an application for generating reports of ETM® System activity, Policy processing, telecom cost accounting, and resource utilization. Ethernet network links are used to facilitate the following communication channels: a. between the ETM® Platform Appliances and the ETM® Management Server; b. between the ETM® System Console and the ETM® Management Server; c. between the administrator and appliances; and d. between appliances. The ETM® System also includes an option to encrypt network communication using Triple DES cryptography. Administrators may also communicate directly with an appliance through its serial port. Appropriate security measures are expected to exist for the network on which the ETM® System is deployed to protect the communication between components. Appropriate mechanisms must be put in place on the commercial products being used that are external to any SecureLogix Corporation Components. The Target of Evaluation (TOE) consists of the ETM® Management Server, the ETM® System Console (and the installed ETM® System Applications), and the ETM® Platform Appliances. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 3 of 65 Figure 1: Example ETM® System Configuration The ETM® System ST contains the following sections: • Security Target Introduction: Presents the ST identification and an overview of the ST structure. • TOE Description: Provides an overview of the TOE security functions and describes the physical and logical boundaries for the TOE. • TOE Security Environment: Describes the threats and assumptions that pertain to the TOE and the TOE environment. • Security Objectives: Identifies the security objectives that are satisfied by the TOE and the TOE environment. • IT Security Requirements: Presents the Security Functional Requirements (SFRs) met by the TOE. • TOE Summary Specification: Describes the security functions provided by the TOE to satisfy the security requirements and objectives. • Protection Profile Claims: Presents the rationale concerning compliance of the ST to any Protection Profiles (PPs). • Rationale: Presents the rationale for the security objectives, requirements, and the TOE summary specifications as to their consistency, completeness, and suitability. 1.3 CC CONFORMANCE The ETM® System is conformant with the identified functional requirements specified in Part 2 of the CC. The ETM® System is conformant to the assurance requirements for Evaluation Assurance Level (EAL) 2, as specified in Part 3 of the CC, with the following augmentations: ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 4 of 65 a. ACM_CAP.3 – Authorisation controls; b. ACM_SCP.1 – TOE CM coverage; and c. ALC_DVS.1 – Identification of security measures. 1.4 CONVENTIONS The CC permits four types of operations to be performed on functional requirements: selection, assignment, refinement, and iteration. These operations are identified in this ST in the following manner: • Selection: Indicated by surrounding brackets and italicised text, e.g., [selected item]. • Assignment: Indicated by surrounding brackets and regular text, e.g., [assigned item]. • Refinement: Indicated by underlined text, e.g., refined item. • Iteration: Indicated by assigning a number at the functional component level, e.g., “FDP_ACC.1, Subset access control (1)” and “FDP_ACC.1, Subset access control (2)”. 1.5 TERMINOLOGY The following terminology is used throughout this ST: Administrator An individual that communicates over the network to configure and operate the TOE. Network The TOE protects telecommunications lines (analog, digital and VoIP) but uses a TCP/IP network for internal TOE communications. Network refers to the TCP/IP network. Network attacker An unauthorised individual or IT entity that communicates over the network. Telecommunications user An individual or IT entity that communicates over the telecommunications lines. User An administrator, as defined above, unless stated otherwise. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 5 of 65 2 TARGET OF EVALUATION DESCRIPTION The evaluated configuration for the ETM® System v5.0.1 consists of: a. ETM® System Software; 1. ETM® System Console v5.0.1, Build 011; 2. ETM® Management Server v5.0.1, Build 011; 3. ETM® Report Server v5.0.1, Build 011; 4. ETM® Database v5.0.1, Build 011; 5. ETM® Call Recorder v5.0.1, Build 011; and 6. Collection Server v2.0, Build 011; b. ETM® System Applications; 1. Performance Manager v5.0.1, Build 011; 2. Directory Manager v5.0.1, Build 011; and 3. Usage Manager v5.0.1, Build 011; c. Java® Virtual Machine software, version 1.4.2_03 on both the ETM® Management Server and the ETM® System Console hosts; d. ETM® Platform Appliances; 1. ETM® Communications Appliances; and (a) ETM® Model 1010-Analog Appliance version 5.0.54 with 12 lines; (b) ETM® Model 1012-Hybrid Analog & VoIP Appliance version 5.0.54 with 12 lines; (c) ETM® Model 1024-Hybrid Analog & VoIP Appliance version 5.0.54 with 24 lines; (d) ETM® Model 1090-Hybrid Digital & VoIP Appliance version 5.0.54 (supporting 1 Span configurable for T1 CAS, T1 PRI, Euro (E1) CAS, E1 PRI, SS7, or VoIP); (e) ETM® Model 2100-Digitial Appliance version 5.0.54 (supporting 4 Spans configurable for T1 CAS, T1 PRI, E1 CAS, E1 PRI, or SS7); and (f) ETM® Model 3200-Digital Appliance version 5.0.54 (supporting 16 Spans configurable for T1 CAS, T1 PRI, E1 CAS, E1 PRI, or SS7). 2. ETM® Application Appliances (a) ETM® Model 1050-AAA Services Appliance version 5.0.54 with 2 IVR ports; (b) ETM® Model 1060-Call Caching Appliance version 5.0.54 for call recording; The ETM® System Software and ETM® System Applications run on Windows® NT 4 SP6a, Windows® 2000 SP4, Windows 2003 Server SP1, and Solaris™ 7/8 as the operating systems1 . The ETM® System Console and ETM® System Applications also run on Windows® XP SP2. These operating systems are included in the TOE. 1 Unlike the other ETM® System Software, Collection Server v2.0 only runs on Windows® 2000 SP4, and Windows 2003 Server SP1. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 6 of 65 The minimum hardware requirements for the ETM® System Software and ETM® System Applications are specified in the ETM® System Installation Guide and Technical Reference provided as part of the ETM® 5.0.1 Product Code CD-ROM. The administrator uses the ETM® System Console to communicate with the ETM® Management Server, and through it, communicate with an appliance. The administrator may also directly communicate to an appliance through a Telnet server or a serial port on the appliance. The Telnet access to an appliance can be disabled, if desired, and can also be configured to automatically disable for a period of time if the specified number of failed login attempts occur within the configured period of time. The failed login count resets to zero after a successful login. The ETM® System Components (ETM® Platform Appliances, ETM® System Software, and ETM® System Applications) can be distributed across an Ethernet network. The network access security policy requires administrators to provide a valid user ID and password for authentication. Appliances maintain a file of approved IP addresses and only allow telnet communications from these addresses. ETM® Management Servers maintain a file of approved Appliance IP addresses and only allow connections from Appliances at these addresses. ETM® Management Servers also maintain a file of approved remote ETM® System Console IP addresses and only allow communications from consoles at these addresses. The Performance Manager, running within an ETM® System Console, allows the administrator to manage one or multiple ETM® Systems using graphical windows. The administrator can configure appliances by creating a configuration file on the ETM® Management Server that, in turn, gets pushed to the appliances. Checks are performed on a regular basis to ensure the appliances are executing the latest configuration file as defined (i.e., stored) on the ETM® Management Server. It is important to note that, where possible, any configuration changes to the appliances should be made through the ETM® System Console; otherwise, changes made by communicating directly to the appliances can be overwritten when the next check occurs. (The configuration file on the appliance would be different than that on the ETM® Management Server, so it would be changed to match the ETM® Management Server.) The ETM® System includes the ability to examine the rule set for ambiguous rules (e.g., rules that will never be triggered due to a previous rule). The ETM® Platform Appliances that enforce the policies defined in the ETM® Management Server support different types of telecommunications protocols/services: a. The ETM® Model 1010 - Analog Appliance; b. The ETM® Models 1012 and 1024 - Hybrid Analog and VoIP Appliances; c. The ETM® Model 1050 – AAA Services Appliance; d. The ETM® Model 1060 – Call Caching Appliance; ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 7 of 65 e. The ETM® Model 1090 – Hybrid Digital and VoIP Appliance (supporting T1 CAS, T1 PRI, E1 CAS, and E1 PRI telecommunications protocols; and SIP and H.232 VoIP protocols); and f. The ETM® Models 2100 and 3200 – Digital Appliances (supporting T1 CAS, T1 PRI, E1 CAS, and E1 PRI telecommunications protocols). All appliances are created by SecureLogix Corporation using commercially available hardware components and execute on the Linux 2.4.21 operating system. The appliances can be configured individually or as a group. SecureLogix Corporation has added an extensive set of appliance command line instructions called ETM® System Commands. The ETM® System Command set can be accessed through a Telnet connection, an ASCII command line window opened in the ETM® System Console, or an RS-232 serial (console) link. However, a small subset of the ETM® System Commands can only be performed locally at the appliance through the serial link. The AAA Services Appliance is used by a user to temporarily enable an ETM® Communications Appliance rule allowing a specific voice/data circuit to be enabled. The telecom user is required to enter a user ID, PIN and destination telephone number to be called. This call will then be allowed if the ETM® System administrator has previously created a rule allowing the call based on a successful AAA user request. An authorised telecommunications user is able to access telecommunications resources to initiate calls in accordance with the TELCO Security Function Policy but only for a set maximum time period, configurable from 0 to 30 minutes. Additionally, access to the telecommunication resources are restricted to a single call during the set maximum time period. If the AAA service user does not call the authorized telecommunication resource within the time specified in the AAA Service configuration, the authorization expires. The AAA service is not supported for VoIP based calls. The Call Caching Appliance is used to record any inbound or outbound calls on digital trunks. The ETM® Call Recorder add-on for the ETM® Management Server allows an ETM® System administrator to create rules through the ETM® System Console that will initiate call recording based upon various call properties such as; direction, source, destination, time-of-day, and call type. The ETM® Call Recorder also adds functionality to the ETM® Communications Appliances (1012, 1024, 1090, 2100 & 3200) allowing them to record calls into temporary storage. The ETM® Communications Appliances forward the recorded calls to a Call Caching Appliance. The Call Caching Appliances then forward the recorded calls to a Collection Server where the calls are stored on disk and converted into standard sound file formats. ETM® System administrator can listen to the stored calls using standard third-party tools (i.e. Windows Media Player). The Collection Server can be installed on the same system as an ETM® Management Server or on a separate system. The ETM® Call Recorder service is not supported for VoIP based calls. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 8 of 65 A hardware setting exists for all ETM® Platform Appliances, except the AAA Appliance, to determine the default behaviour should an ETM® System Appliance fail (e.g., due to a power outage). In such cases, policy rules cannot be processed. The hardware setting allows the ETM® Communication Appliances to be configured to either fail-safe (allow all calls) or fail- secure (deny all calls, including emergency numbers). If the AAA Appliance fails, the AAA session is terminated and all AAA services are unavailable. As well, all ETM® Platform Appliances, except the AAA Appliance, support a “Last Resort” appliance recovery feature. In the event that an appliance’s boot image becomes corrupt, a hardware setting allows for a boot image to be downloaded from an ETM® Server. The system can encrypt communications between components using Triple DES cryptography. The ETM® System implementation of Triple DES is based on the specifications in FIPS 46-3 and ANSI X9.52-1998 and has been awarded certificate numbers 373, 374, and 375 on the Triple DES Validated Implementations list. Assessment of the cryptographic algorithm implementations does not form part of the CC evaluation but is separately validated under the Cryptographic Module Validation Program. Figure 2: TOE Boundary Diagram The Directory Manager, running within an ETM® System Console, is used to import and manage phone numbers in the ETM® System. The Directory contains the following types of Directory entries: Listings, Filters, Ranges, Groups, Wildcards, and Import Sets. Usage Manager, running within an ETM® System Console, gives the ETM® System extensive auditing and reporting capabilities. The level of detail of each audited event is configurable by the administrator; however, each audit record contains a unique identification number, date and time stamp, and the appliance, span or span group which originated the record. Also, all call details (call destination/source; call type, duration, and ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 9 of 65 direction; date and time; telecommunication line specifics; etc.) are recorded. Audit records may be viewed in a report generated using pre-defined or custom templates, or plotted in a graph in the ETM® System Console. The ETM® Report Server provides the processing engine that retrieves call, policy enforcement, and diagnostic log data from the ETM® Database when reports are generated. Reports may be generated on an automated schedule or as requested. Most of the data produced during the operation of the ETM® System is stored in the ETM® Database, which is part of the ETM® Management Server. The ETM® Database supports both Oracle® 8i and 9i DBMSs2 on both Windows® and Solaris™. The DBMS used for the ETM® Database can be installed on the same system as an ETM® Management Server or on a separate system. Audit records concerning telecommunication information flow and appliance status are generated at the ETM® Communication Appliances and are uploaded to the ETM® Management Server. Each appliance, except the AAA Appliance, contains a memory card that can store the audit records temporarily if the ETM® Management Server is unavailable. The memory cards can hold the audit data in a circular buffer where they will eventually be overwritten with newer records, however there is sufficient memory to hold multiple days of audit logs even under heavy telecommunications traffic. 2.1 TOE SECURITY FUNCTIONAL POLICIES (SFP) The TOE Security Policy (TSP) is comprised of the TELCO, NETWORK, FILE and CRYPTO SFPs that define the rules by which the TOE governs access to its telecommunication, network and file resources, and govern the export/import of cryptographic keys, respectively. 2.1.1 Telecommunications SFP (TELCO_SFP) The ETM® System is required to mediate access between local and external telecommunication users based on rules defined by the administrator. Rulesets are created on the ETM® Management Server, then pushed down to the appliances. The appliances are required to allow or deny calls based on their respective rulesets. The default telecommunications information flow security policy for ETM® System telecommunications users shall be “telecommunications that are not explicitly denied, are allowed”. The rule set shall be traversed from top to bottom, triggering on the first applicable rule. A default rule, which cannot be removed, shall exist at the top of the rule set to always allow emergency calls (e.g., 911). 2 As no security requirements are allocated to the DBMS, Oracle is considered to be part of the IT environment and is not included in the TOE. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 10 of 65 There is a capability for access control to a AAA Appliance based on security attributes of user ID and PIN. Rules-based Policies to identify, monitor, and control telecom network usage, access, security, and costs include: a. Voice Firewall Application Policies, used to monitor and control individual VoIP and TDM calls according to defined call criteria; and b. Voice IPS (Intrusion Prevention System) Application Policies, used to identify and control calling patterns that might indicate toll fraud, war dialing attempts, misuse of resources, and other undesired events. IPS Policies monitor and protect telecom resources against calling patterns over time, according to criteria specified and thresholds set. The Voice Firewall enables you to create rules-based Policies to control call traffic in real time, by allowing calls to go through or terminating them based on call criteria you specify. The Policy can be configured to send email and/or pages to administrators or security personnel, notifying them of attempted security violations. Each Voice Firewall Policy Rule has the following fields: Call Direction; Source; Destination; Call Type (Fax, Modem, STU, Modem Energy, Voice, Video, Data Call, Busy, Unanswered, and Undetermined.); Time; Call Duration, Action (Allow, Terminate; Attributes; and Track). Voice Intrusion Prevention System (IPS) Policies enable you to use rule-based Policies to manage usage of your telecom resources and protect your network against potential intrusion attempts, based on calling pattern thresholds over a specified time interval. Thresholds can be based on accumulated cost, count, and/or duration of calls that match the other criteria in the Rule. Accumulations are maintained for each Rule of the installed Policy. When a call matches all of the other criteria of a Rule, the values for the call are included in the accumulated values for the Rule. A single call can count against multiple Rules if it matches the criteria as Voice IPS Policy Rules have no processing order. These accumulations are compared to the thresholds every time the polling engine executes; if a threshold is exceeded, a breach is recorded and specified tracks and actions are executed. Each IPS Policy Rule has the following fields: Call Direction; Source; Destination; Call Type (Fax, Modem, STU, Modem Energy, Voice, Video, Data Call, Busy, Unanswered, and Undetermined.); Time; Serviced Types, Disposition, Call Duration, Threshold, Action (Allow, Terminate future, and Terminate current and future); and Track. A Recording Policy consists of a set of Rules that define specific calls to be recorded. Calls can be identified for recording by any combination of call direction, called and/or calling phone numbers, call time, and call type. Only calls that match all of the criteria in a Rule are recorded. Recording only begins at the start of a call. Each Recording Policy Rule has the following fields that specify which calls are to be recorded: Call Direction; Source; ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 11 of 65 Destination; Call Type (Fax, Modem, STU, Modem Energy, Voice, Video, Data Call, Busy, Unanswered, Undetermined.); Time; Action; and Priority. When a call matches both a Rule in a Recording Policy and a Rule in a Firewall or IPS Policy, the Action field of the IPS or Firewall Policy determines the outcome of the call. 2.1.2 Network SFP (NETWORK_SFP) User ID, password, source IP address, cryptographic algorithm, and cryptographic key shall be used as security attributes to enforce the NETWORK_SFP. Administrators are authenticated to the TOE using user ID/password enforcing access control. There are information flow control restrictions on client-to-server, appliance-to-server and appliance- to-appliance network communications. This is accomplished by validating IP address and username and password, by authenticating communications with a variable handshake and by encrypting the data with a valid cryptographic key and algorithm. 2.1.3 File Access SFP (FILE_SFP) Only one administrator can be granted access to edit an object at a time. Access to the TOE objects (i.e., data in the database) is controlled by user accounts that specify who is allowed to access the system and which features they are permitted to modify. User permissions provide granular control of the features available to users and limit displayed features to those for which a user has permissions. The following user permissions govern access to the ETM® System: Manage Users, Manage Server, Access Directory Manager, Access Usage Manager and Access Performance Manager. For details about the user permissions available in the ETM System, see "User Permissions" in the ETM® System Administration and Maintenance Guide. 2.1.4 Cryptographic SFP (CRYPTO_SFP) The import of passphrases is restricted to authorised administrators and processes. Passphrases are manually entered by authorized administrators through the ETM® System Console, overwriting any existing passphrases. The TOE can encrypt communications between components using Triple DES cryptography. Cryptographic keys are entered directly into the cryptographic modules. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 12 of 65 3 TOE SECURITY ENVIRONMENT 3.1 ASSUMPTIONS The following conditions are assumed to exist in the operational environment: A.PHYSEC The TOE is physically secure. A.COM Communications between the Management server and database server are protected by the environment and do not need to be explicitly protected by the TOE. A.NOEVIL Administrators are non-hostile and do not attempt to use O/S level administrative privileges to compromise the TOE functionality. 3.2 THREATS The following threats are addressed by either the TOE or the environment. 3.2.1 Threats Addressed By The TOE The threats discussed below are addressed by a compliant TOE. The threat agents are either human users or external IT entities not authorised to use the TOE. The assets that are subject to attack are the telecommunications resources and the ETM® System itself. T.SNIFF A network attacker may observe authentication data or system configuration information during transmission between components of the TOE. T.REPLAY A network attacker may use previously captured or falsified data to authenticate to the TOE or alter its configuration. T.ATKNET A network attacker may attack the TOE appliances using common and known network attack techniques. T.INTRES An unauthorised external telecommunications user may gain access to internal telecommunication resources (telephones, modems, faxes, etc.). T.EXTRES An internal telecommunications user may gain unauthorised access to external telecommunications resources (telephones, modems, faxes, telecommunications or internet service providers, etc.). T.MISUSE A telecommunications user may use internal telecommunications resources in an unauthorised manner (make a voice call on a fax line, etc.). ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 13 of 65 T.TOEPRO A telecommunications user or an unauthorized user may bypass, deactivate, corrupt or tamper with TOE security functions. T.ATKVIS A telecommunications user may conduct undetected attack attempts against the TOE. T.TOEDAT A telecommunications user may read, modify, or destroy internal TOE data. T.TOEFCN A telecommunications user or an unauthorized user may access and use security and/or non-security functions of the TOE. T.NONAPP An administrator may be unaware that an unauthorised application, executing on the TOE, is accessing the telecommunications lines or network via TOE interfaces. T.NOCOM An administrator may be unaware that internal TOE communications have failed. Potential causes of communication failures include system failures and denial of service attacks initiated by network attackers. T.AUDEXH An administrator may be unaware that the audit storage on the ETM® Management Server of the TOE has been exhausted. Potential causes for the exhaustion of audit storage include: excessive log traffic generated by high levels of usage by telecommunications users and/or attacks by unauthorized users and network attackers; and improper administration of the audit storage volume. 3.2.2 Threats To Be Addressed By Operating Environment The potential threats discussed below must be countered by procedural measures and/or administrative methods. The threat agents are either human users or external IT entities that are unauthorised to use the TOE. The assets that are subject to attack are telecommunications resources. T.USAGE The TOE may unwittingly be configured, used, and administered in an insecure manner by the administrator. T.BADADM Compromise of the integrity and/or availability of the TOE may occur as a result of an administrator not following proper security procedures. T.TROJAN Compromise of the integrity and/or availability of the TOE may occur as a result of an administrator unwittingly introducing a virus or trojan into the system. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 14 of 64 4 SECURITY OBJECTIVES 4.1 TOE SECURITY OBJECTIVES The following are the IT security objectives for the TOE: O.CRYPTO The TOE must protect the confidentiality of authentication and system configuration data using cryptography as it passes between distributed components of the TOE. O.ATKNET The TOE appliances must protect themselves, using authentication and cryptography, against network based attacks generated using common and known network attack techniques. O.MEDTEL The TOE must mediate telecommunications access both inbound and outbound on the telecommunications lines. The TOE shall be capable of allowing or denying the communication based on predefined attributes. O.TELTOE The TOE must not allow unauthorised access to the TOE from the telecommunications interfaces. O.COMM The TOE must provide a mechanism to handle internal communication failures. O.AUDCHK The TOE must provide a mechanism that advises the administrator when local audit storage on the ETM® Management Server has been exhausted. O.ADMACC An administer role will exist on the TOE with access control mechanisms such that only authenticated administrators are able to perform security relevant functions. O.HMI The TOE must provide functionality that enables an administrator to effectively manage the TOE and its security functions from its local HMI. O.DSPACT The TOE must display to the administrator the current and recent history of telecommunications activity associated with the telecommunication lines. O.AUDIT The TOE must record and store a readable audit trail of TOE telecommunications activity and security relevant events, and permit their review only by authorised administrators. The TOE will be capable of performing audit reduction and triggering alarms, as required by the administrator. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 15 of 64 O.SELFPRO The TOE must protect itself against attempts by a telecommunications user or an unauthorized user to bypass, deactivate, corrupt, or tamper with TOE security functions. O.AAA The TOE must provide functionality that restricts access to AAA Appliances to authorised telecommunications users. 4.2 ENVIRONMENT SECURITY OBJECTIVES The following are non-IT security objectives that are to be satisfied without imposing technical requirements on the TOE. That is, they will not require the implementation of functions in the TOE hardware and/or software. Thus, they will be satisfied largely through application of procedural or administrative measures. O.GUIDAN The administrator responsible for the TOE must ensure that the TOE is delivered, installed, configured, administered, and operated in a manner that maintains its security. O.AUTHUSR Only authorised administrators are permitted physical access to the TOE. O.NETPRO The administrator responsible for the TOE must ensure that the communications infrastructure available from the environment is configured to provide an appropriate level of protection based on an environmental threat/risk assessment for the distributed client configuration. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 16 of 64 5 IT SECURITY REQUIREMENTS 5.1 TOE SECURITY REQUIREMENTS This section provides functional and assurance requirements that must be satisfied by a compliant TOE. These requirements consist of functional components from Part 2 of the CC and an Evaluation Assurance Level (EAL) containing assurance components from Part 3 of the CC. 5.1.1 TOE Security Functional Requirements The functional security requirements for this ST consist of the components from Part 2 of the CC listed in Table 1. Table 1. Summary of Security Functional Requirements Functional Components Identifier Name FAU_ARP.1 Security alarms FAU_GEN.1 Audit data generation FAU_SAA.1 Potential violation analysis FAU_SAR.1 Audit review FAU_SAR.3 (1) Selectable audit review FAU_SAR.3 (2) Selectable audit review FAU_SEL.1 Selective audit FAU_STG.1 Protected audit trail storage FAU_STG.3 Action in case of possible audit data loss FCS_CKM.4 Cryptographic key destruction FCS_COP.1 Cryptographic operation FDP_ACC.1 (1) Subset access control FDP_ACF.1 (1) Security attribute based access control FDP_ACC.1 (2) Subset access control FDP_ACF.1 (2) Security attribute based access control FDP_ACC.1 (3) Subset access control FDP_ACF.1 (3) Security attribute based access control FDP_IFC.1 (1) Subset information flow control FDP_IFF.1 (1) Simple security attributes FDP_IFC.1 (2) Subset information flow control FDP_IFF.1 (2) Simple security attributes FDP_ITC.1 Import of user data without security attributes FIA_AFL.1 (1) Authentication failure handling FIA_AFL.1 (2) Authentication failure handling ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 17 of 64 Functional Components Identifier Name FIA_ATD.1 (1) User attribute definition FIA_ATD.1 (2) User attribute definition FIA_SOS.1 (1) Verification of secrets FIA_SOS.1 (2) Verification of secrets FIA_UAU.1 Timing of authentication FIA_UID.1 Timing of identification FMT_MOF.1 Management of security functions behaviour FMT_MSA.1 (1) Management of security attributes FMT_MSA.1 (2) Management of security attributes FMT_MSA.3 Static attribute initialisation FMT_MTD.1 Management of TSF data FMT_SMF.1 Specification of management functions FMT_SMR.1 Security roles FPT_ITT.1 Basic internal TSF data transfer protection FPT_RVM.1 Non-bypassability of the TSP FPT_SEP.1 TSF domain separation FPT_STM.1 Reliable time stamps FTP_TRP.1 Trusted path FAU_ARP.1 Security Alarms FAU_ARP.1.1 – The TSF shall take [one or more of the following actions: audible alarm, SNMP trap, log, email with or without attachments, page to a pager, visual alert] upon detection of a potential security violation. FAU_GEN.1 Audit data generation FAU_GEN.1.1 – The TSF shall be able to generate an audit record of the following auditable events: a. [Start-up and shutdown of the audit functions; b. All auditable events for the [basic] level of audit; c. exhaustion of log storage; d. changes in TOE security function configuration; e. failed and successful logins by administrators to an appliance; f. logins and logouts by administrators to ETM® Management Server; g. failed and successful logins by telecommunications user to an AAA Appliance; h. changes to rule sets that are applied to an appliance; i. the additions/deletions/clones/modifications an administrator performs in the ETM® Management Server; ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 18 of 64 j. appliance and telephone circuit errors; k. requests from unknown appliances; l. detection of an ambiguous rule; m. rule violations; n. AAA user account locked; o. AAA service disconnected; p. second dial tone detected after call answer; and q. communication failure between components]. Application Note: Auditable events for the basic level of audit include all minimum requirements and are identified in Table 2. FAU_GEN.1.2 – The TSF shall record within each audit record at least the following information: a. Date and time of the event, type of event, subject identity (when available), and the outcome (success or failure) of the event; and b. For each audit event type, based on the auditable event definitions of the functional components included in the ST: • [log time; • date; • call start time; • call end time; • call duration; • call direction (inbound or outbound); • phone number; • call source; • call destination; • call type (fax, modem, modem energy, voice, STU III, busy, unanswered, data, or undetermined); • “in-call” digits; • call trailing digits; • tracks; • appliance; • span/span group; • text; • call trunk channel; • trunk group; • channel; • name of rule set; • rule number; • rule comment; • unique record ID; ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 19 of 64 • unsuccessful login attempts; • call information (LOC-local call, INTL-international call, VSC- vertical service code, etc.); and • telecommunications users that have authenticated to an AAA Appliance]. Table 2. Additional Auditable Events from CC Functional Components Functional Component Level Auditable Event FAU_ARP.1 Minimum Actions taken due to imminent security violations. Minimum Enabling and disabling of any of the analysis mechanisms. FAU_SAA.1 Minimum Automated responses performed by the tool. FAU_SAR.1 Basic Reading of information from the audit records. FAU_SEL.1 Minimum All modifications to the audit configuration that occur while the audit collection functions are operating. FAU_STG.3 Basic Actions taken due to exceeding of a threshold. Minimum Success and failure of the activity. FCS_CKM.4 Basic The object attribute(s), and object values(s) excluding any sensitive information (e.g. secret or private keys). Minimum Success and failure, and the type of cryptographic operation. FCS_COP.1 Basic Any applicable cryptographic mode(s) of operation, subject attributes and object attributes. Minimum Successful requests to perform an operation on an object covered by the SFP. FDP_ACF.1 Basic All requests to perform an operation on an object covered by the SFP. Minimum Decisions to permit requested information flows. FDP_IFF.1 Basic All decisions on requests for information flow. Minimum Successful import of user data, including any security attributes. FDP_ITC.1 Basic All attempts to import user data, including any security attributes. FIA_AFL.1 Minimum The reaching of the threshold for the unsuccessful authentication attempts and the actions (e.g. disabling of a terminal) taken and the subsequent, if appropriate, restoration to the normal state (e.g. re-enabling of a terminal). Minimum Rejection by the TSF of any tested secret. FIA_SOS.1 Basic Rejection or acceptance by the TSF of any tested secret. Minimum Unsuccessful use of the authentication mechanism. FIA_UAU.1 Basic All use of the authentication mechanism. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 20 of 64 Functional Component Level Auditable Event Minimum Unsuccessful use of the user identification mechanism, including the user identity provided. FIA_UID.1 Basic All use of the user identification mechanism, including the user identity provided. FMT_MOF.1 Basic All modifications in the behaviour of the functions in the TSF. FMT_MSA.1 Basic All modification of the values of security attributes. Basic Modifications of the default setting of permissive or restrictive rules. FMT_MSA.3 Basic All modifications of the initial values of security attributes. FMT_MTD.1 Basic All modifications to the values of TSF data. FMT_SMF.1 Minimum Use of the management functions FMT_SMR.1 Minimum Modifications to the group of users that are part of a role FPT_STM.1 Minimum Changes to the time. Minimum Failures of the trusted path functions. Minimum Identification of the user associated with all trusted path failures, if available. Basic All attempted uses of the trusted path functions. FTP_TRP.1 Basic Identification of the user associated with all trusted path invocations, if available. FAU_SAA.1 Potential violation analysis FAU_SAA.1.1 – The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the TSP. FAU_SAA.1.2 – The TSF shall enforce the following rules for monitoring audited events: a. Accumulation or combination of [System Events] known to indicate a potential security violation; b. [none]. Application Note: The ETM® System supports eight classes of System Events: Error, Panic, Policy, Security, Start/Stop, Telco, VoIP, and Warning. FAU_SAR.1 Audit review FAU_SAR.1.1 – The TSF shall provide [an administrator] with the capability to read [all audit data] from the audit records. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 21 of 64 FAU_SAR.1.2 –The TSF shall provide the audit records in a manner suitable for the user to interpret the information. FAU_SAR.3 Selectable audit review (1) FAU_SAR.3.1 (1) – The TSF shall provide the ability to perform [searches, ordering] of audit data based on: a. [log time; b. date; c. unsuccessful login attempts; d. call start time; e. call end time; f. call duration; g. call direction (inbound or outbound); h. phone number; i. call source; j. call destination; k. call type (fax, modem, modem energy, voice, STU III, busy, unanswered, data, or undetermined); l. “in-call” digits; m. call trailing digits; n. tracks; o. appliance; p. span/span group; q. text; r. call trunk channel; s. trunk group; t. channel; u. name of rule set; v. rule number; w. rule comment; x. unique record ID; y. unsuccessful login attempts; z. call information (LOC-local call, INTL-international call, VSC- vertical service code, etc.); and aa. telecommunications users that have authenticated to an AAA Appliance]. FAU_SAR.3 Selectable audit review (2) FAU_SAR.3.1 (2) – The TSF shall provide the ability to perform [filtering] of audit data based on: a. [date; b. call direction (inbound or outbound); ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 22 of 64 c. call duration; d. phone number; e. call type (fax, modem, modem energy, voice, STU III, busy, unanswered, data, or undetermined); f. “in-call” digits; g. call trailing digits; h. track; i. appliance; j. span/span group; k. text; and l. call information (LOC-local call, INTL-international call, VSC- vertical service code, etc.)]. Application Note: For several of the searchable audit fields, there are sub- types. The reporting tool included with ETM® System allows filters to be used to provide a finer layer of granularity. FAU_SEL.1 Selective audit FAU_SEL.1.1 – The TSF shall be able to include or exclude auditable events from the set of audited events based on the following attributes: a. [event type]. FAU_STG.1 Protected audit trail storage FAU_STG.1.1 – The TSF shall protect the stored audit records from unauthorised deletion. FAU_STG.1.2 – The TSF shall be able to [prevent] modifications to the audit records. FAU_STG.3 Action in case of possible audit data loss FAU_STG.3.1 – The TSF shall take [the following action: generate a security message] if the audit trail exceeds [the local storage capacity on the ETM® Management Server]. FCS_CKM.4 Cryptographic key destruction FCS_CKM.4.1 – The TSF shall destroy cryptographic keys in accordance with a specific cryptographic key destruction method [key values are overwritten] that meets the following: [none]. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 23 of 64 FCS_COP.1 Cryptographic operation FCS_COP.1.1 - The TSF shall perform [encryption and decryption of all data communications between TOE components] in accordance with a specified cryptographic algorithm [Triple DES in CFB mode for the domestic version of the ETM® System] and cryptographic key sizes [192 bits] that meet the following: [FIPS 46-3 and ANSI X9.52-1998]. Application Note: FCS_COP.1 is applicable to network communications between all ETM® System components excluding the ETM® Database. FDP_ACC.1 Subset access control (1) FDP_ACC.1.1 (1) – The TSF shall enforce the [NETWORK_SFP] on [administrators authenticating to the TOE]. FDP_ACF.1 Security attribute based access control (1) FDP_ACF.1.1 (1) – The TSF shall enforce the [NETWORK_SFP] to objects based on [user ID, password, and source IP address]. FDP_ACF.1.2 (1) – The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: a. [a user account for ‘user ID’ exists; b. ‘password’ matches the password for the identified user account and has not expired; c. ‘source IP address’ is included in the list of allowable IP addresses; and d. the user account is identified as being ‘not locked out’]. FDP_ACF.1.3 (1) – The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [allow access if user is exempted from NETWORK_SFP, specially password expiry]. Application Note: This is an exemption from the password expiry control only. FDP_ACF.1.4 (1) – The TSF shall explicitly deny access of subjects to objects based on the [user account is disabled]. Application Note: The ‘Account disabled’ security attribute prevents login to the system from this account. Note that this setting prevents future logins from this account, but does not terminate an active login. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 24 of 64 FDP_ACC.1 Subset access control (2) FDP_ACC.1.1 (2) – The TSF shall enforce the [FILE_SFP] on [administrators editing TOE objects]. FDP_ACF.1 Security attribute based access control (2) FDP_ACF.1.1 (2) – The TSF shall enforce the [FILE_SFP] to objects based on [the number of administrators editing an object]. FDP_ACF.1.2 (2) – The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [only one administrator shall be granted access to edit an object at a time]. FDP_ACF.1.3 (2) – The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [none]. FDP_ACF.1.4 (2) – The TSF shall explicitly deny access of subjects to objects based on the [none]. FDP_ACC.1 Subset access control (3) FDP_ACC.1.1 (3) – The TSF shall enforce the [TELCO_SFP] on [telecommunications users authenticating to an AAA Appliance]. FDP_ACF.1 Security attribute based access control (3) FDP_ACF.1.1 (3) – The TSF shall enforce the [TELCO_SFP] to objects based on [user ID and PIN]. FDP_ACF.1.2 (3) – The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: a. [the user ID and PIN are valid authorisation credentials for the AAA Appliance; b. access to the object is within a set maximum time period, configurable from 0 to 30 minutes; and c. access to the object is restricted to a single use during the set maximum time period]. FDP_ACF.1.3 (3) – The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [none]. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 25 of 64 FDP_ACF.1.4 (3) – The TSF shall explicitly deny access of subjects to objects based on the [none]. FDP_IFC.1 Subset information flow control (1) FDP_IFC.1.1 (1) – The TSF shall enforce the [TELCO_SFP] on a. [subjects: telecommunications channels; and b. operations: circuit request or change]. FDP_IFF.1 Simple security attributes (1) FDP_IFF.1.1 (1) – The TSF shall enforce the [TELCO_SFP] based on the following types of subject and information security attributes: [ a. subject security attributes: none; and b. information security attributes: call direction, call type, call source, call destination, call duration, caller ID restricted option, and time of day]. FDP_IFF.1.2 (1) – The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [an administrator-created rule (based on the information security attributes identified in FDP_IFF.1.1) does not explicitly deny the information flow]. Application Note: Rules that deny an information flow based on call duration do not deny the call from starting, but terminate the call once it has reached the specified duration. FDP_IFF.1.3 (1) – The TSF shall enforce the [default TOE behaviour in the event of a TOE failure to be either fail-safe (all calls allowed) or fail-secure (no calls allowed), based on a hardware setting]. Application Note: This only applies to all ETM® 1000 Series Appliances except the AAA Appliance. FDP_IFF.1.4 (1) – The TSF shall provide the following [none]. FDP_IFF.1.5 (1) – The TSF shall explicitly authorise an information flow based on the following rules: [the call destination is an emergency number (i.e., 911)]. FDP_IFF.1.6 (1) – The TSF shall explicitly deny an information flow based on the following rules: [none]. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 26 of 64 FDP_IFC.1 Subset information flow control (2) FDP_IFC.1.1 (2) – The TSF shall enforce the [NETWORK_SFP] on a. [subjects: network channels; and b. operations: data communications]. FDP_IFF.1 Simple security attributes (2) FDP_IFF.1.1 (2) – The TSF shall enforce the [NETWORK_SFP] based on the following types of subject and information security attributes: [ a. subject security attributes: user ID, password, and source IP address; and b. information security attributes: cryptographic algorithm and cryptographic key]. FDP_IFF.1.2 (2) – The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [ a. client to server communications – source IP address is on the allowable IP address list, user ID and password are valid, and communications are encrypted with a valid cryptographic algorithm and key (i.e., Triple DES); b. appliance to server communications – source IP address is on the allowable IP address list and communications are authenticated with a variable handshake and encrypted with a valid cryptographic algorithm and key (i.e., Triple DES); or c. appliance to appliance communications – source IP address is on the allowable IP address list and communications are encrypted with a valid cryptographic algorithm and key (i.e., Triple DES)]. FDP_IFF.1.3 (2) – The TSF shall enforce the [none]. FDP_IFF.1.4 (2) – The TSF shall provide the following [none]. FDP_IFF.1.5 (2) – The TSF shall explicitly authorise an information flow based on the following rules: [none] FDP_IFF.1.6 (2) – The TSF shall explicitly deny an information flow based on the following rules: [none]. FDP_ITC.1 Import of user data without security attributes FDP_ITC.1.1 – The TSF shall enforce the [CRYPTO_SFP] when importing user data, controlled under the SFP, from outside of the TSC. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 27 of 64 FDP_ITC.1.2 – The TSF shall ignore any security attributes associated with the user data when importing from outside the TSC. FDP_ITC.1.3 – The TSF shall enforce the following rules when importing user data controlled under the SFP from outside the TSC: [none]. Application Note: The ETM® System Console allows administrators to manually enter (import) 3DES keys used to protect the network link between ETM® Communication Appliances and the ETM® Management Server. FIA_AFL.1 Authentication failure handling (1) FIA_AFL.1.1 (1) – The TSF shall detect when [six] unsuccessful authentication attempts occur related to [administrator login to an appliance via Telnet during a period of ten minutes]. FIA_AFL.1.2 (1) – When the defined number of unsuccessful authentication attempts has been met or surpassed, the TSF shall [generate an audit event and deny the administrator access to the appliance for a period of one hour]. FIA_AFL.1 Authentication failure handling (2) FIA_AFL.1.1 (2) – The TSF shall detect when [a number, configurable from one to ten, of] unsuccessful authentication attempts occur related to [telecommunications user login to an AAA Appliance during a period of time configurable from zero to four weeks]. FIA_AFL.1.2 (2) – When the defined number of unsuccessful authentication attempts has been met or surpassed, the TSF shall [generate an audit event and deny the telecommunications user all access to the AAA Appliance for a period of time configurable from zero minutes to ten weeks, or until explicitly granted by an administrator]. FIA_ATD.1 User attribute definition (1) FIA_ATD.1.1 (1) – The TSF shall maintain the following list of security attributes belonging to individual users: [user ID, password, and permissions (granted to: Manage Users; Manage Servers; Access Directory Manager; Manage Directory Entries; Access Usage Manager; Administer Scheduled Reports; Access Performance Manager; Login to Card/Span via Telnet/Serial; Access Policy Features; View & Reinstall Firewall Policies; View & Reinstall IPS Policies; Manage Telecommunications Configuration; and Call Terminate Capability)]. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 28 of 64 FIA_ATD.1 User attribute definition (2) FIA_ATD.1.1 (2) – The TSF shall maintain the following list of security attributes belonging to individual telecommunications users: [user ID and PIN]. Application Note: This requirement applies to AAA users only. FIA_SOS.1 Verification of secrets (1) FIA_SOS.1.1 (1) – The TSF shall provide a mechanism to verify that secrets meet [a minimum length of eight characters, including at least one change of case and one digit, for administrator passwords]. FIA_SOS.1 Verification of secrets (2) FIA_SOS.1.1 (2) – The TSF shall provide a mechanism to verify that secrets meet [a minimum length of three digits to a maximum length of ten digits for telecommunications users PINs]. FIA_UAU.1 Timing of authentication FIA_UAU.1.1 – The TSF shall allow [any human with physical access to an appliance to gain access to the appliance security functions within a period of time, configurable from zero seconds to two minutes, of appliance start-up] before the user is authenticated. FIA_UAU.1.2 – The TSF shall require each user and telecommunications user accessing an AAA Appliance to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user or telecommunications user. Application Note: The required physical access is for the console (serial) port. FIA_UID.1 Timing of identification FIA_UID.1.1 – The TSF shall allow [any human with physical access to an appliance to gain access to the appliance security functions within a configurable period of time, from zero seconds to two minutes, of appliance start-up] before the user is identified. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 29 of 64 FIA_UID.1.2 – The TSF shall require each user and telecommunications user accessing an AAA Appliance to be successfully identified before allowing any other TSF-mediated actions on behalf of that user or telecommunications user. Application Note: The required physical access is for the console (serial) port. FMT_MOF.1 Management of security functions behaviour FMT_MOF.1.1 – The TSF restrict the ability to [enable, disable] the functions [ a. bypass of the TOE security functions; b. the setting of the various configurations of the TOE security functions; c. the setting of the level of telecommunications activity detail that is displayed; d. the logging of selected telecommunications traffic; e. the capturing of “in-call” digits; f. the display of errors; g. the display of current telecommunications activity; and h. the display of the audit log reports] to [an administrator]. FMT_MSA.1 Management of security attributes (1) FMT_MSA.1.1 (1) – The TSF shall enforce the [NETWORK_SFP] to restrict the ability to a. [delete, [create]] the security attributes [user ID]; and b. [modify, [none]] the security attributes [password, privileges, allowable IP addresses, PIN] to [an administrator]. Application Note: Deleting and creating the security attribute ‘user ID’ is analogous to deleting and creating a user account. FMT_MSA.1 Management of security attributes (2) FMT_MSA.1.1 (2) – The TSF shall enforce the [FILE_SFP] to restrict the ability to [modify, delete, [create]] the security attributes [groups of phone numbers and groups of specified times of day] to [an administrator]. FMT_MSA.3 Static attribute initialisation FMT_MSA.3.1 – The TSF shall enforce the [information flow control TELCO_SFP] to provide [permissive] default values for information flow security attributes that are used to enforce the TELCO_SFP. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 30 of 64 Application Note: The default rule configuration for the ETM® System is to allow all information flows. An authorised user must create an explicit deny rule in order to restrict any information flows. FMT_MSA.3.2 – The TSF shall allow the [administrator] to specify alternative initial values to override the default values when an object or information is created. FMT_MTD.1 Management of TSF data FMT_MTD.1.1 – The TSF shall restrict the ability to a. [query, modify, delete, [none]] the [audit logs]; b. [generate] the [audit reports]; c. [modify, [none]] the [audit level, appliance configuration, and date and time of the host machine and appliance]; d. [display] the [appliance status and current telecommunications activity] to [an administrator]. FMT_SMF.1 Specification of management functions FMT_SMF.1.1 - The TSF shall be capable of performing the following security management functions: a. [object management; b. rule/policy management; and c. user management]. FMT_SMR.1 Security roles FMT_SMR.1.1 – The TSF shall maintain the roles [administrator]. FMT_SMR.1.2 – The TSF shall be able to associate users with roles. FPT_ITT.1 Basic internal TSF data transfer protection FPT_ITT.1.1 – The TSF shall protect TSF data from [disclosure] when it is transmitted between separate parts of the TOE. FPT_RVM.1 Non-bypassability of the TSP FPT_RVM.1.1 - The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 31 of 64 FPT_SEP.1 TSF domain separation FPT_SEP.1.1 - The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects. FPT_SEP.1.2 - The TSF shall enforce separation between the security domains of subjects in the TSC. FPT_STM.1 Reliable time stamps FPT_STM.1.1 – The TSF shall be able to provide reliable time stamps for its own use. Application Note: In this context, “reliable” means that the chronological order of auditable events is preserved. FTP_TRP.1 Trusted path FTP_TRP.1.1 – The TSF shall provide a communication path between itself and [remote, local] users that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from modification or disclosure. FTP_TRP.1.2 – The TSF shall permit [local users, remote users] to initiate communication via the trusted path. FTP_TRP.1.3 – The TSF shall require the use of the trusted path for [[internal TSF data communications]]. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 32 of 64 5.1.2 TOE Security Assurance Requirements The security assurance requirements for EAL 2, as specified in Part 3 of the CC, with the augmentations of ACM_CAP.3, ACM_SCP.1, and ALC_DVS.1 are given in Table 3. Table 3. Assurance Requirements for ETM® System Assurance Components Assurance Class Identifier Name ACM_CAP.3 Authorisation controls (AUGMENTED) Configuration Management ACM_SCP.1 TOE CM coverage (AUGMENTED) ADO_DEL.1 Delivery Procedures Delivery and Operation ADO_IGS.1 Installation, generation, and start-up procedures ADV_FSP.1 Informal functional specification ADV_HLD.1 Descriptive high-level design Development ADV_RCR.1 Informal correspondence demonstration AGD_ADM.1 Administrator guidance Guidance Documents AGD_USR.1 User guidance Life Cycle Support ALC_DVS.1 Identification of security measures (AUGMENTED) ATE_COV.1 Evidence of coverage ATE_FUN.1 Functional Testing Tests ATE_IND.2 Independent testing – sample AVA_SOF.1 Strength of TOE security function evaluation Vulnerability Assessment AVA_VLA.1 Developer vulnerability analysis ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 33 of 64 6 TOE SUMMARY SPECIFICATION This section provides a description of the security functions and assurance measures of the TOE that meet the TOE security requirements. A typical attacker in the intended telecommunications environment for the ETM® System is deemed to possess only limited knowledge of the telecommunications systems and lack the skills and resources required to manipulate telecommunications interfaces. The purpose of the attacks would be to abuse services, use services fraudulently or simply to attack the services to cause service interruptions. The appliances include firewall protection on the network interfaces and the network environment provides additional network protection mechanisms for the ETM® System Console client and ETM® Management Server. Therefore, for an EAL 2 evaluation of the ETM® System, the attack potential to meet or exceed for AVA_SOF.1 calculations is LOW. Any remaining vulnerabilities can be only be exploited by an attacker of moderate or high attack potential. The strength of function claim is therefore SOF-BASIC and applies to F.ADMIN and F.AAA. 6.1 TOE SECURITY FUNCTIONS A description of each of the TOE security functions follows. F.CRYPTO The TOE does provide secure internal data communications through the use of cryptography. The TOE can encrypt communications between components using Triple DES cryptography. Cryptographic keys are manually entered (imported) by authorised administrators through the ETM® System Console, overwriting existing keys. F.NETBLK The TOE does provide security to its appliances from attack through the network. Data is protected from modification or disclosure when it is transmitted between separate parts of the TOE, by validating IP address and user ID and password and by authenticating communications with a variable handshake. F.TELBLK The TOE does block telecommunications access based on: call destination, call source, call type (voice, fax, modem, modem energy, STU III, busy, unanswered, data, or undetermined), call direction (inbound or outbound), call duration and time of day, excluding 911 calls. F.TELALW All other telecommunications traffic not specifically denied in accordance with F.TELBLK, are allowed. F.FAIL In the event of TOE failure (such as during a power outage), the TOE does provide an option to either fail-safe (all calls allowed) or fail secure (all calls denied including emergency calls). ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 34 of 64 Application Note: This applies only to ETM® 1000 Series Appliances, except AAA Appliances. F.FAILNOT Upon detection of a potential security violation, the TOE does provide an audible alarm, SNMP trap, log, email with or without attachments, page to a pager or visual alert. F.HMI The TOE does provide the administrator with the capability to perform HMI functions including: a. start-up, shutdown, and configure the TOE security functions; b. select the level of telecommunications activity detail that is displayed to the user; c. view and modify the settings that enable or disable the logging of selected telecommunications traffic; d. enable or disable the capturing of “in-call” digits; e. view on-line administrator guidance; f. modify and set the system time and date; g. archive, modify, create, delete, and display the audit logs; h. display errors; i. display current telecommunications activity; j. change user password; k. change user password expiry; l. add, modify and delete user ID; m. add and delete privileges and IP addresses; n. create, modify and delete phone numbers and time of day; o. modify audit level; p. generate audit reports; q. modify appliance configuration; r. modify date and time of host machine and appliances; s. display appliance status; t. manage server; u. modify users; v. edit policies; w. edit appliance parameters; x. login directly to an appliance; and y. change telecommunications user PIN. F.LOCK The TOE does provide locking of objects to prevent multiple administrators from editing the same object. Locking is provided at the object level. Multiple administrators are able to view but not edit the same object. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 35 of 64 F.AUDEVT The TOE does generate an audit log of the following events: a. Start-up and shutdown; b. exhaustion of log storage; c. changes in TOE security function configuration; d. failed and successful logins by administrators to an appliance; e. logins and logouts by administrators to ETM® Management Server; f. failed and successful logins by telecommunications user to an AAA Appliance; g. changes to rule sets that are applied to an appliance; h. the additions/deletions/clones/modifications an administrator performs in the ETM® Management Server; i. appliance and telephone circuit errors; j. requests from unknown appliances; k. detection of an ambiguous rule; l. rule violations; m. AAA user account locked; n. AAA service disconnected; o. second dial tone detected after call answer; and p. all other remaining auditable events for the basic level of audit identified in Table 2. F.AUDINF For each audit event entry, the TOE does record, where applicable: a. Date and time of the event, type of event, subject identity (when available), and the outcome (success or failure) of the event; and b. For each audit event type, based on the auditable event definitions of the functional components included in the ST: • log time; • date; • call start time; • call end time; • call duration; • call direction (inbound or outbound); • phone number; • call source; • call destination; • call type (fax, modem, modem energy, voice, STU III, busy, unanswered, data, or undetermined); • “in-call” digits; • call trailing digits; • tracks; • appliance; ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 36 of 64 • span/span group; • text; • call trunk channel; • trunk group; • channel; • name of rule set; • rule number; • rule comment; • unique record ID; • unsuccessful login attempts; • call information (LOC-local call, INTL-international call, VSC- vertical service code, etc.); and • telecommunications users that have authenticated to an AAA Appliance. F.AUDLVL The types of audit events recorded by the TOE is configurable. F.TIME The TOE does provide a reliable time and date for the time stamping audit log entries. F.ALARM The TOE monitors telecommunication traffic and detects events defined by security policies. The TOE does signal the administrator based on a specified event. The types of signals include: audible alarm, SNMP trap, log, email with or without attachments, page to a pager or visual alert. F.AUDRPT The TOE does provide the ability to generate reports of audit data by searching and ordering the following categories: a. log time; b. date; c. unsuccessful login attempts; d. call start time; e. call end time; f. call duration; g. call direction (inbound or outbound); h. phone number; i. call source; j. call destination; k. call type (fax, modem, modem energy, voice, STU III, busy, unanswered, data, or undetermined); l. “in-call” digits; m. call trailing digits; n. tracks; o. appliance; ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 37 of 64 p. span/span group; q. text; r. call trunk channel; s. trunk group; t. channel; u. name of rule set; v. rule number; w. rule comment; x. unique record ID; y. call information (LOC-local call, INTL-international call, VSC- vertical service code, etc.); and z. telecommunications users that have authenticated to an AAA Appliance]. F.AUDFLTR The TOE does provide improved granularity of reporting for F.AUDRPT by filtering the sub-types/ranges of audit data based on: a. date; b. call direction (inbound or outbound); c. call duration; d. phone number; e. call type (fax, modem, modem energy, voice, STU III, busy, unanswered, data, or undetermined); f. “in-call” digits; g. call trailing digits; h. span/span group; i. appliance; j. track; k. text; and l. call information (LOC-local call, INTL-international call, VSC- vertical service code, etc.). F.AUDSTO The TOE does protect audit data from unauthorised modification or deletion by managing log file size and location. F.ADMIN Access to the TOE is restricted to authorised administrators through the use of user ID, password and password expiration, and enforced upon an acceptable IP address. Each administrator does have a set of privileges that only allow the administrators to perform those tasks associated with their duties. A mechanism is provided to verify that administrator passwords meet a minimum of eight characters including one change of case character and one digit. The TOE also enforces temporary account lockout after a set number of failed authentication attempts. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 38 of 64 F.INIT When TOE security functions are started, the TOE does initialise with the security settings in effect when it was last shutdown. If this saved configuration cannot be loaded or does not exist, the TOE does warn the user via a pop-up dialog that the default configuration is being loaded. F.PROTSF The TOE mediates telephony access as a basic function of the system. Appliances allow or reject calls based on call attributes. Management servers allow or reject appliance client connections based on IP addresses and the 3DES encryption key, and allow or reject remote (console) connections based on the originating IP addresses, the 3DES encryption key, username and password. Username/password and possibly IP address restrict access to the appliances. Access to the management server and its data is restricted to authorized OS level administrators, database administrators, and ETM® System administrators. ETM® System enforces attribute locking and User Account Permissions. Only authenticated admins possessing appropriate ETM® System permissions are able to modify the 3DES keys. Appliances run as a separate domain. The TOE Operating system provides the protected domain for the management server and client software. F.AAA Access to AAA Appliances is restricted to authorised telecommunications users through the use of user ID and PIN. A mechanism is provided to verify that telecommunications user PINs meet a minimum length of three digits up to a maximum of ten digits. The TOE also enforces account lockout after a set number of failed authentication attempts. 6.2 ASSURANCE MEASURES A description of each of the TOE assurance measures follows. M.ID The TOE incorporates a unique version identifier that can be displayed to the user. M.SYSTEM The TOE is developed and maintained using a system to ensure only authorised changes are implemented in the evaluated version of the TOE. A list of all TOE documentation and all configuration items required to create the TOE is maintained. M.GETTOE The developer has controlled processes and procedures (for both hardware and software components) whereby the developer ensures that a secure version of the TOE is delivered to a customer. Both the process and procedures are documented. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 39 of 64 M.SETUP The TOE includes an automated installation and set-up program compatible with the TOE operating system. The installation process is self-explanatory, or provides additional instructions to clearly document the installation process. The default installation results in the secure installation and start-up of the TOE. M.SPEC A high level TOE design and functional specification have been provided by the developer for the evaluation which describes the TOE security functionality, subsystems, interfaces, and policy model. M.TRACE Correspondence mappings are provided by the developer such that the security functionality detailed in the TOE functional specification is upwards traceable to this ST, and downwards traceable to the high level design. M.DOCS Sufficient user and administrator guidance documentation are provided. M.TEST A suitably configured TOE is tested in a controlled environment to confirm that TOE functionality operates as specified, and that the TOE is protected from a representative set of well-known attacks. A mapping between developer test cases and TOE functionality is provided by the developer. The assurance requirements also ensure the TOE functionality is tested in a real- world environment. M.SECASS The developer examines the TOE design to ensure the security functions adequately address perceived threats in the security environment. The results of the examination are documented. Threats include deliberate attempts to disable, bypass, and brute-force attack the TSF. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 40 of 64 7 PROTECTION PROFILE CLAIMS This ST does not claim conformance to a Protection Profile. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 41 of 64 8 RATIONALE This section contains the Rationale arguments and proof. 8.1 SECURITY OBJECTIVES RATIONALE 8.1.1 TOE Security Objectives Rationale Table 4 provides a mapping of TOE Security Objectives to Threats, and is followed by a discussion of how each Threat is addressed by the corresponding TOE Security Objectives. Table 4. Mapping of TOE Security Objective to Threats T.SNIFF T.REPLAY T.ATKNET T.INTRES T.EXTRES T.MISUSE T.TOEPRO T.ATKVIS T.TOEDAT T.TOEFCN T.NONAPP T.NOCOM T.AUDEXH O.CRYPTO X X O.ATKNET X X O.MEDTEL X X X O.TELTOE X X X O.COMM X O.AUDCHK X O.ADMACC X X X O.HMI X X X O.DSPACT X X O.AUDIT X O.SELFPRO X X O.AAA X X X T.SNIFF A network attacker may observe authentication data or system configuration information during transmission between components of the TOE. O.CRYPTO protects the confidentiality of authentication and system configuration data using cryptography as it passes between distributed components of the TOE. T.REPLAY A network attacker may use previously captured or falsified data to authenticate to the TOE or alter its configuration. O.ATKNET protects the TOE appliances against attack from the network. Replay attacks, in appliance to server communications, are countered by the communications being authenticated with a variable handshake and encrypted with valid cryptographic algorithm and key. O.CRYPTO protects the ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 42 of 64 confidentiality of authentication and system configuration data using cryptography as it passes between distributed components of the TOE. Falsified data can not be properly encrypted for use by the TOE since the network attacker does not have access to the cryptographic key. T.ATKNET A network attacker may attack the TOE appliances using common and known network attack techniques. O.ATKNET ensures the TOE appliances protect themselves against attack from the network by authenticating communications with a variable handshake and encrypted communications with valid cryptographic algorithm and key. T.INTRES An unauthorised external telecommunications user may gain access to internal telecommunication resources (telephones, modems, faxes, etc.). O.MEDTEL mediates telecommunications access across the telecommunication lines, preventing unauthorised use of telecommunication resources. O.AAA ensures that only authorised telecommunications users may access AAA Appliances. T.EXTRES An internal telecommunications user may gain unauthorised access to external telecommunications resources (telephones, modems, faxes, telecommunications or internet service providers, etc.). O.MEDTEL mediates telecommunications access across the telecommunication lines, preventing unauthorised use of telecommunication resources. O.AAA ensures that only authorised telecommunications users may access AAA Appliances. T.MISUSE A telecommunications user may use internal telecommunications resources in an unauthorised manner (make a voice call on a fax line, etc.). O.MEDTEL mediates telecommunications access across the telecommunication lines, preventing unauthorised use of telecommunication resources. T.TOEPRO A telecommunications user or an unauthorized user may bypass, deactivate, corrupt or tamper with TOE security functions. O.TELTOE does not allow unauthorised connections to the TOE itself. O.SELFPRO protects the TOE from attempts by a telecommunications user or an unauthorized user to bypass, deactivate, corrupt or tamper with TOE security functions. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 43 of 64 T.ATKVIS A telecommunications user may conduct undetected attack attempts against the TOE. O.DSPACT and O.HMI display, to the administrator, the current activity associated with telecommunications entities accessing, or attempting to access, the TOE. O.AUDIT records a readable audit trail of allowed and denied telecommunications access attempts, administrator login attempts, and permits the administrator to review the audit log entries. T.TOEDAT A telecommunications user may read, modify, or destroy internal TOE data. O.TELTOE does not allow unauthorised connections to the TOE itself. O.ADMACC restricts access to security functions only to authorised administrators. T.TOEFCN A telecommunications user or an unauthorized user may access and use security and/or non-security functions of the TOE. O.TELTOE does not allow unauthorised connections to the TOE itself. O.ADMACC restricts access to security functions only to authorised administrators. O.HMI permits the administrator to manage the TOE security functions to detect/prevent this threat. O.SELFPRO protects the TOE from tampering by a telecommunications user or an unauthorized user. O.AAA restricts access to AAA Appliances to authorised telecommunications users only. T.NONAPP An administrator may be unaware that an unauthorised application, executing on the TOE, is accessing the telecommunications lines or network via TOE interfaces. O.ADMACC restricts access to security functions only to authorised administrators. O.HMI permits the user to manage the TOE security functions to detect/prevent this threat. O.DSPACT displays to the user the current activity associated with telecommunications entities accessing, or attempting to access, the TOE. T.NOCOM An administrator may be unaware that TOE internal communications have failed. Potential causes of communication failures include system failures and denial of service attacks initiated by network attackers. O.COMM ensures the TOE notifies the administrator of an internal communications failure. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 44 of 64 T.AUDEXH An administrator may be unaware that the audit storage on the ETM® Management Server of the TOE has been exhausted. Potential causes for the exhaustion of audit storage include: excessive log traffic generated by high levels of usage by telecommunications users and/or attacks by unauthorized users and network attackers; and improper administration of the audit storage volume. O.AUDCHK ensures that the TOE notifies the administrator when the audit storage on the ETM® Management Server is exhausted. 8.1.2 Environment Security Objectives Rationale Table 5 provides a mapping of Environment Security Objectives to Assumptions and Threats, and is followed by a discussion of how each Assumption or Threat is addressed by the corresponding Environment Security Objectives. Table 5. Mapping of Environment Security Objectives to Threats and Assumptions A.PHYSEC A.COM A.NOEVIL T.USAGE T.BADADM T.TROJAN O.GUIDAN X X X X O.AUTHUSR X O.NETPRO X A.PHYSEC The TOE is physically secure. O.AUTHUSR ensures that only authorised users be permitted physical access to the TOE. A.COM Communications between the Management server and database server are protected by the environment and do not need to be explicitly protected by the TOE. O.NETPRO ensures that the environment protects the communications between Management server and database server. A.NOEVIL Administrators are non-hostile and do not attempt to use O/S level administrative privileges to compromise the TOE functionality. O.GUIDAN ensures that administrators administer and operate the TOE in a manner that maintains its security. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 45 of 64 T.USAGE The TOE may unwittingly be configured, used, and administered in an insecure manner by the administrator. O.GUIDAN provides administrators with instructions on how to securely maintain the TOE. T.BADADM Compromise of the integrity and/or availability of the TOE may occur as a result of an administrator not following proper security procedures. O.GUIDAN provides administrators with instructions on how to securely maintain the TOE. T.TROJAN Compromise of the integrity and/or availability of the TOE may occur as a result of an administrator unwittingly introducing a virus or trojan into the system. O.GUIDAN provides administrators with instructions on how to securely maintain the TOE. 8.2 SECURITY REQUIREMENTS RATIONALE 8.2.1 Security Functional Requirements Rationale Table 6 provides a mapping of Security Functional Requirements to TOE Security Objectives, and is followed by a discussion of how each IT Security Objective is addressed by the corresponding Security Functional Requirements. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 46 of 64 Table 6. Mapping of Security Functional Requirements to TOE Security Objectives O.CRYPTO O.ATKNET O.MEDTEL O.TELTOE O.COMM O.AUDCHK O.ADMACC O.HMI O.DSPACT O.AUDIT O.SELFPRO O.AAA FAU_ARP.1 X X FAU_GEN.1 X FAU_SAA.1 X X FAU_SAR.1 X FAU_SAR.3 (1)&(2) X FAU_SEL.1 X FAU_STG.1 X FAU_STG.3 X X FCS_CKM.4 X FCS_COP.1 X FDP_ACC.1 (1) X FDP_ACF.1 (1) X FDP_ACC.1 (2) X FDP_ACF.1 (2) X FDP_ACC.1 (3) X X X FDP_ACF.1 (3) X X X FDP_IFC.1 (1) X X FDP_IFF.1 (1) X X FDP_IFC.1 (2) X FDP_IFF.1 (2) X FDP_ITC.1 X FIA_AFL.1 (1) X FIA_AFL.1 (2) X FIA_ATD.1 (1) X FIA_ATD.1 (2) X FIA_SOS.1 (1) X FIA_SOS.1 (2) X FIA_UAU.1 X X X FIA_UID.1 X X X FMT_MOF.1 X X X FMT_MSA.1 (1)&(2) X FMT_MSA.3 X FMT_MTD.1 X X FMT_SMF.1 X FMT_SMR.1 X X FPT_ITT.1 X FPT_RVM.1 X FPT_SEP.1 X FPT_STM.1 X FTP_TRP.1 X X O.CRYPTO The TOE must protect the confidentiality of authentication and system configuration data using cryptography as it passes between distributed components of the TOE. FCS_COP.1 requires a cryptographic operation to be performed in accordance with a specified algorithm and with a cryptographic key of a specified size. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 47 of 64 FCS_CKM.4 requires cryptographic keys to be overwritten. FTP_TRP.1 requires that internal TOE communications are protected O.ATKNET The TOE appliances must protect themselves, using authentication and cryptography, against network based attacks generated using common and known network attack techniques. FDP_IFC.1 (2), FDP_IFF.1 (2), FPT_ITT.1 and FTP_TRP.1 together require that the TOE protect its appliances against attack from the network. O.MEDTEL The TOE must mediate telecommunications access both inbound and outbound on the telecommunications lines. The TOE shall be capable of allowing or denying the communication based on predefined attributes. FDP_IFC.1 (1) together with FDP_IFF.1 (1) require that the TOE mediate communications across the telecommunications lines based on a combination of default and administrator-defined conditions. O.TELTOE The TOE must not allow unauthorised access to the TOE from the telecommunications interfaces. FDP_ACC.1 (3), FDP_ACF.1 (3), FDP_IFC.1 (1), and FDP_IFF.1 (1) define the only allowed access control security policies which ensure there are no other ways to access the TOE. O.COMM The TOE must provide a mechanism to handle internal communication failures. FAU_ARP.1 and FAU_SAA.1 combine to provide the administrator with real-time notification of a communication failure. O.AUDCHK The TOE must provide a mechanism that advises the administrator when local audit storage on the ETM® Management Server has been exhausted. FAU_STG.3 provides the administrator with notification that the audit storage on the ETM® Management Server has been exhausted. O.ADMACC An administer role will exist on the TOE with access control mechanisms such that only authenticated administrators are able to perform security relevant functions. FDP_ACC.1 (2), FDP_ACF.1 (2), FIA_UAU.1 and FIA_UID.1 ensure that all users are properly identified and authenticated before gaining access to the TOE. FMT_SMR.1 defines the security roles such that the only users are ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 48 of 64 administrators. FIA_ATD.1 (1) are the security attributes which identify administrators and their privileges. FIA_AFL.1 (1) adds extra assurance that attempts to guess the administrator’s password using brute force will be blocked (for Telnet access only). O.HMI The TOE must provide functionality that enables an administrator to effectively manage the TOE and its security functions from its local HMI. FMT_SMF.1 identifies the security management functions that are available in the TSF to the administrator. FMT_MOF.1 provides the administrator with the capability to manage the TOE and its security functions from its local HMI. O.DSPACT The TOE must display to the administrator the current and recent history of telecommunications activity associated with the telecommunication lines. FMT_MOF.1 provides the user with the capability to select the level of telecommunications activity that is displayed on the HMI. O.AUDIT The TOE must record and store a readable audit trail of TOE telecommunications activity and security relevant events, and permit their review only by authorised administrators. The TOE will be capable of performing audit reduction and triggering alarms, as required by the administrator. FAU_GEN.1 and FPT_STM.1 combine to require that a readable audit trail of network activity and security related events is recorded with reliable time stamps. FAU_STG.1 and FAU_STG.3 provide secure storage for the audit data. FAU_SAA.1 and FAU_ARP.1 provide the administrator with additional, real-time notification of some audit events. FAU_SAR.1, FAU_SAR.3 (1) and FAU_SAR.3 (2) provide the administrator with the capability to review both a complete and reduced audit trail. FAU_SEL.1 and FMT_MOF.1 combine to provide the administrator with the capability to select what level of network activity is recorded in the audit trail. FMT_MTD.1 restricts access to the audit logs to administrators. O.SELFPRO The TOE must protect itself against attempts by a telecommunications user or an unauthorized user to bypass, deactivate, corrupt, or tamper with TOE security functions. FDP_ACC.1 (1), FDP_ACF.1 (1), FDP_ACC.1 (3), FDP_ACF.1 (3), FDP_ITC.1, FIA_SOS.1 (1), FIA_SOS.1 (2), FIA_UAU.1 and FIA_UID.1 ensure that all users are properly identified and authenticated before gaining access to the TOE. FMT_MSA.1 (1), FMT_MSA.1 (2), FMT_MSA.3, ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 49 of 64 FMT_SMR.1 and FMT_MTD.1 ensure that all security functions are managed only by administrators who have the correct privileges. FPT_RVM.1 and FPT_SEP.1 ensure that the TSF is protected. O.AAA The TOE must provide functionality that restricts access to AAA Appliances to authorised telecommunications users. FDP_ACC.1 (3), FDP_ACF.1 (3), FIA_UAU.1 and FIA_UID.1 ensure that all telecommunications users are properly identified and authenticated before gaining access to an AAA Appliance. FIA_ATD.1 (2) lists the security attributes which identify telecommunications users. FIA_AFL.1 (2) adds extra assurance that attempts to guess a telecommunications user’s PIN using brute force will be blocked. 8.2.2 Assurance Requirements Rationale The ETM® System is designed to mediate telecommunications traffic over telecommunication lines and be simple enough for an average PC user to manage. An assurance level of EAL 2, structurally tested, was selected as the threat to security is considered to be unsophisticated telecommunications attackers, and the data to be protected consists mainly of system resources (although the ETM® System can prevent data leakage by blocking telecommunications access). Additional augmented assurance requirements (ACM_CAP.3, ACM_SCP.1, and ALC_DVS.1) were added to gain increased security throughout the development of the ETM® System. It is felt that an evaluation at this level provides evidence that the TOE functions in a manner consistent with its documentation, and that it provides useful protection against identified threats. 8.2.3 Rationale for Satisfying Functional Requirement Dependencies Table 7 identifies the Security Functional Requirements and their immediate dependencies, and also indicates whether the ST explicitly addresses each dependency. All but two of the dependencies for functional components have been met. Table 7. Security Functional Requirement Dependencies ST Requirement Dependencies Dependency Satisfied? FAU_ARP.1 FAU_SAA.1 Y FAU_ GEN.1 FPT_STM.1 Y FAU_SAA.1 FAU_GEN.1 Y FAU_ SAR.1 FAU_GEN.1 Y FAU_SAR.3 FAU_ SAR.1 Y FAU_GEN.1 Y FAU_ SEL.1 FMT_MTD.1 Y FAU_STG.1 FAU_GEN.1 Y FAU_STG.3 FAU_STG.1 Y ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 50 of 64 ST Requirement Dependencies Dependency Satisfied? FDP_ITC.1, or FCS_CKM.1 Y, N/A FCS_CKM.4 FMT_MSA.2 N FDP_ITC.1, or FCS_CKM.1 Y, N/A FCS_CKM.4 Y FCS_COP.1 FMT_MSA.2 N FDP_ACC.1 FDP_ACF.1 Y FDP_ACC.1 Y FDP_ACF.1 FMT_ MSA.3 Y FDP_ IFC.1 FDP_IFF.1 Y FDP_IFC.1 Y FDP_ IFF.1 FMT_MSA.3 Y FDP_ACC.1, or FDP_IFC.1 Y, Y FDP_ITC.1 FMT_MSA.3 Y FIA_AFL.1 FIA_UAU.1 Y FIA_ATD.1 – Y FIA_SOS.1 – Y FIA_UAU.1 FIA_UID.1 Y FIA_UID.1 – Y FMT_SMF.1 Y FMT_MOF.1 FMT_SMR.1 Y FDP_ACC.1, or FDP_IFC.1 Y, Y FMT_SMF.1 Y FMT_MSA.1 FMT_SMR.1 Y FMT_MSA.1 Y FMT_MSA.3 FMT_SMR.1 Y FMT_SMF.1 Y FMT_MTD.1 FMT_SMR.1 Y FMT_SMF.1 – Y FMT_SMR.1 FIA_UID.1 Y FPT_ITT.1 – Y FPT_RVM.1 – Y FPT_SEP.1 – Y FPT_STM.1 – Y FTP_TRP.1 – Y FMT_MSA.2 For FCS.CKM.4 and FCS_COP.1, this security functional requirement has been excluded because the TSF does not generate the security attributes (i.e., cryptographic keys) itself. Instead the security attributes are manually generated by the administrator in the TOE environment and then loaded into the TOE. The TOE does not validate the key values. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 51 of 64 8.2.4 Rationale for Satisfying Assurance Requirement Dependencies Table 8 identifies the Security Assurance Requirements and their immediate dependencies, and also indicates whether the ST explicitly addresses each dependency. All dependencies for assurance components have been met. Table 8. Security Assurance Requirement Dependencies ST Requirement Dependencies Dependency Satisfied? ACM_CAP.3 ALC_DVS.1 Y ACM_SCP.1 ACM_CAP.3 Y ADO_DEL.1 – Y ADO_IGS.1 AGD_ADM.1 Y ADV_FSP.1 ADV_RCR.1 Y ADV_FSP.1 Y ADV_HLD.1 ADV_RCR.1 Y ADV_RCR.1 – Y AGD_ADM.1 ADV_FSP.1 Y AGD_USR.1 ADV_FSP.1 Y ALC_DVS.1 – Y ADV_FSP.1 Y ATE_COV.1 ATE_FUN.1 Y ATE_FUN.1 – Y ADV_FSP.1 Y AGD_USR.1 Y ATE_IND.2 ATE_FUN.1 Y ADV_FSP.1 Y AVA_SOF.1 ADV_HLD.1 Y ADV_FSP.1 Y ADV_HLD.1 Y AVA_VLA.1 AGD_USR.1 Y 8.2.5 Rationale for Security Functional Refinements FAU_GEN.1 Audit data generation In FAU_GEN.1.2, changed “… at least the following information: … subject identity…” to “… at least the following information: … subject identity (when available)…” as the subject identity is not always available for audit generation. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 52 of 64 FAU_SAR.3 Selectable audit review Added an additional category to FAU_SAR.3.1 (2) to include filtering of audit data. The original wording of FAU_SAR.3.1 (1) remains unchanged. See application note for FAU_SAR.3 (2) for further details. FIA_ATD.1 User attribute definition (2) In FIA_ATD.1.1, changed “…belonging to individual users” to “…belonging to individual telecommunications users” since the requirement only applies to individuals who communicate over the telecommunications network to operate an AAA Appliance. FIA_UAU.1 Timing of authentication Reworded FIA_UAU.1.1 for clarity and proper English by removing “…on behalf of the user to be performed…”. The original intent of FIA_UAU.1.1 (specifying actions which can be performed before authentication) remains unchanged. In FIA_UAU.1.2, changed the two instances of “user” to “user and telecommunications user accessing an AAA Appliance” and “user or telecommunications user” respectively since only these TOE users authenticate to the TOE. FIA_UID.1 Timing of identification Reworded FIA_UID.1.1 for clarity and proper English by removing “…on behalf of the user to be performed…”. The original intent of FIA_UID.1.1 (specifying actions which can be performed before identification) remains unchanged. In FIA_UID.1.2, changed the two instances of “user” to “user and telecommunications user accessing an AAA Appliance” and “user or telecommunications user” respectively since only these TOE users are required to authenticate to the TOE. FMT_MSA.3 Static Attribute initialisation In FMT_MSA.3.1, changed “…default values for security attributes…” to “…default values for information flow security attributes…” since the requirement only applies to the information flow SFP. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 53 of 64 In FMT_MSA.3.1, changed “…to enforce the SFP” to “…to enforce the TELCO SFP” since there is more than one SFP and this requirement only applies to the TELCO SFP. 8.2.6 Rationale for Audit Exclusions Table 9 lists events that would normally be subject to audit at the Basic level of audit which are not audited for the indicated reasons: Table 9. Rationale for Audit Exclusions Functional Component Auditable Event Rationale for Exclusion FPT_STM.1 Changes to the time. This audit requirement has not been included because: • The only security functionality that relies on TOE system time is the time stamping of audit log entries. Since the TOE maintains the sequence of audit entries in the log, regardless of changes in system time, any relevant changes in system time would be apparent. • Authorised users or applications executing on the TOE must initiate system time changes. Users are assumed to be knowledgeable of the applications they are running, and hence are aware of changes in system time they initiate. If the operating system itself changes system time (e.g., daylight saving time changes), the user is notified. • System time is maintained by the operating system. In this case, the TOE operating system, Windows® NT, does not support a capability to audit system time changes. 8.3 TOE SUMMARY SPECIFICATION RATIONALE ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 54 of 64 8.3.1 TOE Security Functions Rationale Table 10 provides a mapping of TOE Security Functions to Security Functional Requirements and is followed by a discussion of how each Security Functional Requirement is addressed by the corresponding Security Function. FTP_TRP.1 X X FPT_SMT.1 X X FPT_SEP.1 X FPT_RVM.1 X FPT_ITT.1 X FMT_SMR.1 X X FMT_SMF.1 X FMT_MTD.1 X FMT_MSA.3 X FMT_MSA.1(1)&(2) X FMT_MOF.1 X FIA_UID.1 X X FIA_UAU.1 X X FIA_SOS.1(1)&(2) X X FIA_ATD.1(2) X FIA_ATD.1(1) X FIA_AFL.1(2) X FIA_AFL.1(1) X FDP_ITC.1 X FDP_IFF.1(2) X X FDP_IFC.1(2) X FDP_IFF.1(1) X X X FDP_IFC.1(1) X X X FDP_ACF.1(3) X FDP_ACC.1(3) X FDP_ACF.1(2) X FDP_ACC.1(2) X FDP_ACF.1(1) X FDP_ACC.1(1) X FCS_COP.1 X FCS_CKM.4 X FAU_STG.3 X X FAU_STG.1 X X FAU_SEL.1 X FAU_SAR.3(1)&(2) X X FAU_SAR.1 X X FAU_SAA.1 X X FAU_GEN.1 X X X FAU_ARP.1 X X F.CRYPTO F.NETBLK F.TELBLK F.TELALW F.FAIL F.FAILNOT F.HMI F.LOCK F.AUDEVT F.AUDINF F.AUDLVL F.TIME F.ALARM F.AUDRPT F.AUDFLTR F.AUDSTO F.ADMIN F.INIT F.PROTSF F.AAA Table 10. Mapping of TOE Security Functions to Security Functional Requirements ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 55 of 64 FAU_ARP.1 Security Alarms F.ALARM and F.FAILNOT combine to satisfy the requirements for detecting security violations based on administrator created rules and TOE communication failure respectively. FAU_GEN.1 Audit data generation F.AUDEVT, F.AUDINF, and F.TIME combine to satisfy the requirement for the generation of audit data for the specified set of TOE events. FAU_SAA Potential violation analysis F.ALARM and F.FAILNOT combine to satisfy the requirements for detecting security violations based on administrator created rules and TOE communication failure respectively. FAU_SAR.1 Audit review F.AUDRPT and F.AUDFLTR combine to satisfy the requirements for the reviewing of audit data by providing a capability for report generation and filtering. FAU_SAR.3 Selectable audit review (1) & (2) F.AUDRPT and F.AUDFLTR combine to satisfy the requirements for the selectable reviewing of audit data. FAU_SEL.1 Selective audit F.AUDLVL satisfies the requirement for the selectable recording of audit data. FAU_STG.1 Protected audit trail storage F.AUDSTO satisfies the requirement for protected storage of audit data by managing log file size and location. F.ADMIN protects the integrity of audit data by limiting access to authorised administrators. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 56 of 64 FAU_STG.3 Action in case of possible audit data loss F.AUDEVT and F.ALARM combine to satisfy the requirement for protected storage of audit data by generating a security message and alarm in the event of possible audit data loss. FCS_CKM.4 Cryptographic key destruction F.CRYPTO satisfies the requirement to overwrite existing cryptographic key values. FCS_COP.1 Cryptographic operation F.CRYPTO satisfies this requirement for cryptographic operations that are used to protect the confidentiality of internal data communications. The TOE can encrypt internal data communications using Triple DES cryptography. FDP_ACC.1 Subset access control (1) F.ADMIN satisfies the requirement for access control to the TOE through authentication of administrators. FDP_ACF.1 Security attribute based access control (1) F.ADMIN satisfies the requirement for access control to the TOE based on security attributes of user name, password, password expiry, and IP address. FDP_ACC.1 Subset access control (2) F.LOCK satisfies the requirement for access control for the editing of TOE objects. FDP_ACF.1 Security attribute based access control (2) F.LOCK satisfies the requirement for access control to the TOE and it’s objects based on number of concurrent users by preventing users from editing the same object. FDP_ACC.1 Subset access control (3) F.AAA satisfies the requirement for access control of an AAA Appliance through authentication of telecommunications users. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 57 of 64 FDP_ACF.1 Security attribute based access control (3) F.AAA satisfies the requirement for access control to an AAA Appliance based on security attributes of user ID and PIN. FDP_IFC.1 Subset information flow control (1) F.TELBLK, F.TELALW, and F.FAIL combine to satisfy the requirement to enforce information flow control on external IT entities that send and receive information across the telecommunications lines, based on security attributes. Telecommunication calls are allowed, blocked, or encrypted based on call attributes. In the event of TOE failure, fail-safe or fail-secure operation is allowed (for 1000 series Appliances). FDP_IFF.1 Simple security attributes (1) F.TELBLK, F.TELALW, and F.FAIL combine to satisfy the requirement to enforce information flow control on external IT entities that send and receive information across the telecommunication lines, based on security attributes. FDP_IFC.1 Subset information flow control (2) F.NETBLK satisfies the requirement to enforce information flow control on external IT entities that send and receive information across the network, based on security attributes. FDP_IFF.1 Simple security attributes (2) F.NETBLK and F.CRYPTO satisfy the requirement to enforce information flow control on external IT entities that send and receive information across the network, based on security attributes. Data is protected from modification or disclosure when it is transmitted between separate parts of the TOE by validating IP address and username and password, by authenticating communications with a variable handshake and by encrypting the data with valid a cryptographic key and algorithm. FDP_ITC.1 Import of user data without security attributes F.ADMIN satisfies this requirement to restrict the import of cryptographic keys to authorised administrators and processes. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 58 of 64 FIA_AFL.1 Authentication failure handling (1) F.ADMIN satisfies the requirement to restrict access to authorised administrators by temporarily turning off access to the TOE (Telnet to sensor only) after a set number of failed login attempts FIA_AFL.1 Authentication failure handling (2) F.AAA satisfies the requirement to restrict access to AAA Appliances to authorised telecommunications users by turning off access after a set number of failed login attempts FIA_ATD.1 User attribute definition (1) F.ADMIN satisfies the requirement for user attributes. FIA_ATD.1 User attribute definition (2) F.AAA satisfies the requirement for telecommunications user attributes. FIA_SOS.1 Verification of secrets (1) & (2) F.ADMIN and F.AAA satisfies the requirement for quality metrics of secrets (user attributes). FIA_UAU.1 Timing of authentication F.ADMIN and F.AAA satisfy the requirement for user authentication. FIA_UID.1 Timing of identification F.ADMIN and F.AAA satisfy the requirement for user identification. FMT_MOF.1 Management of security functions behaviour F.HMI satisfies the requirement for the TOE to provide the user with the capability to manage the security functions of the TOE through external interfaces. FMT_MSA.1 Management of security attributes (1) & (2) F.HMI satisfies the requirement for the TOE to provide the user with the capability to manage the security attributes of the TOE. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 59 of 64 FMT_MSA.3 Static attribute initialisation F.INIT satisfies the requirement for the default TOE configuration. FMT_MTD.1 Management of TSF data F.HMI satisfies the requirement for the TOE to provide the user with the capability to manage the TSF data. FMT_SMF.1 Specification of management functions F.HMI satisfies the requirement for the TSF to be capable of performing specific security management functions. FMT_SMR.1 Security Roles F.ADMIN satisfies the requirement for various (administrator) security roles and F.HMI satisfies the requirement for the TOE to provide the administrator with the capability to manage the security attributes of the TOE. FPT_ITT.1 Basic internal TSF data transfer protection F.NETBLK satisfies the requirement to protect TSF data when transmitted between separate components of the TOE. FPT_RVM.1 Non-bypassability of the TSP F.PROTSF satisfies the requirement for the TOE to ensure the non- bypassability of the TSP. FPT_SEP.1 TSF domain separation F.PROTSF satisfies the requirement for the TOE to protect the TSF through domain separation. FPT_STM.1 Reliable time stamps F.AUDINF and F.TIME combine to satisfy the requirement for the TOE to provide a reliable time and date for the time stamping audit log entries. FTP_TRP.1 Trusted Path F.NETBLK and F.CRYPTO satisfy the requirement to provide a trusted path to the TOE appliances. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 60 of 64 8.3.2 TOE Assurance Measures Rationale Table 11 provides a mapping of Assurance Measures to Security Assurance Requirements and is followed by a short discussion of how the Security Assurance Requirements are addressed by the corresponding Assurance Measures. Table 11. Mapping of Assurance Measures to Security Assurance Requirements ACM_CAP.3 ACM_SCP.1 ADO_DEL.1 ADO_IGS.1 ADV_FSP.1 ADV_HLD.1 ADV_RCR.1 AGD_ADM.1 AGD_USR.1 ALC_DVS.1 ATE_COV.1 ATE_FUN.1 ATE_IND.2 AVA_SOF.1 AVA_VLA.1 M.ID X M.SYSTEM X X X M.GETTOE X M.SETUP X M.SPEC X X M.TRACE X M.DOCS X X M.TEST X X X X M.SECASS X X ACM_CAP.3 Authorisation controls M.ID and M.SYSTEM combine to satisfy the requirement for configuration management. ACM_SCP.1 TOE CM coverage M.SYSTEM satisfies the requirement for CM tracking of all TOE configuration items and associated documentation. ADO_DEL.1 Delivery procedures M.GETTOE satisfies the requirement for delivery procedures. ADO_IGS.1 Installation, generation, and start-up procedures M.SETUP satisfies the requirement for installation, generation, and start-up procedures. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 61 of 64 ADV_FSP.1 Informal functional specification M.SPEC satisfies the requirement for a functional specification. ADV_HLD.1 Descriptive high-level design M.SPEC satisfies the requirement for a high-level design specification. ADV_RCR.1 Informal correspondence demonstration M.TRACE satisfies the requirement for design specifications that are consistent throughout the documentation. AGD_ADM.1 Administrator guidance M.DOCS satisfies the requirement for administrator guidance documentation. AGD_USR.1 User guidance M.DOCS satisfies the requirement for user guidance documentation. ALC_DVS.1 Identification of security measures M.SYSTEM satisfies the requirement for TOE developmental security. ATE_COV.1 Evidence of coverage M.TEST satisfies the requirement for evidence that all TOE security functions have been tested. ATE_FUN.1 Functional testing M.TEST satisfies the requirement for evidence that TOE security functions have been tested. ATE_IND.2 Independent testing – sample M.TEST satisfies the requirement for evidence that TOE security functions have been tested. AVA_SOF.1 Strength of TOE security function evaluation M.SECASS satisfies the requirement for evidence that all TOE security functions have been examined to ensure their strength against threats. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 62 of 64 AVA_VLA.1 Developer vulnerability analysis M.TEST and M.SECASS combine to satisfy the requirement for evidence that the TOE has been examined and tested in an effort to discover vulnerabilities. ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 63 of 64 9 ACRONYMS AND ABBREVIATIONS Acronym Definition AAA Authorisation, Authentication, and Accounting ANSI American National Standards Institute ASCII American Standard Code for Information Interchange CC Common Criteria for Information Technology Security Evaluation CD-ROM Compact Disc, read-only-memory CFB Cipher-feedback mode CM Configuration Management CO Central Office (Telecommunication provider) CRYPTO Cryptography CRYPTO_SFP CRYPTO Security Functional Policy DBMS DataBase Management System DES Data Encryption Standard E1 E-carrier First level EAL Evaluation Assurance Level ETM® Enterprise Telephony Management FIPS Federal Information Processing Standards HMI Human Machine Interface ID Identification IP Internet Protocol ISDN Integrated Services Digital Network IT Information Technology NETWORK_SFP NETWORK Security Functional Policy PBX Private Branch Exchange PC Personal Computer PIN Personal Identification Number PRI Primary Rate Interface PSTN Public Switched Telephone Network RS-232 Recommended Standard-232 SFP Security Functional Policy SNMP Simple Network Management Protocol ETM® System v5.0.1 Security Target Doc No: 1495-011-D001 Version: 1.1 Date: 11 Oct 05 Page 64 of 64 Acronym Definition SOF Strength of Function SP6A Service Pack Six A – for Windows NT 4.0 SS7 Signalling System 7 ST Security Target STU Secure Telephone Unit TELCO Telecommunications TELCO_SFP TELCO Security Functional Policy T1 T-carrier First level TCP Transmission Control Protocol TOE Target of Evaluation TSF TOE Security Functions TSP TOE Security Policy VoIP Voice-over-Internet-Protocol Windows® NT Windows® New Technology