National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Juniper Networks, Inc. Juniper Networks Mx Routers, PTX Routers and EX9200 Switches Running Junos OS 14.2R3 Report Number: CCEVS-VR-VID10661-2015 Dated: December 28, 2015 Version: 1.0 National Institute of Standards and Technology Information Technology Laboratory 100 Bureau Drive Gaithersburg, MD 20899 National Security Agency Information Assurance Directorate 9800 Savage Road STE 6940 Fort George G. Meade, MD 20755-6940 Acknowledgements Validation Panel Sheldon Durrant The MITRE Corporation, Bedford, MA Jean Petty The MITRE Corporation, McLean, VA Common Criteria Testing Laboratory Kenji Yoshino, Michael Baron InfoGard Laboratories, Inc. San Luis Obispo, CA 2 Table of Contents 1 Executive Summary......................................................................................5 2 Identification of the TOE ..............................................................................6 3 Interpretations.............................................................................................6 4 Security Policy..............................................................................................7 4.1 Audit................................................................................................................................. 7 4.2 Cryptographic Operations................................................................................................ 7 4.3 User Data Protection........................................................................................................ 7 4.4 Identification and Authentication.................................................................................... 7 4.5 Security Management...................................................................................................... 8 4.6 Protection of the TSF........................................................................................................ 8 4.7 TOE Access........................................................................................................................ 8 4.8 Trusted Path/Channels..................................................................................................... 8 5 TOE Security Environment............................................................................9 5.1 Secure Usage Assumptions .............................................................................................. 9 5.2 Threats Countered by the TOE......................................................................................... 9 5.3 Organizational Security Policies..................................................................................... 10 6 Architectural Information...........................................................................10 6.1 Architecture Overview ................................................................................................... 10 6.1.1 TOE Hardware.....................................................................................................................10 6.1.2 TOE Software ......................................................................................................................11 7 Documentation ..........................................................................................12 7.1 Guidance Documentation .............................................................................................. 12 7.2 Test Documentation....................................................................................................... 12 7.3 Vulnerability Assessment Documentation..................................................................... 12 7.4 Security Target ............................................................................................................... 13 8 IT Product Testing.......................................................................................13 8.1 Evaluation Team Independent Testing .......................................................................... 13 8.2 Vulnerability Analysis..................................................................................................... 13 9 Results of the Evaluation............................................................................14 3 10 Validator Comments/Recommendations....................................................15 11 Security Target ...........................................................................................15 12 Terms.........................................................................................................15 12.1 Acronyms.................................................................................................................... 15 13 Bibliography...............................................................................................16 4 1 Executive Summary This report documents the NIAP validators’ assessment of the CCEVS evaluation of the Juniper Networks Mx Routers, PTX Routers and EX9200 Switches Running Junos OS 14.2R3. This report is intended to assist the end-user of this product with determining the suitability of this IT product in their environment. End-users should review both the Security Target (ST), which is where specific security claims are made, in conjunction with this Validation Report (VR), which describes how those security claims were evaluated. The Target of Evaluation (TOE) is a network device (router/switch), and includes the following network devices running Junos OS 14.2R3: • Mx-Series 3D Universal Edge Routers: o Mx240 o Mx480 o Mx960 o Mx2010 o Mx2020 • PTX-Series Packet Transport Routers: o PTX3000 o PTX5000 • EX-Series Ethernet Switches (9200): o EX9204 o EX9208 o EX9214 Each Juniper Networks Mx-series and PTX-series routing platform is a complete routing system that supports a variety of high-speed interfaces (only Ethernet is within scope of the evaluation) for medium/large networks and network applications. Similarly, the EX-series 9200 switches provide high-performance, carrier-class networking solutions, supporting a variety of high- speed Ethernet interfaces for medium/large networks. Table 1 below identifies the components that must be present in the Operational Environment to support the operation of the TOE: Component Description Syslog Server Syslog server supporting SSHv2 connections to send audit logs SSH Client SSHv2 client for remote administration Serial Connection Serial connection client for local administration SFP/Line Cards Small Form-factor Pluggable (SFP)/Line Cards are required by the TOE to operate, communicate with the connected network. These are detailed for each TOE appliance in Section 10 of the ST. Table 1: Operational Environment Components 5 2 Identification of the TOE Table 2 provides information needed to completely identify the product, including: • The Target of Evaluation (TOE), the fully qualified identifier of the product as evaluated; • The Security Target (ST), describing the security features, claims, and assurances of the product; • The conformance result of the evaluation; • The organizations and individuals participating in the evaluation. Evaluation Scheme United States Common Criteria Evaluation Validation Scheme Evaluated Target of Evaluation Juniper Networks Mx Routers, PTX Routers and EX9200 Switches running Junos OS 14.2R3 Protection Profile • Protection Profile for Network Devices, Version 1.1, 08 June 2012 • Security Requirements for Network Devices Errata #3, 3 November 2014 Security Target Juniper Networks Mx Routers, PTX Routers and EX9200 Switches running Junos OS 14.2R3, Version 1.0, December 10, 2015 Dates of Evaluation July 8 – November 12, 2015 Conformance Result Pass Common Criteria Version Version 3.1 Revision 3 (July 2009) Common Evaluation Methodology (CEM) Version Version 3.1, Revision 3, July 2009 Evaluation Technical Report (ETR) 15-3595-R-0042 V1.0, December 18, 2015 Sponsor/Developer Juniper Networks, Inc. Common Criteria Testing Lab (CCTL) InfoGard Laboratories, Inc. CCTL Evaluators Kenji Yoshino, Michael Baron CCEVS Validators Sheldon Durrant, Jean Petty Table 2: Product Identification 3 Interpretations The Evaluation Team performed an analysis of the international interpretations of the CC and 6 the CEM and determined that none of the International interpretations issued by the Common Criteria Interpretations Management Board (CCIMB) were applicable to this evaluation. The TOE is also compliant with all international interpretations with effective dates on or before August 21, 2015. 4 Security Policy This section contains the product features and denotes which are within the logical boundaries of the TOE. The following Security Functions are supported by the TOE: • Audit • Cryptography • User Data Protection • Identification and Authentication • Security Management • Protection of the TSF • TOE Access • Trusted Path/Channels 4.1 Audit Junos auditable events are stored in the syslog files, and can be sent to an external log server (via Netconf over SSH). Auditable events include start-up and shutdown of the audit functions, authentication events, service requests, as well as the events listed in the table in Section 8 of the ST. Audit records include the date and time, event category, event type, username, and the outcome of the event (success or failure). Local syslog storage limits are configurable and are monitored. In the event of storage limits being reached the oldest logs will be overwritten. 4.2 Cryptographic Operations The TOE includes a baseline cryptographic module that provides confidentiality and integrity services for authentication and for protecting communications with adjacent systems. 4.3 User Data Protection The TOE is designed to process network packets and forward them as appropriate. The packet handling is implemented in such a manner as to prevent the leakage of user data from one packet into other packet(s) that was not intended by the originator. 4.4 Identification and Authentication The TOE requires users to provide unique identification and authentication data before any administrative access to the system is granted. .The devices also require that applications exchanging information with them successfully authenticate prior to any exchange. This covers all services used to exchange information, including Secure Shell (SSH). Telnet, File Transfer Protocol (FTP), and Secure Socket Layer (SSL) are out of scope and are not used in the evaluated configuration. 7 4.5 Security Management The TOE provides an Authorized Administrator role that is responsible for: • The configuration and maintenance of cryptographic elements related to the establishment of secure connections to and from the evaluated product • The regular review of all audit data • All administrative tasks (e.g., creating the security policy) The TOE is managed through a Command Line Interface (CLI). The CLI is accessible through a remote administrative session, as well as a local console session. 4.6 Protection of the TSF The TOE provides protection mechanisms for its security functions. One of the protection mechanisms is to protect TSF data (e.g. cryptographic keys, administrator passwords). The TOE does not provide a CLI interface to permit the viewing of keys. Cryptographic keys are protected through the enforcement of kernel-level file access rights, limiting access to the contents of cryptographic key containers to processes with cryptographic rights or shell users with root permission. Another protection mechanism is to ensure the integrity of any software/firmware updates which can be verified utilizing an ECDSA (P-256 with SHA-256) digital signature prior to installation on the TOE. In addition, the kernel maintains a set of fingerprints (SHA1 digests) for executable files and other files which should be immutable. No executable can be run or shared object loaded unless the fingerprint is correct. The fingerprints are loaded as the filesystems are mounted, from digitally signed manifests. The TOE provides for both cryptographic and non-cryptographic self-tests, and is capable of automated recovery from failure states. Junos OS is designed to fail securely. In the event of a transiently corrupt state or failure condition, the system will report an error; the event will be logged and the system restarted, having ceased to process network traffic. When the system restarts, the system boot process does not proceed without passing all self-tests for cryptographic algorithms, RNG tests, and software integrity tests. The TOE also maintains a real-time clock to provide reliable timestamp for its own use. 4.7 TOE Access The TOE can be configured to terminate interactive user sessions after a user defined time-out variable is set. In addition, the TOE is able to present an access banner with warning messages prior to authentication. The TOE also allows the user to manually terminate an interactive session. 4.8 Trusted Path/Channels The TOE creates trusted channels between itself and remote trusted authorized IT product (e.g. syslog server) entities that protect the confidentiality and integrity of communications. The TOE 8 creates trusted paths between itself and remote administrators and users that protect the confidentiality and integrity of communications. The TOE uses the SSHv2 protocol, configured to use FIPS Approved algorithms, to provide Trusted Channels and Trusted Paths. Mutual authentication for Trusted Channels is provided by SSH public key authentication for both the client (remote IT entity) and the server (TOE). Remote administrators authenticate to the TOE using Trusted Paths is provided by SSH public key authentication or password-based authentication. The TOE identifies itself to remote Administrators using SSH public key authentication. 5 TOE Security Environment 5.1 Secure Usage Assumptions The following assumptions are made about the usage of the TOE: A.NO_GENERAL_PURPOSE It is assumed that there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE. A.PHYSICAL Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment. A.TRUSTED_ADMIN TOE Administrators are trusted to follow and apply all admin guidance in a trusted manner. 5.2 Threats Countered by the TOE The TOE is designed to counter the following threats: T.ADMIN_ERROR An authorized administrator may incorrectly install or configure the TOE incorrectly, resulting in ineffective security mechanisms. T.TSF_FAILURE Security mechanisms of the TOE may fail, leading to a compromise of the TSF. T.UNDETECTED_ACTIONS Malicious remote users or external IT entities may take actions that adversely affect the security of the TOE. These actions may remain undetected and thus their effects cannot be effectively mitigated. T.UNAUTHORIZED_ACCESS A user may gain unauthorized access to the TOE data and TOE executable code. A malicious user, process, or external IT entity may masquerade as an authorized entity in order to gain unauthorized access to data or TOE resources. A malicious user, process, or external IT entity may misrepresent itself as the TOE to obtain identification and authentication data. T.UNAUTHORIZED_UPDATE A malicious party attempts to supply the end user with an update to the product that may compromise the security features of the TOE. T.USER_DATA_REUSE User data may be inadvertently sent to a destination not intended by the original sender. 9 5.3 Organizational Security Policies The TOE enforces the following OSPs: P.ACCESS_BANNER The TOE shall display an initial banner describing restrictions of use, legal agreements, or any other appropriate information to which users consent by accessing the TOE. 6 Architectural Information The TOE is classified as a Network Device for Common Criteria purposes. The TOE is made up of hardware and software components. 6.1 Architecture Overview The Target of Evaluation (TOE) is a network device (router/switch), and includes the following network devices running Junos OS 14.2R3: • Mx-Series 3D Universal Edge Routers: o Mx240 o Mx480 o Mx960 o Mx2010 o Mx2020 • PTX-Series Packet Transport Routers: o PTX3000 o PTX5000 • EX-Series Ethernet Switches (9200): o EX9204 o EX9208 o EX9214 The TOE consists of the following IT components: 1. Network device model (as detailed in Table 3 below) 2. Junos OS 14.2R3: an operating system for security appliances 6.1.1 TOE Hardware The hardware has two components: the router/switch chassis and the PICs, DPCs and Line Cards that have been installed in the appliance. The various PICs, DPCs, MPCs, MICs and FPCs that have been installed in the appliance allow it to communicate with the different types of networks that may be required within the environment where the router/switch will be used1 ; however, they are considered non-TOE hardware and consequently, do not fall within the evaluated scope of the TOE. 1 These network interfaces are required for the TOE to operate. However, they are not relied upon for the enforcement of security functionality necessary to satisfy the requirements of NDPP and so do not fall within the scope of the TSF. Therefore, the network interfaces are considered to be non-TOE hardware/software/firmware entities. 10 The physical boundary of the TOE is detailed in Table 3 below: Series Model Slots2 Firmware3 Mx-Series Mx240 3 x MPCs and DPCs Junos 14.2R3.8 Mx480 6 x MPCs and DPCs Junos 14.2R3.8 Mx960 12 x MPCs and DPCs Junos 14.2R3.8 Mx2010 10 x 480 line-rate 10GbE ports Junos 14.2R3.8 Mx2020 20 x 960 line-rate 10GbE ports Junos 14.2R3.8 PTX-Series PTX3000 9 x Switch Interface Boards Junos 14.2R3.8 PTX5000 9 x Switch Interface Boards Junos 14.2R3.8 EX-Series EX9204 4 slots of up to 260 Gbps (full duplex) per slot fabric capacity Junos 14.2R3.8 EX9208 8 slots of up to 260 Gbps (full duplex) per slot fabric capacity Junos 14.2R3.8 EX9214 14 slots of up to 260 Gbps (full duplex) per slot fabric capacity Junos 14.2R3.8 Table 3 - TOE Physical Boundary 6.1.2 TOE Software The Junos OS consists of two major architectural components: • The Routing Engine (RE), which provides Layer 3 routing services and network management and control • The Packet Forwarding Engine (PFE)4 , which provides all operations necessary for transit packet forwarding The TOE is comprised of the Junos OS 14.2R3.8 firmware running on the appliance chassis listed in Table 3 above (including the software implementing the Routing Engine and the software and ASICs implementing the Packet Forwarding Engine). Hence the TOE is contained within the physical boundary of the specified appliance chassis. 2 The fabric/cards plugged into the chassis slots are considered to be non-TOE hardware/software/firmware entities as discussed above. 3 The firmware version reflects the detail reported for the components of the Junos OS when the show version command is executed on the appliance. 4 The network interface components form the lower layers of the PFE (the DPC, PICs, DPCs, MPCs and FPCs network interface components) which simply deal with physical interfaces mechanics. 11 7 Documentation This section details the documentation that is (a) delivered to the customer, and (b) was used as evidence for the evaluation of the TOE. 7.1 Guidance Documentation Document Revision Date Junos OS CLI User Guide, Release 14.2 14.2 October 22, 2014 Junos OS Common Criteria Evaluation Configuration Guide for Mx Series, PTX Series and EX9200 Series Devices Release 14.2R3 14.2R3 November 16, 2015 Junos OS Getting Started Guide for Routing Devices, Release 14.2 14.2 October 16, 2014 Installation and Upgrade Guide, Release 14.2 14.2 June 11, 2015 Junos OS System Log Messages Reference, Release 14.2 14.2 October 28, 2014 Junos OS Security Services Administration Guide for Routing Devices, Release 14.2 14.2 October 16, 2014 Junos OS User Access and Authentication Feature Guide for Routing Devices, Release 14.2 14.2 October 16, 2014 7.2 Test Documentation Document Revision Date EX9204 Test Report Document Number:15-3595- R-0030 Version 1.0 December 18, 2015 PTX5000 Test Report Document Number:15-3595- R-0038 Version 1.0 December 18, 2015 Mx960 Test Report Document Number:15-3595-R- 0041 Version 1.0 December 18, 2015 7.3 Vulnerability Assessment Documentation Document Revision Date Juniper Junos Vulnerabilities N/A November 11, 2015 OpenBSD OpenSSH Vulnerabilities N/A November 11, 2015 12 7.4 Security Target Document Revision Date Security Target Juniper Networks Mx Routers, PTX Routers and EX9200 Switches Running Junos OS 14.2R3 1.0 December 10, 2015 Seeding of JUNOS Kernel RBG (Yarrow) 1.27.5 November 20, 2015 8 IT Product Testing This section describes the testing efforts of the Developer and the Evaluation Team. 8.1 Evaluation Team Independent Testing The developer and the CCTL (InfoGard Laboratories, Inc.) generated the testing plan and designed the testing activities specified in the Protection Profile for Network Device Protection Profile, Version 1.1, and the Security Requirements for Network Devices Errata #3, and generated automated and manual tests to execute the designed test plan. The Evaluation Team moderated and observed the testing of the TOE as performed by the vendor. The testing activities were conducted as specified in the Protection Profile for Network Device Protection Profile, Version 1.1, and the Security Requirements for Network Devices Errata #3. 8.2 Vulnerability Analysis The Evaluator performed the vulnerability analysis while performing testing as described in the Test Plan. While performing the Test Plan, the Evaluator configured the TOE according to the Configuration Guide. The Evaluator performed a full TCP port scan and a UDP port scan of the top 1000 ports using NMAP 6.49BETA4. These scans attempted to identify the service and version running on any open port. OpenSSH 6.6.1 was the only TCP service identified by NMAP. NMAP did not discover any services available over UDP (Note “open|filtered” indicates that the TOE did not respond to the packets sent to theses ports). Based on the NMAP scan the Evaluator performed a public vulnerability search for Junos 14.2R3.8 and OpenSSH 6.6.1. Juniper Junos vulnerabilities [JUNOS] and OpenBSD OpenSSH 6.6 [SSH] vulnerabilities were the best results the Evaluator was able to identify. The search was performed on October 21, 2015 and re-run on November 24, 2015 and identified the following known vulnerabilities: Junos: • CVE-2015-7752: N/A: This applies to versions of Junos 14.2 prior to R3, The TOE is R3. • CVE-2015-7749: N/A: The TOE is no a vSRX device. • CVE-2015-7748: N/A: The TOE does not contain “Trio” Chipset linecards. 13 • CVE-2015-5363: N/A: The TOE is not an SRX device. • CVE-2015-5362: N/A: This applies to versions of Junos 14.2 prior to R3, The TOE is R3. • CVE-2015-5360: N/A: This applies to versions of Junos 14.2 prior to R3, The TOE is R3. • CVE-2015-5359: N/A: This applies to versions of Junos 14.2 prior to R2, The TOE is R3. • CVE-2015-5358: N/A: This applies to versions of Junos 14.2 prior to R2, The TOE is R3. • CVE-2015-5357: N/A: This vulnerability does not apply to Junos 14.2. • CVE-2014-6386: N/A: This vulnerability does not apply to Junos 14.2. • CVE-2014-6385: N/A: This applies to versions of Junos 14.2 prior to R2, The TOE is R3. • CVE-2014-6382: N/A: This applies to versions of Junos 14.2 prior to R2, The TOE is R3. • CVE-2014-6380, CVE-2014-6378, CVE-2014-3825, CVE-2014-3822, CVE-2014-3819, CVE- 2014-3818, CVE-2014-3817, CVE-2014-3815, CVE-2014-2714, CVE-2014-2713, CVE-2014- 0618, CVE-2014-0617, CVE-2014-0616, CVE-2014-0614, CVE-2014-0613, CVE-2014-0612, CVE-2013-7313, CVE-2013-6170, CVE-2013-4688, CVE-2013-4687, CVE-2013-4686, CVE- 2013-4684, CVE-2007-6372, CVE-2006-3529 , CVE-2004-0468, and CVE-2004-0467: N/A: These are older vulnerabilities that came up in the list for all Junos vulnerabilities; however none of these apply to Junos 14.2. OpenSSH: • CVE-2014-2653: N/A, This vulnerabilities applies version 6.6. It is not clear if the vulnerability applies to 6.6.1; however, this vulnerabilities applies to the SSH client portion of OpenSSH. The TOE does not operate as an SSH client. 9 Results of the Evaluation The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The TOE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 3. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 3. InfoGard has determined that the TOE meets the security criteria in the Security Target, which claims compliance with the Protection Profile for Network Device Protection Profile, Version 1.1, June 8, 2012, and the Security Requirements for Network Devices Errata #3, November 3, 2014. A team of Validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in November 2015. 14 10 Validator Comments/Recommendations The validators suggest that the consumer pay particular attention to the evaluated configuration of the product. The functionality evaluated is scoped exclusively to the security functional requirements specified in the Security Target, and only the functionality implemented by the SFRs within the Security Target was evaluated. 11 Security Target Security Target Juniper Networks Mx Routers, PTX Routers and EX9200 Switches Running Junos OS 14.2R3, Version 1.0, December 10, 2015. 12 Terms 12.1 Acronyms CC Common Criteria CCIMB Common Criteria Interpretations Management Board CLI Command Line Interface CSP Critical Security Parameters DAC Discretionary Access Control EAL Evaluation Assurance Level FIPS Federal Information Processing Standards Publication 140-2 FTP File Transfer Protocol I/O Input/Output MIB Management Information Base NIST National Institute of Standards and Technology OCSP Online Certificate Status Protocol PP Protection Profile PFE Packet Forwarding Engine RE Routing Engine SF Security Functions SFP Small Form-factor Pluggable SFR Security Functional Requirements SSH Secure Shell SSL Secure Sockets Layer 15 ST Security Target TOE Target of Evaluation TSF TOE Security Functions 13 Bibliography [1] Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and general model, dated July 2009, Version 3.1 Revision 3, CCMB-2009-07-001. [2] Common Criteria (CC) for Information Technology Security Evaluation – Part 2: Security functional components, July 2009, Version 3.1, Revision 3, CCMB-2009-07-002. [3] Common Criteria for Information Technology Security Evaluation – Part 3: Security assurance components, July 2009, Version 3.1, Revision 3, CCMB-2009-07-003. [4] Common Methodology for Information Technology Security Evaluation – Evaluation methodology, July 2009, Version 3.1, Revision 3, CCMB-2009-07-004. 16