Security Target
NexG Co., LTD
VForce 1700 V1.0 Security Target
Version: 1.2
Update Date: July 20, 2006

Revision History
Version | Date | Revision | Prepared by | Approved by
1.1 | June 30, 2006 | First prepared. | Hwang Seong-hun | Ju Gap-su
1.2 | July 20, 2006 | Augmentation "Requirements for IT environment" prepared. | Hwang Seong-hun | Ju Gap-su

Table of Contents
1 Security Target Introduction ... 4
  1.1 Security Target Identification ... 5
  1.2 Identifying Security Target and TOE ... 5
  1.3 Typographic Conventions ... 6
  1.4 Terms and Definitions ... 7
  1.5 Common Criteria Conformance ... 11
2 TOE Description ... 13
  2.1 Summary of Security Functions ... 14
  2.2 TOE Scope and Boundary ... 16
    2.2.1 Physical Boundary ... 16
    2.2.2 Logical Boundary ... 18
3 TOE Security Environment ... 21
  3.1 Assumptions ... 21
    3.1.1 Assumptions Same as Those for Protection Profile ... 21
    3.1.2 Assumptions for Author-augmented TOE ... 23
    3.2.1 Threats Same as Those in Protection Profile ... 24
    3.2.2 Threats against Author-augmented TOE ... 25
    3.2.3 Threats against TOE Operating Environment Same as Protection Profile ... 26
  3.3 Organizational Security Policies ... 27
    3.3.1 Organizational Security Policies Same as Those in Protection Profile ... 27
4 Security Objectives ... 28
  4.1 TOE Security Objectives ... 28
    4.1.1 TOE Security Objectives Same as Those for Protection Profile ... 28
    4.1.2 Security Objectives for Author-augmented TOE ... 29
  4.2 Security Objectives for the Environment ... 29
    4.2.1 Security Objective for Environment Same as Those in Protection Profile ... 29
    4.2.2 Security Objectives for Author-augmented Environment ... 30
5 IT Security Requirements ... 32
  5.1 TSF Requirements ... 32
    5.1.1 Reused Security Functional Requirements (SFR) in Protection Profile ... 33
    5.1.2 Author-augmented Security Functional Requirements (SFR) ... 62
    5.1.3 Deleted Security Functional Requirements (SFR) ... 63
  5.2 TOE Security Assurance Requirements ... 64
    5.2.1 Configuration Management ... 65
    5.2.2 Delivery and Operation ... 66
    5.2.3 Development ... 67
    5.2.4 Guidance Documents ... 71
    5.2.5 Life Cycle Support ... 72
    5.2.6 Tests ... 74
    5.2.7 Vulnerability Assessment ... 76
  5.3 Requirements for IT Environments ... 79
6 TOE Summary Specification ... 81
  6.1 Assurance Measures ... 81
  6.2 TOE Security Function ... 82
    6.2.1 Security Audit (FAU) ... 82
    6.2.2 Cryptographic Support (FCS) ... 88
    6.2.3 User Data Protection (FDP) ... 91
    6.2.5 Security Management (FMT) ... 99
    6.2.6 TSF Protection (FPT) ... 111
    6.2.7 TOE Access (FTA) ... 112
    6.2.8 Trusted Path/Channel (FTP) ... 113
    6.2.9 Privacy (FPR) ... 114
7 Protection Profile Claims ... 116
  7.1 Protection Profile Reference ... 116
  7.2 Protection Profile Tailoring ... 116
    7.2.1 [FW_PP_V1.1] Tailoring ... 116
    7.2.2 [VPN_PP_V1.1] Tailoring ... 118
  7.3 Protection Profile Augmentation ... 119
    7.3.1 Security Requirements Augmentation for Protection Profile ... 119
    7.3.2 Protection Profile Threats and Purpose Augmentation ... 119
8 Rationale ... 121
  8.1 Security Objectives Rationale ... 121
    8.1.1 Security Objectives Rationale for TOE Security Function Purpose Same as Those in Protection Profile ... 121
    8.1.2 Security Objectives Rationale for Environment Same as Protection Profile ... 123
    8.1.3 Author Augmented Security Objectives Rationale ... 125
  8.2 Rationale for Security Functional Requirements ... 126
    8.2.1 Rationale for Security Functional Requirements Same as Those in Protection Profile ... 126
    8.2.2 Author-augmented Rationale for Security Functional Requirements ... 134
    8.2.3 Rationale for IT Environment Requirements ... 135
  8.3 Rationale for Security Assurance Requirements ... 136
  8.4 Rationale for Functional Requirements SOF (Strength of Function) ... 137
  8.5 Rationale for TOE Summary ... 138
  8.6 Compliance with TSF SOF (Strength of Function) ... 147
  8.7 Compliance with TOE Security Assurance Requirements ... 148
  8.8 Rationale for Satisfaction with Dependencies ... 151

1 Security Target Introduction

This chapter aims to identify the Security Target and accurately describe typographic conventions and terms. The Target of Evaluation (TOE) is VForce 1700 V1.0 S/W of NexG, which controls information flow between networks and encrypts traffic transmitted to/from trusted networks. VForce 1700 V1.0 is a hardware device with a firewall and a Virtual Private Network built in.
VForce 1700 V1.0 is a gateway-type machine that configures a firewall, which controls network access using packet filtering, and a VPN through IP Security (IPSec). The VPN gateway encrypts/decrypts traffic through the Security Association (SA) with its counterpart (VPN gateway). The TOE refers to a series of functions including the major functions of the firewall and the VPN system built into VForce 1700 V1.0 S/W and supplementary network functions such as security management, audit recording, identification and authentication, routing, and DHCP. The TOE decides whether to allow, drop, or reject unencrypted traffic on the networks specified by the security administrator using the firewall (packet filtering), and processes encrypted traffic in compliance with the pre-defined VPN security policy. To execute these functions, the TOE is installed and operated at the endpoint of the network.

This Security Target for the TOE is organized as follows:
- Chapter 1 introduces the Security Target and defines terms.
- Chapter 2 describes the TOE and defines the scope and boundary of the TOE.
- Chapter 3 describes the TOE security environment.
- Chapter 4 describes the TOE security objectives.
- Chapter 5 describes IT security requirements.
- Chapter 6 describes the TOE summary specification.
- Chapter 7 describes protection profile claims.
- Chapter 8 provides the rationale for the Security Target.

1.1 Security Target Identification

The Security Target, the TOE, and the Common Criteria for the information protection system shall be identified as follows:

Label | Description
Security Target Title | VForce 1700 V1.0 Security Target V1.1
Common Criteria Identification | Common Criteria for Information Protection System (Announcement No.
2005-25 by Ministry of Information and Communication)
Prepared by | Security and Authentication Team of NexG
Creation Date | March 30, 2006
Related Protection Profile | VPN Protection Profile V1.1 for Government Agency (April 30, 2003); Firewall Protection Profile V1.1 for Government Agency (April 30, 2003)
TOE Identification | VForce 1700 V1.0
Terms | VPN, Integrity, Confidentiality, Identification and Authentication, Encryption, IKE, IPSec, VPN, Access Control, Information Flow Control, Firewall
Criteria | Common Criteria (CC) V2.3

1.2 Identifying Security Target and TOE

The TOE provides a security function which controls information flow for secure information transmission between trusted networks connected to a public network in a physically safe environment. The security function provided by the TOE has an SOF-medium as defined in the protection profile.

1.3 Typographic Conventions

This Security Target uses English words for clearer meaning of abbreviations and terms. Notations, forms, and typographic conventions conform to the Common Criteria for information protection systems and protection profiles for government agencies.

1.3.1 Iteration
Iteration is used when the same component is used repeatedly for multiple operations. The result of the Iteration operation is indicated by the iteration number within parentheses, (repeat number), following the component identifier.

1.3.2 Selection
Selection is used to select one or more options provided by the Common Criteria for the information protection system. The result of the Selection operation is indicated in underlined italicized characters.

1.3.3 Refinement
Refinement is used to further restrict any requirement by adding details to the requirement. The result of the Refinement operation is indicated in bold characters.

1.3.4 Assignment
Assignment is used to allocate a specific value to an unspecified parameter (example: password length). The result of the Assignment operation is indicated by square brackets, [Assignment_Value].
1.3.5 Security Target Author
The Security Target author is used to indicate that final decisions related to attributes have been made by the Security Target author. The Security Target author is indicated by braces, {Decided by Security Target Author}. All security functional requirements not completely executed in the protection profile shall be completed by the Security Target Author.

1.3.6 Application Note
An application note clarifies the meaning of a requirement, provides information on options upon implementation, and warns of items that require special attention when "conformity/non-conformity" of the requirement is defined. An application note may be provided with the corresponding requirement, if necessary.

1.4 Terms and Definitions

Terms included in this Security Target that overlap those in the Common Criteria for information protection systems and protection profiles for the government agencies shall supersede the others.

1.4.1 Object
An entity within the TSF Scope of Control (TSC) that contains or receives information and upon which subjects perform operations.

1.4.2 Attack Potential
The perceived potential for success of an attack, should an attack be launched, expressed in terms of an attacker's expertise, resources, and motivation.

1.4.3 Strength of Function (SOF)
The qualification of a TOE security function expressing the minimum effort assumed necessary to defeat its expected security behavior by directly attacking its underlying security mechanisms.

1.4.4 SOF-medium
A level of the TOE Strength of Function where analysis shows that the function provides adequate protection against straightforward or intentional breach of TOE security function by attackers possessing a moderate attack potential.

1.4.5 Iteration
One of the operations defined in the Common Criteria for the information protection system. A component is used more than once in a variety of operations.
1.4.6 Security Target (ST)
A set of security requirements and functional specifications to be used as a basis for TOE evaluation.

1.4.7 Protection Profile (PP)
An implementation-independent set of security requirements for a category of TOEs that meet specific consumer needs.

1.4.8 Human User
Any person who interacts with the TOE.

1.4.9 User
Any entity (human user or external IT entity) outside the TOE that interacts with the TOE.

1.4.10 Selection
One of the operations defined in the Common Criteria for the information protection system. One or more items are specified from a list in a component.

1.4.11 Identity
A representation uniquely identifying an authorized user.

1.4.12 Element
An indivisible security requirement.

1.4.13 Role
A predefined set of rules establishing allowed interactions between a user and the TOE (example: User, Administrator).

1.4.14 Operation
An operation ensures that a component can respond to a certain threat in the Common Criteria for the information protection system or satisfy a certain security policy (example: Iteration, Assignment, Selection, or Refinement).

1.4.15 Threat Agent
Any unauthorized user or external IT entity which threatens to access, alter, or delete assets.

1.4.16 External IT Entity
Any IT product or system, untrusted or trusted, outside of the TOE that interacts with the TOE.

1.4.17 Authorized Administrator
An authorized user who securely operates and manages the Firewall and the VPN system according to the TOE Security Policy (TSP).

1.4.18 Authorized User
A user who can execute TSP functions according to the TSP.

1.4.19 Authorized General User
A user, other than an authorized administrator, who can execute TSP functions according to the TSP.

1.4.20 Authentication Data
Information used to verify the claimed identity of a user.

1.4.21 Assets
Information or resources to be protected by TOE countermeasures.

1.4.22 Refinement
One of the operations defined in the Common Criteria for the information protection system whereby additional details are added to a requirement; the addition of details to a component.
1.4.23 Common Criteria for Information Protection System
The Common Criteria published on May 21, 2005 by the Minister of Information and Communication. It is the Korean translation of Common Criteria (CC) version 2.3, which is based on the criteria of many countries and has been developed based on a common language and common understanding.

1.4.24 Organization Security Policies
One or more security rules, procedures, practices, or guidelines imposed by an organization upon its operations.

1.4.25 Dependency
A relationship between requirements such that the requirement depended upon must normally be satisfied for the other requirements to be able to meet their objectives.

1.4.26 Subject
An entity within the TSC that causes operations to be performed.

1.4.27 Augmentation
The addition of one or more assurance components to an EAL or assurance package.

1.4.28 Component
The smallest selectable set of elements that may be included in a protection profile or Security Target.

1.4.29 Class
A grouping of families that share a common focus in the Common Criteria for the information protection system.

1.4.30 Target of Evaluation (TOE)
An IT product or system and its associated guidance documentation that is the subject of an evaluation.

1.4.31 EAL
A package consisting of assurance components that represents a point on the predefined assurance scale in the Common Criteria for the information protection system.

1.4.32 Family
A group of components that share security objectives but may differ in emphasis or rigor.

1.4.33 Assignment
The specification of an identified parameter in a component.

1.4.34 Extension
The addition of functional requirements to an ST or PP not contained in Part 2 of the Common Criteria for the information protection system, or of security assurance requirements not contained in Part 3 of the Common Criteria for the information protection system.

1.4.35 Perfect Forward Secrecy (PFS)
When a security tunnel is created between networks to form a VPN, the Diffie-Hellman algorithm is used.
At this time, IKE, a key exchange protocol, supports PFS. Rather than reusing created keys instead of generating additional keys, PFS selects the Diffie-Hellman algorithm and generates keys that cannot be reused.

1.4.36 TCP Maximum Segment Size (TCP MSS)
The largest segment size is determined in the first SYN packet of the TCP session, and the packet sizes for the subsequent sessions are determined later.

1.4.37 TOE Security Function (TSF)
A set of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the TSP.

1.4.38 TOE Security Policy (TSP)
A set of rules that regulate how assets are managed, protected, and distributed within a TOE.

1.4.39 TSF Data
Data created by and for the TOE that might affect the operation of the TOE.

1.4.40 TSF Scope of Control (TSC)
The set of interactions that can occur with or within a TOE and are subject to the rules of the TSP.

1.4.41 VPN_PP_V1.1 (Virtual Private Network Protection Profile for Government V1.1)
VPN Protection Profile V1.1 for the government agency.

1.4.42 FW_PP_V1.1 (Firewall Protection Profile for Government V1.1)
Firewall Protection Profile for Government V1.1.

1.5 Common Criteria Conformance

This Security Target complies with the following:
- VPN Protection Profile for Government Agency V1.1, April 30, 2003 [VPN_PP_V1.1]
- Firewall Protection Profile for Government Agency V1.1, April 30, 2003 [FW_PP_V1.1]
- Common Criteria for the information protection system (Notice 2005-25 by Ministry of Information and Communication, May 21, 2005) [1]
- Common Criteria (CC) V2.3

The TOE described by this Security Target fully complies with the functional requirements and the security assurance requirements specified in Parts 2 and 3 of the Common Criteria for the information protection system, with VPN Protection Profile for Government Agency V1.1 [VPN_PP_V1.1], which defines minimum requirements for an information protection system for a government agency, and with Firewall Protection Profile for Government Agency V1.1 [FW_PP_V1.1]. The assurance level of the TOE is EAL 3+ approved by the certificate authority (in Korea).
The following is an extended security function component of Part 2 of the Common Criteria with which the TOE complies:
- FPT_TST.2 Response to the TSF data integrity error

The following security function components have been added to VPN Protection Profile for Government Agency V1.1 [VPN_PP_V1.1] and Firewall Protection Profile for Government Agency V1.1 [FW_PP_V1.1] with which the TOE complies:
- FPR_PSE.1 Pseudonymity
- FPR_UNO.4 Authorized user observability

The following security function component has been added from Common Criteria (CC) V2.3 with which the TOE complies:
- FMT_SMF.1 Specification of Management Functions

The following assurance level components have been added to EAL3 in Part 3 of the Common Criteria with which the TOE complies:
- ADV_IMP.2 Implementation of the TSF
- ADV_LLD.1 Modularity
- ALC_TAT.1 Well-defined development tools
- ATE_DPT.2 Testing: low-level design
- AVA_VLA.2 Independent vulnerability analysis

2 TOE Description

The TOE is VForce 1700 V1.0 S/W running on VForce 1700 hardware, together with the external log server S/W (NexG Log Server). VForce 1700 V1.0 S/W provides both a firewall, with a strong access control function using packet filtering and a proxy to protect the underlying structure of the boundary and core networks of the user, and a VPN, which secures the connection between two networks. The TOE is a security product which is equipped with a core engine integrating a kernel and security software, and is configured using its own operating system.

[Figure 2-1] TOE Operating Environment

As shown in [Figure 2-1], the TOE can operate as a VPN or a Firewall. The security policy of TOEa protects Network A from the non-secure Internet. Network B establishes a trusted communication channel between TOEb and TOEc of Network C and imposes an encryption policy for the transmitted data. To allow non-secure communication (without data encryption), Network B and Network C can implement a security policy that allows only authorized users or authorized network traffic.
In other words, Network B and Network C may conduct secure communication (using encryption), but they can also conduct non-secure communication (without encryption) by allowing transmission of only authorized data. A user on the Internet may need to be authorized by the gateway policy before being allowed to access the network through HTTP, TELNET, FTP, or other applications, and only during certain times.

The TOE is an access control system that controls network access based on the header data of the TCP/IPv4 packet. To control access to the network, the TOE is installed at the endpoint of the network as shown in [Figure 2-1] and becomes the only access point to the Internet for the network which the TOE protects. Each packet passing through the TOE or arriving at the TOE is subject to the security policy of the TOE, in compliance with the packet-filtering security policy defined by the administrator. Security policies of the TOE include Accept, Drop, and Reject. For the allowed packets, the TOE may apply a NAT (Network Address Translation) policy or use a proxy. The TOE has a trusted external DBMS to store, maintain, and manage audit records occurring during the execution of the TSF in a secure way.

2.1 Summary of Security Functions

The TOE (VForce 1700 V1.0) integrates a Firewall and a VPN; both run on the machine and the OS (VOS v3.0) developed by NexG. The TOE supports packet filtering, Network Address Translation (NAT), and proxy, and ensures secure communication by transmitting encrypted data through an IPSec-based virtual tunnel. The TOE provides the following security functions:
- Security management
- Packet-filtering access control
- VPN
- NAT
- Support service
- Proxy (user authentication and mandatory access control)
- Audit records
- Identification and authentication

2.1.1 Security Management
The security management function allows the authorized administrators to manage security conditions through web or console interfaces.
When the administrator manages security through the console, the TOE provides administrator commands using the Wizard so that the administrator can set up the network with an IP address that is the same as the one used when the TOE was first installed in the network. For security management through console and web interfaces, the TOE first identifies and authenticates the administrator. The authorized administrator can communicate with the TOE using a web browser in the form of SSL communication through the HTTPS protocol.

2.1.2 Packet-filtering Access Control
The packet-filtering access control function controls packet traffic according to the security policy predefined by the administrator. Based on the packet-filtering security policy, the TOE accepts, drops, or rejects packet traffic at layer 3.

2.1.3 VPN (IPSec)
The TOE supports the VPN using IPSec. The TOE and the counterparty generate a Security Association (SA) using IKE and encrypt packet traffic between the networks of the two VPNs equipped with the TOE for data integrity.

2.1.4 Support Service
When the TOE supports VPN, the support service function encrypts the data transmitted between trusted networks by IPSec tunneling. To establish a tunnel, the TOE provides functions to create, distribute, or destroy keys based on pre-shared keys and RSA certificates. The TOE can issue a certificate using a built-in CA or request an external CA to issue a certificate, and can upload a certificate. To ensure the integrity of the execution files that provide security functions and of the security function configuration data, the TOE can conduct an abstract machine test and a file integrity test, and monitor the security function execution status. In addition, the TOE provides a time management function and network services such as DHCP, static routing, and ARP table.

2.1.5 Proxy
The proxy identifies and authenticates users for popular Internet applications such as HTTP, TELNET, and FTP so that only authorized users can access the services. The proxy uses HTTP authentication or SOCKS5 authentication.
When a user accesses a proxy network defined by the administrator, a Strength of Function will be given to the user, and the user's access to the network will be controlled according to that Strength of Function.

2.1.6 Audit Records
The audit record function stores audit records on a storage medium upon event occurrence. Audit records are divided into real-time and non-real-time audit records. Non-real-time audit records are stored on separate external storage media, and the administrator can check the records and calculate statistics using a separate external log server.

2.1.7 Identification and Authentication
The identification and authentication function authenticates administrators and general users using the internal user management database of the TOE. Authentication mechanisms include the password mechanism and the One-Time Password (OTP) mechanism.

2.1.8 TOE Access and Privacy
All user and administrator sessions accessing the TOE are controlled by session locking and termination. To protect the privacy of the data passing through the TOE, the TOE translates source and destination IP addresses.

2.2 TOE Scope and Boundary

2.2.1 Physical Boundary
The TOE (VForce 1700 V1.0) consists of the S/W (VForce 1700 V1.0 S/W) and the external log server software. The S/W of the TOE includes the firewall and the VPN functions, and the external log server software (NexG Log Server) stores and manages audit logs. The software of the TOE runs on VForce-series hardware, and the external log server functions on an external machine.

The software of VForce 1700 is controlled by VOS, its own operating system, which is stored in flash memory and interacts with the hardware system. For availability and functional performance, VForce 1700 operates only with VOS.

Basic components of the hardware where the software of the TOE operates include CPU, memory, network port, serial port, LED, and a case. The serial port connects to an external terminal. The administrator can manage the TOE through the administrator console CLI.
Five network interfaces are provided to connect external networks and internal networks, and these network interfaces are physically separated so that packets not allowed by the TSP cannot pass through these interfaces. The LED helps the operator quickly check the operational status of VForce 1700 and the status of each network interface.

VOS and hardware are excluded from the TOE. The following table shows the hardware and software platform of the TOE.

[Table 2-1] Hardware/Software Platform
Product | VForce 1700 v1.0 S/W | NexG Log Server
Hardware | CPU: VIA C3 1.2 GHz; RAM: 128 MB; Flash Memory: 64 MB (Firmware, Configuration DB); Port: Network interface - 5 Port (10/100 Base T), Management interface - 1 Serial, 1 AUX Port | CPU: P4 2.0 GHz or higher; RAM: 256 MB or more; HDD: 18 GB or more; Port: 2 Local NIC
Security Management | Microsoft Windows 2000 Professional/XP - Internet Explorer 6.0 SP2 or higher; Console - Pentium 3, 128 MB memory or more
Operating System | VOS v3.0 | RedHat 7.0 or higher

2.2.2 Logical Boundary
The TOE consists of the logical structure shown in [Figure 2-2].

[Figure 2-2] TOE Logical Boundary (subsystems shown: Identification/Authentication, Log Server, Security Management, Support Service, Gateway, Kernel Engine, and Security Audit; the NexG Log Server is drawn outside the VForce unit)

2.2.2.1 Security Audit
The TOE provides access control audit records and system audit records. The access control audit records are related to access control and information flow control defined by the administrator, while system audit records are related to changes in configuration, administrator's login, network connection status, or other events outside of access control. Both types of audit records include priorities. When an event crossing the threshold set by the administrator occurs, an alarm will notify the administrator.
The TOE has a separate space to store both types of audit records in memory so that the administrator can search audit records in real time. The TOE also sends all audit records to an external audit record server where the administrator can check all accumulated audit records, although that search is not in real time.

2.2.2.2 Cryptographic Support
For data encryption and secure communication, the TOE provides functions to generate, distribute, or revoke secret keys as well as functions related to cryptographic operations. The TOE ensures confidentiality and integrity of the packets transmitted at the IP protocol layer using the IPSec tunnel-based cryptographic function. The TOE also performs both authentication and encryption in the key exchange stage to protect transmitted data using the highly reliable IPSec encryption method.

2.2.2.3 User Data Protection
The TOE basically denies traffic flow in all directions. Only traffic that passes through the TOE is controlled by the security policy predefined by the administrator. The access control and information flow control policy defines the information flow between two nodes in different sub-networks connected through certain interfaces. For example, an internal user would be authenticated and allowed to access a network. In this case, the user is subject to the network access control and information flow policy. The TOE protects the user data by controlling discretionary user access as well as imposing a mandatory access control based on the user's Strength of Function and the Strength of Function of the network object that the user tries to access.

2.2.2.4 Security Management
The TOE allows only the authorized administrator to generate, modify, or delete security attributes or TSF data and to start up, terminate, or restart the TSF. The TOE provides CLI and web user interfaces for the administrator. The TOE does not include the web browser that supports the SSL used by the administrator to access the interface.
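As an added illustration of the packet-filtering policy described in 2.1.2 and 2.2.2.3 (default deny in all directions, administrator-defined rules evaluated against IPv4/TCP header fields, the three verdicts Accept, Drop and Reject, and NAT applied to accepted traffic as in 2.2.2.9), the following Python model is example code written for this page, not VForce or NexG code; the rule set, interface names and addresses are constructed.

```python
"""Illustrative packet-filter policy evaluator (added example; not NexG/VForce code).

Models the behaviour described in the Security Target: default deny in all
directions, administrator-defined rules evaluated in order against the
TCP/IPv4 header fields, and three possible verdicts (Accept, Drop, Reject).
Rule names, field names and the sample packets are constructed for this example.
"""
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional

ACCEPT, DROP, REJECT = "accept", "drop", "reject"


@dataclass
class Packet:
    """The header fields the filter inspects (IPv4 header plus TCP/UDP port)."""
    in_if: str                     # interface the packet arrived on, e.g. "eth0"
    proto: str                     # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None    # None for ICMP


@dataclass
class Rule:
    action: str
    in_if: Optional[str] = None                 # None matches any interface
    proto: Optional[str] = None                 # None matches any protocol
    src: IPv4Network = ip_network("0.0.0.0/0")
    dst: IPv4Network = ip_network("0.0.0.0/0")
    dports: Optional[range] = None              # None matches any port
    snat: Optional[str] = None                  # source NAT applied on accept

    def matches(self, p: Packet) -> bool:
        return (
            (self.in_if is None or self.in_if == p.in_if)
            and (self.proto is None or self.proto == p.proto)
            and ip_address(p.src) in self.src
            and ip_address(p.dst) in self.dst
            and (self.dports is None
                 or (p.dport is not None and p.dport in self.dports))
        )


@dataclass
class Verdict:
    action: str
    rule_index: Optional[int]             # None when the default deny applied
    reply: Optional[str] = None           # what is sent back to the sender on REJECT
    translated_src: Optional[str] = None  # source address after NAT on ACCEPT


@dataclass
class PacketFilter:
    rules: List[Rule] = field(default_factory=list)
    default_action: str = DROP   # "basically denies traffic flow in all directions"

    def evaluate(self, p: Packet) -> Verdict:
        """First matching rule wins; no match falls through to the default deny."""
        for i, rule in enumerate(self.rules):
            if not rule.matches(p):
                continue
            if rule.action == REJECT:
                # Reject differs from Drop only in that the sender is notified.
                reply = "tcp-rst" if p.proto == "tcp" else "icmp-port-unreachable"
                return Verdict(REJECT, i, reply=reply)
            if rule.action == ACCEPT:
                return Verdict(ACCEPT, i, translated_src=rule.snat or p.src)
            return Verdict(DROP, i)
        return Verdict(self.default_action, None)


def example_policy() -> PacketFilter:
    """Constructed policy: the internal LAN may browse outward (source-NATed),
    the Internet may reach only the DMZ web server, telnet from outside is rejected."""
    internal, dmz = ip_network("10.1.0.0/16"), ip_network("192.0.2.0/24")
    return PacketFilter(rules=[
        Rule(ACCEPT, in_if="eth1", proto="tcp", src=internal,
             dports=range(80, 81), snat="198.51.100.1"),
        Rule(ACCEPT, in_if="eth1", proto="tcp", src=internal,
             dports=range(443, 444), snat="198.51.100.1"),
        Rule(REJECT, in_if="eth0", proto="tcp", dports=range(23, 24)),
        Rule(ACCEPT, in_if="eth0", proto="tcp", dst=dmz, dports=range(80, 81)),
    ])


if __name__ == "__main__":
    pf = example_policy()
    for pkt in (Packet("eth1", "tcp", "10.1.5.7", "203.0.113.9", 443),
                Packet("eth0", "tcp", "203.0.113.9", "192.0.2.10", 23),
                Packet("eth0", "tcp", "203.0.113.9", "10.1.5.7", 80)):
        print(pkt, "->", pf.evaluate(pkt))
```

The third sample packet (Internet host addressing an internal address directly) matches no rule and is silently dropped by the default policy, which is the behaviour the Security Target requires before any administrator rule is written.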
2.2.2.5 Identification and Authentication

In the TOE, the administrator, proxy users, and ADSL connection account users are divided into administrator and users. Every administrator or user is created and managed as a user object, and is mapped to a user group object with a Strength of Function and proxy information being registered. All administrators and users are identified and authenticated using IDs and passwords, which are stored in the user management database of the TOE.

2.2.2.6 TSF Protection

The TOE includes the minimum interfaces required for execution of the TSF in hardware and software, and no other interfaces that may hinder execution of the TSF are provided. To execute the TSF, the TOE monitors the status of the security function daemons and conducts an integrity test on every file.

2.2.2.7 Trusted Path/Channel

The TOE provides a trusted path for the administrator to access the network using the SSL protocol. For secured access, the SSL protocol generates a secret key and maintains an encrypted connection.

2.2.2.8 TOE Access

The TOE manages access sessions of administrators and users. If the administrator or user remains idle for a given period of time, the TOE performs session locking.

2.2.2.9 Privacy

The TOE translates source and destination IP addresses of the data passing through the TOE to protect user and server information.

3 TOE Security Environment

This chapter defines the security threats and organizational security policies related to the TOE. The TOE provides a proper level of protection for an IT environment that requires strong control of information flow on the network. The TOE does not respond to a physical attack that may damage the TOE or violate a security function (including suspension and bypass of security functions). Rather, the TOE is installed at the single point of connection of the network in a physically safe condition as specified in the assumptions, and provides security functions to protect a network connected to the TOE from all attacks.
The TOE has been designed to be most suitable for the security environment defined in the Firewall for the government agency [FW_PP_V1.1] and the VPN system protection profile [VPN_PP_V1.1].

3.1 Assumptions

3.1.1 Assumptions Same as Those for Protection Profile

The following describes the assumptions that are the same as those for [FW_PP_V1.1] and [VPN_PP_V1.1]:

3.1.1.1 A.PhysicalSecurity ([FW_PP_V1.1]/[VPN_PP_V1.1])

The TOE is installed in a physically safe environment accessible only by authorized administrators.

Application Notes: The security policy for government agency computing equipment allows only the VPN client administrator (or authorized user) to access the VPN client.*

* This Security Target does not support any VPN client.

3.1.1.2 A.SecurityMaintenance ([FW_PP_V1.1])

Upon changes in the network such as configuration changes, increase or decrease of hosts, and service increase/decrease, the new environment and the new security policy shall be immediately reflected in the TOE operation policy to provide a consistent level of security.

3.1.1.3 A.TrustedAdministrator ([FW_PP_V1.1]/[VPN_PP_V1.1])

The authorized administrator of the TOE shall not have any malicious intention, shall receive proper training on TOE management, and shall follow the administrator guidelines.

3.1.1.4 A.OperatingSystemReinforcement ([FW_PP_V1.1]/[VPN_PP_V1.1])

Unnecessary services or means shall be removed from the operating system, and security shall be enhanced to better protect against vulnerabilities in the operating system, thereby ensuring its reliability and stability. ([VPN_PP_V1.1] - In the case of a VPN client, the sub operating system of the TOE is secure and reliable.*)

* This Security Target does not support a VPN client.

3.1.1.5 A.SinglePointofConnection ([FW_PP_V1.1])

All external networks and internal networks communicate with each other only through the TOE.

3.1.1.6 A.SecurityPolicy ([VPN_PP_V1.1])

The TOE and its counterpart must use interchangeable security policies that share the same main security policy, with only minor differences.
3.1.2 Assumptions for Author-augmented TOE

3.1.2.1 A.TrustedServer

Trusted servers are installed outside the TOE for maximum TOE performance. Such servers include the Network Time Protocol (NTP) server for reliable time management and the remote security management system.

3.1.2.2 A.TrustedChannel

The communication data between the TOE and the administrator is transmitted through a secure channel established by OpenSSL, and the certificate for OpenSSL is managed in a secure manner.

3.1.2.3 A.TrustedStorage

Audit records related to the TOE are stored, and the storage is maintained and operated in a secure manner.

3.2 Threats

This Security Target classifies and defines the security threats that an external threat agent may pose against the assets protected by the TOE.

Major assets that the TOE protects include computer resources of the internal network and network services. External threat sources illegally access computer resources of the organization or undermine the availability of those resources.

The threat agent is usually a computer user or an external IT entity accessing the internal computer. The threat agent usually possesses a low level of knowledge, resources, and motivation, and is assumed to have a low likelihood of exploiting vulnerabilities. The threat agent can attack obvious vulnerabilities and can easily obtain information about vulnerabilities in the operating system and applications, and attack tools, through the Internet in order to damage computer resources and acquire information without authorization. The TOE protects the assets against threats that exploit such obvious vulnerabilities.

3.2.1 Threats Same as Those In Protection Profile

The following are the threats against the TOE as defined in [FW_PP_V1.1] and [VPN_PP_V1.1].

3.2.1.1 T.Impersonation (Firewall System / [FW_PP_V1.1])

The threat agent may pretend to be an authorized user or counterpart in order to access the TOE.

3.2.1.2 T.FlawCode ([FW_PP_V1.1]/[VPN_PP_V1.1])

The developer may include code that is not executed in some specifications and may have security flaws.
3.2.1.3 T.StoringFailure ([FW_PP_V1.1]/[VPN_PP_V1.1])

When storage is full, security-related events of the TOE may not be stored.

3.2.1.4 T.UnauthorizedInformationInflow ([FW_PP_V1.1])

Unauthorized information may flow into the internal network.

3.2.1.5 T.UnauthorizedInformationOutflow ([FW_PP_V1.1])

An internal user can send information out of the network without authorization.

3.2.1.6 T.NewAttack ([FW_PP_V1.1])

The threat agent can launch attacks against the TOE operating environment or newly found vulnerabilities of the TOE.

3.2.1.7 T.ContinuedAuthenticationAttempts ([FW_PP_V1.1]/[VPN_PP_V1.1])

The threat agent can access the TOE after continued access attempts.

3.2.1.8 T.Bypassing ([FW_PP_V1.1]/[VPN_PP_V1.1])

The threat agent can access the TOE by bypassing the TOE security functions.

3.2.1.9 T.ReplayAttack ([FW_PP_V1.1]/[VPN_PP_V1.1])

The threat agent can access the TOE by replaying the authentication data of an authorized user.

3.2.1.10 T.StoredDataDamage ([FW_PP_V1.1]/[VPN_PP_V1.1])

The TSF data stored in the TOE may be exposed, changed, or deleted without authorization.

3.2.1.11 T.IPAddressSpoofing ([FW_PP_V1.1])

A threat agent in an external network may try to access the internal network by spoofing the source IP address as an internal IP address.

3.2.1.12 T.Abuse ([VPN_PP_V1.1])

An authorized user of the TOE may damage the TSF intentionally or for other reasons.

3.2.1.13 T.Decoding ([VPN_PP_V1.1])

The threat agent may decode the data and access data without authorization.

3.2.1.14 T.TransmissionIntegrity ([VPN_PP_V1.1])

The threat agent may alter the data transmitted on the network without authorization.

3.2.2 Threats against Author-augmented TOE

3.2.2.1 T.Privacy

When an IP address of the internal network becomes known on a non-secure network, an attacker may access the internal network without authorization.
3.2.3 Threats against TOE Operating Environment Same as Protection Profile

The following are the threats against the TOE operating environment that are the same as those in [FW_PP_V1.1] and [VPN_PP_V1.1]:

3.2.3.1 TE.PoorManagement ([FW_PP_V1.1]/[VPN_PP_V1.1])

The TOE may be configured, operated, and used by an authorized administrator in a non-secure way.

3.2.3.2 TE.DeliveryandInstallation ([FW_PP_V1.1]/[VPN_PP_V1.1])

Security breaches may occur in the TOE during delivery and installation.

3.3 Organizational Security Policies

3.3.1 Organizational Security Policies Same as Those in Protection Profile

The following shows the organizational security policies that are the same as those in [FW_PP_V1.1] and [VPN_PP_V1.1]:

3.3.1.1 P.Audit ([FW_PP_V1.1]/[VPN_PP_V1.1])

To trace responsibility for all security-related behaviors, all security-related events shall be stored, maintained, and reviewed.

3.3.1.2 P.TrustedManagement ([FW_PP_V1.1]/[VPN_PP_V1.1])

The authorized administrator shall manage the TOE in a secure manner.

3.3.1.3 P.Confidentiality ([VPN_PP_V1.1])

If the network traffic transmitted to/from the counterpart of the TOE is specified in the TOE security policy, the traffic shall be encrypted or decrypted by the TOE.

3.3.1.4 P.Cryptographic ([VPN_PP_V1.1])

The cryptographic algorithm and module used in the TOE must be approved by the Director of the National Intelligence Service.

3.3.1.5 P.PlainTextTransmission ([VPN_PP_V1.1])

All network traffic other than that transmitted to/from the counterpart of the TOE is allowed to be transmitted without encryption/decryption, according to the TOE security policy.

4 Security Objectives

4.1 TOE Security Objectives

4.1.1 TOE Security Objectives Same as Those for Protection Profile

The following describes the TOE security objectives that are the same as those in [FW_PP_V1.1] and [VPN_PP_V1.1].
4.1.1.1 O.Audit ([FW_PP_V1.1]/[VPN_PP_V1.1])

The TOE shall store and maintain security-related events to trace responsibility for security-related behaviors, and shall provide a means for the administrator to review the stored data.

4.1.1.2 O.FlowCodeInspection ([FW_PP_V1.1]/[VPN_PP_V1.1])

All code created by the developer shall be inspected for flaws, and code with flaws shall be inspected for its effect on internal elements of the TOE.

4.1.1.3 O.Management ([FW_PP_V1.1]/[VPN_PP_V1.1])

The TOE shall provide a means for an authorized administrator of the TOE to efficiently manage the TOE.

4.1.1.4 O.DataProtection ([FW_PP_V1.1]/[VPN_PP_V1.1])

The TOE shall protect the TSF data stored in the TOE and data transmitted on the network from unauthorized exposure, change, or deletion.

4.1.1.5 O.IdentificationandAuthentication ([FW_PP_V1.1]/[VPN_PP_V1.1])

The TOE shall identify and authenticate the user before allowing the user to access the TOE. Before tunneling with the counterpart, the TOE shall authenticate the counterpart.

4.1.1.6 O.SelfFunctionProtection ([FW_PP_V1.1]/[VPN_PP_V1.1])

The TOE shall protect itself from changes, deactivation, and bypassing of the security functions.

4.1.1.7 O.AccessControl ([FW_PP_V1.1])

The TOE shall control access to internal and external networks according to the security policy.

4.1.1.8 O.InformationFlowControl ([FW_PP_V1.1])

The TOE shall control unauthorized information inflow and outflow.

4.1.1.9 O.Confidentiality ([VPN_PP_V1.1])

The TOE shall guarantee the confidentiality of the data transmitted on the network.

4.1.1.10 O.InformationFlowMediation ([VPN_PP_V1.1])

The TOE shall mediate information flows between the TOE and its counterpart according to the security policy.

4.1.1.11 O.KeySecurity ([VPN_PP_V1.1])

The TOE shall guarantee confidentiality and integrity of the cryptographic key data and secure key exchanges.

4.1.2 Security Objectives for Author-augmented TOE

4.1.2.1 O.Privacy

The TOE shall prevent external users from predicting the IP addresses of internal users.
4.2 Security Objectives for the Environment

4.2.1 Security Objectives for Environment Same as Those in Protection Profile

The following describes the security objectives for the environment that are the same as those in [FW_PP_V1.1] and [VPN_PP_V1.1]:

4.2.1.1 OE.PhysicalSecurity ([FW_PP_V1.1]/[VPN_PP_V1.1])

The TOE shall be located in a physically safe environment where only an authorized administrator can access it.

4.2.1.2 OE.SecurityMaintenance ([FW_PP_V1.1])

Upon changes in the network such as configuration changes, increase or decrease of hosts, and service increase/decrease, the new environment and the new security policy shall be immediately reflected in the TOE operation policy to provide a consistent level of security.

4.2.1.3 OE.TrustedAdministrator ([FW_PP_V1.1]/[VPN_PP_V1.1])

The authorized administrator of the TOE shall not have any malicious intentions, shall receive proper training on TOE management, and shall follow the administrator guidelines.

4.2.1.4 OE.TrustedManagement ([FW_PP_V1.1]/[VPN_PP_V1.1])

The TOE shall be distributed and installed in a secure manner, and must be configured, managed, and used by an authorized user in a secure manner.

4.2.1.5 OE.OperatingSystemReinforcement ([FW_PP_V1.1]/[VPN_PP_V1.1])

Unnecessary services or means are removed from the operating system, and security is enhanced to better protect against vulnerabilities in the operating system, thereby ensuring its reliability and stability.

4.2.1.6 OE.SinglePointofConnection ([FW_PP_V1.1])

All communication between an external network and an internal network shall be established through the TOE.

4.2.1.7 OE.SecurityPolicy ([VPN_PP_V1.1])

The TOE and its counterpart must use interchangeable security policies which share the main security policies, with only minor differences.

4.2.2 Security Objectives for Author-augmented Environment

4.2.2.1 OE.TrustedServer

All servers that communicate with the TOE are installed outside the TOE and shall be secure. The Network Time Protocol (NTP) server and the remote security management system maintain secure time.
4.2.2.2 OE.TrustedChannel

For secure communication between the TOE and the administrator, secure channels and certificate management functions are provided through the OpenSSL standard protocol.

4.2.2.3 OE.TrustedStorage

TOE-related audit records are stored, and the storage is maintained and operated in a secure manner. The storage provides the SQLite relational database.

5 IT Security Requirements

This chapter specifically describes the security functional and assurance requirements for the TOE. All requirements are the same as those in the protection profiles on which this Security Target is based. The author added some security functions that the TOE provides but that are not included in the protection profiles, by referring to the Common Criteria for the information protection system.

5.1 TSF Requirements

This section describes the security functional requirements (SFR):

- Security functional requirements that are the same as those in the protection profiles: This Security Target integrated and tailored the SFRs of two protection profiles ([VPN_PP_V1.1] and [FW_PP_V1.1]) and includes all SFRs of these two protection profiles.
- Security functional requirements added by the author: The author added some security functions that are not included in the protection profiles but are provided by the TOE, by referring to the Common Criteria for the information protection system.
- The SOF of the TOE is SOF-medium, according to the SOF of [VPN_PP_V1.1] and [FW_PP_V1.1] with which this Security Target complies. FIA_UAU.2 and FIA_UAU.4 satisfy SOF-medium as specified in the Common Criteria for the information protection system (Notice 2005-25 by the Ministry of Information and Communication) [1]. Moreover, the hash functions of FPT_TST.1 and FPT_TST.2 have SOF-high.

5.1.1 Reused Security Functional Requirements (SFR) in Protection Profile

The security functional requirements (SFR) to which this Security Target refers consist of the SFR components of two protection profiles.
The author added some SFRs that the TOE provides but that are not included in the two protection profiles, by referring to the Common Criteria for the information protection system.

[Table 5-1] Security functional requirements (SFR)

Security Function Class / Security Function Component / PP Identification*

Security Audit
  FAU_ARP.1   Security alarms                                        F / V
  FAU_GEN.1   Audit data generation                                  F / V
  FAU_SAA.1   Potential violation analysis                           F / V
  FAU_SAR.1   Audit review                                           F / V
  FAU_SAR.3   Selectable audit review                                F / V
  FAU_SEL.1   Selective audit                                        F / V
  FAU_STG.1   Protected audit trail storage                          F / V
  FAU_STG.3   Action in case of possible audit data loss             F / V
  FAU_STG.4   Prevention of audit data loss                          F / V

Cryptographic Support
  FCS_CKM.1   Cryptographic key generation                           V
  FCS_CKM.2   Cryptographic key distribution                         V
  FCS_CKM.4   Cryptographic key destruction                          V
  FCS_COP.1   Cryptographic operation                                V

User Data Protection
  FDP_ACC.2     Complete access control                              F
  FDP_ACF.1     Security attribute based access control              F
  FDP_DAU.1     Basic data authentication                            V
  FDP_IFC.1     Subset information flow control - VPN SFP            V
  FDP_IFC.2(1)  Complete information flow control - Packet Filtering SFP   F
  FDP_IFC.2(2)  Complete information flow control - Proxy SFP        F
  FDP_IFF.1(1)  Simple security attributes - VPN SFP                 V
  FDP_IFF.1(2)  Simple security attributes - Packet Filtering SFP    F
  FDP_IFF.1(3)  Simple security attributes - Proxy SFP               F

Identification and Authentication
  FIA_AFL.1     Authentication failure handling                      F / V
  FIA_ATD.1     User attribute definition                            F / V
  FIA_SOS.1     Verification of secrets                              F / V
  FIA_UAU.1**   Timing of authentication                             F
  FIA_UAU.2     User authentication before any action                V
  FIA_UAU.4     Single-use authentication mechanisms                 F / V
  FIA_UAU.7     Protected authentication feedback                    F / V
  FIA_UID.2     User identification before any action                F / V

Security Management
  FMT_MOF.1     Management of security functions behavior            F / V
  FMT_MSA.1     Management of security attributes                    F / V
  FMT_MSA.2     Secure security attributes                           V
  FMT_MSA.3     Static attribute initialisation                      F / V
  FMT_MTD.1(1)  Management of TSF data                               F
  FMT_MTD.1(2)  Management of TSF data                               F
  FMT_MTD.1(3)  Management of TSF data                               F
  FMT_MTD.1(4)  Management of TSF data                               V
  FMT_MTD.1(5)  Management of TSF data                               F / V
  FMT_MTD.1(6)  Management of TSF data                               F / V
  FMT_MTD.2     Management of limits on TSF data                     F / V
  FMT_MTD.3     Secure TSF data                                      V
  FMT_SMR.1     Security roles                                       F / V

TSF Protection
  FPT_AMT.1     Abstract machine testing                             F / V
  FPT_RPL.1     Replay detection                                     V
  FPT_RVM.1     Non-bypassability of the TSP                         F / V
  FPT_SEP.1     TSF domain separation                                F / V
  FPT_STM.1     Reliable time stamps                                 F / V
  FPT_TST.1     TSF testing                                          F / V
  FPT_TST.2 (Extension)  TSF data integrity error handling           F / V

TOE Access
  FTA_SSL.1     TSF-initiated session locking                        F / V
  FTA_SSL.3     TSF-initiated termination                            F

Trusted Path/Channels
  FTP_ITC.1     Inter-TSF trusted channel                            V

* F: [FW_PP_V1.1], V: [VPN_PP_V1.1]
** FIA_UAU.1 of [FW_PP_V1.1] has a hierarchical relationship with FIA_UAU.2 of [VPN_PP_V1.1]. This Security Target adopted FIA_UAU.2, and FIA_UAU.1 is not explained here.

5.1.1.1 Security Audit (FAU)

FAU_ARP.1 Security alarms
Hierarchical to: No other components.
Dependencies: FAU_SAA.1 Potential violation analysis

FAU_ARP.1.1 The TSF shall take [{notification to the administrator via warning mail or warning message popup}] upon detection of a potential security violation.

FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps

FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shut-down of the audit function.
b) All events subject to auditing according to the minimum audit level.
c) [See [Table 5-2] Audit Target Events. {None}]

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Event date, event type, subject identity, and event result (success or failure).
b) Audit data type based on the audit target event definition of the functional component included in the protection profile or Security Target.
[[Table 5-2] Audit Target Events, information related to the audit target events of {the following}]
- System audit - Event priority, process name, message contents (Open/Close, Details)
- Access control audit - Processing result (ACCEPT/DROP/REJECT), prefix (audit record prefix to identify packet audit records), interface name (direction - In/Out), source/destination IP address, protocol, source/destination port, ICMP type/code
- IPSec packet audit - Event priority, message contents (Details)

[Table 5-2] Audit Target Events

Functional Component | Audit Target Event | Augmented Audit Records
FAU_ARP.1 | Actions against sudden security breaches. | Estimated source/destination addresses.
FAU_SAA.1 | Operation initiation and stoppage of the analysis mechanism, automatic response by the tool. | Authorized administrator's identity.
FAU_SEL.1 | Changes in the audit environment occurring while the audit collection function is executed. | -
FCS_CKM.1 | Success and failure of the behavior. | Estimated source/destination addresses.
FCS_CKM.2 | Success and failure of the behavior. | Estimated source/destination addresses.
FCS_CKM.4 | Success and failure of the behavior. | Estimated source/destination addresses.
FCS_COP.1 | Success and failure of the cryptographic operation, cryptographic operation type. | Estimated source/destination addresses.
FDP_DAU.1 | Successful creation of valid evidence. | Estimated source/destination addresses.
FDP_ACF.1 | Successful request for operation in relation to the object handled by the SFP. | Subject and object identifiers.
FDP_IFF.1 | Decision to allow the requested information flow. | Subject and object identifiers, estimated source/destination addresses.
FIA_AFL.1 | Reaching the threshold of failed authentication attempts and responses, including recovery to the normal state, if applicable. | Identification of unauthorized users and authorized administrators.
FIA_SOS.1 | Rejection of any tested secret by the TSF. | -
FIA_UAU.2 | Failure of the authentication mechanism. | User identity provided to the TOE.
FIA_UID.2 | Failure of the user identification mechanism, including the provided user identity. | User identity provided to the TOE.
FMT_MSA.1 | Changes in all security attributes. | Security attributes.
FMT_MSA.2 | All proposed security attributes and denied security attributes. | Estimated source/destination addresses.
FMT_MTD.1 | Changes in the TSF data. | Changed TSF data.
FMT_MTD.2 | Changes in the TSF data thresholds. | Changed TSF data threshold.
FMT_MTD.3 | All rejected TSF data. | Estimated source/destination addresses.
FPT_SEP.1 | Change in the user group sharing the role. | Authorized administrator's identity.
FPT_STM.1 | Time change. | Authorized administrator's identity.
FPT_TST.2 | Description of the integrity error, actions against the integrity error, and result of the actions taken. | -
FTA_SSL.1 | Locking of the interactive session by the session locking mechanism. | -
FTA_SSL.3 | Termination of the interactive session by the session locking mechanism. | -
FTP_ITC.1 | Faults in the secure channel function, identification of the secure channel where a fault occurred, from the initiator. | Initiator of the secure channel where the fault occurred and the target identity.
FMT_MOF.1 | Use of related functions belonging to the audit records. | Authorized administrator's identity.
FMT_SMF.1 | Use of management functions. | Authorized administrator's identity.
FPR_PSE.1 | Subject/user who requested resolution of a user identity. | Estimated source/destination addresses.
FPR_UNO.4 | Observation of resources or services by a user or subject. | User identity provided to the TOE. Estimated source/destination addresses.

FAU_SAA.1 Potential violation analysis
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation

FAU_SAA.1.1 The TSF shall be able to apply a set of rules in monitoring the audited events and, based upon these rules, indicate a potential violation of the TSP.
FAU_SAA.1.2 The TSF shall enforce the following rules for monitoring audited events:
a) Accumulation or combination of [identification and authentication security policy violation, access control rule violation, cryptographic operation failure] known to indicate a potential security violation.
b) [{None}]

FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation

FAU_SAR.1.1 The TSF shall provide [the authorized administrator] with the capability to read [all audit data] from the audit records.

FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

FAU_SAR.3 Selectable audit review
Hierarchical to: No other components.
Dependencies: FAU_SAR.1 Audit review

FAU_SAR.3.1 The TSF shall provide the ability to perform searches and sorting of the audit data based on [{criteria with the following logical relations}]:
a) Audit record types - system log, firewall log, session log, proxy session log
b) System log - time, host IP address, priority, process, message contents (details: keyword)
c) Firewall/session log - time, host, source/destination IP address, protocol, source/destination port, ICMP type, service, size, operation (ACCEPT/DROP/REJECT/OPEN/CLOSE)
d) Proxy session log - time, host IP address, source/destination IP address, user, service, operation (open, close)

FAU_SEL.1 Selective audit
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
              FMT_MTD.1 Management of TSF data

FAU_SEL.1.1 The TSF shall be able to include or exclude auditable events from the set of audited events based on the following attributes:
a) {Event type}
b) [{Packet-filtering security policy}]

FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation

FAU_STG.1.1 The TSF shall protect the stored audit records from unauthorized deletion.

FAU_STG.1.2 The TSF shall be able to prevent unauthorized modifications to the stored audit records in the audit trail.
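The FAU_SAA.1.2 rule above (accumulation of identification/authentication violations, access control rule violations and cryptographic operation failures) combined with the FAU_ARP.1 alarm, as an added worked example that is not code from the VForce 1700 TOE. The audit line format, the threshold of five indicators and the ten-minute window are assumptions of this example; the Security Target states only that the threshold is set by the administrator.

```python
"""Potential violation analysis in the style of FAU_SAA.1 / FAU_ARP.1 (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Event types that FAU_SAA.1.2 a) treats as indicators of a potential violation.
VIOLATION_RULES = {
    "AUTH_FAIL": "Identification and authentication security policy violation",
    "ACL_DENY": "Access control rule violation",
    "CRYPTO_FAIL": "Cryptographic operation failure",
}


@dataclass
class AuditRecord:
    time: datetime     # event date/time (FAU_GEN.1.2 a)
    event_type: str    # AUTH_FAIL, ACL_DENY, CRYPTO_FAIL, or any other audited event
    subject: str       # subject identity: user ID or source IP address


@dataclass
class Alarm:
    subject: str
    rule: str
    count: int
    first_seen: datetime
    last_seen: datetime


def parse_line(line: str) -> AuditRecord:
    """Parse one constructed audit line: '<date> <time> <EVENT> subject=<id> ...'."""
    date, clock, event_type, *fields = line.split()
    attrs = dict(f.split("=", 1) for f in fields)
    return AuditRecord(datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S"),
                       event_type, attrs["subject"])


class ViolationAnalyzer:
    """Accumulates violation indicators per (subject, rule) inside a sliding window."""

    def __init__(self, threshold: int, window: timedelta):
        self.threshold = threshold   # administrator-set count (assumed value)
        self.window = window         # administrator-set window (assumed value)
        self._seen: Dict[Tuple[str, str], List[datetime]] = defaultdict(list)

    def observe(self, rec: AuditRecord) -> Optional[Alarm]:
        """Return an Alarm if this record pushes the subject over the threshold."""
        if rec.event_type not in VIOLATION_RULES:
            return None              # ordinary audited event, not accumulated
        key = (rec.subject, rec.event_type)
        cutoff = rec.time - self.window
        # keep only indicators still inside the window, then add this one
        times = [t for t in self._seen[key] if t >= cutoff] + [rec.time]
        if len(times) < self.threshold:
            self._seen[key] = times
            return None
        self._seen[key] = []         # one alarm per burst; start counting afresh
        return Alarm(rec.subject, VIOLATION_RULES[rec.event_type],
                     len(times), times[0], times[-1])


def analyze(log_text: str, threshold: int = 5, window_minutes: int = 10) -> List[Alarm]:
    """Run the analyzer over a whole log and collect the alarms it raises."""
    analyzer = ViolationAnalyzer(threshold, timedelta(minutes=window_minutes))
    alarms = []
    for line in log_text.splitlines():
        if line.strip():
            alarm = analyzer.observe(parse_line(line))
            if alarm:
                alarms.append(alarm)
    return alarms


def alarm_message(alarm: Alarm) -> str:
    """Text of the FAU_ARP.1 warning (delivered by mail or as a popup)."""
    return (f"SECURITY ALARM: {alarm.rule} - {alarm.count} events from "
            f"{alarm.subject} between {alarm.first_seen:%H:%M:%S} "
            f"and {alarm.last_seen:%H:%M:%S}")


# Constructed sample audit records (not real TOE output): 10.0.0.5 fails
# authentication five times within a minute, 192.168.1.7 trips two access
# control rules, 203.0.113.9 has five crypto failures spread over 80 minutes.
SAMPLE_LOG = """\
2006-07-20 10:00:01 AUTH_FAIL subject=10.0.0.5 result=failure
2006-07-20 10:00:09 AUTH_FAIL subject=10.0.0.5 result=failure
2006-07-20 10:00:15 ACL_DENY subject=192.168.1.7 result=failure
2006-07-20 10:00:20 AUTH_FAIL subject=10.0.0.5 result=failure
2006-07-20 10:00:31 ACL_ACCEPT subject=192.168.1.7 result=success
2006-07-20 10:00:44 AUTH_FAIL subject=10.0.0.5 result=failure
2006-07-20 10:00:50 ACL_DENY subject=192.168.1.7 result=failure
2006-07-20 10:00:58 AUTH_FAIL subject=10.0.0.5 result=failure
2006-07-20 10:05:00 CRYPTO_FAIL subject=203.0.113.9 result=failure
2006-07-20 10:25:00 CRYPTO_FAIL subject=203.0.113.9 result=failure
2006-07-20 10:45:00 CRYPTO_FAIL subject=203.0.113.9 result=failure
2006-07-20 11:05:00 CRYPTO_FAIL subject=203.0.113.9 result=failure
2006-07-20 11:25:00 CRYPTO_FAIL subject=203.0.113.9 result=failure
"""

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(alarm_message(a))
```

With the default ten-minute window only the authentication burst alarms; widening the window to two hours also catches the slow series of cryptographic failures, which is the administrator's tuning decision.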
FAU_STG.3 Action in case of possible audit data loss
Hierarchical to: No other components.
Dependencies: FAU_STG.1 Protected audit trail storage

FAU_STG.3.1 The TSF shall [send a notification to the authorized administrator, {None}] if the audit trail exceeds [{the point at which the remaining space of the storage media where the audit records are stored falls to the default of 10%, or to the administrator's setting (0~99%)}].

FAU_STG.4 Prevention of audit data loss
Hierarchical to: FAU_STG.3 Action in case of possible audit data loss
Dependencies: FAU_STG.1 Protected audit trail storage

FAU_STG.4.1 The TSF shall prevent auditable events, except those taken by an authorized user with special authority, and [{when the remaining space of the storage media crosses the default of 5% or the administrator's setting (0~99%), a notification will be sent to the authorized administrator and action will be taken to stop the TSF of the TOE}], if the audit trail is full.

Application Notes: If the audit storage is full, only the authorized administrator shall be allowed to perform operations. Only after the authorized administrator restores the storage can audit records be generated.

5.1.1.2 Cryptographic Support (FCS)

FCS_CKM.1 Cryptographic key generation
Hierarchical to: No other components.
Dependencies: [FCS_CKM.2 Cryptographic key distribution or FCS_COP.1 Cryptographic operation]
              FCS_CKM.4 Cryptographic key destruction
              FMT_MSA.2 Secure security attributes

FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [standard block cryptographic algorithm for government agencies] and specified cryptographic key sizes [128 bits or more] that meet the following: [standard block cryptographic algorithm list for government agencies].

FCS_CKM.2 Cryptographic key distribution
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
              FCS_CKM.4 Cryptographic key destruction
              FMT_MSA.2 Secure security attributes

FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method [IKE] that meets the following: [IETF RFC 2409].

FCS_CKM.4 Cryptographic key destruction
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
              FMT_MSA.2 Secure security attributes

FCS_CKM.4.1 The TSF shall destroy cryptographic keys in accordance with a specified cryptographic key destruction method [all plaintext cryptographic keys in the device and important security-related parameters are overwritten with 0].

FCS_COP.1 Cryptographic operation
Hierarchical to: No other components.
Dependencies: [FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with security attributes, or FCS_CKM.1 Cryptographic key generation]
              FCS_CKM.4 Cryptographic key destruction
              FMT_MSA.2 Secure security attributes

FCS_COP.1.1 The TSF shall perform [the method defined in "The ESP CBC-Mode Cipher Algorithms" (RFC 2451), using HMAC-SHA-1-96 (RFC 2404) with IPSec AH and a 160-bit key in the ESP] in accordance with a specified cryptographic algorithm [standard block cryptographic algorithm for government agencies, hash function algorithm standard (HAS-160)] and cryptographic key sizes [128 bits or higher, 160 bits] that meet the following: [standard block cryptographic algorithm for government agencies, IT industry standard TTAS.KO-12.0011/R1 "Hash function standard - Part 2: Hash function algorithm standard (HAS-160)"].
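The HMAC-SHA-1-96 integrity check value that FCS_COP.1 cites from RFC 2404, as an added example that is not the TOE's code: the key is 160 bits and the ICV is the leftmost 96 bits of the HMAC-SHA-1 output. The SPI/sequence/payload layout is a simplified stand-in for the real AH/ESP headers, and HAS-160 is not shown because it is not in the Python standard library.

```python
"""HMAC-SHA-1-96 ICV computation and verification per RFC 2404 (added example)."""
import hashlib
import hmac
import secrets
import struct

KEY_BYTES = 20   # 160-bit authentication key, as RFC 2404 requires
ICV_BYTES = 12   # 96-bit truncated MAC carried in the AH/ESP trailer


def icv_sha1_96(key: bytes, authenticated: bytes) -> bytes:
    """Leftmost 96 bits of HMAC-SHA-1 over the authenticated region."""
    if len(key) != KEY_BYTES:
        raise ValueError("HMAC-SHA-1-96 requires a 160-bit key")
    return hmac.new(key, authenticated, hashlib.sha1).digest()[:ICV_BYTES]


def build_packet(key: bytes, spi: int, seq: int, payload: bytes) -> bytes:
    """SPI(4) | sequence(4) | payload | ICV(12); the ICV covers every preceding byte."""
    authenticated = struct.pack("!II", spi, seq) + payload
    return authenticated + icv_sha1_96(key, authenticated)


def verify_packet(key: bytes, packet: bytes) -> bool:
    """Recompute the ICV and compare in constant time; reject packets too short to carry one."""
    if len(packet) < 8 + ICV_BYTES:
        return False
    authenticated, received = packet[:-ICV_BYTES], packet[-ICV_BYTES:]
    return hmac.compare_digest(icv_sha1_96(key, authenticated), received)


def new_auth_key() -> bytes:
    """Fresh random 160-bit key; in the TOE the key comes from IKE (FCS_CKM.2)."""
    return secrets.token_bytes(KEY_BYTES)


# RFC 2202 HMAC-SHA-1 test case 1 (key 0x0b repeated 20 times, data "Hi There"),
# truncated to 96 bits, used here to check the implementation against a known answer.
RFC2202_KEY = b"\x0b" * 20
RFC2202_DATA = b"Hi There"
RFC2202_ICV_HEX = "b617318655057264e28bc0b6"


def demo() -> dict:
    """Genuine packet verifies; a one-bit change or a wrong key is rejected."""
    key = new_auth_key()
    pkt = build_packet(key, spi=0x1000, seq=1, payload=b"constructed payload")
    tampered = bytearray(pkt)
    tampered[8] ^= 0x01                      # flip one bit of the payload
    return {
        "vector_ok": icv_sha1_96(RFC2202_KEY, RFC2202_DATA).hex() == RFC2202_ICV_HEX,
        "genuine": verify_packet(key, pkt),
        "tampered": verify_packet(key, bytes(tampered)),
        "wrong_key": verify_packet(new_auth_key(), pkt),
        "truncated": verify_packet(key, pkt[:10]),
    }


if __name__ == "__main__":
    print(demo())
```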
5.1.1.3 User Data Protection (FDP)

FDP_ACC.2 Complete access control
Hierarchical to: FDP_ACC.1 Subset access control
Dependencies: FDP_ACF.1 Security attribute based access control

FDP_ACC.2.1 The TSF shall enforce the [{administrator security policy}] on [{the following subject list and object list}] and all operations among subjects and objects covered by the SFP.
a) Subject list: IT entity of the administrator authenticated by FIA_UAU.2 or FIA_UAU.4.
b) Object list:
   - TOE security management (Control Center)
   - TOE system console

FDP_ACC.2.2 The TSF shall ensure that all operations between any subject in the TSC and any object within the TSC are covered by an access control SFP.

FDP_ACF.1 Security attribute based access control
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control
              FMT_MSA.3 Static attribute initialisation

FDP_ACF.1.1 The TSF shall enforce the [{administrator security policy}] to objects based on the following: [{the following security attributes, named security attribute groups}]
a) Administrator group
b) Administrator network

FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed:
[{
a) Allow if the user belongs to the administrator group. Otherwise, deny.
b) Allow if the user belongs to the administrator group and the source network IP address is set in the administrator network. Otherwise, deny.
}]

FDP_ACF.1.3 The TSF shall explicitly authorize access of subjects to objects based on the following additional rules: [{administrator's access to the TOE console}]

FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the [{None}].

FDP_DAU.1 Basic data authentication
Hierarchical to: No other components.
Dependencies: No dependencies.

FDP_DAU.1.1 The TSF shall provide a capability to generate evidence that can be used as a guarantee of the validity of [data transmitted through the TOE].

FDP_DAU.1.2 The TSF shall provide [the authorized administrator] with the ability to verify evidence of the validity of the indicated information.
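The administrator access control policy of FDP_ACC.2 and FDP_ACF.1 above, as an added example that is not code from the TOE: the two objects (Control Center and system console), the two security attributes (administrator group and administrator network), rules a) and b) of FDP_ACF.1.2, the explicit console authorization of FDP_ACF.1.3, and the FDP_ACF.1 audit record carrying subject and object identifiers. The group name, the network ranges and the user IDs are constructed values.

```python
"""Administrator access control decision per FDP_ACC.2 / FDP_ACF.1 (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

CONTROL_CENTER = "control_center"   # TOE security management (Control Center)
SYSTEM_CONSOLE = "system_console"   # TOE system console (local access)


@dataclass(frozen=True)
class Subject:
    user_id: str
    groups: FrozenSet[str]        # user group objects the user object is mapped to
    source_ip: Optional[str]      # None for a local console session


@dataclass(frozen=True)
class Decision:
    allowed: bool
    rule: str                     # which FDP_ACF.1 rule produced the decision


class AdminAccessPolicy:
    def __init__(self, admin_group: str, admin_networks: List[str]):
        self.admin_group = admin_group
        # "Administrator network" attribute: CIDR ranges management may come from
        self.admin_networks = [ip_network(n) for n in admin_networks]
        self.audit: List[str] = []   # FDP_ACF.1 audit records

    def _in_admin_network(self, source_ip: Optional[str]) -> bool:
        if source_ip is None:
            return False
        addr = ip_address(source_ip)
        return any(addr in net for net in self.admin_networks)

    def decide(self, subject: Subject, obj: str) -> Decision:
        is_admin = self.admin_group in subject.groups
        if obj == SYSTEM_CONSOLE:
            # FDP_ACF.1.2 a) and FDP_ACF.1.3: console access needs only group membership
            d = Decision(is_admin, "ACF.1.2 a" if is_admin else "ACF.1.2 a: not administrator")
        elif obj == CONTROL_CENTER:
            # FDP_ACF.1.2 b): group membership AND source address inside the admin network
            if not is_admin:
                d = Decision(False, "ACF.1.2 b: not administrator")
            elif not self._in_admin_network(subject.source_ip):
                d = Decision(False, "ACF.1.2 b: source not in administrator network")
            else:
                d = Decision(True, "ACF.1.2 b")
        else:
            # FDP_ACC.2 covers every subject/object pair; an unlisted object is denied
            d = Decision(False, "unknown object: default deny")
        # FDP_ACF.1 audit record: outcome with subject and object identifiers
        self.audit.append(f"{'ACCEPT' if d.allowed else 'DROP'} subject={subject.user_id} "
                          f"src={subject.source_ip or 'console'} object={obj} rule={d.rule}")
        return d


def run_cases() -> List[bool]:
    """Constructed scenarios; returns the allow/deny outcome of each in order."""
    policy = AdminAccessPolicy("administrators", ["192.168.10.0/24"])
    admins = frozenset({"administrators"})
    admin_inside = Subject("admin", admins, "192.168.10.5")
    admin_outside = Subject("admin", admins, "203.0.113.4")
    admin_console = Subject("admin", admins, None)
    proxy_user = Subject("alice", frozenset({"proxy_users"}), "192.168.10.6")
    cases = [
        (admin_inside, CONTROL_CENTER),   # allowed by rule b)
        (admin_outside, CONTROL_CENTER),  # denied: source outside administrator network
        (proxy_user, CONTROL_CENTER),     # denied: not in administrator group
        (admin_console, SYSTEM_CONSOLE),  # allowed: FDP_ACF.1.3 console access
        (proxy_user, SYSTEM_CONSOLE),     # denied: not in administrator group
        (admin_console, CONTROL_CENTER),  # denied: no network source to check
    ]
    return [policy.decide(s, o).allowed for s, o in cases]


if __name__ == "__main__":
    print(run_cases())
```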
FDP_IFC.1 Subset information flow control
Hierarchical to: No other components.
Dependencies: FDP_IFF.1 Simple security attributes
FDP_IFC.1.1 The TSF shall enforce the [{VPN security policy}] on [the following subjects, information, operations].
a) Subject list: External IT entities transmitting data through the TOE
b) Information list: Data transmitted through the TOE
c) Operation list:
- Encryption and hash of the information transmitted to the counterpart.
- Decryption and integrity check of the information, transmission to the subject.
- Information passing.
Application Notes: The TOE can establish secure or non-secure communication depending on the TSP.

FDP_IFF.1(1) Simple security attributes
Hierarchical to: No other components.
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialisation
FDP_IFF.1.1 The TSF shall enforce the [{VPN security policy}] on [the following] security attributes of subjects and information.
a) Subject security attribute: IP addresses of external IT entities transmitting data through the TOE, {Certificate subject (Certificate country, Organization, Organization Unit, Common Name, Email Address)}
b) Information security attribute: Source and destination IP address to/from which the data packets are transmitted, {Following security attributes}
- IPSec-bound interface
- Shared key
- Security protocol
- Key exchange mode
- Authentication method (Shared key/Certificate)
- Subject security attribute – local and remote VPN gateway information (IP address and certificate subject)
- ISAKMP policy – Encryption type (algorithm) and key length, hash algorithm, Diffie-Hellman group (Numbers 2 and 5), valid period
- IPSec policy – Authentication method (authentication algorithm), encryption method (encryption algorithm) and key length, valid time
- VPN Network IP Address
- PFS group – Diffie-Hellman group (Numbers 2 and 5)
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [{following rules}]
a) Communication with the counterpart: For traffic coming from or going to the counterpart, the TOE shall perform the following according to the security policy:
- establish a trusted channel with the counterpart, or use an existing trusted channel, or
- not call a security mechanism for the communication nor establish a secure channel.
b) Communication with other than the counterpart: For traffic not coming from or going to the counterpart, the TOE does not call a security mechanism nor establish a secure channel.
FDP_IFF.1.3 The TSF shall enforce the [{None}].
FDP_IFF.1.4 The TSF shall provide the [{following}].
a) Create the corresponding tunnel upon a request for tunnel connection or tunnel creation.
b) Use Dead Peer Detection (DPD).
FDP_IFF.1.5 The TSF shall explicitly authorize an information flow based on the following rules: [{None}].
FDP_IFF.1.6 The TSF shall explicitly deny an information flow based on the following rules: [{None}].

FDP_IFC.2(1) Complete information flow control
Hierarchical to: FDP_IFC.1 Subset information flow control
Dependencies: FDP_IFF.1 Simple security attributes
FDP_IFC.2.1 The TSF shall enforce the [{packet-filtering security policy}] on the [{following subject list and information list}] and all operations that cause that information to flow to and from subjects covered by the SFP.
a) Subject list: Internal/External IT entities exchanged through the TOE and the TOE itself.
b) Information list: All traffic (packet) passing through the TOE.
FDP_IFC.2.2 The TSF shall ensure that all operations that cause any information in the TSC to flow to and from any subject in the TSC are covered by an information flow control SFP.

FDP_IFC.2(2) Complete information flow control
Hierarchical to: FDP_IFC.1 Subset information flow control
Dependencies: FDP_IFF.1 Simple security attributes
FDP_IFC.2.1 The TSF shall enforce the [{proxy security policy}] on the [{following subject list and information list}] and all operations that cause that information to flow to and from subjects covered by the SFP.
a) Subject list: Internal/External IT entities exchanged through the TOE.
b) Information list: Protocol (FTP, TELNET traffic) using HTTP and SOCKS5 passing through the TOE.
FDP_IFC.2.2 The TSF shall ensure that all operations that cause any information in the TSC to flow to and from any subject in the TSC are covered by an information flow control SFP.

FDP_IFC.2(3) Complete information flow control
Hierarchical to: FDP_IFC.1 Subset information flow control
Dependencies: FDP_IFF.1 Simple security attributes
FDP_IFC.2.1 The TSF shall enforce the [{network address translation policy}] on the [{following subject list and information list}] and all operations that cause that information to flow to and from subjects covered by the SFP.
a) Subject list: Internal/External IT entities exchanged through the TOE.
b) Information list: All traffic (packet) passing through the TOE.
FDP_IFC.2.2 The TSF shall ensure that all operations that cause any information in the TSC to flow to and from any subject in the TSC are covered by an information flow control SFP.

FDP_IFF.1(2) Simple security attributes
Hierarchical to: No other components.
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialisation
FDP_IFF.1.1 The TSF shall enforce the [{packet-filtering security policy}] based on the types of subject and information security attributes: [{as shown below}].
a) Subject security attribute: IP addresses of internal and external IT entities transmitting data through the TOE.
b) Information security attribute:
- Interface policy mapping
- Source/destination IP Address, Security label
- Service (port)
- Time
- Number of packets per second (Minimum 1~10,000)
- Packet size (Minimum 1~65535)
- MAC address
- TCP MSS (Minimum 0~65495)
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [as shown below].
a) [{If the information security attribute of the corresponding traffic is proven to be subject to information flow according to the packet-filtering security policy set by the administrator, information flow will be allowed.}]
FDP_IFF.1.3 The TSF shall enforce the [the following].
a) The port scan for the traffic subject to the packet-filtering security policy will be detected, and the audit records or mail will be sent to the administrator.
b) A fragment packet for the traffic subject to the packet-filtering security policy will be detected, and the audit records or mail will be sent to the administrator.
FDP_IFF.1.4 The TSF shall provide the following [None].
FDP_IFF.1.5 The TSF shall explicitly authorize an information flow based on the following rules: [None].
FDP_IFF.1.6 The TSF shall explicitly deny an information flow based on the following rules: [as shown below].
a) Basic packet-filtering policy – If there is no packet-filtering security policy met.
b) When the source security label is lower than the destination security label.

FDP_IFF.1(3) Simple security attributes
Hierarchical to: No other components.
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialisation
FDP_IFF.1.1 The TSF shall enforce the [{proxy security policy}] based on the types of subject and information security attributes: [{as shown below}].
a) Subject security attribute: User and network addresses of internal/external IT entities, user ID, and user Strength of Function
b) Information security attribute:
- Security attribute – Maximum access count (5~65535), Session time-out (5~65535)
- Proxy time group
- Proxy network group
- HTTP authentication control
- SOCKS5-type authentication control
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [as shown below].
a) [{If the information security attribute of the corresponding traffic is proven to be subject to information flow according to the proxy security policy set by the administrator, information flow will be allowed.}]
FDP_IFF.1.3 The TSF shall enforce the [{re-authentication for the following cases}].
a) After idle status between the user and the proxy within the session time-out limit set by the administrator
b) After the administrator forcibly logs out a user
FDP_IFF.1.4 The TSF shall provide the following [None].
FDP_IFF.1.5 The TSF shall explicitly authorize an information flow based on the following rules: [None].
FDP_IFF.1.6 The TSF shall explicitly deny an information flow based on the following rules: [{basic proxy policy – traffic of an unauthenticated user passing through HTTP or SOCKS5}].

FDP_IFF.1(4) Simple security attributes
Hierarchical to: No other components.
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialisation
FDP_IFF.1.1 The TSF shall enforce the [{network address translation policy}] based on the types of subject and information security attributes: [{as shown below}].
a) Subject security attribute: source and destination network addresses of internal/external IT entities
b) Information security attribute:
- Network address translation – IP address range for Network Address translation
- Port binding – port range for port binding
- Service
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [as shown below].
a) [{The network address shall be translated according to the network address translation policy set by the administrator, and then, information flow shall be allowed.}]
FDP_IFF.1.3 The TSF shall enforce [None].
FDP_IFF.1.4 The TSF shall provide the following [None].
FDP_IFF.1.5 The TSF shall explicitly authorize an information flow based on the following rules: [None].
FDP_IFF.1.6 The TSF shall explicitly deny an information flow based on the following rules: [None].
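A worked model of the packet-filtering security policy from FDP_IFC.2(1) and FDP_IFF.1(2) above: an administrator-set rule allows the flow (FDP_IFF.1.2), no matching rule means the basic deny (FDP_IFF.1.6 a), a source label lower than the destination label is denied before any rule is consulted (FDP_IFF.1.6 b), and a fragment raises an audit event (FDP_IFF.1.3 b). This is an added example, not code from the VForce 1700 Security Target or product; it assumes rules match on source/destination network, service port and maximum packet size, that security labels are integers attached to networks, and every rule, label and packet below is constructed.

```python
"""Model of the packet-filtering security policy (FDP_IFC.2(1) / FDP_IFF.1(2)).

Added example; not code from the VForce 1700 Security Target or the product.
Assumptions: a rule matches on source/destination network, service port and a
maximum packet size; security labels are integers attached to networks; all
rule, label and packet values are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

MAX_PACKET_SIZE = 65535   # FDP_IFF.1.1 b): Packet size 1~65535


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    size: int
    fragment: bool = False   # set when the packet is an IP fragment


@dataclass(frozen=True)
class FilterRule:
    src_net: str
    dst_net: str
    service: Optional[int]   # destination port; None = any service
    max_size: int = MAX_PACKET_SIZE

    def matches(self, pkt):
        return (ip_address(pkt.src) in ip_network(self.src_net)
                and ip_address(pkt.dst) in ip_network(self.dst_net)
                and (self.service is None or self.service == pkt.dport)
                and pkt.size <= self.max_size)


def security_label(labels, ip):
    """Label of the most specific labelled network containing ip; 0 if none."""
    addr = ip_address(ip)
    best = None
    for net_str, label in labels.items():
        net = ip_network(net_str)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, label)
    return 0 if best is None else best[1]


def filter_packet(rules, labels, pkt):
    """Return (verdict, reason, audit_events) for one packet.

    verdict is "allow" or "deny"; audit_events holds FDP_IFF.1.3 events (only
    fragment detection here; port-scan detection needs flow state that this
    single-packet model does not keep).
    """
    events = []
    if pkt.fragment:
        events.append("fragment packet detected: %s -> %s" % (pkt.src, pkt.dst))
    if not 1 <= pkt.size <= MAX_PACKET_SIZE:
        return "deny", "packet size outside 1~65535", events
    # FDP_IFF.1.6 b): explicit deny when the source label is lower than the destination label
    src_label, dst_label = security_label(labels, pkt.src), security_label(labels, pkt.dst)
    if src_label < dst_label:
        return "deny", "source label %d lower than destination label %d" % (src_label, dst_label), events
    # FDP_IFF.1.2 a): allow when an administrator-set rule covers the traffic
    for rule in rules:
        if rule.matches(pkt):
            return "allow", "matched rule %s -> %s service %s" % (rule.src_net, rule.dst_net, rule.service), events
    # FDP_IFF.1.6 a): basic packet-filtering policy, no rule met
    return "deny", "no packet-filtering policy met (basic deny)", events


# Constructed sample configuration (not values from the ST).
SAMPLE_LABELS = {"0.0.0.0/0": 0, "10.0.1.0/24": 0, "10.0.2.0/24": 2}
SAMPLE_RULES = [
    FilterRule("0.0.0.0/0", "10.0.1.0/24", 443, max_size=1500),   # Internet -> DMZ HTTPS
    FilterRule("10.0.2.0/24", "0.0.0.0/0", None),                 # internal -> anywhere
]


def sample_verdicts():
    """Evaluate the constructed packets; returns {case name: (verdict, reason, events)}."""
    cases = {
        "internet_to_dmz_https": Packet("203.0.113.7", "10.0.1.10", 443, 800),
        "internet_to_dmz_oversized": Packet("203.0.113.7", "10.0.1.10", 443, 4000),
        "internet_to_dmz_ssh": Packet("203.0.113.7", "10.0.1.10", 22, 120),
        "internet_to_internal_https": Packet("203.0.113.7", "10.0.2.20", 443, 800),
        "internal_to_internet": Packet("10.0.2.20", "198.51.100.5", 80, 500),
        "dmz_to_internal": Packet("10.0.1.10", "10.0.2.20", 445, 500),
        "internal_fragment": Packet("10.0.2.20", "198.51.100.5", 80, 500, fragment=True),
    }
    return {name: filter_packet(SAMPLE_RULES, SAMPLE_LABELS, pkt) for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (verdict, reason, events) in sample_verdicts().items():
        print("%-28s %-5s %s %s" % (name, verdict, reason, events))
```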
5.1.1.4 Identification and Authentication (FIA)

FIA_AFL.1 Authentication failure handling
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication*
* [VPN_PP_V1.1] selected FIA_UAU.2, which has a hierarchical relationship with FIA_UAU.1, so this Security Target adopted FIA_UAU.2.
FIA_AFL.1.1 The TSF shall detect when [{an administrator configurable positive integer other than 0}] unsuccessful authentication attempts occur related to [{user authentication attempt}].
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met or surpassed, the TSF shall [prevent users from being authenticated till the authorized administrator takes proper action].
Application Notes: A user is an authorized administrator or a counterpart. For a counterpart, other measures than the user authentication attempt count can be used.

FIA_ATD.1 User attribute definition
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users [the list of the following security attributes].
a) Security label
{
b) User Object – User ID (ID), group, use status (by the current user), password type, password, PAP, CHAP, log-in failure count, allowed log-in, last log-in, use time
c) User group – User Object group ID, attempt limit, proxy status (proxy time selection), administrator mode status, user ID
d) VPN gateway – X.509-type certificate subject, IP Address
}

FIA_SOS.1 Verification of secrets
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_SOS.1.1(1) The TSF shall provide a mechanism to verify that secrets meet [the following limit].
a) Minimum length of the password set by the administrator
- General password: 7~16 characters
- One-time password: 8 characters
b) Combination rule – Alphanumeric (alphabetic + numeric, or alphabetic + special symbols)

FIA_UAU.2 User authentication before any action
Hierarchical to: FIA_UAU.1 Timing of authentication
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

FIA_UAU.4 Single-use authentication mechanisms
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_UAU.4.1 The TSF shall prevent reuse of authentication data related to [one-time password].
Application Notes: The single-use authentication mechanism can be applied to both authorized administrators and users. The single-use authentication mechanism may not be used as long as the provided services conform to the security policy.

FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication*
* [VPN_PP_V1.1] selected FIA_UAU.2, which has a hierarchical relationship with FIA_UAU.1, so this Security Target adopted FIA_UAU.2.
FIA_UAU.7.1 The TSF shall provide only [counterfeited password (Example: *)] to the user while the authentication is in progress.

FIA_UID.2 User identification before any action
Hierarchical to: FIA_UID.1 Timing of identification
Dependencies: No dependencies.
FIA_UID.2.1 The TSF shall require each user to identify itself before allowing any other TSF-mediated actions on behalf of that user.

5.1.1.5 Security Management (FMT)

FMT_MOF.1 Management of security functions behaviour
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles
FMT_MOF.1.1 The TSF shall restrict the ability to activate, stop, start, change the functions [{listed as below}] to [the authorized administrator].
a) Object definition – Certificate, CA management, Network, Service, Time, IPSec, User
b) Status checking – Traffic per interface, Session list, IPSec security tunnel, Log-in user, Integrity, System (firmware version, start-up time, CPU load), Process
c) Interface management – Ethernet and PPP (PPPoE for ADSL authentication) setup and management
d) Static routing management
e) ARP address list management
f) DHCP server management
g) Network Address Translation policy management – Network Address Translation, port forwarding, redirect policy
h) Basic proxy setting management
i) Administrator password change
j) SNMP configuration management
k) Date and time management
l) Firmware upgrade
m) System restart/stop
n) Audit records backup
o) Audit records setup management
Application Notes: These security functional requirements are for the management of security functions. For example, when the audit record storage is full, the security functional requirements describe what measures the authorized administrator shall take and under which circumstances the administrator can conduct a self-test.

FMT_MSA.1 Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control or FDP_IFC.1 Subset information flow control]
FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles
FMT_MSA.1.1 The TSF shall enforce [{administrator security policy}] to restrict the ability to change, inquire, and delete default, {None} the security attributes [{Security label, FDP_IFF.1 packet-filtering security policy rule audit records status and limit, Port scanning packet, Audit recording status for abnormal packets, TCP MSS setup, VPN security policy, Proxy security policy}] to [the authorized administrator].
Application Notes: The authorized administrator shall support execution of the information flow control SFP by managing security attributes.

FMT_MSA.2 Secure security attributes
Hierarchical to: No other components.
Dependencies: ADV_SPM.1 Informal TOE security policy model
[FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.2.1 The TSF shall ensure that only secure values are accepted for security attributes.

FMT_MSA.3 Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
FMT_MSA.3.1 The TSF shall enforce the [{packet-filtering security policy, proxy security policy, VPN security policy}] to provide restrictive default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [authorized administrator] to specify alternative initial values to override the default values when an object or information is created.

FMT_MTD.1(1) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 The TSF shall restrict the ability to handle the statistic of the [audit data] to the [authorized administrator].

FMT_MTD.1(2) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 The TSF shall restrict the ability to recover, backup the [major files composing the TOE] in a permanent auxiliary storage device to the [authorized administrator].

FMT_MTD.1(3) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 The TSF shall restrict the ability to query, modify, and delete the [access control security policy, information flow control security policy] to the [authorized administrator].

FMT_MTD.1(4) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 The TSF shall restrict the ability to modify the [cryptographic key attribute] to the [authorized administrator].
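A worked model of two requirements from 5.1.1.4 above whose limits the administrator manages under FMT_MTD.2 below: the secret-quality rules of FIA_SOS.1.1 (general password 7~16 characters, one-time password 8 characters, alphabetic combined with numeric or special symbols) and the failure handling of FIA_AFL.1 (lock after an administrator-configured non-zero number of failures, until the administrator acts). This is an added example, not code from the VForce 1700 Security Target or product; it assumes the combination rule applies to the general password only, that a special symbol is any ASCII punctuation character, and that the failure counter is kept per user ID; all users, passwords and thresholds are constructed.

```python
"""Model of FIA_SOS.1 (verification of secrets) and FIA_AFL.1 (authentication
failure handling) from section 5.1.1.4.

Added example; not code from the VForce 1700 Security Target or the product.
Assumptions: combination rule b) applies to the general password only, a
"special symbol" is any ASCII punctuation character, and the failure counter
is kept per user ID. All sample users, passwords and thresholds are constructed.
"""
import string

GENERAL_MIN_LEN, GENERAL_MAX_LEN = 7, 16   # FIA_SOS.1.1 a): general password 7~16 characters
ONE_TIME_LEN = 8                           # FIA_SOS.1.1 a): one-time password 8 characters
SPECIAL_SYMBOLS = set(string.punctuation)  # assumption: what "special symbols" means


def check_general_password(secret):
    """Return (ok, reason) for a general password under FIA_SOS.1.1 a) and b)."""
    if not GENERAL_MIN_LEN <= len(secret) <= GENERAL_MAX_LEN:
        return False, "length must be %d~%d characters" % (GENERAL_MIN_LEN, GENERAL_MAX_LEN)
    has_alpha = any(c.isalpha() for c in secret)
    has_digit = any(c.isdigit() for c in secret)
    has_special = any(c in SPECIAL_SYMBOLS for c in secret)
    # FIA_SOS.1.1 b): alphabetic + numeric, or alphabetic + special symbols
    if has_alpha and (has_digit or has_special):
        return True, "ok"
    return False, "must combine alphabetic with numeric or special characters"


def check_one_time_password(secret):
    """Return (ok, reason) for a one-time password under FIA_SOS.1.1 a)."""
    if len(secret) != ONE_TIME_LEN:
        return False, "one-time password must be exactly %d characters" % ONE_TIME_LEN
    return True, "ok"


class AuthenticationFailureHandler:
    """FIA_AFL.1: count unsuccessful attempts per user and lock the user once the
    administrator-configured threshold is met or surpassed; only an authorized
    administrator action clears the lock (FIA_AFL.1.2)."""

    def __init__(self, threshold):
        # FIA_AFL.1.1: an administrator configurable positive integer other than 0
        if not isinstance(threshold, int) or threshold < 1:
            raise ValueError("threshold must be a positive integer other than 0")
        self.threshold = threshold
        self.failures = {}
        self.locked = set()
        self.audit = []   # constructed audit trail, one string per event

    def attempt(self, user_id, secret, verify):
        """Process one authentication attempt; verify(user_id, secret) -> bool.
        Returns "locked", "success" or "failure"."""
        if user_id in self.locked:
            # FIA_AFL.1.2: no authentication until the administrator takes action
            self.audit.append("attempt while locked: %s" % user_id)
            return "locked"
        if verify(user_id, secret):
            self.failures[user_id] = 0
            return "success"
        self.failures[user_id] = self.failures.get(user_id, 0) + 1
        self.audit.append("authentication failure %d for %s" % (self.failures[user_id], user_id))
        if self.failures[user_id] >= self.threshold:
            self.locked.add(user_id)
            self.audit.append("user locked: %s" % user_id)
            return "locked"
        return "failure"

    def administrator_unlock(self, user_id):
        """Authorized administrator action that clears the lock and the counter."""
        self.locked.discard(user_id)
        self.failures[user_id] = 0
        self.audit.append("administrator unlocked: %s" % user_id)


def lockout_scenario(threshold=3):
    """Constructed scenario: `threshold` wrong passwords, then the correct one
    (still locked), then an administrator unlock and a successful log-in.
    Returns the list of attempt results."""
    passwords = {"alice": "Tr0ub4dor!"}   # constructed; a real TOE would store a hash

    def verify(user_id, secret):
        return passwords.get(user_id) == secret

    afh = AuthenticationFailureHandler(threshold)
    results = [afh.attempt("alice", "wrong%d" % i, verify) for i in range(threshold)]
    results.append(afh.attempt("alice", "Tr0ub4dor!", verify))   # correct, but locked
    afh.administrator_unlock("alice")
    results.append(afh.attempt("alice", "Tr0ub4dor!", verify))   # succeeds after unlock
    return results


if __name__ == "__main__":
    print(check_general_password("abc1234"), check_one_time_password("1234567"))
    print(lockout_scenario())
```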
FMT_MTD.1(5) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 The TSF shall restrict the ability to modify and delete the [identification and authentication data] to the [authorized administrator].

FMT_MTD.1(6) Management of TSF data
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
FMT_MTD.1.1 The TSF shall restrict the ability to modify the [time] to the [authorized administrator].

FMT_MTD.2 Management of limits on TSF data
Hierarchical to: No other components.
Dependencies: FMT_MTD.1 Management of TSF data
FMT_SMR.1 Security roles
FMT_MTD.2.1 The TSF shall restrict the specification of the limits for [audit storage capacity, authentication failure count, self-test interval] to [authorized administrator].
FMT_MTD.2.2 The TSF shall take the following actions, if the TSF data are at, or exceed, the indicated limits: [response specified in FAU_STG.3, FIA_AFL.1, and FPT_TST.1].
Application Notes: If the counterpart is not authenticated, another standard can be used rather than the authentication failure count.

FMT_MTD.3 Secure TSF data
Hierarchical to: No other components.
Dependencies: ADV_SPM.1 Informal TOE security policy model
FMT_MTD.1 Management of TSF data
FMT_MTD.3.1 The TSF shall ensure that only secure values are accepted for TSF data.

FMT_SMR.1 Security roles
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 The TSF shall maintain the roles [of authorized administrator].
FMT_SMR.1.2 The TSF shall be able to associate users with authorized administrator's roles.

5.1.1.6 Protection of the TSF (FPT)

FPT_AMT.1 Abstract machine testing
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_AMT.1.1 The TSF shall run a suite of tests [during initial start-up, periodically during normal operation, at the request of an authorised user, {None}] to demonstrate the correct operation of the security assumptions provided by the abstract machine that underlies the TSF.

FPT_RPL.1 Replay detection
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_RPL.1.1 The TSF shall detect replay for the following entities: [{Authentication of the counterpart}].
FPT_RPL.1.2 The TSF shall perform [{prevention of reattempts and generation of audit records}] when replay is detected.
Application Notes: The entity may be a message, service request, service response, or session. As a response to the entity, the entity may be ignored.

FPT_RVM.1 Non-bypassability of the TSP
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_RVM.1.1 The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed.

FPT_SEP.1 TSF domain separation
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_SEP.1.1 The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects.
FPT_SEP.1.2 The TSF shall enforce separation between the security domains of subjects in the TSC.

FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use.
Application Notes: The security functional requirements shall provide a time stamp that guarantees that audit data is generated in order and in relation to the security audit function.

FPT_TST.1 TSF testing
Hierarchical to: No other components.
Dependencies: FPT_AMT.1 Abstract machine testing
FPT_TST.1.1 The TSF shall run a suite of self tests [during initial start-up, periodically during normal operation, at the request of the authorised user, [None]] to demonstrate the correct operation of the TSF.
FPT_TST.1.2 The TSF shall provide authorised administrators with the capability to verify the integrity of TSF data.
FPT_TST.1.3 The TSF shall provide authorised administrators with the capability to verify the integrity of stored TSF executable code.

FPT_TST.2 TSF data integrity error handling
Hierarchical to: No other components.
Dependencies: FPT_TST.1 TSF testing
FPT_TST.2.1 If a TSF data integrity error is detected, the TSF shall handle it as follows.
a) Notification to Authorized Administrator
b) [{Audit Record}]

5.1.1.7 TOE access (FTA)

FTA_SSL.1 TSF-initiated session locking
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication*
* [VPN_PP_V1.1] selected FIA_UAU.2, which has a hierarchical relationship with FIA_UAU.1, so this Security Target adopted FIA_UAU.2.
FTA_SSL.1.1 The TSF shall lock the session of the authorized administrator after [{authorized administrator idle time (default: 1 minute)}] by:
a) clearing or overwriting display devices, making the current contents unreadable;
b) disabling any activity of the user's data access/display devices other than unlocking the session.
FTA_SSL.1.2 The TSF shall require the following events to occur prior to unlocking the session: [{re-identification and authentication}].
Application Notes: In the security functional requirements, a user means an authorized administrator.

FTA_SSL.3 TSF-initiated termination
Hierarchical to: No other components.
Dependencies: No dependencies.
FTA_SSL.3.1 The TSF shall terminate an interactive authorized general user's session after a [{the following idle time of authorized general users set by the administrator (default: None)}].
a) When an authorized general user using a proxy crosses the threshold of the corresponding proxy

5.1.1.8 Trusted path/channels (FTP)

FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components.
Dependencies: No dependencies.
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and a remote trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit the TSF to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [remote management function, {None}].

5.1.2 Author-augmented Security functional requirements (SFR)
The security functional requirements referred to by this Security Target consist of the SFR components specified in Protection Profile Type 2. For the security functions provided by the TOE but not included in the protection profile, the author can add them by referring to the Common Criteria for the information protection system.

[Table 5-3] Augmented Security Functional Requirements
Security Function Class    Security Function Component
Security Management        FMT_SMF.1* Specification of management functions
Privacy                    FPR_UNO.4 Authorized user observability
* FMT_SMF.1 is based on 'Common Criteria (CC) V2.2 Final Interpretation, October 2005.'

5.1.2.1 Security Management (FMT)
FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing security management functions [as follows]:
a) TSF function management and security attribute management – Specified in FMT_MOF.1.
b) TSF data management – Specified in FMT_MTD.1.
c) TSF Data (Configuration Data) backup and recovery
d) Upgrading of the TOE

5.1.2.2 Privacy (FPR)
FPR_UNO.4 Authorized user observability
Hierarchical to: No other components.
Dependencies: No dependencies.
FPR_UNO.4.1 The TSF shall provide the [authorized administrator] with the capability to observe the usage of [traffic at each interface of the TOE, packet filtering, network address translation, and VPN tunnel, logged-in user].
5.1.3 Deleted Security functional requirements (SFR)
The deleted security functional requirements shown below use components with a hierarchical relationship, so they are not used again: FIA_UAU.1 Authentication – FIA_UAU.2, which has a hierarchical relationship, was selected in the VPN protection profile.

5.2 TOE Security Assurance Requirements
This paragraph selectively provides augmented assurance requirements (in bold characters) which conform to the EAL3 grade of the Common Criteria for the information protection system and the EAL3+ grade defined by a local (Korean) certificate agency. The augmented assurance components are as follows:
- ADV_IMP.2 Implementation of the TSF
- ADV_LLD.1 Descriptive low-level design
- ALC_TAT.1 Well-defined development tools
- ATE_DPT.2 Testing: low-level design
- AVA_VLA.2 Independent vulnerability analysis

[Table 5-4] EAL 3+ Grade Assurance Requirements List
Assurance Class            Assurance Component
Configuration management   ACM_CAP.3 Authorisation controls
                           ACM_SCP.1 TOE CM coverage
Delivery and operation     ADO_DEL.1 Delivery procedures
                           ADO_IGS.1 Installation, generation, and start-up procedures
Development                ADV_FSP.1 Informal functional specification
                           ADV_HLD.2 Security enforcing high-level design
                           ADV_IMP.2 Implementation of the TSF
                           ADV_LLD.1 Descriptive low-level design
                           ADV_RCR.1 Informal correspondence demonstration
Guidance documents         AGD_ADM.1 Administrator guidance
                           AGD_USR.1 User guidance
Life cycle support         ALC_DVS.1 Identification of security measures
                           ALC_TAT.1 Well-defined development tools
Tests                      ATE_COV.2 Analysis of coverage
                           ATE_DPT.2 Testing: low-level design
                           ATE_FUN.1 Functional testing
                           ATE_IND.2 Independent testing - sample
Vulnerability assessment   AVA_MSU.1 Examination of guidance
                           AVA_SOF.1 Strength of TOE security function evaluation
                           AVA_VLA.2 Independent vulnerability analysis

5.2.1 Configuration Management
ACM_CAP.3 Authorisation controls
Dependencies: ALC_DVS.1 Identification of security measures
ACM_CAP.3.1D The developer shall provide a reference for the TOE.
ACM_CAP.3.2D The developer shall use a CM system.
ACM_CAP.3.3D The developer shall provide CM documentation.
ACM_CAP.3.1C The reference for the TOE shall be unique to each version of the TOE.
ACM_CAP.3.2C The TOE shall be labelled with its reference.
ACM_CAP.3.3C The CM documentation shall include a configuration list and a CM plan.
ACM_CAP.3.4C The configuration list shall uniquely identify all configuration items that comprise the TOE.
ACM_CAP.3.5C The configuration list shall describe the configuration items that comprise the TOE.
ACM_CAP.3.6C The CM documentation shall describe the method used to uniquely identify the configuration items that comprise the TOE.
ACM_CAP.3.7C The CM system shall uniquely identify all configuration items that comprise the TOE.
ACM_CAP.3.8C The CM plan shall describe how the CM system is used.
ACM_CAP.3.9C The evidence shall demonstrate that the CM system is operating in accordance with the CM plan.
ACM_CAP.3.10C The CM documentation shall provide evidence that all configuration items have been and are being effectively maintained under the CM system.
ACM_CAP.3.11C The CM system shall provide measures such that only authorised changes are made to the configuration items.
ACM_CAP.3.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ACM_SCP.1 TOE CM coverage
Dependencies: ACM_CAP.3 Authorisation controls
ACM_SCP.1.1D The developer shall provide a list of configuration items for the TOE.
ACM_SCP.1.1C The list of configuration items shall include the following: implementation representation and the evaluation evidence required by the assurance components in the ST.
ACM_SCP.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.2 Delivery and Operation
ADO_DEL.1 Delivery procedures
Dependencies: No dependencies.
ADO_DEL.1.1D The developer shall document procedures for delivery of the TOE or parts of it to the user.
ADO_DEL.1.2D The developer shall use the delivery procedures.
ADO_DEL.1.1C The delivery documentation shall describe all procedures that are necessary to maintain security when distributing versions of the TOE to a user's site.
ADO_DEL.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ADO_IGS.1 Installation, generation, and start-up procedures
Dependencies: AGD_ADM.1 Administrator guidance
ADO_IGS.1.1D The developer shall document procedures necessary for the secure installation, generation, and start-up of the TOE.
ADO_IGS.1.1C The installation, generation and start-up documentation shall describe all the steps necessary for secure installation, generation and start-up of the TOE.
ADO_IGS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADO_IGS.1.2E The evaluator shall determine that the installation, generation, and start-up procedures result in a secure configuration.

5.2.3 Development
ADV_FSP.1 Informal functional specification
Dependencies: ADV_RCR.1 Informal correspondence demonstration
ADV_FSP.1.1D The developer shall provide a functional specification.
ADV_FSP.1.1C The functional specification shall describe the TSF and its external interfaces using an informal style.
ADV_FSP.1.2C The functional specification shall be internally consistent.
ADV_FSP.1.3C The functional specification shall describe the purpose and method of use of all external TSF interfaces, providing details of effects, exceptions and error messages, as appropriate.
ADV_FSP.1.4C The functional specification shall completely represent the TSF.
ADV_FSP.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_FSP.1.2E The evaluator shall determine that the functional specification is an accurate and complete instantiation of the TOE security functional requirements.
ADV_HLD.2 Security enforcing high-level design
Dependencies: ADV_FSP.1 Informal functional specification
ADV_RCR.1 Informal correspondence demonstration
ADV_HLD.2.1D The developer shall provide the high-level design of the TSF.
ADV_HLD.2.1C The presentation of the high-level design shall be informal.
ADV_HLD.2.2C The high-level design shall be internally consistent.
ADV_HLD.2.3C The high-level design shall describe the structure of the TSF in terms of subsystems.
ADV_HLD.2.4C The high-level design shall describe the security functionality provided by each subsystem of the TSF.
ADV_HLD.2.5C The high-level design shall identify any underlying hardware, firmware, and/or software required by the TSF with a presentation of the functions provided by the supporting protection mechanisms implemented in that hardware, firmware, or software.
ADV_HLD.2.6C The high-level design shall identify all interfaces to the subsystems of the TSF.
ADV_HLD.2.7C The high-level design shall identify which of the interfaces to the subsystems of the TSF are externally visible.
ADV_HLD.2.8C The high-level design shall describe the purpose and method of use of all interfaces to the subsystems of the TSF, providing details of effects, exceptions and error messages, as appropriate.
ADV_HLD.2.9C The high-level design shall describe the separation of the TOE into TSP-enforcing and other subsystems.
ADV_HLD.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_HLD.2.2E The evaluator shall determine that the high-level design is an accurate and complete instantiation of the TOE security functional requirements.

ADV_IMP.2 Implementation of the TSF
Dependencies: ADV_LLD.1 Descriptive low-level design
ADV_RCR.1 Informal correspondence demonstration
ALC_TAT.1 Well-defined development tools
ADV_IMP.2.1D The developer shall provide the implementation representation for the entire TSF.
ADV_IMP.2.1C The implementation representation shall unambiguously define the TSF to a level of detail such that the TSF can be generated without further design decisions.
ADV_IMP.2.2C The implementation representation shall be internally consistent.
ADV_IMP.2.3C The implementation representation shall describe the relationships between all portions of the implementation.
ADV_IMP.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_IMP.2.2E The evaluator shall determine that the implementation representation is an accurate and complete instantiation of the TOE security functional requirements.

ADV_LLD.1 Descriptive low-level design
Dependencies: ADV_HLD.2 Security enforcing high-level design
ADV_RCR.1 Informal correspondence demonstration
ADV_LLD.1.1D The developer shall provide the low-level design of the TSF.
ADV_LLD.1.1C The presentation of the low-level design shall be informal.
ADV_LLD.1.2C The low-level design shall be internally consistent.
ADV_LLD.1.3C The low-level design shall describe the TSF in terms of modules.
ADV_LLD.1.4C The low-level design shall describe the purpose of each module.
ADV_LLD.1.5C The low-level design shall define the interrelationships between the modules in terms of provided security functionality and dependencies on other modules.
ADV_LLD.1.6C The low-level design shall describe how each TSP-enforcing function is provided.
ADV_LLD.1.7C The low-level design shall identify all interfaces to the modules of the TSF.
ADV_LLD.1.8C The low-level design shall identify which of the interfaces to the modules of the TSF are externally visible.
ADV_LLD.1.9C The low-level design shall describe the purpose and method of use of all interfaces to the modules of the TSF, providing details of effects, exceptions and error messages, as appropriate.
ADV_LLD.1.10C The low-level design shall describe the separation of the TOE into TSP-enforcing and other modules.
ADV_LLD.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_LLD.1.2E The evaluator shall determine that the low-level design is an accurate and complete instantiation of the TOE security functional requirements.
ADV_RCR.1 Informal correspondence demonstration
Dependencies: No dependencies.
ADV_RCR.1.1D The developer shall provide an analysis of correspondence between all adjacent pairs of TSF representations that are provided.
ADV_RCR.1.1C For each adjacent pair of provided TSF representations, the analysis shall demonstrate that all relevant security functionality of the more abstract TSF representation is correctly and completely refined in the less abstract TSF representation.
ADV_RCR.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.4 Guidance documents
AGD_ADM.1 Administrator guidance
Dependencies: ADV_FSP.1 Informal functional specification
AGD_ADM.1.1D The developer shall provide administrator guidance addressed to system administrative personnel.
Content and presentation of evidence elements:
AGD_ADM.1.1C The administrator guidance shall describe the administrative functions and interfaces available to the administrator of the TOE.
AGD_ADM.1.2C The administrator guidance shall describe how to administer the TOE in a secure manner.
AGD_ADM.1.3C The administrator guidance shall contain warnings about functions and privileges that should be controlled in a secure processing environment.
AGD_ADM.1.4C The administrator guidance shall describe all assumptions regarding user behaviour that are relevant to secure operation of the TOE.
AGD_ADM.1.5C The administrator guidance shall describe all security parameters under the control of the administrator, indicating secure values as appropriate.
AGD_ADM.1.6C The administrator guidance shall describe each type of security-relevant event relative to the administrative functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.
AGD_ADM.1.7C The administrator guidance shall be consistent with all other documentation supplied for evaluation.
AGD_ADM.1.8C The administrator guidance shall describe all security requirements for the IT environment that are relevant to the administrator.
AGD_ADM.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

AGD_USR.1 User guidance
Dependencies: ADV_FSP.1 Informal functional specification
AGD_USR.1.1D The developer shall provide user guidance.
AGD_USR.1.1C The user guidance shall describe the functions and interfaces available to the non-administrative users of the TOE.
AGD_USR.1.2C The user guidance shall describe the use of user-accessible security functions provided by the TOE.
AGD_USR.1.3C The user guidance shall contain warnings about user-accessible functions and privileges that should be controlled in a secure processing environment.
AGD_USR.1.4C The user guidance shall clearly present all user responsibilities necessary for secure operation of the TOE, including those related to assumptions regarding user behaviour found in the statement of TOE security environment.
AGD_USR.1.5C The user guidance shall be consistent with all other documentation supplied for evaluation.
AGD_USR.1.6C The user guidance shall describe all security requirements for the IT environment that are relevant to the user.
AGD_USR.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.5 Life Cycle Support

ALC_DVS.1 Identification of security measures
Dependencies: No dependencies.
ALC_DVS.1.1D The developer shall produce development security documentation.
ALC_DVS.1.1C The development security documentation shall describe all the physical, procedural, personnel, and other security measures that are necessary to protect the confidentiality and integrity of the TOE design and implementation in its development environment.
ALC_DVS.1.2C The development security documentation shall provide evidence that these security measures are followed during the development and maintenance of the TOE.
ALC_DVS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ALC_DVS.1.2E The evaluator shall confirm that the security measures are being applied.

ALC_TAT.1 Well-defined development tools
Dependencies: ADV_IMP.1 Subset of the implementation of the TSF
ALC_TAT.1.1D The developer shall identify the development tools being used for the TOE.
ALC_TAT.1.2D The developer shall document the selected implementation-dependent options of the development tools.
ALC_TAT.1.1C All development tools used for implementation shall be well-defined.
ALC_TAT.1.2C The documentation of the development tools shall unambiguously define the meaning of all statements used in the implementation.
ALC_TAT.1.3C The documentation of the development tools shall unambiguously define the meaning of all implementation-dependent options.
ALC_TAT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.6 Tests

ATE_COV.2 Analysis of coverage
Dependencies: ADV_FSP.1 Informal functional specification; ATE_FUN.1 Functional testing
ATE_COV.2.1D The developer shall provide an analysis of the test coverage.
ATE_COV.2.1C The analysis of the test coverage shall demonstrate the correspondence between the tests identified in the test documentation and the TSF as described in the functional specification.
ATE_COV.2.2C The analysis of the test coverage shall demonstrate that the correspondence between the TSF as described in the functional specification and the tests identified in the test documentation is complete.
ATE_COV.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ATE_DPT.2 Testing: low-level design
Dependencies: ADV_HLD.2 Security enforcing high-level design; ADV_LLD.1 Descriptive low-level design; ATE_FUN.1 Functional testing
ATE_DPT.2.1D The developer shall provide the analysis of the depth of testing.
ATE_DPT.2.1C The depth analysis shall demonstrate that the tests identified in the test documentation are sufficient to demonstrate that the TSF operates in accordance with its high-level design and low-level design.
ATE_DPT.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ATE_FUN.1 Functional testing
Dependencies: No dependencies.
ATE_FUN.1.1D The developer shall test the TSF and document the results.
ATE_FUN.1.2D The developer shall provide test documentation.
ATE_FUN.1.1C The test documentation shall consist of test plans, test procedure descriptions, expected test results and actual test results.
ATE_FUN.1.2C The test plans shall identify the security functions to be tested and describe the goal of the tests to be performed.
ATE_FUN.1.3C The test procedure descriptions shall identify the tests to be performed and describe the scenarios for testing each security function. These scenarios shall include any ordering dependencies on the results of other tests.
ATE_FUN.1.4C The expected test results shall show the anticipated outputs from a successful execution of the tests.
ATE_FUN.1.5C The test results from the developer execution of the tests shall demonstrate that each tested security function behaved as specified.
ATE_FUN.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ATE_IND.2 Independent testing - sample
Dependencies: ADV_FSP.1 Informal functional specification; AGD_ADM.1 Administrator guidance; AGD_USR.1 User guidance; ATE_FUN.1 Functional testing
ATE_IND.2.1D The developer shall provide the TOE for testing.
ATE_IND.2.1C The TOE shall be suitable for testing.
ATE_IND.2.2C The developer shall provide an equivalent set of resources to those that were used in the developer's functional testing of the TSF.
ATE_IND.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ATE_IND.2.2E The evaluator shall test a subset of the TSF as appropriate to confirm that the TOE operates as specified.
ATE_IND.2.3E The evaluator shall execute a sample of tests in the test documentation to verify the developer test results.

5.2.7 Vulnerability Assessment

AVA_MSU.1 Examination of guidance
Dependencies: ADO_IGS.1 Installation, generation, start-up procedures; ADV_FSP.1 Informal functional specification; AGD_ADM.1 Administrator guidance; AGD_USR.1 User guidance
AVA_MSU.1.1D The developer shall provide guidance documentation.
AVA_MSU.1.1C The guidance documentation shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences and implications for maintaining secure operation.
AVA_MSU.1.2C The guidance documentation shall be complete, clear, consistent and reasonable.
AVA_MSU.1.3C The guidance documentation shall list all assumptions about the intended environment.
AVA_MSU.1.4C The guidance documentation shall list all requirements for external security measures (including external procedural, physical and personnel controls).
AVA_MSU.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AVA_MSU.1.2E The evaluator shall repeat all configuration and installation procedures to confirm that the TOE can be configured and used securely using only the supplied guidance documentation.
AVA_MSU.1.3E The evaluator shall determine that the use of the guidance documentation allows all insecure states to be detected.

AVA_SOF.1 Strength of TOE security function evaluation
Dependencies: ADV_FSP.1 Informal functional specification; ADV_HLD.1 Descriptive high-level design
AVA_SOF.1.1D The developer shall perform a strength of TOE security function analysis for each mechanism identified in the ST as having a strength of TOE security function claim.
AVA_SOF.1.1C For each mechanism with a strength of TOE security function claim, the strength of TOE security function analysis shall show that it meets or exceeds the minimum strength level defined in the PP/ST.
AVA_SOF.1.2C For each mechanism with a specific strength of TOE security function claim, the strength of TOE security function analysis shall show that it meets or exceeds the specific strength of function metric defined in the PP/ST.
AVA_SOF.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AVA_SOF.1.2E The evaluator shall confirm that the strength claims are correct.

AVA_VLA.2 Independent vulnerability analysis
Dependencies: ADV_FSP.1 Informal functional specification; ADV_HLD.2 Security enforcing high-level design; ADV_IMP.1 Subset of the implementation of the TSF; ADV_LLD.1 Descriptive low-level design; AGD_ADM.1 Administrator guidance; AGD_USR.1 User guidance
AVA_VLA.2.1D The developer shall perform a vulnerability analysis.
AVA_VLA.2.2D The developer shall provide vulnerability analysis documentation.
AVA_VLA.2.1C The vulnerability analysis documentation shall describe the analysis of the TOE deliverables performed to search for ways in which a user can violate the TSP.
AVA_VLA.2.2C The vulnerability analysis documentation shall describe the disposition of identified vulnerabilities.
AVA_VLA.2.3C The vulnerability analysis documentation shall show, for all identified vulnerabilities, that the vulnerability cannot be exploited in the intended environment for the TOE.
AVA_VLA.2.4C The vulnerability analysis documentation shall justify that the TOE, with the identified vulnerabilities, is resistant to obvious penetration attacks.
AVA_VLA.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AVA_VLA.2.2E The evaluator shall conduct penetration testing, building on the developer vulnerability analysis, to ensure the identified vulnerabilities have been addressed.
AVA_VLA.2.3E The evaluator shall perform an independent vulnerability analysis.
AVA_VLA.2.4E The evaluator shall perform independent penetration testing, based on the independent vulnerability analysis, to determine the exploitability of additional identified vulnerabilities in the intended environment.
AVA_VLA.2.5E The evaluator shall determine that the TOE is resistant to penetration attacks performed by an attacker possessing a low attack potential.

5.3 Requirements for IT Environments

Requirements for IT environments are as follows:

FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components.
Dependencies: No dependencies.
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and a remote trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit the TSF to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [remote control, {None}].
Application Notes: The TOE calls the SSL function in the IT environment and provides a secure channel through the SSL protocol.

FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use.
Application Notes: The TOE calls the time stamp server in the IT environment and manages the time sources in a secure manner.

FAU_SAR.3 Selective audit review
Hierarchical to: No other components.
Dependencies: FAU_SAR.1 Audit review
FAU_SAR.3.1 The TSF shall provide the ability to perform searches and sorting of audit data based on [{standard for following logical relations}].
e) Audit record type – system logs, firewall logs, session logs, proxy session logs
f) System log – time, host IP address, priority, process, message content (detailed information: keyword)
g) Firewall/session log – time, host, source/destination IP address, protocol, source/destination port, ICMP type, service, size, operation (ACCEPT/DROP/REJECT/OPEN/CLOSE)
h) Proxy session log – time, host IP address, source/destination IP address, user, service, operation (OPEN, CLOSE)
Application Notes: The TOE calls SQL-Life, an external DBMS, in the IT environment and manages the audit record storage in a secure manner.

6 TOE Summary Specification

This chapter describes how the TOE provides security functions and assurance measures to meet the assurance and security requirements of the TOE.

6.1 Assurance Measures

The assurance measures for the assurance requirements specified in this Security Target comply with the assurance requirements specified in Part 3 of the Common Criteria for the Information Protection System. [Table 6-1] shows the list of documents that can verify compliance with the assurance requirements.
[Table 6-1] Assurance Requirements and Assurance Documents

Assurance component     | Component title                                                                      | Assurance document
ACM_CAP.3               | Authorisation controls                                                               | Configuration Management Document
ACM_SCP.1               | TOE CM coverage                                                                      | Configuration Management Document
ADO_DEL.1               | Delivery procedures                                                                  | Delivery documents
ADO_IGS.1               | Installation, generation, and start-up procedures                                    | Installation Guide
ADV_FSP.1, ADV_RCR.1    | Informal functional specification; Informal correspondence demonstration             | Functional Specification
ADV_HLD.2, ADV_RCR.1    | Security enforcing high-level design; Informal correspondence demonstration          | High-level Design
ADV_IMP.2, ADV_RCR.1    | Implementation of the TSF; Informal correspondence demonstration                     | Implementation Specification
ADV_LLD.1, ADV_RCR.1    | Descriptive low-level design; Informal correspondence demonstration                  | Low-level Design
AGD_ADM.1               | Administrator guidance                                                               | Administrator Guidance documentation
AGD_USR.1               | User guidance                                                                        | User Guidance documentation
ALC_DVS.1               | Identification of security measures                                                  | Development Security Document
ALC_TAT.1               | Well-defined development tools                                                       | Development Tool Document
ATE_COV.2               | Analysis of coverage                                                                 | Test Document
ATE_DPT.2               | Testing: low-level design                                                            | Test Document
ATE_FUN.1               | Functional testing                                                                   | Test Document
ATE_IND.2               | Independent testing - sample                                                         | Test Document
AVA_MSU.1               | Examination of guidance                                                              | Administrator and User Guidance Documentation
AVA_SOF.1               | Strength of TOE security function evaluation                                         | Vulnerability Analysis Report
AVA_VLA.2               | Independent vulnerability analysis                                                   | Vulnerability Analysis Report

6.2 TOE Security Function

The description of the TOE Security Function (TSF) includes how each TSF conforms to the corresponding security functional requirements. This paragraph includes descriptions of each security function and explains how each security function meets the corresponding requirements.
6.2.1 Security Audit (FAU)

6.2.1.1 Security Alarm (FAU_Alarm)

FAU_Alarm.1 When an audit record of the corresponding priority set by the administrator occurs, the TOE will send a warning message to the administrator. If an audit record crossing the priority set by the administrator occurs, details of the corresponding audit record will be sent to the administrator's e-mail address, and the "Unconfirmed important audit records" message will be displayed on the security management screen of the authorized administrator's PC.

FAU_Alarm.2 The TOE includes a potential violation analysis based on the priority of the audit record. If an event such as "identification and authentication security policy violation", "cryptographic operation failure", or "access control rule violation", which can be considered a potential threat, occurs, the priority level of the warning or error will be sent to the authorized administrator with the corresponding audit record. In case of a user authentication failure in the TOE, an alarm will be sent to the administrator as an identification and authentication security policy violation. In case of a cryptographic operation failure, when the cryptographic packet sent by the user through the IPSec protocol is not valid, an alarm will be sent to the administrator. To send an alarm (an e-mail to the administrator) for a packet dropped (by rule violation, not by the rejection policy), set "log" in the packet-filtering policy so that the "dropped" packets and the corresponding audit records will be reported to the administrator. This process can be summarized as follows:
- Identification and authentication security policy violation – audit records of failed authentication and identification, and audit records crossing the priority.
- Cryptographic operation failure – when the cryptographic packet sent by the user through the IPSec protocol is not valid.
- Access control rule violation – when a packet dropped by the packet-filtering policy selects an audit record.
6.2.1.2 Audit Records Generation (FAU_Audit)

FAU_Audit.1 The TOE stores audit records generated in VForce 1700 V1.0 S/W, where the security functions operate to protect user data on the network. The TOE can also search the stored audit records, generate statistical data, and report these items to the administrator. VForce 1700 V1.0 generates audit records for operations of all security functions. When the TOE generates audit records, the event occurrence time, audit record data, and the subject identity (user, source IP address, or the process that generated the audit record) will also be generated. Each audit record contains similar information depending on the audit record type. For consistency of the event occurrence time, the TOE can use trusted time through the NTP protocol.
- System Log – time (month, day, hh:mm:ss), priority, program, contents
- Access Control Log – time (month, day, hh:mm:ss), processing (accept/drop/reject), prefix (audit record prefix to identify packet audit records), IN (inbound), OUT (outbound), source, destination, protocol, SPORT, DPORT, TYPE (ICMP), CODE (ICMP)
- IPSec Packet Log – time (month, day, hh:mm:ss), priority, contents

FAU_Audit.2 Audit records created by the TOE are categorized as shown below:

[Table 6-2] Audit Record Types and Description

System Log
  Audit record result and contents: Audit records are classified into audit records generated in the system, session opening/closing information, and proxy-related audit records. Then, audit records related to starting and stopping of the process responsible for the audit function are created. The system log identifies the security breach type according to the definition in FAU_Alarm.2, and audits and records the responses (mail sending). All of the administrator's security management activities and new security attributes are audited and recorded. If a security setting fails due to an internal security problem, this event will be included in the important audit records so that the event is audited and stored. Audit records related to identification and authentication are classified as system log, which includes success or failure of identification and authentication in the TOE.
  Included functional components required by FAU_GEN: FAU_ARP.1, FAU_SAA.1, FAU_SEL.1, FCS_CKM.1, FCS_CKM.2, FCS_CKM.4, FIA_AFL.1, FIA_SOS.1, FIA_UAU.2, FIA_UID.2, FMT_MSA.1, FMT_MSA.2, FMT_MTD.1, FMT_MTD.2, FMT_MTD.3, FPT_SMR.1, FPT_STM.1, FPT_TST.2, FTA_SSL.1, FTA_SSL.3, FTP_ITC.1, FMT_MOF.1, FMT_SMF.1, FPR_UNO.4

Access Control Log
  Audit record result and contents: Audit records created by the packet-filtering security policy rules. These audit records contain the processing result of the packet data and the audit records generated in the IKE process that is executed to connect the VPN. The audit records for success and failure in each phase or key generation phase of the IKE process are included. Details about the processing result (accept, drop, or reject) generated by the packet-filtering policy are also included.
  Included functional components required by FAU_GEN: FDP_ACF.1, FDP_IFF.1, FPR_PSE.1

IPSec Packet Log
  Audit record result and contents: Encoding/decoding of packets through the VPN IPSec interface, and the event priority and message contents (details), are recorded. The IPSec Packet Log includes the audit records related to the success/failure of encryption.
  Included functional components required by FAU_GEN: FCS_COP.1, FDP_DAU.1

FAU_Audit.3 The above audit records have the following priorities:
- Emergency: audit records that have a critical influence on the TOE.
- Alert: audit records that must be immediately modified.
- Critical: audit records that must warn of a dangerous situation related to storage media.
- Error: audit records that may produce an unexpected result.
- Warning: audit records subject to warning.
- Notice: audit records that do not produce an unexpected result but may need special action.
- Information: audit records for general activities made in the TOE.
- Debug: audit records concerning debugging messages in the subsystem (or process) that is responsible for the security functions in the TOE.
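The alarm logic described in FAU_Alarm.1 and FAU_Alarm.2, combined with the FAU_Audit.3 priority scale, can be modelled in a few lines. The following is an added example, not code from the VForce 1700 product or from this Security Target: the record fields, the keyword tests that classify a record as one of the three potential-violation types, the sample records and the "error" threshold are all assumptions made for illustration. It shows the two independent triggers, a priority at or above the administrator's threshold and a recognized violation type regardless of priority, and the two delivery paths (e-mail with record details, fixed screen message).

```python
"""Priority-threshold alarm evaluation in the style of FAU_Alarm.1, FAU_Alarm.2
and the FAU_Audit.3 priority scale. Constructed example, not VForce 1700 code:
record fields, sample records and the threshold value are assumptions."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# FAU_Audit.3 priority scale, most severe first (index 0 = Emergency).
PRIORITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debug"]


def severity(priority: str) -> int:
    """Rank of a priority name; lower is more severe. Unknown names rank as Debug."""
    name = priority.strip().lower()
    return PRIORITIES.index(name) if name in PRIORITIES else len(PRIORITIES) - 1


@dataclass(frozen=True)
class AuditRecord:
    time: str                          # "month day hh:mm:ss" as in FAU_Audit.1
    priority: str
    log_type: str                      # "system", "access_control" or "ipsec"
    program: str
    contents: str
    processing: Optional[str] = None   # access-control result: accept/drop/reject
    rule_logs: bool = False            # "log" set in the matching packet-filtering rule


def potential_violation(rec: AuditRecord) -> Optional[str]:
    """FAU_Alarm.2: map a record to one of the three potential-violation types,
    or None if it is not one. The keyword tests on contents are assumptions."""
    text = rec.contents.lower()
    if rec.log_type == "system" and "authentication failure" in text:
        return "identification and authentication security policy violation"
    if rec.log_type == "ipsec" and "invalid" in text:
        return "cryptographic operation failure"
    if rec.log_type == "access_control" and rec.processing == "drop" and rec.rule_logs:
        return "access control rule violation"
    return None


def evaluate(records: List[AuditRecord], threshold: str) -> List[Tuple[str, AuditRecord]]:
    """Return (reason, record) pairs that must be alarmed: every potential
    violation (FAU_Alarm.2) plus every record whose priority is at or above the
    administrator-set threshold (FAU_Alarm.1)."""
    alarms = []
    limit = severity(threshold)
    for rec in records:
        reason = potential_violation(rec)
        if reason is None and severity(rec.priority) <= limit:
            reason = f"priority {rec.priority} reaches threshold {threshold}"
        if reason is not None:
            alarms.append((reason, rec))
    return alarms


def notification(reason: str, rec: AuditRecord) -> Tuple[str, str]:
    """FAU_Alarm.1 delivery: the e-mail carries the record details, while the
    management screen shows only the fixed 'Unconfirmed important audit records' flag."""
    mail = (f"Subject: [{rec.priority.upper()}] {reason}\n"
            f"{rec.time} {rec.program}: {rec.contents}")
    return mail, "Unconfirmed important audit records"


# Constructed sample records (not captured from any device).
SAMPLE_RECORDS = [
    AuditRecord("Jul 20 09:01:12", "notice", "system", "admin-ui",
                "authentication failure for user admin from 192.0.2.5"),
    AuditRecord("Jul 20 09:02:40", "error", "ipsec", "ipsec",
                "ESP packet from 198.51.100.9 invalid: integrity check failed"),
    AuditRecord("Jul 20 09:03:05", "information", "access_control", "pf",
                "IN eth0 198.51.100.9 -> 192.0.2.10 tcp 23", "drop", True),
    AuditRecord("Jul 20 09:03:06", "information", "access_control", "pf",
                "IN eth0 203.0.113.4 -> 192.0.2.10 tcp 23", "drop", False),
    AuditRecord("Jul 20 09:10:00", "critical", "system", "auditd",
                "free space on audit file system below 10%"),
    AuditRecord("Jul 20 09:11:00", "information", "system", "admin-ui",
                "configuration saved by admin"),
]


def sample_alarms(threshold: str = "error") -> List[Tuple[str, AuditRecord]]:
    """Evaluate the constructed sample against the given threshold."""
    return evaluate(SAMPLE_RECORDS, threshold)


if __name__ == "__main__":
    for reason, rec in sample_alarms():
        mail, screen = notification(reason, rec)
        print(screen, "|", mail.splitlines()[0])
```

Note that the fourth sample record (a dropped packet whose rule has no "log" flag) produces no alarm even though it is a drop, which is exactly the behaviour FAU_Alarm.2 describes: the administrator opts in to drop alarms per rule.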
FAU_Audit.4 VForce 1700 V1.0 S/W can select whether to create an audit record for each packet-filtering policy set by the administrator (the selection choices are None, New Connection, and All). In particular, to prevent overload caused by multiple audit records for the same event, the TOE can limit the number of audit records created per time unit for the corresponding policy. If the administrator selects "New Connection" or "All", the administrator will be required to set the average and the maximum number of audit records created by the corresponding security policy per second.

6.2.1.3 Prevention of Loss of Audit Records (FAU_Prevent)

FAU_Prevent.1 Only the authorized administrator can access and manage audit records generated and managed by the TOE, so that a general user or an unauthorized user, including a third party, cannot search, change, or delete audit records. Even the authorized administrator cannot access the file system of the TOE. The console shell supports only basic installation commands, so that even an authorized administrator cannot access the file system that stores audit record data. Only the corresponding process executing the security function can access the audit record data files. There are no accounts that can access the TOE through a network. The administrator can manage the file system only by accessing the console.

FAU_Prevent.2 The TOE checks the available storage media space of the file system every hour. VForce 1700 V1.0 manages free space in two ways: "Warning" and "Suspension". If the free space is less than 10% (changeable by the administrator) of the total file system space and audit records may be lost, the following warnings will be generated for the administrator as primary measures:
- Corresponding audit records
- Notification of the occurrence of important audit records through a warning e-mail or a message box

FAU_Prevent.3 When the free space reaches 5% (changeable by the administrator) of the total file system space, which is subject to "Suspension", an alarm mail will be sent to the administrator and all services of the TOE will be suspended to prevent events subject to audit records, as secondary measures. In other words, the authorized administrator will be allowed only to access the security management functions of the TOE, and all packet-filtering operations will be suspended.

6.2.1.4 Viewing Audit Records (FAU_View)

FAU_View.1 The TOE allows the authorized administrator to view audit records generated in the TOE on the security management screen (through web UIs). Before the audit records generated in VForce1700 are sent to the NexG log server, they are stored in memory as long as memory space allows, so that administrators can view stored audit records. VForce1700 provides a security management screen so that the authorized administrator can view audit records by the audit record types shown in [Table 6-1]. The authorized administrator can check the audit records according to the creation time of the audit records on the security management screen.

FAU_View.2 The audit records created in VForce1700 are transmitted to and stored on the NexG log server in real time, so that an authorized administrator can view the audit records on the security management screen in real time. In other words, in VForce1700, the administrator can search audit records that are stored in the available memory space based on FIFO.
However, if audit records created in VForce1700 are transmitted to the NexG log server in real time, the administrator can view real-time audit records and search audit records on the log server's disk by specifying the search conditions.

FAU_View.3 After receiving audit records from VForce1700, for easier search, the NexG log server classifies these records into several types, including those classified by VForce1700:

[Table 6-3] Audit Record Types

NexG Log Server Classification | VForce1700 Classification
System log                     | System Log, IPSec packet Log
Firewall log                   | Access Control Log
Session log                    | System Log
Proxy session log              | System Log

FAU_View.4 The NexG log server can search and sort audit records according to the "log server classification". Upon the administrator's request, the NexG log server can search the audit records based on one of the following conditions and display the search result on the security management screen of the log server. Upon the search request of the administrator, the log server sends queries to the DB where the audit records are stored and displays the query result:
- System Log – audit record creation time, IP address of the host which generated the audit records, process which generated the audit records, contents of the audit record (details: keyword)
- Firewall/Session Log – audit record creation time, IP address of the host which generated the audit records, source/destination IP address, protocol, source/destination port, ICMP type, service, packet size, processing result (accept, drop, reject, open, and close)
- Proxy Session Log – audit record creation time, IP address of the host which generated the audit records, source/destination IP address, user ID, service, processing result (open and close)

6.2.1.5 Security Functional Requirements (SFR) Mapping:
- FAU_ARP.1
- FAU_GEN.1
- FAU_SAA.1
- FAU_SAR.1
- FAU_SAR.3
- FAU_SEL.1
- FAU_STG.1
- FAU_STG.3
- FAU_STG.4

6.2.2 Cryptographic Support (FCS)

6.2.2.1 Cryptographic Key Management (FCS_IKE)

FCS_IKE.1 Key exchange is made through the use of the IKE. IKE uses ISAKMP, which defines how to establish a service for key exchanges. The IKE of the TOE consists of two phases for secure key exchange. In the first phase, the SA is established; in the second phase, the IPSec SA is established and a secret key is generated for IPSec communication using the SA established in the first phase.

FCS_IKE.2 The TOE generates, installs, and manages cryptographic keys for cryptographic support. Cryptographic keys supported by the TOE are divided into symmetric keys created by the Digital Signature Algorithm (DSA) and asymmetric keys created by the Rivest-Shamir-Adleman (RSA) algorithm. Symmetric keys create an algorithm and a secret key as defined based on the pre-shared key defined by the administrator. RSA keys are created directly through the CA, or a certificate can be issued by a trusted CA after a certificate issuance request is made. At this time, the RSA authentication key creation function supports 1024 bits and 2048 bits as the key length.

FCS_IKE.3 The IPSec that processes the IP packets uses the SA. When an outbound or inbound packet occurs, an SA will be established to apply the cryptographic policy to the corresponding packet. If there is no SA, key exchange will be made to establish a secure SA with the TOE. The TOE automatically exchanges keys with the gateway on a regular basis to use new secret keys. The IKE of the TOE uses ISAKMP, which defines how to establish a key exchange-based security service. Authenticated keys resulting from the IKE, and the authentication keys with the security parameters of the IPSec SA, will be created. The key exchange policy will support main and aggressive modes.

6.2.2.2 Key Destruction Management (FCS_KEYDEST)

FCS_KEYDEST.1 If the key expires during encrypted communication after the key exchange process, the IKE daemon will destroy the cryptographic keys of the TOE and the counterpart gateway, register the certificate revoked in the key exchange process in the Certificate Revocation List (CRL) of the TOE, and update the keys.
When a cryptographic key used in the security tunnel is destroyed, the TOE will set the data (file) in which the corresponding cryptographic key is stored to "0" and delete data related to all cryptographic keys, to prevent the old cryptographic key from remaining in resources (such as memory).

6.2.2.3 ESP Support (FCS_ESP)

FCS_ESP.1 The TOE generates, distributes, and destroys secret keys related to encryption for safe transmission of the user data through the IPSec ESP protocol. The TOE also supports functions related to the cryptographic operations. The TOE provides the following encryption algorithms:
- AES: AES is recognized as the new encryption algorithm standard. It is widely applied to the Internet backbone structure and is highly interoperable. Key lengths include 128, 192, and 256 bits.
- 3DES: An alternative to supplement the short key length of 56 bits of DES. 3DES iterates DES three times using three keys. Although 3DES is three times slower than DES, it has been adopted by various standards because it can be easily implemented and provides higher reliability. The key length is 168 bits.
- SEED: An encryption algorithm that has a block size of 128 bits and supports a 128-bit key size. SEED is an encryption algorithm for Korea developed by the Korea Information Security Agency (KISA).

FCS_ESP.2 The encryption key length created by the TOE is a minimum of 128 bits. The key length is determined by the selected encryption algorithm (AES: 128, 192, or 256 bits; 3DES: 192 bits; SEED: 128 bits).

FCS_ESP.3 When the TOE establishes encrypted communication with its counterpart using ESP, the TOE supports both encryption and integrity of the data (packets). For this purpose, the TOE provides the following integrity algorithms:
- HMAC-SHA-1-96: The SHA-1 algorithm is based on the HMAC algorithm. The HMAC algorithm provides a framework for using a hash algorithm like SHA-1. The HMAC-SHA-1-96 algorithm has a block size of 64 bits. This algorithm supports a key length of 160 bits, but stores only the first 96 bits in the ESP. Upon verification of the data, this algorithm generates 160 bits and verifies the first 96 bits.
- HMAC-HAS-160: The HAS-160 algorithm is based on the HMAC algorithm. The HMAC algorithm provides a framework for using a hash algorithm like HAS-160. HAS-160 uses a dedicated hash algorithm. It can perform paste, division, and iteration operations. It handles message input in 512-bit blocks and outputs data as 160 bits.

FCS_ESP.4 The TOE provides functions which can authenticate the counterpart and detect replay of the authenticated account, in order to prevent packet hijacking, by using an SA, authentication, and a sequence number when the TOE is connected to a VPN gateway.

6.2.2.4 AH Support (FCS_AH)

FCS_AH.1 The TOE verifies the integrity of the data (packets) for secure data transmission using the IPSec AH protocol. To establish secured communication using the AH, the TOE provides the following integrity algorithms:
- HMAC-SHA-1-96: The SHA-1 algorithm is based on the HMAC algorithm. The HMAC algorithm provides a framework for using a hash algorithm like SHA-1. The HMAC-SHA-1-96 algorithm has a block size of 64 bits. This algorithm supports a key length of 160 bits, but stores only the first 96 bits in the ESP. Upon verification of the data, this algorithm generates 160 bits and verifies the first 96 bits.
- HMAC-HAS-160: The HAS-160 algorithm is based on the HMAC algorithm. The HMAC algorithm provides a framework for using a hash algorithm like HAS-160. HAS-160 uses a dedicated hash algorithm. It can perform paste, division, and iteration operations. It handles message input in 512-bit blocks and outputs data in 160 bits.

6.2.2.5 Security Functional Requirements (SFR) Mapping:
- FCS_COP.1
- FCS_CKM.1
- FCS_CKM.2
- FCS_CKM.4

6.2.3 User Data Protection (FDP)

The packet-filtering engine and the proxy engine of the TOE control all traffic accessing the network according to the security policy predefined by the administrator. The packet-filtering engine and the proxy of the TOE first filter the packets at Layer 3 and decide whether to allow, reject, or forward the packets based on information included in the packet header. The access control methods of the TOE include Mandatory Access Control (MAC), which uses the security labeling information of each object added by the administrator, as well as Discretionary Access Control (DAC), described earlier.

6.2.3.1 Packet-filtering (FDP_PacketFiltering)

FDP_PacketFiltering.1 Packets that do not go through the VPN of the TOE shall pass the packet-filtering policy of the TOE. The packet-filtering security policy of the TOE decides whether to accept, reject, or drop the packet based on the security object and the information contained in the IP header. If the security attribute is proper, the packet will be forwarded or accepted. If a packet is rejected, a reply will be sent using an ICMP error message and the packet not conforming to the corresponding policy will be dropped. If a packet is dropped, no reply message will be generated.
- Source and destination IP address – network object and group, source/destination network IP address of the IP header
- Port number – service object, IP header port address
- Time (time object)

FDP_PacketFiltering.2 If the administrator has not set any packet-filtering security policy, the default policy will be used and all packets will be dropped. If none of the security policies set by the administrator is proper for a packet passing through the TOE, the packet will be dropped. In other words, all packets not specified in the policy will be dropped.

FDP_PacketFiltering.3 The TOE shall map each interface where the packet comes in or goes out with the corresponding policy, to apply the packet-filtering policy. When mapping them, the TOE can determine the order of the policies. When the packet comes in or goes out through the interface, the TOE matches the packet in the order of the packet-filtering security policies mapped to the interface and decides whether to accept, reject, or drop the packet.
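The three properties stated in FDP_PacketFiltering.1 to .3 (per-interface policy lists evaluated in administrator-defined order, accept/reject/drop with an ICMP reply only on reject, and a default-drop policy for anything unmatched) are easiest to see in a small rule evaluator. The following is an added example, not VForce 1700 code and not part of this Security Target: the interface names, the network/service/time objects, the rule names and the packets are constructed for illustration, and the ICMP reply is represented only as a label. The "block-bad-net" rule placed before "allow-https" shows why rule order matters on an interface.

```python
"""First-match packet filtering in the style of FDP_PacketFiltering.1 to .3.
Constructed example, not VForce 1700 code: interface names, network/service/time
objects, rule names and the packets below are all assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # destination port, 0 for ICMP
    hour: int       # local hour of arrival, 0-23 (matched against the time object)


@dataclass(frozen=True)
class Rule:
    name: str
    src_net: str                  # network object (CIDR)
    dst_net: str
    service_proto: str            # service object: protocol, "any" = wildcard
    service_port: Optional[int]   # service object: port, None = any port
    hours: range                  # time object: hours during which the rule applies
    action: str                   # "accept", "reject" or "drop"

    def matches(self, p: Packet) -> bool:
        """All attributes of the security object must match the IP header fields."""
        return (ip_address(p.src) in ip_network(self.src_net)
                and ip_address(p.dst) in ip_network(self.dst_net)
                and self.service_proto in ("any", p.proto)
                and (self.service_port is None or self.service_port == p.dport)
                and p.hour in self.hours)


ALWAYS = range(0, 24)
BUSINESS_HOURS = range(9, 18)

# FDP_PacketFiltering.3: each interface is mapped to an ordered list of rules;
# the order decides which rule wins when several would match.
POLICIES: Dict[str, List[Rule]] = {
    "eth0-in": [
        Rule("block-bad-net", "203.0.113.0/24", "0.0.0.0/0", "any", None, ALWAYS, "drop"),
        Rule("allow-https", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443, ALWAYS, "accept"),
        Rule("reject-telnet", "0.0.0.0/0", "192.0.2.0/24", "tcp", 23, ALWAYS, "reject"),
        Rule("ssh-office-hours", "198.51.100.0/24", "192.0.2.0/24", "tcp", 22,
             BUSINESS_HOURS, "accept"),
    ],
    "eth1-out": [
        Rule("allow-all-out", "192.0.2.0/24", "0.0.0.0/0", "any", None, ALWAYS, "accept"),
    ],
}


@dataclass(frozen=True)
class Decision:
    action: str
    rule: Optional[str]     # None when the default policy applied
    reply: Optional[str]    # ICMP error for "reject", nothing for "drop" or "accept"


def filter_packet(interface: str, p: Packet) -> Decision:
    """Walk the interface's rules in order; the first match decides.
    FDP_PacketFiltering.2: an interface with no policy, or a packet that no rule
    covers, falls through to the default policy and is dropped silently."""
    for rule in POLICIES.get(interface, []):
        if rule.matches(p):
            reply = "ICMP destination unreachable" if rule.action == "reject" else None
            return Decision(rule.action, rule.name, reply)
    return Decision("drop", None, None)


if __name__ == "__main__":
    samples = [
        ("eth0-in", Packet("198.51.100.7", "192.0.2.10", "tcp", 443, 10)),
        ("eth0-in", Packet("198.51.100.7", "192.0.2.10", "tcp", 23, 10)),
        ("eth0-in", Packet("203.0.113.9", "192.0.2.10", "tcp", 443, 10)),
        ("eth0-in", Packet("198.51.100.7", "192.0.2.20", "tcp", 22, 20)),
        ("eth2-in", Packet("198.51.100.7", "192.0.2.20", "udp", 53, 12)),
    ]
    for iface, pkt in samples:
        print(iface, pkt.src, "->", pkt.dst, pkt.proto, pkt.dport, filter_packet(iface, pkt))
```

The last two sample packets are the ones to check when reviewing a policy: an SSH connection outside the time object and any packet on an interface with no mapped policy both end in the silent default drop, which is the FDP_PacketFiltering.2 behaviour and the reason a missing rule never fails open.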
FDP_PacketFiltering.4 To protect from interference and intrusion of an unreliable subject during packet filtering, network address translation, and access control, the TOE separates TSF data and code from external entities and separates the subjects in the TSC. This function is executed by the OS function of the sub-abstract machine.

6.2.3.2 Proxy (FDP_Proxy)

FDP_Proxy.1 The TSF that the TOE executes requires an entity which uses the HTTP or SOCKS5 protocols for information exchange through the TOE. The TSF controls access and information flow by filtering packets at the network layer level, and determines the maximum connection count and the session time-out for HTTP and SOCKS5 sessions.

FDP_Proxy.2 The proxy of the TOE provides user authentication and session limit functions together through a single integrated daemon. Therefore, the proxy can apply the user authentication function for the HTTP and SOCKS5 protocols that support user authentication. To use the user authentication function in the TOE, the administrator shall connect the proxy time object to each user group that the administrator sets in the security management. Only connected users can be authenticated by the unique (HTTP, SOCKS5 (TELNET, FTP)) proxy security policy of the proxy.

FDP_Proxy.3 When the HTTP or SOCKS5 (TELNET or FTP) proxy is used as the default policy of the proxy in the TOE, the policy can be decided by the following common security attributes:
- Proxy operation status
- Input interface: Determines the interface to bind the corresponding port of the proxy.
- DNS cache: Caches as many DNS names used in the proxy as set by the administrator and reduces repetitively occurring DNS traffic to keep the proxy rate consistent.
- Proxy protocol: Sets the HTTP and SOCKS5 protocols. Uses the HTTP protocol for HTTP and SOCKS5 for FTP and TELNET. According to the characteristics of the protocol, only the HTTP protocol and SOCKS5 protocol support user authentication.
- Maximum connection count (1~65535): Determines the number of sessions to pass through the proxy.
- Session time-out (1~65535): Determines the session time-out. If no data exchange occurs during the determined time, the corresponding session will be disconnected.
- Proxy time group: Same concept as the "time object" in the packet-filtering security policy. The time group can be set only in the proxy.

FDP_Proxy.4 The TOE allows the administrator to disconnect a user if the user was forcibly authenticated in the proxy session through HTTP or SOCKS5. If the disconnected user wants to establish communication through HTTP or SOCKS5, the user shall be authenticated in the TOE. FDP_Proxy.3 can automatically disconnect users by "session time-out." In other words, if there is no traffic passing through the proxy after the user was authenticated, the user will be disconnected after the defined time set by the administrator.

FDP_Proxy.5 The TOE performs security-level based mandatory access control for users through the proxy. If the user passes through the proxy using an application which uses the HTTP or SOCKS5 protocol, the TOE will perform mandatory access control. If the user tries to access an external network through an application, the TOE will compare the security level of the authenticated user with the security level of the network object that the user tries to access. Only when the user security level is the same as or higher than the security level of the network object will the user be allowed access. Otherwise, the user access request will be denied by security level. For this purpose, the administrator shall define the proxy network object and give it a security level. The administrator is also required to map the proxy network group with the corresponding user group and allow the user to access the proxy network.

6.2.3.3 Encrypted Data Transmission (FDP_VPN)

FDP_VPN.1 To establish a secure connection between two or more networks using a public network (for example, the Internet), the TOE creates an IPSec-based virtual tunnel and establishes encrypted communication between two or more trusted sub-networks.
All data transmitted through the TOE is encoded, decoded, and hashed, and for this purpose, the TOE supports confidentiality algorithms such as 3DES, SEED, and AES, and the integrity algorithms HAS-160 and SHA-1. For the IKE, the TOE supports the aggressive and main modes.

FDP_VPN.2 The TOE selects the IPSec protocol for encrypted communication with the gateway using the SA determined by the VPN security policy. If a packet is altered by a third party during the IKE procedure or encrypted communication by the ESP protocol, the TOE drops the packet to guarantee integrity for data transmission and authentication. At this time, the TOE provides the SHA-1 and HAS-160 algorithms on ESP.

FDP_VPN.3 Packets destined for the encryption policy network defined in the VPN policy among the packets passing through the TOE are encrypted according to the VPN policy set by the administrator before being transmitted. If the packet going through the VPN interface is not part of the network communication defined in the VPN security policy, the packet will be handled according to the packet-filtering policy. Even after the packet passes through the IPSec interface, the TOE applies a normal packet-filtering policy instead of the encryption policy. The administrator defines the security policy of the VPN on the security management screen using the following attributes:
- IPSec binding interface: Applies the VPN security policy only to the packets passing through the corresponding interface.
- Shared key: Used to exchange keys with the counterpart and create cryptographic keys. The shared key is the string seed that both communication parties share.
- Security protocol: Determines the ESP protocol or AH protocol during IPSec communication.
- Key exchange mode: Determines the main mode or aggressive mode for IKE key exchange.
- Authentication method: Determines whether to use the shared key or a predefined certificate for the key exchange for the security tunnel (SA).
- Subject security attribute: IP addresses of the communication subject and the counterpart. Certificate subject.
- ISAKMP policy: Determines the encryption method. Determines the cryptographic algorithm, the key length, and the valid period for the phase-1 cryptographic key (SA) of the IKE.
- IPSec policy: Determines the encryption and the authentication methods. Determines encryption and authentication algorithms, the key length, and the valid period for the phase-2 cryptographic key (SA) of the IKE.
- VPN network IP address: Determines the IP addresses of the internal networks of the encrypted communication counterpart and the local VPN gateway. Packets are encoded and decoded through the IPSec binding interface according to the predefined policy only for the communication between the defined IP addresses.
- PFS group: Determines how to generate the VPN security tunnel (SA) and regularly create cryptographic keys of the security tunnel. PFS group number 2 or 5 is selected here, and the group numbers are Diffie-Hellman group numbers.

FDP_VPN.4 The TOE and the counterpart start to exchange keys when both sides have determined all VPN policies. The TOE that determines the VPN policy later becomes the initiator and starts to exchange keys for the security tunnel (SA). An SA automatically expires when there is no inbound/outbound packet through the SA, when Dead Peer Detection (DPD) triggers, or when an error occurs in the network environment (disconnection in the network).

6.2.3.4 Network Intrusion Detection (FDP_NID)

FDP_NID.1 The TOE inspects traffic passing through the packet-filtering security policy, and stores audit records for the abnormal packets. The administrator identifies abnormal packets by the access control audit record prefix (the delimiter that identifies audit records):
- Detects port scans in the traffic to which the packet-filtering security policy is applied, and generates audit records and mail to the administrator.
- Detects fragmented packets among the packets to which the packet-filtering security policy is applied, and generates audit records and mail to the administrator.

6.2.3.5 Administrator Access Control (FDP_AdminNetwork)

FDP_AdminNetwork.1 When an administrator with identification and authentication data (for example, ID and password) or with a trusted administrator network address tries to access the TOE from a remote place, the TOE explicitly allows the information flow. When an authorized administrator tries to access the security management screen, the TOE checks whether the source IP address belongs to the administrator network. If the administrator is from an allowed administrator network, the TOE will display the security management login screen for the administrator. Then, the administrator shall input the ID and the password to be authenticated in order to log in to the security management screen. At this time, the TOE authenticates and identifies the user based on the administrator accounts and passwords of the administrator group. If a user tries to log in with an account not in the administrator group, the TOE will consider that the user is not an authorized administrator, deny the login attempt, and generate the audit records.

FDP_AdminNetwork.2 The administrator can directly access the console using the RS-232 console cable instead of the Internet browser. When the machine is first installed in the network or the machine is initialized, the user shall access the console to set the network IP. As when using the web interface, the administrator shall input the ID and the password to access the console. After the machine is first installed, the network will be set up and the administrator account (admin) will be added. The administrator account becomes the default account.
6.2.3.6 Security Functional Requirements (SFR) Mapping:
- FDP_ACC.2
- FDP_ACF.1
- FDP_DAU.1
- FDP_IFC.1
- FDP_IFC.2(1)
- FDP_IFC.2(2)
- FDP_IFF.1(1)
- FDP_IFF.1(2)
- FDP_IFF.1(3)
- FPT_RVM.1
- FPT_SEP.1
- FPT_RPL.1

6.2.4 Identification and Authentication (FIA)

Identification and authentication is performed in the TOE at these points:
- Before the administrator allows the user to access the security management interface (on the web) for security management.
- Before a general user uses a protocol (FTP, TELNET) that uses the web (HTTP) or SOCKS5 through the proxy.

The TOE performs identification and authentication as follows:

6.2.4.1 General Cryptographic Authentication (FIA_PwdAuth)

FIA_PwdAuth.1 When the administrator generates or changes a security policy related to user identification or authentication, the TOE will inspect the cryptographic verification mechanism. The following policy is provided to meet the AVA_SOF.1 assurance requirement. A general password authentication mechanism is used to authenticate users and performs authentication based on the following collation rules:
- The password shall be 7~16 characters long.
- A total of 94 characters including special symbols (including a-z (26), A-Z (26), and 0-9 (10)) can be used. (Special symbols: !@#$%^&*()_+|`-=\{}:"<>?[];',./)
- Collation rule: Alphanumeric, or alphabetic characters with special symbols. (Alphabetic and numeric characters, or alphabetic and special symbols)

FIA_PwdAuth.2 A normal user's password automatically expires on a date predefined by the administrator. When the user accesses the network again, the user will be required to change the password.

FIA_PwdAuth.3 The TOE identifies and authenticates IT entities through the internal user management database and verifies general users and administrators. The TOE supports general passwords and one-time passwords. The authorized administrator can allow users to select a general password or a one-time password.
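The FIA_PwdAuth.1 collation rules and the FIA_PwdAuth.2 expiry rule above, as an added Python check that is not the TOE's mechanism: length 7~16, every character drawn from the 94-character set, and letters combined with digits or with special symbols. The assumption is that the "special symbols" are the 32 ASCII punctuation characters (`string.punctuation`), which together with 26+26+10 letters and digits gives exactly the 94 the ST counts; the expiry dates are constructed samples.

```python
import string
from datetime import date
from typing import Optional, Tuple

MIN_LEN, MAX_LEN = 7, 16
LETTERS = set(string.ascii_letters)   # a-z (26) + A-Z (26)
DIGITS = set(string.digits)           # 0-9 (10)
# Assumption: the 32 ASCII punctuation characters are the ST's special symbols.
SPECIALS = set(string.punctuation)
ALLOWED = LETTERS | DIGITS | SPECIALS
assert len(ALLOWED) == 94             # the character-set size FIA_PwdAuth.1 states


def check_password(pw: str) -> Tuple[bool, str]:
    """Return (accepted, reason) per the FIA_PwdAuth.1 collation rules."""
    if not MIN_LEN <= len(pw) <= MAX_LEN:
        return False, f"length must be {MIN_LEN}~{MAX_LEN} characters"
    bad = sorted(set(pw) - ALLOWED)
    if bad:                            # space, tab, non-ASCII, control characters, ...
        return False, "character not in the 94-character set: " + repr(bad)
    chars = set(pw)
    has_alpha = bool(chars & LETTERS)
    has_digit = bool(chars & DIGITS)
    has_special = bool(chars & SPECIALS)
    # Collation rule: alphabetic + numeric, or alphabetic + special symbols.
    if not has_alpha or not (has_digit or has_special):
        return False, "must combine letters with digits or with special symbols"
    return True, "ok"


def password_state(expires_on: Optional[str], today: str) -> str:
    """FIA_PwdAuth.2: on or after the administrator-set expiry date (ISO strings)
    the user must change the password; None means no expiry date was set."""
    if expires_on is not None and date.fromisoformat(today) >= date.fromisoformat(expires_on):
        return "change_required"
    return "valid"


if __name__ == "__main__":
    for candidate in ["Secret7!", "abcdefg", "1234567", "abc def1", "Ab1"]:
        print(repr(candidate), check_password(candidate))
    print(password_state("2006-07-20", "2006-07-21"))
```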
FIA_PwdAuth.4 After the user (all users in the TOE including administrators) is successfully authenticated, the user can use the security functions of the TOE. However, only the administrator can access the Security Management screen and use security management functions. General users are authenticated by the proxy and can use HTTP or SOCKS5 using the proxy defined in each proxy security policy. The TOE provides the authentication-feedback protection function during the operation of authentication by hiding the password entered by the user (for example, using the "*" symbol).

6.2.4.2 One-time Password Authentication (FIA_OTPAuth)

FIA_OTPAuth.1 The one-time password is used. There is a list of one-time passwords for the authorized administrator and users. When a user attempts to access the network using a one-time password, the user must input the ID and the password corresponding to the sequence number displayed on the screen. However, if the user inputs an incorrect password three times, an additional process is required to allow the user to try to access. If an administrator or a general user loses the list of one-time passwords, the administrator shall be immediately informed and another list of one-time passwords shall be re-issued.

FIA_OTPAuth.2 The one-time password mechanism authenticates human users using characters. If the created numeric (280) passwords are used up, the administrator shall be informed and new passwords shall be created. To create a one-time password, the TOE uses a prefix as a password. A prefix can be of 1~255 digits, and both the prefix and the one-time password shall be used together to authenticate a user.

6.2.4.3 Authentication Failure Handling (FIA_IAFailure)

FIA_IAFailure.1 Each user's authentication failure can be processed, and the failure record is stored with the user profile in the user DB. If the user authentication failure count exceeds the threshold set by the administrator, the session will be locked.
In this case, until the authorized administrator restores the setting, the user status cannot be changed. The administrator can set the maximum authentication failure count. If the default is none, there will be no limit to the user's authentication failure count. If the user authentication failure count crosses the threshold, the TOE will reject the user's login. In this case, the user can log in only after the administrator changes the login setting.

FIA_IAFailure.2 Counterparts other than the user are also subject to the authentication failure count threshold. If a VPN gateway with a constant certificate subject (country, organization, organization unit, common name, or e-mail address) or a shared key tries to exchange cryptographic keys for the VPN security tunnel (SA), the authentication failure count is applied to the IP address of the counterpart. If the count exceeds the threshold, the VPN gateway will not be able to exchange keys until the administrator modifies the gateway. The related audit records will be stored.

6.2.4.4 User Password Change (FIA_UPWDSet)

The TOE allows general users using a proxy service to access the TOE using HTTPS and to change the passwords of their accounts.

6.2.4.5 Identification and Authentication Security Strength (FIA_SoF)

FIA_SOF.1, FIA_UAU.2, and FIA_UAU.4 conform to SOF-medium specified in the Common Criteria for the Information Protection System (Notice 2005-25 by the Ministry of Information and Communication) [1].

6.2.4.6 Security Functional Requirements (SFR) Mapping:
- FIA_AFL.1
- FIA_UAU.2
- FIA_UAU.4
- FIA_UAU.7
- FIA_UID.2
- FIA_SOS.1

6.2.5 Security Management (FMT)

6.2.5.1 Overview

Only authorized administrators can access the security management functions of the TOE through the identification and authentication processes, and only administrators can access the TSF to restart or stop the TOE and change the security policy. The TOE verifies the password in addition to the login password using the management password to allow the user to access the Security Management screen.
Using the security management functions, the authorized administrator can set the TSF and define the TSP. To use a security management function, the administrator must be identified and authenticated and verified to determine whether he has proper authority. Only the authorized administrator can add, change, or delete security policies using the security management functions after passing the identification and authentication processes. The authorized administrator can use the TSF to restart and stop the TOE and operate the TOE.

For efficient security management the TOE provides web interfaces for the administrator and allows the administrator to access the network through Internet Explorer. The administrator browser accesses the TOE through SSL using the HTTPS protocol. The Security Management screen is implemented by HTML or CGI to set or receive security attributes by the administrator. The TOE provides categorized security management functions as shown below and allows the administrator to efficiently manage security:

[Table 6-4] Security Function Management Interfaces

Higher Menu | Menu 1 | Menu 2 | Description
Certificate | CA Management | | Manages the CA certificate and certificate requests when the TOE functions as a CA.
Certificate | Certificate Management | | Manages own certificates.
Object Definition | Network | | Manages the network object.
Object Definition | Service | | Manages the service object.
Object Definition | Time | | Manages the time object.
Object Definition | IPSec | | Manages the IPSec object (ISAKMP policy, IPSec, and gateway policy).
Object Definition | User | | Manages the user object.
Network | Overall Status | Traffic at Each Interface | Shows the traffic amount of the interface in Kbytes/second or packets/second.
Network | Overall Status | Session | Shows the list of sessions passing the TOE.
Network | Interface | Overall Status | Shows interface information.
Network | Interface | Ethernet Interface | Sets Ethernet interfaces.
Network | Interface | PPP Interface | Sets the PPP interfaces.
Network | Routing | Overall Status | Shows the current routing table of the TOE.
Network | Routing | Static Routing | Manages the routing table.
Network | ARP | | Shows and adds ARP.
Network | DHCP | | Shows and sets the DHCP.
Access Control | | Overall Status | Shows the status of the packet filtering, address translation, port forwarding, and redirect policies.
Access Control | | Default Setup | Sets the default setting of the packet-filtering policy and the TCP MSS.
Access Control | | Packet Filtering | Manages the packet-filtering policy.
Access Control | | NAT | Manages the NAT policy.
Access Control | | Port Forwarding | Manages the port-forwarding policy.
Access Control | | Redirect | Manages the redirect policy.
Access Control | Proxy | Default Setup | Sets and manages the proxy use status and protocol.
Access Control | Proxy | Proxy Time Object | Manages the proxy time object.
VPN | IPSec Connection | Status | Shows the currently established SAs.
VPN | IPSec Connection | Setup | Manages the IPSec connection setting.
System | Cryptographic Change | | Changes and manages the cryptograph in security management access.
System | Login User | | Shows the login user in the TOE or the administrator.
System | Host/Name Server | | Manages the host name of the TOE and the DNS name.
System | Date/Time | | Manages the date/time of the TOE.
System | SNMP | | Sets the SNMP.
System | Audit Records | Real-time system log | Shows system audit records in real time.
System | Audit Records | Real-time firewall log | Shows firewall audit records in real time.
System | Audit Records | Real-time session log | Shows session audit records in real time.
System | Audit Records | Real-time proxy session log | Shows proxy session audit records in real time.
System | Audit Records | Log search | Shows audit records.
System | Audit Records | Log statistics | Shows audit record statistics.
System | Audit Records | Backup | Backs up audit records.
System | Audit Records | Policy | Sets the environment for the audit records.
System | Service setup | | Sets services.
System | Access control | | Manages the administrator policy.
System | System Management | Firmware upgrade | Upgrades the software of the TOE.
System | System Management | System setup management | Changes and initializes security management, and backs up and restores the TOE configuration.
System | System Management | System restart/stop | Restarts or ends the TOE.
System | System Management | Integrity | Inspects and manages integrity.
System | System Status | Status | Shows the software version of the TOE, operation time, and CPU load.

The TOE allows the administrator to add, change, delete, or search alarms. When the administrator inputs the alarm security policy attribute, the TOE will check whether the attribute already exists.
If the attribute does not overlap with an existing one, the TOE will create an alarm security policy using the security policy attribute entered by the administrator and add the alarm policy to the configuration data. The alarm security policy is activated as soon as it is added. If the administrator requests the TOE to change or delete a particular alarm policy, the TOE will change or delete the policy in the configuration data.

The TOE provides security management functions whereby the administrator can create, delete, or search cryptographic keys. The TOE provides the root CA creation function and the certificate request and management functions. The TOE reads the current authentication key and certificate list from the configuration data, displays them on the Security Management screen, and shows the download option. When the administrator inputs a command to delete the authentication key, the TOE will check whether the key is used in other VPN policies. If the key is not in use by a VPN policy, the TOE will delete the key and store the record in the certificate revocation list (CRL). The authorized administrator can search or download this certificate revocation list. The TOE can recreate and change cryptographic keys. After the TOE checks that the certificate created by the old cryptographic key is no longer valid, the TOE changes the cryptographic key.

The TOE selectively creates audit records for each event security level. The TOE can store generated audit record files or statistical data in the audit record management database and delete them or extract them as a file. The TOE reads the current audit record setting from the configuration data and displays it for the administrator. The selective audit record setting interface is the Event Type (Emergency, Alert, Critical, Error, Warning, Notice, Info, or Debug), and the administrator can change the setting.
After the administrator successfully inputs data, the TOE stores the security attributes set by the administrator in the configuration data. The TOE reads the audit record setting option from the configuration data and stores the audit record data or statistical data in the audit record management database. The administrator can also extract the data as a file for secondary backup.

The TOE displays interfaces for the administrator to back up the configuration file. After selecting the configuration data to back up, the administrator at a remote PC can download the selected data using the HTTP protocol. The TOE launches a browser for the administrator to search for a configuration file on the remote PC. When the administrator selects a configuration file, it will overwrite the configuration file stored in the TOE.

6.2.5.2 Security Object Management (FMT_Object)

The TOE provides security functions that can add, change, delete, and search the security objects necessary for the security policy. The security objects (network, user, service, time, and IPSec objects) are used to establish all security policies of the TOE. Network, user, and IPSec objects include data that can be identified by network address, user ID, and IPSec certificate subject, and the corresponding authentication data. The administrator can add, delete, or modify the identification and authentication data.

The administrator creates the network objects that are required to perform mandatory access control for network groups and user groups and to check the encryption status and integrity of the transmitted data. Service objects are used by the packet-filtering security policy and the proxy security policy to apply a certain service. The time object is used by the packet-filtering security policy and the proxy security policy, and the corresponding security policy is activated or deactivated according to the time object. The IPSec object is used by the VPN security policy.
Network Object Management (FMT_NetworkObj)

The TOE allows the authorized administrator to manage the network object information (source and destination network addresses) required for setting the packet-filtering security policy used to control accesses and information flows. The authorized administrator can search, add, modify, or delete network object information (source and destination network addresses) using the network object management functions.

Service Object Management (FMT_ServiceObj)

The TOE allows the authorized administrator to manage the service object information (such as protocol and port) necessary for setting the packet-filtering policy used to control accesses and information flows. The authorized administrator can search, add, modify, or delete service object information (such as protocol or port) using the service object management functions.

Time Object Management (FMT_TimeObj)

The TOE allows the authorized administrator to manage the time object information (time and date) required for setting the packet-filtering security policy used to control accesses and information flows. The authorized administrator can search, add, modify, or delete time object information (time and date) using the time object management function.

IPSec Object Management (FMT_IPsecObj)

The TOE allows the administrator to define and manage the objects required for IPSec tunnel establishment to set the VPN security policy for functions such as access control, information flow control, and cryptographic support. The IPSec objects that the TOE provides include the "ISAKMP policy object" used in the key exchange phase (authentication of the counterpart and key exchange before the establishment of a tunnel), the "IPSec policy object" that defines the encryption and integrity protocols that the ESP protocol uses for the establishment of the tunnel, and the "gateway object" that defines the gateway which will use IPSec. The administrator can search, add, modify, or delete IPSec objects using the IPSec object management functions.
User Object Management (FMT_UserObj)

The TOE provides functions which define and manage user object information (ID, password, authentication method, and other) to set the administrator and user security authentication policy used for user identification and authentication. The authorized administrator can search, add, modify, or delete user object information (ID, password, authentication method, and other) using the user object management functions.

TOE users include administrators, general users, and counterpart VPN gateways. When defining a user attribute of the administrator, the TOE generates a general user, which is included in the default administrator group (admin group). Therefore, the user attribute of the administrator is the same as the security attribute of the administrator group. The administrator group refers to a group of general users in the administrator mode. Therefore, users in the TOE have the following security attributes:
- Security label: All users in the TOE have a security label.
- User: User ID, Group, Use status (by the current user), Password type (normal or one-time), password, and Password Authentication Protocol (PAP), which is used for the authentication in the PPP server through the PPP interface that the TOE supports; Challenge Handshake Authentication Protocol (CHAP), which prevents disclosure of the user name and password through the challenge and reply process; Login failure count; Login permission; Last login time; and Duration.
- User group: User group ID, Maximum attempt limit, Proxy use status (Proxy time object per user group), Administrator mode status (The administrator group is in administrator mode, and in the default state, only the admin group has the admin user ID, which can be changed by the administrator), and associated user IDs.
- VPN gateway: X.509-type certificate subject, and gateway network IP address

Certificate Object Management (FMT_CertObj)

The TOE provides functions which can define and manage the certificate objects required for using RSA-based keys. The authorized administrator can add, modify, or delete the certificate issuance request using the certificate object management function.

CA Object Management (FMT_CAObj)

The TOE provides the CA management function as a CA by issuing a certificate with local keys and managing issued certificates. The authorized administrator can create (drop, recreate) and view the root CA certificates using the CA management function, and can download the certificate file (cacert.crt).

Proxy Time Object Management (FMT_ProxyTimeObj)

The TOE defines proxy time objects besides time objects. The administrator can set the proxy time objects in the same way as defining the time objects. The proxy time objects are mapped with the user group for the authentication of a special proxy.

Proxy Network Object Management (FMT_ProxyNetObj)

The TOE defines proxy network objects separately from network objects. The administrator can set proxy network objects in the same way as defining network objects. The proxy network object is mapped with the user group for the authentication of a special proxy.

6.2.5.3 Security Policy Management (FMT_Policy)

Access Control Setting Management (FMT_ACDefaultPolicy)

Access control policies of the TOE include the packet-filtering security policy, network address translation policy, port forwarding policy, redirect policy, and proxy security policy. The TOE provides a default for each of these policies. The administrator can set a default policy for access control and apply the default policy to all access control activities. The default access control policy usually covers basic policies related to packet-filtering security and audit records.
Packet-filtering Policy Management (FMT_PacketFilterPolicy)

The TOE allows the administrator to add, change, delete, or search packet-filtering security policies using the security management functions. The TOE checks whether the attribute of the packet-filtering security policy entered by the administrator overlaps with an attribute of an existing policy. If it does not overlap with an existing one, the TOE will create a packet-filtering security policy based on the attribute of the security policy entered by the administrator. The new security policy is not directly applied to the TOE. Instead, it is mapped with the interface before being applied. When an existing packet-filtering policy is deleted or changed, the deletion will be applied immediately but the change will be applied after the administrator saves the new setting.

Network Address Translation Policy Management (FMT_SourceNATPolicy)

The TOE provides security management functions to add, change, delete, or search network address translation security policies. The TOE allows the administrator to create a network address translation policy. The TOE checks whether the network address translation policy input by the administrator overlaps with an existing one. If the policy does not overlap with an existing one, the TOE will add the network address translation policy to the security policy. A new policy is immediately applied but not stored until the administrator saves it. When the administrator changes or deletes a certain network address translation policy, the TOE will immediately change or delete the corresponding policy in the configuration data.

Port-forwarding Policy Management (FMT_DestNATPolicy)

To control accesses and information flow, the TOE provides a function for setting the port-forwarding (DNAT) security policy. The administrator can search, add, modify, or delete the port-forwarding security policies using the port-forwarding policy management functions.
Based on the created object information, the TOE creates a security policy. If the information overlaps with existing information or a validity error occurs, the administrator will be immediately informed through a message box. Otherwise, the policy will be immediately added.

Redirect Policy Management (FMT_RedirectPolicy)

The TOE provides functions to establish a redirect security policy to control accesses and information flow. The administrator can search, add, modify, or delete redirect security policies using the redirect policy functions. Based on the created network and service object information, the TOE creates a security policy. If the information overlaps with existing information or a validity error occurs, the administrator will be immediately informed through a message box. Otherwise, the policy will be immediately added. The added policy is applied to the network only after the administrator maps the policy with the corresponding network interface. The administrator can modify or delete existing policies. When the administrator modifies or deletes a policy, the change will be immediately applied to the network.

Default Proxy Policy Management (FMT_ProxyDefault)

The TOE provides the default values for the security policy that the proxy provides. The administrator can set a default policy that will be applied to the proxy as follows:
- Default server setting: Information related to the proxy operation
- Proxy protocol setting: Protocol to be used in the proxy and the authentication protocol

IPSec Policy Management (FMT_IPsecPolicy)

The TOE provides functions to add, modify, delete, or search VPN security policies. The TOE checks whether the attribute of the VPN security policy entered by the administrator overlaps with an attribute of an existing policy. If it does not overlap with an attribute of an existing policy, the TOE will add the VPN security policy. The new VPN security policy is immediately applied but not stored until the administrator stores the setting.
When the administrator requests to modify or delete a VPN security policy, the TOE immediately modifies or deletes the corresponding policy.

6.2.5.4 Network Interface Management (FMT_NICManage)

The TOE provides network configuration functions for its interfaces: it can set the connection method, backup, activation status, media type, and line fault detection of each interface, and can search and display interface status. Both physical and tunnel interfaces can be configured.

6.2.5.5 PPP Interface Management (FMT_PPPManage)

The TOE provides functions to create, modify, delete, or search the PPP interfaces needed for PPP connections. The TOE checks whether the attributes of the PPP connection entered by the administrator overlap with those of an existing interface. If they do not, the TOE creates a new PPP interface from the entered attributes and adds the interface information to the configuration data. If the administrator requests to modify or delete a PPP interface, the TOE modifies or deletes the corresponding interface in the configuration data.

6.2.5.6 Static Routing Management (FMT_RoutingManage)

The TOE provides functions for the administrator to add, modify, delete, or search the current routing table, including network address, gateway, interface, and device information. To add a static route, the administrator enters the destination address (network or host) and the gateway, and the route is applied to the TOE system. The TOE can search and delete the static routes added by the administrator.

6.2.5.7 ARP Management (FMT_ARP)

The TOE provides functions to add, modify, or delete ARP entries cached in the ARP table through the administrator interface.
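The packet-filtering policy management semantics described above (overlap check on creation, no effect until the policy is mapped to an interface, immediate deletion, change deferred until save) can be modelled in a few dozen lines. The following is an added example written for this page, not NexG code; the rule attributes (source and destination network, protocol, destination port range, action) and first-match evaluation are assumptions, since the Security Target does not list the attributes themselves.

```python
"""Packet-filtering policy store modelling FMT_PacketFilterPolicy management semantics.
Added example, not NexG code; rule attributes and first-match evaluation are assumptions."""
from dataclasses import dataclass, replace
from ipaddress import ip_network, IPv4Network
from typing import Dict, List, Tuple

ANY = "any"


@dataclass(frozen=True)
class FilterRule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    proto: str                # "tcp", "udp", "icmp" or ANY
    dport: Tuple[int, int]    # inclusive destination port range
    action: str               # "allow" or "deny"


def _protos_overlap(a: str, b: str) -> bool:
    return a == ANY or b == ANY or a == b


def _ports_overlap(a: Tuple[int, int], b: Tuple[int, int]) -> bool:
    return a[0] <= b[1] and b[0] <= a[1]


def rules_overlap(r1: FilterRule, r2: FilterRule) -> bool:
    """True when some packet could match both rules: every attribute pair intersects.
    This is the check the TOE performs before creating a new policy."""
    return (r1.src.overlaps(r2.src) and r1.dst.overlaps(r2.dst)
            and _protos_overlap(r1.proto, r2.proto) and _ports_overlap(r1.dport, r2.dport))


class PolicyStore:
    def __init__(self) -> None:
        self.rules: Dict[str, FilterRule] = {}      # configuration data
        self.active: Dict[str, List[str]] = {}      # interface -> rule names in effect
        self.pending: Dict[str, FilterRule] = {}    # modifications awaiting save

    def add(self, rule: FilterRule) -> None:
        """Create the policy only if it overlaps no existing one; not applied until mapped."""
        for existing in self.rules.values():
            if rules_overlap(rule, existing):
                raise ValueError(f"{rule.name} overlaps existing rule {existing.name}")
        self.rules[rule.name] = rule

    def map_to_interface(self, name: str, iface: str) -> None:
        if name not in self.rules:
            raise KeyError(name)
        self.active.setdefault(iface, []).append(name)

    def modify(self, name: str, **changes) -> None:
        """The change is validated now but takes effect only after save()."""
        new = replace(self.rules[name], **changes)
        for other_name, other in self.rules.items():
            if other_name != name and rules_overlap(new, other):
                raise ValueError(f"modified {name} would overlap {other_name}")
        self.pending[name] = new

    def save(self) -> None:
        self.rules.update(self.pending)
        self.pending.clear()

    def delete(self, name: str) -> None:
        """Deletion is applied immediately, including on every mapped interface."""
        del self.rules[name]
        self.pending.pop(name, None)
        for names in self.active.values():
            if name in names:
                names.remove(name)

    def decide(self, iface: str, src: str, dst: str, proto: str, dport: int) -> str:
        """First matching rule mapped to the interface wins; no match means deny."""
        s, d = ip_network(src), ip_network(dst)     # host addresses become /32 networks
        for name in self.active.get(iface, []):
            r = self.rules[name]
            if (r.src.overlaps(s) and r.dst.overlaps(d) and _protos_overlap(r.proto, proto)
                    and r.dport[0] <= dport <= r.dport[1]):
                return r.action
        return "deny"


def demo() -> List[str]:
    """Add, map, modify, save, delete; returns the decision for a constructed packet
    10.0.0.5 -> 203.0.113.7 tcp/80 on eth1 after each step."""
    store = PolicyStore()
    store.add(FilterRule("web", ip_network("10.0.0.0/24"), ip_network("0.0.0.0/0"),
                         "tcp", (80, 80), "allow"))
    pkt = ("eth1", "10.0.0.5", "203.0.113.7", "tcp", 80)
    out = [store.decide(*pkt)]                 # created, not mapped: deny
    store.map_to_interface("web", "eth1")
    out.append(store.decide(*pkt))             # mapped: allow
    store.modify("web", action="deny")
    out.append(store.decide(*pkt))             # change staged only: still allow
    store.save()
    out.append(store.decide(*pkt))             # saved: deny
    store.delete("web")
    out.append(store.decide(*pkt))             # deleted at once: no rule, deny
    return out
```

The overlap test is deliberately conservative: two rules are rejected as overlapping as soon as any single packet could match both, which is what prevents a later rule from silently shadowing an earlier one. The same `rules_overlap` check is reused for modifications so that a staged change cannot introduce an overlap that the original creation would have refused.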
6.2.5.8 DHCP Management (FMT_DHCP)

The TOE provides functions to add, modify, or delete DHCP server attributes such as IP lease duration, IP assignment range, and subnet through the administrator interface, so that it can assign IP addresses automatically (DHCP) to internal users.

6.2.5.9 Host DNS Setting (FMT_HostDNSSet)

The TOE provides functions to set, modify, delete, or search host names on the network. The administrator can define a unique host name (fewer than 255 alphanumeric characters) on the network and can initialize the domain information with a new host name and host information.

The TOE also provides functions to set, modify, delete, or search the name servers (DNS) used by the security policy and audit record functions to resolve network address information. The administrator can add up to three name servers as IP addresses; the new information is applied immediately.

6.2.5.10 System Time Setting (FMT_TimeSet)

The TOE provides a function to set its time. By default the TOE synchronizes with a reliable external NTP server, so that the time source is managed securely by an external time server rather than by an internal TOE function. The TOE also allows the administrator to set and modify the time manually.

6.2.5.11 Audit Records Setting (FMT_AuditSetup)

To manage all audit records generated during the operation of the TOE, the TOE maintains an audit record management policy. The administrator can configure the audit record settings and confirm or cancel them using the provided functions. The following are entered for the management of audit records:

- Real-time audit record storage size of the TOE
- Log priority
- Warning priority
- SMTP server address
- Administrator mail address
- Mail queue

6.2.5.12 Security Management Setting (FMT_AdminSetup)

The TOE can set the time-out limit of the administrator session in the security management environment. The time-out limit is expressed in minutes or seconds; the default is 10 minutes.
Each server of the TOE can run on its default port or on a port chosen by the administrator. A trusted administrator network is registered in advance so that a mistake in the security policy cannot lock the administrator out of the TOE. The administrator network can be defined from the existing network objects and groups.

6.2.5.13 Firmware Upgrade (FMT_FirmUp)

The TOE provides a firmware upgrade function to enhance the security functions and the operating system. The administrator copies the firmware to the administrator PC and uploads the image to the TOE over the security management connection (HTTPS). The TOE checks the integrity of the uploaded image and then updates the firmware stored in flash memory. For this purpose, the administrator must obtain the firmware image from the TOE provider (NexG) in a secure manner and copy it to the administrator's PC. The upload is protected by the SSL protocol of the security management connection.

6.2.5.14 System Setting (FMT_SysSetup)

The TOE provides functions to store, initialize, back up, and restore system settings such as policies and functional items required for the operation of the security functions; the administrator can set, modify, delete, or search the system setting data needed for TOE operation. When the authorized administrator changes the operation of the TOE or its policy and functional settings, the change is applied immediately in memory and saved to flash memory. The TOE can also be initialized to the factory setting: the administrator can initialize only the settings while the TOE keeps operating, or select the Initialize and Restart option. The TOE also allows the administrator to back up all policies and settings into a single file and restore the system from that file, so that settings damaged by an unexpected fault can be recovered.
The TOE provides functions for the authorized administrator to stop and restart the software from the security management environment. When the administrator issues a command to restart or stop the system, the TOE displays a confirmation message and carries out the restart or stop only after the administrator's approval.

6.2.5.15 System Status Management (FMT_SysStatus)

The TOE provides functions to display the versions of the security functions and the operating system. The TOE provides the following version information:

- Dedicated operating system version and firmware version

The TOE also provides functions to search the running time of the system and the system load (shown as CPU idle time in %) among the system status information.

6.2.5.16 Audit Records Backup (FMT_AUBackup)

The TOE allows only the authorized administrator to store and back up audit record data to permanent storage in order to protect the audit trail. The audit records are kept in a dedicated database, so they can be backed up and extracted to a file through the standard database management interface, SQL. The TOE also provides a function to restore backed-up audit record data.

6.2.5.17 Configuration Saving (FMT_SaveConfig)

"Security environment attributes" set during operation are held in the operating system and applied to the running TOE. If the TOE is restarted, however, all such attributes are lost; the administrator must therefore save them to flash memory. The TOE can save the security environment attributes entered during operation in the DB.
6.2.5.18 Statistics (FMT_Statistics)

The TOE produces statistical reports by processing the audit record data accumulated on the audit record storage media and provides them to the administrator for efficient analysis. Only the authorized administrator can search the statistical data. The TOE provides the following types of audit record statistics:

- Packet information by date (daily, weekly, monthly, and yearly)
- Total packets, allowed packets, rejected packets, data traffic, and breakdown by service (port, protocol, type)
- Sessions, packets, and data by packet source or destination

6.2.5.19 Administrator Password Change (FMT_AdminPass)

The TOE provides functions to change the password of the authorized administrator. The TOE can also be set either to keep the administrator password as provided or to require a newly set administrator password.

6.2.5.20 Installation Wizard Launch (FMT_Wizard)

When the TOE is installed, it is initialized, and the administrator must then be given access to the TOE through the security management screen. For this purpose, the TOE provides a minimum security management setting through the console (RS-232C) port.

6.2.5.21 Audit Records Policy Setting (FMT_LogServerPolicy)

The TOE provides functions to selectively include or exclude auditable events based on the event type and level, in compliance with the audit record management policy set by the administrator. All security function-related operations and processing of the VForce 1700 V1.0 software have options controlling the generation of audit records. Above all, the VForce 1700 V1.0 software generates audit records according to a selectable audit record priority. The priorities are as follows:

- Eight levels: Emergency > Alert > Critical > Error > Warning > Notice > Information > Debugging
- Each level includes all levels of higher priority: a level selected by the administrator covers the more severe levels above it.
- Audit records are generated only for auditable events whose priority is at or above the level selected by the administrator.
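The selective audit policy of 6.2.5.21, combined with the log priority, warning priority, and administrator mail settings of 6.2.5.11, amounts to a threshold filter over the eight priority levels. The following is an added example written for this page, not NexG code: events below the log priority are discarded, events at or above it are recorded, and events at or above the warning priority are additionally queued for mail. The record layout, the settings object, and the constructed events are assumptions.

```python
"""Selective audit record generation over the eight priority levels of 6.2.5.21.
Added example, not NexG code; record layout and settings are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Highest priority first, as listed in 6.2.5.21; index 0 is the most severe.
PRIORITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "information", "debugging"]
RANK = {name: i for i, name in enumerate(PRIORITIES)}


def at_or_above(priority: str, threshold: str) -> bool:
    """True when `priority` is at least as severe as `threshold`."""
    return RANK[priority] <= RANK[threshold]


@dataclass
class AuditSettings:
    log_priority: str = "information"       # record this level and above
    warning_priority: str = "error"         # mail the administrator at this level and above
    smtp_server: str = "192.0.2.25"         # constructed value
    admin_mail: str = "admin@example.invalid"  # constructed value


@dataclass
class AuditTrail:
    settings: AuditSettings
    records: List[Dict] = field(default_factory=list)
    mail_queue: List[Dict] = field(default_factory=list)
    dropped: int = 0

    def set_log_priority(self, priority: str) -> None:
        if priority not in RANK:
            raise ValueError(f"unknown priority {priority!r}")
        self.settings.log_priority = priority

    def record(self, priority: str, event: str, **details) -> Optional[Dict]:
        """Apply the selective audit policy to one auditable event."""
        if priority not in RANK:
            raise ValueError(f"unknown priority {priority!r}")
        if not at_or_above(priority, self.settings.log_priority):
            self.dropped += 1                   # below the selected level: not generated
            return None
        rec = {"priority": priority, "event": event, **details}
        self.records.append(rec)
        if at_or_above(priority, self.settings.warning_priority):
            self.mail_queue.append({"to": self.settings.admin_mail,
                                    "via": self.settings.smtp_server, **rec})
        return rec

    def summary(self) -> Dict[str, int]:
        """Record count per priority, for the statistics function of 6.2.5.18."""
        counts = {p: 0 for p in PRIORITIES}
        for rec in self.records:
            counts[rec["priority"]] += 1
        return counts


def demo() -> AuditTrail:
    """Runs constructed events with log priority 'notice' and warning priority 'error'."""
    trail = AuditTrail(AuditSettings(log_priority="notice", warning_priority="error"))
    events = [
        ("information", "administrator login", {"user": "admin", "src": "10.0.0.5"}),
        ("debugging", "packet-filter lookup", {}),
        ("error", "integrity test failed", {"file": "/sbin/fwd"}),
        ("notice", "packet-filtering policy saved", {"policy": "web"}),
        ("emergency", "TSF process terminated without authorization", {"process": "vpnd"}),
    ]
    for priority, event, details in events:
        trail.record(priority, event, **details)
    return trail
```

Because the two thresholds are independent, an administrator can keep the stored trail detailed (log priority Notice) while limiting mail to genuine faults (warning priority Error); setting the warning priority below the log priority is harmless, since nothing dropped by the first check reaches the second.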
6.2.5.22 Security Functional Requirements (SFR) Mapping:

- FMT_MOF.1
- FMT_MSA.1
- FMT_MSA.2
- FMT_MSA.3
- FMT_MTD.1(1)
- FMT_MTD.1(2)
- FMT_MTD.1(3)
- FMT_MTD.1(4)
- FMT_MTD.1(5)
- FMT_MTD.1(6)
- FMT_MTD.2
- FMT_MTD.3
- FMT_SMR.1
- FMT_SMF.1
- FIA_ATD.1
- FPT_STM.1

6.2.6 TSF Protection (FPT)

6.2.6.1 Abstract Machine Test (FPT_ABTest)

FPT_ABTest.1 The TOE runs a test to check that each hardware element underlying the TSF implementation is operating normally at initial start-up, every 24 hours during operation, and on request of the administrator. The TOE checks the status of the gateway of each interface it uses. If a gateway is down, the TOE immediately deletes the corresponding entry from the routing table. When the TOE detects a kernel message while checking interfaces, it immediately updates the corresponding routing table. The DPD (dead peer detection) test described earlier is included in the abstract machine test.

6.2.6.2 Integrity Checking (FPT_Integrity)

FPT_Integrity.1 The TOE monitors the processes that implement security functions. If a process is terminated without authorization, the TOE creates an audit record (and mails the administrator if so configured) and restarts the process. To detect forgery or alteration of files by an unauthorized user, the TOE provides an integrity function covering TSF data and TSF executable code. For TSF data, the TOE compares the result of the integrity test with the result of the previous test. TSF executable code must not change at all; the TOE runs integrity tests on the executable files that make up its processes and on important files of the OS. If an integrity error is found, the TOE takes the same measures as for the abstract machine test above: it informs the authorized administrator and stores audit records.
The TOE runs the integrity test:

- At start-up
- On request of the authorized administrator through the security management functions
- At every interval defined by the administrator

FPT_Integrity conforms to SOF-high for the hash function specified in the Common Criteria for the Information Protection System (Notice 2005-25 of the Ministry of Information and Communication) [1].

6.2.6.3 Security Functional Requirements (SFR) Mapping:

- FPT_AMT.1
- FPT_TST.1
- FPT_TST.2
- FPT_RPL.1

6.2.7 TOE Access (FTA)

6.2.7.1 Session Kill (FTA_SessionKill)

FTA_SessionKill.1 A general user is authenticated by the corresponding protocol (HTTP or SOCKS 5) through the proxy and then accesses the final destination server. If no traffic is generated after the user has connected to the server, the session is terminated. After termination, the TOE informs both the server and the client and removes the session from the session list. If the user requests access to the server again, the TOE authenticates the user again through HTTP or SOCKS 5 and treats the access to the destination server as a new session.

6.2.7.2 Session Locking (FTA_SessionLock)

FTA_SessionLock.1 All administrators and general users who access the TSF of the TOE must prove their authority through the identification and authentication process. If no data is transmitted between the administrator's browser and the TOE within the administrator session time-out (6.2.5.12), the TOE locks the session: the session itself is retained (the SSL authentication token and the security management page are kept), but the administrator must enter the ID and password again (with the SSL authentication token maintained) to return to the previous page.

6.2.7.3 Security Functional Requirements (SFR) Mapping:

- FTA_SSL.1
- FTA_SSL.3

6.2.8 Trusted Path/Channel (FTP)

6.2.8.1 Trusted Channel (FTP_AdminTrusted)

FTP_AdminTrusted.1 This function provides secure transmission of information.
When the administrator accesses the TOE directly for security management, the TOE provides an HTTPS (GUI)-based secure communication path to protect both the console and the network. HTTPS runs HTTP over SSL, the protocol originally defined by Netscape and implemented in the browser, which encrypts the user's page request and decrypts the response at the SSL layer beneath HTTP. The TOE uses the OpenSSL cryptographic toolkit to support SSL protocol network communication.

6.2.8.2 Security Functional Requirements (SFR) Mapping:

- FTP_ITC.1

6.2.9 Privacy (FPR)

6.2.9.1 TOE Status View (FPR_Status)

On request of an authorized user who has logged in successfully through the security management screen, the TOE displays the following:

- Traffic at each interface: inbound/outbound packets, throughput in Kbytes per second, and packets per second on each Ethernet interface, including any virtual IPsec interface, together with the activation/deactivation status of each interface.
- Sessions: the list of sessions that have passed the security policy of the TOE, including the protocol, remaining valid time (in seconds), source/destination port, ICMP type and code, TCP state, and establishment status of each session.
- Access control status: the number of packets and bytes handled by the packet-filtering, network address translation, port-forwarding, and redirect security policies of the TOE.
- IPsec status: security tunnel (SA) information between the TOE and its communication counterpart, including the local and remote VPN networks of each tunnel, the gateway address of the counterpart, and the number of packets that have passed through the tunnel.
- Login users: the list of authorized administrators currently connected to the TOE, with user ID, TTY type, idle time, login time, and host IP address.
- System information: overall TOE system information, including the software version, operation time, and CPU load.
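The integrity function of 6.2.6.2 distinguishes two kinds of target: TSF executable code, which must never change and is therefore compared against a fixed reference, and TSF data, which is compared against the result of the previous test. The following is an added example written for this page, not NexG code, showing that distinction with a rolling baseline for data and a fixed reference for code. SHA-256 is an assumption standing in for the hash function required by Notice 2005-25, and the file tree is constructed under a temporary directory.

```python
"""TSF file integrity test with a fixed code reference and a rolling data baseline.
Added example, not NexG code; SHA-256 and the constructed file tree are assumptions."""
import hashlib
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List


def file_digest(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path, names: Iterable[str]) -> Dict[str, str]:
    """Digest of every listed file that exists; missing files are left out so
    that compare() reports them as missing."""
    return {n: file_digest(root / n) for n in names if (root / n).is_file()}


def compare(reference: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    return {
        "modified": sorted(n for n in reference if n in current and reference[n] != current[n]),
        "missing": sorted(n for n in reference if n not in current),
        "unexpected": sorted(n for n in current if n not in reference),
    }


class IntegrityChecker:
    def __init__(self, root: Path, code_files: List[str], data_files: List[str]) -> None:
        self.root, self.code_files, self.data_files = root, code_files, data_files
        self.code_reference = snapshot(root, code_files)   # fixed at installation, never updated
        self.data_baseline = snapshot(root, data_files)    # result of the previous test
        self.alarms: List[str] = []

    def run(self) -> Dict[str, Dict[str, List[str]]]:
        """One integrity test (start-up, administrator request, or periodic)."""
        result = {"code": compare(self.code_reference, snapshot(self.root, self.code_files)),
                  "data": compare(self.data_baseline, snapshot(self.root, self.data_files))}
        for kind, diff in result.items():
            for status, names in diff.items():
                for n in names:
                    # In the TOE this becomes an audit record plus administrator notification.
                    self.alarms.append(f"{kind} {status}: {n}")
        # TSF data: the next run compares against this run's result. The code reference stays fixed.
        self.data_baseline = snapshot(self.root, self.data_files)
        return result


def demo() -> List[Dict[str, Dict[str, List[str]]]]:
    """Builds a constructed TSF tree, tampers with one code file and one data file,
    then runs the test twice to show the two comparison modes."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "sbin").mkdir()
        (root / "etc").mkdir()
        (root / "sbin/fwd").write_bytes(b"\x7fELF original firewall daemon")
        (root / "etc/policy.conf").write_text("rule web allow tcp/80\n")
        checker = IntegrityChecker(root, ["sbin/fwd"], ["etc/policy.conf"])
        (root / "sbin/fwd").write_bytes(b"\x7fELF trojaned firewall daemon")
        (root / "etc/policy.conf").write_text("rule web allow tcp/80\nrule all allow any\n")
        first = checker.run()
        second = checker.run()
        return [first, second]
```

On the second run the modified data file is no longer reported, because the data baseline was rolled forward, whereas the tampered executable is still reported against the unchanging code reference. This is the practical consequence of the two modes described above: a data change is alarmed once and then accepted, a code change is alarmed on every test until the file is restored. The reference digests must themselves be protected at least as well as the files they cover, since an attacker who can rewrite both defeats the check.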
6.2.9.2 Source Address Translation (FPR_SNAT)

FPR_SNAT.1 To overcome the shortage of IPv4 addresses and to protect internal users, the TOE provides a network address translation function that lets internal hosts use private addresses. With this function, an internal user exposes only a public IP address to external IT entities and keeps its private IP address hidden while communicating with them.

6.2.9.3 Destination Network Address Translation (FPR_DNAT)

FPR_DNAT.1 The TOE can also redirect a session arriving at a public IP address to a particular internal host. When an external IT entity accesses an internal private host, the TOE hides the network information of the private host from the outside and connects the session through the externally reachable IP address. The external IT entity thus reaches the internal network through a shared IP address without a direct connection to that network.

6.2.9.4 Redirecting (FPR_Redirect)

FPR_Redirect.1 The TOE changes the destination network information (IP address and port) of a packet and redirects it to a destination set by the administrator. The TOE can redirect selected incoming and outgoing packets of the protocols supported by the proxy (HTTP, FTP, and TELNET) so that they must pass through the proxy. The TOE can also redirect access to the destination without changing the network information of the host that the TOE protects.

6.2.9.5 Security Functional Requirements (SFR) Mapping:

- FDP_IFC.2(3)
- FDP_IFF.1(4)
- FPR_UNO.4

7 Protection Profile Claims

This chapter provides the correspondence between the TOE and [FW_PP_V1.1] and between the Security Target and [VPN_PP_V1.1].

7.1 Protection Profile Reference

The TOE and this Security Target have been prepared based on [FW_PP_V1.1] and [VPN_PP_V1.1], and the product has been designed to meet all security functional requirements and assurance requirements specified in these protection profiles.
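The three translation functions of 6.2.9.2 to 6.2.9.4 share one mechanism: a connection-tracking table that rewrites addresses on the way out and reverses the rewrite on the way back, so that a private address is never visible to the external IT entity. The following is an added example written for this page, not NexG code, modelling source NAT with per-session port allocation, destination NAT (port forwarding) with the reply rewritten on the way out, and redirection of proxied protocols. The addresses and the port-allocation scheme are assumptions.

```python
"""Connection-tracking SNAT, DNAT (port forwarding) and redirect model for 6.2.9.2 to 6.2.9.4.
Added example, not NexG code; addresses and the port-allocation scheme are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class NatTable:
    def __init__(self, public_ip: str, private_net: str,
                 port_range: Tuple[int, int] = (20000, 29999)) -> None:
        self.public_ip = public_ip
        self.private_net = ip_network(private_net)
        self.next_port, self.last_port = port_range
        self.snat: Dict[Tuple, int] = {}                    # original 5-tuple -> public port
        self.snat_back: Dict[Tuple, Tuple[str, int]] = {}   # (public port, peer) -> (src, sport)
        self.dnat_back: Dict[Tuple, int] = {}               # (internal host, peer) -> public port
        self.forwards: Dict[Tuple[int, str], Tuple[str, int]] = {}   # (public port, proto) -> host
        self.redirects: Dict[Tuple[str, int], Tuple[str, int]] = {}  # (proto, dport) -> proxy

    def add_port_forward(self, public_port: int, proto: str, host: str, port: int) -> None:
        self.forwards[(public_port, proto)] = (host, port)

    def add_redirect(self, proto: str, dport: int, proxy: str, proxy_port: int) -> None:
        self.redirects[(proto, dport)] = (proxy, proxy_port)

    def _alloc_port(self) -> int:
        if self.next_port > self.last_port:
            raise RuntimeError("NAT port pool exhausted")
        port, self.next_port = self.next_port, self.next_port + 1
        return port

    def outbound(self, pkt: Packet) -> Packet:
        """Packet from the internal network toward the outside."""
        if ip_address(pkt.src) not in self.private_net:
            return pkt
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        # Reply of a port-forwarded session: restore the public port, do not SNAT.
        if key in self.dnat_back:
            return Packet(self.public_ip, self.dnat_back[key], pkt.dst, pkt.dport, pkt.proto)
        # Redirect: proxied protocols have their destination rewritten to the proxy.
        if (pkt.proto, pkt.dport) in self.redirects:
            proxy, proxy_port = self.redirects[(pkt.proto, pkt.dport)]
            return Packet(pkt.src, pkt.sport, proxy, proxy_port, pkt.proto)
        # Source NAT: private address and port replaced; one public port per session.
        if key not in self.snat:
            port = self._alloc_port()
            self.snat[key] = port
            self.snat_back[(port, pkt.dst, pkt.dport, pkt.proto)] = (pkt.src, pkt.sport)
        return Packet(self.public_ip, self.snat[key], pkt.dst, pkt.dport, pkt.proto)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Packet arriving on the public interface; None means it is not delivered."""
        if pkt.dst != self.public_ip:
            return None
        reply = (pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if reply in self.snat_back:                      # reply to a translated session
            src, sport = self.snat_back[reply]
            return Packet(pkt.src, pkt.sport, src, sport, pkt.proto)
        if (pkt.dport, pkt.proto) in self.forwards:      # port forwarding (DNAT)
            host, port = self.forwards[(pkt.dport, pkt.proto)]
            self.dnat_back[(host, port, pkt.src, pkt.sport, pkt.proto)] = pkt.dport
            return Packet(pkt.src, pkt.sport, host, port, pkt.proto)
        return None                                      # no policy: private hosts stay hidden
```

Two properties of this model carry the privacy objective: an unsolicited inbound packet that matches neither a tracked session nor a forwarding policy is dropped rather than routed, and the reply of a forwarded session is rewritten from the `dnat_back` entry so that the internal host's address and real port never appear in the packet the external entity receives.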
7.2 Protection Profile Tailoring

7.2.1 [FW_PP_V1.1] Tailoring

The following security functional requirements of the Common Criteria for the Information Protection System are tailored by [FW_PP_V1.1]:

[Table 7-1] Security Functional Requirements Tailored in [FW_PP_V1.1]

Functional Component     Description
FAU_ARP.1                Security alarm
FAU_GEN.1                Audit data generation
FAU_SAA.1                Potential violation analysis
FAU_SAR.3                Selectable audit review
FAU_SEL.1                Selective audit
FAU_STG.3                Response to predicted audit data loss
FAU_STG.4                Prevention of audit data loss
FDP_ACC.2                Complete access control
FDP_ACF.1                Security attribute-based access control
FDP_IFC.2                Complete information flow control
FDP_IFF.1                Single-layer security attributes
FIA_AFL.1                Authentication failure handling
FIA_ATD.1                User attribute definition
FIA_SOS.1                Verification of secrets
FIA_UAU.1                Authentication
FIA_UAU.4                Replay prevention authentication mechanism
FIA_UAU.7                Protected authentication feedback
FMT_MOF.1                Management of security functions
FMT_MSA.1                Management of security attributes
FMT_MSA.3                Static attribute initialization
FMT_MTD.1                Management of TSF data
FPT_AMT.1                Abstract machine test
FPT_TST.1                TSF self-test
FPT_TST.2 (Extension)    Response to TSF data integrity fault (extension)
FTA_SSL.1                TSF-initiated session locking
FTA_SSL.3                TSF-initiated session termination

7.2.2 [VPN_PP_V1.1] Tailoring

The following security functional requirements of the Common Criteria for the Information Protection System are tailored by [VPN_PP_V1.1]:

[Table 7-2] Security Functional Requirements Tailored by [VPN_PP_V1.1]

Functional Component     Description
FAU_ARP.1                Security alarm
FAU_GEN.1                Audit data generation
FAU_SAA.1                Potential violation analysis
FAU_SAR.3                Selectable audit review
FAU_SEL.1                Selective audit
FAU_STG.3                Response to expected audit data loss
FAU_STG.4                Prevention of audit data loss
FDP_IFC.1                Subset information flow control
FDP_IFF.1                Single-layer security attributes
FIA_AFL.1                Authentication failure handling
FIA_ATD.1                User attribute definition
FIA_SOS.1                Verification of secrets
FIA_UAU.4                Replay prevention authentication mechanism
FIA_UAU.7                Protected authentication feedback
FMT_MOF.1                Management of security functions
FMT_MSA.1                Management of security attributes
FMT_MSA.3                Static attribute initialization
FPT_AMT.1                Abstract machine test
FPT_RPL.1                Replay attack detection and response
FPT_TST.1                TSF self-test
FPT_TST.2 (Extension)    Response to TSF data integrity fault
FTA_SSL.1                TSF-initiated session locking
FTP_ITC.1                Inter-TSF trusted channel

7.3 Protection Profile Augmentation

7.3.1 Security Requirements Augmentation for the Protection Profiles

To support additional security functions of the TOE beyond the requirements specified in the protection profiles, the author added the following security functional requirements:

[Table 7-3] Author-augmented SFR

Functional Component     Description
FMT_SMF.1                Specification of management functions
FPR_UNO.4                Authorized user observability

7.3.2 Protection Profile Threats and Objectives Augmentation

Besides the threats and security objectives specified in the protection profiles, the author added the following threats and security objectives:

[Table 7-4] Author-augmented Threats and Security Objectives

Item                     Description
T. Privacy               If an internal network IP address is disclosed to a non-trusted network, an unauthorized attacker may infer the layout of the internal network and access it without permission.
O. Privacy               The TOE shall prevent an external user from inferring the IP address of an internal user.
OE. Trusted Server       The following servers located outside the TOE, on which TOE functions depend, shall be protected: the Network Time Protocol (NTP) server and the remote security management system.
OE. Trusted Channel      For secure communication between the TOE and the administrator, the TOE shall protect the channel and its certificates using the SSL protocol as implemented by the OpenSSL toolkit.
OE. Trusted Storage      To ensure safe maintenance and management of the storage where the TOE's audit records are kept, trusted storage shall be provided, and this storage shall provide SQLite, a database management system.

8 Rationale

This chapter provides the rationale demonstrating the completeness and consistency of the Security Target. The rationale covers:

- Security objectives
- Security requirements
- TOE summary specification
- Security functional requirement dependencies
- Internal consistency of the Security Target

8.1 Security Objectives Rationale

8.1.1 Security Objectives Rationale for TOE Security Objectives Same as Those in the Protection Profiles

[Table 8-1] Security Objective Rationale Same as [FW_PP_V1.1] and [VPN_PP_V1.1]

Security Objective                    Description
O. Audit                              Provides the means for the TOE to record, maintain, and review security-related events in a detailed and accurate manner. Necessary for countering T. Misuse and T. Recording Failure and for supporting P. Audit among the organizational security policies.
O. Flaw Code Inspection               Ensures that flawed code the developer may have left in the product is detected. Necessary for countering T. Flaw Code.
O. Management                         Provides the means for the authorized administrator to manage the TOE securely. Necessary for supporting P. Trusted Management.
O. Data Protection                    Ensures the integrity of TSF data. Necessary for countering T. Transmission Integrity and T. Stored Data Damage and for supporting P. Confidentiality and P. Cryptograph.
O. Confidentiality                    Ensures the confidentiality of data transmitted by the TOE on the network. Necessary for countering T. Cryptograph Decoding and for supporting P. Confidentiality and P. Cryptograph.
O. Identification and Authentication  Ensures that the TOE identifies and authenticates users. Necessary for countering T. Impersonation, T. Continued Authentication Attempt, T. Bypassing, T. Replay Attack, T. Stored Data Damage, T. IP Address Spoofing, and T. Misuse.
O. Self-protection                    Because the TOE protects itself, this objective is necessary for countering T. New Attack, T. Bypassing, T. Misuse, and T. Stored Data Damage.
O. Access Control                     Because the TOE controls access to the network, this objective is necessary for countering T. Unauthorized Information Outflow, T. Bypassing, T. IP Address Spoofing, and T. Unauthorized Information Inflow.
O. Information Flow Control           Because the TOE mediates information flow according to the security policy, this objective is necessary for countering T. Unauthorized Information Inflow and T. Unauthorized Information Outflow.
O. Information Flow Mediation         Because the TOE mediates information flow according to the security policy, this objective is necessary for supporting P. Confidentiality and P. Plain Text Transmission.
O. Key Security                       Because the TOE provides confidentiality and integrity of cryptographic keys and ensures proper key exchange, this objective is necessary for countering T. Cryptographic Decoding and T. Transmission Integrity and for supporting P. Confidentiality and P. Cryptograph.

8.1.2 Security Objectives Rationale for the Environment Same as in the Protection Profiles

[Table 8-3] Security Objective Rationale for the Environment Same as in the Protection Profiles

Security Objective                    Description
OE. Physical Security                 Ensures the physical security of the TOE; necessary for supporting A. Physical Security.
OE. Security Maintenance              When the network environment changes because of a configuration change or an increase or decrease of hosts or services, OE. Security Maintenance ensures that the new environment and the new security policy are applied immediately to the TOE operation policy so that the security level stays consistent. Necessary for supporting A. Security Maintenance and countering T. New Attack.
OE. Trusted Administrator             Ensures that the authorized administrator of the TOE is trustworthy; necessary for supporting A. Trusted Administrator and countering T. Misuse, TE. Poor Management, and TE. Delivery and Installation.
OE. Trusted Management                Ensures that the TOE is delivered and installed securely and is configured and managed by the authorized administrator; necessary for countering T. New Attack, TE. Poor Management, and TE. Delivery and Installation and for supporting P. Trusted Management.
OE. Security Policy                   Ensures that the TOE and any authenticated peer TOE it communicates with enforce compatible security policies; necessary for supporting A. Security Policy.
OE. Operating System Reinforcement    Removes services and means unnecessary for the operation of the TOE, hardens the operating system against vulnerabilities, and supports its safety and reliability; necessary for supporting A. Operating System Reinforcement and countering T. New Attack.
OE. Single Point of Connection        Ensures that all external networks communicate with the internal network only through the TOE; necessary for supporting A. Single Point of Connection.

Note: OE. Attacker Level has been changed to a threat in the assumptions and is not included in this table.

[Table 8-4] Relation between the Security Environment and the Security Objectives

TOE security objectives (columns): O. Impersonation, O. Flaw Code Inspection, O. Management, O. Data Protection, O. Identification and Authentication, O. Self-protection of Functions, O. Access Control, O. Information Flow Control, O. Confidentiality, O. Key Protection, O. Information Flow Mediation
Security objectives for the environment (columns): OE. Physical Security, OE. Security Management, OE. Trusted Administrator, OE. Safe Management, OE. Operating System Reinforcement, OE. Single Point of Connection, OE. Security Policy

Security Environment (rows)                 Marks
T. Impersonation                            X
T. Flaw Code                                X
T. Record Flaw                              X
T. Abuse                                    X X X X
T. Decoding                                 X X
T. Continued Authentication Attempts        X
T. Bypassing                                X X X
T. Replay Attack                            X
T. Stored Data Damage                       X X X
T. Transmission Integrity                   X X
T. Unauthorized Information Inflow          X X
T. Unauthorized Information Disclosure      X X
T. New Attack                               X X X X X
T. IP Address Spoofing                      X X
P. Audit                                    X
P. Confidentiality                          X X X X
P. Trusted Management                       X X
P. Cryptographic                            X X X
P. Plain Text Transmission                  X
A. Physical Security                        X
A. Security Policy                          X
A. Security Maintenance                     X X
A. Trusted Administrator                    X
A. Operating System Reinforcement           X
A. Single Point of Connection               X
TE. Poor Management                         X X
TE. Delivery and Installation               X X

Note: A. Attacker's Level and OE. Attacker Level have been changed to a threat in the assumptions and are not included in this table.

8.1.3 Author-augmented Security Objectives Rationale

[Table 8-4] Author-augmented Security Objective Rationale

Security Objective       Description
O. Privacy               Prevents an external user from inferring the IP address of an internal user. Counters T. Privacy.
OE. Trusted Server       Ensures that the external servers interacting with the TOE are reliable; necessary for supporting A. Trusted Server.
OE. Trusted Channel      Ensures a trusted channel between the TOE and the administrator; necessary for supporting A. Trusted Channel. The SSL protocol, as implemented by the OpenSSL toolkit, is used to provide the channel and manage certificates.
OE. Trusted Storage      Ensures that the storage holding TOE-related audit records is maintained and managed securely; necessary for supporting A. Trusted Storage. The storage provides a relational database, SQLite.

[Table 8-5] Relations between the Augmented Security Objectives and the Security Environment

Security Environment     Security Objective
T. Privacy               O. Privacy
A. Trusted Server        OE. Trusted Server
A. Trusted Channel       OE. Trusted Channel
A. Trusted Storage       OE. Trusted Storage

8.2 Rationale for Security Functional Requirements

8.2.1 Rationale for Security Functional Requirements Same as Those in the Protection Profiles

O. Flaw Code Inspection is covered by the assurance requirements.

8.2.1.1 FAU_ARP.1 Security Alarm
The TOE provides functions that take action against detected security violations. Therefore, the TOE conforms to the requirements of Security Objective O. Audit in [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.2 FAU_GEN.1 Audit Data Generation
The TOE provides functions to define auditable events and generate audit records. Therefore, the TOE conforms to the requirements of Security Objective O. Audit in [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.3 FAU_SAA.1 Potential Violation Analysis
The TOE provides functions to inspect audited events and identify security violations. Therefore, the TOE conforms to the requirements of Security Objective O. Audit in [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.4 FAU_SAR.1 Audit Review
The TOE provides functions for the authorized administrator to review the audit records. Therefore, the TOE conforms to the requirements of Security Objective O. Audit in [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.5 FAU_SAR.3 Selectable Audit Review
The TOE provides functions to search and sort audit record data. Therefore, the TOE conforms to the requirements of Security Objective O. Audit in [FW_PP_V1.1] and [VPN_PP_V1.1].
8.2.1.6 FAU_SEL.1 Selective Audit
The TOE provides functions for the authorized administrator to include or exclude auditable events based on security attributes. Therefore, the TOE conforms to the requirements of Security Objective O. Audit in [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.7 FAU_STG.1 Audit Trail Protection
The TOE provides functions to protect audit records from modification or deletion by an unauthorized user. Therefore, the TOE conforms to the requirements of Security Objective O. Audit in [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.8 FAU_STG.3 Response to Predicted Audit Data Loss
The TOE provides functions to take predefined actions when the audit trail exceeds the threshold set by the administrator. Therefore, the TOE conforms to the requirements of Security Objective O. Audit in [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.9 FAU_STG.4 Prevention of Audit Data Loss
The TOE provides functions to take predefined actions when the audit record storage is full. Therefore, the TOE conforms to the requirements of Security Objective O. Audit in [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.10 FCS_CKM.1 Cryptographic Key Generation
The TOE provides functions to generate cryptographic keys according to the specified key generation algorithm and key length. Therefore, the TOE conforms to the requirements of Security Objectives O. Confidentiality, O. Data Protection, and O. Key Security in [VPN_PP_V1.1].

8.2.1.11 FCS_CKM.2 Cryptographic Key Distribution
The TOE provides functions to distribute cryptographic keys according to the specified key distribution method. Therefore, the TOE conforms to the requirements of Security Objectives O. Confidentiality, O. Data Protection, and O. Key Security in [VPN_PP_V1.1].

8.2.1.12 FCS_CKM.4 Cryptographic Key Destruction
The TOE provides functions to destroy cryptographic keys according to the specified key destruction method.
Therefore, the TOE conforms to the requirements specified in Security Objectives O. Confidentiality, O. Data Protection, and O. Key Security of [VPN_PP_V1.1].

8.2.1.13 FCS_COP.1 Cryptographic Operation
The TOE provides functions to perform cryptographic operations according to the cryptographic algorithm and the predefined cryptographic key length. Therefore, the TOE conforms to the requirements specified in Security Objectives O. Confidentiality and O. Data Protection of [VPN_PP_V1.1].

8.2.1.14 FDP_ACC.2 Complete Access Control
The TOE provides functions to secure complete access control for all traffic passing the TOE in compliance with the administrator-set security policy. Therefore, the TOE conforms to the requirements specified in Security Objectives O. Data Protection and O. Access Control of [FW_PP_V1.1].

8.2.1.15 FDP_ACF.1 Security Attribute-based Access Control
The TOE provides functions to allow access control based on the security attribute in compliance with the administrator-defined access control security policy. Therefore, the TOE conforms to the requirements specified in Security Objectives O. Data Protection and O. Access Control of [FW_PP_V1.1].

8.2.1.16 FDP_DAU.1 Basic Data Authentication
The TOE provides subjects with the capability to generate evidence of, and to verify, the integrity of the data transmitted to/from the TOE. Therefore, the TOE conforms to the requirements specified in Security Objective O. Data Protection of [VPN_PP_V1.1].

8.2.1.17 FDP_IFC.1 Subset Information Flow Control
The TOE ensures that the information flow of the data transmitted to/from the TOE is controlled according to the VPN security policy. Therefore, the TOE conforms to the requirements specified in Security Objective O. Information Flow Mediation of [VPN_PP_V1.1].

8.2.1.18 FDP_IFC.2(1) Complete Information Flow Control
The TOE provides functions to completely control the information flow of all traffic passing through the TOE based on the packet-filtering security policy defined by the administrator.
Therefore, the TOE conforms to the requirements specified in Security Objective O. Information Flow Control of [FW_PP_V1.1].

8.2.1.19 FDP_IFC.2(2) Complete Information Flow Control
The TOE provides functions to completely control the information flow of all traffic passing through the TOE based on the proxy security policy defined by the administrator. Therefore, the TOE conforms to the requirements specified in Security Objective O. Information Flow Control of [FW_PP_V1.1].

8.2.1.20 FDP_IFF.1(1) Single-layer Security Attribute
The TOE provides functions to define and apply the VPN security policy, which controls information flow based on the security attribute. Therefore, the TOE conforms to the requirements specified in Security Objective O. Information Flow Mediation of [VPN_PP_V1.1].

8.2.1.21 FDP_IFF.1(2) Single-layer Security Attribute
The TOE provides functions to define and apply the packet-filtering security policy, which controls information flow based on the security attribute. Therefore, the TOE conforms to the requirements specified in Security Objective O. Information Flow Control of [FW_PP_V1.1].

8.2.1.22 FDP_IFF.1(3) Single-layer Security Attribute
The TOE provides functions to define and apply the proxy security policy, which controls information flow based on the security attribute. Therefore, the TOE conforms to the requirements specified in Security Objective O. Information Flow Control of [FW_PP_V1.1].

8.2.1.23 FIA_AFL.1 Authentication Failure Handling
The TOE provides functions to define the user authentication failure threshold and takes predefined actions when the threshold is crossed. Therefore, the TOE conforms to the requirements specified in Security Objective O. Identification and Authentication of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.24 FIA_ATD.1 User Attribute Definition
The TOE provides functions to define the security attribute list for each user. Therefore, the TOE conforms to the requirements specified in Security Objective O.
Identification and Authentication of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.25 FIA_SOS.1 Verification of Confidential Information
The TOE provides functions to enforce compliance with the password collation rule set for passwords. Therefore, the TOE conforms to the requirements specified in Security Objective O. Identification and Authentication of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.26 FIA_UAU.2 User Authentication Prior to Every Behavior
The TOE provides functions to successfully authenticate the authorized administrator and users. Therefore, the TOE conforms to the requirements specified in Security Objectives O. Management, O. Data Protection, and O. Identification and Authentication of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.27 FIA_UAU.4 Replay Prevention Authentication Mechanism
The TOE provides functions to prevent replay of the authentication data. Therefore, the TOE conforms to the requirements specified in Security Objective O. Identification and Authentication of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.28 FIA_UAU.7 Authentication Feedback Protection
The TOE provides a response that contains minimum information for the user before or during the authentication process. Therefore, the TOE conforms to the requirements specified in Security Objective O. Identification and Authentication of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.29 FIA_UID.2 User Identification Prior to Every Behavior
The TOE guarantees successful identification of the authorized administrator and the user. Therefore, the TOE conforms to the requirements specified in Security Objectives O. Management, O. Data Protection, and O. Identification and Authentication of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.30 FMT_MOF.1 Security Function Management
The TOE provides functions that allow only the authorized administrator to manage security functions. Therefore, the TOE conforms to the requirements specified in Security Objective O. Management of [FW_PP_V1.1] and [VPN_PP_V1.1].
8.2.1.31 FMT_MSA.1 Security Attribute Management
The TOE provides functions that allow only the authorized administrator to manage security attributes. Therefore, the TOE conforms to the requirements specified in Security Objective O. Management of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.32 FMT_MSA.2 Trusted Security Attribute
The TOE allows only values within the defined range to be input as security attributes. Therefore, the TOE conforms to the requirements specified in Security Objective O. Self-protection of [VPN_PP_V1.1].

8.2.1.33 FMT_MSA.3 Static Attribute Initialization
The TOE guarantees management of the security attributes which are applied to the administrator security policy, the VPN security policy, the packet-filtering security policy, and the proxy security policy. Therefore, the TOE conforms to the requirements specified in Security Objective O. Management of [FW_PP_V1.1] and [VPN_PP_V1.1] and Security Objective O. Information Flow Mediation of [VPN_PP_V1.1].

8.2.1.34 FMT_MTD.1(1) TSF Data Management
The TOE provides functions for the authorized administrator to create statistics from the audit data. Therefore, the TOE conforms to the requirements specified in Security Objective O. Audit of [FW_PP_V1.1].

8.2.1.35 FMT_MTD.1(2) TSF Data Management
The TOE provides functions to back up and restore important files composing the TOE. Therefore, the TOE conforms to the requirements specified in Security Objective O. Management of [FW_PP_V1.1].

8.2.1.36 FMT_MTD.1(3) TSF Data Management
The TOE provides functions for the authorized administrator to manage the administrator security policy, VPN security policy, packet-filtering security policy, and proxy security policy. Therefore, the TOE conforms to the requirements specified in Security Objective O. Management of [FW_PP_V1.1].

8.2.1.37 FMT_MTD.1(4) TSF Data Management
The TOE provides functions for the authorized administrator to manage cryptographic key attributes.
Therefore, the TOE conforms to the requirements specified in Security Objective O. Management of [VPN_PP_V1.1].

8.2.1.38 FMT_MTD.1(5) TSF Data Management
The TOE provides functions for the authorized administrator to manage identification and authentication data. Therefore, the TOE conforms to the requirements specified in Security Objective O. Management of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.39 FMT_MTD.1(6) TSF Data Management
The TOE provides functions for the authorized administrator to manage TOE time data. Therefore, the TOE conforms to the requirements specified in Security Objective O. Management of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.40 FMT_MTD.2 TSF Data Threshold Management
The TOE provides functions for the authorized administrator to manage TSF data thresholds and to take actions predefined by the administrator when the threshold is crossed. Therefore, the TOE conforms to the requirements specified in Security Objective O. Management of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.41 FMT_MTD.3 Trusted TSF Data
The TOE allows only values within the defined range to be input as security attributes. Therefore, the TOE conforms to the requirements specified in Security Objective O. Self-protection of [VPN_PP_V1.1].

8.2.1.42 FMT_SMR.1 Security Role
The TOE provides functions to define and apply security roles for all users, including the administrators. Therefore, the TOE conforms to the requirements specified in Security Objective O. Management of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.43 FPT_AMT.1 Abstract Machine Test
The TOE provides the abstract machine test function to check whether all functions of the TOE, including the TSF, are operating normally. Therefore, the TOE conforms to the requirements specified in Security Objective O. Data Protection of [VPN_PP_V1.1] and Security Objective O. Self-protection of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.44 FPT_RPL.1 Replay Attack Detection and Measures
The TOE provides functions to detect and audit replay of user or VPN gateway authentication data.
Therefore, the TOE conforms to the requirements specified in Security Objective O. Identification and Authentication of [VPN_PP_V1.1].

8.2.1.45 FPT_RVM.1 Non-bypassability of the TSP
The TOE provides a single point of connection through which the TSP is called. Therefore, the TOE conforms to the requirements specified in Security Objective O. Self-protection of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.46 FPT_SEP.1 Security Function Fragmentation
The TOE provides functions to maintain security for the execution of the TSF. Therefore, the TOE conforms to the requirements specified in Security Objective O. Self-protection of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.47 FPT_STM.1 Reliable Time Stamp
The TOE provides a reliable time stamp function for the TSF. Therefore, the TOE conforms to the requirements specified in Security Objective O. Audit of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.48 FPT_TST.1 TSF Self-test
The TOE provides self-test and integrity test functions. Therefore, the TOE conforms to the requirements specified in Security Objectives O. Data Protection and O. Self-protection of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.49 FPT_TST.2 Response to TSF Data Integrity Fault
The TOE provides functions to take actions predefined by the administrator upon occurrence of a TSF data integrity fault. Therefore, the TOE conforms to the requirements specified in Security Objectives O. Data Protection and O. Self-protection of [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.1.50 FTA_SSL.1 Session Locking by TSF
After a certain period of idle time by the authorized administrator, the TOE locks the corresponding session and requires an event before unlocking the session. Therefore, the TOE conforms to the requirements specified in Security Objective O. Self-protection of [FW_PP_V1.1] and [VPN_PP_V1.1], Security Objective O. Identification and Authentication of [FW_PP_V1.1], and Security Objective O. Data Protection of [VPN_PP_V1.1].
8.2.1.51 FTA_SSL.3 Session Termination by TSF
The TOE provides functions to terminate the session after a general user remains idle for a certain period of time. Therefore, the TOE conforms to the requirements specified in Security Objective O. Self-protection of [FW_PP_V1.1].

8.2.1.52 FTP_ITC.1 Trusted Channel between TSFs
The TOE provides functions to securely manage the channel while the authorized administrator is accessing the security management environment of the TOE. Therefore, the TOE conforms to the requirements specified in Security Objective O. Management of [VPN_PP_V1.1].

[Table 8-6] Mapping between TOE Security Functions and Security Objectives
Columns for [FW_PP_V1.1]: O. Audit | O. Management | O. Data Protection | O. Identification and Authentication | O. Self-protection of Functions | O. Access Control | O. Information Flow Control
Columns for [VPN_PP_V1.1]: O. Audit | O. Management | O. Data Protection | O. Confidentiality | O. Identification and Authentication | O. Self-protection of Functions | O. Information Flow Mediation | O. Key Security
Security Function Requirements | Marks (one X per supported objective; the objectives each SFR supports are named in its rationale in 8.2.1)
FAU_ARP.1    | X X
FAU_GEN.1    | X X
FAU_SAA.1    | X X
FAU_SAR.1    | X X
FAU_SAR.3    | X X
FAU_SEL.1    | X X
FAU_STG.1    | X X
FAU_STG.3    | X X
FAU_STG.4    | X X
FCS_CKM.1    | X X X
FCS_CKM.2    | X X X
FCS_CKM.4    | X X X
FCS_COP.1    | X X
FDP_ACC.1    | X X
FDP_ACF.1    | X X
FDP_DAU.1    | X
FDP_IFC.1    | X
FDP_IFC.2(1) | X
FDP_IFC.2(2) | X
FDP_IFF.1(1) | X
FDP_IFF.1(2) | X
FDP_IFF.1(3) | X
FIA_AFL.1    | X X
FIA_ATD.1    | X X
FIA_SOS.1    | X X
FIA_UAU.2    | X X X X X X
FIA_UAU.4    | X X
FIA_UAU.7    | X X
FIA_UID.2    | X X X X X X
FMT_MOF.1    | X X
FMT_MSA.1    | X X
FMT_MSA.2    | X X X
FMT_MSA.3    | X X X
FMT_MTD.1(1) | X X
FMT_MTD.1(2) | X
FMT_MTD.1(3) | X
FMT_MTD.1(4) | X
FMT_MTD.1(5) | X X
FMT_MTD.1(6) | X X
FMT_MTD.2    | X X
FMT_MTD.3    | X X
FMT_SMR.1    | X X
FPT_AMT.1    | X X X
FPT_RPL.1    | X
FPT_RVM.1    | X X
FPT_SEP.1    | X X
FPT_STM.1    | X X
FPT_TST.1    | X X X X
FPT_TST.2    | X X X X
FTA_SSL.1    | X X X X
FTA_SSL.3    | X
FTP_ITC.1    | X

8.2.2 Author-augmented Rationale for Security Functional Requirements
8.2.2.1 FMT_SMF.1 Management Function Specification
The TOE ensures that it provides all required security management functions, and meets the requirements specified in Security Objective O. Management in [FW_PP_V1.1] and [VPN_PP_V1.1].

8.2.2.2 FPR_UNO.4 Authorized User Observability
The TOE ensures that the authorized administrator can check TOE resources and process status for the purpose of managing the TOE. The TOE meets the requirements specified in Security Objective O. Management in [FW_PP_V1.1] and [VPN_PP_V1.1].

[Table 8-7] Rationale for Author-augmented Security Functional Requirements
Security Function Requirements | O. Management *
FMT_SMF.1    | X
FPR_PSE.1(1) |
FPR_PSE.1(2) |
FPR_UNO.4    | X
* [FW_PP_V1.1], [VPN_PP_V1.1]

8.2.3 Rationale for IT Environment Requirements
8.2.3.1 FTP_ITC.1 Trusted Channel between TSFs
The TOE secures the channel while the authorized administrator accesses the TOE from a remote place. The TOE meets the requirements specified in OE. Trusted Channel of the TOE Security Objectives.

8.2.3.2 FPT_STM.1 Reliable Time Stamp
The TOE provides a reliable time stamp using a reliable external time stamp synchronization function. Therefore, the TOE conforms to the requirements specified in OE. Trusted Server of the TOE Security Objectives.

8.2.3.3 FAU_SAR.3 Selectable Audit Review
For secure management and maintenance of the audit records, the TOE provides a reliable DBMS. The TOE meets the requirements specified in OE. Trusted Storage of the TOE Security Objectives.

[Table 8-8] Rationale for Author-augmented Security Functional Requirements for the Environment
Security Function Requirements | OE. Trusted Channel | OE. Trusted Server | OE. Trusted Storage
FTP_ITC.1 | X |   |
FPT_STM.1 |   | X |
FAU_SAR.3 |   |   | X

8.3 Rationale for Security Assurance Requirements
This Security Target conforms to the protection profiles for government agencies [FW_PP_V1.1] and [VPN_PP_V1.1].
Therefore, an assurance requirements package which satisfies the EAL3+ specified in the above protection profiles has been selected, and EAL3 of the Common Criteria for the Information Protection System includes the following augmentation components:
- ADV_IMP.2 Expression of TSF implementations
- ADV_LLD.1 Declarative low-level design
- ALC_TAT.1 Well-defined development tool
- ATE_DPT.2 Low-level design test
- AVA_VLA.2 Independent vulnerability analysis

Security Objective O. Collated Code Inspection checks whether the code written by the developer has any flaw and, if so, whether the flawed code affects internal components of the TOE. This security objective adds the assurance components ADV_IMP.2 (expression of TSF implementation) and ATE_DPT.2 (low-level design test). Due to the dependencies of ADV_IMP.2 (expression of TSF implementation), ADV_LLD.1 (declarative low-level design) and ALC_TAT.1 (well-defined development tool) have been augmented. AVA_VLA.2 (independent vulnerability analysis) has also been added because the protection profile requires the developer to carry out the vulnerability analysis and the evaluator the independent vulnerability analysis.

8.4 Rationale for Functional Requirements SOF (Strength of Function)
The TOE of this Security Target shall protect general information of a government agency, and the asset value is medium level. A threat agent is considered to possess low-level expertise, resources, and motivation. Therefore, to respond to a threat agent with low-level attack potential, the TOE should provide security functions for SOF-medium. This Security Target has been designed and prepared based on the SOF-medium declared in the intrusion prevention system protection profile for government agencies [FW_PP_V1.1] and the VPN protection profile [VPN_PP_V1.1].
The identifying value of FIA_UAU.2 and FIA_UAU.4 is 0 and the exploiting value is 21 when the security strength of FIA_UAU.2 and FIA_UAU.4 is calculated according to Table A.3 in Annex A of CEM V2.3.
This mechanism can respond to low-level attackers and conforms to the SOF-medium requirement declared in the Security Target. From the SOF analysis of the SHA1 hash function, which is used to protect the integrity of the stored data and to create the OTP, the exploiting value has been found impractical. This mechanism conforms to the declared SOF-high requirement.

8.5 Rationale for TOE Summary
Some security functions of the TOE shall operate together to satisfy the TOE security functional requirements. The following table shows that all security functions are mapped to all SFRs:

[Table 8-9] Mapping between SFRs and Security Functions
Security Function Summary | Security Functional Requirements
Security alarm (FAU_Alarm) | FAU_ARP.1, FAU_SAA.1
Audit records generation (FAU_Audit) | FAU_GEN.1, FAU_SEL.1
Audit records search (FAU_View) | FAU_SAR.1, FAU_SAR.3
Prevention of loss of audit records (FAU_Prevent) | FAU_STG.1, FAU_STG.3, FAU_STG.4
ESP support (FCS_ESP), AH support (FCS_AH) | FCS_COP.1
Cryptographic key management (FCS_IKE) | FCS_CKM.1, FCS_CKM.2, FPT_RPL.1
Key drop management (FCS_KEYDEST) | FCS_CKM.4
Administrator access control (FDP_AdminNetwork) | FDP_ACC.2, FDP_ACF.1, FPT_RVM.1, FPT_SEP.1
Encrypted data transmission (FDP_VPN) | FDP_DAU.1, FDP_IFC.1, FDP_IFF.1(1), FPT_RVM.1, FPT_SEP.1
Packet-filtering (FDP_PacketFiltering), Network intrusion detection (FDP_NID) | FDP_IFC.2(1), FDP_IFF.1(2), FPT_RVM.1, FPT_SEP.1
Proxy (FDP_Proxy) | FDP_IFC.2(2), FDP_IFF.1(3), FPT_RVM.1, FPT_SEP.1
Authentication failure handling (FIA_IAFailure) | FIA_AFL.1
General cryptographic authentication (FIA_PwdAuth) | FIA_UAU.2, FIA_UAU.7, FIA_UID.2, FIA_SOS.1
One-time password authentication (FIA_OTPAuth) | FIA_UAU.4
User password change (FIA_UPWDSet) | FIA_UAU.2, FIA_SOS.1, FIA_UAU.7
Strength of identification and authentication security (FIA_SoF) | FIA_SOS.1
Security object management (FMT_Object) | FMT_MTD.1(4), FMT_MTD.1(5), FMT_MTD.3, FIA_ATD.1
Security policy management (FMT_Policy) | FMT_MTD.1(3), FMT_MSA.3, FMT_MTD.3
Network interface management (FMT_NICManage) | FMT_MOF.1, FMT_MSA.1, FMT_MSA.2, FMT_MTD.1(3)
PPP interface management (FMT_PPPManage) | FMT_MOF.1, FMT_MSA.1, FMT_MSA.2, FMT_MTD.1(3)
Static routing management (FMT_RoutingManage) | FMT_MOF.1, FMT_MSA.1, FMT_MSA.2, FMT_MTD.1(3)
ARP management (FMT_ARP) | FMT_MOF.1, FMT_MSA.1, FMT_MSA.2
DHCP management (FMT_DHCP) | FMT_MOF.1, FMT_MSA.1, FMT_MSA.2
Host name DNS setting (FMT_HostDNSSet) | FMT_MOF.1, FMT_MSA.1
System time setup (FMT_TimeSet) | FMT_MOF.1, FMT_MSA.1, FMT_MTD.1(6), FPT_STM.1
Audit record setup (FMT_AuditSetup) | FMT_MOF.1, FMT_MSA.1
Security management setup (FMT_AdminSetup) | FMT_MOF.1, FMT_MSA.1, FMT_SMR.1
Firmware upgrade (FMT_Firmup) | FMT_MOF.1, FMT_MSA.1
System setup management (FMT_SysSetup) | FMT_SMF.1
System status management (FMT_SysStatus) | FMT_MOF.1, FMT_MSA.1
Audit records backup (FMT_AuBackup) | FMT_MTD.1(2), FMT_MTD.2
Setup storing (FMT_SaveConfig) | FMT_MOF.1, FMT_MSA.1
Statistics (FMT_Statistics) | FMT_MTD.1(1)
Administrator password change (FMT_AdminPass) | FMT_MTD.1(5)
Installation Wizard launch (FMT_Wizard) | FMT_MOF.1
Audit record policy setting (FMT_LogServerPolicy) | FMT_MTD.1(3), FMT_MTD.2
Abstract machine test (FPT_ABTest) | FPT_AMT.1
Integrity check (FPT_Integrity) | FPT_TST.1, FPT_TST.2
Session locking (FTA_SessionLock) | FTA_SSL.1
Session termination (FTA_SessionKill) | FTA_SSL.3
Trusted channel (FTP_AdminTrusted) | FTP_ITC.1
Source address conversion (FPR_SNAT) | FDP_IFC.2(3), FDP_IFF.1(4)
Destination address conversion (FPR_DNAT), Path redirection (FPR_Redirect) | FDP_IFC.2(3), FDP_IFF.1(4)
TOE status checking (FPR_Status) | FPR_UNO.4

8.5.1 FAU_ARP.1 – FAU_Alarm
The TOE sends alarms to an administrator through e-mail or a message box when it detects an event.

8.5.2 FAU_GEN.1 – FAU_Audit
The TOE generates audit data for all events occurring in the TOE. The audit data has eight severity levels: Emergency > Alert > Critical > Error > Warning > Notice > Information > Debugging.
8.5.3 FAU_SAA.1 – FAU_Alarm
When an event predefined by the administrator, or an event that requires audit records, occurs, the TOE warns the administrator by sending an e-mail or displaying a message box.

8.5.4 FAU_SEL.1 – FAU_Audit
Depending on the security policy set by the administrator, the TOE can selectively generate audit records.

8.5.5 FAU_SAR.1 – FAU_View
The TOE allows the administrator to analyze audit records for traffic in real time and to search the accumulated security audit records in the extended audit record analysis environment.

8.5.6 FAU_SAR.3 – FAU_View
The TOE allows the administrator to selectively search audit records by defining search conditions.

8.5.7 FAU_STG.1 – FAU_Prevent
The TOE allows the administrator to store audit records by system, date, and type.

8.5.8 FAU_STG.3 – FAU_Prevent
The TOE checks the remaining audit data space. When the remaining space crosses the threshold, the TOE generates alarms, stops security functions, or takes other measures to prevent the loss of audit records.

8.5.9 FAU_STG.4 – FAU_Prevent
When the audit storage becomes full, the TOE informs the administrator by sending an e-mail or opening a message box.

8.5.10 FCS_COP.1 – FCS_ESP, FCS_AH
When the TOE establishes encrypted communication with the VPN gateway, the TOE uses the cryptographic hash algorithm specified by the government agency or a standard algorithm defined by the RFC.

8.5.11 FCS_CKM.1 – FCS_IKE
The TOE generates cryptographic keys using one of the algorithms specified by the government agency.

8.5.12 FCS_CKM.2 – FCS_IKE
The TOE implements an IKE daemon at the application layer and distributes cryptographic keys in the standardized way specified by the IETF.

8.5.13 FCS_CKM.4 – FCS_KEYDEST
The TOE destroys cryptographic keys in a secure way by setting the security-critical parameters to 0.

8.5.14 FDP_ACC.2 – FDP_AdminNetwork
The TOE controls administrator access by packet source or destination through the use of the administrator security policy.
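The behaviour described for FAU_STG.3 and FAU_STG.4 in 8.5.8 and 8.5.9 above (a threshold on the remaining audit space that raises an alarm or halts auditable functions, and a separate response when the store is actually full) can be made concrete with a small watchdog. The following Python block is an added example written for this page; it is not the TOE's own code, and the store capacity, the threshold percentage, the record sizes and the notification callback are assumed values standing in for the administrator-defined settings (cf. FMT_MTD.2) and the e-mail or message-box channel of the product.

```python
"""Audit-storage watchdog modelled on FAU_STG.3 / FAU_STG.4 (added example, not TOE code)."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Callable, List, Tuple


class AuditAction(Enum):
    STORED = "stored"   # record written, nothing else to do
    ALARM = "alarm"     # FAU_STG.3: threshold crossed, administrator notified
    STOP = "stop"       # FAU_STG.3: threshold crossed, auditable functions are to be halted
    FULL = "full"       # FAU_STG.4: no space left, record refused, administrator notified


@dataclass
class AuditStorageMonitor:
    capacity_bytes: int                          # assumed size of the audit store
    threshold_percent: int                       # administrator-set threshold (assumed value)
    stop_on_threshold: bool = False              # administrator's predefined action on crossing
    notify: Callable[[str], None] = print        # stand-in for e-mail / message box
    used_bytes: int = 0
    records: List[bytes] = field(default_factory=list)
    _alarm_raised: bool = field(default=False, repr=False)

    def used_percent(self) -> int:
        return self.used_bytes * 100 // self.capacity_bytes

    def append(self, record: bytes) -> AuditAction:
        """Store one audit record and report which predefined action applies."""
        if self.used_bytes + len(record) > self.capacity_bytes:
            # FAU_STG.4: never overwrite silently; refuse the write and raise the alarm
            self.notify("audit storage full: record refused, administrator action required")
            return AuditAction.FULL
        self.records.append(record)
        self.used_bytes += len(record)
        if self.used_percent() < self.threshold_percent:
            return AuditAction.STORED
        first_crossing = not self._alarm_raised
        if first_crossing:
            # alarm once per crossing so the operator is not flooded with repeats
            self._alarm_raised = True
            self.notify(f"audit storage at {self.used_percent()}% "
                        f"(threshold {self.threshold_percent}%)")
        if self.stop_on_threshold:
            return AuditAction.STOP
        return AuditAction.ALARM if first_crossing else AuditAction.STORED

    def backup_and_clear(self) -> List[bytes]:
        """Hand the records to the backup function (cf. FMT_AuBackup) and free the store."""
        backed_up, self.records = self.records, []
        self.used_bytes = 0
        self._alarm_raised = False   # re-arm the threshold alarm after the backup
        return backed_up


def run_demo() -> Tuple[List[str], int, List[str]]:
    """Constructed scenario: 100-byte store, 80 % threshold, 30-byte records."""
    notices: List[str] = []
    mon = AuditStorageMonitor(capacity_bytes=100, threshold_percent=80,
                              notify=notices.append)
    actions = [mon.append(b"x" * 30).value for _ in range(4)]   # 30, 60, 90 bytes, then full
    backed_up = mon.backup_and_clear()
    actions.append(mon.append(b"x" * 30).value)                 # store is empty and re-armed
    return actions, len(backed_up), notices


if __name__ == "__main__":
    print(run_demo())
```

The design point worth noting is that a full store refuses the record and tells the administrator, rather than wrapping around or dropping it quietly: losing the newest records is exactly what an intruder would hope for, so the caller receives FULL (or STOP, if the administrator chose that action) and can halt the auditable function until the backup has run.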
8.5.15 FDP_ACF.1 – FDP_AdminNetwork
The TOE provides an access control function according to the administrator access control security policy that the administrator predefined based on the security attribute.

8.5.16 FDP_DAU.1 – FDP_VPN
When the TOE establishes encrypted communication with the VPN gateway, the TOE applies the integrity algorithm to all packets carrying data. For the communication channels with the administrator's security management interface, the TOE applies the integrity algorithm.

8.5.17 FDP_IFC.1 Subset Information Flow Control – FDP_VPN
The TOE controls the flow of information transmitted to/from the TOE according to the VPN security policy.

8.5.18 FDP_IFC.2(1) Complete Information Flow Control – FDP_PacketFiltering
The TOE can completely control information flow according to the packet-filtering security policy predefined by the administrator, which controls the information flow of all traffic passing through the TOE.

8.5.19 FDP_IFC.2(2) Complete Information Flow Control – FDP_Proxy
The TOE can completely control information flow according to the proxy security policy predefined by the administrator, which controls the information flow of all traffic passing through the TOE.

8.5.20 FDP_IFC.2(3) Complete Information Flow Control – FPR_SNAT, FPR_DNAT, FPR_Redirect
The TOE can completely control information flow according to the address translation security policy predefined by the administrator, which controls the information flow of all traffic passing through the TOE.

8.5.21 FDP_IFF.1(1) Single-layer Security Attribute – FDP_VPN
The TOE provides a function that can control and apply the VPN security policy to control information flow based on the security attribute.

8.5.22 FDP_IFF.1(2) Single-layer Security Attribute – FDP_PacketFiltering
The TOE provides a function that can control and apply the packet-filtering policy to control information flow based on the security attribute.
8.5.23 FDP_IFF.1(3) Single-layer Security Attribute – FDP_Proxy
The TOE provides a function that can control and apply the proxy security policy to control information flow based on the security attribute.

8.5.24 FDP_IFF.1(4) Single-layer Security Attribute – FPR_SNAT, FPR_DNAT, FPR_Redirect
The TOE provides a function that can control and apply the address translation security policy to control information flow based on the security attribute.

8.5.25 FIA_AFL.1 – FIA_IAFailure
When the administrator authentication failure count crosses the threshold, the TOE informs the administrator by generating an alarm.

8.5.26 FIA_ATD.1 – FMT_Object
When a security policy is executed based on the user object, the TOE allows the administrator to define and apply the security attributes.

8.5.27 FIA_UAU.2 – FIA_PwdAuth, FIA_UPWDSet
After authenticating an administrator who can access the TOE, the TOE applies the security policy.

8.5.28 FIA_UAU.4 – FIA_OTPAuth
The TOE authenticates the administrator using a one-time password.

8.5.29 FIA_UAU.7 – FIA_PwdAuth, FIA_UPWDSet
When authenticating an administrator user, the TOE hides the authentication data being entered by displaying special characters in its place.

8.5.30 FIA_UID.2 – FIA_PwdAuth
Before the administrator or user uses a security function of the TOE, the administrator shall enter the ID so that the TOE can judge the administrator's or user's authority (such as backup or policy change).

8.5.31 FIA_SOS.1 – FIA_PwdAuth, FIA_UPWDSet
The TOE applies a mechanism enforcing the minimum length, collation rule, and change cycle of passwords.

8.5.32 FMT_MOF.1 – FMT_NICManage, FMT_PPPManage, FMT_RoutingManage, FMT_ARP, FMT_DHCP, FMT_HostDNSSet, FMT_TimeSet, FMT_AuditSetup, FMT_AdminSetup, FMT_Firmup, FMT_SysStatus, FMT_SaveConfig, FMT_Wizard
Only the authorized administrator can access the security and management functions after passing the identification and authentication processes. Only the administrator can use TSF functions such as starting or stopping the TOE and changing security policies.
8.5.33 FMT_MSA.1 – FMT_NICManage, FMT_PPPManage, FMT_RoutingManage, FMT_ARP, FMT_DHCP, FMT_HostDNSSet, FMT_TimeSet, FMT_AuditSetup, FMT_AdminSetup, FMT_Firmup, FMT_SysStatus, FMT_SaveConfig
The TOE provides a security management environment where only authorized administrators can manage networks, time, users, IPSec objects, and security levels.

8.5.34 FMT_MSA.2 – FMT_NICManage, FMT_PPPManage, FMT_RoutingManage, FMT_ARP, FMT_DHCP
The TOE validates the setup data used in the TOE and all user security attributes.

8.5.35 FMT_MSA.3 – FMT_Policy
In the default case, the packet-filtering security policy is not used. Instead, the proxy security policy is used.

8.5.36 FMT_MTD.1(1) – FMT_Statistics
The TOE generates various types of statistical data using the stored audit data.

8.5.37 FMT_MTD.1(2) – FMT_AuBackup
The TOE backs up or recovers important files composing the TOE.

8.5.38 FMT_MTD.1(3) – FMT_Policy
The TOE allows the authorized administrator to manage the administrator security policy, the VPN security policy, the packet-filtering security policy, and the proxy security policy.

8.5.39 FMT_MTD.1(4) – FMT_Object
The TOE allows the authorized administrator to manage cryptographic key attributes.

8.5.40 FMT_MTD.1(5) – FMT_Object
The TOE allows the authorized administrator to manage identification and authentication data.

8.5.41 FMT_MTD.1(6) – FMT_TimeSet
The TOE allows the authorized administrator to manage the TOE time.

8.5.42 FMT_MTD.2 – FMT_AuBackup, FMT_LogServerPolicy
The TOE can define the maximum authentication failure count, the time interval, the maximum number of users per proxy, and the storage capacity through the console or web security management interfaces provided by the TOE.

8.5.43 FMT_MTD.3 – FMT_Object, FMT_Policy
The TOE validates the security policy and the objects of the security policy set by the administrator.

8.5.44 FMT_SMR.1 – FMT_AdminSetup
The TOE can give administrator authority to the authorized user and augment authorities.

8.5.45 FMT_SMF.1 – FMT_SysSetup
The TOE allows the administrator to set up the backup procedure and the network environment through the web interfaces it provides.
8.5.46 FPR_UNO.4 – FPR_Status
The TOE assures that the authorized administrator can check the TOE resources and process status in order to manage the TOE.

8.5.47 FPT_AMT.1 – FPT_ABTest
The TOE detects interface-related errors upon start and during operation to maintain communication with the VPN and operation of the VPN gateway.

8.5.48 FPT_RPL.1 – FDP_VPN
When the IKE daemon establishes tunnels with the VPN gateway, and during communication with the VPN gateway, the TOE detects and rejects replay attacks.

8.5.49 FPT_RVM.1 – FDP_PacketFiltering, FDP_VPN
The TOE filters all packets passing through the TOE.

8.5.50 FPT_STM.1 – FMT_TimeSet
The TOE can obtain reliable time information from the NTP server, or allows a trusted administrator to change the TOE time.

8.5.51 FPT_TST.1 – FPT_Integrity
The TOE checks the integrity of the TSF data (configuration and binary files) and shows the result to the administrator.

8.5.52 FPT_TST.2 – FPT_Integrity
When an integrity error is found in the TSF data (configuration and binary files), the TOE informs the administrator and generates audit records.

8.5.53 FPT_SEP.1 – FMT_UserObj, FDP_Proxy
When executing the security function, the TSF divides the area into reliable and unreliable parts.

8.5.54 FTP_ITC.1 – FTP_AdminTrusted
The TOE establishes encrypted communication with a trusted product. To establish encrypted communication, the TOE supports the SSL protocol. The SSL protocol is implemented using the library provided by the OpenSSL encryption toolkit.

8.5.55 FTA_SSL.1 – FTA_SessionLock
When an authorized administrator logs into the security management server and remains idle for more than the specified time, the TOE locks the session.

8.5.56 FTA_SSL.3 – FTA_SessionLock, FTA_SessionKill
If the authorized administrator or a general user remains idle for a certain time set by the administrator, the corresponding communication session is automatically disconnected. The administrator and general users can access the TOE again once a communication session is established again.
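The integrity check of 8.5.51 and the fault response of 8.5.52 (hash the configuration and binary files that make up the TSF, compare with a known-good baseline, and on any mismatch tell the administrator and write an audit record) can be illustrated end to end. The block below is an added example written for this page, not the TOE's own implementation: the file names are constructed, the notifier is a stand-in for the product's e-mail or message box, and the digest defaults to SHA-256 rather than the SHA1 the Security Target names in 8.4, with the algorithm left as a parameter.

```python
"""TSF-data integrity check modelled on FPT_TST.1 / FPT_TST.2 (added example, not TOE code)."""
import hashlib
import hmac
import os
import tempfile
from typing import Callable, Dict, List, Tuple

# The ST names SHA1 as its integrity mechanism (8.4); this example defaults to
# SHA-256, the choice a defender would make today. The algorithm is a parameter.
DEFAULT_ALGO = "sha256"


def file_digest(path: str, algo: str = DEFAULT_ALGO) -> str:
    """Hex digest of a file, read in chunks so large binaries are not loaded whole."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(paths: List[str], algo: str = DEFAULT_ALGO) -> Dict[str, str]:
    """Record the known-good digest of every TSF file (configuration and binaries)."""
    return {p: file_digest(p, algo) for p in paths}


def verify_baseline(baseline: Dict[str, str], algo: str = DEFAULT_ALGO) -> List[Tuple[str, str]]:
    """FPT_TST.1: compare every file with the baseline and report all results.

    Each result is (path, status) with status "ok", "modified" or "missing".
    The check does not stop at the first fault, so the administrator sees the full picture."""
    findings = []
    for path, expected in baseline.items():
        if not os.path.isfile(path):
            findings.append((path, "missing"))
            continue
        same = hmac.compare_digest(file_digest(path, algo), expected)
        findings.append((path, "ok" if same else "modified"))
    return findings


def respond_to_faults(findings: List[Tuple[str, str]],
                      notify: Callable[[str], None],
                      audit_log: List[str]) -> int:
    """FPT_TST.2: for each fault, inform the administrator and write an audit record."""
    faults = [(p, s) for p, s in findings if s != "ok"]
    for path, status in faults:
        record = f"TSF_INTEGRITY_FAULT path={path} status={status}"
        audit_log.append(record)
        notify(record)
    return len(faults)


def run_demo() -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]], List[str]]:
    """Constructed scenario: baseline two TSF files, then tamper with one and delete the other."""
    with tempfile.TemporaryDirectory() as d:
        conf = os.path.join(d, "vforce.conf")        # constructed file names, not the product's
        binary = os.path.join(d, "tsf_module.bin")
        with open(conf, "w") as f:
            f.write("admin_idle_timeout=300\n")
        with open(binary, "wb") as f:
            f.write(bytes(range(64)))
        baseline = build_baseline([conf, binary])
        clean = verify_baseline(baseline)
        with open(conf, "a") as f:
            f.write("admin_idle_timeout=0\n")         # simulated unauthorized configuration edit
        os.remove(binary)                             # simulated missing binary
        tampered = verify_baseline(baseline)
        audit_log: List[str] = []
        respond_to_faults(tampered, notify=lambda msg: None, audit_log=audit_log)
    # report base names so the result does not depend on the temporary directory
    names = lambda fs: [(os.path.basename(p), s) for p, s in fs]
    return names(clean), names(tampered), audit_log


if __name__ == "__main__":
    print(run_demo())
```

Two points matter in practice. The baseline itself is TSF data: if it sits writable next to the binaries, whoever can alter a binary can also refresh its digest, so it must be stored read-only or under a signature the check verifies first. And, as the abstract machine test in 8.5.47 already does for interfaces, the check should run both at start-up and periodically during operation, since a modification made after boot is otherwise only found at the next restart.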
8.6 Compliance with TSF SOF (Strength of Function)
The TOE conforms to the SOF-medium specified in [FW_PP_V1.1] and [VPN_PP_V1.1], to which this Security Target conforms. The general cryptographic operations and the one-time password method provided by the TOE all satisfy the cryptographic grades defined in the protection profiles.

8.7 Compliance with TOE Security Assurance Requirements
The rationale for the assurance requirements of EAL3+ is as follows:

[Table 8-9] Assurance Measures Mapping
Assurance measures (columns): Configuration Management | Delivery Documents | Installation Guide | Function Specification Document | Basic Design | Implementation Verification Specification | Low-level Design Document | Administrator Guidance Document | User Guidance Documentation | Development Security Document | Development Tool Document | Function Test Document | Module Test Document | Vulnerability Analysis Report
Assurance Component ID | Marks (one X per assurance measure; the measure each component relies on is named in its rationale in 8.7.1 to 8.7.20)
ACM_CAP.3 | X
ACM_SCP.1 | X
ADO_DEL.1 | X
ADO_IGS.1 | X
ADV_FSP.1 | X
ADV_HLD.2 | X
ADV_IMP.2 | X
ADV_LLD.1 | X
ADV_RCR.1 | X X X X X
AGD_ADM.1 | X
AGD_USR.1 | X
ALC_DVS.1 | X
ALC_TAT.1 | X
ATE_COV.2 | X
ATE_DPT.2 | X
ATE_FUN.1 | X
ATE_IND.2 | X X
AVA_MSU.1 | X
AVA_SOF.1 | X
AVA_VLA.2 | X

8.7.1 ACM_CAP.3 (Approval Control)
To assure that all changes are approved and to guarantee the proper functionality and use of the configuration management system, configuration management documents are provided.

8.7.2 ACM_SCP.1 (TOE Configuration Management Scope)
Configuration management documents are provided to assure that all changes are approved and controlled in the configuration.

8.7.3 ADO_DEL.1 (Delivery Procedure)
Delivery documents are provided to assure facilities and procedures that can deliver and control the TOE without any change.

8.7.4 ADO_IGS.1 (Installation, Generation, and Start Procedures)
To assure that the TOE is installed, generated, and started in the safe manner that the developer intended, installation guide documents are provided.
8.7.5 ADV_FSP.1 (Informal Functional Specification)
Functional specification documents are provided to describe the user interfaces, the TSF operations, and the TOE security functional requirements.

8.7.6 ADV_HLD.2 (Basic Design Separating Security Functions from Non-security Functions)
The basic design document describes the major elements (sub-systems) of the TSF and the relations between the sub-systems and the functions they provide. The basic design document is provided to assure that the TOE has a proper structure for implementing the TSF requirements.

8.7.7 ADV_IMP.2 (The Subset of the Implementation Representation)
Implementation verification specification documents are provided to help operators understand and analyze the operation of the TSF in detail.

8.7.8 ADV_LLD.1 (Declarative Low-level Design)
Low-level design documents are provided to describe the internal operation of the TSF and the interactions and dependencies between modules, and to ensure that the low-level design of the TSF sub-systems is accurate and effective.

8.7.9 ADV_RCR.1 (Informal Correspondence Verification)
To ensure correspondence among the various representations of the TSF (TOE summary specification, functional specification, basic design, low-level design, and implementation representation), a correspondence analysis is included in the functional specification, the basic design, the low-level design, and the implementation representation.

8.7.10 AGD_ADM.1 (Administrator Guidance Documentation)
The administrator guidance documents are provided for operations personnel so that they can configure, maintain, and manage the TOE in a secure manner.

8.7.11 AGD_USR.1 (User Guidance Documentation)
The user guidance documents are provided for TOE users and others besides the administrator who use the external interfaces.

8.7.12 ALC_DVS.1 (Security Countermeasure Identification)
The development security documents are provided to protect the TOE by means of physical, procedural, personnel, and other security measures in the development environment.
8.7.13 ALC_TAT.1 (Well-defined Development Tools)
Development tool documents are provided to ensure that the TOE is correctly defined and that correct and accurate development tools are used for its development.

8.7.14 ATE_COV.2 (Test Coverage Analysis)
Function test documents are provided to assure that the TSF is systematically tested according to the functional specification.

8.7.15 ATE_DPT.2 (Low-level Design Test)
Module test documents are provided to ensure that the TSF sub-systems and TSF modules are correctly implemented at the sub-system and module levels.

8.7.16 ATE_FUN.1 (Functional Test)
Functional test documents are provided to ensure that all security functions are executed as specified.

8.7.17 ATE_IND.2 (Independent Test)
Functional test documents are provided to ensure that the security functions are executed as specified.

8.7.18 AVA_MSU.1 (Guidance Documentation Examination)
A fault analysis is included in the administrator guidance and user guidance documents to describe all functions covered by the guidance documents, and to ensure that the guidance documents are internally consistent and that secure procedures for operation are included.

8.7.19 AVA_SOF.1 (Evaluation of TSF Strength)
A vulnerability analysis report is provided to describe the quantitative or statistical results for the security behaviour of the underlying security mechanisms and to determine the strength of that security behaviour from those results.

8.7.20 AVA_VLA.2 (Independent Vulnerability Analysis)
The TOE identifies security vulnerabilities and provides a vulnerability analysis report to ensure that these vulnerabilities cannot be intentionally misused.

8.8 Rationale for Satisfaction of Dependencies

8.8.1 Dependency of Security Functional Requirements
The security functional requirements and the assurance requirements used in the preparation of the TOE and this Security Target have the following dependency relationships. There is no independent component.

[Table 8-10] SFR Satisfaction with Dependency
Component | Dependency | Inclusion Status
FAU_ARP.1 | FAU_SAA.1 | Included.
FAU_GEN.1 | FPT_STM.1 | Included.
FAU_SAA.1 | FAU_GEN.1 | Included.
FAU_SEL.1 | FAU_GEN.1, FMT_MTD.1 | Included.
FAU_SAR.1 | FAU_GEN.1 | Included.
FAU_SAR.3 | FAU_SAR.1 | None.
FAU_STG.1 | FAU_GEN.1 | Included.
FAU_STG.3 | FAU_STG.1 | Included.
FAU_STG.4 | FAU_STG.1 | Included.
FCS_COP.1 | [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4, FMT_MSA.2 | Included.
FCS_CKM.1 | [FCS_CKM.2 or FCS_COP.1], FCS_CKM.4, FMT_MSA.2 | Included.
FCS_CKM.2 | [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FCS_CKM.4, FMT_MSA.2 | Included.
FCS_CKM.4 | [FDP_ITC.1 or FDP_ITC.2 or FCS_CKM.1], FMT_MSA.2 | Included.
FDP_ACC.2(1) | FDP_ACF.1 | Included.
FDP_ACC.2(2) | FDP_ACF.1 | Included.
FDP_ACC.2(3) | FDP_ACF.1 | Included.
FDP_ACF.1(1) | FDP_ACC.1, FMT_MSA.3 | FDP_ACC.2 selected.
FDP_ACF.1(2) | FDP_ACC.1, FMT_MSA.3 | FDP_ACC.2 selected.
FDP_ACF.1(3) | FDP_ACC.1, FMT_MSA.3 | FDP_ACC.2 selected.
FDP_DAU.1 | None. | None.
FDP_IFC.1 | FDP_IFF.1 | Included.
FDP_IFC.2(1) | FDP_IFF.1 | Included.
FDP_IFC.2(2) | FDP_IFF.1 | Included.
FDP_IFC.2(3) | FDP_IFF.1 | Included.
FDP_IFC.2(4) | FDP_IFF.1 | Included.
FDP_IFC.2(5) | FDP_IFF.1 | Included.
FDP_IFF.1(1) | FDP_IFC.1, FMT_MSA.3 | Included.
FDP_IFF.1(2) | FDP_IFC.1, FMT_MSA.3 | Included.
FDP_IFF.1(3) | FDP_IFC.1, FMT_MSA.3 | Included.
FDP_IFF.1(4) | FDP_IFC.1, FMT_MSA.3 | Included.
FDP_IFF.1(5) | FDP_IFC.1, FMT_MSA.3 | Included.
FIA_AFL.1(1) | FIA_UAU.1 | FIA_UAU.2*
FIA_AFL.1(2) | FIA_UAU.1 | FIA_UAU.2*
FIA_ATD.1 | None. | None.
FIA_SOS.1 | None. | None.
FIA_UAU.2 | FIA_UID.1 | FIA_UID.2**
FIA_UAU.4 | None. | None.
FIA_UAU.7 | FIA_UAU.1 | FIA_UAU.2*
FIA_UID.2 | None. | None.
FMT_MOF.1 | FMT_SMR.1, FMT_SMF.1 | Included.
FMT_MSA.1 | [FDP_ACC.1 or FDP_IFC.1], FMT_SMR.1, FMT_SMF.1 | Included.
FMT_MSA.2 | ADV_SPM.1, [FDP_ACC.1 or FDP_IFC.1], FMT_MSA.1, FMT_SMR.1 | Included.
FMT_MSA.3 | FMT_MSA.1, FMT_SMR.1 | Included.
FMT_MTD.1(1) | FMT_SMR.1, FMT_SMF.1 | Included.
FMT_MTD.1(2) | FMT_SMR.1, FMT_SMF.1 | Included.
FMT_MTD.1(3) | FMT_SMR.1, FMT_SMF.1 | Included.
FMT_MTD.1(4) | FMT_SMR.1, FMT_SMF.1 | Included.
FMT_MTD.1(5) | FMT_SMR.1, FMT_SMF.1 | Included.
FMT_MTD.1(6) | FMT_SMR.1, FMT_SMF.1 | Included.
FMT_MTD.2 | FMT_MTD.1, FMT_SMR.1 | Included.
FMT_MTD.3 | ADV_SPM.1, FMT_MTD.1 | Included.
FMT_SMR.1 | FIA_UID.1 | FIA_UID.2**
FPT_AMT.1 | None. | None.
FPT_RPL.1 | None. | None.
FPT_RVM.1 | None. | None.
FPT_SEP.1 | None. | None.
FPT_STM.1 | None. | None.
FPT_TST.1 | FPT_AMT.1 | Included.
FPT_TST.2 | FPT_TST.1 | Included.
FTA_SSL.1 | FIA_UAU.1 | FIA_UAU.2*
FTA_SSL.3 | None. | None.
FTP_ITC.1 | None. | None.

* FIA_UAU.2, which is hierarchical to FIA_UAU.1, is selected in place of FIA_UAU.1 to satisfy the dependency requirement.
** FIA_UID.2, which is hierarchical to FIA_UID.1, is selected in place of FIA_UID.1 to satisfy the dependency requirement.

8.8.2 Dependency of SFR Requirements in Hierarchical Relationship
All functional components specified in this Security Target, except FMT_MSA.2 and FMT_MTD.3, meet the dependency requirement. The EAL3+ assurance requirements, according to the government agency profiles to which this Security Target conforms, are considered acceptable for a TOE for government agencies; ADV_SPM.1 (informal TSP model) has not been selected. FIA_AFL.1, FIA_UAU.7, and FTA_SSL.1 depend on FIA_UAU.1; FIA_UAU.2, which is hierarchical to FIA_UAU.1, satisfies this dependency. FIA_UAU.2 and FMT_SMR.1 depend on FIA_UID.1; FIA_UID.2, which is hierarchical to FIA_UID.1, satisfies this dependency.
Each assurance package specified in the Common Criteria for the Information Protection System satisfies the dependency requirement, so the rationale for the packages is not included in this document. [Table 8-11] shows the dependency satisfaction status of the augmented assurance requirements; this Security Target conforms to the dependency requirements of all assurance requirements.

[Table 8-11] Satisfaction with Dependency of Assurance Requirements Augmented to EAL3
Component | Dependency | Inclusion Status
ADV_IMP.2 | ADV_LLD.1, ADV_RCR.1, ALC_TAT.1 | Included.
ADV_LLD.1 | ADV_HLD.2, ADV_RCR.1 | Included.
ALC_TAT.1 | ADV_IMP.1 | Included.
ATE_DPT.2 | ADV_HLD.2, ADV_LLD.1, ATE_FUN.1 | Included.
AVA_VLA.2 | ADV_FSP.1, ADV_HLD.2, ADV_IMP.1, ADV_LLD.1, AGD_ADM.1, AGD_USR.1 | Included.

Bibliography
- Announcement 2005-25 by the Ministry of Information and Communication, Common Criteria for the Information Protection System
- VPN Protection Profile for Government Agency V1.1 [VPN_PP_V1.1]
- Firewall Protection Profile for Government Agency V1.1 [FW_PP_V1.1]
- Common Criteria (CC) V2.2 Final Interpretation, October 2005
- Common Evaluation Methodology for Information Technology Security