National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Juniper Networks M-Series Multiservice Edge Routers, MX-Series 3D Universal Edge Routers, T- Series Core Routers and EX-Series Ethernet Switches running Junos 12.1R3.5 Report Number: CCEVS-VR-VID10517-2014 Dated: 7 March 2014 Version: 1.0 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6940 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6940 ® TM Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 ii ACKNOWLEDGEMENTS Validation Team Ken Stutterheim Mike Allen The Aerospace Corporation Common Criteria Testing Laboratory Leidos (formerly SAIC, Inc.) Columbia, MD Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 iii Table of Contents 1 Executive Summary....................................................................................................1 1.1 Interpretations .......................................................................................................2 1.2 Threats...................................................................................................................2 1.3 Organizational Security Policies...........................................................................2 2 Identification...............................................................................................................3 3 Security Policy............................................................................................................4 3.1 Security Audit.......................................................................................................4 3.2 Cryptographic Support..........................................................................................4 3.3 User Data Protection.............................................................................................4 3.4 Identification & Authentication............................................................................4 3.5 Security Management ...........................................................................................4 3.6 Protection of the TOE’s Security Functions .........................................................4 3.7 TOE Access ..........................................................................................................4 3.8 Trusted Path/Channels ..........................................................................................5 4 Assumptions................................................................................................................6 4.1 Clarification of Scope ...........................................................................................6 5 Architectural Information ...........................................................................................7 6 Documentation............................................................................................................8 7 Product Testing...........................................................................................................9 7.1 Developer Testing.................................................................................................9 7.2 Evaluation Team Independent Testing .................................................................9 7.3 Penetration Testing .............................................................................................11 8 Evaluated Configuration...........................................................................................12 9 Results of the Evaluation ..........................................................................................13 10 Validator Comments/Recommendations ..................................................................14 11 Annexes.....................................................................................................................15 12 Security Target..........................................................................................................16 13 Bibliography .............................................................................................................17 1 Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 List of Tables Table 1 – Evaluation Details.................................................................................................. 3 Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 1 1 Executive Summary This report is intended to assist the end-user of this product and any security certification Agent for that end-user in determining the suitability of this Information Technology (IT) product in their environment. End-users should review the Security Target (ST), which is where specific security claims are made, in conjunction with this Validation Report (VR), which describes how those security claims were tested and evaluated and any restrictions on the evaluated configuration. Prospective users should carefully read the Assumptions and Clarification of Scope in Section 4 and the Validator Comments in Section 10 where any restrictions on the evaluated configuration are highlighted. This report documents the National Information Assurance Partnership (NIAP) assessment of the evaluation of the Juniper Networks M-Series Multiservice Edge Routers, MX-Series 3D Universal Edge Routers, T-Series Core Routers and EX-Series Ethernet Switches running Junos 12.1R3.5. It presents the evaluation results, their justifications, and the conformance results. This Validation Report is not an endorsement of the Target of Evaluation (TOE) by any agency of the U.S. Government and no warranty of the TOE is either expressed or implied. This Validation Report applies only to the specific version and configuration of the product as evaluated and documented in the Security Target. The evaluation of the Juniper Networks M-Series Multiservice Edge Routers, MX-Series 3D Universal Edge Routers, T-Series Core Routers and EX-Series Ethernet Switches running Junos 12.1R3.5 was performed by Leidos (formerly Science Applications International Corporation (SAIC)) Common Criteria Testing Laboratory (CCTL) in Columbia, Maryland, United States of America and was completed in March 2014. The evaluation was conducted in accordance with the requirements of the Common Criteria and Common Methodology for IT Security Evaluation (CEM), version 3.1 and assurance activities specified in Protection Profile for Network Devices, Version 1.1, 8 June 2012. The evaluation was consistent with National Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation Scheme (CCEVS) policies and practices as described on their web site (www.niap-ccevs.org). The Leidos evaluation team determined that the product is conformant to Protection Profile for Network Devices, Version 1.1, 8 June 2012. The information in this Validation Report is largely derived from the Assurance Activities Report (AAR) and associated test reports produced by the Leidos evaluation team. This Validation Report is not an endorsement of the Target of Evaluation by any agency of the U.S. government, and no warranty is either expressed or implied. The Juniper network devices within the scope of the evaluation comprise the following series and models, all running Junos 12.1R3.5: • M-Series Multiservice Edge Routers: M7i; M10i; M120; M320 • MX-Series 3D Universal Edge Routers: MX5; MX10; MX40; MX80; MX240; MX480; MX960 • T-Series Core Routers: T320; T640; T1600 • EX-Series Ethernet Switches: EX3300; EX4200; EX4500; EX6200; EX8200. The Juniper network devices, in the context of the evaluation, are network devices that provide a secure base (comprising auditing, cryptographic support for network communications and update integrity, user identification and authentication, and secure management) for operational functions related to switching and routing IP network traffic. The products, when configured as specified in the guidance documentation, satisfy all of the security functional requirements stated in Security Target: Juniper Networks M-Series Multiservice Edge Routers, MX-Series 3D Universal Edge Routers, T-Series Core Routers and EX-Series Ethernet Switches running Junos 12.1R3.5. Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 2 1.1 Interpretations Not applicable. 1.2 Threats The ST identifies the following threats that the TOE and its operational environment are intended to counter: • An administrator may unintentionally install or configure the TOE incorrectly, resulting in ineffective security mechanisms. • Security mechanisms of the TOE may fail, leading to a compromise of the TSF. • A user may gain unauthorized access to the TOE data and TOE executable code. A malicious user, process, or external IT entity may masquerade as an authorized entity in order to gain unauthorized access to data or TOE resources. A malicious user, process, or external IT entity may misrepresent itself as the TOE to obtain identification and authentication data. • A malicious party attempts to supply the end user with an update to the product that may compromise the security features of the TOE. • Malicious remote users or external IT entities may take actions that adversely affect the security of the TOE. These actions may remain undetected and thus their effects cannot be effectively mitigated. • User data may be inadvertently sent to a destination not intended by the original sender. 1.3 Organizational Security Policies The ST identifies the following organizational security policy that the TOE and its operational environment are intended to fulfill: • The TOE shall display an initial banner describing restrictions of use, legal agreements, or any other appropriate information to which users consent by accessing the TOE. Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 3 2 Identification The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards and Technology (NIST) effort to establish commercial facilities to perform trusted product evaluations. Under this program, commercial testing laboratories called Common Criteria Testing Laboratories (CCTLs) using the Common Evaluation Methodology (CEM) for Evaluation Assurance in accordance with National Voluntary Laboratory Assessment Program (NVLAP) accreditation conduct security evaluations. The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality and consistency across evaluations. Developers of information technology (IT) products, desiring a security evaluation, contract with a CCTL and pay a fee for their product’s evaluation. Upon successful completion of the evaluation, the product is added to NIAP’s Validated Products List. Table 1 provides information needed to completely identify the product, including: • The Target of Evaluation (TOE): the fully qualified identifier of the product as evaluated; • The Security Target (ST), describing the security features, claims, and assurances of the product; • The conformance result of the evaluation; • The Protection Profile to which the product is conformant (if any); and • The organizations and individuals participating in the evaluation. Table 1 – Evaluation Details Evaluated Product: Juniper Networks M-Series Multiservice Edge Routers, MX- Series 3D Universal Edge Routers, T-Series Core Routers and EX- Series Ethernet Switches running Junos 12.1R3.5 Sponsor: Juniper Networks, 1194 North Mathilda Ave., Sunnyvale, CA 94089-1206 Developer: Juniper Networks, 1194 North Mathilda Ave., Sunnyvale, CA 94089-1206 CCTL: Leidos (formerly Science Applications International Corporation) 6841 Benjamin Franklin Drive, Columbia, MD 21046 Kickoff Date: 18 December 2012 Completion Date: 3 February 2014 Interpretations: None CEM: Common Methodology for Information Technology Security Evaluation: Evaluation Methodology, Version 3.1, Revision 3, July 2009. Evaluation Class: None PP: Security Requirements for Network Devices, Version 1.1, 8 June 2012 Evaluation Personnel: Leidos (formerly Science Applications International Corporation): Anthony J. Apted, Chris Keenan Validation Body: National Information Assurance Partnership CCEVS Ken Stutterheim, Mike Allen Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 4 3 Security Policy The TOE enforces the following security policies as described in the ST. Note: Much of the description of the security policy has been derived from Security Target: Juniper Networks M-Series Multiservice Edge Routers, MX-Series 3D Universal Edge Routers, T-Series Core Routers and EX-Series Ethernet Switches running Junos 12.1R3.5 and the Final ETR. 3.1 Security Audit The TOE is designed to be able to generate logs for a wide range of security relevant events. The TOE can be configured to store the logs locally so they can be accessed by an authorized TOE User and also to send the logs to a designated log server using SSHv2 to protect the logs on the network. 3.2 Cryptographic Support The TOE includes a cryptographic module that provides key management, random bit generation, encryption/decryption, digital signature and secure hashing and key-hashing features in support of higher level cryptographic protocols—SSHv2 in the evaluated configuration. 3.3 User Data Protection The TOE performs a wide variety of network routing functions, passing network traffic among its various network connections. While implementing applicable network protocols associated with network traffic routing, the TOE is carefully designed to ensure that it doesn’t inadvertently reuse data found in network traffic. When a memory buffer is allocated to build a network packet, any previous data in the buffer is overwritten by new data being received by the TOE to build the next packet. The TOE keeps track of the length of the packet and when the end of the packet being built is reached, pads out the remainder of the allocated memory resource with zeroes as necessary. 3.4 Identification & Authentication The TOE requires users to be identified and authenticated before they can use functions mediated by the TOE, with the exception of passing network traffic in accordance with its configured switching/routing rules. 3.5 Security Management The TOE provides Command Line Interface (CLI) commands to access the wide range of security management functions to manage its security policies. All administrative activity and functions including security management commands are limited to authorized users (i.e., administrators), who can access the CLI only after they have provided acceptable user identification and authentication data to the TOE. 3.6 Protection of the TOE’s Security Functions The TOE protects particularly sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for log accountability). The TOE includes functions to perform self-tests so that it might detect when it is failing. It also includes mechanisms (i.e., verification of the digital signature of each new image) so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or other unexpected changes in the TOE. 3.7 TOE Access The TOE can be configured to display an informative banner when an administrator establishes an interactive session and subsequently will enforce an administrator-defined inactivity timeout value after which the inactive session (local or remote) will be terminated. Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 5 3.8 Trusted Path/Channels The TOE protects interactive communication with administrators using SSHv2 for CLI access, for which both integrity and disclosure protection is ensured. If the negotiation of an encrypted session fails or if the user does not have authorization for remote administration, an attempted connection will not be established. The TOE additionally protects communication with an external audit server, using TLS connections to prevent unintended disclosure or modification of logs. Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 6 4 Assumptions The ST identifies the following assumptions about the use of the product: • It is assumed that there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE. • Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment. • TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. 4.1 Clarification of Scope All evaluations (and all products) have limitations, as well as potential misconceptions that need clarifying. This text covers some of the more important limitations and clarifications of this evaluation. Note that: 1. As with any evaluation, this evaluation only shows that the evaluated configuration meets the security claims made, with a certain level of assurance (the assurance activities specified in Protection Profile for Network Devices and performed by the evaluation team). 2. This evaluation covers only the specific device models and software version identified in this document, and not any earlier or later versions released or in process. 3. The evaluation of security functionality of the product was limited to the functionality specified in the Protection Profile for Network Devices, Version 1.1, 8 June 2012. Any additional security related functional capabilities of the product were not covered by this evaluation. 4. This evaluation did not specifically search for, nor attempt to exploit, vulnerabilities that were not “obvious” or vulnerabilities to objectives not claimed in the ST. The CEM defines an “obvious” vulnerability as one that is easily exploited with a minimum of understanding of the TOE, technical sophistication and resources. Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 7 5 Architectural Information This section provides a high level description of the TOE and its components as described in the Security Target and guidance documentation. Each TOE appliance is a network device that protects itself largely by offering only a minimal logical interface to the network and attached nodes. All router platforms are powered by the same JUNOS software, which is a special purpose OS that provides no general purpose programming capability. JUNOS provides both management and control functions as well as all IP routing. Each Juniper Networks M-series, T-series and MX-series routing platform is a complete routing system that supports a variety of high-speed interfaces (only Ethernet is within scope of the evaluation) for medium/large networks and network applications. Juniper Networks routers share common JUNOS software, features, and technology for compatibility across platforms. The hardware has two components: the router itself and the PICs/DPC that have been installed in the router. The various PICs/DPC that have been installed in the router allow it to communicate with the different types of networks that may be required within the environment where the router will be used. The router architecture of each platform cleanly separates routing and control functions from packet forwarding operations, thereby eliminating bottlenecks and permitting the router to maintain a high level of performance. Each router consists of two major architectural components: • The Routing Engine (RE), which provides Layer 3 routing services and network management and control; • The Packet Forwarding Engine (PFE), which provides all operations necessary for transit packet forwarding. The Routing Engine and Packet Forwarding Engine perform their primary tasks independently, while constantly communicating through a high-speed internal link. This arrangement provides streamlined forwarding and routing control and the capability to run Internet-scale networks at high speeds. The EX-series platforms provide high-performance, carrier-class networking solutions, supporting a variety of high-speed Ethernet interfaces for medium/large networks. The EX-series platforms share common JUNOS software with the routers, such that control plane features are implemented consistently with those of the routers. The EX-series platforms are designed as hardware devices, featuring complete Layer 2 and Layer 3 switching capabilities. The EX-series platforms are powered by the same JUNOS modular architecture as the routers. The hardware abstraction layer allows control-plane features to be written once and implemented seamlessly on the underlying hardware. This modular approach also enhances fault- tolerance, as each JUNOS software protocol daemon runs in its own protected memory space and can be gracefully restarted independently without impacting the rest of the system. Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 8 6 Documentation 6.1 Product Guidance The guidance documentation examined during the course of the evaluation and delivered with the TOE is as follows: • Junos OS: Secure Configuration Guide for Common Criteria Network Device Protection Profile for Devices Running Junos OS 12.1, Release 12.1, Published 2014-01-09 • Junos OS: System Basics Configuration Guide, Release 12.1, Published 8 May 2012 • Juniper Networks Junos OS System Log Messages Reference, Release 12.1, Published 1 Mar 2012. The above documents are considered to be part of the evaluated TOE. Any additional customer documentation delivered with the TOE or made available through electronic downloads should not be relied upon for using the TOE in its evaluated configuration. Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 9 7 Product Testing This section describes the testing efforts of the Evaluation Team. It is derived from information contained in the following: • Evaluation Team Test Report for Juniper Networks Secure Network Devices Running Junos 12.1R3.5 – EX3300 • Evaluation Team Test Report for Juniper Networks Secure Network Devices Running Junos 12.1R3.5 – EX4200 • Evaluation Team Test Report for Juniper Networks Secure Network Devices Running Junos 12.1R3.5 – EX4500 • Evaluation Team Test Report for Juniper Networks Secure Network Devices Running Junos 12.1R3.5 – EX6200 • Evaluation Team Test Report for Juniper Networks Secure Network Devices Running Junos 12.1R3.5 – EX8200 • Evaluation Team Test Report for Juniper Networks Secure Network Devices Running Junos 12.1R3.5 – MX80 • Evaluation Team Test Report for Juniper Networks Secure Network Devices Running Junos 12.1R3.5 – MX240 • Evaluation Team Test Report for Juniper Networks Secure Network Devices Running Junos 12.1R3.5 – T320. 7.1 Developer Testing The assurance activities in the Protection Profile for Network Devices do not specify any requirement for developer testing of the TOE. 7.2 Evaluation Team Independent Testing The evaluation team devised a Test Plan based on the Testing Assurance Activities specified in the Protection Profile for Network Devices. The Test Plan described how each test activity was to be instantiated within the TOE test environment. The evaluation team executed the tests specified in the Test Plan and documented the results in the team test reports listed above. All tests were executed on the following sample of platforms claimed in the ST: • EX3300 • EX4200 • EX4500 • EX6200 • EX8200 • M320—the other M-series platforms included in the TOE (M7i, M10i, M120) are functionally equivalent to the M320. The same firmware image is executed on all platforms and the only differences are in the number of external network connections and network capacity • MX80—the MX5, MX10, and MX40 platforms included in the TOE are functionally equivalent to the MX80. The same firmware image is executed on all platforms and the only differences are in the number of external network connections and network capacity Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 10 • MX240—the MX480 and MX960 platforms included in the TOE are functionally equivalent to the MX240. The same firmware image is executed on all platforms and the only differences are in the number of external network connections and network capacity • T320—the T640 and T1600 platforms included in the TOE are functionally equivalent to the MX240. The same firmware image is executed on all platforms and the only differences are in the number of external network connections and network capacity. Testing was conducted the week of the week of October 1, 2012 at the vendor’s facility in Sunnyvale, CA. With the exception of the testing of SSH for AES-CBC-256, the testing in October demonstrated the TOE satisfies the security functional requirements specified in the Protection Profile for Network Devices. In reviewing the logs from the referenced SSH testing in October, it was determined that an incorrect test setup for SSH with AES-CBC-256 had been performed. Supplemental testing was performed on March 5, 2014 to complete confirmation that the TOE performed as specified. The testing performed by the evaluation team is summarized as follows: • The evaluation team confirmed the TOE’s ability to generate the audit events specified in the ST • The evaluation team confirmed the TOE’s ability to establish a trusted channel with an external audit server and transfer audit records to the audit server via the trusted channel • The evaluation team confirmed the TOE supports RSA for public key authentication and password-based authentication over SSH • The evaluation confirmed the TOE drops an SSH connection if it receives a packet over 256K bytes in length • The evaluation team confirmed the TOE supports SSH connections using AES-CBC-128 and AES-CBC-256 • The evaluation team confirmed the TOE does not support DH Group 1 and that it does support DH Group 14 • The evaluation team confirmed the TOE supports the specified password composition requirements, including the specified minimum length • The evaluation team confirmed the TOE provides only obscured feedback when authentication information is entered at the local console • The evaluation team confirmed, for all supported methods of administrator access, the TOE allows access to the CLI when the correct authentication credentials are provided, and denies access when incorrect credentials are provided, and that the services available without authentication are as specified in the ST • The evaluation team confirmed the time could be set by the administrator • The evaluation team confirmed a legitimate update could be installed successfully on the TOE and that an illegitimate update was rejected • The evaluation team confirmed the TOE terminated a remote interactive session after the configured period of inactivity had elapsed. The evaluation team used values of 2, 5, and 8 minutes • The evaluation team confirmed the user was able to terminate both an interactive local session at the TOE console and a remote interactive session over the SSH-provided trusted path • The evaluation team confirmed the TOE displayed a configured notice and consent warning message for each method of access supported by the TOE, i.e., local interactive console, remote Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 11 interactive SSH using password authentication, and remote interactive SSH using public-key authentication • The evaluation team confirmed the TOE was able to establish a trusted channel with an external syslog server using SSHv2. Testing additionally demonstrated the trusted channel was established with the appropriate cryptographic protocol and algorithms to ensure channel data was not sent in plaintext and modification of channel data would be detected by the TOE. A test was also performed to physically interrupt the connection between the TOE and the external syslog server and to verify that communications remained protected when connectivity was restored • The evaluation team confirmed the only method of remote administration for the TOE is via SSH—the evaluation team did not identify any interface that could be used to establish a remote administrative session without invoking the trusted path. Testing additionally demonstrated the trusted path was established with the appropriate cryptographic protocol and algorithms to ensure channel data was not sent in plaintext and modification of channel data would be detected by the TOE. 7.3 Penetration Testing The evaluation team conducted an open source search for vulnerabilities in the product. The open source search did not identify any vulnerabilities applicable to the TOE in its evaluated configuration. Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 12 8 Evaluated Configuration The evaluated version of the TOE is Juniper Networks M-Series Multiservice Edge Routers, MX-Series 3D Universal Edge Routers, T-Series Core Routers and EX-Series Ethernet Switches running Junos 12.1R3.5, including the following series and models: • M-Series Multiservice Edge Routers: M7i; M10i; M120; M320 • MX-Series 3D Universal Edge Routers: MX5; MX10; MX40; MX80; MX240; MX480; MX960 • T-Series Core Routers: T320; T640; T1600 • EX-Series Ethernet Switches: EX3300; EX4200; EX4500; EX6200; EX8200. Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 13 9 Results of the Evaluation The evaluation was conducted based upon the assurance activities specified in Protection Profile for Network Devices, Version 1.1, 8 June 2012 (NDPP), in conjunction with version 3.1, revision 3 of the CC and the CEM. A verdict for an assurance component is determined by the resulting verdicts assigned to the corresponding evaluator action elements. The evaluation team assigned a Pass, Fail, or Inconclusive verdict to each work unit of each assurance component. For Fail or Inconclusive work unit verdicts, the evaluation team advised the developer of issues requiring resolution or clarification within the evaluation evidence. In this way, the evaluation team assigned an overall Pass verdict to the assurance component only when all of the work units for that component had been assigned a Pass verdict. The validation team’s assessment of the evidence provided by the evaluation team is that it demonstrates that the evaluation team performed the assurance activities in the NDPP, and correctly verified that the product meets the claims in the ST. The details of the evaluation are recorded in the Evaluation Technical Report (ETR), which is controlled by the Leidos CCTL. The security assurance requirements are listed in the following table. TOE Security Assurance Requirements Assurance Component ID Assurance Component Name ADV_FSP.1 Basic functional specification AGD_OPE.1 Operational user guidance AGD_PRE.1 Preparative procedures ALC_CMC.1 Labeling of the TOE ALC_CMS.1 TOE CM coverage ATE_IND.1 Independent testing - conformance AVA_VAN.1 Vulnerability survey Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 14 10 Validator Comments/Recommendations The validation team suggests that the consumer pay particular attention to the installation guidance to ensure the devices are placed into the evaluated configuration. In order to remain CC compliant, the device(s) must first be configured for FIPS mode, then into Common Criteria Mode. Some devices may require the installation of a Junos FIPS image prior to the configuration of the Common Criteria mode. An account for the user ‘root’ is always present in the configuration; for the evaluated configuration the use of this root account is restricted to the initial configuration of the device. Otherwise the ‘root’ account is outside of the scope of the evaluated configuration. As was noted in in the Clarification of Scope section of this report, the devices provide more functionality than was covered by the evaluation. Only the functionality implemented by the SFR’s in the Security Target was evaluated. All other functionality provided by the devices needs to be assessed separately and no further conclusions should be drawn as to their effectiveness, nor can any claims be made relative to their security based upon this evaluation. The validation team’s assessment of the evidence provided by the evaluation team is that it demonstrates that the evaluation team performed the assurance activities prescribed in the NDPP and that the evaluation team correctly verified that the product meets the claims of the associated security target. Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 15 11 Annexes Not applicable. Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 16 12 Security Target The ST for this product’s evaluation is Security Target: Juniper Networks M-Series Multiservice Edge Routers, MX-Series 3D Universal Edge Routers, T-Series Core Routers and EX-Series Ethernet Switches running Junos 12.1R3.5, version 1.6, 7 January 2014. Juniper Networks Network Devices Running Junos 12.1R3.5 January 2014 17 13 Bibliography 1. Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and general model, Version 3.1, Revision 3, July 2009, CCMB-2009-07-001. 2. Common Criteria for Information Technology Security Evaluation – Part 2: Security functional requirements, Version 3.1, Revision 3, July 2009, CCMB-2009-07-002. 3. Common Criteria for Information Technology Security Evaluation – Part 3: Security assurance requirements, Version 3.1, Revision 3, July 2009, CCMB-2009-07-003. 4. Common Methodology for Information Technology Security: Evaluation Methodology, Version 3.1, Revision 3, July 2009, CCMB-2009-07-004. 5. Protection Profile for Network Devices, Version 1.1, 8 June 2012. 6. Security Target: Juniper Networks M-Series Multiservice Edge Routers, MX-Series 3D Universal Edge Routers, T-Series Core Routers and EX-Series Ethernet Switches running Junos 12.1R3.5, version 1.6, 7 January 2014.