122-B
UK IT SECURITY EVALUATION AND
CERTIFICATION SCHEME
COMMON CRITERIA CERTIFICATION REPORT No. P193
Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
Issue 1.0
September 2003
© Crown Copyright 2003
Reproduction is authorised provided the report
is copied in its entirety
UK IT Security Evaluation and Certification Scheme
Certification Body, PO Box 144
Cheltenham, Glos GL52 5UF
United Kingdom
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
Page ii Issue 1.0 September 2003
ARRANGEMENT ON THE
RECOGNITION OF COMMON CRITERIA CERTIFICATES
IN THE FIELD OF INFORMATION TECHNOLOGY SECURITY
The Certification Body of the UK IT Security Evaluation and Certification Scheme is a
member of the above Arrangement and as such this confirms that the Common Criteria
certificate has been issued by or under the authority of a Party to this Arrangement and is
the Party’s claim that the certificate has been issued in accordance with the terms of this
Arrangement.
The judgements contained in the certificate and Certification Report are those of the
Qualified Certification Body which issued it and of the Evaluation Facility which carried
out the evaluation. There is no implication of acceptance by other Members of the
Agreement Group of liability in respect of those judgements or for loss sustained as a
result of reliance placed upon those judgements by a third party.
Trademarks:
All product or company names are used for identification purposes only and may be trademarks of their respective
owners.
Check Point VPN-1/FireWall-1 Next Generation (NG) EAL4
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
September 2003 Issue 1.0 Page iii
CERTIFICATION STATEMENT
Check Point Software Technologies Limited’s VPN-1/FireWall-1 Next Generation (NG) is a
software-based firewall application which provides controlled access between physically
connected networks by permitting or denying the flow of packets. It also provides IP address
translation, IP address hiding and the logging of all attempts to communicate between physically
connected networks. In addition, it can operate as a virtual private network which is used to
establish a secure communications channel over an unsecured network using 2 installations of
the VPN-1/FireWall-1 firewall. The VPN facility is also used to establish a secure
communications channel between a VPN-1/FireWall-1 and a VPN-1 SecureClient allowing
remote access and secure connectivity for remote and mobile users.
Check Point VPN-1/FireWall-1 Next Generation (NG) with Feature Pack 2 (FP2) has been
evaluated under the terms of the UK IT Security Evaluation and Certification Scheme and has
met the Common Criteria Part 3 conformant requirements of Evaluation Assurance Level EAL4
for the specified Common Criteria Part 2 extended functionality when running on the platforms
specified in Annex A and in a ‘trusted configuration’ as defined in the Security Target and
summarised in paragraph 11 of this report.
Originator CESG
Certifier
Approval and
Authorisation
CESG
Technical Manager
of the Certification Body
UK IT Security Evaluation
Certification Scheme
Date authorised 29 September 2003
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
Page iv Issue 1.0 September 2003
(This page is intentionally left blank)
Check Point VPN-1/FireWall-1 Next Generation (NG) EAL4
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
September 2003 Issue 1.0 Page v
TABLE OF CONTENTS
CERTIFICATION STATEMENT.............................................................................................iii
TABLE OF CONTENTS..............................................................................................................v
ABBREVIATIONS .....................................................................................................................vii
REFERENCES .............................................................................................................................ix
I. EXECUTIVE SUMMARY.................................................................................................1
Introduction............................................................................................................................1
Evaluated Product..................................................................................................................1
TOE Scope.............................................................................................................................2
Protection Profile Conformance ............................................................................................3
Assurance...............................................................................................................................4
Strength of Function Claims..................................................................................................4
Security Policy.......................................................................................................................4
Security Claims......................................................................................................................4
Evaluation Conduct ...............................................................................................................5
General Points........................................................................................................................5
II. EVALUATION FINDINGS................................................................................................7
Introduction............................................................................................................................7
Delivery.................................................................................................................................7
Installation and Guidance Documentation.............................................................................7
Strength of Function..............................................................................................................8
Vulnerability Analysis ...........................................................................................................8
III. EVALUATION OUTCOME............................................................................................9
Certification Result................................................................................................................9
Recommendations..................................................................................................................9
ANNEX A: EVALUATED CONFIGURATION .....................................................................11
ANNEX B: PRODUCT SECURITY ARCHITECTURE.......................................................15
ANNEX C: PRODUCT TESTING............................................................................................19
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
Page vi Issue 1.0 September 2003
(This page is intentionally left blank)
Check Point VPN-1/FireWall-1 Next Generation (NG) EAL4
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
September 2003 Issue 1.0 Page vii
ABBREVIATIONS
AES Advanced Encryption Standard
CC Common Criteria
CEM Common Evaluation Methodology
CESG Communications-Electronics Security Group
CLEF Commercial Evaluation Facility
CMT Cryptographic Module Testing
CMV Cryptographic Module Verification
CVP Content Vectoring Protocol
DES Data Encryption Standard
DNS Domain Name Server
EAL Evaluation Assurance Level
ETR Evaluation Technical Report
FIPS Federal Information Processing Standards
FP Feature Pack
FTP File Transfer Protocol
GUI Graphical User Interface
IKE Internet Key Exchange
IP Internet Protocol
ITSEC Information Technology Security Evaluation Criteria
LAN Local Area Network
LDAP Lightweight Directory Access Protocol
MIME Multipurpose Internet Mail Extensions
NG Next Generation
NIC Network Interface Card
NIST National Institute of Standards and Technology
NVLAP National Voluntary Laboratory Accreditation Program
SFR Security Functional Requirement
SIC Secure Internal Communications
SMTP Simple Mail Transfer Protocol
SoF Strength of Functions
SP Service Pack
TOE Target of Evaluation
TSF TOE Security Functions
UKSP United Kingdom Scheme Publication
VPN Virtual Private Network
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
Page viii Issue 1.0 September 2003
(This page is intentionally left blank)
Check Point VPN-1/FireWall-1 Next Generation (NG) EAL4
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
September 2003 Issue 1.0 Page ix
REFERENCES
a. Common Criteria EAL4 Evaluation VPN-1/FireWall-1 NG (FP2) Security Target,
Nokia Internet Communications,
Issue '1.8 for Nokia', 17 July 2003.
b. Common Criteria Part 1,
Common Criteria Interpretations Management Board,
CCIMB-99-031, Version 2.1, August 1999.
c. Common Criteria Part 2,
Common Criteria Interpretations Management Board,
CCIMB-99-032, Version 2.1, August 1999.
d. Common Criteria Part 3,
Common Criteria Interpretations Management Board,
CCIMB-99-033, Version 2.1, August 1999.
e. Description of the Scheme,
UK IT Security Evaluation and Certification Scheme,
UKSP 01, Issue 5.0, July 2002.
f. The Appointment of Commercial Evaluation Facilities,
UK IT Security Evaluation and Certification Scheme,
UKSP 02, Issue 3.0, 3 February 1997.
g. Common Methodology for Information Technology Security Evaluation,
Part 2: Evaluation Methodology,
Common Criteria Evaluation Methodology Editorial Board,
Version 1.0, CEM-099/045, August 1999.
h. Certification Report P172, Check Point VPN-1/FireWall-1 Next Generation (NG) Feature
Pack 1 (FP1),
UK IT Security Evaluation and Certification Scheme,
Issue 2.0, February 2003.
i. Certification Report P192, Check Point VPN-1/FireWall-1 Next Generation (NG) Feature
Pack 2 (FP2) running on Nokia IPSO Operating System on specified Nokia platforms,
UK IT Security Evaluation and Certification Scheme,
Issue 1.0, July 2003.
j. UKSP14 Addendum: EAL4 Delta Evaluation,
UK IT Security Evaluation and Certification Scheme,
Issue 2.C, 21 March 2000.
k. Task LFA/T193 Evaluation Technical Report,
LogicaCMG,
116788/F/T53/1, Issue 1.0, May 2003.
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
Page x Issue 1.0 September 2003
l. Addendum to LFA/T192 ETR,
LogicaCMG,
116788/F/T51/2, Issue 1.0, July 2003.
m. Check Point Getting Started Guide, NG FP2,
Check Point Software Technologies Limited,
Part No. 700446, March 2002.
n. Check Point User Management Guide - NG FP2,
Check Point Software Technologies Limited,
Part No. 700352, March 2002.
o. ITSEC E3, CC EAL4 Secure Delivery - VPN-1/FireWall-1 NG FP2,
Check Point Software Technologies Limited,
N451026002, Rev A, September 2003.
p. Check Point EnterpriseSuiteNextGeneration(NG)FeaturePack2(FP2)Release Notes,
Check Point Software Technologies Limited,
15 July 2002.
q. CheckPoint VPN-1/FireWall-1 NG Feature Pack 2 System Generation/Installation Guide,
Check Point Software Technologies Limited,
N451010001, Version 2.7, April 2003.
r. Operating Instructions forITSEC E3 and EAL4 Compliance,
Nokia Internet Communications,
N450703002, Revision A, March 2003.
s. Check Point Desktop SecurityGuide, NG FP2,
Check Point Software Technologies Limited,
Part No. 700361, November 2001.
t. Check Point FireWall-1 Guide, NG FP2,
Check Point Software Technologies Limited,
April 2002.
u. Check Point Management Guide, NG FP2,
Check Point Software Technologies Limited,
March 2002.
v. Check Point Reference Guide, NG,
Check Point Software Technologies Limited,
Part No. 700351, November 2001.
w. Check Point Virtual Private Networks - NG FP2,
Check Point Software Technologies Limited,
Part No. 700350, March 2002.
Check Point VPN-1/FireWall-1 Next Generation (NG) EAL4
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
September 2003 Issue 1.0 Page 1
I. EXECUTIVE SUMMARY
Introduction
1. This Certification Report states the outcome of the Common Criteria security evaluation of
Check Point VPN-1/FireWall-1 Next Generation (NG) with Feature Pack 2 (FP2) to the
Sponsor, Nokia Internet Communications, and is intended to assist prospective consumers
when judging the suitability of the IT security of the product for their particular
requirements.
2. Prospective consumers are advised to read this report in conjunction with the Security
Target [Reference a] which specifies the functional, environmental and assurance
evaluation requirements.
Evaluated Product
3. The version of the product evaluated was:
Check Point VPN-1/FireWall-1 Next Generation (NG) Feature Pack 2 (FP2).
The Developer was Check Point Software Technologies Limited.
4. The product operates in 2 modes:
a. as a firewall which uses Stateful Inspection Technology to inspect all packets passing
between networks connected to the product, promptly blocking all unwanted
communication attempts (it supports the complete ‘IP’ family of protocols); and
b. as a Virtual Private Network (VPN) which is used to establish a secure
communications channel over an unsecured network (e.g. the Internet) using 2 Check Point
Firewalls.
The product’s firewall functionality and the invocation of the product’s VPN functionality are
the subject of this evaluation. This functionality, as described in the Security Target [a], is also
described in this report as the Target of Evaluation (TOE). The product’s cryptographic
functionality is outside the scope of this evaluation. (See section “Strength of Function Claims”
for details of FIPS testing of the product.)
5. By installing the TOE on a gateway, it can be used as a firewall to supervise all traffic
passing between connected networks. It uses Stateful Inspection Technology to inspect
packets and ensure that only communications from permitted hosts, accessing services
permitted for those hosts, are allowed to pass. A network behind the gateway may thus be
protected against attack or unauthorised access originating beyond the gateway.
6. The TOE has four main components:
a. a Graphical User Interface (GUI);
b. a Management Server;
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
Page 2 Issue 1.0 September 2003
c. one or more Firewall modules; and
d. one or more SecureClients.
7. The product can also operate as a VPN which is used to establish a secure communications
channel over an unsecured network (e.g. the Internet) using 2 installations of the
VPN-1/FireWall-1 firewall. The VPN facility is also used to establish a secure
communications channel between a VPN-1/FireWall-1 firewall and a remote VPN-1
SecureClient allowing remote access and secure connectivity for remote and mobile users.
8. The product is designed to operate in a distributed configuration, providing centralised
management of multiple firewall enforcement points (gateways), as well as centralised
management of remote VPN clients.
9. Details of the evaluated version of the TOE and oftrusted configurations of the product are
contained in the Security Target [a] and summarised in Annex A to this report.
10. An overview of the Product’s security architecture can be found in Annex B.
TOE Scope
11. Section 2.1 of the Security Target [a] defines a ‘trusted configuration’ of Check Point
VPN-1/FireWall-1 NG FP2 as follows:
a. executes on any computer system from the family of workstations and servers which
supports one of the following operating systems:
i. Nokia IPSO 3.5 or IPSO 3.5.1 (for the FireWall);
ii. Microsoft Windows NT4 Service Pack (SP) 6a (for the Management Server,
the Policy Server, GUI and SecureClient);
subject to the considerations of [m] and [q] as described in Annex C,
b. executes on a computer system which supports up to 128 port connections (note that
the VPN-1/FireWall-1 uses the concept of managed ports and does not use the traditional
firewall terms of internal and external network);
c. consists of:
i. a Management Server which resides on a protected LAN;
ii. a Graphical User Interface which resides on a separate workstation running
Microsoft Windows NT which is part of the protected LAN the Management Server
is part of;
iii. A VPN-1 SecureClient which resides on a remote machine outside of the
protected LAN but is part of the corporate network. The VPN-1 SecureClient must
reside on a machine running Windows NT;
Check Point VPN-1/FireWall-1 Next Generation (NG) EAL4
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
September 2003 Issue 1.0 Page 3
iv. a number of FireWall Modules which may or may not reside on the protected
LAN the Management Server is part of; and
v. a Policy Server installed on a VPN-1/FireWall-1 machine which resides on the
protected LAN that the Management Server is part of;
d. is configured, controlled and monitored using the GUI which communicates with the
Management Server; the Management Server then configures the Firewall Modules and via
the Policy Server downloads the Desktop Policy to the Secure Client(s); and
e. has been delivered, installed, configured and used in accordance with the operations
documentation [m - w].
12. The following features and facilities of Check Point VPN-1/FireWall-1, NG FP2 were
addressed during the evaluation:
• Network security provided by Firewall and remote Desktop (SecureClient)
components (note: Desktop SecureClient components that are part of the local LAN were
outside the scope of the evaluation)
• Remote Management capability, including separate GUI management client
• Security Server functionality (note: the actual services for which the Security Server
is used to arbitrate requests were outside the scope of the evaluation)
• LDAP client interface
• CVP interface
• End-user authentication (to interface level only - the actual authentication
mechanism was outside the scope of the evaluation)
• Content analysis (to interface level only)
• Auditing
13. The following features and facilities of Check Point VPN-1/FireWall-1 NG FP2 were
outside the scope of the evaluation:
• LDAP Server
• Authentication agent
• Secure internal communications
• VPN facility
• Content Verification Server
• Service Servers e.g. FTP, SMTP
• SYNDefender
• load balancing
14. In addition, all platforms other than those identified in paragraph 11.a above are outside the
scope of this evaluation.
Protection Profile Conformance
15. The Security Target [a] did not claim conformance to any protection profile.
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
Page 4 Issue 1.0 September 2003
Assurance
16. The Security Target [a] specified the assurance requirements for the evaluation. Predefined
Evaluation Assurance Level EAL4 was used. Common Criteria Part 3 [d] describes the
scale of assurance given by predefined levels EAL1 to EAL7. An overview of CC is given
in CC Part 1 [b].
Strength of Function Claims
17. The minimum Strength of Function (SoF) claimed for the TOE was SoF-Medium. This
was not related to any specific security functions.
18. The Cryptographic mechanisms (MD5, AES, SHA, RSA, IKE, Diffie Hellman, DES and
Triple DES) are implemented within the product. These mechanisms are used to
implement the Secure Internal Communications (SIC) and VPN and are outside the scope
of the evaluation.
19. The product has been tested by a NIST NVLAP-accredited Cryptographic Module Testing
(CMT) laboratory under the Cryptographic Module Verification (CMV) programme and
validated by NIST (Certificate number 234) as complying with the requirements of FIPS
140-1 level 2. The Validation Report states that the TOE contains the FIPS-approved
algorithms DES (Cert #142), Triple-DES (Cert #80) and SHA-1 (Cert #69) with RSA
(PKCS #1 vendor affirmed) and HMAC-SHA-1 (Cert #69, vendor affirmed). Some
mechanisms within the product are non-FIPS-approved. This validation applies to FP1 and
the Developer asserts that changes from FP1 to FP2 do not affect the FIPS 140-1
validation.
Security Policy
20. The TOE Security Policy may be deduced from the Security Target [a]. There are no
Organisational Security Policies with which the TOE must comply.
Security Claims
21. The Security Target [a] fully specifies the TOE’s security objectives, the threats which
these objectives counter and Security Functional Requirements (SFR) and security
functions to elaborate the objectives.
22. With the exception of EDP_ITT.1(1) and EDP_ITT.1(2), all of the SFRs are taken from
CC Part 2 [c]. Use of this standard facilitates comparison with other evaluated products.
EDP_ITT.1(1) and EDP_ITT.1(2) are fully defined in the Security Target [a].
23. Security functionality claims are made for IT security functions grouped under the
following 5 categories:
• Access Control
• Audit
• Remote Supervision
Check Point VPN-1/FireWall-1 Next Generation (NG) EAL4
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
September 2003 Issue 1.0 Page 5
• Secure Internal Communication
• Data Exchange
Evaluation Conduct
24. The evaluation was carried out in accordance with the requirements of the UK IT Security
Evaluation and Certification Scheme as described in United Kingdom Scheme Publications
UKSP 01 and UKSP 02 [e, f]. The Scheme has established a Certification Body which is
managed by CESG on behalf of Her Majesty’s Government. As stated on page ii of this
Certification Report, the Certification Body is a member of the Common Criteria Mutual
Recognition Arrangement, and the evaluation was conducted in accordance with the terms
of this Arrangement.
25. The purpose of the evaluation was to provide assurance about the effectiveness of the TOE
in meeting its Security Target [a], which prospective consumers are advised to read. To
ensure that the Security Target gave an appropriate baseline for a CC evaluation, it was
first itself evaluated. The TOE was then evaluated against this baseline. Both parts of the
evaluation were performed in accordance with CC Part 3 [d] and the Common Evaluation
Methodology (CEM) [g].
26. The TOE Security Functions (TSF) and security environment, together with much of the
supporting evaluation deliverables, remained largely unchanged from:
a. the evaluation of an earlier version (Feature Pack 1) of Check Point VPN-1/
FireWall-1 Next Generation to the Common Criteria EAL 4 assurance level [h]; and from
b. the evaluation of the TOE certified by the UK Security Evaluation and Certification
Scheme to the ITSEC E3 Assurance level [i].
27. For this evaluation of Check Point VPN-1/FireWall-1 Next Generation (NG) with Feature
Pack 2 (FP2), the Evaluators addressed every CEM [g] EAL4 work unit but made use
(with guidance provided in [j]) of the evaluation results [i] from the ITSEC E3 evaluation
where these were valid for the CEM requirements. They also made use of the evaluation
results from the previous Common Criteria evaluation of the Feature Pack 1 version [h].
28. The Certification Body monitored the evaluation which was carried out by the LogicaCMG
Commercial Evaluation Facility (CLEF). The evaluation was completed when the CLEF
submitted the Evaluation Technical Report (ETR) [k] with an addendum [l] to the
Certification Body in July 2003. The Certification Body then produced this Certification
Report.
General Points
29. The evaluation addressed the security functionality claimed in the Security Target [a] with
reference to the assumed operating environment specified by the Security Target. The
evaluated configuration was that specified in Annex A. Prospective consumers are advised
to check that this matches their identified requirements and to give due consideration to the
recommendations and caveats of this report.
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
Page 6 Issue 1.0 September 2003
30. Certification is not a guarantee of freedom from security vulnerabilities; there remains a
small probability (smaller with greater assurance) that exploitable vulnerabilities may be
discovered after a certificate has been awarded. This Certification Report reflects the
Certification Body’s view at the time of issue of this Certification Report. Consumers (both
prospective and existing) should check regularly for themselves whether any security
vulnerabilities have been discovered since this report was issued and, if appropriate, should
check with the Vendor to see if any patches exist for the products and whether such
patches have been evaluated and certified.
31. The issue of a Certification Report is not an endorsement of a product.
Check Point VPN-1/FireWall-1 Next Generation (NG) EAL4
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
September 2003 Issue 1.0 Page 7
II. EVALUATION FINDINGS
Introduction
32. The evaluation addressed the requirements specified in the Security Target [a]. The results
of this work were reported in the ETR [k] under the CC Part 3 [d] headings. The following
sections note considerations that are of particular relevance to consumers of the TOE.
Delivery
33. The secure delivery of the firewall is described in [
o]. The delivery instructions are
summarised below.
34. Check Point VPN-1/FireWall-1 NG FP2 can be obtained via the Check Point support web
site at www.checkpoint.com/techsupport/downloads.jsp. The download section clearly
identifies the manufacturer and product type, and identifies it as Feature Pack 2 for Nokia
IPSO 3.5/ 3.51.
35. As an additional security feature the software comes with an MD5 signature, which canbe
confirmed. For The IPSO version of FP2 the MD5 signature should be:
63cd2754f32b7dd15446169751fb49b5
36. As part of the installation procedure of Check Point VPN-1/FireWall-1 it is necessary for
the purchaser to enter their licence details. Obtaining licences is described in detail in [m].
Notably the permanent licence required to install the product will only be provided to a
purchaser once the product is registered on Check Point’s Web Site. Registration will
require entry of user details along with a unique Certificate Key.
37. All supporting guidance documentation originating from Checkpoint is available from the
Checkpoint website. However the Operating Instructions for ITSEC E3 and EAL4
Compliance [r] must be obtained from Nokia.
Installation and Guidance Documentation
38. Check Point’s Getting Started Guide [m] provides procedures for system generation
(installation). In addition the following specifically define the evaluated configuration:
a. Release Notes [p] (which contain information on the supported platforms (operating
systems) and avoidance of known product limitations and problems);
b. a System Generation/Installation Guide [q]; and
c. Operating Instructions for ITSEC E3 and EAL4 Compliance [r].
39. The system generation procedures describe the installation pre-conditions (e.g. removing
any services on the VPN-1/FireWall-1 machine that are not required and might be a security risk,
confirming that routing and DNS are correctly configured, disabling IP forwarding, etc). They
describe the requirements for setting up administrator accounts/permissions, secure internal
communications and security policies, removing temporary files, etc.
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
Page 8 Issue 1.0 September 2003
40. Procedures for secure operation of the TOE are described throughout the product manuals
([m - w]). The Getting Started Guide [m: Chapter 6] provides a tutorial covering aspects of
the TOE such as building security policies, use of network address translation, creation of
users, defining rule bases and viewing logs.
Strength of Function
41. The SoF claim for the TOE was as given above under “Strength of Function Claims”
above. Based on their examination of all the evaluation deliverables, the Evaluators
confirmed that there were no probabilistic or permutational mechanisms in the TOE and
that the SoF claim of SoF-Medium was therefore upheld.
Vulnerability Analysis
42. The Evaluators’ vulnerability analysis was based on both public domain sources and the
visibility of the TOE given by the evaluation process.
Check Point VPN-1/FireWall-1 Next Generation (NG) EAL4
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
September 2003 Issue 1.0 Page 9
III. EVALUATION OUTCOME
Certification Result
43. After due consideration of the ETR and Addendum [k, l], produced by the Evaluators, and
the conduct of the evaluation, as witnessed by the Certifier, the Certification Body has
determined that Check Point VPN-1/FireWall-1 Next Generation (NG) with Feature Pack
2 (FP2) meets the Common Criteria Part 3 conformant requirements of Evaluation
Assurance Level EAL4 for the specified Common Criteria Part 2 extended functionality
when running on the platforms specified in Annex A and in a ‘trusted configuration’ as
defined in the Security Target [a] and summarised in paragraph 11 of this report.
44. The Certification Body has also determined that the TOE meets the minimum SoF claim of
SoF-Medium given above under “Strength of Function Claims”.
Recommendations
45. Prospective consumers of Check Point VPN-1/FireWall-1 Next Generation (NG) with
Feature Pack 2 (FP2) should understand the specific scope of the certification by reading
this report in conjunction with the Security Target [a]. In particular, prospective consumers
should note that, as stated in paragraph 4 above, the product’s cryptographic functionality
is outside the scope of this evaluation
46. The Product should be used in accordance with a number of environmental considerations
as specified in sections 3.1 and 5.4 of the Security Target [a]. Particular care should be
taken that the product is delivered installed and used in accordance with the supporting
guidance documentation [m - w].
47. Only a ‘trusted configuration’ of the TOE should be installed. This is defined in the
Security Target [a] and summarised in paragraph 11 above.
48. Consumers of the TOE should note, also, that the underlying operating system and the
underlying hardware platform are required to function correctly in order to support the
method of use assumptions that contribute to the secure operation of the TOE.
49. Administrators should be aware that the TOE does not counter the threat that a firewall
module could be bypassed by connecting the internal network directly to an external
network. It is recommended that the TOE is placed in a physically secure environment to
which only authorised personnel have access and that internal users are prevented from
connecting their workstations or servers to the external network by any link (e.g. a modem)
that does not pass through a firewall module that is part of a trusted configuration of
VPN-1/FireWall-1 NG FP2.
50. Consumers should note that the administrators of the TOE are assumed to be trusted
individuals who are appropriately vetted and trained. The TOE does not counter threats
from careless, negligent or hostile administrators. It is recommended that appropriate
measures, including regular, independent audits of the firewall configuration, be taken to
counter these threats.
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms
Page 10 Issue 1.0 September 2003
51. Firewall flow policies are complex and they need to be tailored to fit specific requirements.
Consumers of the TOE should ensure that administrators are competent to determine the
firewall flow policies to be implemented or have access to people who are competent to
determine such policies.
52. Administrators should be aware that a firewall does not prevent malicious users on the
internal network colluding with hostile attackers on the external network if the user is
authorised to access and send the information to external hosts.
53. Administrators are recommended to inspect the TOE’s audit trails on a regular basis and,
also, to inspect, on a regular basis, the installed FireWall Security Policies and Desktop
Security Policies to ensure that they remain correct.
54. Administrators should take particular care to ensure that IP forwarding is enabled in the
TOE’s computer system only when V
PN-1/FireWall-1 is running and is disabled when
VPN-1/FireWall-1 is not running, otherwise IP packets may be forwarded by the
underlying operating system while the firewall is not running. Instructions to achieve this
are given in [q].
55. Potential consumers of the TOE should be aware that the TOE does not claim to resist all
denial-of-service attacks. Whilst the TOE does contain functionality to counter attacks
using fragmented or overlapping IP packets, SYN flooding attacks are outside the scope of
this evaluation because the SYNDefender functionality was not included in this evaluation.
56. Potential consumers should note that the VPN-1/FireWall-1, in common with similar
TOEs, does not counter the threat of Session Hi-jacking (i.e. an external attacker taking
over an authenticated session initiated by another external host) unless using VPN-1
SecureClient for remote access to the protected network. This threat should be considered
when defining the internal network security policy.
57. To reduce the potential impact of Session Hi-jacking, it is recommended that the internal
network security policy states what executable software is authorised to be received
through the firewall from the external network. Corresponding operational procedures to
quarantine such software may also be required.
58. To detect whether Session Hi-jacking has affected the firewall, it is recommended that a
backup of the firewall in its initial operational configuration is retained and used for
comparison at periodic intervals. Operational procedures should state when this
comparison is to be made.
59. Potential consumers should be aware that the TOE does not detect viruses. It is
recommended that executable programs attached to incoming mail messages should be
virus checked. Automatic explosion or execution of MIME-encoded attachments within
SMTP messages should also be disabled.
60. Administrators should note that whilst VPN-1/FireWall-1 NG FP2 can coexist within the
same network as earlier versions of VPN-1/FireWall-1 provided each are configured, and
their security policies defined, according to their evaluated configurations, the backward
compatibility of VPN-1/FireWall-1 NG FP2 to manage earlier versions of VPN-
1/FireWall-1 is not within the scope of this evaluation and certification.
Check Point VPN-1/FireWall-1 Next Generation (NG) EAL4
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms Annex A
September 2003 Issue 1.0 Page 11
ANNEX A: EVALUATED CONFIGURATION
TOE Identification
1. The TOE is uniquely identified as:
Check Point VPN-1/FireWall-1 Next Generation (NG) Feature Pack 2 (FP2)
Note that the scope of the evaluation is described in the section “Evaluated Product” above.
TOE Documentation
2. The supporting guidance documents evaluated were:
• ITSEC E3 Secure Delivery - VPN-1/FireWall-1 NG FP2 ITSEC E3 Evaluation [o]
• Check Point VPN-1/FireWall-1 NG FP2 System Generation/Installation Guide [q]
• Check Point VPN-1/FireWall-1 Next Generation (NG) Feature Pack 2 (FP2) [p]
• Operating Instructions for ITSEC E3 and EAL4 Compliance [r]
• Check Point Getting Started Guide, NG FP2 [m]
• Check Point Desktop Security, NG [s]
• Check Point FireWall-1 Guide, NG FP2 [t]
• Check Point Management Guide, NG FP2 [u]
• Check Point Reference Guide, NG [v]
• Check Point User Management Guide - NG FP2 [n]
• Check Point Virtual Private Networks, NG FP2 [w]
3. Further discussion of the supporting guidance material is given in Section II under the
heading “Installation and Guidance Documentation” above.
TOE Configuration
4. The TOE should be configured in accordance with the guidance documents identified in
paragraph 2 above.
Environmental Configuration
5. The TOE executes on a wide range of computer systems from the family of workstations
and servers which supports one of the following operating systems:
a. Nokia IPSO 3.5 or 3.5.1 for the FireWalls (running on Nokia IP110, IP120, IP330,
IP350, IP380, IP440, IP530, IP650, IP710 or Nokia IP740)
b. Windows NT4 SP 6a for the Management Server, the GUI and the VPN-1
SecureClient.
6. Chapter 4 of [m] provides guidance on minimum NT and IPSO hardware requirements for
the Management Server, FireWall Module and GUI, in terms of disk space, memory and
processor speed.
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Annex A Running on Nokia on specified Nokia platforms
Page 12 Issue 1.0 September 2003
7. The product executes on a computer system which supports up to 128 port connections
(note that the VPN-1/FireWall-1 uses the concept of managed ports and does not use the
traditional firewall terms of internal and external network).
8. See, also, the section “Platform Issues” in Annex C for discussion of the issues relating to
the hardware platforms.
9. The Developers used Nokia machines running IPSO 3.5 and 3.5.1 for their functional
testing:
192.168.1.3
10.0.0.3
11.0.0.0/24
Net A
192.168.1.0/24
Internet
10.0.0.0/24
Net B
192.168.2.0/24
10.0.0.1
IP380
IPSO 3.5.1-FCS4
192.168.1.1
10.0.0.2
IP440
IPSO 3.5-FCS14
192.168.1.2
192.168.2.1
IP120
IPSO 3.5-FCS14
10.0.0.4
192.168.2.2
IP330
IPSO 3.5-FCS14
10.0.0.5 Secure Client
10.0.0.10
Scanner
10.0.0.11
192.168.1.12
FW-1 Management Server
FW-1 Logging Server
192.168.1.11
FW-1 GUI
FTP Server
192.168.2.10
Figure 1: Penetration Testing Configuration
10. The Evaluators used the following platforms for their functional and penetration testing.
a. Three Dell Latitude laptops, pre-installed with Windows NT4.0 and Service Pack 6a,
for the Management Server and Logging Server (combined), the GUI and the SecureClient
(configured in a VPN with a FireWall machine).
b. Nokia IP120, IP330, IP380 and IP440 platforms (with Monitored Circuits
Pair/Standalone and operating system configurations specified in Annex C) each installed
Check Point VPN-1/FireWall-1 Next Generation (NG) EAL4
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms Annex A
September 2003 Issue 1.0 Page 13
with the TOE Firewall modules (and capable of operating as a Policy Server for relevant
tests).
11. The hardware configuration of these platforms was as follows:
a. The Dell laptop used for the Management Server and Logging Server was installed
with a 500 MHz Pentium III, 256 MB RAM, an 11.2 GB hard disk and a Xircom
Cardbus Ethernet 100+ modem NIC.
b. The Dell laptop used for the SecureClient was installed with a 500 MHz Pentium III,
128 MB RAM, a 12 GB hard disk and a Xircom Ethernet 10/100+ modem NIC.
c. The Dell laptop used for the GUI was installed with a 500 MHz Pentium III, 256 MB
RAM, a 3.99 GB hard disk and a Xircom Cardbus Ethernet 100+ modem NIC.
d. The Nokia IP120 had a National GX1 CPU, 128 MB RAM, a 10 GB Hard disk and
an Intel EtherExpress Pro 10/100B Ethernet NIC.
e. The Nokia IP330 had an AMD-K6 2/256 CPU, 256 MB RAM, a 20 GB Hard disk
and an Intel EtherExpress Pro 10/100B Ethernet NIC.
f. The Nokia IP380 had a Pentium III 700 MHz CPU, 512 MB RAM, a 10 GB Hard
disk and an Intel EtherExpress Pro 10/100B Ethernet NIC.
g. The Nokia IP440 had a Pentium III 600 MHz CPU, 256 MB RAM, a 20 GB Hard
disk and a Digital DC21143 Fast Ethernet NIC.
12. These platforms were networked together as shown in Figure 1 above.
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Annex A Running on Nokia on specified Nokia platforms
Page 14 Issue 1.0 September 2003
(This page is intentionally left blank)
Check Point VPN-1/FireWall-1 Next Generation (NG) EAL4
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms Annex B
September 2003 Issue 1.0 Page 15
ANNEX B: PRODUCT SECURITY ARCHITECTURE
2. This annex gives an overview of the main product architectural features that are relevant to
the security of the product. Other details of the scope of evaluation are given in the main body of
the report and in Annex A.
Architectural Features
3. The product operates in a distributed configuration which consists of:
• a Management Server residing on a protected LAN,
• a Graphical User Interface (GUI) residing on a separate workstation, but on the same
protected LAN as the Management Server,
• a number of Firewall modules, controlled by the Management Server, which may or
may not reside on the same protected LAN as the Management Server,
• a Policy Server residing on a Firewall module machine on the same protected LAN
as the Management Server, and
• a VPN-1 SecureClient residing on a remote client outside the protected LAN
Design Subsystems
4. The product is made up of 2 major components:
a. VPN-1/FireWall-1 Firewall; and
b. VPN-1 SecureClient
Note that the evaluation covers the product’s firewall functionality and invocation of the
product’s VPN functionality. The VPN functionality is outside the scope of the evaluation.
5. VPN-1/FireWall-1 Firewalls consist of the following components:
a. GUI - the graphical interface engaged by the administrator. This is the original point
of entry of a Firewall Security Policy and is the interface and terminus for viewing log files
and receiving graphical alerts.
b. Management - A component on the Management Server which centrally manages
one or more firewall modules, each of which may be physically distributed. It receives
instructions from a (possibly remote) GUI and distributes these to the firewall machines. It
centrally receives and processes log/alerts from the distributed firewalls, and alerts from
the VPN-1 SecureClients.
c. FireWall Kernel - The main packet filtering/transforming component. Located
within the operating system kernel of each firewall gateway, it intercepts packet flows
between NICs and IP modules. This component is where filtering and address translation
are performed on packets.
d. VPN Kernel - The main cryptographic component where encryption operations are
performed on packets and VPN aspects of the Security Policy are enforced. Performs
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Annex B Running on Nokia IPSO on specified Nokia platforms
Page 16 Issue 1.0 September 2003
IPSec processing on packets according to the Security Policy and reports auditable events
to the FireWall Daemon. (The scope of the TOE only extends to invocation of VPN
functionality).
e. FireWall Daemon - Exists on every Management Server and every VPN/Firewall
machine. On VPN/Firewall machines, receives and installs the Firewall Security Policy on
the Kernel, and processes logs, alerts and traps generated by the Kernel. On the
Management Server, receives transmitted logs/alerts, writing logs to a file and issuing the
alerts, and transmits the Firewall Security Policy to the VPN/Firewall machines.
f. VPN Daemon - Negotiates the IPSec Security Association with IKE peers, sends
logs to the FireWall Daemon, registers the VPN Kernel to the FireWall Kernel when VPN-
1/FireWall-1 is started. Handles requests (traps) from the VPN Kernel for new IPSec
Security Associations. (The scope of the TOE only extends to invocation of VPN
functionality).
g. Utilities - Resides on the Management Server, and is involved in compiling and
loading the Firewall Security Policy and Desktop Security Policy. Provides a command-
line interface means of engaging Management Server functionality.
h. Security Server - Used for user authentication or for when the communication
content requires analysis at levels higher than feasible within the Kernel; e.g. to scan ftp
protocol streams for GETs and PUTs. Resides on the VPN/FireWall machine.
i. Auth Agent - An agent installed on hosts which provides a means for a
VPN/FireWall machine to session-authenticate such hosts. (This functionality is outside
the scope of the evaluation.)
j. Policy Server - The component that receives the Desktop Security Policies from the
Management Server and delivers them to VPN-1 SecureClients, and collects alert data
from VPN-1 SecureClients and sends it to the Management Server.
6. VPN-1 SecureClients consist of the following components:
a. SecureClient Kernel - The main component that enforces the VPN-1 Policy and the
Desktop Security Policy. Located within the operating system kernel of each SecureClient,
it inspects every incoming and outgoing packet, and decides whether to drop it, accept it,
or encrypt/decrypt it.
b. SecureClient VPN Kernel - Performs and enforces the VPN and cryptographic
aspects of encrypted communication, in much the same way as the VPN Kernel on the
VPN-1/FireWall machine. (The scope of the TOE only extends to invocation of VPN
functionality).
c. SecureClient Daemon - Negotiates the IPSec Security Association with IKE peers,
gets Desktop Security Policies from the Policy Server and loads them into the SecureClient
Kernel, and collects alerts from the SecureClient Kernel and transfers them to the Policy
Server. (The scope of the TOE only extends to invocation of VPN functionality).
Check Point VPN-1/FireWall-1 Next Generation (NG) EAL4
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms Annex B
September 2003 Issue 1.0 Page 17
d. SecureClient VPN Daemon- Responsible for VPN related tasks and registering the
SecureClient VPN Kernel to the SecureClient Kernel when VPN-1 SecureClient is started.
(The scope of the TOE only extends to invocation of VPN functionality).
e. SecureClient GUI - The graphical interface engaged by the VPN-1 SecureClient
user. It is also the interface and terminus for viewing SecureClient log entries and
receiving popup alerts.
Hardware and Firmware Dependencies
7. The product relies on the correct operation of the platform’s h
ardware and firmware but
otherwise has no security dependencies on the platform’s hardware or firmware.
TSF Interfaces
8. The external interfaces for the VPN-1/FireWall-1 are as follows:
a. The GUI, the administrator’s graphical point of access (using windowing
functionality) for interacting with the product.
b. Command Line Interface - the more expert administrator’s means of interacting with
the product, using command-line instructions.
c. Interface for packets on the Firewall machines - this is the point within the Firewall
Kernel at which packets are intercepted on their normal path between NIC and IP module,
and at which packets are returned after inspection/filtering.
d. Interface for interaction with ‘users’ communicating across the firewall, i.e. what the
user s
ees as a result of the firewall’s mediation (causing connection to be accepted,
dropped, rejected), and the interchange for subscriber authentication.
9. The external interfaces for the VPN-1 SecureClient are as follows:
a. The SecureClient GUI, which provides the user’s graphical point of access (using
windowing functionality) for interacting with the Firewall gateways and policy servers.
b. Interface for packets on SecureClient - the normal point within SecureClient Kernel
at which packets are intercepted on their normal path between NIC and IP module, and at
which packets are returned after inspection/filtering.
c. Interface for interaction with users communicating across SecureClient, i.e. what the
user sees as a result of the SecureClient’s mediation (causing a connection to be accepted,
blocked or encrypted).
10. In addition, within the product there are interfaces for communications between the
product machines in the distributed configuration and communication with external entities (e.g.
LDAP server).
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Annex B Running on Nokia IPSO on specified Nokia platforms
Page 18 Issue 1.0 September 2003
(This page is intentionally left blank)
Check Point VPN-1/FireWall-1 Next Generation (NG) EAL4
Feature Pack 2 (FP2)
Running on Nokia IPSO on specified Nokia platforms Annex C
September 2003 Issue 1.0 Page 19
ANNEX C: PRODUCT TESTING
IT Product Testing
1. Developer's functional tests were carried out by Check Point on Nokia platforms..
2. Coverage of all security functions, subsystems and external interfaces was established from
the test evidence supplied.
3. The Evaluators confirmed the soundness of developer testing, and then performed
additional functional tests and penetration tests.
4. The test configurations used for the Evaluators’ tests were described in Annex A. Coverage
of the various Nokia platforms is discussed below under ‘Platform Issues’
Platform Issues
5. The Security Target claims that the product executes on any computer system from the
family of workstations and servers which supports one of the following operating systems:
a. Nokia IPSO 3.5 or 3.5.1 for the FireWall modules and Policy Servers (running on
Nokia IP110, IP120, IP330, IP350, IP380, IP440, IP530, IP650, IP710 or Nokia IP740)
b. Windows NT4 SP 6a for the Management Server, the GUI and the VPN-1
SecureClient.
6. This is subject to the considerations of the Getting Started Guide [m] (which defines
minimum hardware requirements – note that machine specifications lower than those used for
testing may introduce performance degradation; however no specific problems of this nature
were evident in the course of the evaluation.) and the System Generation/Installation Guide [q]
(which gives guidance on configuration of the evaluated configuration - note that this excludes
options such as hardware accelerators).
7. The Evaluators performed all their tests on a Monitored Circuits pair (comprising an IP380
running IPSO 3.5.1 as Master and an IP440 running IPSO 3.5 as standby)1
. The Evaluators also
performed a selection of tests on IP120, IP330 and IP440 standalone machines, all running IPSO
3.5 (the Monitored Circuits option having been turned off for use of the IP440).
8. The Evaluators satisfied themselves that the overall testing and other evaluation activity
was adequate to address the platform range claimed.
9. The product relies on the underlying operating system for security-relevant functionality
for process separation and time stamping.
1
Note that the effects of device failover from master to standby were outside the scope of the evaluation.
EAL4 Check Point VPN-1/FireWall-1 Next Generation (NG)
Feature Pack 2 (FP2)
Annex C Running on Nokia IPSO on specified Nokia platforms
Page 20 Issue 1.0 September 2003
(This page is intentionally left blank)