122-B COMMON CRITERIA CERTIFICATION REPORT No. CRP238 Juniper Networks JUNOScope IP Service Manager Version 8.2R2 Issue 1.0 July 2007 © Crown Copyright 2007 Reproduction is authorised provided the report is copied in its entirety UK Certification Body CESG, Hubble Road Cheltenham, GL51 0EX United Kingdom ARRANGEMENT ON THE RECOGNITION OF COMMON CRITERIA CERTIFICATES IN THE FIELD OF INFORMATION TECHNOLOGY SECURITY The Certification Body of the UK IT Security Evaluation and Certification Scheme is a member of the above Arrangement and as such this confirms that the Common Criteria certificate has been issued by or under the authority of a Party to this Arrangement and is the Party’s claim that the certificate has been issued in accordance with the terms of this Arrangement. The judgements contained in the certificate and Certification Report are those of the Qualified Certification Body which issued it and of the Evaluation Facility which carried out the evaluation. There is no implication of acceptance by other Members of the Agreement Group of liability in respect of those judgements or for loss sustained as a result of reliance placed upon those judgements by a third party. CRP238 – JUNOScope IP Service Manager Page 2 of 20 Issue 1.0 July 2007 CERTIFICATION STATEMENT The product detailed below has been evaluated under the terms of the UK IT Security Evaluation and Certification Scheme and has met the specified Common Criteria requirements. The scope of the evaluation and the assumed usage environment are specified in the body of this report. Sponsor and Developer Juniper Networks, Inc. Product and Version Juniper Networks JUNOScope IP Service Manager 8.2R2 Description The evaluated version of this product routes IP traffic over a network with increasing scalability of the traffic volume with each router model. Each packet is scanned and then compared against a set of rules to determine where the traffic should be routed. CC Part 2 Conformant CC Part 3 Conformant EAL EAL3 augmented by ALC_FLR.3 CLEF BT Date authorised 26 July 2007 The evaluation was carried out in accordance with the requirements of the UK IT Security Evaluation and Certification Scheme as described in United Kingdom Scheme Publication 01 (UKSP 01) and UKSP 02 ([a] - [c]). The Scheme has established a Certification Body, which is managed by CESG on behalf of Her Majesty’s Government. The purpose of the evaluation was to provide assurance about the effectiveness of the TOE in meeting its Security Target [d], which prospective consumers are advised to read. To ensure that the Security Target gave an appropriate baseline for a CC evaluation, it was first itself evaluated. The TOE was then evaluated against this baseline. Both parts of the evaluation were performed in accordance with CC Part 1 [e] and CC Part 3 [g], the Common Evaluation Methodology (CEM) [h], and relevant Interpretations. The issue of a Certification Report is a confirmation that the evaluation process has been carried out properly and that no exploitable vulnerabilities have been found. It is not an endorsement of the product. Trademarks: All product or company names are used for identification purposes only and may be trademarks of their respective owners. CRP238 – JUNOScope IP Service Manager July 2007 Issue 1.0 Page 3 of 20 TABLE OF CONTENTS CERTIFICATION STATEMENT......................................................................................2 TABLE OF CONTENTS..................................................................................................3 I. EXECUTIVE SUMMARY ........................................................................................4 Introduction .......................................................................................................................4 Evaluated Product and TOE Scope...................................................................................4 Security Claims .................................................................................................................4 Strength of Function Claims ..............................................................................................5 Evaluation Conduct ...........................................................................................................5 Conclusions and Recommendations .................................................................................5 II. PRODUCT SECURITY GUIDANCE .......................................................................7 Introduction .......................................................................................................................7 Delivery.............................................................................................................................7 Installation and Guidance Documentation .........................................................................7 III. EVALUATED CONFIGURATION...........................................................................8 TOE Identification..............................................................................................................8 TOE Documentation..........................................................................................................9 TOE Scope .......................................................................................................................9 TOE Configuration.............................................................................................................9 Environmental Requirements ............................................................................................9 Test Configuration........................................................................................................... 10 IV. PRODUCT SECURITY ARCHITECTURE ............................................................12 Introduction ..................................................................................................................... 12 Product Description and Architecture .............................................................................. 12 Design Subsystems......................................................................................................... 12 Hardware and Firmware Dependencies .......................................................................... 15 Product Interfaces ........................................................................................................... 15 V. PRODUCT TESTING............................................................................................16 IT Product Testing........................................................................................................... 16 Vulnerability Analysis ...................................................................................................... 17 Platform Issues ............................................................................................................... 17 VI. REFERENCES......................................................................................................18 VII. ABBREVIATIONS ................................................................................................20 CRP238 – JUNOScope IP Service Manager Page 4 of 20 Issue 1.0 July 2007 I. EXECUTIVE SUMMARY Introduction 1. This Certification Report states the outcome of the Common Criteria security evaluation of Juniper Networks JUNOScope IP Service Manager 8.2R2 to the Sponsor, Juniper Networks, Inc., and is intended to assist prospective consumers when judging the suitability of the IT security of the product for their particular requirements. 2. Prospective consumers are advised to read this report in conjunction with the Security Target [d], which specifies the functional, environmental and assurance requirements. Evaluated Product and TOE Scope 3. The version of the product evaluated was: Juniper Networks JUNOScope IP Service Manager 8.2R2 4. The Developer was Juniper Networks, Inc. 5. The evaluated configuration of this product is described in this report as the Target of Evaluation (TOE). Details of the TOE Scope, its assumed environment, and the evaluated configuration are given in Chapter III ‘Evaluated Configuration’. 6. It should be noted that the actual release number for the TOE is 8.2R2.4. However, as the ‘fourth’ spin of the 8.2R2 build was the only build released, the two versions are synonymous and are therefore referred to as 8.2R2. 7. Juniper Networks JUNOScope IP Service Manager 8.2R2 provides a web based management interface for the management of IP services for configured devices, such as a Juniper Networks M/T/J Series router. Administrative tasks such as monitoring, configuration and software management of a device can be efficiently performed. 8. An overview of the product and its security architecture can be found in Chapter IV ‘Product Security Architecture’. Security Claims 9. The Security Target [d] fully specifies the TOE’s security objectives, the threats that those objectives counter, and the Security Functional Requirements (SFRs) and security functions to elaborate the objectives. All of the SFRs are taken from CC Part 2 [f]; use of this standard facilitates comparison with other evaluated products. 10. The TOE Security Policy is detailed in the Security Target [d]. 11. The Security Target [d] states that there are no organisational security policies with which the TOE must comply. CRP238 – JUNOScope IP Service Manager July 2007 Issue 1.0 Page 5 of 20 Strength of Function Claims 12. The minimum Strength of Function (SoF) was SoF-Medium. This was claimed for SFR FIA_SOS.1, in respect of the authentication mechanism using passwords. The Certification Body has determined that this claim was met. 13. The password must be at least 6 characters in length and contain at least one change of character set (upper, lower, numeric, other). Evaluation Conduct 14. The Certification Body monitored the evaluation, which was carried out by the BT Commercial Evaluation Facility (CLEF). The evaluation addressed the requirements specified in the Security Target [d]. The results of this work, completed in July 2007, were reported in the Evaluation Technical Report (ETR) [i]. Conclusions and Recommendations 15. The conclusions of the Certification Body are summarised in the Certification Statement on Page 2. 16. Prospective consumers of Juniper Networks JUNOScope IP Service Manager 8.2R2 should understand the specific scope of the certification by reading this report in conjunction with the Security Target [d]. The TOE should be used in accordance with the environmental assumptions specified in the Security Target. Prospective consumers are advised to check that this matches their identified requirements, and to give due consideration to the recommendations and caveats of this report. 17. This Certification Report is only valid for the evaluated TOE. This is specified in Chapter III ‘Evaluated Configuration’. 18. The TOE should be used in accordance with the supporting guidance documentation included in the evaluated configuration. Chapter II ‘Product Security Guidance’ below includes a number of recommendations relating to the secure receipt, installation, configuration and operation of the TOE. 19. The product provides some features that were not within the scope of the evaluation, as identified in Chapter III ‘Evaluated Configuration’. Those features should therefore not be used if the TOE is to comply with its evaluated configuration. 20. If any changes are proposed to the TOE’s functionality, or to components that were examined during the evaluation, such changes should be handled under the Assurance Continuity Scheme. If the change falls outside the scope of Assurance Continuity, a partial or complete re-evaluation of the TOE should be performed. CRP238 – JUNOScope IP Service Manager Page 6 of 20 Issue 1.0 July 2007 21. Certification is not a guarantee of freedom from security vulnerabilities: there remains a small probability (smaller with greater assurance) that exploitable vulnerabilities may be discovered after a certificate has been awarded. This Certification Report reflects the Certification Body’s view at the time of certification. Consumers (both prospective and existing) should check regularly for themselves whether any security vulnerabilities have been discovered since this report was issued, and, if appropriate, should check with the Vendor to see if any patches exist for the product, and whether these patches have further assurance. The installation of patches for security vulnerabilities, whether or not they have further assurance, should improve the security of the product. CRP238 – JUNOScope IP Service Manager July 2007 Issue 1.0 Page 7 of 20 II. PRODUCT SECURITY GUIDANCE Introduction 22. The following sections note considerations that are of particular relevance to purchasers of the product. Delivery 23. On receipt of the TOE, the consumer is recommended to check that the evaluated version has been supplied, and to check that the security of the TOE has not been compromised in delivery. 24. Consumers must download the TOE from Juniper Networks’ website at www.juniper.net, as detailed in the JUNOScope Software Release Notes [k]. All administration guidance for the TOE is also on the website. A consumer is required to have a username and password in order to access the secure area of the site. A username and password is provided to the user when they purchase the TOE. 25. Consumers should also download the JUNOScope Software Release Notes [k] and the following guidance from the www.juniper.net website: a. JUNOScope Software User Guide [j]; b. JUNOS Internet Software JUNOScript API Guide [l]. 26. When consumers have downloaded the TOE they are required to validate the MD5 or SHA1 checksums, which are provided both on the www.juniper.net website and in the JUNOScope Software Release Notes [k]. Installation and Guidance Documentation 27. Guidance is provided in the documents detailed in paragraph 25. 28. The JUNOScope Software Release Notes [k] describe the procedures that must be followed to install and configure the product in its evaluated configuration, and to operate it securely. Those notes also describe the procedures that must be followed to configure the environment. Hence it is recommended that those notes are read first. 29. The intended audience of the installation and guidance documents is the administrator. CRP238 – JUNOScope IP Service Manager Page 8 of 20 Issue 1.0 July 2007 III. EVALUATED CONFIGURATION TOE Identification 30. The TOE is identified as: Juniper Networks JUNOScope IP Service Manager 8.2R2 31. The TOE consists of software to monitor and manage router operations via a web- based interface, running on the Sun Solaris operating system. 32. Figure 1 below shows the components and scope of the TOE: Figure 1: Components and Scope of the TOE 33. The following components, included in Figure 1 above, are non-security supporting subsystems within the TOE that are not involved in the implementation of the SFRs: • Looking Glass; • Inventory Manager; • Task Manager; • Syslog. Looking Glass Software Manager Configuration Manager Presentation Layer (HTML) Inventory Manager Browser interface (https) Application Server (Tomcat) JUNOS XNM Task Manager RADIUS Syslog JDBC XML CVS Authentication, Accounting Messages Configs MySQL SQL inventory interface Local (Solaris) syslogd RADIUS server Monitor & Settings Authorization Layer CRP238 – JUNOScope IP Service Manager July 2007 Issue 1.0 Page 9 of 20 TOE Documentation 34. The relevant guidance documentation for the evaluated configuration is identified in Chapter II ‘Product Security Guidance’. TOE Scope 35. The TOE is identified above under ‘TOE Identification’. 36. The logical boundaries of the TOE are defined by the functions that can be carried out at the TOE external interfaces. These functions include identification and authentication for the administrative functions, management of the security configurations, audit and protection of the TOE itself. 37. There are no security functionality claims relating to the following item: • client web browser. 38. The following items are outside the scope of the evaluation: • use of SSL; • inventory interface to the MySQL database; • importing/exporting of MySQL data from/to another JUNOScope server. TOE Configuration 39. In the evaluated configuration, the TOE runs on Sun Solaris version 9/04 or 10. 40. The underlying operating system is part of the environment. 41. In the evaluated configuration, an external authentication server (e.g. RADIUS) can be used to authenticate administrative connections. Network level diagrams are provided in Figures 1 and 2. Environmental Requirements 42. The Security Target [d] identifies the objectives that are met by the environment, or are met collectively by the TOE and the environment, as follows: a. (OE.AUTH): a RADIUS server must be available for external authentication services; b. (OE.BYPASS): the IT environment for JUNOScope must ensure that the TOE is not bypassed and will provide access control to TOE processes; c. (OE.BROWSE): the IT environment must secure the communication channel between the browser interface and the TOE; d. (OE.CRYPTO): SSL must be enabled for all management traffic. CRP238 – JUNOScope IP Service Manager Page 10 of 20 Issue 1.0 July 2007 43. The Security Target [d] makes physical, personnel and connectivity assumptions as follows: a. (A.LOCATE): the processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorised physical access; b. (A.NOEVIL): the authorised users will be competent, and not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation; c. (A.EAUTH): external authentication services will be available via RADIUS; d. (A.THREAT): the threat level in the environment where the TOE will be deployed is considered low; e. (A.ACCESS): access to data and processes on the Solaris platform underlying the TOE will be restricted to authorised personnel (i.e. JUNOScope Installer); f. (A.CRYPTO): management traffic will be protected using SSL. Test Configuration 44. The environmental configuration used by the developer and the evaluators to test the TOE is summarised below and in Figure 2: Router: Juniper Networks J2300 router running JUNOS 8.1R1.5 Solaris Machine: O/S: Sun Solaris 9/04 RAM: 4 GB CPU: 1800 MHz JUNOScope: 8.2R2 Patches: All Solaris recommended patches as of 16th May 2007 Hard Disk: 73Gb NIC: Sun Internal PCI 10/100 Base T Ethernet RADIUS server: O/S: Microsoft Windows XP Professional SP2 RAM: 4 GB RADIUS: Funk Software Steel-Belted Radius server, Version 5.3.0 PC: O/S: Microsoft Windows XP Professional SP2 Web Browser: Microsoft Internet Explorer 6 RAM: 1GB Evaluators’ Laptop: O/S: Windows XP Professional SP1 RAM: 512 MB CPU: 590 MHz CRP238 – JUNOScope IP Service Manager July 2007 Issue 1.0 Page 11 of 20 RADIUS Server Router Solaris Machine Serial Connection Hub Evaluators Laptop PC Figure 2 – Test Configuration CRP238 – JUNOScope IP Service Manager Page 12 of 20 Issue 1.0 July 2007 IV. PRODUCT SECURITY ARCHITECTURE Introduction 45. This Chapter gives an overview of the main product architectural features. Other details of the evaluation scope are given in Chapter III ‘Evaluated Configuration’. Product Description and Architecture 46. A description of the product is provided in Chapter 2 of the Security Target [d]. 47. The main protection mechanisms of the product can be summarised as follows: a. Identification and Authentication: The TOE requires users to provide unique identification and authentication data before any administrative access to the TOE is granted. Authentication can be handled either internally (user selected passwords), or through an external RADIUS authentication server in the environment. b. Domain Separation: The underlying Solaris operating system provides fundamental operating system protection mechanisms, such as virtual memory protection, to prevent unauthorised interference with the TOE’s processes and data. c. Access Control Policy: A security attribute based access control policy is applied to all administrative operations within the TOE. 48. The TOE can be managed using XML APIs (JUNOScript), either through HTTP (over SSL) via a web browser, or through a console connection via the Solaris operating system. The console interface only provides the option to install or reconfigure the TOE installation. 49. Auditable events (as defined in the Security Target [d]) are stored in the MySQL database. A reliable timestamp is obtained from the underlying operating system. 50. Figures 1 and 3 of this report detail the logical architecture topology of the TOE. Design Subsystems 51. The high-level design subsystems of the TOE are as follows, detailed in Figure 3: a. Presentation Layer: this handles the communication between the client web browser and the Application Server; b. Authorisation Layer: this authorises all management and operation requests; c. Application Server: this forwards all authorised operation requests to the relevant subsystem for processing; CRP238 – JUNOScope IP Service Manager July 2007 Issue 1.0 Page 13 of 20 d. Configuration Manager: this handles the management of current or archived configuration files held in CVS; e. Software Manager: this controls the downloading, importing and installation of JUNOS software images across all configured devices; f. Monitor and Settings: this manages the configuration of administrative and management settings; g. XNM: this handles communication between JUNOScope and all managed devices; h. CVS: this controls and handles access requests to the Config DB; i. Config DB: this provides a storage area for the device configuration files; j. RADIUS: this handles the RADIUS authentication requests received for the external RADIUS server; k. JDBC: this handles the read and write operation requests to the MySQL DB; l. MySQL DB: this stores information relating to devices, groups, authorisation, operations and users in a relational database; m. JUNOScope Installer: this consists of two scripts that are used for the initial installation of the TOE and for reconfiguring of TOE installation settings. CRP238 – JUNOScope IP Service Manager Page 14 of 20 Issue 1.0 July 2007 Figure 3 - TOE High-Level Design Subsystems CRP238 – JUNOScope IP Service Manager July 2007 Issue 1.0 Page 15 of 20 Hardware and Firmware Dependencies 52. The TOE is software only, it has no hardware components. 53. Three functions can be provided by the environment, namely: a. The environment should provide an external server (RADIUS), to support user authentication. b. The environment should provide reliable time stamps for use by the TOE. c. The environment shall enforce separation between the security domains under the scope of the TOE. A description of how this is provided by the environment is detailed in paragraph 47.b. Product Interfaces 54. The external interfaces (i.e. the TOE Security Functions Interface (TSFI)) are: a. Management interface to the TOE: All management traffic to the TOE is received at this interface. This interface is defined by the user commands available to an administrator. b. Device Management interface to the TOE: This interface is defined by the set of JUNOScript API XML commands sent from the TOE to a configured device. 55. There is also an external interface between the underlying operating system and the TOE. However, as that interface is not security enforcing and is not visible to the administrator, it is not detailed in Paragraph 54 above. CRP238 – JUNOScope IP Service Manager Page 16 of 20 Issue 1.0 July 2007 V. PRODUCT TESTING IT Product Testing 56. During their on-site testing, the evaluators consulted the JUNOScope Software User Guide [j] and the JUNOScope Software Release Notes [k], in order to install and generate a secure configuration, and to start-up the TOE. The evaluators performed these tasks on the TOE running on a Sun Solaris version 9/04 platform. 57. The environmental configuration used by the evaluators to test the TOE was equivalent to that used by the developers to test the TOE, as summarised in Figure 2 above. 58. The TOE was tested against the set of external interfaces that comprise the TSFI, as listed in Chapter IV ‘Product Interfaces’ above. 59. The developer performed tests against all aspects of the TSFI. Those tests also exercised: a. all related security functions specified in the Security Target [d]; b. all high-level design subsystems identified in Chapter IV ‘Design Subsystems’ above. 60. All developer tests were either automated or manual, and were driven through a set of scripts. Other than this, no specialist tools or techniques were used. 61. The evaluators performed the following independent testing: a. A sample of the developer’s tests was repeated to validate the developer’s testing. The sample included 25% of the developer’s automated tests and 33% of the developer’s manual tests. b. For each functional area, a test was devised that was different from the tests performed by the developer, wherever possible. 62. The evaluators also devised and performed penetration tests to confirm the non- exploitability of potential vulnerabilities that had been noted during the evaluation, and to confirm the developer’s vulnerability analysis and strength of function claim. 63. The evaluators used the following tools in order to perform their functional and penetration tests: • Tcpreplay, version 1.4.5; • Ethereal, version 0.9.13; • OpenSSL, version 0.9.7c. 64. The evaluators’ on-site functional and penetration tests were performed at Juniper Networks, Sunnyvale, California, from the 21st May to 24th May 2007. CRP238 – JUNOScope IP Service Manager July 2007 Issue 1.0 Page 17 of 20 Vulnerability Analysis 65. The Evaluators’ vulnerability analysis, which preceded penetration testing, was based on public domain sources and the visibility of the TOE given by the evaluation deliverables. The evaluators did not identify any vulnerabilities, relating to the TOE, in the public domain sources. 66. The evaluators devised functional and penetration tests to test potential vulnerabilities not fully addressed by the developer testing. The evaluators were satisfied that the TOE is resistant to all identified potential vulnerabilities. Platform Issues 67. Chapter III ‘TOE Configuration’ above lists the hardware platforms that are within the scope of the evaluation. 68. Developer tests were performed on all hardware platforms. The evaluators repeated developer tests on the Sun Solaris version 10 and 9/04 platforms. The evaluators performed all of their functional and penetration testing on a Sun Solaris version 9/04 platform. 69. The range of testing performed both by the developer and by the evaluators produced exactly the same results, across the two platforms, and the evaluators did not identify any parts of the TSF that behaved differently on different hardware platforms. CRP238 – JUNOScope IP Service Manager Page 18 of 20 Issue 1.0 July 2007 VI. REFERENCES [a] Description of the Scheme, UK IT Security Evaluation and Certification Scheme, UKSP 01, Issue 6.1, March 2006. [b] CLEF Requirements - Startup and Operation, UK IT Security Evaluation and Certification Scheme, UKSP 02: Part I, Issue 4, April 2003. [c] CLEF Requirements - Conduct of an Evaluation, UK IT Security Evaluation and Certification Scheme, UKSP 02: Part II, Issue 2.1, March 2006. [d] Security Target for Juniper Networks JUNOScope IP Service Manager 8.2R2, Juniper Networks, Inc., Version 1.1, July 2007. [e] Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and General Model, Common Criteria Maintenance Board, CCMB-2005-08-001, Version 2.3, August 2005. [f] Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Requirements, Common Criteria Maintenance Board, CCMB-2005-08-002, Version 2.3, August 2005. [g] Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Requirements, Common Criteria Maintenance Board, CCMB-2005-08-003, Version 2.3, August 2005. [h] Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Common Criteria Maintenance Board, CCMB-2005-08-004, Version 2.3, August 2005. [i] Evaluation Technical Report for Juniper Networks JUNOScope IP Service Manager 8.2R2, BT CLEF, LFS/T523/ETR, Version 1.0, June 2007. CRP238 – JUNOScope IP Service Manager July 2007 Issue 1.0 Page 19 of 20 [j] JUNOS Internet Software JUNOScope Software User Guide, Release 8.2, Juniper Networks, Inc., 12 January 2007. [k] JUNOScope 8.2 Software Release Notes (Common Criteria Certified), Juniper Networks, Inc., 25 May 2007. [l] JUNOS Internet Software JUNOScript API Guide, JUNOS Release 8.2, Juniper Networks, Inc., January 2007. CRP238 – JUNOScope IP Service Manager Page 20 of 20 Issue 1.0 July 2007 VII. ABBREVIATIONS This list does not include well known IT terms such as LAN, GUI, HTML, ... and standard Common Criteria abbreviations such as TOE, TSF, ... (see Common Criteria Part 1 [e]): CVS Concurrent Versions System DB Database JDBC Java Database Connectivity XNM XML-based Network Management