DCSSI Direction Centrale de la Sécurité des Systèmes d’Information

Protection Profile - Personal Firewall (PP-PFP)
Publication date: 14 May 2008
Reference: PP-PFP
Version: 1.7

Courtesy Translation
Courtesy translation of the protection profile registered and certified by the French Certification Body under the reference DCSSI-PP-2008/01.

Protection Profile - Personal Firewall PP-PFP

Table of contents
1 INTRODUCTION ... 5
1.1 PROTECTION PROFILE REFERENCE ... 5
1.2 CONTEXT ... 5
1.3 GENERAL OVERVIEW OF THE TARGET OF EVALUATION (TOE) ... 5
1.3.1 TOE type ... 5
1.3.2 Usage and major security features of the TOE ... 5
1.3.3 Specific conditions and security specificities of the TOE ... 6
1.3.4 Hardware and software environment ... 7
2 CONFORMANCE CLAIMS ... 8
2.1 CONFORMANCE OF THIS PROTECTION PROFILE ... 8
2.1.1 Conformance with the Common Criteria ... 8
2.1.2 Conformance with an assurance package ... 8
2.1.3 Conformance with a protection profile ... 8
2.2 CONFORMANCE OF SECURITY TARGETS AND PROTECTION PROFILES ... 8
3 SECURITY PROBLEM DEFINITION ... 9
3.1 ASSETS ... 9
3.1.1 Assets in the operational environment ... 9
3.2 USERS ... 12
3.3 THREATS ... 13
3.3.1 Threats relative to the TOE in operation ... 14
3.4 ORGANISATIONAL SECURITY POLICIES (OSP) ... 17
3.4.1 Policies relative to the services provided ... 17
3.4.2 Policies taken from applicable regulations ... 18
3.5 ASSUMPTIONS ... 18
3.5.1 Assumptions concerning personnel ... 18
3.5.2 IT environment assumptions ... 18
3.5.3 Non-IT environment assumptions ... 19
4 SECURITY OBJECTIVES ... 20
4.1 SECURITY OBJECTIVES FOR THE TOE ... 20
4.1.1 Functional objectives ... 20
4.1.2 Administration and monitoring ... 21
4.1.3 Identification, authentication, access control ... 21
4.1.4 TOE data security ... 21
4.1.5 Security of administration or monitoring data transmission ... 22
4.1.6 Audit and logging ... 22
4.1.7 TOE reliability and availability ... 23
4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT ... 23
4.2.1 Objectives concerning the personnel ... 23
4.2.2 Objectives relative to the IT environment ... 23
4.2.3 Objectives relative to the non-IT environment ... 24
4.3 RATIONALE ... 24
4.3.1 Coverage of threats in the operational environment ... 24
4.3.2 Coverage of organisational security policies ... 30
4.3.3 Coverage of assumptions ... 31
4.3.4 Coverage matrix ... 32
5 EXTENDED COMPONENTS DEFINITION ... 34
6 IT SECURITY REQUIREMENTS ... 35
6.1 INTRODUCTION ... 35
6.1.1 Subjects ... 35
6.1.2 Objects ... 36
Page 2 of 92
6.1.3 Information ... 36
6.1.4 Operations ... 36
6.1.5 Security attributes ... 36
6.1.6 External entities ... 37
6.1.7 Access control rules ... 38
6.2 TOE SECURITY FUNCTIONAL REQUIREMENTS ... 39
6.2.1 Services carried out by the TOE (application and network filtering) ... 40
6.2.2 User identification, authentication & TOE access ... 49
6.2.3 TOE data security ... 56
6.2.4 TOE administration ... 58
6.2.5 Security of administration or monitoring data transmission ... 60
6.2.6 Audit and logging ... 64
6.2.7 TOE reliability and availability ... 70
6.3 SECURITY ASSURANCE REQUIREMENTS FOR THE TOE ... 71
6.4 RATIONALE ... 72
6.4.1 Security requirements / Security objectives ... 72
6.4.2 Dependencies ... 79
6.4.3 Conformity with a PP ... 81
6.4.4 Extended components ... 81
APPENDIX A ADDITIONAL DESCRIPTIONS OF THE TOE AND ITS ENVIRONMENT ... 82
A.1 ARCHITECTURE OF THE TOE ... 82
A.2 PHYSICAL SCOPE OF THE TOE ... 83
A.3 LOGICAL SCOPE OF THE TOE ... 83
A.4 FUNCTIONAL ROLES ... 83
A.4.1 Roles recognised by the TOE ... 83
A.4.2 Other roles ... 83
A.5 FUNCTIONALITIES OF THE TOE ... 84
A.5.1 Services provided by the TOE ... 84
A.5.2 Services required for the TOE to function correctly ... 86
A.5.3 Services for securing the TOE ... 87
A.6 TOE OPERATING ENVIRONMENT ... 88
A.7 TOE EVALUATION PLATFORM ... 88
A.8 POSSIBLE ADDITIONAL FUNCTIONALITIES OF THE PERSONAL FIREWALL (PFP) ... 89
APPENDIX B DEFINITIONS AND ACRONYMS ... 90
B.1 ACRONYMS ... 90
B.2 CONVENTIONS USED ... 90
B.3 DEFINITIONS ... 90
APPENDIX C REFERENCES ... 92
C.1 NORMATIVE REFERENCES ... 92
C.2 LAWS AND POLICIES ... 92
C.3 OTHER DOCUMENTS ... 92

List of tables
Table 1: Sensitivity of the various assets ... 12
Table 2: Security objectives / Security problem definition ... 33
Table 3: User security properties ... 37
Table 4: User - subject links ... 38
Table 5: Access control rules ... 39
Table 6: List of audited events by component ... 67
Table 7: Requirements for the standard level qualification of a ST ... 72
Table 8: Security functional requirements / security objectives for the TOE ... 74
Table 9: Functional component dependencies ... 81

List of figures
Figure 1: Overview of the TOE ... 6
Figure 2: Modelling of the TOE and its environment ... 35
Figure 3: Architectural diagram of the TOE ... 82
Figure 4: Filtering levels ... 85
1 Introduction

1.1 Protection profile reference
Title: Protection Profile – Personal Firewall
Reference: PP-PFP, Version 1.7, 14 May 2008
Author: Fidens

1.2 Context
This PP has been drawn up under the aegis of the Direction Centrale de la Sécurité des Systèmes d’Information (DCSSI). Its aim is to provide a framework for the certification of personal firewalls that meets the requirements of the public and private sectors, with a view to their qualification.

1.3 General overview of the Target of Evaluation (TOE)
Note: a detailed description of the TOE can be found in Appendix A.

1.3.1 TOE type
This protection profile presents the security objectives and the functional and assurance requirements for a personal firewall (the TOE). The personal firewall is a software component installed on a workstation for the purpose of filtering that workstation’s incoming and outgoing network data flows.

1.3.2 Usage and major security features of the TOE
The main purpose of the personal firewall is to analyse and filter the data flows entering and leaving a workstation in order to protect it from:
- the transmission of the workstation’s local data to the exterior without the basic user’s knowledge (via Trojan horses, spyware, etc.)
- the transmission of the workstation’s local data to the exterior via services not authorised by the organisation’s security policy
- attacks emanating from the network: illegal remote use of local resources, remote corruption or destruction of local data, and saturation of the workstation’s local resources (denial of service attacks)

An administration component of the PFP serves to define the filtering policy and the access rights relating to this policy. Administrative tasks may be carried out by an administrator, by a basic user or by both, either locally at the workstation or remotely from an administration centre.

A logging and monitoring component logs the operations relating to the operation and administration of the personal firewall and issues alarms when the security policy is violated. It also makes it possible to log the network flows processed by the personal firewall. Monitoring can take place locally, at the workstation, or remotely from a monitoring centre.

[Figure 1: overview of the TOE. The figure shows three blocks, Filtering (applicative, network, context sensitive), Administration and Monitoring. The basic user, administrator and supervisor perform local administration and local monitoring operations at the workstation; administrators and supervisors also perform centralized administration and centralized monitoring operations over the LAN or WAN. The labelled flows between the blocks are: filtering policy application; alarms and logging of administration operations; alarms and flow logging.]

1.3.3 Specific conditions and security specificities of the TOE
This communication filtering component can, as a minimum, perform application filtering and network filtering. Application filtering is associated with a function that controls the integrity of the applications that have access to the network. Network filtering takes into account the notion of contextual or behavioural filtering [1].

This personal firewall is intended to be installed and used on a fixed or portable workstation. A portable workstation may be used inside or outside company premises, and the security policy implemented takes this network environment into account.

The workstation can be multi-user. The personal firewall makes it possible to adapt the security policy according to the basic user of the workstation. The basic user can be an administrator or a privileged user of the workstation [2]. In some organisations, the personal firewall shall be able to operate in a manner that is transparent to the basic user.
[1] Contextual or behavioural filtering is understood to mean the ability of the TOE to filter a packet according to packets already received or sent.
[2] This protection profile distinguishes between “basic user”, a term describing a person whose main role is to use the workstation, and “user”, a term describing a person whose role can be that of a basic user, an administrator or a supervisor, with or without privileges (i.e. a “root” account under Unix or its equivalent under Windows).

1.3.4 Hardware and software environment
In order to operate, the TOE depends heavily on the operating system of the workstation to be protected. This operating system must make it possible to identify the users of the workstation and must contribute to protecting the TOE and its data from these users. The workstation must have at least one network interface and the associated software.

2 Conformance claims

2.1 Conformance of this protection profile

2.1.1 Conformance with the Common Criteria
This protection profile complies with:
- Part 2 of the Common Criteria, Version 3.1, Release 2, dated September 2007 (see [CC2])
- Part 3 of the Common Criteria, Version 3.1, Release 2, dated September 2007 (see [CC3])
No extended components and no interpretations have been used.

2.1.2 Conformance with an assurance package
The assurance level targeted by this protection profile is EAL3, augmented by the following components:
• ALC_FLR.3
• AVA_VAN.3
This assurance level complies with the DCSSI reference document “Processus de qualification d’un produit de sécurité – Niveau standard” (see [QUALIF_STD]).

2.1.3 Conformance with a protection profile
This protection profile does not depend on any other protection profile.

2.2 Conformance of security targets and protection profiles
This PP requires “demonstrable” conformance from any PP or ST claiming conformance to it.
The “demonstrable” conformance level allows:
- conformance with several protection profiles to be claimed
- the specification of a higher assurance package
- the specification of alternative security functional requirements
- a security objective for the operational environment to be converted into a security objective for the TOE
- PP operations to be modified, provided that the result is more restrictive

Application notes specify which assumptions may be partially or completely converted into an OSP by STs and PPs conforming to this PP. These application notes are given with the assumptions concerned.

3 Security problem definition

3.1 Assets
The TOE provides services intended to protect the workstation against the unwanted transmission of local data (attacks by Trojan horses, keyloggers, backdoor viruses, etc.), against the remote use of local resources (CPU time of the machine, ping attacks, etc.) and against the remote destruction or corruption of local data (Trojan horse type attacks, spoofing of applications by viruses, direct remote access to static resources such as the file systems of the workstation).

The TOE protects these assets via:
- the analysis and filtering of all incoming and outgoing communications and connections (on local and remote networks) at the workstation
- the control of the integrity of the “communicating” applications on the workstation on which it is installed

3.1.1 Assets in the operational environment

3.1.1.1 Sensitive assets protected by the TOE
The assets protected by the TOE are:
D_data: data stored on the workstation
D_appli: applications installed on, or usable from, the workstation
D_services: workstation services and logical resources

D_data
This asset corresponds to the data stored on the workstation in files or databases. Such data may be user data, configuration data or application parameters. This data may be accessed from the exterior and corrupted or made unavailable. It may be exported illegally by a Trojan horse.
Sensitivity: confidentiality, integrity, availability

D_appli
This asset corresponds to the applications, programs and program libraries installed on the workstation and used by basic users. These applications may be made unavailable, corrupted (insertion of Trojan horses) or made to contain spy programs (spyware).
Sensitivity: integrity, availability

D_services
Workstation services and logical resources can be protected by the TOE. This is notably the case for workstation resources that could become saturated by repeated external access (denial of service attacks).
Sensitivity: availability

3.1.1.2 Sensitive assets of the TOE
The sensitive assets of the TOE are:
D_software: the TOE itself, as a software program
D_flow_filter: filtering rules for incoming and outgoing communication flows
D_appli_filter: filtering rules for applications wanting to gain network access
D_config: TOE configuration parameters
D_AC_param: control parameters for local or remote access to the TOE
D_flow_audit: logged data relative to the communication activity of the workstation (network flows)
D_admin_audit: logged data relative to the administration, monitoring and operation of the TOE: start-up, shutdown, modification of rules, alert levels or configuration parameters, etc.
D_alarm: alerts generated upon the detection of attempted attacks

D_software
This sensitive asset corresponds to all TOE programs. These programs are stored on the workstation and executed there.
Sensitivity: integrity, availability

D_flow_filter
A flow filtering rule defines how the workstation’s incoming and outgoing flows are to be processed in order to determine whether or not they are authorised. These flows are the flows carried by the TCP/IP protocol stack [3]. These rules are stored on the workstation and can be modified by administrators and possibly by basic users.
Sensitivity: confidentiality, integrity
[3] STs conforming to this PP must specify the proprietary or non-IP protocols covered.

D_appli_filter
An application filtering rule determines how to process the external connection requests made by workstation applications. Its purpose is to prevent Trojan horse type programs from communicating outside the workstation. It includes control of the integrity of applications, so that a malicious program cannot spoof an authorised program, and control of the communications requested by the application. These rules are stored on the workstation and can be modified by administrators and possibly by basic users.
Sensitivity: confidentiality, integrity

D_config
Among others, the configuration parameters of the TOE include:
- the general configuration of the TOE
- parameters relating to logging and monitoring: the level of logs produced by the TOE, the frequency at which information is transmitted, the level of alerts to be sent, and the frequency and address of the server for updates
- parameters relating to the administration policy
These parameters are stored locally and can be modified locally (through the MMI of the TOE) or remotely (via the remote administration interface).
Sensitivity: integrity

D_AC_param
The control parameters for local and remote access to the TOE comprise the data used to control access to the TOE. This data may notably include:
- user [4] authentication data (basic users, administrators and supervisors) for local access to the TOE interface
- centralised monitoring and administration authentication data
- centralised monitoring and administration connection data (server address, protocol used to secure data exchange)
- the level of TOE visibility (no or only partial local access to the TOE interface)
These parameters are stored locally and can be modified locally (through the MMI of the TOE) or remotely (via the remote administration interface).
Sensitivity: confidentiality, integrity
[4] Defined in section 3.2 of this PP.

D_flow_audit
The TOE supplies monitoring data (connection data, connected addresses, connection information concerning the various flows), which may only be used partially, since transmitting all of it can generate considerable traffic. This data is stored and used locally or transmitted to a monitoring entity.
Sensitivity: confidentiality, integrity

D_admin_audit
The TOE logs its own operational events (start-up, shutdown) and administration events (modification of rules or parameters). This data is stored and used locally or transmitted to a monitoring entity.
Sensitivity: confidentiality, integrity

D_alarm
The TOE generates alerts that are systematically logged locally; their transmission to the monitoring centre can be configured according to severity. A mechanism guarantees the deferred transmission of these alerts so that they can be used coherently; this also covers portable workstations that connect to the administration centre only occasionally.
Sensitivity: integrity, availability
Application note: publishers of personal firewalls who wish to protect the confidentiality of alerts must specify this in the STs conforming to this PP.
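The two filtering levels introduced in section 1.3.3 (application filtering backed by an integrity control of the requesting program, and network filtering with context) and the rule assets D_flow_filter and D_appli_filter described above can be illustrated by the following toy decision engine. It is an added example and is not code from this PP or from any certified product; the rule format, the packet fields, the sample program images, the addresses and the "SYN means new connection" convention are assumptions chosen for the demonstration.

```python
"""Toy decision engine for a personal firewall: application filtering backed
by an integrity check of the requesting program, plus contextual (stateful)
network filtering of inbound packets.  Added example, not code from the PP
or from any certified product.  Rule formats, packet fields, sample program
images and addresses are assumptions chosen for the demonstration."""
import hashlib
from dataclasses import dataclass


@dataclass(frozen=True)
class AppRule:
    """One D_appli_filter entry (assumed format)."""
    exe: str                  # path of the program the rule applies to
    sha256: str               # expected digest of the program image
    allowed_ports: frozenset  # remote ports the program may contact


@dataclass
class Packet:
    """Minimal view of an IP packet (assumed fields)."""
    direction: str     # "in" or "out", relative to the workstation
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN without ACK, i.e. a new connection attempt


class PersonalFirewall:
    def __init__(self, app_rules, inbound_allow=frozenset()):
        self.app_rules = {r.exe: r for r in app_rules}  # D_appli_filter
        self.inbound_allow = inbound_allow  # D_flow_filter: (proto, local port) pairs
        self.state = set()   # established flows: (proto, local ip, lport, remote ip, rport)
        self.log = []        # D_flow_audit
        self.alarms = []     # D_alarm

    def _deny(self, reason):
        self.log.append("deny " + reason)
        return False

    def check_application(self, exe, image, dport):
        """Application filtering: the program must have a rule, its image must
        match the recorded digest (so a malicious program cannot spoof an
        authorised one), and the requested port must be permitted."""
        rule = self.app_rules.get(exe)
        if rule is None:
            return self._deny(f"app {exe}: no rule")
        if hashlib.sha256(image).hexdigest() != rule.sha256:
            self.alarms.append(f"integrity failure: {exe}")
            return self._deny(f"app {exe}: digest mismatch")
        if dport not in rule.allowed_ports:
            return self._deny(f"app {exe}: port {dport} not allowed")
        return True

    def process(self, pkt, exe=None, image=b""):
        """Contextual network filtering: outbound traffic passes the application
        check and creates flow state; inbound traffic is accepted only if it
        belongs to a flow the workstation initiated or matches an explicit
        inbound rule.  Anything else is dropped and raises an alarm."""
        if pkt.direction == "out":
            if not self.check_application(exe, image, pkt.dport):
                return False
            self.state.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            self.log.append(f"allow out {pkt.proto} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
            return True
        flow = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)  # local side first
        if flow in self.state and not pkt.syn:  # reply to a flow we opened
            self.log.append(f"allow in (established) {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
            return True
        if (pkt.proto, pkt.dport) in self.inbound_allow:
            self.log.append(f"allow in (rule) {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
            return True
        self.alarms.append(f"unsolicited inbound {pkt.proto} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}")
        return self._deny("unsolicited inbound")


# Constructed sample data: a "program image" and a tampered copy of it.
BROWSER_IMAGE = b"browser-v1"
TROJAN_IMAGE = b"browser-v1-with-backdoor"
RULES = [AppRule("/usr/bin/browser", hashlib.sha256(BROWSER_IMAGE).hexdigest(),
                 frozenset({80, 443}))]


def demo():
    """Run a few constructed packets through the engine and return the decisions."""
    fw = PersonalFirewall(RULES, inbound_allow=frozenset({("tcp", 22)}))
    local, web, scanner = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    r = {}
    r["out_ok"] = fw.process(Packet("out", "tcp", local, 40000, web, 443, syn=True),
                             "/usr/bin/browser", BROWSER_IMAGE)
    r["in_reply"] = fw.process(Packet("in", "tcp", web, 443, local, 40000))
    r["in_unsolicited"] = fw.process(Packet("in", "tcp", scanner, 5555, local, 445, syn=True))
    r["in_rule"] = fw.process(Packet("in", "tcp", scanner, 5555, local, 22, syn=True))
    r["trojan"] = fw.process(Packet("out", "tcp", local, 40001, web, 443, syn=True),
                             "/usr/bin/browser", TROJAN_IMAGE)
    r["bad_port"] = fw.process(Packet("out", "tcp", local, 40002, web, 25, syn=True),
                               "/usr/bin/browser", BROWSER_IMAGE)
    r["alarms"] = len(fw.alarms)
    return r


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name}: {decision}")
```

The integrity check is what separates application filtering from a plain per-process rule: a backdoored copy of the browser binary is refused even though its path and the requested port match an authorised rule, and the refusal is raised as an alarm (D_alarm) rather than only logged. The contextual check is what lets a reply from the web server in while an unsolicited SYN to port 445 is dropped. A real product also has to expire flow state, distinguish TCP from UDP "connections", and perform the digest check against the executable actually mapped by the OS at connection time; those details are omitted here.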
3.1.1.3 Summary table
The following table summarises the security needs of the identified sensitive assets:

Asset           Confidentiality  Integrity  Availability
D_data          X                X          X
D_appli                          X          X
D_services                                  X
D_software                       X          X
D_flow_filter   X                X
D_appli_filter  X                X
D_config                         X
D_AC_param      X                X
D_flow_audit    X                X
D_admin_audit   X                X
D_alarm                          X          X
Table 1: Sensitivity of the various assets

3.2 Users
The following individuals and software programs have access to the TOE:
U_local_program: workstation programs interacting with the TOE
U_remote_program: programs located on remote systems interacting with the TOE across the network
U_administrator: administrators in charge of the TOE
U_supervisor: supervisors in charge of the TOE
U_basic_user: basic users of the workstation

U_local_program
Programs installed on the workstation hosting the TOE that communicate with the exterior via the TOE.

U_remote_program
Programs located on remote systems that interact over the network either with the TOE, for monitoring or administration needs, or with the local workstation via the TOE, for application needs.

U_administrator
The administrator in charge of the TOE is responsible for defining and administering the TOE filtering rules in accordance with the policy defined by the security officer [5]. Tasks can be performed via local or remote access. These users are referred to as “administrators” in the remainder of this PP.

U_supervisor
The supervisor in charge of the TOE checks and audits the application of the filtering policy defined for workstations, by means of the alerts and logs produced by the TOE. The supervisor manages the alerts sent by the TOE and monitors and analyses the security events it logs. Tasks can be performed via local or remote access. These users are referred to as “supervisors” in the remainder of this PP.

U_basic_user
The basic user uses the workstation on which the TOE is installed, in a single-user or multi-user context. According to the policy defined and authorised by the security officer, the basic user may:
- either be responsible for TOE administration, alone or together with an administrator, or have no administrative responsibilities whatsoever
- either be responsible for TOE monitoring, alone or together with a supervisor, or have no monitoring responsibilities whatsoever
The basic user may be an administrator or a privileged user (i.e. with a “root” account under Unix or an equivalent account under Windows) of the workstation.
[5] The notion of security officer is defined in section A.4 of this PP.

3.3 Threats

Typology and origin of threats
Threats may arise from:
1. A malfunction of the TOE or of its environment (workstation, network, etc.).
2. A non-privileged basic user of the workstation hosting the TOE preventing the correct operation of the TOE, either with malicious intent (fraudulent use, abuse of granted rights) or by mistake (negligence, oversight, ignorance).
3. A privileged user or administrator of the workstation hosting the TOE preventing the correct operation of the TOE by mistake (negligence, oversight).
4. An administrator or supervisor preventing the correct operation of the TOE by mistake (negligence, oversight).
5. Individuals with access to the network to which the workstation is connected acting maliciously, abusing granted rights or making mistakes. In particular, these individuals might:
o try to gain access to the workstation or disrupt its operation
o intercept or tamper with (modify, delete, disrupt, reroute) communications (administration, monitoring or alarm data) between this workstation and other equipment

Attack potential
The individuals performing attacks have a basic attack potential. They correspond to malicious persons possessing the computing skills of a well-informed user.
Threats not included

In this PP, the following are not considered as being threats to the TOE in operation:
1. Physical disaster, natural events, the loss of basic services and disturbance caused as a result of radiation.
2. Threats occurring as a result of the intentional acts of administrators or supervisors. These are not considered hostile.
3. Threats occurring as a result of the intentional acts of workstation administrators or privileged users. These are not considered hostile.

3.3.1 Threats relative to the TOE in operation

Note: the figures in brackets correspond to the numbering system used by the [EBIOS] method.

T_eavesdropping (19)
An attacker uses the network to which the workstation hosting the TOE is connected to find out what data is being exchanged between the TOE and an administration or monitoring centre.
Assets concerned: D_flow_filter, D_appli_filter, D_AC_param, D_flow_audit, D_alarm.
This threat is considered high risk. The threat is retained.

T_disclosure (23)
An attacker gains access to confidential sensitive TOE assets and uses them to violate the security policy implemented by the TOE.
Assets concerned: D_AC_param, D_flow_filter, D_appli_filter, D_flow_audit.
This threat is considered high risk. The threat is retained.

T_spoofing (24)
An attacker transmits information to the TOE by assuming the identity of an administration or monitoring centre. An attacker transmits information to an administration or monitoring centre by assuming the identity of the TOE.
Assets concerned: D_data, D_appli, D_services, D_software, D_flow_filter, D_appli_filter, D_config, D_AC_param, D_flow_audit, D_admin_audit, D_alarm.
This threat is considered high risk. The threat is retained.

T_software_trapping (26)
A malicious individual with access to the workstation modifies the software to disable or modify one of its functions.
Assets concerned: D_software, D_services.
This threat is considered high risk, but a high attack potential is required for it to be feasible. The threat is nevertheless retained.

T_flooding (30)
Repeated, logged attacks resulting in log file saturation. These attacks may be deliberate or linked to the malfunctioning of a software program; they may occur locally or emanate from the network.
Assets concerned: D_flow_audit, D_admin_audit.
Repeated attacks resulting in the saturation of a TOE service. These attacks may be deliberate or linked to the malfunctioning of a software program; they may occur locally or emanate from the network.
Assets concerned: D_services.
This threat is considered high risk. The threat is retained.

T_malfunction (31)
A TOE malfunction prevents necessary security functions from being performed in relation to the workstation and its users (basic users, administrators and supervisors).
This malfunction can block the TOE and prevent access to workstation services.
Assets concerned: D_services.
This malfunction can also result in the TOE being unable to control access to administration and monitoring functions, or to control network and application flows. In this case, the confidentiality, integrity and availability of TOE sensitive assets and of the workstation may be violated.
Assets concerned: D_data, D_appli, D_services, D_software, D_flow_filter, D_appli_filter, D_config, D_AC_param, D_flow_audit, D_admin_audit, D_alarm.
This threat is considered high risk. The threat is retained.

T_data_alteration (36)
An attacker corrupts (modification, deletion or insertion) sensitive TOE assets on the workstation hosting the TOE, or assets protected by the TOE. An attacker corrupts (modification, deletion or insertion) administration or monitoring data during its transmission between the workstation hosting the TOE and a remote site.
This attacker may be a local user of the workstation, for example, or a person with remote access to data held in the workstation’s memory or exchanged between the workstation and a remote site.
Assets concerned: D_data, D_appli, D_services, D_software, D_flow_filter, D_appli_filter, D_config, D_AC_param, D_flow_audit, D_admin_audit, D_alarm.
This threat is considered high risk. The threat is retained.

T_illicit_processing (37)
An attacker retrieves data containing information of a personal nature and uses it in a malicious manner. This attacker may, for example, be a basic user of a multi-user workstation authorised to access logs. This may also occur during the reuse of a workstation on which the firewall is installed.
Assets concerned: D_flow_audit.
This threat is considered high risk. The threat is retained.

T_error (38)
A basic user or an administrator makes an administrative error (data modification) and causes a TOE malfunction or corrupts the filtering policy.
Assets concerned: D_flow_filter, D_appli_filter, D_config, D_AC_param, D_services.
This threat is considered high risk. The threat is retained.

T_abuse (39)
A user intentionally disables a TOE function, resulting in the violation of the security policy.
Assets concerned: D_config, D_AC_param.
This threat is considered high risk. The threat is retained.

T_filter_inhibition (39, 40)
A malicious program or user disables, possibly unobtrusively, the filtering functions of the TOE, thereby leaving the workstation unprotected and open to illegal connections.
Assets concerned: D_flow_filter, D_appli_filter.
This threat is considered high risk. The threat is retained.

T_usurpation (40)
An unauthorised person gains access to the TOE or to TOE functions to which he does not normally have access and uses them to modify the security policy.
Examples: a basic user gaining access to functions reserved for the administrator or supervisor, or a person gaining access to an administration interface of the TOE left unsupervised. An attacker may become aware of the TOE filtering rules and therefore be able to violate the security policy implemented by the TOE.
Attacker: a workstation user or a person with remote access to data held in the workstation’s memory.
Assets concerned: D_flow_filter, D_appli_filter, D_config, D_AC_param.
This threat is considered high risk. The threat is retained.

T_denial (41)
A user uses his administration rights to modify the TOE security policy or to prevent the correct operation of the TOE, and then denies having made these modifications.
Assets concerned: D_flow_filter, D_appli_filter.
This threat is considered high risk. The threat is retained.

3.4 Organisational security policies (OSP)

3.4.1 Policies relative to the services provided

OSP_filtering
The TOE shall implement a mechanism, based on filtering rules, to control network access. It shall make it possible to define several filtering levels. These filtering rules shall take into account the workstation network environment, and criteria relating to connections, users and applications. The TOE shall also provide for contextual filtering.

OSP_application_integrity
The TOE shall make it possible to control the integrity of applications seeking access to the network, and to detect and identify applications that have been modified.

OSP_roles
The TOE shall distinguish at the very least between administrator, supervisor and basic user roles. It shall make it possible to track actions performed by the holders of these roles.

OSP_admin
The TOE shall make it possible to administer its configuration and its filtering rules, locally or remotely. All filtering rules shall be visible. Access to the administration module and use of administration functions shall be monitored.
OSP_monitoring
The TOE shall provide local or remote monitoring of TOE operations. Access to the monitoring module and use of monitoring functions shall be controlled. Only the supervisor shall be authorised to consult and clear logs; no user shall have the right to modify logs.

OSP_admin_audit
The TOE shall log administrative actions that modify the configuration of the TOE. It shall make it possible to select, sort and view this data according to various criteria (date, user, etc.).

OSP_flow_audit
The TOE shall be able to log the flows it processes within the scope of the security policy. It shall make it possible to select, sort and view this data according to various criteria (time stamp, user, network address, application, protocol, flow acceptance or rejection, etc.).

OSP_sec_pol_violation_detection
The TOE shall make it possible, as far as this is possible, to detect attempts made to violate the security policy and to signal any such attempts by issuing an alarm.

OSP_trusted_configuration
It shall be possible to reinstall and reconfigure the TOE to ensure the availability of a trusted TOE on the workstation.

3.4.2 Policies taken from applicable regulations

OSP_crypto
The TOE’s cryptographic mechanisms shall conform to the requirements of the cryptographic specifications of the DCSSI for the standard level of robustness [CRYPT-STD].

3.5 Assumptions

3.5.1 Assumptions concerning personnel

A_admin_no_evil
The personnel responsible for the administration or monitoring of the TOE and of the workstation hosting the TOE shall be trustworthy. They shall receive the necessary training and elements to carry out their duties correctly.

A_no_priv_user
Basic users of the workstation hosting the TOE shall not have “system” privileges or their equivalent for this workstation, or they shall be trusted basic users.
3.5.2 IT environment assumptions

A_configuration_control
TOE administrators shall have the necessary resources to save, check (against a reference state) and restore a TOE configuration.
Application note: TOE contributions to this assumption, if they exist, must be highlighted in the STs and PPs in conformity with this PP, in the form of an OSP covering all or part of this assumption.

A_enough_resource
The workstation hosting the TOE shall provide it with the necessary resources for its operation. Resources concerned: disk space, CPU time, memory, bandwidth, network interface and associated software, MMI, time stamping.

A_TOE_protection
The workstation hosting the TOE shall ensure the adequate protection of TOE elements (programs, data files, logs) and of the elements required for its operation (time stamping, elements relative to applications, users and connections, etc.).

A_known_localization
The TOE environment shall place trusted elements at the disposal of the TOE to allow it to determine whether the workstation hosting the TOE is connected inside or outside the company premises.
Application note: TOE contributions to this assumption, if they exist, must be highlighted in the STs and PPs in conformity with this PP, in the form of an OSP. The TOE could for example determine that it is inside the company by mutual authentication with a company authentication server.

A_no_bypass
The workstation hosting the TOE shall not allow incoming or outgoing network connections to be made that short-circuit the TOE and the filtering policy implemented by the TOE.
Application note: TOE contributions to this assumption, if they exist, must be highlighted in the STs and PPs in conformity with this PP, in the form of an OSP covering all or part of this assumption.
A_known_user
The TOE environment shall ensure the identification and authentication of users (basic users, administrators, supervisors) who connect, either locally or remotely, to the workstation hosting the TOE, and shall be able to supply the TOE with trusted elements relating to these users (identity, role) and required for its operation.

3.5.3 Non-IT environment assumptions

A_physical_protection
The TOE environment shall ensure sufficient physical protection to limit the risk of TOE integrity coming under attack (equipment and data media).

4 Security objectives

4.1 Security objectives for the TOE

Note: the way these objectives are grouped is only intended to make them easier to read.

4.1.1 Functional objectives

OT_filtering_level
The TOE shall make it possible to define at least the following filtering levels:
- Global filtering, performed as soon as the TOE is started, independently of any user connection; this filtering is controlled by the administrator.
- User filtering, specific to a basic user (or a group of basic users), performed as soon as that basic user is connected. This filtering is controlled by the administrator, who may delegate the control of all or part of this filtering to the basic user in question.
- Adaptive filtering, specific to a basic user (or a group of basic users), generated by a learning mechanism and controlled by the basic user in question. This filtering mechanism may or may not be activated by the administrator.
User filtering and adaptive filtering must not conflict with global filtering.

OT_filtering_criteria
The TOE shall make it possible to define filtering rules based on a logical combination of criteria.
Such criteria may include:
- the application: identification, link between the application and protocols;
- the communication flow: communication protocols (6), source or destination network addresses, direction (incoming or outgoing), source or destination ports, MAC address, etc.;
- the basic user: identity, role;
- the workstation’s network environment: the physical interface used, trusted zone (connection inside or outside the company);
- the connection context (notion of contextual filtering).

(6) This PP only takes into account the TCP/IP protocol stack (see glossary in appendix). Proprietary protocols other than IP shall be defined by the STs in conformity with this PP.

OT_application_integrity
The TOE shall make it possible to control the integrity of communicating applications and to detect, and signal to authorised users, all modifications made to these applications.

4.1.2 Administration and monitoring

OT_administration
The TOE shall make it possible to administer its configuration and its filtering rules, locally or remotely. All filtering rules applied by the TOE shall be visible. Access to the administration function shall be limited to the administrator (U_administrator).

OT_monitoring
The TOE shall provide for the local or remote monitoring of TOE operations and of the various security-related events. Access to the monitoring function shall be limited to the supervisor (U_supervisor).

4.1.3 Identification, authentication, access control

OT_roles
The TOE shall distinguish at the very least between basic user, administrator and supervisor roles.

OT_identification
The TOE shall have at its disposal a mechanism enabling it to uniquely identify all users of administration or monitoring functions.

OT_authentication
The TOE shall authenticate users of administration and monitoring functions before any use of these functions is made.
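The three filtering levels of OT_filtering_level and the criteria combination of OT_filtering_criteria can be made concrete as a small rule engine. The following Python is an added example, not code from the PP or from any evaluated product; the precedence model it uses is an assumption of the example (a matching global "deny" is final, user rules may only narrow a global "allow", adaptive rules learned from the user apply last and only when the administrator has enabled them, and an unmatched flow is denied), as are the sample rules and flows, which are constructed.

```python
# Added example (not code from the PP): a rule engine implementing the three
# filtering levels of OT_filtering_level and the criteria of OT_filtering_criteria.
# Precedence model (this example's assumption, one reading of "user and adaptive
# filtering must not conflict with global filtering"): a matching global "deny" is
# final, user rules narrow a global "allow", adaptive rules apply last and only if
# the administrator has enabled them, and anything unmatched is denied.
from dataclasses import dataclass
from typing import Callable, Dict, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    app: str          # application identity (e.g. executable name)
    protocol: str     # "tcp" or "udp"
    direction: str    # "in" or "out"
    dst: str          # destination network address
    dport: int        # destination port
    user: str         # connected basic user
    interface: str    # physical interface used
    zone: str         # "inside" or "outside" the company network


Criterion = Callable[[Flow], bool]


# Criterion builders; a Rule ANDs its criteria, any_of() expresses OR.
def app_is(name: str) -> Criterion: return lambda f: f.app == name
def proto(p: str) -> Criterion: return lambda f: f.protocol == p
def direction(d: str) -> Criterion: return lambda f: f.direction == d
def zone_is(z: str) -> Criterion: return lambda f: f.zone == z
def any_of(*cs: Criterion) -> Criterion: return lambda f: any(c(f) for c in cs)
def dport_in(ports: Iterable[int]) -> Criterion:
    allowed = set(ports)
    return lambda f: f.dport in allowed


@dataclass
class Rule:
    name: str
    action: str               # "allow" or "deny"
    criteria: List[Criterion]

    def matches(self, f: Flow) -> bool:
        return all(c(f) for c in self.criteria)


def first_match(rules: List[Rule], f: Flow) -> Optional[Rule]:
    return next((r for r in rules if r.matches(f)), None)


class PersonalFirewall:
    def __init__(self, global_rules: List[Rule], user_rules: Dict[str, List[Rule]],
                 adaptive_enabled: bool) -> None:
        self.global_rules = global_rules      # administrator-controlled, active from TOE start
        self.user_rules = user_rules          # per basic user, administrator-controlled
        self.adaptive_rules: Dict[str, List[Rule]] = {}   # learned from the user's decisions
        self.adaptive_enabled = adaptive_enabled          # administrator switch

    def learn(self, f: Flow, action: str) -> None:
        """Adaptive filtering: remember the user's decision for this app/protocol/port."""
        rule = Rule(f"learned-{f.app}-{f.dport}", action,
                    [app_is(f.app), proto(f.protocol), direction(f.direction), dport_in({f.dport})])
        self.adaptive_rules.setdefault(f.user, []).append(rule)

    def decide(self, f: Flow) -> Tuple[str, str]:
        """Return (action, deciding rule) for one flow."""
        g = first_match(self.global_rules, f)
        if g is not None and g.action == "deny":
            return "deny", f"global:{g.name}"          # a global deny cannot be overridden
        u = first_match(self.user_rules.get(f.user, []), f)
        if u is not None:
            return u.action, f"user:{u.name}"          # user filtering narrows the global allow
        if self.adaptive_enabled:
            a = first_match(self.adaptive_rules.get(f.user, []), f)
            if a is not None:
                return a.action, f"adaptive:{a.name}"
        if g is not None:
            return "allow", f"global:{g.name}"
        return "deny", "default"                        # nothing matched: default deny


def build_demo_firewall(adaptive_enabled: bool = True) -> PersonalFirewall:
    """Constructed sample policy, not taken from the PP."""
    global_rules = [
        Rule("block-inbound-from-outside", "deny", [direction("in"), zone_is("outside")]),
        Rule("web-out", "allow", [direction("out"), proto("tcp"), dport_in({80, 443})]),
        Rule("dns-out", "allow", [direction("out"), proto("udp"), dport_in({53})]),
    ]
    user_rules = {"alice": [Rule("no-games", "deny", [app_is("games.exe")])]}
    return PersonalFirewall(global_rules, user_rules, adaptive_enabled)


def demo() -> Dict[str, Tuple[str, str]]:
    """Run constructed flows through the three levels and return the decisions."""
    fw = build_demo_firewall()
    base = dict(app="browser.exe", protocol="tcp", direction="out", dst="203.0.113.10",
                dport=443, user="alice", interface="eth0", zone="outside")

    def flow(**changes) -> Flow:
        return Flow(**{**base, **changes})

    chat = flow(app="chat.exe", dport=5222)
    fw.learn(chat, "allow")                     # alice accepted chat.exe once
    results = {
        "web": fw.decide(flow()),                                   # allowed by a global rule
        "games": fw.decide(flow(app="games.exe")),                  # global allows, user rule denies
        "chat": fw.decide(chat),                                    # learned adaptive allow
        "inbound": fw.decide(flow(direction="in", app="chat.exe", dport=5222)),  # global deny wins
    }
    fw.adaptive_enabled = False                 # administrator disables adaptive filtering
    results["chat_adaptive_off"] = fw.decide(chat)
    return results
```

The "inbound" case is the one the last sentence of OT_filtering_level is about: even though the learned adaptive rule would accept chat.exe on port 5222, the global rule blocking inbound connections from outside the company decides first, so the user-level learning cannot open a path the administrator closed.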
OT_access_control
The TOE shall limit access to administration or monitoring functions to authorised users only. Access control shall cover: access (consultation, modification, deletion) to parameters, filtering rules and logs, and the shutdown or disabling of the TOE. It shall be configurable by the administrator, and based on the defined TOE roles.

4.1.4 TOE data security

OT_TOE_reuse
The TOE shall be able to block access to its parameters (configuration, access control) and filtering rules if necessary (maintenance, deinstallation of software, workstation reassignment, etc.).

OT_log_protection
The TOE shall have at its disposal a mechanism to protect the confidentiality and integrity of logs. This mechanism shall make it possible to detect the corruption or deletion of an audit record and then inform authorised users (supervisor). This mechanism shall also be able to detect that a critical log saturation threshold has been reached and then inform authorised users.

4.1.5 Security of administration or monitoring data transmission

OT_remote_admin_authentication
The TOE shall guarantee the mutual identification and authentication of remote sites with which it communicates within the context of remote administrative or monitoring operations.

OT_remote_admin_integrity
The TOE shall guarantee and control the integrity of data shared with remote sites within the context of remote administrative or monitoring operations.

OT_remote_admin_confidentiality
The TOE shall guarantee the confidentiality of data shared with remote sites within the context of remote administrative or monitoring operations.

OT_remote_admin_no_replay
The TOE shall ensure that data shared with remote sites within the context of remote administrative or monitoring operations is protected from replay.
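OT_log_protection asks for two detection capabilities: corruption or deletion of an audit record, and the reaching of a saturation threshold. The Python below is an added example of one way to provide both, not code from the PP or from any product: records are chained by keyed hashes (HMAC-SHA256) so that a verifier holding the key and the chain head can tell modified, deleted and truncated records apart, and appending returns an alarm once the configured fraction of capacity is used. The key, the capacity, the alarm ratio and the event contents are constructed for the demonstration.

```python
# Added example (not code from the PP) for OT_log_protection: an audit log whose
# records are chained by keyed hashes, so that modification, deletion and
# truncation are detectable, and which raises an alarm when a saturation
# threshold is reached. Key, capacity and event contents are constructed.
import copy
import hashlib
import hmac
import json
from typing import Dict, List, Optional

GENESIS = "0" * 64   # chain value before the first record


class ProtectedLog:
    def __init__(self, key: bytes, capacity: int, alarm_ratio: float = 0.8) -> None:
        self._key = key                 # integrity key; must not be readable by log readers
        self.capacity = capacity        # maximum number of records the store can hold
        self.alarm_ratio = alarm_ratio  # fraction of capacity at which to alert the supervisor
        self.records: List[Dict] = []
        self.head = GENESIS             # tag of the last record, kept apart from the store

    def _tag(self, seq: int, prev: str, event: Dict) -> str:
        body = json.dumps([seq, prev, event], sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def append(self, event: Dict) -> Optional[str]:
        """Append a record; return an alarm string when the log is saturating or full."""
        if len(self.records) >= self.capacity:
            return "ALARM: log full, record rejected"
        seq = len(self.records)
        tag = self._tag(seq, self.head, event)
        self.records.append({"seq": seq, "prev": self.head, "event": event, "tag": tag})
        self.head = tag
        if len(self.records) >= self.alarm_ratio * self.capacity:
            return f"ALARM: log at {len(self.records)}/{self.capacity} records"
        return None

    def verify(self, records: Optional[List[Dict]] = None) -> List[str]:
        """Check a copy of the log against the key and the head; return the problems found."""
        records = self.records if records is None else records
        problems: List[str] = []
        prev, expected = GENESIS, 0
        for rec in records:
            if rec["seq"] != expected:                       # a gap means deleted records
                problems.append(f"gap: record(s) {expected}..{rec['seq'] - 1} missing")
                expected = rec["seq"]
            if not hmac.compare_digest(rec["tag"], self._tag(rec["seq"], rec["prev"], rec["event"])):
                problems.append(f"record {rec['seq']} modified")
            elif rec["prev"] != prev:
                problems.append(f"chain broken before record {rec['seq']}")
            prev, expected = rec["tag"], expected + 1
        last = records[-1]["tag"] if records else GENESIS
        if last != self.head:                                # records removed from the end
            problems.append("tail truncated: head tag does not match last record")
        return problems


def demo() -> Dict[str, object]:
    """Fill a constructed log, then verify a clean copy and three tampered copies."""
    log = ProtectedLog(key=b"constructed-demo-key", capacity=10, alarm_ratio=0.8)
    alarms = [log.append({"action": "set_rule", "user": "admin", "rule": f"r{i}"})
              for i in range(8)]
    tampered = copy.deepcopy(log.records)
    tampered[3]["event"]["rule"] = "r99"          # silent edit of one record
    deleted = log.records[:2] + log.records[3:]   # record 2 removed
    truncated = log.records[:-1]                  # last record removed
    return {
        "alarms": alarms,
        "clean": log.verify(),
        "tampered": log.verify(tampered),
        "deleted": log.verify(deleted),
        "truncated": log.verify(truncated),
    }
```

Two design points follow from the objective's text. The supervisor may consult and clear logs but must not be able to modify them, so the MAC key belongs to the TOE and not to the log readers; and truncation of the most recent records is only detectable because the chain head is stored separately from the record store (in protected TOE state, or reported to a monitoring centre), which is where OE_TOE_protection has to hold.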
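The four OT_remote_admin_* objectives describe properties of the channel between the TOE and an administration or monitoring centre. The following Python is an added example, not code from the PP or from any product, that makes the per-message checks for authentication, integrity and non-replay visible: each message binds sender, receiver, a sequence number and the payload under a shared key, and the receiver rejects messages from an unexpected peer, with a bad MAC, or with a sequence number already seen. The endpoint names, the shared key and the administrative payloads are constructed; confidentiality (OT_remote_admin_confidentiality) would be provided by an encryption layer that this example does not include. A product would typically obtain all four properties from a mutually authenticated TLS connection.

```python
# Added example (not code from the PP) for OT_remote_admin_authentication,
# OT_remote_admin_integrity and OT_remote_admin_no_replay: message-level checks on
# an administration channel between a TOE and a centre. The shared key and the
# endpoint names are constructed; confidentiality is left to an encryption layer.
import hashlib
import hmac
import json
from typing import Dict, List, Tuple


class ChannelEndpoint:
    """One end (TOE or administration centre) of an authenticated, replay-protected channel."""

    def __init__(self, name: str, peer: str, key: bytes) -> None:
        self.name, self.peer, self._key = name, peer, key
        self._send_seq = 0      # strictly increasing per sender
        self._last_seen = -1    # highest sequence number accepted from the peer

    def _mac(self, msg: Dict) -> str:
        # Bind sender, receiver, sequence number and payload together.
        body = json.dumps([msg["from"], msg["to"], msg["seq"], msg["payload"]],
                          sort_keys=True, separators=(",", ":")).encode()
        return hmac.new(self._key, body, hashlib.sha256).hexdigest()

    def send(self, payload: Dict) -> Dict:
        msg = {"from": self.name, "to": self.peer, "seq": self._send_seq, "payload": payload}
        msg["mac"] = self._mac(msg)
        self._send_seq += 1
        return msg

    def receive(self, msg: Dict) -> Tuple[bool, str]:
        if msg.get("from") != self.peer or msg.get("to") != self.name:
            return False, "rejected: unexpected peer"      # wrong or reflected sender
        if not hmac.compare_digest(msg.get("mac", ""), self._mac(msg)):
            return False, "rejected: bad MAC"               # forged or modified in transit
        if msg["seq"] <= self._last_seen:
            return False, "rejected: replay"                # already seen (or older) message
        self._last_seen = msg["seq"]
        return True, "accepted"


def demo() -> List[Tuple[bool, str]]:
    """An order and its acknowledgement, then a replay, a forgery and a reflection."""
    key = b"constructed-demo-key"
    centre = ChannelEndpoint("admin-centre", "toe-ws01", key)
    toe = ChannelEndpoint("toe-ws01", "admin-centre", key)
    order = centre.send({"op": "set_rule", "rule": "deny in tcp 23"})
    results = [toe.receive(order)]                                   # accepted
    ack = toe.send({"op": "ack", "of_seq": order["seq"]})
    results.append(centre.receive(ack))                              # accepted
    results.append(toe.receive(order))                               # same order again: replay
    forged = dict(order, seq=order["seq"] + 5,
                  payload={"op": "set_rule", "rule": "allow in tcp 23"})
    results.append(toe.receive(forged))                              # MAC no longer matches
    results.append(toe.receive(ack))                                 # TOE's own ack reflected back
    return results
```

Including both endpoint names under the MAC is what makes the last case fail: a message the TOE itself produced cannot be turned around and presented to it as coming from the centre. The per-sender counter gives OT_remote_admin_no_replay only if the receiver persists `_last_seen` across restarts; otherwise an old, validly signed order could be accepted again after a reboot.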
4.1.6 Audit and logging

OT_flow_audit
The TOE shall be able to track and record elements relative to the flows it processes within the scope of the security policy. The administrator shall be able to configure the granularity of these logs. The TOE shall enable authorised users to view these logs according to various selection and sorting criteria (date, basic user, application, protocol, address, status, etc.).

OT_admin_audit
The TOE shall be able to track and record the use of the administration and monitoring functions, as well as events relating to its operation (TOE start-up and shutdown, login and logoff of administrators and supervisors, etc.). The administrator shall be able to configure the granularity of these logs. The TOE shall enable authorised users to view these logs according to various selection and sorting criteria (date, user, event, result, site, etc.). The TOE shall also enable authorised users to clear these logs.

OT_violation_detection
The TOE shall, as far as this is possible, detect attempts made to intrude on or violate the security policy, and the risk of saturation, and issue an alarm to authorised users when necessary. The administrator shall be able to configure this alert mechanism.

OT_violation_reaction
The TOE shall react alone, or allow authorised users to react, in order to rapidly block all network access in the event of an alarm and then return to the former nominal state. The administrator shall be able to configure this reaction mechanism. It shall be possible to log its use.

4.1.7 TOE reliability and availability

OT_TOE_integrity
The TOE shall be able to control the integrity of its configuration data and of its filtering, administration and logging functions and, if corruption is detected, indicate this by issuing an alarm.
Application note: the STs and PPs in conformity with this PP must state which elements (functions, data, etc.)
are to be controlled and the integrity control mechanisms used.

OT_operational_state
The TOE shall allow the holders of authorised roles to know its operational state.

OT_crypto
The TOE’s cryptographic mechanisms shall conform to the requirements of the cryptographic specifications of the DCSSI for the standard level of robustness [CRYPT-STD].

4.2 Security objectives for the operational environment

4.2.1 Objectives concerning the personnel

OE_admin_no_evil
The personnel responsible for the administration or monitoring of the TOE and of the workstation shall be trustworthy. They shall receive the necessary training and elements to carry out their duties correctly.

OE_non_priv_user
Basic users of the workstation hosting the TOE shall not have “system” privileges or their equivalent for this workstation, or they shall be trusted users.

4.2.2 Objectives relative to the IT environment

OE_configuration_control
TOE administrators shall have the necessary resources to save, check (against a reference state) and restore a TOE configuration.

OE_enough_resource
The workstation hosting the TOE shall provide it with the necessary resources for its operation: disk space, CPU time, memory, bandwidth, network interfaces, MMI, time stamping.
Application note: the STs and PPs in conformity with this PP, and the manuals of the products concerned, must provide recommendations regarding the amount of resources necessary for the TOE to function correctly, in particular regarding disk space, in order to reduce the risk of TOE audit log saturation.

OE_TOE_protection
The workstation hosting the TOE shall ensure the adequate protection of TOE elements (programs, data files, logs) and of the elements required for its operation (time, application and user identification, connection-related elements, etc.).

OE_trusted_known_context
The TOE environment shall supply the TOE with the elements required for its operation, and ensure such elements are sufficiently trustworthy: information relative to the connection, to users connected locally and to local programs requesting access to the network.
Application note: the STs and PPs in conformity with this PP can supplement this security objective for the IT environment with a TOE security objective. In particular, the TOE user manuals must clearly state these elements.

OE_known_localization
The TOE environment shall place trusted elements at the disposal of the TOE to allow it to determine whether the workstation hosting the TOE is connected inside or outside the company premises.
Application note: the STs and PPs in conformity with this PP can replace this security objective for the IT environment with a TOE security objective and revise the associated assumption. In particular, the TOE user manuals must clearly state the elements that will allow this context to be identified.

OE_no_bypass
The workstation hosting the TOE shall not allow incoming or outgoing network connections to be made that short-circuit the TOE and the filtering policy implemented by the TOE.
Application note: the STs and PPs in conformity with this PP can replace this security objective for the IT environment with a TOE security objective and revise the associated assumption.

OE_known_user
The TOE environment shall ensure the identification and authentication of users (basic users, administrators, supervisors) who connect, either locally or remotely, to the workstation hosting the TOE, and shall be able to supply the TOE with trusted elements relating to these users (identity, role) and required for its operation.

4.2.3 Objectives relative to the non-IT environment

OE_physical_protection
The TOE environment shall ensure sufficient physical protection to limit the risk of TOE integrity coming under attack (equipment and data media).

4.3 Rationale

4.3.1 Coverage of threats in the operational environment

T_eavesdropping (19)
Protection: OT_remote_admin_confidentiality protects the confidentiality of data exchanged between the TOE and an administration or monitoring centre.
Detection:
Response:

T_disclosure (23)
Protection: Regarding the network, OT_remote_admin_authentication ensures that all access to data takes place from an authorised remote site. Regarding the workstation, data (filters, logs, authentication data, etc.) is protected from all unauthorised access via the workstation (OE_TOE_protection) or the TOE (OT_log_protection). Regarding the TOE, OT_monitoring, OT_identification, OT_authentication and OT_access_control protect access to the monitoring functions that allow this data to be accessed.
Detection: OT_admin_audit makes it possible to log all access to this data through the TOE via administrative or monitoring functions, and to make use of these logs.
Response:

T_spoofing (24)
Protection: OT_remote_admin_authentication ensures that all network exchanges take place between the TOE and an authorised site. OT_authentication ensures the authentication of administrators and supervisors and limits the risk of spoofing. OT_remote_admin_integrity and OT_remote_admin_no_replay guarantee that data received by the TOE is not modified, counterfeit or replayed, and that data transmitted by the TOE is only sent to an authorised system or user.
Detection: OT_admin_audit enables the actions of administrators or supervisors to be logged and these logs to be used. This objective therefore makes it possible to detect attempts made to penetrate by brute force (access code attempts), and attempts made to send counterfeit or modified data.
Response: OT_administration enables the administrator to modify access codes or the TOE configuration to increase protection from this threat. OE_configuration_control makes it possible to restore a trusted TOE configuration if necessary.

T_software_trapping (26)
Protection: OE_known_user guarantees controlled access to the workstation, which limits the risk of threats. OE_TOE_protection guarantees the protection of TOE elements (files) stored on the workstation.
Detection: OT_TOE_integrity makes it possible to detect TOE corruption or the loss of TOE data coherency (filters, parameters, etc.), and to issue an alert (OT_violation_detection + OT_monitoring). When in operation, OT_TOE_integrity does not offer protection against the trapping of the integrity control function itself (no software self-check option). OT_operational_state reveals the operational state of the TOE. OT_admin_audit, OT_flow_audit and OT_violation_detection allow a possible TOE malfunction to be detected.
Response: OT_violation_reaction makes it possible, where necessary, to block network access when an alarm is detected on the workstation. OE_configuration_control makes it possible to restore a trusted TOE configuration.

T_flooding (30)
Attack on the workstation’s resources:
Protection: OT_filtering_level and OT_filtering_criteria make it possible to block multiple attempts to access a workstation resource.
Detection: OT_admin_audit, OT_flow_audit and OT_violation_detection make it possible to detect saturation of the workstation countered by the TOE.
Response: OT_violation_reaction makes it possible, where necessary, to block network access when an alarm is detected.
Attack on the TOE:
Protection: OE_enough_resource states which resources are required for the nominal correct operation of the TOE.
Detection: OT_violation_detection makes it possible to inform supervisors of the occurrence of saturations. OT_admin_audit, OT_flow_audit and OT_violation_detection also allow a possible attack on the TOE to be detected.
Response: OT_violation_reaction makes it possible, where necessary, to block network access when an alarm is detected on the workstation.

T_malfunction (31)
Protection:
Detection: OT_operational_state ensures the detection of TOE malfunctions (such as the disabling of filtering processes or the non-operation of security functions) and informs supervisors (OT_monitoring). OT_violation_detection makes it possible to detect violations of the security policy resulting from a malfunction.
Response: OT_violation_reaction makes it possible, where necessary, to block network access when an alarm is detected on the workstation. OE_configuration_control makes it possible to restore a trusted TOE configuration.

T_data_alteration (36)
Protection: Controlling access to the workstation (OE_known_user), to the TOE (OT_authentication) and to administration and monitoring functions (OT_access_control) limits the possibility of this threat occurring. OE_TOE_protection ensures that TOE elements are protected by the workstation.
Detection: OT_TOE_integrity makes it possible to detect the loss of coherence of TOE parameters or of defined filters. OT_admin_audit, OT_flow_audit and OT_violation_detection make it possible to log administrative actions and to detect corruption of parameters or filtering rules.
Response: OT_violation_reaction makes it possible, where necessary, to block network access when an alarm is detected on the workstation. OT_administration allows an administrator to correct a corrupted rule or parameter. OE_configuration_control makes it possible to restore a trusted TOE configuration.

T_illicit_processing (37)
Protection: Regarding the network, OT_remote_admin_confidentiality protects the confidentiality of flow audit trails exchanged between the TOE and a monitoring centre. OT_remote_admin_authentication ensures that logged elements are transmitted to an authorised remote site. Regarding the workstation, logs are protected from all access via the workstation (OE_TOE_protection) or the TOE (OT_log_protection). Regarding the TOE, OT_monitoring, OT_identification, OT_authentication and OT_access_control protect access to the monitoring functions that allow this data to be accessed. In the event of the reuse of a workstation, OT_TOE_reuse makes it possible to destroy all sensitive data.
Detection: OT_admin_audit makes it possible to log all access to this data through the TOE via the audit mechanism.
Response:

T_error (38)
Protection: OE_admin_no_evil limits the risk of this threat occurring as a result of use by authorised personnel (training and awareness of personnel).
Detection: OT_admin_audit, OT_flow_audit and OT_violation_detection make it possible to log administrative actions and to detect corruption of parameters or filtering rules.
Response: OT_violation_reaction makes it possible, where necessary, to block network access when an alarm is detected on the workstation. OT_administration allows an administrator to correct a corrupted rule or parameter. OE_configuration_control makes it possible to restore a trusted TOE configuration.

T_abuse (39)
Prevention / protection: OE_admin_no_evil limits the risk of this threat occurring as a result of use by authorised personnel (training and awareness of personnel). OT_access_control makes it possible to limit user access to only the elements (data, functions, etc.) required for their duties.
Detection: OT_admin_audit makes it possible to log administrative actions and to detect corruption of parameters or filtering rules. OT_violation_detection makes it possible to detect the consequences of abused rights resulting in an obvious TOE malfunction or a major violation of the security policy.
Response: OT_violation_reaction makes it possible, where necessary, to block network access when an alarm is detected on the workstation. OT_administration allows an administrator to correct a corrupted rule or parameter. OE_configuration_control makes it possible to restore a trusted TOE configuration.

T_filter_inhibition (39, 40)
Protection (spoofing): OT_identification and OT_authentication limit the risks of spoofing.
Protection (abuse): The administration and monitoring personnel shall be trustworthy (OE_admin_no_evil).
Detection: OT_admin_audit makes it possible to log administrative actions and to detect corruption of parameters or filtering rules. OT_violation_detection makes it possible to detect the consequences of a disabled function resulting in an obvious TOE malfunction or a major violation of the security policy.
Response: OT_violation_reaction makes it possible, where necessary, to block network access when an alarm is detected on the workstation. OT_administration allows an administrator to correct a corrupted rule or parameter. OE_configuration_control makes it possible to restore a trusted TOE configuration.

T_usurpation (40)
Protection: OT_identification and OT_authentication limit the risks of spoofing.
Detection: OT_admin_audit makes it possible to log administrative actions and to detect corruption of parameters or filtering rules. OT_violation_detection makes it possible to detect the consequences of spoofing resulting in an obvious TOE malfunction or a major violation of the security policy.
Response: OT_violation_reaction makes it possible, where necessary, to block network access when an alarm is detected on the workstation. OT_administration allows an administrator to correct a corrupted rule or parameter. OE_configuration_control makes it possible to restore a trusted TOE configuration.

T_denial (41)
Protection: OE_admin_no_evil limits the risk of this threat occurring as a result of actions performed by the personnel.
Detection: OT_admin_audit makes it possible to log administrative actions and to detect corruption of parameters or filtering rules. OT_violation_detection makes it possible to detect the consequences of an action resulting in a violation of the security policy.
Response: OT_violation_reaction makes it possible, where necessary, to block network access when an alarm is detected on the workstation. OT_administration allows an administrator to correct a corrupted rule or parameter. OE_configuration_control makes it possible to restore a trusted TOE configuration.

4.3.2 Coverage of organisational security policies

OSP_filtering
This organisational security policy is implemented by:
- OT_filtering_criteria, which defines the criteria used by filtering rules;
- OT_filtering_level, which defines the various types of filtering (global, user or specific).

OSP_application_integrity
This organisational security policy is implemented by OT_application_integrity, which is dedicated to the coverage of this policy.

OSP_roles
This organisational security policy is implemented by OT_roles, which is dedicated to the coverage of this policy. This is supplemented by OT_admin_audit for the control of users’ actions.

OSP_admin
This organisational security policy is implemented by OT_administration, which is dedicated to the coverage of this policy. This is supplemented by OT_admin_audit for the control of administrative actions.

OSP_monitoring
This organisational security policy is implemented by OT_monitoring, which is dedicated to the coverage of this policy. This is supplemented by OT_admin_audit for the control of monitoring actions.

OSP_admin_audit
This organisational security policy is implemented by OT_admin_audit, which covers the audit of the administrative or monitoring actions performed.

OSP_flow_audit
This organisational security policy is implemented by OT_flow_audit, which is dedicated to the coverage of this policy.

OSP_sec_pol_violation_detection
This organisational security policy is implemented by:
- OT_violation_detection, which is dedicated to the coverage of this policy;
- OT_admin_audit and OT_monitoring, for information regarding an alert;
- OT_violation_reaction, for the processing of alerts at the level of the workstation.

OSP_trusted_configuration
This organisational security policy is implemented by OE_configuration_control, which guarantees that administrators have the resources to back up a trusted configuration and restore it.

OSP_crypto
This organisational security policy is implemented by OT_crypto, which is dedicated to the coverage of this policy.

4.3.3 Coverage of assumptions

A_admin_no_evil
The OE_admin_no_evil security objective is dedicated to the coverage of this assumption.

A_no_priv_user
The OE_non_priv_user security objective is dedicated to the coverage of this assumption.

A_configuration_control
The OE_configuration_control security objective is dedicated to the coverage of this assumption.

A_enough_resource
The OE_enough_resource security objective is dedicated to the coverage of this assumption.

A_TOE_protection
The OE_TOE_protection security objective is dedicated to the coverage of this assumption.

OE_trusted_known_context guarantees that data used by the TOE
The OE_non_priv_user security figuration_control The OE_con ugh_resource The OE_eno _protection The OE_TOE_pr Moreover, OE_t corresponds to data made available by its environment. Protection Profile - Personal Firewall PP-PFP Page 32 of 92 A_known_localization A_kno The OE_known_user security objective is dedicated to the coverage of this on. A_phy The OE_physical_protection security objective is dedicated to the coverage of this . 4.3.4 matrix T_eavesdr ng T_discl T_spoofi T_software_trapping T_floodi T_malfunction T_data_alteration T_illicit_processing T_error T_abuse T_filter_inhibition T_usurpation T_denial OSP_filtering OSP_application_integrit OSP_roles OSP_admin OSP_monitoring OSP_admin_audit OSP_flow_audit viola OSP_trusted_configurati OSP_crypto A_admin_no_evil A_no_priv_user A_configuration_control A_enough_resource A_TOE_protection A_known_localization A_no_bypass A_known_user A_physical_protection The OE_known_localization security objective is dedicated to the coverage of this assumption. Moreover, OE_trusted_known_context guarantees that data used by the TOE corresponds to data made available by its environment. A_no_bypass The OE_no_bypass security objective is dedicated to the coverage of this assumption. 
wn_user assumpti sical_protection assumption Coverage oppi osure ng ng y tion_detection on OSP_sec_pol_ OT_filtering_level X X OT_filtering_criteria X X OT_application_integrity X OT_roles X OT_administration X X X X X X X X OT_monitoring X X X X X X OT_identification X X X X OT_authentication X X X X X X OT_access_control X X X X OT_TOE_reuse X OT_log_protection X X OT_remote_admin_authenitcation X X X OT_remote_admin_integrity X OT_remote_admin_confidentiality X X OT_remote_admin_no_replay X OT_flow_audit X X X X X OT_admin_audit X X X X X X X X X X X X X X X X OT_violation_detection X X X X X X X X X X OT_violation_reaction X X X X X X X X X X OT_TOE_integrity X X OT_operational_state X X OT_crypto X OE_admin_no_evil X X X X X OE_non_priv_user X Protection Profile - Personal Firewall PP-PFP Page 33 of 92 T_eavesdropping T_disclosure T_spoofing T_software_trapping T_flooding T_malfunction T_data_alteration T_illicit_processing T_error T_abuse T_filter_inhibition T_usurpation T_denial OSP_filtering OSP_application_integrity OSP_roles OSP_admin OSP_monitoring OSP_admin_audit OSP_flow_audit OSP_sec_pol_violation_detection OSP_trusted_configuration OSP_crypto A_admin_no_evil A_no_priv_user A_configuration_control A_enough_resource A_TOE_protection A_known_localization A_no_bypass A_known_user A_physical_protection OE_configuration_control X X X X X X X X X X X OE_enough_ressource X X OE_TOE_protection X X X X X OE_trusted_known_context X X OE_know_localization X OE_no_bypass X OE_known_user X X X OE_physical_protection X Table 2: Security objectiv lem definition es / Security prob Protection Profile - Personal Firewall PP-PFP 5 Extended components definition Not applicable. Page 34 of 92 Protection Profile - Personal Firewall PP-PFP 6 IT security requirements 6.1 Introduction The TOE and its environment can be represented by the following diagram. The TSF is an additional module that is not shown in this diagram. 
[Figure 2 (diagram): the TOE, made up of the APPLI, FLUX, COMM, ADMIN and AUDIT modules, between the local program, the remote program, the O.S. and the basic user, administrator and supervisor; the diagram shows the parameters (configuration, identification, authentication, access control; security, monitoring, administration, auditing), the flow filters and applicative filters, and the logs and alarms / audit (flow, admin).]
Figure 2: Modelling of the TOE and its environment
Application note: The only purpose of this modelling is to detail TOE behaviour at the security level. It does not impose any restrictions in terms of product software architecture and its implementation (the number of modules and functions, the structure of the data, etc.). The STs and PPs in conformity with this PP can adapt this model according to the products concerned. In this case they must indicate the correspondence between the elements of the adapted model and those of the model described here.
6.1.1 Subjects
The various subjects of the TOE are:
S_APPLI: This subject implements the application filtering policy and the application integrity control. It takes “ADAPTIVE” filtering into account (see A.5.1.1). It can generate tracking messages and alerts.
S_FLOW: This subject implements the network filtering policy. It can generate tracking messages and alerts.
S_AUDIT: This subject implements management functions relative to audit logs, the issuing of alerts and tracking messages.
S_ADMIN: This subject implements the TOE administration and monitoring functions. It can generate tracking messages and alerts.
S_COMM: This subject implements communication functions across the network with remote sites. It can generate tracking messages and alerts.
6.1.2 Objects
The following objects refer to the sensitive assets of the TOE described in section 3.1.1.2, with the exception of D_software, which corresponds to the TOE itself:
D_FLOW_FILTER: network filtering rules.
D_APPLI_FILTER: application filtering rules and application integrity check values.
D_FLOW_AUDIT: tracking messages relative to the application and network filtering policy.
D_ADMIN_AUDIT: tracking messages relative to administrative operations, monitoring operations and the operation of the TOE.
D_ALARM: alert messages.
D_AC_PARAM: TOE access control parameters.
D_CONFIG: TOE configuration parameters (parameters relative to the TOE environment, to the configuration, to the network context, etc.).
The following objects do not appear in section 3.1.1.2. They correspond to TOE assets.
D_MON_PAR: configuration parameters of audit and alert monitoring functions (audit level of detail, alert thresholds, etc.).
D_SEC_PAR: configuration parameters of the security administration function.
6.1.3 Information
D_FLOW_IN: incoming communication flows for a local program (excluding the TOE).
D_FLOW_OUT: outgoing communication flows transmitted by a local program (excluding the TOE).
6.1.4 Operations
Operations performed by subjects on objects can be grouped into the following categories:
C: this operation corresponds to the creation or generation of data (filtering rule, alarm, audit message, basic user access parameter, etc.).
W: this operation corresponds to the storing, writing, modification, updating, transmission, display or printing of data.
R: this operation corresponds to the reading or receipt of data.
D: this operation corresponds to the removal, the clearing or the resetting of data.
B: this operation corresponds to the saving of parameters or filtering rules.
6.1.5 Security attributes
Attributes relative to basic user identification and rights:
SA_IDENT: corresponds to the identity of a subject or an object. Possible values for a subject: S_APPLI, S_FLOW, S_COMM, S_ADMIN, S_AUDIT.
Possible values for an object: D_FLOW_IN, D_FLOW_OUT, D_ALARM, D_FLOW_FILTER, D_APPLI_FILTER, D_FLOW_AUDIT, D_ADMIN_AUDIT, D_CONFIG, D_AC_PARAM, D_MON_PAR, D_SEC_PAR, S_APPLI, S_FLOW, S_COMM, S_ADMIN, S_AUDIT.
SA_ROLE: corresponds to a role. Possible values: ADMINISTRATOR, SUPERVISOR, BASIC USER.
SA_USER: associated with a subject, it corresponds to the identity of the user linked with this subject; associated with an object (e.g. an application filter), it corresponds to the identity of a user with access right to this object.
SA_RIGHT: corresponds to a right owned by a basic user. Possible values: AUDIT (that basic user’s right to consult audit and alert messages).
SA_CONNECTION: corresponds to the source of the connection for an administrator or supervisor. Possible values: “LOCAL” (connection on the workstation) or “REMOTE” (connection from a remote site).
Attributes relative to the filtering process or used for the filtering process:
SA_NETWORK: groups together security attributes relative to the network parameters used for filtering: source address, destination address, source port (or equivalent), destination port (or equivalent), protocol, direction (incoming or outgoing), status (of the connection, used in the event of contextual filtering), MAC address.
Application note: the STs and PPs in conformity with this PP must provide the exact list of network parameters used.
SA_ADAPTIVITY: makes it possible to define whether a filter (for which the SA_LEVEL attribute has the value “SPECIFIC”) is “PERMANENT” or “ADAPTIVE”, i.e. modifiable by the basic user.
SA_ENVIRONMENT: corresponds to the network environment of the workstation. Possible values: “IN” for connections made inside the company, “OUT” for connections made from premises outside the company.
SA_DIGEST: corresponds to the integrity check value calculated for a program, alarm or audit message.
SA_LEVEL: makes it possible to define if a filter is “GLOBAL” (i.e. valid for everyone) or “SPECIFIC” to one basic user.
SA_PROG_ID: corresponds to the identity of a program.
6.1.6 External entities
These entities, external to the TOE, referred to as users in this PP, can be either software programs or individuals. They are defined in section 3.2 of this document.
Security properties: These users have security properties inherited by subjects with which/whom they establish links:
Users | Associated security properties
U_LOCAL_PROGRAM | Program identity, integrity check value
U_REMOTE_PROGRAM | Program identity, role
U_ADMINISTRATOR | User identity, role, connection
U_SUPERVISOR | User identity, role, connection
U_BASIC_USER | User identity, role
Table 3: User security properties
Binding: Links (binding) that can be established between users and subjects are as follows:
Users | S_ADMIN | S_COMM | S_APPLI | S_FLOW | S_AUDIT
U_LOCAL_PROGRAM | | | X | |
U_REMOTE_PROGRAM | | X | | |
U_ADMINISTRATOR | X | X | | |
U_SUPERVISOR | X | X | | |
U_BASIC_USER | X | | | |
Table 4: User - subject links
6.1.7 Access control rules
Access control rules for subjects to objects (or to other subjects considered as objects) and the flow control rules are shown in the following table.
Application note: the STs and PPs in conformity with this PP must state the manner in which these access control rules are implemented according to the connection between the model described in this PP and its adaptation.
Functions permitted by the access or flow control rule | Subjects with access | Information or objects accessed | Operations | Access authorised if:
Loading of user data and configuration parameters by the TOE | S_ADMIN | D_AC_PARAM, D_CONFIG, D_SEC_PAR, D_MON_PAR, D_APPLI_FILTER, D_FLOW_FILTER | R | SA_IDENT (subject) = S_ADMIN & SA_IDENT (object) = (D_AC_PARAM or D_SEC_PAR or D_APPLI_FILTER or D_FLOW_FILTER or D_MON_PAR or D_CONFIG)
Loading of audit parameters by the TOE | S_AUDIT | D_MON_PAR | R | SA_IDENT (subject) = S_AUDIT & SA_IDENT (object) = D_MON_PAR
Loading of user data and configuration parameters by the TOE | S_COMM | D_CONFIG, D_AC_PARAM | R | SA_IDENT (subject) = S_COMM & SA_IDENT (object) = (D_CONFIG or D_AC_PARAM)
Loading of network filtering rules and parameters by the TOE | S_FLOW | D_CONFIG, D_FLOW_FILTER | R | SA_IDENT (subject) = S_FLOW & SA_IDENT (object) = (D_CONFIG or D_FLOW_FILTER)
Loading of application filtering rules and parameters by the TOE | S_APPLI | D_CONFIG, D_APPLI_FILTER | R | SA_IDENT (subject) = S_APPLI & SA_IDENT (object) = (D_CONFIG or D_APPLI_FILTER)
Management by the administrator of security parameters and filtering rules | S_ADMIN | D_AC_PARAM, D_SEC_PAR, D_APPLI_FILTER, D_FLOW_FILTER | C / W / R / D | SA_IDENT (subject) = S_ADMIN & SA_ROLE (subject) = ADMINISTRATOR & SA_IDENT (object) = (D_AC_PARAM or D_SEC_PAR or D_APPLI_FILTER or D_FLOW_FILTER)
Management by authorised basic users of their specific adaptive or permanent filters | S_ADMIN | D_APPLI_FILTER | C / W / R / D | SA_IDENT (subject) = S_ADMIN & SA_USER (subject) = SA_USER (object) & SA_ROLE (subject) = BASIC USER & SA_LEVEL (object) = (SPECIFIC) & SA_ADAPTIVITY (object) = (ADAPTIVE or PERMANENT) & SA_IDENT (object) = D_APPLI_FILTER
Management by supervisors of audit and monitoring parameters | S_ADMIN | D_MON_PAR | C / W / R / D | SA_IDENT (subject) = S_ADMIN & SA_ROLE (subject) = SUPERVISOR & SA_IDENT (object) = D_MON_PAR
Issuing of alarms and audit messages | S_ADMIN, S_COMM, S_FLOW, S_APPLI | S_AUDIT | W | SA_IDENT (subject) = (S_ADMIN or S_COMM or S_APPLI or S_FLOW) & SA_IDENT (object) = S_AUDIT
Recording of alerts and audit messages in the logs concerned | S_AUDIT | D_ALARM, D_ADMIN_AUDIT, D_FLOW_AUDIT | C | SA_IDENT (subject) = S_AUDIT & SA_IDENT (object) = (D_ALARM or D_ADMIN_AUDIT or D_FLOW_AUDIT)
Relaying of commands issued by remote administrators and supervisors | S_COMM | S_ADMIN | W | SA_IDENT (subject) = S_COMM & SA_ROLE (subject) = (ADMINISTRATOR or SUPERVISOR) & SA_IDENT (object) = S_ADMIN
Relaying of responses to commands made by remote administrators and supervisors | S_ADMIN | S_COMM | W | SA_IDENT (subject) = S_ADMIN & SA_ROLE (subject) = (ADMINISTRATOR or SUPERVISOR) & SA_IDENT (object) = S_COMM
Relaying of supervisors’ commands | S_ADMIN | S_AUDIT | W | SA_IDENT (subject) = S_ADMIN & SA_ROLE (subject) = SUPERVISOR & SA_IDENT (object) = S_AUDIT
Relaying of requests for reading audit messages and alerts by authorised basic users | S_ADMIN | S_AUDIT | W | SA_IDENT (subject) = S_ADMIN & SA_ROLE (subject) = BASIC USER & SA_RIGHT (subject) = AUDIT & SA_IDENT (object) = S_AUDIT
Reading or deletion of alerts and audit messages by supervisors | S_AUDIT | D_ALARM, D_ADMIN_AUDIT, D_FLOW_AUDIT | R / D | SA_IDENT (subject) = S_AUDIT & SA_ROLE (subject) = SUPERVISOR & SA_IDENT (object) = (D_ALARM or D_ADMIN_AUDIT or D_FLOW_AUDIT)
Reading of alerts and audit messages for authorised basic users | S_AUDIT | D_ALARM, D_FLOW_AUDIT | R | SA_IDENT (subject) = S_AUDIT & SA_ROLE (subject) = BASIC USER & SA_RIGHT (subject) = AUDIT & SA_IDENT (object) = (D_ALARM or D_FLOW_AUDIT)
Relaying of responses to supervisors’ commands and requests for reading audit messages and alerts by authorised basic users | S_AUDIT | S_ADMIN | W | SA_IDENT (subject) = S_AUDIT & SA_IDENT (object) = S_ADMIN
Saving of TOE parameters | S_ADMIN | D_AC_PARAM, D_CONFIG, D_SEC_PAR, D_MON_PAR, D_APPLI_FILTER, D_FLOW_FILTER | B | SA_IDENT (subject) = S_ADMIN & SA_ROLE (subject) = ADMINISTRATOR & SA_IDENT (object) = (D_AC_PARAM or D_CONFIG or D_SEC_PAR or D_MON_PAR or D_APPLI_FILTER or D_FLOW_FILTER)
Relaying by the TOE of incoming packets | S_COMM | S_FLOW | W | SA_IDENT (subject) = S_COMM & SA_IDENT (object) = S_FLOW
Implementation by the TOE of network filtering rules for incoming or outgoing packets | S_FLOW | S_COMM, S_APPLI | W | SA_IDENT (subject) = S_FLOW & SA_IDENT (object) = (S_COMM or S_APPLI) & SA_NETWORK (object), SA_ENVIRONMENT (object), SA_LEVEL (object), SA_ADAPTIVITY (object) coherent with the rules defined in D_FLOW_FILTER
Implementation by the TOE of application filtering rules for outgoing packets | S_APPLI | S_FLOW | W | SA_IDENT (subject) = S_APPLI & SA_IDENT (object) = S_FLOW & SA_NETWORK (subject), SA_ENVIRONMENT (object), SA_LEVEL (object), SA_ADAPTIVITY (object), SA_PROG_ID (object), SA_DIGEST (object) coherent with the rules defined in D_APPLI_FILTER
Table 5: Access control rules
6.2 TOE security functional requirements
These requirements are set out in the same manner as the TOE security objectives, as follows:
- Services carried out by the TOE (i.e. application filtering and network filtering)
- Identification, authentication, access to the TOE
- Security of TOE parameters and filtering rules
- Security of administration and monitoring exchange from a remote site
- Audit and security of logs
- Reliability of the TOE
- Other requirements
6.2.1 Services carried out by the TOE (application and network filtering)
The following requirements contribute to the TOE’s implementation of the application or network filtering policy.
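The management and log-reading rows of Table 5, evaluated over the security attributes of 6.1.5, as an added Python model that is not part of the PP (the Subject, Obj and Rule classes and check_access() are assumptions; the PP prescribes no implementation):

```python
# Added example (not part of the PP-PFP): a Python model of a subset of the
# Table 5 access control rules, evaluated over the security attributes of
# section 6.1.5. Identifiers, roles and operations are the PP's; the data
# classes, the rule encoding and check_access() are my own assumptions.
from dataclasses import dataclass
from typing import Callable, FrozenSet, Optional


@dataclass(frozen=True)
class Subject:
    ident: str                                 # SA_IDENT: S_ADMIN, S_AUDIT, ...
    role: str                                  # SA_ROLE: ADMINISTRATOR, SUPERVISOR, BASIC USER
    user: Optional[str] = None                 # SA_USER: identity of the user bound to the subject
    rights: FrozenSet[str] = frozenset()       # SA_RIGHT values held by a basic user (e.g. AUDIT)


@dataclass(frozen=True)
class Obj:
    ident: str                                 # SA_IDENT: D_APPLI_FILTER, D_MON_PAR, ...
    user: Optional[str] = None                 # SA_USER: user with access right to a SPECIFIC filter
    level: Optional[str] = None                # SA_LEVEL: GLOBAL or SPECIFIC
    adaptivity: Optional[str] = None           # SA_ADAPTIVITY: PERMANENT or ADAPTIVE


@dataclass(frozen=True)
class Rule:
    name: str                                  # "Functions permitted" column of Table 5
    operations: FrozenSet[str]                 # "Operations" column (C, W, R, D, B)
    condition: Callable[[Subject, Obj], bool]  # "Access authorised if" column


MANAGE = frozenset("CWRD")
SECURITY_DATA = frozenset({"D_AC_PARAM", "D_SEC_PAR", "D_APPLI_FILTER", "D_FLOW_FILTER"})
SAVED_DATA = SECURITY_DATA | {"D_CONFIG", "D_MON_PAR"}
ALL_LOGS = frozenset({"D_ALARM", "D_ADMIN_AUDIT", "D_FLOW_AUDIT"})

# The rows of Table 5 that concern administration, monitoring and log reading.
RULES = (
    Rule("Management by the administrator of security parameters and filtering rules", MANAGE,
         lambda s, o: s.ident == "S_ADMIN" and s.role == "ADMINISTRATOR"
         and o.ident in SECURITY_DATA),
    Rule("Management by authorised basic users of their specific adaptive or permanent filters",
         MANAGE,
         lambda s, o: s.ident == "S_ADMIN" and s.role == "BASIC USER"
         and s.user is not None and s.user == o.user      # SA_USER (subject) = SA_USER (object)
         and o.level == "SPECIFIC" and o.adaptivity in {"ADAPTIVE", "PERMANENT"}
         and o.ident == "D_APPLI_FILTER"),
    Rule("Management by supervisors of audit and monitoring parameters", MANAGE,
         lambda s, o: s.ident == "S_ADMIN" and s.role == "SUPERVISOR" and o.ident == "D_MON_PAR"),
    Rule("Saving of TOE parameters", frozenset("B"),
         lambda s, o: s.ident == "S_ADMIN" and s.role == "ADMINISTRATOR" and o.ident in SAVED_DATA),
    Rule("Reading or deletion of alerts and audit messages by supervisors", frozenset("RD"),
         lambda s, o: s.ident == "S_AUDIT" and s.role == "SUPERVISOR" and o.ident in ALL_LOGS),
    Rule("Reading of alerts and audit messages for authorised basic users", frozenset("R"),
         lambda s, o: s.ident == "S_AUDIT" and s.role == "BASIC USER" and "AUDIT" in s.rights
         and o.ident in {"D_ALARM", "D_FLOW_AUDIT"}),
)


def check_access(subject: Subject, obj: Obj, operation: str) -> Optional[str]:
    """Return the name of the first Table 5 row authorising `operation`, or None.

    The table is a closed policy: a request matched by no row is refused, so a
    basic user cannot touch a GLOBAL filter or another user's SPECIFIC filter,
    and the AUDIT right never grants access to D_ADMIN_AUDIT.
    """
    for rule in RULES:
        if operation in rule.operations and rule.condition(subject, obj):
            return rule.name
    return None
```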
6.2.1.1 Network filtering of outgoing flows
FDP_IFC.1 (ONF) Subset information flow control (network filtering of outgoing flows)
Audit
- No audit messages for this component
Dependencies FDP_IFF.1 (ONF)
FDP_IFC.1.1 The TSF shall enforce the [assignment: network filtering policy for outgoing flows] on: [assignment: - subjects: S_FLOW, S_COMM - information: D_FLOW_OUT, D_FLOW_FILTER - operation: W].
FDP_IFF.1 (ONF) Simple security attributes (network filtering of outgoing flows)
Audit
- Refusal of an outgoing access request (associated data: identity inherited by the user, object concerned and security attributes used)
- Acceptance of an outgoing access request (associated data: identity inherited by the user, object concerned and security attributes used)
Dependencies FDP_IFC.1 (ONF), FMT_MSA.3
FDP_IFF.1.1 The TSF shall enforce the [assignment: network filtering policy for outgoing flows] based on the following types of subject and information security attributes: [assignment: - subjects: S_FLOW, S_COMM - subject security attributes: SA_IDENT - information: D_FLOW_OUT, D_FLOW_FILTER - information security attributes: SA_IDENT, SA_NETWORK, SA_ENVIRONMENT, SA_PROG_ID, SA_USER].
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [assignment: there exists at least one filtering rule selected in D_FLOW_FILTER authorising this flow].
FDP_IFF.1.3 The TSF shall enforce the [assignment: no additional information flow control SFP rules].
FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the following rules: [assignment: no rules that explicitly authorise information flows].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: [assignment: there exists at least one filtering rule selected in D_FLOW_FILTER prohibiting this flow].
FDP_ETC.2 (ONF) Export of user data with security attributes (network filtering of outgoing flows)
Audit
- Detail of the export request (associated data: identity of requestor, remote site concerned and result of the request (acceptance or refusal))
Dependencies FDP_IFC.1 (ONF)
FDP_ETC.2.1 The TSF shall enforce the [assignment: network filtering policy for outgoing flows] when exporting user data, controlled under the SFP(s), outside of the TOE.
FDP_ETC.2.2 The TSF shall export the user data with the user data’s associated security attributes.
FDP_ETC.2.3 The TSF shall ensure that the security attributes, when exported outside the TOE, are unambiguously associated with the exported user data.
FDP_ETC.2.4 The TSF shall enforce the following rules when user data is exported from the TOE: [assignment: no additional exportation control rules].
FDP_IFF.5 (ONF) No illicit information flows (network filtering of outgoing flows)
Audit
- Result of the identification of an illicit information bypass flow
Dependencies FDP_IFC.1 (ONF)
FDP_IFF.5.1 The TSF shall ensure that no illicit information flows exist to circumvent [assignment: network filtering policy for outgoing flows].
6.2.1.2 Network filtering of incoming flows
FDP_IFC.1 (INF) Subset information flow control (network filtering of incoming flows)
Audit
- No audit messages for this component
Dependencies FDP_IFF.1 (INF)
FDP_IFC.1.1 The TSF shall enforce the [assignment: network filtering policy for incoming flows] on: [assignment: - subjects: S_FLOW, S_COMM - information: D_FLOW_IN, D_FLOW_FILTER - operation: R].
FDP_IFF.1 (INF) Simple security attributes (network filtering of incoming flows)
Audit
- Refusal of an incoming access request (associated data: identity inherited by the user, object concerned and security attributes used)
- Acceptance of an incoming access request (associated data: identity inherited by the user, object concerned and security attributes used)
Dependencies FDP_IFC.1 (INF), FMT_MSA.3
FDP_IFF.1.1 The TSF shall enforce the [assignment: network filtering policy for incoming flows] based on the following types of subject and information security attributes: [assignment: - subjects: S_FLOW, S_COMM - subject security attributes: SA_IDENT - information: D_FLOW_IN, D_FLOW_FILTER - information security attributes: SA_IDENT, SA_NETWORK, SA_ENVIRONMENT].
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [assignment: there exists at least one filtering rule selected in D_FLOW_FILTER authorising this flow].
FDP_IFF.1.3 The TSF shall enforce the [assignment: no additional information flow control SFP rules].
FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the following rules: [assignment: no rules that explicitly authorise information flows].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: [assignment: there exists at least one filtering rule selected in D_FLOW_FILTER prohibiting this flow].
FDP_ITC.1 (INF) Import of user data without security attributes (network filtering of incoming flows)
Audit
- Detail of the import request (associated data: identity of requestor, remote site concerned and result of the request (acceptance or refusal))
Dependencies FDP_IFC.1 (INF), FMT_MSA.3
FDP_ITC.1.1 The TSF shall enforce the [assignment: network filtering policy for incoming flows] when importing user data, controlled under the SFP(s), from outside of the TOE.
FDP_ITC.1.2 The TSF shall ignore any security attributes associated with the user data when imported from outside the TOE.
FDP_ITC.1.3 The TSF shall enforce the following rules when importing user data controlled under the SFP from outside the TOE: [assignment: no additional importation control rules].
FDP_IFF.5 (INF) No illicit information flows (network filtering of incoming flows)
Audit
- Result of the identification of an illicit information bypass flow
Dependencies FDP_IFC.1 (INF)
FDP_IFF.5.1 The TSF shall ensure that no illicit information flows exist to circumvent [assignment: network filtering policy for incoming flows].
6.2.1.3 Application filtering of outgoing flows
FDP_IFC.1 (OAF) Subset information flow control (application filtering of outgoing flows)
Audit
- No audit messages for this component
Dependencies FDP_IFF.1 (OAF)
FDP_IFC.1.1 The TSF shall enforce the [assignment: application filtering policy for outgoing flows] on: [assignment: - subject: S_APPLI - information: D_FLOW_OUT, D_APPLI_FILTER - operation: R].
FDP_IFF.1 (OAF) Simple security attributes (application filtering of outgoing flows)
Audit
- Refusal of an outgoing access request (associated data: identity inherited by the user, object concerned and security attributes used)
- Acceptance of an outgoing access request (associated data: identity inherited by the user, object concerned and security attributes used)
Dependencies FDP_IFC.1 (OAF), FMT_MSA.3
FDP_IFF.1.1 The TSF shall enforce the [assignment: application filtering policy for outgoing flows] based on the following types of subject and information security attributes: [assignment: - subjects: S_APPLI - subject security attributes: SA_IDENT - information: D_FLOW_OUT, D_APPLI_FILTER - information security attributes: SA_PROG_ID, SA_USER, SA_DIGEST, SA_NETWORK (destination port), SA_ENVIRONMENT, SA_IDENT].
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [assignment: there exists at least one filtering rule selected in D_APPLI_FILTER authorising this flow].
FDP_IFF.1.3 The TSF shall enforce the [assignment: no additional information flow control SFP rules].
FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the following rules: [assignment: no rules that explicitly authorise information flows].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: [assignment: there exists at least one filtering rule selected in D_APPLI_FILTER prohibiting this flow].
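The FDP_IFF.1 decision (elements 1.2, 1.4 and 1.5), as an added Python model that is not part of the PP; it generalises over the ONF, INF and OAF policies above, which share the same permit and explicit-deny structure. The rule syntax (None as a wildcard), the precedence of explicit deny rules over authorising rules and the audit record layout are assumptions, since the PP leaves them to the ST.

```python
# Added example (not part of the PP-PFP): a Python model of the FDP_IFF.1
# decision (rules 1.2, 1.4 and 1.5) for the network and application filtering
# policies. Attribute names follow section 6.1.5; the rule syntax (None as a
# wildcard), the precedence of explicit deny rules and the audit record layout
# are my assumptions, as the PP leaves them to the ST.
from dataclasses import dataclass, asdict
from typing import Dict, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Flow:
    """A controlled information flow (D_FLOW_IN or D_FLOW_OUT) and its attributes."""
    direction: str                   # SA_NETWORK direction: "IN" (incoming) or "OUT" (outgoing)
    src: str                         # SA_NETWORK source address
    dst: str                         # SA_NETWORK destination address
    sport: int                       # SA_NETWORK source port
    dport: int                       # SA_NETWORK destination port
    protocol: str                    # SA_NETWORK protocol
    environment: str                 # SA_ENVIRONMENT: "IN" (inside the company) or "OUT"
    user: str                        # SA_USER bound to the subject
    prog_id: Optional[str] = None    # SA_PROG_ID (application filtering only)
    digest: Optional[str] = None     # SA_DIGEST (application filtering only)


@dataclass(frozen=True)
class FilterRule:
    """One rule of D_FLOW_FILTER or D_APPLI_FILTER; a None field matches anything."""
    action: str                      # "ALLOW" (FDP_IFF.1.2) or "DENY" (FDP_IFF.1.5)
    level: str = "GLOBAL"            # SA_LEVEL: GLOBAL (everyone) or SPECIFIC (one basic user)
    user: Optional[str] = None       # owner of a SPECIFIC rule
    environment: Optional[str] = None
    direction: Optional[str] = None
    dst: Optional[str] = None
    dport: Optional[int] = None
    protocol: Optional[str] = None
    prog_id: Optional[str] = None
    digest: Optional[str] = None

    def is_selected(self, flow: Flow) -> bool:
        """Rule selection: a SPECIFIC rule applies only to its owner and an
        environment-bound rule only in that network environment."""
        if self.level == "SPECIFIC" and self.user != flow.user:
            return False
        return self.environment in (None, flow.environment)

    def matches(self, flow: Flow) -> bool:
        if not self.is_selected(flow):
            return False
        wanted = [(self.direction, flow.direction), (self.dst, flow.dst),
                  (self.dport, flow.dport), (self.protocol, flow.protocol),
                  (self.prog_id, flow.prog_id), (self.digest, flow.digest)]
        return all(want is None or want == have for want, have in wanted)


def decide(flow: Flow, rules: Sequence[FilterRule]) -> Tuple[str, Dict]:
    """Evaluate the policy for one flow and return (decision, audit record).

    FDP_IFF.1.5: any selected DENY rule matching the flow refuses it.
    FDP_IFF.1.2: otherwise the flow is accepted only if at least one selected
    ALLOW rule matches. FDP_IFF.1.4 lists no implicit authorisation, so a flow
    matched by no rule at all is refused. The audit record carries the data
    listed for FDP_IFF.1: identity inherited by the user, object concerned and
    the security attributes used.
    """
    matching = [r for r in rules if r.matches(flow)]
    denied = any(r.action == "DENY" for r in matching)
    allowed = any(r.action == "ALLOW" for r in matching)
    decision = "REFUSED" if denied or not allowed else "ACCEPTED"
    kind = "incoming" if flow.direction == "IN" else "outgoing"
    outcome = "Acceptance" if decision == "ACCEPTED" else "Refusal"
    audit = {
        "event": f"{outcome} of an {kind} access request",
        "SA_USER": flow.user,
        "object": "D_FLOW_IN" if flow.direction == "IN" else "D_FLOW_OUT",
        "attributes_used": asdict(flow),
        "matching_rules": [asdict(r) for r in matching],
    }
    return decision, audit


# Constructed sample rule base (not from the PP), mixing GLOBAL and SPECIFIC rules.
SAMPLE_RULES = [
    FilterRule("ALLOW", direction="OUT", protocol="TCP", dport=443),
    FilterRule("DENY", direction="OUT", dst="203.0.113.9", environment="OUT"),
    FilterRule("ALLOW", level="SPECIFIC", user="alice", direction="OUT", protocol="TCP", dport=22),
]
```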
FDP_ITC.1 (OAF) Import of user data without security attributes (application filtering of outgoing flows)
Audit
- Detail of the import request (associated data: identity of requestor, remote site concerned and result of the request (acceptance or refusal))
Dependencies FDP_IFC.1 (OAF), FMT_MSA.3
FDP_ITC.1.1 The TSF shall enforce the [assignment: application filtering policy for outgoing flows] when importing user data, controlled under the SFP, from outside of the TOE.
FDP_ITC.1.2 The TSF shall ignore any security attributes associated with the user data when imported from outside the TOE.
FDP_ITC.1.3 The TSF shall enforce the following rules when importing user data controlled under the SFP from outside the TOE: [assignment: no additional importation control rules].
FDP_IFF.5 (OAF) No illicit information flows (application filtering of outgoing flows)
Audit
- Result of the identification of an illicit information bypass flow
Dependencies FDP_IFC.1 (OAF)
FDP_IFF.5.1 The TSF shall ensure that no illicit information flows exist to circumvent [assignment: application filtering policy for outgoing flows].
6.2.1.4 Local program integrity control
FTA_TSE.1 (OAF) TOE session establishment (application filtering of outgoing flows)
Audit
- Refusal to establish a link for a local program (associated data: reason for the refusal, security parameters used and the security rule on which refusal to establish a link is based)
Dependencies none
FTA_TSE.1.1 The TSF shall be able to deny session establishment based on [assignment: attributes].
Refinement The TSF shall be able to prohibit all local programs (U_LOCAL_PROGRAM) from establishing a session with the application filtering module (S_APPLI) if at least one of the following conditions is met:
1. The integrity check value for this program, calculated when the connection request is made, is different from the integrity check value memorised by the TOE in D_APPLI_FILTER.
2. Other conditions.
Application note: The STs in conformity with this PP must state the manner in which the integrity check value is calculated and the other conditions selected.
6.2.1.5 Application filtering of incoming flows
FDP_IFC.1 (IAF) Subset information flow control (application filtering of incoming flows)
Audit
- No audit messages for this component
Dependencies FDP_IFF.1 (IAF)
FDP_IFC.1.1 The TSF shall enforce the [assignment: application filtering policy for incoming flows] on: [assignment: - subject: S_APPLI - information: D_FLOW_IN, D_APPLI_FILTER - operation: W].
FDP_IFF.1 (IAF) Simple security attributes (application filtering of incoming flows)
Audit
- Refusal of an incoming access request (associated data: identity inherited by the user, object concerned and security attributes used)
- Acceptance of an incoming access request (associated data: identity inherited by the user, object concerned and security attributes used)
Dependencies FDP_IFC.1 (IAF), FMT_MSA.3
FDP_IFF.1.1 The TSF shall enforce the [assignment: application filtering policy for incoming flows] based on the following types of subject and information security attributes: [assignment: - subject: S_APPLI - subject security attributes: SA_IDENT - information: D_FLOW_IN, D_APPLI_FILTER - information security attributes: SA_DIGEST, SA_NETWORK (source port), SA_ENVIRONMENT, SA_IDENT].
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [assignment: there exists at least one filtering rule selected in D_APPLI_FILTER authorising this flow].
FDP_IFF.1.3 The TSF shall enforce the [assignment: no additional information flow control SFP rules].
FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the following rules: [assignment: no rules that explicitly authorise information flows].
FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: [assignment: there exists at least one filtering rule selected in D_APPLI_FILTER prohibiting this flow].

FDP_ETC.2 (IAF) Export of user data with security attributes (application filtering of incoming flows)
Audit:
- Detail of the request (associated data: filtering rule and attributes upon which acceptance or refusal of the packet is based, status (acceptance or refusal))
Dependencies: FDP_IFC.1 (IAF)
FDP_ETC.2.1 The TSF shall enforce the [assignment: application filtering policy for outgoing flows] when exporting user data, controlled under the SFP(s), outside of the TOE.
FDP_ETC.2.2 The TSF shall export the user data with the user data's associated security attributes.
FDP_ETC.2.3 The TSF shall ensure that the security attributes, when exported outside the TOE, are unambiguously associated with the exported user data.
FDP_ETC.2.4 The TSF shall enforce the following rules when user data is exported from the TOE: [assignment: no additional exportation control rules].

FDP_IFF.5 (IAF) No illicit information flows (application filtering of incoming flows)
Audit:
- Result of the identification of an illicit information bypass flow
Dependencies: FDP_IFC.1 (IAF) Subset information flow control
FDP_IFF.5.1 The TSF shall ensure that no illicit information flows exist to circumvent [assignment: application filtering policy for incoming flows].

6.2.1.6 Local program connection

FIA_UID.2 (LP) User identification (local program)
Audit:
- Connection of a local program (associated data: identification of the program, connection context)
Dependencies: none
FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.
Refinement: The TSF shall require that all local programs (U_LOCAL_PROGRAM) be identified successfully before establishing a link with the application filtering module (S_APPLI).

FIA_USB.1 (LP) User-subject binding (local program)
Audit:
- Establishment of a link between a local program and a subject (associated data: identification of the program, identification of the subject, values of the security attributes defined when establishing the link)
Dependencies: FIA_ATD.1 (LP)
FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: security attributes: SA_PROG_ID, SA_DIGEST, SA_ENVIRONMENT, SA_USER, SA_NETWORK].
Refinement: The TSF shall associate the following security attributes with the application filtering module (S_APPLI) following the establishment of a link between a local program (U_LOCAL_PROGRAM) and the application filtering module (S_APPLI): SA_PROG_ID, SA_DIGEST, SA_ENVIRONMENT, SA_USER, SA_NETWORK.
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [assignment: the security attributes of S_APPLI are updated according to the security properties of U_LOCAL_PROGRAM in the following manner:
1. SA_PROG_ID = program identity
2. SA_DIGEST = value calculated by the TOE for this program
3. SA_ENVIRONMENT = value corresponding to the network environment of the workstation (“IN” or “OUT”); this value is supplied by the workstation
4. SA_USER = identity of the user connected to the workstation; this value is supplied by the workstation
5. SA_NETWORK is assigned the values relative to the network connection; these values are calculated by the TOE according to information taken from the requested network connection].
Application note: The STs in conformity with this PP must state the manner in which the integrity check value is calculated.
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: no additional rules for the changing of attributes].

FIA_ATD.1 (LP) User attribute definition (local program)
Audit:
- No audit messages for this component
Dependencies: none
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: security attributes: SA_PROG_ID, SA_DIGEST, SA_ENVIRONMENT, SA_USER, SA_NETWORK].

FTA_SSL.4 (LP) User-initiated termination (local program)
Audit:
- Closing of an interactive session by a local program (associated data: identification of the subject, values of the security attributes defined during the closing of the session)
Dependencies: none
FTA_SSL.4.1 The TSF shall allow [refinement: local program]-initiated termination of the [refinement: local program]'s own interactive session.

6.2.1.7 Remote program connection

FIA_UID.1 (RP) Timing of identification (remote program)
Audit:
- Anonymous connection of a remote program (associated data: connection context)
Dependencies: none
FIA_UID.1.1 The TSF shall allow [assignment: list of TSF-mediated actions] on behalf of the user to be performed before the user is identified.
Refinement: The TSF shall enable remote programs (U_REMOTE_PROGRAM) to establish a link with the communication module (S_COMM) without identifying themselves when these programs are not seeking to communicate with the administration and monitoring module (S_ADMIN).
FIA_UID.1.2 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.
FIA_USB.1 (RP) User-subject binding (remote program)
Audit:
- Establishment of a link between a remote program and a subject (associated data: identification of the subject, values of the security attributes defined when establishing the link)
Dependencies: FIA_ATD.1 (RP)
FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: security attributes: SA_ENVIRONMENT, SA_NETWORK].
Refinement: The TSF shall associate the following security attributes with the communication module (S_COMM) following the establishment of a link between a remote program (U_REMOTE_PROGRAM) and the communication module (S_COMM): SA_ENVIRONMENT, SA_NETWORK.
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [assignment: S_COMM’s security attributes are updated in the following manner:
1. SA_ENVIRONMENT = value corresponding to the network environment of the workstation (“IN” or “OUT”); this value is supplied by the workstation
2. SA_NETWORK is assigned the values relative to the network connection; these values are calculated by the TOE according to information taken from the requested network connection].
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: no additional rules for the changing of attributes].

FIA_ATD.1 (RP) User attribute definition (remote program)
Audit:
- No audit messages for this component
Dependencies: none
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: security attributes: SA_NETWORK, SA_ENVIRONMENT].
FTA_SSL.4 (RP) User-initiated termination (remote program)
Audit:
- Closing of an interactive session by a remote program (associated data: identification of the subject, values of the security attributes defined during the closing of the session)
Dependencies: none
FTA_SSL.4.1 The TSF shall allow [refinement: remote program]-initiated termination of the [refinement: remote program]'s own interactive session.

6.2.2 User identification, authentication & TOE access

The following requirements help to define users, to generate authentication data and to set the rules relative to the establishment or the ending of sessions by local or remote users.

FMT_MTD.1 Management of TSF data
Audit:
- Recording of a new user
- Access (successful or not, for reading, writing or modification) to a user’s properties
Dependencies: FMT_SMR.1, FMT_SMF.1
FMT_MTD.1.1 The TSF shall restrict the ability to [selection: change_default, query, modify, delete, clear, record] the: [assignment:
1. Identity of a new user.
2. Role or roles (ADMINISTRATOR, SUPERVISOR, BASIC USER) owned by the user]
to [assignment: ADMINISTRATOR].

FMT_MTD.3 Secure TSF data
Audit:
- Refusal of authentication data or security properties relative to user management
Dependencies: FMT_MTD.1
FMT_MTD.3.1 The TSF shall ensure that only secure values are accepted for [assignment: D_AC_PARAM, which contains the authentication data and all security properties relative to user management].

FIA_SOS.1 Verification of secrets
Audit:
- Acceptance or refusal of the authentication data supplied
Dependencies: none
FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [assignment: the authentication data chosen by the administrator include a minimum number of characters mixing upper and lower case letters, figures and non-alphanumeric characters].
Application note: It is for the authors of the STs to choose between the entry of authentication data by the administrator (FIA_SOS.1) and the generation of authentication data by the TOE (FIA_SOS.2). The STs in conformity with this PP must state the minimum number of characters and the conditions relative to the choice of these characters. The STs in conformity with this PP must also indicate, where necessary, the cryptographic mechanisms used to protect this authentication data.

FIA_SOS.2 TSF generation of secrets
Audit:
- Generation of authentication data
Dependencies: none
FIA_SOS.2.1 The TSF shall provide a mechanism to generate secrets that meet [assignment: random generation with a minimum number of characters mixing upper and lower case letters, figures and non-alphanumeric characters].
Application note: It is for the authors of the STs to choose between the entry of authentication data by the administrator (FIA_SOS.1) and the generation of authentication data by the TOE (FIA_SOS.2). The STs in conformity with this PP must state the minimum number of characters and the method used for the generation of random numbers. The STs in conformity with this PP must also indicate, where necessary, the cryptographic mechanisms used to protect this authentication data.
FIA_SOS.2.2 The TSF shall be able to enforce the use of TSF generated secrets for [assignment: the use of this authentication data for establishing the link with the administration and monitoring module (S_ADMIN) or the communication module (S_COMM)].

FIA_UID.2 (LU) User identification (local user)
Audit:
- Connection of a local user (associated data: user identity, connection context)
Dependencies: none
FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.
Refinement: The TSF shall require that each local user (U_ADMINISTRATOR, U_SUPERVISOR, U_BASIC_USER) be successfully identified before authorising the establishment of a link with the administration and monitoring module (S_ADMIN) on behalf of this user.

FIA_UID.2 (RU) User identification (remote user)
Audit:
- Connection of a remote user (associated data: user identity, connection context)
Dependencies: none
FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.
Refinement: The TSF shall require that each remote user (U_ADMINISTRATOR, U_SUPERVISOR) be successfully identified before authorising the establishment of a link with the administration and monitoring module (S_ADMIN) on behalf of this user.

FIA_UAU.2 (LU) User authentication before any action (local user)
Audit:
- Authentication attempt (successful or not) of a local user
Dependencies: FIA_UID.1 (covered by FIA_UID.2 (LU))
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
Refinement: The TSF shall require that each local user (U_ADMINISTRATOR, U_SUPERVISOR, U_BASIC_USER) be successfully authenticated before authorising the establishment of a link with the administration and monitoring module (S_ADMIN) on behalf of this user.

FIA_UAU.2 (RU) User authentication before any action (remote user)
Audit:
- Authentication attempt (successful or not) of a remote user
Dependencies: FIA_UID.1 (covered by FIA_UID.2 (RU))
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
Refinement: The TSF shall require that each remote user (U_ADMINISTRATOR, U_SUPERVISOR) be successfully authenticated before authorising the establishment of a link with the administration and monitoring module (S_ADMIN) on behalf of this user.

FIA_UAU.7 Protected authentication feedback
Audit:
- No audit messages for this component
Dependencies: FIA_UAU.1 (covered by FIA_UAU.2 (LU) and FIA_UAU.2 (RU))
FIA_UAU.7.1 The TSF shall provide only [assignment: information indicating keystrokes] to the user while the authentication is in progress.
Application note: The STs in conformity with this PP must state whether a piece of information (e.g. “asterisks”) is transmitted back to the user or not, and whether or not this enables the number of characters entered by the user to be counted.

FIA_AFL.1 Authentication failure handling
Audit:
- Reaching or exceeding one of the alert thresholds during connection (associated data: threshold, number of attempts)
- Actions taken (issuing of an alert, blocking of the connection, etc.)
Dependencies: FIA_UAU.1 (covered by FIA_UAU.2 (LU) and FIA_UAU.2 (RU))
FIA_AFL.1.1 The TSF shall detect when [selection: N1 (or more)] unsuccessful authentication attempts occur related to: [assignment:
1. Erroneous connection attempts to the administration and monitoring module (S_ADMIN) using the same identity or different identities in less than N2 minutes.
2. Other rules].
Application note: The STs in conformity with this PP must state the chosen or possible values for N1 and N2 as well as the other selected rules.
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been [selection: met], the TSF shall: [assignment:
1. Issue an alert.
2. Take the actions defined by the administrator].
Application note: The STs in conformity with this PP must state the actions the administrator can define in response to exceeding the authentication threshold.
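The authentication-data checks of FIA_SOS.1, the TOE-side generation of FIA_SOS.2 and the failure threshold of FIA_AFL.1 (N1 or more failed S_ADMIN connection attempts, same or different identities, within N2 minutes, followed by an alert) described above, as an added example in Python that is not part of the PP. The minimum length, the values of N1 and N2, the audit record layout and the constructed events are this example's assumptions, since the PP leaves them to the ST.

```python
"""Added example (not from the PP-PFP): verification and generation of
authentication data (FIA_SOS.1 / FIA_SOS.2) and detection of repeated
authentication failures against S_ADMIN (FIA_AFL.1). Parameter values and the
audit record layout are assumptions."""
import secrets
import string
from collections import deque

MIN_LENGTH = 12     # minimum number of characters; the PP leaves the value to the ST
N1 = 3              # failed attempts that reach the threshold
N2_MINUTES = 5      # observation window in minutes


def secret_is_acceptable(secret: str) -> bool:
    """FIA_SOS.1: minimum length, mixing upper and lower case letters,
    figures and non-alphanumeric characters."""
    return (len(secret) >= MIN_LENGTH
            and any(c.isupper() for c in secret)
            and any(c.islower() for c in secret)
            and any(c.isdigit() for c in secret)
            and any(not c.isalnum() for c in secret))


def generate_secret(length: int = 16) -> str:
    """FIA_SOS.2: random generation (secrets module, OS CSPRNG) that is
    re-sampled until the generated value satisfies the same rule."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(max(length, MIN_LENGTH)))
        if secret_is_acceptable(candidate):
            return candidate


class AuthFailureMonitor:
    """FIA_AFL.1.1 rule 1: N1 or more failed S_ADMIN connection attempts, with
    the same or different identities, in less than N2 minutes.
    FIA_AFL.1.2: issue an alert and apply the administrator-defined action,
    modelled here by a callback returning the action's name."""

    def __init__(self, n1=N1, n2_minutes=N2_MINUTES, on_threshold=None):
        self.n1 = n1
        self.window = n2_minutes * 60
        self.failures = deque()          # timestamps (seconds) of recent failures
        self.alerts = []
        self.on_threshold = on_threshold or (lambda: "block-remote-admin-connections")

    def record(self, event):
        """Consume one audit record; return the alert text when the threshold is reached."""
        if event["result"] != "FAIL" or event["subject"] != "S_ADMIN":
            return None
        now = event["ts"]
        self.failures.append(now)
        # Drop failures older than the N2-minute window.
        while self.failures and now - self.failures[0] > self.window:
            self.failures.popleft()
        if len(self.failures) >= self.n1:
            alert = (f"ALERT ts={now} {len(self.failures)} failed S_ADMIN authentications "
                     f"in {self.window // 60} min; action={self.on_threshold()}")
            self.alerts.append(alert)
            return alert
        return None


# Constructed audit events (ts in seconds): five failures, the last three within 5 minutes.
EVENTS = [
    {"ts": 0,   "user": "admin",  "subject": "S_ADMIN", "result": "FAIL"},
    {"ts": 60,  "user": "super1", "subject": "S_ADMIN", "result": "FAIL"},
    {"ts": 100, "user": "admin",  "subject": "S_ADMIN", "result": "OK"},
    {"ts": 700, "user": "admin",  "subject": "S_ADMIN", "result": "FAIL"},   # first two expired
    {"ts": 720, "user": "root",   "subject": "S_ADMIN", "result": "FAIL"},
    {"ts": 740, "user": "admin",  "subject": "S_ADMIN", "result": "FAIL"},   # third in 40 s
]


def run_monitor(events=EVENTS):
    """Feed the constructed events through the monitor and return the alerts raised."""
    monitor = AuthFailureMonitor()
    for event in events:
        monitor.record(event)
    return monitor.alerts


if __name__ == "__main__":
    print(secret_is_acceptable("Tr0ub4dor&Horse!"), secret_is_acceptable("password123"))
    print(generate_secret())
    print(run_monitor())
```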
FTA_TSE.1 (LU) TOE session establishment (local user)
Audit:
- Refusal to establish a link between a local user and a subject (associated data: reason for the refusal, security parameters upon which acceptance or refusal of the establishment of the link are based)
Dependencies: none
FTA_TSE.1.1 The TSF shall be able to deny session establishment based on: [assignment:
1. Another local user is already connected using the same identity.
2. Other conditions].
Application note: The STs in conformity with this PP must state the other conditions selected.

FTA_TSE.1 (RU) TOE session establishment (remote user)
Audit:
- Refusal to establish a link between a remote user and a subject (associated data: reason for the refusal, security parameters upon which acceptance or refusal of the establishment of the link are based)
Dependencies: none
FTA_TSE.1.1 The TSF shall be able to deny session establishment based on: [assignment:
1. Another remote user is already connected using the same identity.
2. Other conditions].
Application note: The STs in conformity with this PP must state the other conditions selected.

FIA_USB.1 (LU) User-subject binding (local user)
Audit:
- Establishment of a link between a user and a subject (associated data: identification of the user, identification of the subject, values of the security attributes defined when establishing the link)
Dependencies: FIA_ATD.1 (LU)
FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: security attributes: SA_USER, SA_ROLE, SA_CONNECTION].
Refinement: The TSF shall associate the following security attributes with the administration and monitoring module (S_ADMIN) following the establishment of a link between a user connected locally (users concerned: U_BASIC_USER, U_SUPERVISOR, U_ADMINISTRATOR) and the administration and monitoring module (S_ADMIN): SA_USER, SA_ROLE, SA_CONNECTION.
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [assignment: the security attributes of S_ADMIN are updated according to user security properties in the following manner:
1. SA_USER = user identity (value taken from D_AC_PARAM).
2. SA_ROLE = role owned by the user (value from D_AC_PARAM).
3. SA_CONNECTION = “LOCAL”].
Application note: The STs in conformity with this PP must state the conditions selected.
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: no additional rules for the changing of attributes].

FIA_ATD.1 (LU) User attribute definition (local user)
Audit:
- No audit messages for this component
Dependencies: none
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: security attributes: SA_USER, SA_ROLE, SA_CONNECTION].

FIA_USB.1 (RU) User-subject binding (remote user)
Audit:
- Establishment of a link between a remote user and a subject (associated data: identification of the user, identification of the subject, values of the security attributes defined when establishing the link)
Dependencies: FIA_ATD.1 (RU)
FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: security attributes: SA_USER, SA_ROLE, SA_CONNECTION].
Refinement: The TSF shall associate the following security attributes with the communication module (S_COMM) following the establishment of a link between a remote user and the communication module (S_COMM): SA_USER, SA_ROLE, SA_CONNECTION.
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [assignment: S_COMM’s security attributes are updated in the following manner:
1. SA_USER = user identity (value from D_AC_PARAM).
2. SA_ROLE = role held by the user (value from D_AC_PARAM).
3. SA_CONNECTION = “REMOTE”].
Application note: The STs in conformity with this PP must state the conditions selected.
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: no additional rules for the changing of attributes].

FIA_ATD.1 (RU) User attribute definition (remote user)
Audit:
- No audit messages for this component
Dependencies: none
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: security attributes: SA_USER, SA_ROLE, SA_CONNECTION].

FTA_SSL.3 (RU) TSF-initiated termination (remote user)
Audit:
- Closing of an interactive session by the TSF (associated data: identification of the user, identification of the subject, values of the security attributes defined when closing the interactive session)
Dependencies: none
FTA_SSL.3.1 The TSF shall terminate an interactive session after an [assignment: time interval of user inactivity].
Refinement: The TSF shall put an end to the link between the user and the communication module (S_COMM) under the following conditions:
1. A break in the network connection between the remote site and the TOE.
2. Shutdown of the TOE.
3. Removal of the user in D_AC_PARAM.
4. A break in the trusted channel (following the detection of an anomaly on this channel, for example) established between the TOE and the remote program and used by this link.
5. Other conditions.
Users concerned: U_ADMINISTRATOR, U_SUPERVISOR
Application note: The STs in conformity with this PP must state the conditions that can lead to a break in the link by the TSF.

FTA_SSL.4 (LU) User-initiated termination (local user)
Audit:
- Closing of an interactive session by a local user (associated data: identification of the user, identification of the subject, values of the security attributes defined when closing the session)
Dependencies: none
FTA_SSL.4.1 The TSF shall allow user-initiated termination of the [refinement: local] user's own interactive session.

FTA_SSL.4 (RU) User-initiated termination (remote user)
Audit:
- Closing of an interactive session by a remote user (associated data: identification of the user, identification of the subject, values of the security attributes defined when closing the session)
Dependencies: none
FTA_SSL.4.1 The TSF shall allow user-initiated termination of the [refinement: remote] user’s own interactive session.

6.2.3 TOE data security

The following requirements contribute to the protection of TOE data.

6.2.3.1 Access control to TOE configuration parameters

FDP_ACC.1 (PAR) Subset access control (access to configuration parameters)
Audit:
- No audit messages for this component
Dependencies: FDP_ACF.1 (PAR)
FDP_ACC.1.1 The TSF shall enforce the [assignment: access control policy for configuration parameters] on: [assignment:
- subjects: S_APPLI, S_FLOW, S_AUDIT, S_ADMIN
- objects: D_AC_PARAM, D_CONFIG, D_SEC_PAR, D_MON_PAR, D_APPLI_FILTER, D_FLOW_FILTER
- operations: C, W, R, D, B].
FDP_ACF.1 (PAR) Security attribute-based access control (access to configuration parameters)
Audit:
- Refusal or acceptance of the access request (associated data: identity inherited by the user, object concerned and security attributes used)
- Saving (associated data: result of the operation, type of data saved)
Dependencies: FDP_ACC.1 (PAR), FMT_MSA.3
FDP_ACF.1.1 The TSF shall enforce the [assignment: access control policy for configuration parameters] to objects based on the following: [assignment:
- subjects: S_APPLI, S_FLOW, S_AUDIT, S_ADMIN
- objects: D_AC_PARAM, D_CONFIG, D_SEC_PAR, D_MON_PAR, D_APPLI_FILTER, D_FLOW_FILTER
- security attributes: SA_IDENT, SA_ROLE, SA_USER, SA_DIGEST, SA_PROG_ID, SA_NETWORK, SA_ADAPTIVITY, SA_LEVEL].
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: there exists at least one access control rule selected in Table 5: Access control rules].
FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: no rules that explicitly authorise access of subjects to objects].
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [assignment: there exists at least one access control rule selected in Table 5: Access control rules prohibiting this access].

6.2.3.2 Filtering rule access control

FDP_ACC.1 (FI) Subset access control (access to filtering rules)
Audit:
- No audit messages for this component
Dependencies: FDP_ACF.1 (FI)
FDP_ACC.1.1 The TSF shall enforce the [assignment: access control policy for filtering rules] on: [assignment:
- subjects: S_APPLI, S_FLOW, S_COMM, S_ADMIN
- objects: D_AC_PARAM, D_FLOW_IN, D_FLOW_OUT, D_APPLI_FILTER, D_FLOW_FILTER
- operations: C, W, R, D].
FDP_ACF.1 (FI) Security attribute-based access control (access to filtering rules)
Audit:
- Refusal or acceptance of the access request (associated data: identity inherited by the user, object concerned and security attributes used)
- Saving (associated data: result of the operation, type of data saved)
Dependencies: FDP_ACC.1 (FI), FMT_MSA.3
FDP_ACF.1.1 The TSF shall enforce the [assignment: access control policy for filtering rules] to objects based on the following: [assignment:
- subjects: S_APPLI, S_FLOW, S_COMM, S_ADMIN
- objects: D_AC_PARAM, D_FLOW_IN, D_FLOW_OUT, D_APPLI_FILTER, D_FLOW_FILTER
- security attributes: SA_IDENT, SA_ROLE, SA_USER, SA_DIGEST, SA_PROG_ID, SA_NETWORK, SA_ADAPTIVITY, SA_LEVEL].
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [assignment: there exists at least one access control rule selected in Table 5: Access control rules].
FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [assignment: no rules that explicitly authorise access of subjects to objects].
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the following additional rules: [assignment: there exists at least one access control rule selected in Table 5: Access control rules prohibiting this access].

6.2.3.3 Other TOE data protection

FDP_RIP.1 Subset residual information protection
Audit:
- No audit messages for this component
Dependencies: none
FDP_RIP.1.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the [selection: deallocation of the resource from] the following objects: [assignment: D_APPLI_FILTER, D_FLOW_FILTER, D_AC_PARAM, D_FLOW_AUDIT].
6.2.4 TOE administration

FMT_MSA.1 Management of security attributes
Audit:
- Any request (accepted or refused) for access to a security attribute (associated data: identity of the subject, identity of the user, object, attribute, value, type of access requested, status or result of the request)
Dependencies: FDP_IFC.1 (OAF), FDP_IFC.1 (ONF), FDP_IFC.1 (INF), FDP_IFC.1 (IAF), FMT_SMR.1 and FMT_SMF.1
FMT_MSA.1.1 The TSF shall enforce the [assignment: access control policy for filtering rules and access control policy for configuration parameters] to restrict the ability to [selection: change_default, query, modify, delete] the security attributes: [assignment:
1. D_APPLI_FILTER, D_FLOW_FILTER: in order to read or modify the security attributes of these objects, the SA_LEVEL attribute of the object shall have the value “SPECIFIC”, the SA_USER attribute of the subject and of the object shall be equal and the SA_ADAPTIVITY attribute shall have the value “ADAPTIVE”
2. D_AC_PARAM, D_CONFIG: the security attributes of these objects are not modifiable
3. D_SEC_PAR, D_MON_PAR: the security attributes of these objects are not modifiable
4. D_FLOW_AUDIT, D_ADMIN_AUDIT, D_ALARM: the security attributes of these objects are not modifiable
5. D_FLOW_IN, D_FLOW_OUT: in order to read or modify the security attributes of these objects, the security attribute SA_IDENT of the subject shall have the value “S_APPLI” or “S_FLOW”]
to [assignment: ADMINISTRATOR, SUPERVISOR, BASIC USER].
Application note: The STs in conformity with this PP shall detail or supplement these rules.

FMT_SMR.1 Security roles
Audit:
- Any modification to the role held by a user (associated data: user identity, role, status or result of the request)
Dependencies: FIA_UID.1 (covered by FIA_UID.2 (LU) and FIA_UID.2 (RU))
FMT_SMR.1.1 The TSF shall maintain the roles [assignment: ADMINISTRATOR, SUPERVISOR, BASIC USER].
FMT_SMR.1.2 The TSF shall be able to associate users with roles.
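The five FMT_MSA.1.1 rules above, applied to concrete requests and written to the audit trail that the component requires (subject, user, object, attribute, value, type of access, status), as an added example in Python that is not part of the PP. The Subject and TOEObject records, the audit message format, and the treatment of a query on objects the PP only declares not modifiable are this example's assumptions.

```python
"""Added example (not from the PP-PFP): the FMT_MSA.1.1 rules restricting
access to the security attributes of TOE objects, with the audit message the
component asks for. Record layouts and the 'query' treatment are assumptions."""
from dataclasses import dataclass

NOT_MODIFIABLE = {"D_AC_PARAM", "D_CONFIG", "D_SEC_PAR", "D_MON_PAR",   # rules 2 and 3
                  "D_FLOW_AUDIT", "D_ADMIN_AUDIT", "D_ALARM"}            # rule 4
FILTER_OBJECTS = {"D_APPLI_FILTER", "D_FLOW_FILTER"}                     # rule 1
FLOW_OBJECTS = {"D_FLOW_IN", "D_FLOW_OUT"}                               # rule 5


@dataclass(frozen=True)
class Subject:
    sa_ident: str      # S_ADMIN, S_APPLI, S_FLOW, S_AUDIT or S_COMM
    sa_user: str       # identity inherited from the connected user
    sa_role: str       # ADMINISTRATOR, SUPERVISOR or BASIC USER


@dataclass(frozen=True)
class TOEObject:
    kind: str                 # one of the D_* names above
    sa_user: str = ""         # owner of a user-specific filtering rule
    sa_level: str = ""        # "GLOBAL" or "SPECIFIC"
    sa_adaptivity: str = ""   # "ADAPTIVE" when the user may adapt the rule


def attribute_access_allowed(subject: Subject, obj: TOEObject, access: str):
    """Decide one request ('query' or 'modify') on a security attribute of obj.
    Returns (allowed, rule) where rule names the FMT_MSA.1.1 item applied."""
    if obj.kind in FILTER_OBJECTS:
        # Rule 1: SPECIFIC level, same SA_USER on subject and object, ADAPTIVE.
        ok = (obj.sa_level == "SPECIFIC" and obj.sa_user == subject.sa_user
              and obj.sa_adaptivity == "ADAPTIVE")
        return ok, "rule 1"
    if obj.kind in NOT_MODIFIABLE:
        # Rules 2-4 only say the attributes are not modifiable; this example
        # assumes that reading them is not restricted by FMT_MSA.1.
        return access != "modify", "rules 2-4"
    if obj.kind in FLOW_OBJECTS:
        # Rule 5: only the filtering modules themselves handle flow attributes.
        return subject.sa_ident in ("S_APPLI", "S_FLOW"), "rule 5"
    return False, "no rule (restrictive default assumed)"


def request_attribute_access(subject, obj, attribute, value, access, audit):
    """Apply the decision and append the audit message required for FMT_MSA.1."""
    allowed, rule = attribute_access_allowed(subject, obj, access)
    audit.append(f"{'ACCEPTED' if allowed else 'REFUSED'} subject={subject.sa_ident} "
                 f"user={subject.sa_user} object={obj.kind} attribute={attribute} "
                 f"value={value} access={access} rule={rule}")
    return allowed


# Constructed subjects and objects for the demonstration.
ALICE_VIA_ADMIN = Subject("S_ADMIN", "alice", "BASIC USER")
APPLI_MODULE = Subject("S_APPLI", "alice", "BASIC USER")
ALICE_RULE = TOEObject("D_FLOW_FILTER", sa_user="alice", sa_level="SPECIFIC", sa_adaptivity="ADAPTIVE")
BOB_RULE = TOEObject("D_FLOW_FILTER", sa_user="bob", sa_level="SPECIFIC", sa_adaptivity="ADAPTIVE")
GLOBAL_RULE = TOEObject("D_APPLI_FILTER", sa_level="GLOBAL")
CONFIG = TOEObject("D_CONFIG")
FLOW_IN = TOEObject("D_FLOW_IN")


def demo():
    """Run the representative requests; return the decisions and the audit trail."""
    audit = []
    results = {
        "own adaptive rule": request_attribute_access(ALICE_VIA_ADMIN, ALICE_RULE, "SA_NETWORK", "tcp/443", "modify", audit),
        "another user's rule": request_attribute_access(ALICE_VIA_ADMIN, BOB_RULE, "SA_NETWORK", "tcp/443", "modify", audit),
        "global rule": request_attribute_access(ALICE_VIA_ADMIN, GLOBAL_RULE, "SA_LEVEL", "SPECIFIC", "modify", audit),
        "config modify": request_attribute_access(ALICE_VIA_ADMIN, CONFIG, "SA_IDENT", "x", "modify", audit),
        "config query": request_attribute_access(ALICE_VIA_ADMIN, CONFIG, "SA_IDENT", None, "query", audit),
        "flow by S_APPLI": request_attribute_access(APPLI_MODULE, FLOW_IN, "SA_NETWORK", "udp/53", "modify", audit),
        "flow by S_ADMIN": request_attribute_access(ALICE_VIA_ADMIN, FLOW_IN, "SA_NETWORK", "udp/53", "modify", audit),
    }
    return results, audit


if __name__ == "__main__":
    for line in demo()[1]:
        print(line)
```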
FMT_SMF.1 Specification of Management Functions
Audit:
- Any request (accepted or refused) for access to a management function (associated data: identity of the subject, identity of the user, object, attribute, value, type of access requested, status or result of the request)
Dependencies: none
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [assignment:
1. Monitoring of the TOE and display of the filtering policy.
2. Management of the audit and display parameters for audit messages.
3. Management of TOE users (basic users, administrators, supervisors).
4. Management of the filtering policy.
5. Management of TOE configuration parameters].

FMT_MSA.3 Static attribute initialisation
Audit:
- Any request (accepted or refused) for modification to the initial value of a security attribute (associated data: identity of the subject, identity of the user, object, attribute, value, type of access requested, status or result of the request)
Dependencies: FMT_MSA.1 and FMT_SMR.1
FMT_MSA.3.1 The TSF shall enforce the [assignment: filtering policies] to provide [selection: restrictive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [assignment: ADMINISTRATOR, BASIC USER] to specify alternative initial values to override the default values when an object or information is created.

FMT_MSA.4 Security attribute value inheritance
Audit:
- Creation of an object or of a subject (associated data: identity of the subject or of the object + list of security attributes)
Dependencies: FDP_IFC.1 (OAF), FDP_IFC.1 (ONF), FDP_IFC.1 (INF), FDP_IFC.1 (IAF)
FMT_MSA.4.1 The TSF shall use the following rules to set the value of security attributes: [assignment:
1. Creation of a D_APPLI_FILTER or D_FLOW_FILTER object:
- where the SA_ROLE attribute of the subject (S_ADMIN) is different from “ADMINISTRATOR”, the attribute SA_LEVEL takes as its value the identity of the user and the attribute SA_ADAPTIVITY takes as its value “ADAPTIVE”
- where the SA_ROLE of the subject (S_ADMIN) is “ADMINISTRATOR”, the attribute SA_LEVEL takes as its value “GLOBAL”
- for D_APPLI_FILTER, the attribute SA_DIGEST takes the value calculated by the TOE for this program
2. Creation of a D_FLOW_AUDIT or D_ADMIN_AUDIT object: the SA_DIGEST attribute takes the value calculated by the TOE. This attribute makes it possible to control the integrity of the object and the linking of this message with previous objects of the same type (i.e. D_FLOW_AUDIT or D_ADMIN_AUDIT)].
Application note: The STs in conformity with this PP must provide a list of the other rules implemented for initialising security attributes when subjects or objects are created. The STs in conformity with this PP must state the calculation method of the integrity check value of the program and the scope of this integrity check value. The STs in conformity with this PP must state the calculation method of the integrity check value corresponding to a D_FLOW_AUDIT or D_ADMIN_AUDIT object and the scope of this integrity check value.

6.2.5 Security of administration or monitoring data transmission

The following requirements contribute to establishing a trusted channel between the TOE and a remote administration or monitoring site.

FIA_UID.2 (TC) User identification before any action (trusted channel)
Audit:
- Connection of a remote program (associated data: identification of the program, connection context)
Dependencies: none
FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.
Refinement: The TSF shall require that any remote program (U_REMOTE_PROGRAM) wishing to communicate with the administration and monitoring module (S_ADMIN) be successfully identified before the latter can establish a link with the communication module (S_COMM).

FIA_UAU.2 (TC) User authentication before any action (mutual authentication)
Audit:
- Authentication attempt (successful or not) of a remote program
Dependencies: FIA_UID.1 (RP)
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
Refinement: The TSF shall authenticate all remote programs (U_REMOTE_PROGRAM) making a connection for administration or monitoring purposes before the latter can establish a link with the communication module (S_COMM).

FIA_USB.1 (TC) User-subject binding (trusted channel)
Audit:
- Establishment of a link between a remote program and a subject (associated data: identification of the program, identification of the subject, values of the security attributes defined when establishing the link)
Dependencies: FIA_ATD.1 (TC)
FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [assignment: security attributes: SA_ENVIRONMENT, SA_NETWORK].
Refinement: The TSF shall associate the following security attributes with the communication module (S_COMM) following the establishment of a link between a remote program (U_REMOTE_PROGRAM) and the communication module (S_COMM): SA_ENVIRONMENT, SA_NETWORK.
FIA_USB.1.2 The TSF shall enforce the following rules on the initial association of user security attributes with subjects acting on the behalf of users: [assignment: the security attributes of S_COMM are updated according to the security properties of U_REMOTE_PROGRAM in the following manner:
1. SA_ENVIRONMENT = value corresponding to the network environment of the workstation (“IN” or “OUT”); this value is supplied by the workstation
2. SA_NETWORK is assigned the values relative to the network connection; these values are calculated by the TOE according to information taken from the requested network connection].
FIA_USB.1.3 The TSF shall enforce the following rules governing changes to the user security attributes associated with subjects acting on the behalf of users: [assignment: no additional rules for the changing of attributes].

FIA_ATD.1 (TC) User attribute definition (trusted channel)
Audit:
- No audit messages for this component
Dependencies: none
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [assignment: security attributes: SA_ENVIRONMENT, SA_NETWORK].

FTA_SSL.3 (TC) TSF-initiated termination (trusted channel)
Audit:
- Closing of an interactive session by the TSF (associated data: identification of the user, identification of the subject, values of the security attributes defined when closing the interactive session)
Dependencies: none
FTA_SSL.3.1 The TSF shall terminate an interactive session after an [assignment: time interval of user inactivity].
Refinement: The TSF shall put an end to the link between a remote program and the communication module (S_COMM) under the following conditions:
1. A break in the network connection between the remote site and the TOE.
2. Shutdown of the TOE.
3. A break in the trusted channel (following the detection of an anomaly on this channel, for example) established between the TOE and the remote program and used by this link.
4. Other conditions.
Application note: The STs in conformity with this PP must specify the conditions that can lead to a break in the link by the TSF.
FTA_SSL.4 (TC) User-initiated termination (trusted channel)
Audit:
- Closing of an interactive session by a remote program (associated data: identification of the subject, values of the security attributes defined during the closing of the session)
Dependencies: none
FTA_SSL.4.1 The TSF shall allow [refinement: remote program]-initiated termination of the [refinement: remote program]'s own interactive session.

FPT_ITI.1 Inter-TSF detection of modification
Audit:
- Result of the detection of a modification, deletion or insertion of data (associated data: result of detecting an anomaly, corrupted data)
- Action taken (issuing of an alert)
Dependencies: none
FPT_ITI.1.1 The TSF shall provide the capability to detect modification of all TSF data during transmission between the TSF and another trusted IT product within the following metric: [assignment: detection of any anomaly, such as the modification, deletion or insertion of data in messages relative to D_FLOW_FILTER, D_APPLI_FILTER, D_CONFIG, D_AC_PARAM, D_ALARM, D_FLOW_AUDIT, D_ADMIN_AUDIT, D_FLOW_IN, D_FLOW_OUT, D_MON_PAR, D_SEC_PAR].
Application note: The STs in conformity with this PP must specify the anomalies taken into account and the mechanisms used.
FPT_ITI.1.2 The TSF shall provide the capability to verify the integrity of all TSF data transmitted between the TSF and another trusted IT product and perform [assignment: issuing an alert] if modifications are detected.

FPT_RPL.1 Replay detection
Audit:
- Result of the detection of a replay attack (associated data: result of the detection of an attack, the element replayed, the network address of the source of replay)
- Action taken (issuing of an alert)
Dependencies: none
FPT_RPL.1.1 The TSF shall detect replay for the following entities: [assignment: administration or monitoring commands received from a remote program].
FPT_RPL.1.2 The TSF shall perform [assignment: ignore the message and issue an alarm] when replay is detected.

FPT_ITC.1 Inter-TSF confidentiality during transmission
Audit:
- No audit messages for this component
Dependencies: none
FPT_ITC.1.1 The TSF shall protect all TSF data transmitted from the TSF to another trusted IT product from unauthorised disclosure during transmission.
Refinement: The TSF shall protect the confidentiality of data transmitted across the network by the communication module (S_COMM) to a remote program (U_REMOTE_PROGRAM) linked to this subject when this data emanates from the administration and monitoring module (S_ADMIN). Data concerned: D_ALARM, D_FLOW_AUDIT, D_ADMIN_AUDIT, D_AC_PARAM, D_CONFIG, D_SEC_PAR, D_MON_PAR.
Application note: The STs in conformity with this PP must detail the methods used.

FTP_ITC.1 Inter-TSF trusted channel
Audit:
- Authentication by the TOE of a remote program (associated data: success or failure of the operation, identity of the remote program)
- Any anomaly detected during communication between the TOE and a remote user (associated data: determination of a user’s identity, corrupted data)
Dependencies: none
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit [selection: a remote program (U_REMOTE_PROGRAM)] to initiate communication via the trusted channel.
Application note: The STs in conformity with this PP must state the authentication method used.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [assignment: ensuring the confidentiality and controlling the integrity of data (data concerned: D_AC_PARAM, D_CONFIG, D_SEC_PAR, D_MON_PAR, D_FLOW_FILTER, D_APPLI_FILTER) shared between the communication module (S_COMM) and a remote program (U_REMOTE_PROGRAM) to which it is linked through the network when this data is intended for the administration and monitoring module (S_ADMIN)].
Application note: The STs in conformity with this PP must state the methods used (for ensuring confidentiality and controlling integrity) and the anomalies taken into account.

FPT_TDC.1 Inter-TSF basic TSF data consistency
Audit:
- Result of using the mechanisms ensuring the coherency of TSF data
Dependencies: none
FPT_TDC.1.1 The TSF shall provide the capability to consistently interpret [assignment: list of TSF data types] when shared between the TSF and another trusted IT product.
Application note: The STs in conformity with this PP must detail the data requiring interpretation.
FPT_TDC.1.2 The TSF shall use [assignment: list of interpretation rules to be applied by the TSF] when interpreting the TSF data from another trusted IT product.
Application note: The STs in conformity with this PP must detail the interpreting rules.

6.2.6 Audit and logging

The following components contribute to the implementation of the audit function, logging, the detection of attacks and responses to attacks.
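The trusted-channel requirements above (FPT_ITI.1, FPT_RPL.1) and the SA_DIGEST chaining rule stated for D_ADMIN_AUDIT objects, as an added worked example that is not part of the profile: an S_COMM-side receiver that rejects modified commands, ignores and alarms on replayed ones, and writes digest-chained audit records. The wire format, the HMAC-SHA256 keying, the SHA-256 chaining and the sample exchange are assumptions of this example; the PP leaves the actual mechanisms to the security target.

```python
"""Added example (not part of PP-PFP): an S_COMM-side receiver for administration
commands arriving over the trusted channel, implementing the checks the profile
asks of the TSF: detection of modified messages (FPT_ITI.1), detection of replayed
commands, which are ignored and raise an alarm (FPT_RPL.1), and D_ADMIN_AUDIT
records whose SA_DIGEST chains each record to the previous one (FMT_MSA.3 rule 2).
The wire format, HMAC-SHA256 keying and SHA-256 chaining are assumptions of this
example; the PP leaves the actual mechanisms to the security target."""
import hashlib
import hmac
import json
from dataclasses import dataclass

GENESIS = "0" * 64  # assumed "previous digest" for the first record of a log


@dataclass
class AdminAuditRecord:
    """A D_ADMIN_AUDIT object: event data plus the chained SA_DIGEST attribute."""
    seq: int
    event: str
    data: dict
    sa_digest: str = ""


def chained_digest(rec, prev_digest):
    # SA_DIGEST covers the record body and the previous record's digest, so a
    # modified, deleted or inserted record invalidates every digest after it.
    body = json.dumps([rec.seq, rec.event, rec.data], sort_keys=True).encode()
    return hashlib.sha256(prev_digest.encode() + body).hexdigest()


class AdminAuditLog:
    def __init__(self):
        self.records = []

    def append(self, event, data):
        prev = self.records[-1].sa_digest if self.records else GENESIS
        rec = AdminAuditRecord(len(self.records), event, dict(data))
        rec.sa_digest = chained_digest(rec, prev)   # the value "calculated by the TOE"
        self.records.append(rec)
        return rec

    def first_broken_record(self):
        """Index of the first record that fails the chain check, or None if intact."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            if rec.seq != i or chained_digest(rec, prev) != rec.sa_digest:
                return i
            prev = rec.sa_digest
        return None


def make_command(key, seq, cmd):
    """Build an authenticated command as the remote program (U_REMOTE_PROGRAM) would."""
    mac = hmac.new(key, f"{seq}|{cmd}".encode(), "sha256").hexdigest()
    return {"seq": seq, "cmd": cmd, "mac": mac}


class TrustedChannelReceiver:
    """Checks each command before it reaches the administration module (S_ADMIN)."""

    def __init__(self, key, log):
        self.key = key
        self.log = log
        self.last_seq = -1      # highest sequence number accepted so far
        self.alarms = []        # D_ALARM entries issued
        self.delivered = []     # commands handed on to S_ADMIN

    def receive(self, msg, source):
        expected = hmac.new(self.key, f"{msg['seq']}|{msg['cmd']}".encode(),
                            "sha256").hexdigest()
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            # FPT_ITI.1: modification detected -> alert, nothing delivered
            self.alarms.append(f"integrity failure from {source}")
            self.log.append("integrity_failure", {"source": source, "seq": msg["seq"]})
            return "rejected:integrity"
        if msg["seq"] <= self.last_seq:
            # FPT_RPL.1: replay detected -> ignore the message and issue an alarm
            self.alarms.append(f"replay of seq {msg['seq']} from {source}")
            self.log.append("replay", {"source": source, "seq": msg["seq"],
                                       "element": msg["cmd"]})
            return "ignored:replay"
        self.last_seq = msg["seq"]
        self.delivered.append(msg["cmd"])
        self.log.append("admin_command", {"source": source, "seq": msg["seq"],
                                          "cmd": msg["cmd"]})
        return "accepted"


def demo():
    """Constructed exchange: two valid commands, a replay, then a tampered message."""
    key = b"constructed-session-key"   # assumed to be agreed during FTP_ITC.1 setup
    log = AdminAuditLog()
    rx = TrustedChannelReceiver(key, log)
    m1 = make_command(key, 1, "set D_FLOW_FILTER rule 7 deny")
    m2 = make_command(key, 2, "read D_FLOW_AUDIT")
    tampered = dict(m2, cmd="set D_FLOW_FILTER rule 7 allow")  # body altered in transit
    results = [rx.receive(m1, "10.0.0.5"), rx.receive(m2, "10.0.0.5"),
               rx.receive(m1, "10.0.0.9"), rx.receive(tampered, "10.0.0.5")]
    chain_before = log.first_broken_record()            # None: chain intact
    log.records[1].data["cmd"] = "read D_ADMIN_AUDIT"   # tamper with a stored record
    return {"results": results, "alarms": list(rx.alarms), "delivered": rx.delivered,
            "chain_before": chain_before, "chain_after": log.first_broken_record()}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```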
FAU_GEN.1 Audit data generation
Audit:
- No audit messages for this component
Dependencies: FPT_STM.1
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shut-down of the audit functions;
b) All auditable events for the [selection: operations (defined for each component) giving rise to the creation of an audit message (see Table 6: List of audited events by component)] level of audit; and
c) [assignment: other specifically defined auditable events].
Application note: The STs in conformity with this PP must provide an accurate list of audited events and operations giving rise to the recording of an audit message.

Component: Associated audit messages

FDP_IFC.1 (ONF)
- No audit messages for this component
FDP_IFF.1 (ONF)
- Refusal of an outgoing access request (associated data: identity inherited by the user, object concerned and security attributes used)
- Acceptance of an outgoing access request (associated data: identity inherited by the user, object concerned and security attributes used)
FDP_ETC.2 (ONF)
- Detail of the export request (associated data: identity of requestor, remote site concerned and result of the request (acceptance or refusal))
FDP_IFF.5 (ONF)
- Result of the identification of an illicit information bypass flow
FDP_IFC.1 (INF)
- No audit messages for this component
FDP_IFF.1 (INF)
- Refusal of an incoming access request (associated data: identity inherited by the user, object concerned and security attributes used)
- Acceptance of an incoming access request (associated data: identity inherited by the user, object concerned and security attributes used)
FDP_ITC.1 (INF)
- Detail of the import request (associated data: identity of requestor, remote site concerned and result of the request (acceptance or refusal))
FDP_IFF.5 (INF)
- Result of the identification of an illicit information bypass flow
FDP_IFC.1 (OAF)
- No audit messages for this component
FDP_IFF.1 (OAF)
- Refusal of an outgoing access request (associated data: identity inherited by the user, object concerned and security attributes used)
- Acceptance of an outgoing access request (associated data: identity inherited by the user, object concerned and security attributes used)
FDP_ITC.1 (OAF)
- Detail of the import request (associated data: identity of requestor, remote site concerned and result of the request (acceptance or refusal))
FDP_IFF.5 (OAF)
- Result of the identification of an illicit information bypass flow
FTA_TSE.1 (OAF)
- Refusal to establish a link for a local program (associated data: reason for the refusal, security parameters used and the security rule on which refusal to establish a link is based)
FDP_IFC.1 (IAF)
- No audit messages for this component
FDP_IFF.1 (IAF)
- Refusal of an incoming access request (associated data: identity inherited by the user, object concerned and security attributes used)
- Acceptance of an incoming access request (associated data: identity inherited by the user, object concerned and security attributes used)
FDP_ETC.2 (IAF)
- Detail of the request (associated data: filtering rule and attributes upon which acceptance or refusal of the packet is based, status (acceptance or refusal))
FDP_IFF.5 (IAF)
- Result of the identification of an illicit information bypass flow
FIA_UID.2 (LP)
- Connection of a local program (associated data: identification of the program, connection context)
FIA_USB.1 (LP)
- Establishment of a link between a local program and a subject (associated data: identification of the program, identification of the subject, values of the security attributes defined when establishing the link)
FIA_ATD.1 (LP)
- No audit messages for this component
FTA_SSL.4 (LP)
- Closing of an interactive session by a local program (associated data: identification of the subject, values of the security attributes defined during the closing of the session)
FIA_UID.1 (RP)
- Anonymous connection of a remote program (associated data: connection context)
FIA_USB.1 (RP)
- Establishment of a link between a remote program and a subject (associated data: identification of the subject, values of the security attributes defined when establishing the link)
FIA_ATD.1 (RP)
- No audit messages for this component
FTA_SSL.4 (RP)
- Closing of an interactive session by a remote program (associated data: identification of the subject, values of the security attributes defined during the closing of the session)
FMT_MTD.1
- Recording of a new user
- Access (successful or not, for reading, writing or modification) to a user’s properties
FMT_MTD.3
- Refusal of authentication data or security properties relative to user management
FIA_SOS.1
- Acceptance or refusal of the authentication data supplied
FIA_SOS.2
- Generation of authentication data
FIA_UID.2 (LU)
- Connection of a local user (associated data: user identity, connection context)
FIA_UID.2 (RU)
- Connection of a remote user (associated data: user identity, connection context)
FIA_UAU.2 (LU)
- Authentication attempt (successful or not) of a local user
FIA_UAU.2 (RU)
- Authentication attempt (successful or not) of a remote user
FIA_UAU.7
- No audit messages for this component
FIA_AFL.1
- Reaching or exceeding one of the alert thresholds during connection (associated data: threshold, number of attempts)
- Actions taken (issuing of an alert, blocking of the connection, etc.)
FTA_TSE.1 (LU)
- Refusal to establish a link between a local user and a subject (associated data: reason for the refusal, security parameters upon which acceptance or refusal of the establishment of the link are based)
FTA_TSE.1 (RU)
- Refusal to establish a link between a remote user and a subject (associated data: reason for the refusal, security parameters upon which acceptance or refusal of the establishment of the link are based)
FIA_USB.1 (LU)
- Establishment of a link between a user and a subject (associated data: identification of the user, identification of the subject, values of the security attributes defined when establishing the link)
FIA_ATD.1 (LU)
- No audit messages for this component
FIA_USB.1 (RU)
- Establishment of a link between a remote user and a subject (associated data: identification of the user, identification of the subject, values of the security attributes defined when establishing the link)
FIA_ATD.1 (RU)
- No audit messages for this component
FTA_SSL.3 (RU)
- Closing of an interactive session by the TSF (associated data: identification of the user, identification of the subject, values of the security attributes defined when closing the interactive session)
FTA_SSL.4 (LU)
- Closing of an interactive session by a local user (associated data: identification of the user, identification of the subject, values of the security attributes defined when closing the session)
FTA_SSL.4 (RU)
- Closing of an interactive session by a remote user (associated data: identification of the user, identification of the subject, values of the security attributes defined when closing the session)
FDP_ACC.1 (PAR)
- No audit messages for this component
FDP_ACF.1 (PAR)
- Refusal or acceptance of the access request (associated data: identity inherited by the user, object concerned and security attributes used)
- Saving (associated data: result of the operation, type of data saved)
FDP_ACC.1 (FI)
- No audit messages for this component
FDP_ACF.1 (FI)
- Refusal or acceptance of the access request (associated data: identity inherited by the user, object concerned and security attributes used)
- Saving (associated data: result of the operation, type of data saved)
FDP_RIP.1
- No audit messages for this component
FMT_MSA.1
- Any request (accepted or refused) for access to a security attribute (associated data: identity of the subject, identity of the user, object, attribute, value, type of access requested, status or result of the request)
FMT_SMR.1
- Any modification to the role held by a user (associated data: user identity, role, status or result of the request)
FMT_SMF.1
- Any request (accepted or refused) for access to a management function (associated data: identity of the subject, identity of the user, object, attribute, value, type of access requested, status or result of the request)
FMT_MSA.3
- Any request (accepted or refused) for modification to the initial value of a security attribute (associated data: identity of the subject, identity of the user, object, attribute, value, type of access requested, status or result of the request)
FMT_MSA.4
- Creation of an object or of a subject (associated data: identity of the subject or of the object + list of security attributes)
FIA_UID.2 (TC)
- Connection of a remote program (associated data: identification of the program, connection context)
FIA_UAU.2 (TC)
- Authentication attempt (successful or not) of a remote program
FIA_USB.1 (TC)
- Establishment of a link between a remote program and a subject (associated data: identification of the program, identification of the subject, values of the security attributes defined when establishing the link)
FIA_ATD.1 (TC)
- No audit messages for this component
FTA_SSL.3 (TC)
- Closing of an interactive session by the TSF (associated data: identification of the user, identification of the subject, values of the security attributes defined when closing the interactive session)
FTA_SSL.4 (TC)
- Closing of an interactive session by a remote program (associated data: identification of the subject, values of the security attributes defined during the closing of the session)
FPT_ITI.1
- Result of the detection of a modification, deletion or insertion of data (associated data: result of detecting an anomaly, corrupted data)
- Action taken (issuing of an alert)
FPT_RPL.1
- Result of the detection of a replay attack (associated data: result of the detection of an attack, the element replayed, the network address of the source of replay)
- Action taken (issuing of an alert)
FPT_ITC.1
- No audit messages for this component
FTP_ITC.1
- Authentication by the TOE of a remote program (associated data: success or failure of the operation, identity of the remote program)
- Any anomaly detected during communication between the TOE and a remote user (associated data: determination of a user’s identity, corrupted data)
FPT_TDC.1
- Result of using the mechanisms ensuring the coherency of TSF data
FAU_SAA.1
- Rejection of an incoming connection (associated data: reason for refusal, connection context)
FAU_SAA.3
- Rejection of an incoming connection (associated data: reason for refusal, connection context)
FAU_SAR.1 (SUP)
- No audit messages for this component
FAU_SAR.1 (USR)
- No audit messages for this component
FAU_SAR.2
- An unsuccessful attempt to read audit data (associated data: identification of the user)
FAU_SAR.3
- No audit messages for this component
FAU_ARP.1
- Actions taken by the TSF following the detection of a potential violation of the security policy (associated data: type of violation, action taken)
FAU_STG.1
- No audit messages for this component
FAU_STG.4
- Reaching the maximum size for an audit file (associated data: size reached)
- Action(s) taken by the TSF in the event of reaching the maximum size for an audit file (associated data: audit file)
FPT_TST.1
- Results and details of tests undertaken
FRU_RSA.1 (RES)
- Reaching of a quota for the number of simultaneous network connections (associated data: quota reached)

Table 6: List of audited events by component

FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [assignment: any other relevant information connected to this operation or event (see Table 6: List of audited events by component)].
Application note: The STs in conformity with this PP must provide a detailed and exhaustive list of recorded information.

FAU_GEN.2 User identity association
Audit:
- No audit messages for this component
Dependencies: FAU_GEN.1 and FIA_UID.1 (RP)
FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.
Application note: The STs in conformity with this PP must provide an accurate list of audited events and operations giving rise to the recording of the user’s identity in an audit message.

FAU_SAA.1 Potential violation analysis
Audit:
- Rejection of an incoming connection (associated data: reason for refusal, connection context)
Dependencies: FAU_GEN.1 Audit data generation
FAU_SAA.1.1 The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the enforcement of the SFRs.
FAU_SAA.1.2 The TSF shall enforce the following rules for monitoring audited events:
a) Accumulation or combination of [assignment: more than N3 “Refusal of an incoming access request (associated data: inherited identity of the user, object concerned, security attributes used)” in the last N4 minutes] known to indicate a potential security violation;
b) [assignment: any other rules].
Application note: The STs in conformity with this PP must specify the selected or possible values for N3 and N4 as well as the other rules used.

FAU_SAA.3 Simple attack heuristics
Audit:
- Rejection of an incoming connection (associated data: reason for refusal, connection context)
Dependencies: none
FAU_SAA.3.1 The TSF shall be able to maintain an internal representation of the following signature events: [assignment:
1. Number of simultaneous connections from the network greater than N5.
2. Number of refusals for an incoming access request from a same remote system greater than N3 in the last N4 minutes.
3. Other events that may indicate a violation of the enforcement of the SFRs].
Application note: The STs in conformity with this PP must provide the list of events chosen and specify the selected or possible values for N3, N4 and N5.
FAU_SAA.3.2 The TSF shall be able to compare the signature events against the record of system activity discernible from an examination of [assignment:
1. Number of active connections.
2. Number of connection attempts having taken place in fewer than N4 minutes.
3. Other information].
Application note: The STs in conformity with this PP must specify what this other information is.
FAU_SAA.3.3 The TSF shall be able to indicate a potential violation of the enforcement of the SFRs when a system event is found to match a signature event that indicates a potential violation of the enforcement of the SFRs.

FAU_SAR.1 (SUP) Audit review
Audit:
- No audit messages for this component
Dependencies: FAU_GEN.1 Audit data generation
FAU_SAR.1.1 The TSF shall provide [assignment: users holding a SUPERVISOR role] with the capability to read [assignment: audit messages and alarm messages] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

FAU_SAR.1 (USR) Audit review (user access)
Audit:
- No audit messages for this component
Dependencies: FAU_GEN.1 Audit data generation
FAU_SAR.1.1 The TSF shall provide [assignment: users with an “audit” right] with the capability to read [assignment: audit messages and alerts] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

FAU_SAR.2 Restricted audit review
Audit:
- An unsuccessful attempt to read audit data (associated data: identification of the user)
Dependencies: FAU_SAR.1 Audit review
FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.

FAU_SAR.3 Selectable audit review
Audit:
- No audit messages for this component
Dependencies: FAU_SAR.1 Audit review
FAU_SAR.3.1 The TSF shall provide the ability to apply [assignment: methods of selection and/or ordering] of audit data based on [assignment: criteria with logical relations].
Application note: The STs in conformity with this PP must specify the available selection and viewing methods and which selection criteria can be used.

FAU_ARP.1 Security alarms
Audit:
- Actions taken by the TSF following the detection of a potential violation of the security policy (associated data: type of violation, action taken)
Dependencies: FAU_SAA.1
FAU_ARP.1.1 The TSF shall take [assignment: actions defined by the administrator] upon detection of a potential security violation.
Application note: The STs in conformity with this PP must specify the actions that an administrator can select in response to a potential violation of the security policy.

FAU_STG.1 Prevention of audit data loss
Audit:
- No audit messages for this component
Dependencies: FAU_GEN.1
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorised deletion.
FAU_STG.1.2 The TSF shall be able to [selection: prevent] unauthorised modifications to the stored audit records in the audit trail.

FAU_STG.4 Prevention of audit data loss
Audit:
- Reaching the maximum size for an audit file (associated data: size reached)
- Action(s) taken by the TSF in the event of reaching the maximum size for an audit file (associated data: audit file)
Dependencies: FAU_STG.1
FAU_STG.4.1 The TSF shall [selection, choose one of: “ignore audited events”, “prevent audited events, except those taken by the authorised user with special rights”, “overwrite the oldest stored audit records”] and [assignment: other actions to be taken in case of audit storage failure] if the audit trail is full.
Refinement: The files concerned are the audit files (D_FLOW_AUDIT, D_ADMIN_AUDIT) and the alert file (D_ALARM).
Application note:
- The STs in conformity with this PP must detail which actions are taken when one of the audit files is full.
- The STs in conformity with this PP must specify the maximum sizes for audit and alert files or how they are managed.

6.2.7 TOE reliability and availability

FPT_TST.1 TSF testing
Audit:
- Results and details of tests undertaken
Dependencies: none
FPT_TST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up, periodically during normal operation, at the request of the authorised user] to demonstrate the correct operation of [selection: [assignment: parts of TSF], the TSF].
Application note: The STs in conformity with this PP must detail the tests undertaken and give a list of the TSF components tested.
FPT_TST.1.2 The TSF shall provide authorised users with the capability to verify the integrity of [selection: [assignment: parts of TSF], TSF data].
Application note: The STs in conformity with this PP must detail the mechanisms used for carrying out this integrity inspection and give a list of the TOE components that have undergone an integrity check.
FPT_TST.1.3 The TSF shall provide authorised users with the capability to verify the integrity of stored TSF executable code.

FRU_RSA.1 (RES) Maximum quotas (incoming access)
Audit:
- Reaching of a quota for the number of simultaneous network connections (associated data: quota reached)
Dependencies: none
FRU_RSA.1.1 The TSF shall enforce maximum quotas of the following resources: [assignment: network access from remote sites] that [selection: remote programs (U_REMOTE_PROGRAM)] can use [selection: simultaneously].
Application note: The STs in conformity with this PP must specify the possible values for these quotas.

6.3 Security assurance requirements for the TOE

The TOE shall be evaluated according to EAL3 augmented by the components ALC_FLR.3 and AVA_VAN.3. This corresponds to the assurance package provided for the standard level qualification of a security target (see [QUALIF_STD]), defined by the “QS” column of the following table:

Assurance components for each evaluation level

Assurance classes            Assurance families   EAL1  EAL2  EAL3  EAL4  EAL5  EAL6  EAL7   QS
Development                  ADV_ARC                -     1     1     1     1     1     1     1
                             ADV_FSP                1     2     3     4     5     5     6     3
                             ADV_IMP                -     -     -     1     1     2     2     -
                             ADV_INT                -     -     -     -     2     3     3     -
                             ADV_SPM                -     -     -     -     -     1     1     -
                             ADV_TDS                -     1     2     3     4     5     6     2
Guidance documents           AGD_OPE                1     1     1     1     1     1     1     1
                             AGD_PRE                1     1     1     1     1     1     1     1
Life-cycle support           ALC_CMC                1     2     3     4     4     5     5     3
                             ALC_CMS                1     2     3     4     5     5     5     3
                             ALC_DEL                -     1     1     1     1     1     1     1
                             ALC_DVS                -     -     1     1     1     2     2     1
                             ALC_FLR                -     -     -     -     -     -     -     3
                             ALC_LCD                -     -     1     1     1     1     2     1
                             ALC_TAT                -     -     -     1     2     3     3     -
Security Target evaluation   ASE_CCL                1     1     1     1     1     1     1     1
                             ASE_ECD                1     1     1     1     1     1     1     1
                             ASE_INT                1     1     1     1     1     1     1     1
                             ASE_OBJ                1     2     2     2     2     2     2     2
                             ASE_REQ                1     2     2     2     2     2     2     2
                             ASE_SPD                -     1     1     1     1     1     1     1
                             ASE_TSS                1     1     1     1     1     1     1     1
Tests                        ATE_COV                -     1     2     2     2     3     3     2
                             ATE_DPT                -     -     1     2     3     3     4     1
                             ATE_FUN                -     1     1     1     1     2     2     1
                             ATE_IND                1     2     2     2     2     2     3     2
Vulnerability assessment     AVA_VAN                1     2     2     3     4     5     5     3

Table 7: Requirements for the standard level qualification of a ST

Application note: STs in conformity with this PP must respect the assurance package required for the standard level qualification.
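The potential-violation rule a) of FAU_SAA.1 and signature events 1 and 2 of FAU_SAA.3 (section 6.2.6), as an added worked example that is not part of the profile: a sliding-window analyser fed with audit events of the kinds listed in Table 6, whose output is what FAU_ARP.1 would act upon. The values of N3, N4 and N5, the event format and the sample trace are constructed for this example; the PP leaves the values to the security target.

```python
"""Added example (not part of PP-PFP): a potential-violation analyser implementing
rule a) of FAU_SAA.1 and signature events 1 and 2 of FAU_SAA.3 over audit records
of the kinds listed in Table 6.  N3, N4 and N5 are the profile's parameters (the
PP leaves their values to the security target; those used below are assumptions),
and the record format and the sample trace are constructed for this example."""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class AuditEvent:
    ts: float       # seconds since the start of the trace
    kind: str       # "refusal_in" (FDP_IFF.1 refusal of incoming access), "connect", "disconnect"
    remote: str     # network address of the remote system


class ViolationAnalyser:
    """Feeds audit events one by one; each detected violation is an input to FAU_ARP.1."""

    def __init__(self, n3, n4_minutes, n5):
        self.n3 = n3
        self.window = n4_minutes * 60.0
        self.n5 = n5
        self.refusals = deque()     # (ts, remote) for refusals in the last N4 minutes
        self.active = set()         # remote systems with an open connection
        self.violations = []        # (ts, rule, detail)

    def _expire(self, now):
        # Drop refusals older than N4 minutes so counts reflect the sliding window.
        while self.refusals and now - self.refusals[0][0] > self.window:
            self.refusals.popleft()

    def feed(self, ev):
        self._expire(ev.ts)
        if ev.kind == "connect":
            self.active.add(ev.remote)
            # FAU_SAA.3 signature 1: simultaneous connections greater than N5
            if len(self.active) == self.n5 + 1:
                self.violations.append((ev.ts, "FAU_SAA.3 signature 1",
                                        f"{len(self.active)} simultaneous connections"))
        elif ev.kind == "disconnect":
            self.active.discard(ev.remote)
        elif ev.kind == "refusal_in":
            self.refusals.append((ev.ts, ev.remote))
            # FAU_SAA.1 a): more than N3 refusals of incoming access in the last N4 minutes
            if len(self.refusals) == self.n3 + 1:
                self.violations.append((ev.ts, "FAU_SAA.1 a)",
                                        f"{len(self.refusals)} refusals in window"))
            # FAU_SAA.3 signature 2: more than N3 refusals from the same remote system
            same = sum(1 for _, r in self.refusals if r == ev.remote)
            if same == self.n3 + 1:
                self.violations.append((ev.ts, "FAU_SAA.3 signature 2",
                                        f"{same} refusals from {ev.remote}"))
        return self.violations

    def activity(self, now):
        """FAU_SAA.3.2 record of system activity: active connections and recent refusals."""
        self._expire(now)
        return {"active_connections": len(self.active),
                "refusals_in_window": len(self.refusals)}


# Constructed trace (not from the PP), analysed with N3 = 3, N4 = 1 minute, N5 = 2.
SAMPLE_TRACE = [
    AuditEvent(0, "connect", "192.0.2.10"),
    AuditEvent(5, "connect", "192.0.2.11"),
    AuditEvent(10, "connect", "192.0.2.12"),        # third simultaneous connection
    AuditEvent(20, "refusal_in", "198.51.100.7"),
    AuditEvent(25, "refusal_in", "198.51.100.8"),
    AuditEvent(30, "refusal_in", "198.51.100.7"),
    AuditEvent(35, "refusal_in", "198.51.100.7"),   # 4th refusal overall
    AuditEvent(40, "refusal_in", "198.51.100.7"),   # 4th refusal from the same source
    AuditEvent(50, "disconnect", "192.0.2.10"),
    AuditEvent(100, "refusal_in", "198.51.100.8"),  # earlier refusals have left the window
]


def run_demo(trace=SAMPLE_TRACE, n3=3, n4_minutes=1, n5=2):
    analyser = ViolationAnalyser(n3, n4_minutes, n5)
    for ev in trace:
        analyser.feed(ev)
    return analyser.violations, analyser.activity(trace[-1].ts)


if __name__ == "__main__":
    for violation in run_demo()[0]:
        print(violation)
```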
6.4 Rationale

6.4.1 Security requirements / Security objectives

6.4.1.1 Coverage of security objectives for the TOE

[Table 8 is the coverage matrix of the security functional requirements of section 6.2 (FDP_IFC.1 (ONF) to FRU_RSA.1 (RES)) against the security objectives for the TOE: OT_filtering_level, OT_filtering_criteria, OT_application_integrity, OT_administration, OT_monitoring, OT_roles, OT_identification, OT_authentication, OT_access_control, OT_TOE_reuse, OT_log_protection, OT_remote_admin_authentication, OT_remote_admin_integrity, OT_remote_admin_confidentiality, OT_remote_admin_no_replay, OT_flow_audit, OT_admin_audit, OT_violation_detection, OT_violation_reaction, OT_TOE_integrity, OT_operational_state, OT_crypto. The mapping is stated objective by objective in the text that follows.]

Table 8: Security functional requirements / security objectives for the TOE

OT_filtering_level, OT_filtering_criteria
FDP_IFF.1 (OAF, IAF, ONF, INF) define the filtering policies to be applied. FDP_IFC.1 (OAF, IAF, ONF, INF) specify that the TOE implements these filtering policies. FDP_ETC.2 (ONF, IAF) specify which filtering rules must be implemented for flows leaving the TOE (i.e. network filtering of outgoing flows and application filtering of incoming flows). FDP_ITC.1 (INF) and FDP_ITC.1 (OAF) specify which filtering rules are to be implemented for flows emanating from outside the TOE (i.e. application filtering of outgoing flows and network filtering of incoming flows). FDP_IFF.5 (OAF, IAF, ONF, INF) ensure that the TOE controls all incoming and outgoing flows without exception (i.e. no by-pass). FPT_TDC.1 details the data needing to be interpreted and the interpreting rules for the mechanisms ensuring the coherency of TSF data. FIA_UID.1 (RP) specifies that remote programs (other than those used for remote administration or remote monitoring) do not need to identify themselves before establishing a link with the TOE. FIA_UID.2 (LP) specifies that local programs need to identify themselves before establishing a link with the TOE. FIA_USB.1 (LP, RP) and FIA_ATD.1 (LP, RP) define the inheritance rules of security attributes for the application filtering module and the network filtering module. FTA_SSL.4 (LP) and FTA_SSL.4 (RP) specify that local or remote programs can end their interactive session. FMT_MSA.1, FMT_MSA.3 and FMT_MSA.4 specify the rules relative to the definition or modification of security attributes.

OT_application_integrity
FIA_UID.2 (LP) specifies that local programs need to identify themselves before establishing a link with the TOE, thereby enabling the TOE to search for the associated integrity check value for comparison. FIA_ATD.1 (LP) specifies that the TOE manages the integrity check values associated with local programs. FTA_TSE.1 (OAF) implements the integrity check for local programs seeking to make outgoing connections. FTA_TSE.1 (OAF) issues an audit message in the event of the corruption of a local program.

OT_administration, OT_monitoring
FMT_MTD.1 and FMT_MTD.3 specify the recording conditions of users; FIA_SOS.1 and FIA_SOS.2 define criteria relative to user authentication data. FMT_MSA.1, FMT_MSA.3 and FMT_MSA.4 specify the rules relative to the definition of security attributes. FPT_TDC.1 details the data needing to be interpreted and the interpreting rules for the mechanisms ensuring the coherency of data exchanged within the context of remote monitoring and remote administration. FIA_UID.2 (LU, RU) specify that the TOE begins by identifying users before taking any other action; FIA_UAU.2 (LU, RU) specify that the TOE authenticates users before establishing a link. FIA_UAU.7 specifies that the TOE shall not provide any information to the user as long as this user is not authenticated. FIA_AFL.1 specifies the conditions required for the TOE to signal user connection errors. FDP_ITC.1 (INF) specifies the rules authorising the transmission of data to the communication module. FTA_TSE.1 (LU, RU) specify the rules for establishing a link between a user and the TOE. FIA_USB.1 (LU, RU) and FIA_ATD.1 (LU, RU) specify the rules for the allocation of security attributes enabling authorised users to access the functions they are allowed to use. FDP_ACC.1 (PAR, FI) and FDP_ACF.1 (PAR, FI) present the rules enabling authorised users to gain access to data they are responsible for managing. FMT_SMF.1 specifies that the TOE logs and records the use of administration and monitoring functions. FTA_SSL.3 (RU) and FTA_SSL.4 (LU, RU) define the conditions relative to a break in the connection between a user and the TOE that results in the blocking of access authorisation for this user via the administration and monitoring module.

OT_roles
FMT_MTD.1, FMT_MTD.3 and FMT_SMR.1 specify user recording conditions and also stipulate which roles can be allocated to the user. FIA_USB.1 (LU, RU) and FIA_ATD.1 (LU, RU) specify the rules governing the allocation of security attributes (including the role) according […] authorised users access to the functions they are allowed to use.

OT_identification
[…] identifying users before any […] user. […] (LU, RU) specify that the TOE associates security attributes to sessions […]

OT_authentication
[…] specify the recording conditions of users, including […] controls authentication data quality.
U, RU) specify that the TOE authenticates users before establishing a es no information to the user as long as OT_ac TOE provides no information to the user as long as data and TOE that the TOE applies the filtering policies defined by AR, FI). FMT_MTD.1 and FMT_MTD.3 specify the recording conditions for users. FIA_UID.2 (LU, RU) specify that the TOE begins by other action. FTA_TSE.1 (LU, RU) define the conditions under which the establishment of a session can be refused to a local or remote FIA_USB.1 ( in order to control what local and remote users can do. FIA_ATD.1 (LU, RU) specify which security attributes are to be maintained for local or remote users. FTA_SSL.3 (RU) specifies that the TOE can terminate the administration or monitoring sessions of remote users. FTA_SSL.4 (LU, RU) specify that local or remote users can terminate TOE administration or monitoring sessions. FMT_SMF.1 specifies that the TOE logs and records the identity of users requesting access to administration and monitoring functions. thentication FMT_MTD.1 and FMT_MTD.3 spec the recording of authentication data. FIA_SOS.1 specifies that the TOE con FIA_SOS.2 specifies the conditions required for the TOE to generate authentication data. FIA_UAU.2 (L link. FIA_UAU.7 specifies that the TOE provid this user is not authenticated. FMT_SMF.1 specifies that the TOE logs and records the result of authenticating users requesting access to administration and monitoring functions. FIA_AFL.1 specifies the rules for managing multiple connection attempts and enables them to be countered. cess_control FIA_UAU.7 specifies that the this user is not authenticated. FDP_ACF.1 (PAR, FI) define the conditions required to access functions. FDP_ACC.1 (PAR, FI) specify FDP_ACF.1 (P FMT_MSA.1, FMT_MSA.3 and FMT_MSA.4 specify the rules relative to the definition or modification of security attributes. 
FMT_SMF.1 specifies that the TOE logs and records the result of requests made by users to access to administration and monitoring functions. Protection Profile - Personal Firewall PP-PFP Page 77 of 92 FTA_SSL.4 (LP) defines the conditions restricting access by a local program to the TOE. FTA_SSL.3 (TC) and FTA_SSL.4 (TC) define the conditions restricting access by a remote program to the TOE for establishing a communication channel with the ditions relative to a break OT_TO OT_lo h users are to read audit data. threshold. cifies that the TOE is able to perform an integrity check on audit data OT_re FIA_USB.1 (TC) and FIA_ATD.1 (TC) define the establishment of a link between sted the TOE provides no data to a user (administrator or OT_re th a remote site. _SSL.4 (TC) specify the conditions required for breaking administration and monitoring module. FTA_SSL.3 (RU) and FTA_SSL.4 (LU, RU) define the con in the connection between a user and the TOE that results in the blocking of access authorisation for this user via the administration and monitoring module. E_reuse FDP_RIP.1 specifies that it is possible to render unavailable or delete sensitive TOE data. g_protection FAU_SAR.1 (SUP), FAU_SAR.1 (USR) and FAU_SAR.2 specify whic authorised FAU_STG.1 and FAU_STG.4 specify that the audit logs are protected from all risk of saturation, and that an alarm is issued and actions taken in the event of reaching a critical FPT_ITI.1 spe transmitted to an authorised user. mote_admin_authentication FIA_UID.2 (TC) and FIA_UAU.2 (TC) specify the conditions required for identifying and authenticating a remote site by the TOE (i.e. a remote program). FTP_ITC.1 specifies that the TOE authenticates itself to remote programs to establish a trusted channel. the TOE and the remote site. FTA_SSL.3 (TC) and FTA_SSL.4 (TC) specify the conditions required for breaking a link established between the TOE and a remote site within the context of a tru channel. 
FIA_UAU.7 specifies that supervisor) as long as this user is not authenticated. mote_admin_integrity FTP_ITC.1 and FPT_ITI.1 specify that the TOE is capable of establishing a trusted channel enabling the control of the integrity of administration or monitoring data shared wi FIA_USB.1 (TC) and FIA_ATD.1 (TC) define the establishment of a link between the TOE and the remote site. FTA_SSL.3 (TC) and FTA a link established between the TOE and a remote site within the context of a trusted channel. Protection Profile - Personal Firewall PP-PFP Page 78 of 92 OT_re channel guaranteeing the g data exported to a remote site. .1 (TC) define the establishment of a link between king OT_re e TOE ensures protection against the replay of data .1 specifies that the TOE establishes a trusted channel enabling the control tion or monitoring data shared with a remote site. and FTA_SSL.4 (TC) specify the conditions required for breaking OT_flo vents are audited and the contents of audit messages. 1 (SUP), FAU_SAR.1 (USR) and FAU_SAR.2 specify which users are authorised to read audit data and alerts. .3 specifies how these authorised users can select them, sort them and sed OT_ad pecifies which events are audited and the contents of audit messages. AR.1 (SUP), FAU_SAR.1 (USR) and FAU_SAR.2 specify which users are authorised to read audit data and alerts. specifies how these authorised users can select them, sort them and sed mote_admin_confidentiality FTP_ITC.1 specifies that the TOE establishes a trusted confidentiality of administration or monitoring data imported from a remote site. FPT_ITC.1 specifies that the TOE ensures the confidentiality of administration or monitorin FIA_USB.1 (TC) and FIA_ATD the TOE and the remote site. FTA_SSL.3 (TC) and FTA_SSL.4 (TC) specify the conditions required for brea a link established between the TOE and a remote site within the context of a trusted channel. 
mote_admin_no_replay FPT_RPL.1 specifies that th shared with remote sites within the context of remote administration or monitoring operations. FTP_ITC of the integrity of administra FIA_USB.1 (TC) and FIA_ATD.1 (TC) define the establishment of a link between the TOE and the remote site. FTA_SSL.3 (TC) a link established between the TOE and a remote site within the context of a trusted channel. w_audit FAU_GEN.1 specifies which e FAU_GEN.2 specifies the identity of the user at the source of the audited event. FAU_SAR. FAU_SAR display them. FDP_ACC.1 (PAR) and FDP_ACF.1 (PAR) specify the rules enabling authori users to modify audit and monitoring parameters including the granularity of the audit. min_audit FAU_GEN.1 s FAU_GEN.2 specifies the identity of the user at the source of the audited event. FAU_S FAU_SAR.3 display them. FDP_ACC.1 (PAR) and FDP_ACF.1 (PAR) specify the rules enabling authori users to modify audit and monitoring parameters including the granularity of the audit. Protection Profile - Personal Firewall PP-PFP Page 79 of 92 FMT_SMF.1 specifies that the TOE logs and records the use of administration and monitoring functions. OT_vio AA.1 and FAU_SAA.3 specify which events are considered by the TOE as the conditions required for the TOE to signal user connection errors. specifies that the TOE generates an alert in the event of an OT_vio P.1 specifies that the TOE automatically implements actions defined by the OE to process user connection errors. ) specifies that the TOE ensures protection against attempts made OT_TOE_integrity T.1 specifies that TOE integrity is checked on start-up. OT_op FPT_TST.1 specifies that the TOE tests its operation on start-up, periodically or at an authorised user. OT_cr SOS.2, FIA_UAU.2 (TC) and FTP_ITC.1 implement the rules endencies Functio lation_detection FAU_S being potential security violations and which shall lead to the issuing of an alert. 
FIA_AFL.1 specifies FRU_RSA.1 (RES) attempt made to saturate the TOE by remote access. lation_reaction FAU_AR administrator in case of a security violation being detected. FIA_AFL.1 specifies the conditions required for the T FRU_RSA.1 (RES to saturate the TOE by remote access. FPT_TS erational_state the request of ypto FIA_SOS.1, FIA_ defined in this document. 6.4.2 Dep nal component dependencies are as follows: Components Dependencies FDP_IFC.1 (ONF) FDP_IFF.1 (ONF) This component is a selected component FDP_IFF.1 (ONF) FDP_IFC.1 (ONF) These components are selected components FMT_MSA.3 FDP_ETC.2 (ONF) FDP_IFC.1 (ONF) This component is a selected component FDP_IFF.5 (ONF) FDP_IFC.1 (ONF) This component is a selected component FDP_IFC.1 (INF) his component is a selected component FDP_IFF.1 (INF) T FDP_IFF.1 (INF) FDP_IFC.1 (INF) FMT_MSA.3 These components are selected components FDP_ITC.1 (INF) FDP_IFC.1 (INF) FMT_MSA.3 These components are selected components FDP_IFF.5 (INF) FDP_IFC.1 (INF) This component is a selected component FDP_IFC.1 (OAF) FDP_IFF.1 (OAF) This component is a selected component FDP_IFF.1 (OAF) FDP_IFC.1 (OAF) FMT_MSA.3 These components are selected components Protection Profile - Personal Firewall PP-PFP Page 80 of 92 Components Dependencies FDP_ITC.1 (OAF) AF) These components are selected components FDP_IFC.1 (O FMT_MSA.3 FDP_IFF.5 (OAF) AF) This component is a selected component FDP_IFC.1 (O FTA_TSE.1 (OAF) None FDP_IFC.1 (IAF) FDP_IFF.1 (IAF) This component is a selected component FDP_IFF.1 (IAF) FDP_IFC.1 (IAF) FMT_MSA.3 These components are selected components FDP_ETC.2 (IAF) FDP_IFC.1 (IAF) This component is a selected component FDP_IFF.5 (IAF) AF) This component is a selected component FDP_IFC.1 (I FIA_UID.2 (LP) None FIA_USB.1 (LP) FIA_ATD.1 (LP) his component is a selected component T FIA_ATD.1 (LP) None FTA_SSL.4 (LP) None FIA_UID.1 (RP) None FIA_USB.1 (RP) FIA_ATD.1 (RP) This component is a selected component FIA_ATD.1 (RP) None 
FTA_SSL.4 (RP) None FMT_MTD.1 FMT_SMR.1 FMT_SMF.1 ts These components are selected componen FMT_MTD.3 FMT_MTD.1 his component is a selected component T FIA_SOS.1 None FIA_SOS.2 None FIA_UID.2 (LU) None FIA_UID.2 (RU) None FIA_UAU.2 (LU) o FIA_UID.1, is a selected component FIA_UID.1 The component FIA_UID.2 (LU), hierarchical t FIA_UAU.2 (RU) UID.1, is selected component FIA_UID.1 The component FIA_UID.2 (RU), hierarchical to FIA_ a FIA_UAU.7 FIA_UAU.1 he components FIA_UID.2 (LU) and FIA_UAU.2 (RU), ierarchical to FIA_UID.1, are selected components T h FIA_AFL.1 FIA_UAU.1 he components FIA_UID.2 (LU) and FIA_UAU.2 (RU), T hierarchical to FIA_UID.1, are selected components FTA_TSE.1 (LU) None FTA_TSE.1 (RU) None FIA_USB.1 (LU) FIA_ATD.1 (LU) lected component This component is a se FIA_ATD.1 (LU) None FIA_USB.1 (RU) FIA_ATD.1 (RU) This component is a selected component FIA_ATD.1 (RU) None FTA_SSL.3 (RU) None FTA_SSL.4 (LU) None FTA_SSL.4 (RU) None FDP_ACC.1 (PAR) FDP_ACF.1 (PAR) This component is a selected component FDP_ACF.1 (PAR) CC.1 (PAR) hese components are selected components FDP_A FMT_MSA.3 T FDP_ACC.1 (FI) FDP_ACF.1 (FI) his component is a selected component T FDP_ACF.1 (FI) FDP_ACC.1 (FI) SA.3 hese components are selected components FMT_M T FDP_RIP.1 None FMT_MSA.1 FDP_IFC.1 (IAF) FDP_IFC.1 (OAF) FDP_IFC.1 (INF) ts FDP_IFC.1 (ONF) FMT_SMR.1 FMT_SMF.1 These components are selected componen FMT_SMR.1 D.1 his component is not selected, but this requirement is FIA_UI T Protection Profile - Personal Firewall PP-PFP Page 81 of 92 Components Dependencies covered by components FIA_UID.2 (LU) and FIA_UID.2 (RU) FMT_SMF.1 None FMT_MSA.3 These components are selected components FMT_MSA.1 FMT_SMR.1 FMT_MSA.4 FDP_IFC.1 AF) NF) INF) FDP_IFC (IAF) These components are selected components (O FDP_IFC.1 (O FDP_IFC.1 ( FIA_UID.2 (TC) None FIA_UAU.2 (TC) P) FIA_UID.1 (R This component is a selected component FIA_USB.1 (TC) C) This component is a selected component FIA_ATD.1 (T 
FIA_ATD.1 (TC) None FTA_SSL.3 (TC) None FTA_SSL.4 (TC) None FPT_ITI.1 None FPT_RPL.1 None FPT_ITC.1 None FTP_ITC.1 None FPT_TDC.1 None FAU_GEN.1 FTP_STM.1 his component is not retained but the TOE obtains these ata from the Operating System which implements this nction. T d fu FAU_GEN.2 FAU_GEN.1 D.1 (RP) his component is a selected component his component is a selected component FIA_UI T T FAU_SAA.1 FAU_GEN.1 his component is a selected component T FAU_SAA.3 None FAU_SAR.1 (SUP) FAU_GEN.1 This component is a selected component FAU_SAR.1 (USR) FAU_GEN.1 This component is a selected component FAU_SAR.2 FAU_SAR.1 nent is a selected component (see FAU_SAR.1 This compo (SUP) & FAU_SAR.1 (USR)) FAU_SAR.3 see FAU_SAR.1 FAU_SAR.1 This component is a selected component ( (SUP) & FAU_SAR.1 (USR)) FAU_ARP.1 FAU_SAA.1 his component is a selected component T FAU_STG.1 FAU_GEN.1 This component is a selected component FAU_STG.4 FAU_STG.1 This component is a selected component FPT_TST.1 None FRU_RSA.1 (RES) None Table 9: Func nform PP 6.4.4 Extended components tional component dependencies 6.4.3 Co ity with a Not applicable. Not applicable. Protection Profile - Personal Firewall PP-PFP Page 82 of 92 Appendix A Additional descriptions of the TOE and its environment A.1 Architecture of the TOE The following diagram presents an example of a PFP architecture: Network APPLICATIONS (browser, mail, FTP, telnet, other applications...) Network layer 3 and 4 (TCP/IP, NetBT, etc...) Applicative filter Network filter Rules Data base TOE Physical network interfaces (Ethernet, PPP, Wi-Fi, modem, etc...) 
[Figure 3, further diagram labels: User interface; Incoming flows; Outgoing flows; Operating system; System level; User level; Hardware; Remote Monitoring & administration; Audit log; Local users; Configuration Data; Trusted channel]

Figure 3: Architectural diagram of the TOE

The TOE exchanges flows with its environment via the following interfaces:
- A “system” interface enabling interactions between the TOE and workstation programs (operating system, other programs)
- A “network” interface used by administrators and supervisors connected remotely
- A “local MMI” used by administrators, supervisors or basic users connected locally to the workstation

Interfaces used for “functional” purposes are not shown in this list. The STs in conformity with this PP must specify if the TOE provides specific drivers to be used in place of those available on the workstation.

A.2 Physical scope of the TOE

The physical scope of the TOE comprises:
- The TOE installation kit
- Associated documentation

A.3 Logical scope of the TOE

The logical scope of the TOE comprises the following components:
- TOE software
- TOE administration parameters
- The filtering rules adopted by the TOE
- Monitoring data, alarms and logs

A.4 Functional roles

The various functional roles linked to the operation of the workstation and the TOE are as follows:
- The security officer
- The system, network and office application administrator in charge of the workstation
- The system supervisor in charge of the workstation
- The administrator in charge of the TOE (7)
- The supervisor in charge of the TOE (8)
- The basic user of the workstation

(7) Designated as “administrator” in the body of the protection profile.
(8) Designated as “supervisor” in the body of the protection profile.

Note: the holders of administration or monitoring roles recognised by the TOE and by the host machine may be independent. In particular, an administrator in charge of the TOE is not necessarily a system administrator.

A.4.1 Roles recognised by the TOE

The holders of these roles have access (local or remote according to circumstances) to the TOE to fulfil their duties or to make use of the rights at their disposal. Roles can be allocated to different persons or not, according to the security policy chosen by the organisation. These roles are defined in section 3.2 of this document.

A.4.2 Other roles

The holders of these roles do not require access to the TOE to fulfil their duties.

Security officer
Security officers define the filtering policy to be implemented by administrators. In a centralised context, they may be in charge of teams responsible for the monitoring or administration of security.

System administrator
System administrators are in charge of installing the TOE as an application on the workstation, and of the configuration and administration of the workstation at the system and network level. Tasks can be performed via local or remote access.

System supervisor
System supervisors control and audit system and network administration for workstations.

A.5 Functionalities of the TOE

A.5.1 Services provided by the TOE

A.5.1.1 Filtering of communications

The main objective of communications filtering is to ensure a filtering of flows at the level of the TCP/IP protocol stack. This filtering takes into account the standard protocols of the network layer (IP, ICMP) and of the transport layer (TCP, UDP), and the standard protocols of application layers (5, 6 and 7). The PP does not cover the taking into account of proprietary non-IP protocols (NetBT for example). The STs in conformity with this PP must indicate, if applicable, the non-IP protocols taken into account.

Communications filtering comprises the following filtering methods:
- Filtering based on the protocol analysis of flows (conformity to filtering rules defined according to criteria such as protocol, source or destination address, source or destination port, incoming or outgoing direction, MAC address, interface used, etc.); this filtering takes into account contextual or behavioural filtering (9)
- Filtering based on the analysis of communicating applications (identification, link between the program and the protocol)

(9) Contextual or behavioural filtering is understood to mean the TOE’s capacity to filter a packet according to packets already received or sent.

Filtering must also take into account the network environment (connection inside or outside the company).

Filtering levels:
The TOE offers three levels of filtering: global, user, adaptive.

Global filtering is applied as soon as the workstation is started up whether or not a user is connected to the workstation. Global filtering can be configured during the installation of the PFP and modified, and is controlled by the TOE administrator.

User filtering is specific to a basic user (or to a group of basic users). It is applied as soon as this basic user (or any basic user of the group) connects to the workstation. This filtering is controlled by the TOE administrator, who may delegate the control of all or part of this filtering process to the basic user in question.

Adaptive filtering is specific to a basic user (or to a group of basic users). Filtering is generated by a learning mechanism that enables basic users to build a filtering policy adapted to their needs by validating connections over time as the workstation is used. This mechanism contributes to an intuitive configuration of the PFP, avoiding presenting the basic user with complex security or network notions. It limits configuration errors. This filtering must remain coherent with the filtering policies created by the TOE administrator. The learning mechanism can be enabled or disabled by a TOE administrator.

These three notions can be represented graphically as follows:

[Figure 4, diagram labels: Global; User; Adapted; Controlled by administrator; Controlled by user]

Figure 4: Filtering levels

A.5.1.2 Application integrity control

As a complement to filtering functions, the PFP offers the capability to control the integrity of applications that established network connections. This integrity check is based on integrity check values enabling the detection of application corruption. The mechanisms used for this application integrity check do not fall within the scope of the PP. They must be described in the STs in conformity with this PP.

A.5.1.3 Protection against attacks

The TOE can react to counter certain attacks, of a denial of service or saturation type, targeting workstation resources. The TOE administrator can configure the actions to be taken by the TOE in response to these attacks (e.g. the issuing of an alert or the blocking of flows).

A.5.2 Services required for the TOE to function correctly

Administration and monitoring services are required for the TOE to function correctly. These services can be shared among various functional roles (see § 3.2 and A.4).

A.5.2.1 Administration

PFP administration may be centralised (e.g. the workstation is connected to the local company network) or local (e.g. the workstation is used outside the company or during installations). It mainly covers the management of parameters and filtering rules. It also concerns the disabling / reactivation of TOE services. Only the holders of a specific role may access administration services; these roles must be assigned to the persons in charge of these services.

In order to cover the various organisational and operational modes, PFP administration must be possible:
- By a TOE administrator applying company policy, operating locally or in a centralised manner, without basic user control
- By a basic user alone defining their own filtering rules
- In a collaborative manner between the TOE administrator, responsible for defining basic rules, and a basic user, who then refines them (e.g. over time according to a learning model according to the connection requirements of applications)

The TOE administrator can configure a basic user’s ability to modify the security policy; this may range from granting total freedom to fully blocking access to security policy modification.

Visibility of configuration parameters and filtering rules
The TOE administrator has access to all TOE configuration parameters, in particular to all the filtering rules and parameters relative to analysed flows, including the rules and technical parameters that might be hidden from a basic user. A basic user may have access to the filtering rules (user or adaptive level) specified for this basic user. The TOE administrator must be able to configure this access.

A.5.2.2 Monitoring and logging

Monitoring involves the ability to view information (audit logs and audit messages, alerts, monitoring parameters) at a remote site or on the workstation. It must be interoperable with administration functions in order to react to an alert for example.

Logging involves the recording of critical or non-critical events in a log that may be consulted at a later time. Only the holders of a specific role may access monitoring services; these roles must be assigned to the persons in charge of these services.

Recorded or transmitted information can be used locally by a basic user or processed by a person in charge of monitoring. An intermediate situation exists, whereby the basic user and the supervisor in charge of the TOE can work together to use monitoring information, alarms and logs.

The TOE can track:
- analysed and filtered flows
- local or remote administration operations
- alerts generated upon the detection of attempted attacks

The use of logged information is configured in such a way as to limit flows transmitted to the monitoring entity or presented to an authorised user. The level of alerts transmitted by the TOE can be configured in such a way as to limit the amount of information to that strictly required. The transmission of alarms can be configured according to connection contexts (inside or outside the company) in such a way as to inform the basic user or the supervisor in charge of the TOE. A mechanism can be used to transfer monitoring information when the workstation is connected to the monitoring centre (deferred transmission for portable workstations).

A.5.3 Services for securing the TOE

A.5.3.1 Protection of administration and monitoring functions

The TOE has an access control mechanism for administration and monitoring functions: management of parameters, filters, logs, TOE shutdown, etc. This access control mechanism is based notably on the use of roles allocated to authorised users.

Protection of remote administration and monitoring:
The TOE identifies and authenticates users who connect to the administration or monitoring interface, and attributes a role according to their identity. The TOE ensures the authenticity and integrity of the flows it transmits. It can also ensure the confidentiality of these flows. It controls the integrity and the authenticity of the flows it receives. It has at its disposal a protection mechanism offering protection from saturation attacks targeting administration or monitoring functions.

Protection of local administration and monitoring:
The TOE identifies and authenticates users who connect to the administration or monitoring interface, and attributes them a role according to their identity.

A.5.3.2 Protection of logs

The TOE controls access to logs according to the roles held by the user.

A.5.3.3 Protection of the TOE

The TOE must:
- Control the integrity of some of its components and indicate any detected loss of integrity
- Inform the user (basic user or supervisor in charge of the TOE) of its status (active or inactive)

A.6 TOE operating environment

The personal firewall application is designed to be installed on a workstation equipped with an operating system and possessing one or more network interfaces (Ethernet, WIFI, STN, IRDA, USB, etc.). This workstation may be shared among several users, each of whom has personal access (a user account + associated password). It may be connected directly to the company network or used as a portable workstation. Being portable multiplies use contexts and network environments:
- Access conditions: ADSL or STN (ISP, Internet café, Hotel), public WIFI access (station, train, airport, etc.)
- Periods: may be used any day or at any time

The STs in conformity with this PP must accurately describe the operating environment. In particular, they must indicate the workstation constraints to be respected: operating system version, drivers to be used, the order in which software is installed, etc.

A.7 TOE evaluation platform

The TOE evaluation platform must be representative of normal contexts of TOE use, administration and monitoring. It must include at least:
- The workstation hosting the TOE. This workstation must possess at least one network interface. The drivers used to drive network interfaces must be those supplied with the TOE or recommended in the TOE documentation.
- A second workstation interconnected with the workstation hosting the TOE. This workstation makes it possible to exchange data with the TOE and to evaluate the TOE filtering function.
- A third workstation interconnected with the workstation hosting the TOE. This workstation makes it possible to evaluate remote administration and monitoring functions.
- A network to which these workstations are connected enabling the simulation of TOE operating environment network configurations.

The STs in conformity with this PP must accurately describe the platform to be used.

A.8 Possible additional functionalities of the personal firewall (PFP)

This section presents additional functionalities that can be offered by manufacturers in response to specific basic user requirements. These functionalities do not fall within the scope of this PP, but can be included in the STs in conformity with this PP by developing the associated security analysis.

Filtering:
The following filtering possibilities have not been included:
- Time-based filtering, URL filtering, content filtering
- Control of file transfers

Furthermore, filtering is limited to connections with host systems: a connection between the workstation and an external disk via a USB port will not be taken into account (although a connection between this workstation and another workstation via the same USB port and a modem will be taken into account).

Temporary disabling of filtering by the basic user:
The temporary disabling of the filtering function by the basic user involves offering the basic user the possibility to temporarily disable filtering rules in order to enable him to perform communications that are normally blocked. This function must be controlled by the TOE administrator, who must be able to authorise its implementation. The temporary disabling of the filtering function by the basic user must require the use of a code and must be audited, as must the communications carried out in this operational mode. It must be possible to automatically re-enable the rules disabled by this mechanism when no longer used. This function can also be implemented by adopting organisational measures.

Global learning mode:
This learning mode provides for the dynamic generation of a workstation filtering policy according to the connection habits of the various basic users that can be refined at a later date by TOE administrators.

Confidentiality of TOE processes:
Confidentiality of TOE processes involves hiding the existence of the TOE on a given workstation with regard to basic users or attackers.

Respect for regulations:
As a result of its data protection potential, the TOE contributes to the respect of laws and regulations relative to the protection of sensitive data of a personal or private nature (see [L78]).

Appendix B Definitions and acronyms

B.1 Acronyms

PFP Personal Firewall
PP Protection Profile
ST Security Target
TOE Target of Evaluation
TSF TOE Security Functions
TSP TOE Security Policy

B.2 Conventions used

The following list shows the roots used for the various elements.

Root | Elements described by this root
T_ | Threats relative to the TOE and the TOE operational environment
TD_ | Threats concerning the TOE development environment
OSP_ | Organisational security policy
A_ | Assumption
OT_ | Security objectives for the TOE
OE_ | Security objectives for the operational environment
S_ | TOE subjects
SA_ | Security attributes
D_ | Sensitive TOE assets and objects
U_ | Users (programs or individuals) interacting with the TOE

B.3 Definitions

Security Target (ST)
Reference document for the TOE evaluation: the certificate awarded by the DCSSI will attest conformity of the product and its documentation with the (functional and assurance) requirements formulated in the security target.

Target of Evaluation (TOE)
The product to be evaluated and its associated documentation.

TOE Security Functionality (TSF)
A set consisting of all hardware, software and firmware of the TOE that must be relied upon for the correct enforcement of the TSP.

TCP/IP protocol stack
“TCP/IP protocol stack” is understood to mean the standard protocols of the network layer (IP, ICMP) and of the transport layer (TCP, UDP), and the standard protocols of application layers (5, 6 and 7).

TOE Security Policy (TSP)
Set of rules stipulating how to manage, protect and distribute assets within a TOE.

Interpretation
An addition (clarification, correction or addition) to the Common Criteria; the list of interpretations is available at the following site: www.commoncriteriaportal.org

Appendix C References

C.1 Normative references

[CC1] Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and general model, September 2006, Version 3.1, Revision 1
[CC2] Common Criteria for Information Technology Security Evaluation, Part 2: Security Functional Components, September 2007, Version 3.1, Revision 2, CCMB-2007-09-002
[CC3] Common Criteria for Information Technology Security Evaluation, Part 3: Security Assurance Components, September 2007, Version 3.1, Revision 2, CCMB-2007-09-003
[CEM] Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, September 2007, Version 3.1, Revision 2, CCMB-2007-09-004
[QUALIF_STD] Processus de qualification d'un produit de sécurité – Niveau standard.
DCSSI, Version 1.1, 18 March 2008, N°549/SGDN/DCSSI/SDR [CRYPT-STD] Cryptographic mechanisms – Rules and recommendations about the choice and parameters sizes of cryptographic mechanisms with standard robustness level (regularly updated version) C.2 Laws and policies [L78] Amended law of 6 January 1978 relative to data processing, computer files and individual liberties C.3 Other documents [EBIOS] EBIOS method (Expression of needs and identification of security objectives), Version 2, 5 February 2004 [CC1] CCMB-2006-09-001 Common Criteria for Information Technology Security Evaluation, P [
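The "temporary disabling of filtering by the basic user" function listed in A.8 (administrator authorisation, a code presented by the basic user, auditing of both the bypass and the traffic sent under it, automatic re-enabling of the rule) can be modelled as follows. This is an added illustration, not code from the PP-PFP or from any evaluated product; the class and field names, the rule format and the audit record layout are assumptions.

```python
# Added illustration of the A.8 "temporary disabling of filtering" function.
# Not part of PP-PFP; names, rule format and audit layout are assumptions.
from dataclasses import dataclass, field
from typing import Optional
import hashlib
import hmac


@dataclass
class Rule:
    rule_id: str
    block: tuple                            # (proto, remote_host, remote_port) to block
    disabled_until: Optional[float] = None  # None = rule active; else re-enable time


@dataclass
class PersonalFirewall:
    rules: dict                              # rule_id -> Rule
    admin_allows_bypass: bool = False        # TOE administrator authorises the function
    bypass_code_hash: bytes = b""            # hash of the code the basic user must enter
    audit: list = field(default_factory=list)

    def set_bypass_code(self, code: str) -> None:
        self.bypass_code_hash = hashlib.sha256(code.encode()).digest()

    def request_bypass(self, rule_id: str, code: str, now: float, ttl: float) -> bool:
        """Basic user asks to disable one rule for ttl seconds; always audited,
        refused unless the administrator authorised it and the code matches."""
        presented = hashlib.sha256(code.encode()).digest()
        ok = self.admin_allows_bypass and hmac.compare_digest(presented, self.bypass_code_hash)
        self.audit.append(("bypass_request", rule_id, now, "granted" if ok else "refused"))
        if ok:
            self.rules[rule_id].disabled_until = now + ttl
        return ok

    def _reenable_expired(self, now: float) -> None:
        # Automatic re-enabling of rules whose bypass window has elapsed.
        for r in self.rules.values():
            if r.disabled_until is not None and now >= r.disabled_until:
                r.disabled_until = None
                self.audit.append(("rule_reenabled", r.rule_id, now))

    def evaluate(self, conn: tuple, now: float) -> bool:
        """Return True if conn = (proto, host, port) may pass."""
        self._reenable_expired(now)
        for r in self.rules.values():
            if r.block == conn:
                if r.disabled_until is None:
                    return False              # rule active: communication blocked
                self.audit.append(("bypass_traffic", r.rule_id, conn, now))  # audited too
                return True
        return True                           # no blocking rule matches
```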