
Security Target - Junos 15.1X49-D60 for SRX platforms (NDPP, TFFWEP, VPNEP, IPSEP) Version 1.0

Page 1 of 92

Security Target

Junos 15.1X49-D60 for SRX platforms (NDPP, TFFWEP, VPNEP, IPSEP)

Document Reference: Junos_15.1X49-D60_ST_1.0
Document Status: Released
Document Version: 1.0
Issue Date: 24 January 2017


Prepared For:

Juniper Networks, Inc.
1133 Innovation Way
Sunnyvale, CA 94089, USA
www.juniper.net

Prepared By:

BAE Systems Applied Intelligence, Pty Ltd
Level 1, 14 Childers Street
Canberra ACT 2601, Australia
www.baesystems.com/ai

    Abstract

    This document provides the basis for an evaluation of a specific Target of Evaluation (TOE), Juniper Networks, Inc. Junos 15.1 X49-D60 for SRX platforms. This Security Target (ST) defines a set of assumptions about the aspects of the environment, a list of threats that the product intends to counter, a set of security objectives, a set of security requirements and the IT security functions provided by the TOE which meet the set of requirements.

    Amendment history

    Version Date Revisions

    0.1 13-AUG-15 Initial draft

    0.2 09-SEP-15 Update platform specification

    0.3 07-JAN-16 Update platform specification

    0.4 21-APR-16 Update platform specification and major rework of SFRs

    0.5 28-NOV-16 Updated due to developer feedback.

    0.6 11-JAN-17 Updated due to developer feedback.

    1.0 24-JAN-17 Updated due to ETR Feedback

    Copyright statement

    Copyright © 2015 Juniper Networks, Inc.


Table of contents

1 Introduction ... 7
1.1 ST Reference ... 7
1.2 TOE Reference ... 7
1.3 Document Organization ... 7
1.4 Document Conventions ... 8
1.5 Document Terminology ... 8
1.6 TOE Overview ... 12
1.7 TOE Description ... 12
1.7.1 Overview ... 12
1.7.2 Physical Boundary ... 13
1.7.3 Logical Boundary ... 14
1.7.4 Summary of Out-of-Scope Items ... 16
1.7.5 TOE Security Functional Policies ... 17
1.7.6 TOE Product Documentation ... 17
2 Conformance Claims ... 18
2.1 CC Conformance Claim ... 18
2.2 Protection Profile Conformance Claim ... 18
2.2.1 TOE Type Consistency ... 18
2.2.2 Security Problem Definition Consistency ... 18
2.2.3 Security Objectives Consistency ... 18
2.2.4 Security Functional Requirements Consistency ... 18
2.2.5 Security Assurance Requirements Consistency ... 19
2.3 Package Claim ... 19
3 Security Problem Definition ... 20
3.1 Threats ... 20
3.2 Organizational Security Policies ... 22
3.3 Assumptions ... 22
4 Security Objectives ... 24
4.1 Security Objectives for the TOE ... 24
4.2 Security Objectives for the Operational Environment ... 26
4.3 Security Objectives Rationale ... 27
5 Extended Components Definition ... 28
5.1 Rationale for Extended Components ... 29
6 Security Requirements ... 30
6.1 Security Functional Requirements ... 30
6.1.1 Security Audit (FAU) ... 32
6.1.2 Cryptographic Support (FCS) ... 37
6.1.3 User Data Protection (FDP) ... 41
6.1.4 Identification and Authentication (FIA) ... 41
6.1.5 Security Management (FMT) ... 43
6.1.6 Protection of the TSF (FPT) ... 45
6.1.7 TOE Access (FTA) ... 46
6.1.8 Trusted Path/Channel (FTP) ... 47
6.1.9 Stateful Traffic/Packet Filtering (FFW and FPF) ... 48
6.1.10 Intrusion Prevention System (IPS) ... 53
6.2 CC Component Hierarchies and Dependencies ... 57
6.3 Security Assurance Requirements ... 57
6.4 Security Requirements Rationale ... 58
6.4.1 Security Functional Requirements ... 58
6.4.2 Sufficiency of Security Requirements ... 58
6.4.3 Security Assurance Requirements ... 61
6.4.4 Security Assurance Requirements Rationale ... 61
6.4.5 Security Assurance Requirements Evidence ... 61
7 TOE Summary Specification ... 63
7.1 TOE Security Functions ... 63
7.2 Security Audit ... 63
7.3 Cryptographic Support ... 66
7.3.1 IPSEC Support ... 70
7.4 User Data Protection ... 72
7.5 Identification and Authentication ... 73
7.6 Security Management ... 76
7.7 Protection of the TSF ... 78
7.8 TOE Access ... 80
7.9 Trusted Path/Channels ... 81
7.10 Stateful Traffic/Packet Filtering (FWEP and VPNEP) ... 81
7.11 Intrusion Prevention System ... 86


List of Tables

Table 1-1 – ST Organization and Section Descriptions ... 8
Table 1-2 – Acronyms Used in Security Target ... 12
Table 1-3 – Evaluated Configuration of the TOE ... 14
Table 1-4 – Logical Boundary Descriptions ... 16
Table 3-1 – Threats from the NDPP addressed by the TOE ... 21
Table 3-2 – Threats from the FWEP addressed by the TOE ... 21
Table 3-3 – Threats from the VPNEP not already included in FWEP ... 21
Table 3-4 – Organizational Security Policy required by NDPP ... 22
Table 3-5 – Organizational Security Policy required by IPSEP ... 22
Table 3-6 – Assumptions from the NDPP ... 22
Table 3-7 – Assumptions from the FWEP and IPSEP ... 23
Table 4-1 – TOE Security Objectives from NDPP ... 24
Table 4-2 – TOE Security Objectives from FWEP ... 25
Table 4-3 – TOE Security Objectives from VPNEP not already covered by FWEP or NDPP ... 25
Table 4-4 – Operational Environment Security Objectives from NDPP ... 26
Table 4-5 – Operational Environment Security Objectives from FWEP ... 27
Table 6-1 – TOE Security Functional Requirements ... 32
Table 6-2 – Audit Events and Details from NDPP ... 34
Table 6-3 – Audit Events and Details from FWEP ... 34
Table 6-4 – Audit Events and Details from VPNEP ... 35
Table 6-5 – Audit Events and Details from IPSEP ... 37
Table 6-6 – Rationale for TOE SFRs to Objectives from NDPP ... 59
Table 6-7 – Rationale for TOE SFRs to Objectives from FWEP ... 59
Table 6-8 – Rationale for TOE SFRs to Objectives from VPNEP ... 60
Table 6-9 – Rationale for TOE SFRs to Objectives from IPSEP ... 60
Table 6-10 – Security Assurance Requirements ... 61
Table 6-11 – Security Assurance Rationale and Measures ... 62
Table 7-1 – CAVS Certificate Results ... 67
Table 7-2 – Key Zeroization Handling ... 70
Table 7-3 – Traffic filtering RFCs ... 84


    List of Figures

    Figure 1 - TOE Boundary.................................................................................................................... 14 



1 Introduction

This section identifies the Security Target (ST), Target of Evaluation (TOE), Security Target organization, document conventions, and terminology. It also includes an overview of the evaluated product.

    1.1 ST Reference

ST Title: Security Target: Juniper Networks, Inc. Junos 15.1X49-D60 for SRX Platforms

ST Revision: 1.0

ST Publication Date: 24 January 2017

Author: BAE Systems Applied Intelligence, Pty Limited

    1.2 TOE Reference

TOE Reference: Juniper Networks, Inc. Junos 15.1X49-D60 for SRX Platforms

    1.3 Document Organization

This Security Target is organized as follows:

SECTION / TITLE / DESCRIPTION

1 Introduction: Provides an overview of the TOE and defines the hardware and software that make up the TOE as well as the physical and logical boundaries of the TOE

2 Conformance Claims: Lists evaluation conformance to Common Criteria versions, Protection Profiles, or Packages where applicable

3 Security Problem Definition: Specifies the threats, assumptions and organizational security policies that affect the TOE

4 Security Objectives: Defines the security objectives for the TOE/operational environment and provides a rationale to demonstrate that the security objectives satisfy the threats

5 Extended Components Definition: Describes extended components of the evaluation (if any)

6 Security Requirements: Contains the functional and assurance requirements for this TOE

7 TOE Summary Specification: Identifies the IT security functions provided by the TOE and also identifies the assurance measures targeted to meet the assurance requirements.

    Table 1-1 – ST Organization and Section Descriptions

    1.4 Document Conventions

The notation, formatting, and conventions used in this Security Target are consistent with those used in Version 3.1 of the Common Criteria. Selected presentation choices are discussed here to aid the Security Target reader. Part 2 of the Common Criteria defines four operations that may be performed on functional requirements: refinement, selection, assignment and iteration. They are shown as follows:

Assignment: indicated with italicized text;
Refinement made by PP author: indicated with bold text and strikethroughs, if necessary;
Selection: indicated with underlined text;
Assignment within a Selection: indicated with italicized and underlined text;
Iteration: indicated by appending the iteration number in parentheses, e.g., (1), (2), (3).

    Explicitly stated SFRs are identified by having a label ‘EXT’ after the requirement name for TOE SFRs. When not embedded in a Security Functional Requirement, italicized text is used for both official document titles and text meant to be emphasized more than plain text.

    1.5 Document Terminology

    The following table describes the acronyms used in this document:

    TERM DEFINITION

    AES Advanced Encryption Standard

    ANSI American National Standards Institute

API Application Programming Interface

ATM Asynchronous Transfer Mode

    BGP Border Gateway Protocol

    CC Common Criteria version 3.1


CCEVS Common Criteria Evaluation and Validation Scheme

    CCIMB Common Criteria Interpretations Management Board

    CCM Counter with Cipher Block Chaining-Message Authentication Code

    CLNP Connectionless Network Protocol

    CLNS Connectionless Network Service

    CM Configuration Management

CSP Critical Security Parameter

    DFA Deterministic Finite Automaton

    DES Data Encryption Standard

DH Diffie-Hellman

    DMZ Demilitarized Zone

    DoD Department of Defense

    EAL Evaluation Assurance Level

    ECC Elliptic Curve Cryptography

    ECDSA Elliptic Curve Digital Signature Algorithm

    ESP Encapsulating Security Payload

    FFC Finite Field Cryptography

    FIPS Federal Information Processing Standard

FIPS PUB 140-2 Federal Information Processing Standard Publication 140-2 (Security Requirements for Cryptographic Modules)

    FTP File Transfer Protocol

    FWEP Firewall Extended Package

    GIG Global Information Grid

    GUI Graphical User Interface

HMAC Keyed-Hash Message Authentication Code

    HTTP Hypertext Transfer Protocol

    I&A Identification and Authentication

    IATF Information Assurance Technical Framework

    ICMP Internet Control Message Protocol

    ID Identification


    IDS Intrusion Detection System

    IETF Internet Engineering Task Force

    IKE Internet Key Exchange

    IP Internet Protocol

    IPsec Internet Protocol Security

    IPsec ESP Internet Protocol Security Encapsulating Security Payload

    IPv6 Internet Protocol Version 6

    IPX Internetwork Packet Exchange

    ISAKMP Internet Security Association and Key Management Protocol

    IS-IS Intermediate System-to-Intermediate System

    ISO International Organization for Standardization

    IT Information Technology

    Junos Juniper Operating System

    LDP Label Distribution Protocol

    MAC Mandatory Access Control

    MRE Medium Robustness Environment

    NAT Network Address Translation

    NBIAT&S Network Boundary Information Assurance Technologies and Solutions Support

    NDPP Network Devices Protection Profile

    NIAP National Information Assurance Program

NIST National Institute of Standards and Technology

    NSA National Security Agency

    NTP Network Time Protocol

OSI Open Systems Interconnection

    OSP Organizational Security Policy

    OSPF Open Shortest Path First

    PAM Pluggable Authentication Module

    PFE Packet Forwarding Engine


    PIC/PIM Physical Interface Card/Module

    PKI Public Key Infrastructure

    PP Protection Profile

    PRNG Pseudo Random Number Generator

    RE Routing Engine

RFC Request for Comments

    RIP Routing Information Protocol

RNG Random Number Generator

RSA Rivest, Shamir, Adleman

    SA Security Association

    SCEP Simple Certificate Enrollment Protocol

    SFP Security Functional Policy

    SFR Security Functional Requirement

    SHA Secure Hash Algorithm

    SMTP Simple Mail Transfer Protocol

    SNMP Simple Network Management Protocol

    SOF Strength of Function

    SSH Secure Shell

    SSL Secure Sockets Layer

    ST Security Target

    TBD To Be Determined

TCP/IP Transmission Control Protocol/Internet Protocol

    TDEA Triple Data Encryption Algorithm

    TFTP Trivial File Transfer Protocol

    TOE Target of Evaluation

    TSC TOE Scope of Control

    TSE TOE Security Environment

    TSF TOE Security Function


    TSFI TSF interfaces

    TSP TOE Security Policy

TTAP/CCEVS Trust Technology Assessment Program/Common Criteria Evaluation and Validation Scheme

    UDP User Datagram Protocol

URL Uniform Resource Locator

    VPN Virtual Private Network

    VPNEP Virtual Private Network Extended Package

    Table 1-2 – Acronyms Used in Security Target

    1.6 TOE Overview

The TOE is Juniper Networks, Inc. Junos 15.1X49-D60 for SRX Platforms, which primarily supports the definition and enforcement of information flow policies among network nodes. The routers provide stateful inspection of every packet that traverses the network and provide central management of the network security policy. All information flow from one network node to another passes through an instance of the TOE. Information flow is controlled on the basis of network node addresses, protocol, type of access requested, and services requested. In support of the information flow security functions, the TOE ensures that security-relevant activity is audited, protects its own functions from potential attacks, and provides the security tools to manage all of the security functions. The TOE provides virtual private network (VPN) support, allowing site-to-site, hub-and-spoke and remote access VPNs. The TOE also implements Intrusion Prevention System functionality: it can monitor information flows to detect potential attacks based on pre-defined attack signatures and anomaly characteristics in the traffic.

    The Junos 15.1X49-D60 for SRX Platforms may also be referred to as the TOE in this document.

    1.7 TOE Description

    1.7.1 Overview

    Each Juniper Networks routing platform is a complete routing system that supports a variety of high-speed interfaces (up to 10 Gbps) for medium/large networks and network applications. Juniper Networks routers share common Junos software, features, and technology for compatibility across platforms.

The routers are physically self-contained, housing the software, firmware and hardware necessary to perform all router functions. The hardware has two components: the router itself and various PIC/PIMs, which allow the routers to communicate with the different types of networks that may be required within the environment where the routers are used.

    Each instance of the TOE consists of the following major architectural components:

The Routing Engine (RE) runs the Junos software and provides Layer 3 routing services and network management for all operations necessary for the configuration and operation of the TOE. It controls the flow of information through the TOE, including Network Address Translation (NAT) and all operations necessary for the encryption and decryption of packets for secure communication via the IPsec protocol.

The Packet Forwarding Engine (PFE) provides all operations necessary for transit packet forwarding.

    The Routing Engine and Packet Forwarding Engine perform their primary tasks independently, while constantly communicating through a high-speed internal link. This arrangement provides streamlined forwarding and routing control and the capability to run Internet-scale networks at high speeds.

    The routers support numerous routing standards for flexibility and scalability as well as IETF IPSec protocols. These functions can all be managed through the Junos software, either from a connected terminal console or via a network connection. Network management can be secured using IPsec, SNMP v3, and SSH protocols. All management, whether from a user connecting to a terminal or from the network, requires successful authentication.

The TOE supports intrusion detection and prevention functionality, which allows it to detect and react to potential attacks in real time. The detection component of the IPS can be based on attack signatures, which specify the characteristics of potentially malicious traffic in terms of a variety of packet header and payload attributes. Anomaly detection based on deviation of the monitored traffic from expected values is also supported.

    Juniper Networks security devices accomplish routing through a process called a Virtual Router (VR). A security device divides its routing component into two or more VRs with each VR maintaining its own list of known networks in the form of a routing table, routing logic, and associated security zones.

The TOE is managed and configured via the Command Line Interface (CLI) over IPsec connections and does not depend on FTP or SSL to operate correctly.

    1.7.2 Physical Boundary

    The TOE is a combined hardware/software TOE and is defined as the Junos 15.1X49-D60 for SRX Platforms. The TOE boundary is shown below.

[Figure 1 (diagram): the TOE boundary encloses the Routing Engine, the Packet Forwarding Engine and the hardware. The NTP server, syslog server, management platform and network are IT environment components, connected to the TOE over its external and internal interfaces.]

    Figure 1 - TOE Boundary

    The physical boundary is defined as the entire router chassis. In order to comply with the evaluated configuration, the following hardware and software components should be used:

TOE COMPONENT: VERSION/MODEL NUMBER

Software Version: Junos Version 15.1X49-D60

Hardware Platforms: SRX300, SRX320, SRX340, SRX345, SRX550M, SRX5400E, SRX5400X, SRX5600E, SRX5600X, SRX5800E and SRX5800X

    Table 1-3 - Evaluated Configuration of the TOE

The TOE interfaces are comprised of the following:

1. Network interfaces, which pass traffic
2. Management interface, through which administrative actions are handled.

    1.7.3 Logical Boundary

    This section outlines the boundaries of the security functionality of the TOE; the logical boundary of the TOE includes the security functionality described in the following table:


    TSF DESCRIPTION

    Security Audit Junos auditable events are stored in the syslog files, and can be sent to an external log server (via IPSec). Auditable events include start-up and shutdown of the audit functions, authentication events, service requests, as well as the events listed in the table in Section 6. Audit records include the date and time, event category, event type, username, and the outcome of the event (success or failure). Local syslog storage limits are configurable and are monitored. In the event of storage limits being reached the oldest logs will be overwritten.

    Cryptographic Support The TOE includes a baseline cryptographic module that provides confidentiality and integrity services for authentication and for protecting communications with adjacent systems.

    User Data Protection/Information Flow Control

    The TOE is designed to forward network packets (i.e., information flows) from source network entities to destination network entities based on available routing information. This information is either provided directly by TOE users or indirectly from other network entities (outside the TOE) configured by the TOE users. The TOE has the capability to regulate the information flow across its interfaces; traffic filters can be set in accordance with the presumed identity of the source, the identity of the destination, the transport layer protocol, the source service identifier, and the destination service identifier (TCP or UDP port number).

    Identification and Authentication

    The TOE requires users to provide unique identification and authentication data before any administrative access to the system is granted. .The devices also require that applications exchanging information with them successfully authenticate prior to any exchange.

    SSH, Telnet, File Transfer Protocol (FTP), and Secure Socket Layer (SSL) are out of scope.

    Security Management The TOE provides an authorized Administrator role that is responsible for:

    the configuration and maintenance of cryptographic elements related to the establishment of secure connections to and from the evaluated product;

    the regular review of all audit data;

    all administrative tasks (e.g., creating the security policy).

    The devices are managed through a Command Line Interface (CLI). The CLI is accessible through remote administrative session.

  • Security Target - Junos 15.1X49-D60 for SRX platforms (NDPP, TFFWEP, VPNEP, IPSEP) Version 1.0

    Page 16 of 92

    Protection of the TSF The TOE provides protection mechanisms TSF data (e.g. cryptographic keys, administrator passwords). Another protection mechanism is to ensure the integrity of any software/firmware updates are can be verified prior to installation. The TOE provides for both cryptographic and non-cryptographic self-tests, and is capable of automated recovery from failure states. Also, reliable timestamp is made available by the TOE.

    TOE Access The TOE can be configured to terminate interactive user sessions, and to present an access banner with warning messages prior to authentication.

    Trusted Path/Channels The TOE creates trusted channels between itself and remote trusted authorized IT product (e.g. syslog server) entities that protect the confidentiality and integrity of communications. The TOE creates trusted paths between itself and remote administrators and users that protect the confidentiality and integrity of communications.

    Stateful Traffic/Packet Filtering

    The TOE provides stateful network traffic filtering based on examination of network packets and the application of information flow rules.

    Intrusion Prevention

    The TOE can be configured to analyze IP-based network traffic forwarded to the TOE’s interfaces, and detect violations of administratively-defined IPS policies. The TOE is capable of initiating a proactive response to terminate/interrupt an active potential threat, and to initiate a response in real time that would cause interruption of the suspicious traffic flow.

    Table 1-4 – Logical Boundary Descriptions

    1.7.4 Summary of Out-of-Scope Items

    The following items are out of the scope of the evaluation:

    External syslog server

    Use of telnet, since it violates the Trusted Path requirement set (see Security Requirements)

    Use of FTP, since it violates the Trusted Path requirement set (see Security Requirements)

    Use of SNMP, since it violates the Trusted Path requirement set (see Security Requirements)


    Management via J-Web, since it violates the Trusted Path requirement set (see Security Requirements)

    Media use (other than during installation of the TOE)

    SSH

    TLS

    1.7.5 TOE Security Functional Policies

    Since the NDPP, FWEP, VPNEP and IPSEP do not require it, the TOE does not support any Security Functional Policy.

    1.7.6 TOE Product Documentation

    The TOE includes the following product documentation:

    Junos® OS Common Criteria Evaluated Configuration Guide for SRX Series Security Devices, Release 15.1X49-D60, 21-Dec-16

    Junos® OS Common Criteria and FIPS Evaluated Configuration Guide for SRX Series Security Devices, Release 15.1X49-D60, 10-Jan-16

    Junos® 15.1X49 for SRX Series Platforms – SRX Guidance Annex, Version 1.0, 18-Jan-17

    Junos® 15.1X49 for SRX Series Platforms – SRX Running Processes, Version 1.0, 18-Jan-17

    Complete Software Guide for SRX Series Services Gateways, Release 15.1X49-D60 (Volume 1), 25-Sep-2016

    Complete Software Guide for SRX Series Services Gateways, Release 15.1X49-D60 (Volume 2), 25-Sep-2016


    2 Conformance Claims

    2.1 CC Conformance Claim

    The TOE is Common Criteria Version 3.1 Revision 3 (July 2009) Part 2 extended and Part 3 conformant.

    2.2 Protection Profile Conformance Claim

    The TOE claims exact conformance to the following U.S. Government approved Protection Profiles (PP):

    Security Requirements for Network Devices, Version 1.1, 08 June 2012 (NDPP)

    Security Requirements for Network Devices Errata #3, 3 November 2014

    Network Device Protection Profile (NDPP) Extended Package Stateful Traffic Filter Firewall, Version 1.0, 19 December 2011 (FWEP)

    Network Device Protection Profile (NDPP) Extended Package VPN Gateway, Version 1.1, 12 April 2013 (VPNEP)

    Network Device Protection Profile (NDPP) Extended Package for Intrusion Prevention Systems, Version 1.0, 26 June 2014 (IPSEP)

    2.2.1 TOE Type Consistency

    The NDPP, extended as indicated above, and the TOE describe network device systems, of the following types: firewall, virtual private network and intrusion prevention system.

    2.2.2 Security Problem Definition Consistency

    This ST claims exact conformance to the referenced PPs. The threats, assumptions, and organizational security policies in the ST are identical to the threats, assumptions, and organizational security policies in the PPs.

    2.2.3 Security Objectives Consistency

    This ST claims exact conformance to the objectives in the referenced PPs. No additions or deletions to the objectives have been made. All objectives are consistent with the PPs.

    2.2.4 Security Functional Requirements Consistency

    This ST claims exact conformance to the security functional requirements in the referenced PPs.


    2.2.5 Security Assurance Requirements Consistency

    This ST claims exact conformance to the security assurance requirements in the referenced PPs.

    2.3 Package Claim

    The TOE claims conformance to Security Requirements for Network Devices, Version 1.1, 08 June 2012, as updated in Security Requirements for Network Devices Errata #3, 3 November 2014, the Network Device Protection Profile (NDPP) Extended Package Stateful Traffic Filter Firewall, Version 1.0, 19 December 2011 (FWEP), Network Device Protection Profile (NDPP) Extended Package VPN Gateway, Version 1.1, 12 April 2013 (VPNEP), the Network Device Protection Profile (NDPP) Extended Package for Intrusion Prevention Systems, Version 1.0, 26 June 2014 (IPSEP) and no other assurance or functional packages.


    3 Security Problem Definition

    The security problem to be addressed by the TOE is described by threats and policies that are common to network devices, as opposed to those that might be targeted at the specific functionality of a specific type of network device, as specified in [NDPP], [FWEP], [VPNEP], and [IPSEP].

    This chapter identifies assumptions as A.assumption, threats as T.threat and policies as P.policy.

    Note that the assumptions, threats, and policies are the same as those found in [NDPP], [FWEP], [VPNEP] and [IPSEP] such that this TOE serves to address the Security Problem.

    3.1 Threats

    The following threats are addressed by the TOE, as detailed in table 4 of [NDPP] Annex A.

    THREAT DESCRIPTION

    T.ADMIN_ERROR An administrator may unintentionally install or configure the TOE incorrectly, resulting in ineffective security mechanisms.

    T.TSF_FAILURE Security mechanisms of the TOE may fail, leading to a compromise of the TSF.

    T.UNDETECTED_ACTIONS Malicious remote users or external IT entities may take actions that adversely affect the security of the TOE. These actions may remain undetected and thus their effects cannot be effectively mitigated.

    T.UNAUTHORIZED_ACCESS A user may gain unauthorized access to the TOE data and TOE executable code. A malicious user, process, or external IT entity may masquerade as an authorized entity in order to gain unauthorized access to data or TOE resources. A malicious user, process, or external IT entity may misrepresent itself as the TOE to obtain identification and authentication data.

    T.UNAUTHORIZED_UPDATE A malicious party attempts to supply the end user with an update to the product that may compromise the security features of the TOE.

    T.USER_DATA_REUSE User data may be inadvertently sent to a destination not intended by the original sender.


    Table 3-1 – Threats from the NDPP addressed by the TOE

    The following threats are addressed by the TOE, as detailed in section 5.1.2 of [FWEP].

    THREAT DESCRIPTION

    T.NETWORK_DISCLOSURE Sensitive information on a protected network might be disclosed resulting from ingress- or egress-based actions.

    T.NETWORK_ACCESS Unauthorized access may be achieved to services on a protected network from outside that network, or alternately to services outside a protected network from inside the protected network.

    T.NETWORK_MISUSE Access to services made available by a protected network might be used counter to Operational Environment policies.

    T.NETWORK_DOS Attacks against services inside a protected network, or indirectly by virtue of access to malicious agents from within a protected network, might lead to denial of services otherwise available within a protected network.

    Table 3-2 - Threats from the FWEP addressed by the TOE

    The following threats are addressed by the TOE, as detailed in section 2 of [VPNEP].

    THREAT DESCRIPTION

    T.DATA_INTEGRITY If known malicious external devices are able to communicate with devices on the protected network, or devices on the protected network establish communications with those external devices, then the data contained within the communications may be susceptible to a loss of integrity.

    T.REPLAY_ATTACK Unauthorized individuals gain access to the system and may have the opportunity to conduct a “replay” attack.

    Table 3-3 - Threats from the VPNEP not already included in FWEP

    Note that no additional threats are included in [IPSEP].


    3.2 Organizational Security Policies

    An organizational security policy is a set of rules, practices, and procedures imposed by an organization to address its security needs. The TOE is required to meet the following organizational security policies, as specified in table 5 of [NDPP] Annex A:

    POLICY DESCRIPTION

    P.ACCESS_BANNER The TOE shall display an initial banner describing restrictions of use, legal agreements, or any other appropriate information to which users consent by accessing the TOE.

    Table 3-4 – Organizational Security Policy required by NDPP

    In addition, the TOE is required to meet the following organizational security policy, as specified in Table 7-3 of [IPSEP]:

    POLICY DESCRIPTION

    P.ANALYZ Analytical processes and information to derive conclusions about potential intrusions must be applied to IPS data and appropriate response actions taken.

    Table 3-5 – Organizational Security Policy required by IPSEP

    3.3 Assumptions

    This section contains assumptions regarding the security environment and the intended usage of the TOE, as specified in table 3 of [NDPP] Annex A.

    ASSUMPTION DESCRIPTION

    A.NO_GENERAL_PURPOSE It is assumed that there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE.

    A.PHYSICAL Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment.

    A.TRUSTED_ADMIN TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.

    Table 3-6 – Assumptions from the NDPP


    The following assumption regarding the security environment and the intended usage of the TOE, is specified in section 5.1.1 of [FWEP] and Section 7.1.1 of [IPSEP].

    ASSUMPTION DESCRIPTION

    A.CONNECTIONS It is assumed that the TOE is connected to distinct networks in a manner that ensures that the TOE security policies will be enforced on all applicable network traffic flowing among the attached networks.

    Table 3-7 - Assumptions from the FWEP and IPSEP


    4 Security Objectives

    4.1 Security Objectives for the TOE

    The IT Security Objectives for the TOE are detailed below, as specified in table 6 of [NDPP] Annex A.

    OBJECTIVES DESCRIPTION

    O.PROTECTED_COMMUNICATIONS The TOE will provide protected communication channels for administrators, other parts of a distributed TOE, and authorized IT entities.

    O.VERIFIABLE_UPDATES The TOE will provide the capability to help ensure that any updates to the TOE can be verified by the administrator to be unaltered and (optionally) from a trusted source.

    O.SYSTEM_MONITORING The TOE will provide the capability to generate audit data and send those data to an external IT entity.

    O.DISPLAY_BANNER The TOE will display an advisory warning regarding use of the TOE.

    O.TOE_ADMINISTRATION The TOE will provide mechanisms to ensure that only administrators are able to log in and configure the TOE, and provide protections for logged-in administrators.

    O.RESIDUAL_INFORMATION_CLEARING The TOE will ensure that any data contained in a protected resource is not available when the resource is reallocated.

    O.SESSION_LOCK The TOE shall provide mechanisms that mitigate the risk of unattended sessions being hijacked.

    O.TSF_SELF_TEST The TOE will provide the capability to test some subset of its security functionality to ensure it is operating properly.

    Table 4-1 – TOE Security Objectives from NDPP

    The IT Security Objectives for the TOE are detailed below, as specified in section 5.2.1 of [FWEP].


    OBJECTIVES DESCRIPTION

    O.ADDRESS_FILTERING The TOE will provide the means to filter and log network packets based on source and destination addresses.

    O.PORT_FILTERING The TOE will provide the means to filter and log network packets based on source and destination transport layer ports.

    O.STATEFUL_INSPECTION The TOE will determine if a network packet belongs to an allowed established connection before applying the ruleset.

    O.RELATED_CONNECTION_FILTERING For specific protocols, the TOE will dynamically permit a network packet flow in response to a connection permitted by the ruleset.

    Table 4-2 – TOE Security Objectives from FWEP

    The IT Security Objectives for the TOE are detailed below, as specified in section 3 of [VPNEP].

    OBJECTIVES DESCRIPTION

    O.CRYPTOGRAPHIC_FUNCTIONS The TOE will implement cryptographic capabilities to maintain confidentiality and allow for detection and modification of data that is transmitted outside of the TOE.

    O.AUTHENTICATION The TOE shall provide authentication ability (IPSec) to allow a VPN peer to establish VPN connectivity with another VPN peer. VPN endpoints authenticate each other to ensure they are communicating with an authorized external IT entity.

    O.FAIL_SECURE The TOE will shut down upon discovery of a problem reported via the self-test mechanism.

    Table 4-3 – TOE Security Objectives from VPNEP not already covered by FWEP or NDPP

    The IT Security Objectives for the TOE are detailed below, as specified in section 7.2.1 of [IPSEP].


    OBJECTIVES DESCRIPTION

    O.IPSSENSE The IPS must collect and store information about all events that may indicate an IPS policy violation related to misuse, inappropriate access, or malicious activity on monitored networks.

    O.IPSANALYZE The IPS must apply analytical processes to network traffic data collected from monitored networks and derive conclusions about potential intrusions or network traffic policy violations.

    O.IPSREACT The IPS must respond appropriately to its analytical conclusions about IPS policy violations.

    4.2 Security Objectives for the Operational Environment

    The security objectives for the operational environment are detailed below, as specified in table 7 of [NDPP] Annex A.

    OBJECTIVE DESCRIPTION

    OE.NO_GENERAL_PURPOSE There are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE.

    OE.PHYSICAL Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment.

    OE.TRUSTED_ADMIN TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.

    Table 4-4 – Operational Environment Security Objectives from NDPP.

    The security objectives for the operational environment are detailed below, as specified in section 5.2.2 of [FWEP] and section 7.2.2 of [IPSEP].

    OBJECTIVE DESCRIPTION

    OE.CONNECTIONS TOE administrators will ensure that the TOE is installed in a manner that will allow the TOE to effectively enforce its policies on network traffic flowing among attached networks.


    Table 4-5 - Operational Environment Security Objectives from FWEP

    4.3 Security Objectives Rationale

    As these objectives for the TOE and operational environment are the same as those specified in [NDPP], [FWEP], [VPNEP] and [IPSEP], the rationales provided in the prose in section 3 of [NDPP], in the tables in [NDPP] Annex A, section 5 of [FWEP], section 3 of [VPNEP] and section 7.3 of [IPSEP] are wholly applicable to this security target, as the statements of threats, assumptions, OSPs and security objectives provided in this security target are the same as those defined in the [NDPP], [FWEP], [VPNEP] and [IPSEP].


    5 Extended Components Definition

    The following extended components are defined by the NDPP. The definition of these components is given in [NDPP].

    FAU_STG_EXT.1

    FCS_CKM_EXT.4

    FCS_RBG_EXT.1

    FIA_PMG_EXT.1

    FIA_UIA_EXT.1

    FIA_UAU_EXT.5

    FPT_SKP_EXT.1

    FPT_APW_EXT.1

    FPT_TUD_EXT.1

    FPT_TST_EXT.1

    FTA_SSL_EXT.1

    The following extended components are defined by the FWEP. The definition of these components is given in [FWEP].

    FFW_RUL_EXT.1

    The following extended components are defined by the VPNEP. The definition of these components is given in [VPNEP].

    FCS_IPSEC_EXT.1

    FIA_PSK_EXT.1

    FIA_X509_EXT.1

    FPF_RUL_EXT.1

    The following extended components are defined by the IPSEP. The definition of these components is given in [IPSEP].

    IPS_NTA_EXT.1

    IPS_IPB_EXT.1


    IPS_SBD_EXT.1

    IPS_ABD_EXT.1

    5.1 Rationale for Extended Components

    This ST includes these extended components to conform to the NDPP, FWEP, VPNEP and IPSEP requirements.


    6 Security Requirements

    The security requirements that are levied on the TOE and the Operational environment are specified in this section of the ST.

    6.1 Security Functional Requirements

    This section specifies the security functional requirements (SFRs) for the TOE, organized by CC class as specified in [NDPP], [FWEP], [VPNEP] and [IPSEP].

    The following table identifies all the SFRs implemented by the TOE.

    CLASS HEADING / CLASS_FAMILY / DESCRIPTION

    Security Audit

    FAU_GEN.1(1) Audit Data Generation

    FAU_GEN.1(2) Audit Data Generation (IPS)

    FAU_GEN.2 User Identity Association

    FAU_STG_EXT.1 External Audit Trail Storage

    Cryptographic Support

    FCS_CKM.1(1), (2) Cryptographic Key Generation (for asymmetric keys)

    FCS_CKM_EXT.4 Cryptographic Key Zeroization

    FCS_COP.1(1) Cryptographic Operation (for data encryption/decryption)

    FCS_COP.1(2), (3) Cryptographic Operation (for cryptographic signature)

    FCS_COP.1(4) Cryptographic Operation (for cryptographic hashing)

    FCS_COP.1(5) Cryptographic Operation (for keyed-hash message authentication)

    FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)

    FCS_IPSEC_EXT.1 Extended: Internet Protocol Security (IPSec) Protocol

    User Data Protection

    FDP_RIP.2 Full residual information protection

    Identification and Authentication

    FIA_AFL.1 Authentication Failure Handling

    FIA_PMG_EXT.1 User Identification and Authentication

    FIA_UIA_EXT.1 Extended: Password-based Authentication Mechanism

    FIA_UAU_EXT.2 Extended: Password-based Authentication Mechanism

    FIA_UAU.7 Protected Authentication Feedback

    FIA_X509_EXT.1 Extended: X.509 Certificates

    FIA_PSK_EXT.1 Extended: Pre-Shared Key Composition

    Security Management

    FMT_MOF.1 Management of Security Function Behavior

    FMT_MTD.1 Management of TSF Data (for general TSF data)

    FMT_SMF.1(1), (2) Specification of Management Functions

    FMT_SMR.2 Security Roles

    Protection of the TSF

    FPT_FLS.1 Fail Secure

    FPT_SKP_EXT.1 Extended: Protection of TSF Data (for reading of all symmetric keys)

    FPT_APW_EXT.1 Extended: Protection of Administrator Passwords

    FPT_STM.1 Reliable Time Stamps

    FPT_TUD_EXT.1 Extended: Trusted Update

    FPT_TST_EXT.1 TSF Testing

    TOE Access

    FTA_SSL_EXT.1 TSF-initiated session locking

    FTA_SSL.3(1), (2) TSF-initiated termination

    FTA_SSL.4 User-initiated termination

    FTA_TAB.1 Default TOE access banners

    Trusted Path/Channels

    FTP_ITC.1(1), (2) Inter-TSF trusted channel

    FTP_TRP.1 Trusted path

    Stateful Traffic/Packet Filtering

    FFW_RUL_EXT.1 Stateful Traffic Filtering

    FPF_RUL_EXT.1 Packet Filtering

    Intrusion Prevention System

    IPS_NTA_EXT.1 Network Traffic Analysis

    IPS_IPB_EXT.1 IP Blocking

    IPS_SBD_EXT.1 Signature-Based IPS Functionality

    IPS_ABD_EXT.1 Anomaly-Based IPS Functionality

    Table 6-1 – TOE Security Functional Requirements

    6.1.1 Security Audit (FAU)

    6.1.1.1 FAU_GEN.1(1) Audit Data Generation

    FAU_GEN.1.1(1) The TSF shall be able to generate an audit record of the following auditable events:

    a) Start-up and shut-down of the audit functions;

    b) All auditable events for the not specified level of audit; and

    c) All Administrative actions;

    d) [Specifically defined auditable events listed in Table 6-2 - Audit Events and Details, Table 6-3 - Audit Events and Details from FWEP, and Table 6-4 - Audit Events and Details from VPNEP].

    FAU_GEN.1.2(1) The TSF shall record within each audit record at least the following information:

    a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and

    b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [information specified in column three of Table 6-2 - Audit Events and Details, Table 6-3 - Audit Events and Details from FWEP, and Table 6-4 - Audit Events and Details from VPNEP].

    REQUIREMENT AUDITABLE EVENTS ADDITIONAL DETAILS

    FAU_GEN.1(1), (2) None.

    FAU_GEN.2 None.

    FAU_STG_EXT.1 None.

    FCS_CKM.1(1), (2) None.

    FCS_CKM_EXT.4 None.

    FCS_COP.1(1) None.


    FCS_COP.1(2), (3) None.

    FCS_COP.1(4) None.

    FCS_COP.1(5) None.

    FCS_RBG_EXT.1 None.

    FDP_RIP.2 None.

    FIA_PMG_EXT.1 None.

    FIA_PSK_EXT.1 None.

    FIA_UIA_EXT.1 All use of the identification and authentication mechanism.

    Provided user identity, origin of the attempt (e.g., IP address).

    FIA_UAU_EXT.2 All use of the authentication mechanism

    Origin of the attempt (e.g., IP address).

    FIA_UAU.7 None.

    FMT_MTD.1 None.

    FMT_SMF.1(1), (2) None.

    FMT_SMR.2 None.

    FPT_SKP_EXT.1 None.

    FPT_APW_EXT.1 None.

    FPT_STM.1 Changes to the time. The old and new values for the time.

    Origin of the attempt (e.g., IP address).

    FPT_TUD_EXT.1 Initiation of update. No additional information.

    FPT_TST_EXT.1 Indication that TSF self-test was completed.

    Any additional information generated by the tests beyond “success” or “failure”.

    FTA_SSL_EXT.1 Any attempts at unlocking of an interactive session.

    No additional information.

    FTA_SSL.3 The termination of a remote session by the session locking mechanism.

    No additional information.

    FTA_SSL.4 The termination of an interactive session.

    No additional information.


    FTA_TAB.1 None.

    FTP_ITC.1 Initiation of the trusted channel.

    Termination of the trusted channel.

    Failure of the trusted channel functions.

    Identification of the initiator and target of failed trusted channels establishment attempt.

    FTP_TRP.1 Initiation of the trusted channel.

    Termination of the trusted channel.

    Failures of the trusted path functions.

    Identification of the claimed user identity.

    Table 6-2 - Audit Events and Details from NDPP
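    To make the record content mandated by FAU_GEN.1.2(1) and Table 6-2 concrete, here is an added checker (written for this page; it is not Juniper's code and the key=value line format, event names and sample records are constructed, since Junos syslog output is formatted differently). It parses one record per line, requires the four base fields (date/time, event type, subject identity, outcome) on every record, and requires the per-requirement additional details from column three of the table, such as the origin of an authentication attempt or the old and new values for a time change.

```python
# Added example (not Juniper's code): a checker that verifies audit records
# carry the fields FAU_GEN.1.2(1) and Table 6-2 require. The key=value line
# format, event names and sample lines are constructed for illustration.
from typing import Dict, List

# Fields every record must carry (FAU_GEN.1.2(1) a): date/time, event type,
# subject identity and outcome.
BASE_FIELDS = ("timestamp", "event", "user", "outcome")

# Additional details per requirement (Table 6-2, column three). The event
# names and their mapping to requirements are constructed for this example.
EXTRA_FIELDS = {
    "LOGIN_SUCCESS": ("origin",),                       # FIA_UIA_EXT.1 / FIA_UAU_EXT.2
    "LOGIN_FAILURE": ("origin",),
    "TIME_CHANGE": ("old_time", "new_time", "origin"),  # FPT_STM.1
    "TRUSTED_CHANNEL_FAIL": ("initiator", "target"),    # FTP_ITC.1
}


def parse_record(line: str) -> Dict[str, str]:
    """Parse 'timestamp key=value ...' into a dict; a leading token without
    '=' is taken as the timestamp."""
    rec: Dict[str, str] = {}
    tokens = line.split()
    if tokens and "=" not in tokens[0]:
        rec["timestamp"] = tokens.pop(0)
    for tok in tokens:
        key, _, value = tok.partition("=")
        if key and value:
            rec[key] = value
    return rec


def missing_fields(line: str) -> List[str]:
    """Return the names of required fields absent from one record."""
    rec = parse_record(line)
    required = list(BASE_FIELDS) + list(EXTRA_FIELDS.get(rec.get("event", ""), ()))
    return [f for f in required if f not in rec]


def check_log(lines: List[str]) -> Dict[int, List[str]]:
    """Map line index -> missing fields for every non-conformant record."""
    result: Dict[int, List[str]] = {}
    for i, line in enumerate(lines):
        gaps = missing_fields(line)
        if gaps:
            result[i] = gaps
    return result


# Constructed sample records (not real Junos output); records 1 and 3 are
# deliberately incomplete.
SAMPLE_LOG = [
    "2017-01-24T10:15:02Z event=LOGIN_SUCCESS user=admin outcome=success origin=192.0.2.15",
    "2017-01-24T10:16:40Z event=LOGIN_FAILURE user=admin outcome=failure",
    "2017-01-24T10:20:00Z event=TIME_CHANGE user=admin outcome=success origin=192.0.2.15 "
    "old_time=2017-01-24T10:19:55Z new_time=2017-01-24T10:20:00Z",
    "event=TIME_CHANGE user=admin outcome=success origin=192.0.2.15 "
    "old_time=2017-01-24T10:19:55Z new_time=2017-01-24T10:20:00Z",
]

if __name__ == "__main__":
    for idx, gaps in check_log(SAMPLE_LOG).items():
        print(f"record {idx}: missing {', '.join(gaps)}")
```

    Running the checker over the sample reports the login failure without an origin address and the time change without a timestamp; the two complete records pass.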

    REQUIREMENT AUDITABLE EVENTS ADDITIONAL DETAILS

    FFW_RUL_EXT.1 Application of rules configured with the ‘log’ operation.

    Source and destination addresses; source and destination ports; transport layer protocol; TOE interface.

    FFW_RUL_EXT.1 Indication of packets dropped due to too much network traffic.

    TOE interface that is unable to process packets.

    Table 6-3 - Audit Events and Details from FWEP

    REQUIREMENT AUDITABLE EVENTS ADDITIONAL DETAILS

    FCS_IPSEC_EXT.1 Session establishment with peer.

    Source and destination addresses; source and destination ports; TOE interface.

    FIA_X509_EXT.1 Establishing session with CA.

    Source and destination addresses; source and destination ports; TOE interface.

    FIA_PSK_EXT.1 None. None.

    FPF_RUL_EXT.1 Application of rules configured with the ‘log’ operation.

    Source and destination addresses; source and destination ports; transport layer protocol; TOE interface.

    FPF_RUL_EXT.1 Indication of packets dropped due to too much network traffic.

    TOE interface that is unable to process packets.

    Table 6-4 - Audit Events and Details from VPNEP

    6.1.1.2 FAU_GEN.1(2) Audit Data Generation

    FAU_GEN.1.1(2) Refinement: The TSF shall be able to generate an IPS audit record of the following auditable IPS events:

    a) Start-up of the IPS functions;

    b) All IPS auditable events for the not specified level of audit; and

    c) All Administrative actions;

    d) [All dissimilar IPS events;

    e) All dissimilar IPS reactions;

    f) Totals of similar events occurring within a specified time period; and

    g) Totals of similar reactions occurring within a specified time period].

    FAU_GEN.1.2(2) Refinement: The TSF shall record within each IPS auditable event record at least the following information:

    a) Date and time of the event, type of event and/or reaction, subject identity, and the outcome (success or failure) of the event; and

    b) For each IPS auditable event type, based on the auditable event definitions of the functional components included in the PP/ST, [information specified in column three of Table 6-5 - Audit Events and Details from IPSEP].


    REQUIREMENT AUDITABLE EVENTS ADDITIONAL DETAILS

    FMT_SMF.1(2) Modification of an IPS policy element.

    Identifier or name of the modified IPS policy element (e.g. which signature, baseline, or known-good/known-bad list was modified).

    IPS_NTA_EXT.1 Modification of which IPS policies are active on a TOE interface.

    Enabling/disabling a TOE interface with IPS policies applied.

    Modification of which mode(s) is/are active on a TOE interface.

    Identification of the TOE interface, and (when applicable) the IPS policy and interface mode.

    IPS_IPB_EXT.1 Inspected traffic matches a list of known-good or known-bad addresses applied to an IPS policy.

    Source and destination IP addresses (and, if applicable, indication of whether the source and/or destination address matched the list).

    TOE interface that received the packet.

    Network-based action by the TOE (e.g. allowed, blocked, sent reset)

    IPS_SBD_EXT.1 Inspected traffic matches a signature-based IPS policy.

    Name or identifier of the matched signature.

    Source and destination IP addresses.

    The content of the header fields that were determined to match the signature.

    TOE interface that received the packet.

    Network-based action by the TOE (e.g. allowed, blocked, sent reset)


    IPS_ABD_EXT.1 Inspected traffic matches an anomaly-based IPS policy.

    Source and destination IP addresses.

    The content of the header fields that were determined to match the policy.

    TOE interface that received the packet.

    Aspect of the anomaly-based IPS policy rule that triggered the event (e.g. throughput, time of day, frequency, etc.)

    Network-based action by the TOE (e.g. allowed, blocked, sent reset to source IP, sent blocking notification to firewall)

    Table 6-5 - Audit Events and Details from IPSEP
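    As an added illustration of the three IPS event classes in Table 6-5 (IPS_IPB_EXT.1 address lists, IPS_SBD_EXT.1 signature matches on header fields, and IPS_ABD_EXT.1 anomaly rules) and of the details each event must record, the following Python toy inspection engine was written for this page; it is not Juniper's code and is not the Junos IDP engine. The signature definition, the known-bad address, the frequency threshold, the interface names and the packets are all constructed. Each returned event carries the source and destination addresses, the receiving interface, the action taken and, depending on the class, the matched signature and header fields, which side matched the address list, or the aspect of the anomaly rule that fired.

```python
# Added example (not Juniper's code): a toy inspection engine showing the three
# IPS detection classes in Table 6-5 (known-bad list, signature match on header
# fields, frequency anomaly) and the audit details each event must carry.
# Signature definitions, thresholds, interface names and packets are constructed.
from collections import defaultdict, deque
from typing import Deque, Dict, List


class IpsPolicy:
    def __init__(self, signatures: List[dict], known_bad: set,
                 max_packets: int, window_s: float):
        self.signatures = signatures
        self.known_bad = known_bad
        self.max_packets = max_packets   # anomaly threshold: packets per source
        self.window_s = window_s         # within a sliding window of this length
        self._hist: Dict[str, Deque[float]] = defaultdict(deque)

    @staticmethod
    def _base(pkt: dict, action: str) -> dict:
        # Details common to every IPS event: addresses, receiving interface, action
        return {"src": pkt["src"], "dst": pkt["dst"],
                "iface": pkt["iface"], "action": action}

    def inspect(self, pkt: dict) -> List[dict]:
        events: List[dict] = []
        # IPS_IPB_EXT.1: traffic matching a known-bad address list is blocked
        # outright; the record says which side matched.
        if pkt["src"] in self.known_bad or pkt["dst"] in self.known_bad:
            ev = self._base(pkt, "blocked")
            ev.update({"type": "ip-block",
                       "matched": "src" if pkt["src"] in self.known_bad else "dst"})
            return [ev]
        # IPS_SBD_EXT.1: every header field named by a signature must equal the
        # packet's value; the matching field contents go into the record.
        for sig in self.signatures:
            fields = sig["fields"]
            if all(pkt.get(k) == v for k, v in fields.items()):
                ev = self._base(pkt, sig["action"])
                ev.update({"type": "signature", "signature": sig["name"],
                           "matched_fields": {k: pkt[k] for k in fields}})
                events.append(ev)
        # IPS_ABD_EXT.1: frequency anomaly, i.e. more than max_packets from one
        # source inside the sliding window.
        hist = self._hist[pkt["src"]]
        hist.append(pkt["ts"])
        while hist and hist[0] < pkt["ts"] - self.window_s:
            hist.popleft()
        if len(hist) > self.max_packets:
            ev = self._base(pkt, "blocked")
            ev.update({"type": "anomaly", "aspect": "frequency",
                       "matched_fields": {"src": pkt["src"]},
                       "count": len(hist), "window_s": self.window_s})
            events.append(ev)
        return events


def build_demo_policy() -> IpsPolicy:
    """Constructed policy: one signature for an invalid TCP flag combination,
    one known-bad address, and a threshold of 3 packets per second per source."""
    return IpsPolicy(
        signatures=[{"name": "tcp-syn-fin", "action": "blocked",
                     "fields": {"proto": "tcp", "flags": frozenset({"SYN", "FIN"})}}],
        known_bad={"198.51.100.9"},
        max_packets=3, window_s=1.0)


def make_pkt(ts: float, src: str, dst: str, proto: str = "tcp",
             flags=("SYN",), iface: str = "ge-0/0/0") -> dict:
    """Build a constructed packet header summary (not a real parsed packet)."""
    return {"ts": ts, "src": src, "dst": dst, "proto": proto,
            "flags": frozenset(flags), "iface": iface}


if __name__ == "__main__":
    ips = build_demo_policy()
    traffic = [make_pkt(0.0, "203.0.113.5", "10.0.0.1", flags=("SYN", "FIN")),
               make_pkt(0.1, "198.51.100.9", "10.0.0.1")]
    traffic += [make_pkt(0.2 + i / 10, "203.0.113.7", "10.0.0.1") for i in range(4)]
    for p in traffic:
        for ev in ips.inspect(p):
            print(ev)
```

    The first packet fires the signature, the second is blocked by the address list, and only the fourth packet from the third source trips the frequency rule, whose record names the aspect ("frequency") and the count that exceeded the threshold.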

    6.1.1.3 FAU_GEN.2 User Identity Association

    FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.

    6.1.1.4 FAU_STG_EXT.1 External Audit Trail Storage

    FAU_STG_EXT.1.1 The TSF shall be able to transmit the generated audit data to an external IT entity using a trusted channel implementing the IPSec protocol.

    6.1.2 Cryptographic Support (FCS)

    6.1.2.1 FCS_CKM.1(1) Cryptographic Key Generation (for asymmetric keys)

    FCS_CKM.1.1(1) Refinement: The TSF shall generate asymmetric cryptographic keys used for key establishment in accordance with

    NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” for elliptic curve-based key establishment schemes and implementing “NIST curves” P-256, P-384 and no other curves (as defined in FIPS PUB 186-3, “Digital Signature Standard”);

    NIST Special Publication 800-56A, “Recommendation for Pair-Wise Key Establishment Schemes Using Discrete Logarithm Cryptography” for finite field-based key establishment schemes;

    and specified cryptographic key sizes equivalent to, or greater than, a symmetric key strength of 112 bits.

    6.1.2.2 FCS_CKM.1(2) Cryptographic Key Generation (for asymmetric keys)

    FCS_CKM.1.1(2) Refinement: The TSF shall generate asymmetric cryptographic keys used for IKE peer authentication in accordance with a:

    FIPS PUB 186-3, “Digital Signature Standard (DSS)”, Appendix B.3 for RSA schemes;

    FIPS PUB 186-3, “Digital Signature Standard (DSS)”, Appendix B.4 for ECDSA schemes and implementing “NIST curves” P-256, P-384 and no other curves;

    and specified cryptographic key sizes equivalent to, or greater than, a symmetric key strength of 112 bits.

    6.1.2.3 FCS_CKM_EXT.4 Cryptographic Key Zeroization

    FCS_CKM_EXT.4.1 The TSF shall zeroize all plaintext secret and private cryptographic keys and CSPs when no longer required.

    6.1.2.4 FCS_COP.1(1) Cryptographic Operation (for data encryption/decryption)

    FCS_COP.1.1(1) Refinement: The TSF shall perform [encryption and decryption] in accordance with a specified cryptographic algorithm AES operating in GCM, CBC, [no other modes] and cryptographic key sizes 128-bits, 256-bits, [no other key sizes] that meets the following:

    FIPS PUB 197, “Advanced Encryption Standard (AES)”

    NIST SP 800-38A, NIST SP 800-38D, [no other standards]

    6.1.2.5 FCS_COP.1(2) Cryptographic Operation (for cryptographic signature)

    FCS_COP.1.1(2) Refinement: The TSF shall perform cryptographic signature services in accordance with an RSA Digital Signature Algorithm (rDSA) with a key size (modulus) of 2048 bits or greater

    that meets the following:

    RSA Digital Signature Algorithm

    o FIPS PUB 186-2 or FIPS PUB 186-3, "Digital Signature Standard"

    6.1.2.6 FCS_COP.1(3) Cryptographic Operation (for cryptographic signature)

    FCS_COP.1.1(3) Refinement: The TSF shall perform cryptographic signature services in accordance with an Elliptic Curve Digital Signature Algorithm (ECDSA) with a key size of 256 bits or greater

    that meets the following:

    Elliptic Curve Digital Signature Algorithm

    o FIPS PUB 186-3, “Digital Signature Standard”

    o The TSF shall implement “NIST curves” P-256, P-384 and no other curves (as defined in FIPS PUB 186-3, “Digital Signature Standard”).

    6.1.2.7 FCS_COP.1(4) Cryptographic Operation (for cryptographic hashing)

    FCS_COP.1.1(4) Refinement: The TSF shall perform [cryptographic hashing services] in accordance with a specified cryptographic algorithm SHA-256, SHA-384, SHA-512 and message digest sizes 256, 384, 512 bits that meet the following: FIPS Pub 180-3, “Secure Hash Standard.”

    6.1.2.8 FCS_COP.1(5) Cryptographic Operation (for keyed-hash message authentication)

    FCS_COP.1.1(5) Refinement: The TSF shall perform [keyed-hash message authentication] in accordance with a specified cryptographic algorithm HMAC-SHA-256, HMAC-SHA-384, key size 256, 384 (in bits) used in HMAC, and message digest sizes 256, 384 bits that meet the following: FIPS Pub 198-1, “The Keyed-Hash Message Authentication Code”, and FIPS Pub 180-3, “Secure Hash Standard.”

    6.1.2.9 FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)

    FCS_RBG_EXT.1.1 The TSF shall perform all random bit generation (RBG) services in accordance with NIST Special Publication 800-90 using HMAC_DRBG (256) seeded by an entropy source that accumulates entropy from a TSF-hardware-based noise source and another independent TSF-hardware-based noise source.

    FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded with a minimum of 256 bits of entropy at least equal to the greatest security strength of the keys and hashes that it will generate.


    6.1.2.10 FCS_IPSEC_EXT.1 Extended: Internet Protocol Security (IPsec) Communications

    FCS_IPSEC_EXT.1.1 The TSF shall implement the IPsec architecture as specified in RFC 4301.

    FCS_IPSEC_EXT.1.2 The TSF shall implement tunnel mode.

    FCS_IPSEC_EXT.1.3 The TSF shall have a nominal, final entry in the SPD that matches anything that is otherwise unmatched, and discards it.

    FCS_IPSEC_EXT.1.4 The TSF shall implement the IPsec protocol ESP as defined by RFC 4303 using the cryptographic algorithms AES-GCM-128, AES-GCM-256 as specified in RFC 4106, AES-CBC-128, AES-CBC-256 (both specified by RFC 3602) together with a Secure Hash Algorithm (SHA)-based HMAC.

    FCS_IPSEC_EXT.1.5 The TSF shall implement the protocol: IKEv1 as defined in RFCs 2407, 2408, 2409, RFC 4109, no other RFCs for extended sequence numbers and RFC 4868 for hash functions; IKEv2 as defined in RFCs 5996 (with mandatory support for NAT traversal as specified in section 2.23) and RFC 4868 for hash functions.

    FCS_IPSEC_EXT.1.6 The TSF shall ensure the encrypted payload in the IKEv1, IKEv2 protocol uses the cryptographic algorithms AES-CBC-128, AES-CBC-256 as specified in RFC 6379 and AES-GCM-128, AES-GCM-256 as specified in RFC5282.

    FCS_IPSEC_EXT.1.7 The TSF shall ensure that IKEv1 Phase 1 exchanges use only main mode.

    FCS_IPSEC_EXT.1.8 The TSF shall ensure that IKEv1 and IKEv2 SA lifetimes can be configured by an Administrator based on number of bytes/packets or length of time, where the time values can be limited to 24 hours for Phase 1 (IKE) SAs and 8 hours for Phase 2 (CHILD) SAs.

    FCS_IPSEC_EXT.1.9 The TSF shall generate the secret value x used in the IKE Diffie-Hellman key exchange (“x” in g^x mod p) using the random bit generator specified in FCS_RBG_EXT.1, and having a length of at least 224 (for DH Group 14), 256 (for DH Groups 19 and 24) or 384 (for DH Group 20) bits.

    FCS_IPSEC_EXT.1.10 The TSF shall generate nonces used in IKE exchanges in a manner such that the probability that a specific nonce value will be repeated during the life of a specific IPsec SA is less than 1 in 2^224, 2^256, or 2^384.


    FCS_IPSEC_EXT.1.11 The TSF shall ensure that all IKE protocols implement DH Groups 14 (2048-bit MODP), 19 (256-bit Random ECP), 20 (384-bit Random ECP) and 24 (2048-bit MODP with 256-bit POS), and no other DH groups.

    FCS_IPSEC_EXT.1.12 The TSF shall ensure that all IKE protocols perform peer authentication using RSA or ECDSA with X.509v3 certificates that conform to RFC 4945, and pre-shared keys.

    FCS_IPSEC_EXT.1.13 The TSF shall be able to ensure by default that the strength of the symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the IKEv1 Phase 1, IKEv2 IKE_SA connection is greater than or equal to the strength of the symmetric algorithm (in terms of the number of bits in the key) negotiated to protect the IKEv1 Phase 2, IKEv2 CHILD_SA connection.
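    Elements FCS_IPSEC_EXT.1.4 through FCS_IPSEC_EXT.1.13 together pin down the ESP and IKE algorithm sets, the permitted DH groups and minimum exponent lengths, the main-mode-only rule for IKEv1, the 24-hour and 8-hour lifetime limits, and the rule that the IKE SA must be at least as strong as the CHILD SA it protects. The following added example (this editor's code, not Junos configuration or code; the `IkeProposal` and `EspProposal` data model is an assumption made for the example) turns those claims into a checker that reports every departure of a proposal pair from the profile. The two sample proposals are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Claimed algorithm sets (FCS_IPSEC_EXT.1.4, .1.6, .1.11) with the symmetric
# key strength in bits that each encryption algorithm provides.
ESP_ENCRYPTION = {"aes-gcm-128": 128, "aes-gcm-256": 256,
                  "aes-cbc-128": 128, "aes-cbc-256": 256}
IKE_ENCRYPTION = dict(ESP_ENCRYPTION)
SHA_HMACS = {"hmac-sha-256", "hmac-sha-384"}                # RFC 4868 hash functions
DH_MIN_EXPONENT_BITS = {14: 224, 19: 256, 20: 384, 24: 256}  # FCS_IPSEC_EXT.1.9
MAX_IKE_SA_SECONDS = 24 * 3600     # FCS_IPSEC_EXT.1.8: Phase 1 / IKE_SA limit
MAX_CHILD_SA_SECONDS = 8 * 3600    # FCS_IPSEC_EXT.1.8: Phase 2 / CHILD_SA limit


@dataclass
class IkeProposal:
    version: int                # 1 or 2
    encryption: str             # algorithm protecting the encrypted IKE payload
    integrity: str              # HMAC used as integrity/PRF algorithm
    dh_group: int
    dh_exponent_bits: int       # length of the secret x in g^x mod p
    lifetime_seconds: int
    phase1_mode: str = "main"   # IKEv1 only: "main" or "aggressive"


@dataclass
class EspProposal:
    encryption: str
    integrity: Optional[str]    # None is acceptable only with AES-GCM (RFC 4106)
    lifetime_seconds: int


def check_proposals(ike: IkeProposal, esp: EspProposal) -> List[str]:
    """Return every way the proposal pair departs from the claimed IPsec profile."""
    findings = []
    if ike.version not in (1, 2):
        findings.append("IKE version must be 1 or 2")
    if ike.encryption not in IKE_ENCRYPTION:
        findings.append("IKE encryption %s is outside the claimed set" % ike.encryption)
    if ike.integrity not in SHA_HMACS:
        findings.append("IKE integrity/PRF %s is not an RFC 4868 HMAC" % ike.integrity)
    if ike.dh_group not in DH_MIN_EXPONENT_BITS:
        findings.append("DH group %d is outside the claimed set 14/19/20/24" % ike.dh_group)
    elif ike.dh_exponent_bits < DH_MIN_EXPONENT_BITS[ike.dh_group]:
        findings.append("DH secret for group %d must be at least %d bits"
                        % (ike.dh_group, DH_MIN_EXPONENT_BITS[ike.dh_group]))
    if ike.version == 1 and ike.phase1_mode != "main":
        findings.append("IKEv1 Phase 1 must use main mode only")
    if ike.lifetime_seconds > MAX_IKE_SA_SECONDS:
        findings.append("IKE SA lifetime exceeds 24 hours")
    if esp.encryption not in ESP_ENCRYPTION:
        findings.append("ESP encryption %s is outside the claimed set" % esp.encryption)
    elif esp.encryption.startswith("aes-cbc") and esp.integrity not in SHA_HMACS:
        findings.append("AES-CBC in ESP must be paired with a SHA-based HMAC")
    elif esp.integrity is not None and esp.integrity not in SHA_HMACS:
        findings.append("ESP integrity %s is not an RFC 4868 HMAC" % esp.integrity)
    if esp.lifetime_seconds > MAX_CHILD_SA_SECONDS:
        findings.append("CHILD SA lifetime exceeds 8 hours")
    # FCS_IPSEC_EXT.1.13: the IKE SA must be at least as strong as the CHILD SA
    if (ike.encryption in IKE_ENCRYPTION and esp.encryption in ESP_ENCRYPTION
            and IKE_ENCRYPTION[ike.encryption] < ESP_ENCRYPTION[esp.encryption]):
        findings.append("IKE SA key strength is lower than the CHILD SA key strength")
    return findings


# Constructed proposals: one inside the profile, one with several departures.
COMPLIANT = (IkeProposal(2, "aes-gcm-256", "hmac-sha-384", 20, 384, 8 * 3600),
             EspProposal("aes-gcm-256", None, 3600))
WEAK = (IkeProposal(1, "aes-cbc-128", "hmac-sha-256", 2, 160, 48 * 3600, "aggressive"),
        EspProposal("aes-cbc-256", "hmac-sha-1", 8 * 3600))

if __name__ == "__main__":
    for label, (ike, esp) in (("compliant", COMPLIANT), ("weak", WEAK)):
        print(label, check_proposals(ike, esp) or ["no findings"])
```

    The strength comparison at the end is the check most often missed in hand review: an AES-128 IKE SA negotiating AES-256 CHILD SAs satisfies every per-algorithm rule and still violates FCS_IPSEC_EXT.1.13.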

    6.1.3 User Data Protection (FDP)

    6.1.3.1 FDP_RIP.2 Full Residual Information Protection

    FDP_RIP.2.1 The TSF shall ensure that any previous information content of a resource is made unavailable upon the allocation of the resource to all objects.

    6.1.4 Identification and Authentication (FIA)

    6.1.4.1 FIA_AFL.1 Authentication Failure Handling

    FIA_AFL.1.1 Refinement: The TSF shall detect when an Administrator-configurable positive integer of successive unsuccessful authentication attempts occurs related to administrators attempting to authenticate remotely.

    FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met, the TSF shall prevent the offending remote administrator from successfully authenticating until an Administrator-defined time period has elapsed.
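    The two elements above describe a counter and a timed lockout scoped to remote administrators. The following added example (this editor's code, not Junos code) shows that logic with the clock passed in so the lockout expiry can be exercised without waiting; the `remote` flag, which exempts the local console from the count, is this editor's reading of the "remotely" scoping in FIA_AFL.1.1 and is an assumption, as are the threshold and period used in the usage.

```python
from typing import Dict


class RemoteAdminLockout:
    """Authentication-failure handling in the shape FIA_AFL.1 describes.

    Added example: max_failures and lockout_seconds stand for the values an
    administrator would configure; the time is injected for testability.
    """

    def __init__(self, max_failures: int, lockout_seconds: float):
        if max_failures < 1:
            raise ValueError("threshold must be a positive integer")
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.failures: Dict[str, int] = {}        # successive remote failures per account
        self.locked_until: Dict[str, float] = {}  # account -> time the lockout ends

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now >= until:                  # period elapsed: clear lockout and counter
            del self.locked_until[user]
            self.failures.pop(user, None)
            return False
        return True

    def attempt(self, user: str, password_ok: bool, now: float, remote: bool = True) -> str:
        """Return "ok", "failed" or "locked" for one authentication attempt.

        Only remote attempts are counted (assumption drawn from the element's
        scoping), so a flood of remote failures cannot lock the local console.
        """
        if not remote:
            return "ok" if password_ok else "failed"
        if self.is_locked(user, now):
            return "locked"               # refused even with the correct password
        if password_ok:
            self.failures.pop(user, None) # a success ends the run of failures
            return "ok"
        self.failures[user] = self.failures.get(user, 0) + 1
        if self.failures[user] >= self.max_failures:
            self.locked_until[user] = now + self.lockout_seconds
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed scenario: three failures, then the right password during lockout.
    lockout = RemoteAdminLockout(max_failures=3, lockout_seconds=300)
    for t in range(3):
        print(t, lockout.attempt("admin", False, now=t))
    print(3, lockout.attempt("admin", True, now=3))
    print(302, lockout.attempt("admin", True, now=302))
```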

    6.1.4.2 FIA_PMG_EXT.1 Password Management

    FIA_PMG_EXT.1.1 The TSF shall provide the following password management capabilities for administrative passwords:

    1. Passwords shall be able to be composed of any combination of upper and lower case letters, numbers, and the following special characters “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, “)” and the complete set of standard ASCII characters and control characters;

    2. Minimum password length shall be settable by the Security Administrator, and support passwords of 15 characters or greater;


    6.1.4.3 FIA_UAU_EXT.2 Extended: Password-based Authentication Mechanism

    FIA_UAU_EXT.2.1 The TSF shall provide a local password-based authentication mechanism, and no other mechanism, to perform administrative user authentication.

    6.1.4.4 FIA_UIA_EXT.1 User Identification and Authentication

    FIA_UIA_EXT.1.1 The TSF shall allow the following actions prior to requiring the non-TOE entity to initiate the identification and authentication process:

    Display the warning banner in accordance with FTA_TAB.1;

    ARP services.

    FIA_UIA_EXT.1.2 The TSF shall require each administrative user to be successfully identified and authenticated before allowing any other TSF-mediated actions on behalf of that administrative user.

    6.1.4.5 FIA_UAU.7 Protected Authentication Feedback

    FIA_UAU.7.1 The TSF shall provide only obscured feedback to the administrative user while the authentication is in progress at the local console.

    6.1.4.6 FIA_X509_EXT.1 Extended: X.509 Certificates

    FIA_X509_EXT.1.1 The TSF shall use X.509v3 certificates as defined by RFC 5280 to support authentication for IPsec connections and no other protocols.

    FIA_X509_EXT.1.2 The TSF shall store and protect certificate(s) from unauthorized deletion and modification.

    FIA_X509_EXT.1.3 The TSF shall provide the capability for authenticated Administrators to load X.509v3 certificates into the TOE for use by the security functions specified in this PP.

    FIA_X509_EXT.1.4 The TSF shall generate a Certificate Request Message as specified in RFC 2986 and be able to provide the following information in the request: public key, Common Name, Organization, Organizational Unit, and Country.

    FIA_X509_EXT.1.5 The TSF shall validate the certificate using the Online Certificate Status Protocol (OCSP) as specified in RFC 2560 or a Certificate Revocation List (CRL) as specified in RFC 5759.

    FIA_X509_EXT.1.6 The TSF shall validate a certificate path by ensuring that the basicConstraints extension is present and the cA flag is set to TRUE for all CA certificates.


    FIA_X509_EXT.1.7 The TSF shall not treat a certificate as a CA certificate if the basicConstraints extension is not present or the cA flag is not set to TRUE.

    FIA_X509_EXT.1.8 The TSF shall not establish an SA if a certificate or certificate path is deemed invalid.

    FIA_X509_EXT.1.9 The TSF shall not establish an SA if the distinguished name (DN) contained in a certificate does not match the expected DN for the entity attempting to establish a connection.

    FIA_X509_EXT.1.10 When the TSF cannot establish a connection to determine the validity of a certificate, the TSF shall, at the option of the administrator, establish an SA or disallow the establishment of an SA.

    6.1.4.7 FIA_PSK_EXT.1 Extended: Pre-Shared Key Composition

    FIA_PSK_EXT.1.1 The TSF shall be able to use pre-shared keys for IPsec.

    FIA_PSK_EXT.1.2 The TSF shall be able to accept text-based pre-shared keys that:

    are 22 characters long, and additionally any length from 1 to 255 characters;

    composed of any combination of upper and lower case letters, numbers, and special characters (that include: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, and “)”).

    FIA_PSK_EXT.1.3 The TSF shall condition the text-based pre-shared keys by using SHA-1, conversion of the text string into an authentication value as per RFC 2409 for IKEv1 or RFC 4306 for IKEv2, using the pseudo-random function that is configured as the hash algorithm for the IKE exchanges.

    FIA_PSK_EXT.1.4 The TSF shall be able to accept bit-based pre-shared keys.
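    FIA_PSK_EXT.1.2 fixes the character set and lengths of a text-based pre-shared key, and FIA_PSK_EXT.1.3 says the text is conditioned into the authentication value the IKE exchange actually uses. The following added example (this editor's code, not Junos code) implements the composition check and the RFC-based conversion branch of FIA_PSK_EXT.1.3: the RFC 2409 SKEYID derivation for IKEv1 and the RFC 4306 shared-secret AUTH computation for IKEv2, with HMAC-SHA-256 standing in as the configured PRF (an assumption; the ST allows SHA-384 as well, and which conditioning the TOE applies is whatever the ST selects, not something this code decides). Nonces, cookies and the shared Diffie-Hellman value are constructed for the example.

```python
import hashlib
import hmac
import string
from typing import List

# FIA_PSK_EXT.1.2: letters, digits and the listed special characters
PSK_ALLOWED = set(string.ascii_letters + string.digits + "!@#$%^&*()")


def check_text_psk(psk: str) -> List[str]:
    """Return composition problems for a text-based PSK (empty list if acceptable)."""
    problems = []
    if not 1 <= len(psk) <= 255:
        problems.append("length must be between 1 and 255 characters")
    bad = sorted(set(psk) - PSK_ALLOWED)
    if bad:
        problems.append("characters outside the permitted set: %r" % "".join(bad))
    return problems


def ikev1_skeyid_from_psk(psk: bytes, ni_b: bytes, nr_b: bytes, prf=hashlib.sha256) -> bytes:
    """RFC 2409 section 5.4, pre-shared key authentication:
    SKEYID = prf(pre-shared-key, Ni_b | Nr_b)."""
    return hmac.new(psk, ni_b + nr_b, prf).digest()


def ikev1_derive_keys(skeyid: bytes, g_xy: bytes, cky_i: bytes, cky_r: bytes,
                      prf=hashlib.sha256):
    """RFC 2409 section 5: the three keys every IKEv1 SA derives from SKEYID.
    SKEYID_d = prf(SKEYID, g^xy | CKY-I | CKY-R | 0)
    SKEYID_a = prf(SKEYID, SKEYID_d | g^xy | CKY-I | CKY-R | 1)
    SKEYID_e = prf(SKEYID, SKEYID_a | g^xy | CKY-I | CKY-R | 2)"""
    skeyid_d = hmac.new(skeyid, g_xy + cky_i + cky_r + b"\x00", prf).digest()
    skeyid_a = hmac.new(skeyid, skeyid_d + g_xy + cky_i + cky_r + b"\x01", prf).digest()
    skeyid_e = hmac.new(skeyid, skeyid_a + g_xy + cky_i + cky_r + b"\x02", prf).digest()
    return skeyid_d, skeyid_a, skeyid_e


def ikev2_psk_auth(psk: bytes, signed_octets: bytes, prf=hashlib.sha256) -> bytes:
    """RFC 4306 section 2.15, shared key message integrity code:
    AUTH = prf(prf(Shared Secret, "Key Pad for IKEv2"), <SignedOctets>).
    The inner prf is what stops a weak text PSK being used directly as a key."""
    padded = hmac.new(psk, b"Key Pad for IKEv2", prf).digest()
    return hmac.new(padded, signed_octets, prf).digest()


# Constructed values for the example (not captured from any real exchange).
NI_B = bytes(range(32))
NR_B = bytes(range(32, 64))
G_XY = b"\x5a" * 256           # a 2048-bit shared secret would sit here
CKY_I = b"\x01\x02\x03\x04\x05\x06\x07\x08"
CKY_R = b"\x11\x12\x13\x14\x15\x16\x17\x18"

if __name__ == "__main__":
    text = "Tr0ub4dor&3!correct"
    print("composition problems:", check_text_psk(text) or "none")
    skeyid = ikev1_skeyid_from_psk(text.encode(), NI_B, NR_B)
    d, a, e = ikev1_derive_keys(skeyid, G_XY, CKY_I, CKY_R)
    print("IKEv1 SKEYID_e:", e.hex())
    print("IKEv2 AUTH:", ikev2_psk_auth(text.encode(), b"constructed signed octets").hex())
```

    Note that the 22-character figure in FIA_PSK_EXT.1.2 is a length the TOE must accept, not a minimum: a one-character PSK passes the composition check, which is why a deployment guide, not this check, has to set the actual minimum.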

    6.1.5 Security Management (FMT)

    6.1.5.1 FMT_MOF.1 Management of Security Functions Behavior

    FMT_MOF.1.1 Refinement: The TSF shall restrict the ability to enable, disable, determine and modify the behavior of all of the security functions of the TOE identified in this EP to an authenticated Administrator (from VPNEP).

    6.1.5.2 FMT_MTD.1 Management of TSF Data (for general TSF data)

    FMT_MTD.1.1 The TSF shall restrict the ability to manage the TSF data to the Security Administrators.


    6.1.5.3 FMT_SMF.1(1) Specification of Management Functions (NDPP, FWEP, VPNEP)

    FMT_SMF.1.1(1) The TSF shall be capable of performing the following management functions:

    Ability to administer the TOE locally and remotely;

    Ability to update the TOE, and to verify the updates using digital signature capability prior to installing those updates;

    Ability to configure Firewall rules; (from FWEP)

    Ability to configure the cryptographic functionality; (from VPNEP)

    Ability to configure the IPsec functionality; (from VPNEP)

    Ability to enable, disable, determine and modify the behavior of all the security functions of the TOE identified in this EP to the Administrator; (from VPNEP)

    Ability to configure all security management functions identified in other sections of this EP; (from VPNEP)

    No other capabilities.

    6.1.5.4 FMT_SMF.1(2) Specification of Management Functions (IPSEP)

    FMT_SMF.1.1(2) The TSF shall be capable of performing the following security management functions:

    1) Enable, disable signatures applied to sensor interfaces, and determine the behavior of IPS functionality

    2) Modify these parameters that define the network traffic to be collected and analyzed:

    a) Source IP addresses (host address and network address)

    b) Destination IP addresses (host address and network address)

    c) Source port (TCP and UDP)

    d) Destination port (TCP and UDP)

    e) Protocol (IPv4 and IPv6)

    f) ICMP type and code

    3) Update (import) signatures

    4) Create custom signatures


    5) Configure anomaly detection

    6) Enable and disable actions to be taken when signature or anomaly matches are detected

    7) Modify thresholds that trigger IPS reactions

    8) Modify the duration of traffic blocking actions

    9) Modify the known-good and known-bad lists (of IP addresses or address ranges)

    10) Configure the known-good and known-bad lists to override signature-based IPS policies

    6.1.5.5 FMT_SMR.2 Restrictions on Security Roles

    FMT_SMR.2.1 The TSF shall maintain the roles:

    Authorized Administrator

    FMT_SMR.2.2 The TSF shall be able to associate users with roles.

    FMT_SMR.2.3 The TSF shall ensure that the conditions

    Authorized Administrator role shall be able to administer the TOE locally;

    Authorized Administrator role shall be able to administer the TOE remotely;

    are satisfied.

    6.1.6 Protection of the TSF (FPT)

    6.1.6.1 FPT_SKP_EXT.1 Extended: Protection of TSF Data (for reading of all symmetric keys)

    FPT_SKP_EXT.1.1 The TSF shall prevent reading of all pre-shared keys, symmetric keys, and private keys.

    6.1.6.2 FPT_APW_EXT.1 Extended: Protection of Administrator Passwords

    FPT_APW_EXT.1.1 The TSF shall store passwords in non-plaintext form.

    FPT_APW_EXT.1.2 The TSF shall prevent the reading of plaintext passwords.


    6.1.6.3 FPT_FLS.1 Fail Secure

    FPT_FLS.1.1 Refinement: The TSF shall shutdown when the following types of failures occur: failure of the power-on self-tests, failure of integrity check of the TSF executable image, failure of noise source health tests.

    6.1.6.4 FPT_STM.1 Reliable Time Stamps

    FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use.

    6.1.6.5 FPT_TUD_EXT.1 Extended: Trusted Update

    FPT_TUD_EXT.1.1 The TSF shall provide security administrators the ability to query the current version of the TOE firmware/software.

    FPT_TUD_EXT.1.2 The TSF shall provide security administrators the ability to initiate updates to TOE firmware/software.

    FPT_TUD_EXT.1.3 The TSF shall provide a means to verify firmware/software updates to the TOE using a digital signature mechanism prior to installing those updates.

    6.1.6.6 FPT_TST_EXT.1: TSF Testing

    FPT_TST_EXT.1.1 The TSF shall run a suite of self tests during initial start-up (on power on) to demonstrate the correct operation of the TSF.

    FPT_TST_EXT.1.2 The TSF shall provide the capability to verify the integrity of stored TSF executable code when it is loaded for execution through the use of the TSF-provided cryptographic service specified in FCS_COP.1(2).

    6.1.7 TOE Access (FTA)

    6.1.7.1 FTA_SSL_EXT.1 TSF-initiated Session Locking

    FTA_SSL_EXT.1.1 The TSF shall, for local interactive sessions, terminate the session after a Security Administrator-specified time interval of session inactivity.

    6.1.7.2 FTA_SSL.3(1) TSF-initiated Termination

    FTA_SSL.3.1(1) Refinement: The TSF shall terminate a remote interactive session after a [Security Administrator-configurable time interval of session inactivity].

    6.1.7.3 FTA_SSL.3(2) TSF-initiated Termination (VPNEP)

    FTA_SSL.3.1(2) Refinement: The TSF shall terminate a remote VPN client session after an [Administrator-configurable time interval of session inactivity].


    6.1.7.4 FTA_SSL.4 User-initiated Termination

    FTA_SSL.4.1 The TSF shall allow Administrator-initiated termination of the Administrator’s own interactive session.

    6.1.7.5 FTA_TAB.1 Default TOE Access Banners

    FTA_TAB.1.1 Refinement: Before establishing an administrative user session the TSF shall display a Security Administrator-specified advisory notice and consent warning message regarding use of the TOE.

    6.1.8 Trusted Path/Channel (FTP)

    6.1.8.1 FTP_ITC.1(1) Inter-TSF Trusted Channel (Prevention of Disclosure)

    FTP_ITC.1.1(1) Refinement: The TSF shall use IPsec to provide a trusted communication channel between itself and authorized IT entities supporting the following capabilities: audit server, and no other capabilities, that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data.

    FTP_ITC.1.2(1) The TSF shall permit the TSF, or the authorized IT entities to initiate communication via the trusted channel.

    FTP_ITC.1.3(1) The TSF shall initiate communication via the trusted channel for export of audit logs to syslog servers.

    6.1.8.2 FTP_ITC.1(2) Inter-TSF trusted channel

    FTP_ITC.1.1(2) Refinement: The TSF shall use IPsec, and no other protocols to provide a trusted communication channel between itself and all authorized IT entities that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure and detection of modification of the channel data.

    6.1.8.3 FTP_TRP.1 Trusted Path

    FTP_TRP.1.1 Refinement: The TSF shall use IPsec to provide a trusted communication path between itself and remote administrators that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from disclosure and detection of modification of the communicated data.


    FTP_TRP.1.2 Refinement: The TSF shall permit remote administrators to initiate communication via the trusted path.

    FTP_TRP.1.3 The TSF shall require the use of the trusted path for initial administrator authentication and all remote administration actions.

    6.1.9 Stateful Traffic/Packet Filtering (FFW and FPF)

    6.1.9.1 FFW_RUL_EXT.1 Stateful Firewall Filtering

    FFW_RUL_EXT.1.1 The TSF shall perform Stateful Traffic Filtering on network packets processed by the TOE.

    FFW_RUL_EXT.1.2 The TSF shall process the following network traffic protocols:

    Internet Control Message Protocol version 4 (ICMPv4)

    Internet Control Message Protocol version 6 (ICMPv6)

    Internet Protocol (IPv4)

    Internet Protocol version 6 (IPv6)

    Transmission Control Protocol (TCP)

    User Datagram Protocol (UDP)

    and be capable of inspecting network packet header fields defined by the following RFCs to the extent mandated in the other elements of this SFR:

    RFC 792 (ICMPv4)

    RFC 4443 (ICMPv6)

    RFC 791 (IPv4)

    RFC 2460 (IPv6)

    RFC 793 (TCP)

    RFC 768 (UDP)

    FFW_RUL_EXT.1.3 The TSF shall allow the definition of Stateful Traffic Filtering rules using the following network protocol fields:

    ICMPv4

    o Type

    o Code

    ICMPv6

    o Type

    o Code

    IPv4

    o Source address

    o Destination Address

    o Transport Layer Protocol

    IPv6

    o Source address

    o Destination Address

    o Transport Layer Protocol

    TCP

    o Source Port

    o Destination Port

    UDP

    o Source Port

    o Destination Port

    and distinct interface.

    FFW_RUL_EXT.1.4 The TSF shall allow the following operations to be associated with Stateful Traffic Filtering rules: permit, deny, and log.

    FFW_RUL_EXT.1.5 The TSF shall allow the Stateful Traffic Filtering rules to be assigned to each distinct network interface.

    FFW_RUL_EXT.1.6 The TSF shall:

    a) accept a network packet without further processing of Stateful Traffic Filtering rules if it matches an allowed established session for the following protocols: TCP, UDP, ICMP based on the following network packet attributes:


    1. TCP: source and destination addresses, source and destination ports, sequence number, Flags;

    2. UDP: source and destination addresses, source and destination ports;

    3. ICMP: source and destination addresses, type, code, no other protocols.

    b) Remove existing traffic flows from the set of established traffic flows based on the following: session inactivity timeout, completion of the expected information flow.
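    FFW_RUL_EXT.1.3 through FFW_RUL_EXT.1.6 describe a per-interface rule set with permit, deny and log operations, a session table that lets packets of an established flow bypass the rules, and two ways a flow leaves that table (inactivity timeout, completion of the expected exchange). The following added example (this editor's code, not the Junos flow engine) implements that behaviour for TCP, UDP and ICMP echo on a simplified packet model so a reader can trace the decision path packet by packet. The TCP tracking is deliberately flag-based only; sequence-number validation, which the SFR also names, is not modelled. Rules and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    interface: str
    proto: str                  # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    icmp_type: int = 0
    icmp_code: int = 0
    tcp_flags: str = ""         # any of "S", "A", "F", "R"


@dataclass
class Rule:
    interface: str              # FFW_RUL_EXT.1.5: each rule binds to one interface
    action: str                 # "permit" or "deny" (FFW_RUL_EXT.1.4)
    log: bool = False
    proto: Optional[str] = None
    src: Optional[str] = None   # CIDR; None matches any address
    dst: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        in_net = lambda a, n: n is None or ipaddress.ip_address(a) in ipaddress.ip_network(n)
        return (self.interface == p.interface
                and self.proto in (None, p.proto)
                and in_net(p.src, self.src) and in_net(p.dst, self.dst)
                and self.dport in (None, p.dport)
                and self.icmp_type in (None, p.icmp_type))


class StatefulFilter:
    """First matching rule wins; anything unmatched is denied and logged."""

    def __init__(self, rules: List[Rule], idle_timeout: float):
        self.rules, self.idle_timeout = rules, idle_timeout
        self.sessions: Dict[Tuple, float] = {}     # flow key -> last seen

    @staticmethod
    def _keys(p: Packet) -> Tuple[Tuple, Tuple]:
        """Forward and reverse flow keys from the FFW_RUL_EXT.1.6(a) attributes."""
        if p.proto == "icmp":
            reply = 0 if p.icmp_type == 8 else p.icmp_type   # echo request -> echo reply
            return ((p.proto, p.src, p.dst, p.icmp_type, p.icmp_code),
                    (p.proto, p.dst, p.src, reply, p.icmp_code))
        return ((p.proto, p.src, p.sport, p.dst, p.dport),
                (p.proto, p.dst, p.dport, p.src, p.sport))

    def process(self, p: Packet, now: float, log: List[str]) -> str:
        # FFW_RUL_EXT.1.6(b): forget flows idle longer than the timeout
        for k in [k for k, seen in self.sessions.items() if now - seen > self.idle_timeout]:
            del self.sessions[k]
        fwd, rev = self._keys(p)
        if fwd in self.sessions:
            # Established session: accepted without further rule processing (1.6(a)).
            # FIN or RST completes the expected flow; a real stack waits for both
            # sides to close, this simplification tears down on the first.
            if p.proto == "tcp" and ("F" in p.tcp_flags or "R" in p.tcp_flags):
                self.sessions.pop(fwd, None)
                self.sessions.pop(rev, None)
            else:
                self.sessions[fwd] = self.sessions[rev] = now
            return "permit-established"
        for rule in self.rules:
            if rule.matches(p):
                if rule.log:
                    log.append("%s %s %s:%d -> %s:%d on %s" % (rule.action, p.proto,
                               p.src, p.sport, p.dst, p.dport, p.interface))
                if rule.action == "permit":
                    self.sessions[fwd] = self.sessions[rev] = now
                return rule.action
        # nothing matched: the final implicit rule denies the packet (and logs it here)
        log.append("default-deny %s %s -> %s on %s" % (p.proto, p.src, p.dst, p.interface))
        return "deny"


# Constructed rule set: HTTPS and ping into 10.0.0.5 from the inside LAN, telnet logged and denied.
RULES = [
    Rule("ge-0/0/0", "permit", log=True, proto="tcp", src="10.0.1.0/24",
         dst="10.0.0.5/32", dport=443),
    Rule("ge-0/0/0", "permit", proto="icmp", src="10.0.1.0/24",
         dst="10.0.0.5/32", icmp_type=8),
    Rule("ge-0/0/0", "deny", log=True, proto="tcp", dport=23),
]

if __name__ == "__main__":
    fw, entries = StatefulFilter(RULES, idle_timeout=60), []
    syn = Packet("ge-0/0/0", "tcp", "10.0.1.7", "10.0.0.5", 40000, 443, tcp_flags="S")
    synack = Packet("ge-0/0/1", "tcp", "10.0.0.5", "10.0.1.7", 443, 40000, tcp_flags="SA")
    print(fw.process(syn, 0, entries), fw.process(synack, 1, entries))
    print(entries)
```

    The reply packet arrives on a different interface and matches no rule there; it is accepted purely because the session table holds the reverse key, which is exactly the behaviour FFW_RUL_EXT.1.6(a) describes and the reason session-table entries must be removed on timeout and teardown.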

    FFW_RUL_EXT.1.7 The TSF shall be able to process the following network protocols:

    1. FTP,

    2. no other protocols,

    to dynamically define rules or establish sessions allowing network traffic of the following types:

    FTP: TCP data sessions in accordance with the FTP protocol as specified in RFC 959,

    none.

    FFW_RUL_EXT.1.8 The TSF shall enforce the following default Stateful Traffic Filtering rules on all network traffic:

    1. The TSF shall reject and be capable of logging packets which are invalid fragments;

    2. The TSF shall reject and be capable of logging fragmented IP packets which cannot be re-assembled completely;

    3. The TSF shall reject and be capable of logging network packets where the source address of the network packet is equal to the address of the network interface where the network packet was received;

    4. The TSF shall reject and be capable of logging network packets where the source address of the network packet does not be