Stonesoft StoneGate Firewall v.2.0.5 COMMON CRITERIA 2010. 9. 3.¢  Stonesoft StoneGate Firewall v.2.0.5

  • View
    2

  • Download
    0

Embed Size (px)

Text of Stonesoft StoneGate Firewall v.2.0.5 COMMON CRITERIA 2010. 9. 3.¢  Stonesoft StoneGate...

  • Stonesoft StoneGate Firewall v.2.0.5 COMMON CRITERIA SECURITY TARGET

    VERSION 3.13

    Shari Galitzer

    August 7, 2003

    Suite 100 West♦7927 Jones Branch Drive♦McLean, VA 22102-3305♦703 848-0883♦Fax 703 848-0960

  • TABLE OF CONTENTS

    SECTION PAGE

    1 SECURITY TARGET INTRODUCTION 7

    1.1 SECURITY TARGET IDENTIFICATION 7 1.2 SECURITY TARGET OVERVIEW 7 1.3 COMMON CRITERIA CONFORMANCE CLAIMS 8 1.4 TERMINOLOGY 8

    2 TOE DESCRIPTION 11

    2.1 PRODUCT TYPE 11 2.2 TOE SECURITY FUNCTIONS 12 2.3 TOE SCOPE AND EVALUATED CONFIGURATION 14

    3 TOE SECURITY ENVIRONMENT 16

    3.1 SECURE USAGE ASSUMPTIONS 16 3.2 ORGANIZATIONAL SECURITY POLICIES 17 3.3 THREATS TO SECURITY 17

    4 SECURITY OBJECTIVES 19

    4.1 SECURITY OBJECTIVES FOR THE TOE 19 4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT 20

    5 IT SECURITY REQUIREMENTS 22

    5.1 TOE SECURITY FUNCTIONAL REQUIREMENTS 22 5.1.1 FAU – Audit 23 5.1.2 FCS – Cryptographic Support 25 5.1.3 FDP – User Data Protection 27 5.1.4 FIA – Identification and Authentication 29 5.1.5 FMT – Security Management 30 5.1.6 FPT – Protection of the TOE Security Functions 32 5.1.7 FRU – Resource Utilization 33 5.1.8 FTP – Trusted path/channels 33 5.1.9 Strength of Function Requirement 33

    5.2 SECURITY FUNCTIONAL REQUIREMENTS FOR THE IT ENVIRONMENT 33 5.3 TOE SECURITY ASSURANCE REQUIREMENTS 36

    6 TOE SUMMARY SPECIFICATION 38

    6.1 IT SECURITY FUNCTIONS 38 6.1.1 Audit 39 6.1.2 Cryptographic Functionality (CRYPTO-1) 40 6.1.3 User Data Protection 41 6.1.4 High Availability (HA-1) 44 6.1.5 Identification and Authentication (I&A-1) 44 6.1.6 Security Management and Protection of Security Functions 45

    6.2 ASSURANCE MEASURES 45

    7 PP CLAIMS 49

    8 RATIONALE 50

    8.1 SECURITY OBJECTIVES RATIONALE 50

  • iii

    8.1.1 Policies 51 8.1.2 Threats 51

    8.2 SECURITY REQUIREMENTS RATIONALE 53 8.2.1 Assurance Rationale 58 8.2.2 SOF Rationale 58 8.2.3 Security Requirements are Justified 59 8.2.4 Justification for explicit requirements 60 8.2.5 Rationale for SAR Dependencies 60

    8.3 RATIONALE FOR TOE SUMMARY SPECIFICATION 61 8.4 RATIONALE FOR PP CONFORMANCE 62

    9 ACRONYMS 63

    10 REFERENCES 64

  • iv

    TABLE OF FIGURES

    PAGE FIGURE 2.1 TOE OPERATING ENVIRONMENT ...............................................................................................12 FIGURE 2.2 TOE BOUNDARY AND IT ENVIRONMENT ...................................................................................15

  • v

    TABLE OF TABLES

    TABLE PAGE TABLE 5.1 – FUNCTIONAL COMPONENTS ..........................................................................................................22 TABLE 5.2 – TOE AUDITABLE EVENTS .............................................................................................................23 TABLE 5.3 – TSF DATA MANAGEMENT ............................................................................................................30 TABLE 5.4 – MANAGEMENT SERVER AUDITABLE EVENTS ...............................................................................34 TABLE 5.5 - ASSURANCE COMPONENTS ............................................................................................................37 TABLE 6.1 – SECURITY FUNCTIONS MAPPED TO SECURITY FUNCTIONAL REQUIREMENTS..............................38 TABLE 6.2 – ASSURANCE EVALUATION EVIDENCE...........................................................................................46 TABLE 8.1 MAPPING THE SECURITY ENVIRONMENT TO THE SECURITY OBJECTIVES.......................................50 TABLE 8.2 ALL IT SECURITY OBJECTIVES FOR THE TOE ARE NECESSARY .....................................................50 TABLE 8.3 SECURITY OBJECTIVE TO REQUIREMENTS MAPPING.......................................................................53 TABLE 8.4 ALL SECURITY REQUIREMENTS FOR THE TOE ARE NECESSARY ....................................................54 TABLE 8.5 – FUNCTIONAL COMPONENT DEPENDENCIES ..................................................................................59 TABLE 8.6 – SFR TO SECURITY FUNCTION MAPPING .......................................................................................61

  • vi

    Revision History

    Version 1.0, First submission of the ST to the CygnaCom SEL for evaluation and to StoneSoft for comment.

    Version 1.1 Incorporated comments from StoneSoft and minor corrections. Version 2.0 Rewritten for new TOE definition and no PP compliance claims. Version 2.1 Incorporated edits from Klaus review and added general statement on threats and

    assets protected. Version 3.0

    For evaluation to address EORs and review from R&D. Note: the rationale section is not complete and some CC and general format and presentation requirements are not complete. To assist with the development and review process, the document is in 4 files: 1a.) IntroandEnv.3.0.doc (refers to 1b.) Figure1.1FirewallStystemArchitecture.doc), 2.) Section5.3.0.doc, 3.) TSS.3.0.doc, and 4.)Rationale.3.0.doc.

    Version 3.1 Addressed EORs Version 3.2 Incorporated comments from R&D Version 3.3 Addressed EORs Version 3.4 Addressed remaining issues from ST EORs, before TOE evaluation. Version 3.5 Combined into 1 file, fixed formatting, update references, and a couple of minor

    edits/nits. Version 3.6 Addressed changes based on evaluation results to date. Version 3.7 April 9, 2003. Address changes based on evaluation results to date. Version 3.8 April 18, 2003. Address changes based on evaluation results to date: additional

    key sizes for DSA, and application note for A.ADMINTRUSTED. Version 3.9 May 22, 2003 address changes based on evaluation results to date. Version 3.10 June 16, 2003. Addresses changes based on HMAC-SHA details and a few

    other minor edits. Version 3.11 June 30, 2003. Removed Client as a kind of SGW, and removed IPSec AH only

    and AH+ESP. Version 3.12 July 1, 2003. Removed DSA from the scope of the evaluation. Version 3.13 August 7, 2003. Updated evaluation evidence table, updated HMAC_SHA-1

    requirement, and a couple of minor edits.

  • 7

    1 SECURITY TARGET INTRODUCTION

    1.1 SECURITY TARGET IDENTIFICATION

    TOE Identification: Stonesoft StoneGate Firewall version 2.0.5 ST Title: Stonesoft StoneGate Firewall version 2.0.5 Common Criteria Security Target ST Version: 3.13 Assurance level: EAL4, augmented with ALC_FLR.1, Basic flaw remediation, and AVA_VLA.3, Moderately resistant. CC Version: 2.1 Registration: Keywords: Firewall, VPN, High Availability, Traffic Filter, Application Proxy

    1.2 SECURITY TARGET OVERVIEW

    The StoneSoft StoneGate Firewall is a high availability firewall and Virtual Private Network (VPN) solution for securing data communication channels and enabling continuous network connectivity. The StoneGate Firewall is based on Multi-Layer Inspection technology that combines both stateful and application-level inspection technology to control connectivity and information flow between internal and external networks. It also provides a means to keep the internal hosts IP-address private from external users. The VPN security services are based on the IPSec standard and allow users multiple cryptographic support options. As part of a cluster, the StoneGate Firewall provides high availability of these firewall security services for the users and servers protected by the cluster of firewalls when a node in the cluster or a network connection to a node fail. The StoneGate Firewall product runs on a hardened Linux operating system that is shipped with the product. The product runs on a single or multi-processor Intel or SPARC platform. The product also includes a distributed management system comprising a management server, log server and Graphic User Interface (GUI) to support the management and operation of the firewall. The security features within the scope of the ST include:

    • Connection level information flow control for IP packets including network-through- application level packet filtering, and connection redirection for FTP, HTTP, and SMTP traffic.

    • VPN data protection; • Privacy for hosts IP-address on the internal network using static Network Address

    Translation (NAT); • High Availability for network security services;

  • 8

    • Audit generation; and • Management and protection functions to support the security services.

    This ST was developed by CygnaCom Solutions under contract with Stonesoft.

    1.3 COMMON CRITERIA CONFORMANCE CLAIMS

    This TOE conforms to the following CC specifications:

    • &RPPRQ�&ULWHULD�IRU�,QIRUPDWLRQ�7HFKQRORJ\�6HFXULW\�(YDOXDWLRQ�3DUW����6HFXULW\�IXQFWLRQDO� requirements, Version 2.1, August 1999, ISO/IEC 15408-2:

    o Part 2 extended; o Components FAU_GEN.1-NIAP-0410, FAU_STG.NIAP-0414, FAU_STG.1-NIAP-

    0423, and FDP_IFF.1-NIAP-0407 are used to comply with NIAP interpretations; o Component FMT_SMF.1, Specification of Management Functions, is a new

    component from CCIMB interpretation #65; o FPT_SEP_EXP.1 and FPT_SEP_ENV.1 are explicit functional components and are

    included to reflect how the software TOE and its IT environment work together to en