Transcription
SonicWall SonicOS Enhanced V6.5.4 withVPN and IPS on TZ , SOHO, NSa, and SMAppliances Security TargetAcumen Security, LLC.Document Version: 2.01
Table Of Contents123452Security Target Introduction . 61.1Security Target and TOE Reference . 61.2TOE Overview . 61.3TOE Environment . 61.4TOE Architecture . 71.4.1Physical Boundaries . 71.4.2Security Functions provided by the TOE . 81.4.2.1 Security Audit . 81.4.2.2 Cryptographic Support . 81.4.2.3 Identification and Authentication . 91.4.2.4 Security Management . 91.4.2.5 Protection of the TSF . 91.4.2.6 TOE Access . 91.4.2.7 Trusted Path/Channels. 91.4.2.8 Stateful Traffic Filtering. 91.4.3TOE Documentation . 101.5Functionality Excluded from the Evaluated Configuration . 10Conformance Claims . 112.1CC Conformance . 112.2Protection Profile Conformance . 112.3Conformance Rationale . 112.3.1Technical Decisions . 11Security Problem Definition . 173.1Threats . 173.2Assumptions . 183.3Organizational Security Policies . 19Security Objectives . 204.1Security Objectives for the Operational Environment . 20Security Requirements. 215.1Conventions . 225.2Security Functional requirements. 225.2.1Audit (FAU) . 225.2.1.1 FAU GEN.1 Audit data generation . 225.2.1.2 FAU GEN.2 User identity association . 245.2.1.3 FAU STG EXT.1 Protected Audit Event Storage . 245.2.2Cryptographic Support (FCS) . 255.2.2.1 FCS CKM.1 Cryptographic Key Generation . 255.2.2.2 FCS CKM.2 Cryptographic Key Establishment . 255.2.2.3 FCS CKM.4 Cryptographic Key Destruction . 25
5.2.2.4 FCS COP.1/DataEncryption Cryptographic Operation (AES Data Encryption/Decryption) . 255.2.2.5 FCS COP.1/SigGen Cryptographic Operation (Signature Generation and Verification). 255.2.2.6 FCS COP.1/Hash Cryptographic Operation (Hash Algorithm) . 265.2.2.7 FCS COP.1/KeyedHash Cryptographic Operation (Keyed Hash Algorithm) . 265.2.2.8 FCS HTTPS EXT.1 HTTPS Protocol . 265.2.2.9 FCS IPSEC EXT.1 IPsec Protocol . 265.2.2.10FCS RBG EXT.1 Random Bit Generation . 275.2.2.11FCS TLSS EXT.1 TLS Server Protocol . 285.2.3User Data Protection (FDP) . 285.2.3.1 FDP RIP.2 Full residual information protection . 285.2.4Identification and Authentication (FIA) . 285.2.4.1 FIA AFL.1 Authentication Failure Heading . 285.2.4.2 FIA PMG EXT.1 Password Management . 285.2.4.3 FIA UIA EXT.1 User identification and authentication . 285.2.4.4 FIA UAU EXT.2 Password-based Authentication Mechanism . 295.2.4.5 FIA UAU.7 Protected Authentication Feedback . 295.2.4.6 FIA X509 EXT.1/Rev X.509 Certificate Validation . 295.2.4.7 FIA X509 EXT.2 X.509 Certificate Authentication . 295.2.4.8 FIA X509 EXT.3 X.509 Certificate Requests . 295.2.5Security Management (FMT) . 295.2.5.1 FMT MOF.1/ManualUpdate Management of security functions behaviour . 295.2.5.2 FMT MOF.1/Services Management of security functions behaviour . 305.2.5.3 FMT MTD.1/CryptoKeys Management of TSF Data . 305.2.5.4 FMT MTD.1/CoreData Management of TSF data . 305.2.5.5 FMT SMF.1 Specification of Management Functions . 305.2.5.6 FMT SMR.2 Restrictions on Security Roles . 305.2.6Protection of TSF (FPT) . 305.2.6.1 FPT APW EXT.1 Protection of administrator passwords . 305.2.6.2 FPT SKP EXT.1 Protection of TSF Data (for reading of all pre-shared, symmetric andprivate keys) . 315.2.6.3 FPT STM EXT.1 Reliable Time Stamps . 315.2.6.4 FPT TST EXT.1 TSF testing. 315.2.6.5 FPT TUD EXT.1 Trusted update . 315.2.7TOE Access (FTA) . 315.2.7.1 FTA SSL EXT.1 TSF-initiated Session Locking . 315.2.7.2 FTA SSL.3 TSF-initiated Termination . 315.2.7.3 FTA SSL.4 User-initiated Termination . 315.2.7.4 FTA TAB.1 Default TOE Access Banners . 325.2.8Trusted Path/Channel (FTP) . 325.2.8.1 FTP ITC.1 Inter-TSF trusted channel . 325.2.8.2 FTP TRP.1/Admin Trusted path . 323
5.2.9Stateful Traffic Filter Firewall (FFW) . 325.2.9.1 FFW RUL EXT.1 Stateful traffic filtering . 325.3TOE SFR Dependencies Rationale for SFRs . 345.4Security Assurance Requirements . 345.5Rationale for Security Assurance Requirements . 345.6Assurance Measures . 356TOE Summary Specification . 364
Revision HistoryVersion2.05DateAugust 2021DescriptionUpdated for Assurance Continuity
1 Security Target Introduction1.1 Security Target and TOE ReferenceThis section provides information needed to identify and control this ST and its TOE.CategoryST TitleST VersionST DateST AuthorTOE IdentifierTOE Software VersionTOE DeveloperKey WordsIdentifierSonicWall SonicOS Enhanced V6.5.4 with VPN and IPS on TZ, SOHO, NSa, and SMAppliances Security Target2.0August 2021Acumen Security, LLC.SonicWall SonicOS Enhanced V6.5.4 with VPN and IPS on TZ, SOHO, NSa, and SMAppliances6.5.4.4-44n-federal-12nSonicWall, Inc.FirewallTable 1 TOE/ST Identification1.2 TOE OverviewThe TOE is comprised of the SonicWall SonicOS Enhanced v6.5.4 software running either on purposebuilt TZ, SOHO, NSa, and SM hardware appliance platforms.The appliance firewall capabilities include stateful packet inspection. Stateful packet inspectionmaintains the state of network connections, such as Transmission Control Protocol (TCP) streams andUser Datagram Protocol (UDP) communication, traveling across the firewall. The firewall distinguishesbetween legitimate packets and illegitimate packets for the given network deployment. Only packetsadhering to the administrator-configured access rules are permitted to pass through the firewall; allothers are rejected.The appliance capabilities include deep-packet inspection (DPI) used for intrusion prevention anddetection. These services employ stream-based analysis wherein traffic traversing the product is parsedand interpreted so that its content might be matched against a set of signatures to determine theacceptability of the traffic. Only traffic adhering to the administrator-configured policies is permitted topass through the TOE.The appliances support Virtual Private Network (VPN) functionality, which provides a secure connectionbetween the device and the audit server. The appliances support authentication and protect data fromdisclosure or modification during transfer.The appliances are managed through a web based Graphical User Interface (GUI). All managementactivities may be performed through the web management GUI via a hierarchy of menu buttons.Administrators may configure policies and manage network traffic, users, and system logs. Theappliances also have local console access where limited administrative functionality to configure thenetwork, perform system updates, and view logs.1.3 TOE EnvironmentThe following components are required for operation of the TOE in the evaluated configuration.1. Management Console - Any computer that provides a supported browser may be used to accessthe GUI.6
2. An audit server supporting the syslog protocol with an IPsec peer supporting IKEv2 and ESP inthe cryptographic protocols defined in section 5.2.2.9 of this document.1.4 TOE Architecture1.4.1 Physical BoundariesThe TOE is a software and hardware TOE. It is a combination of a particular SOHO, TZ, NSa, and SMhardware appliance and the SonicOS v6.5.4.4-44n-federal-12n software. The following table lists all theinstances of the TOE that operate in the evaluated configuration. All listed TOE instances offer the samecore functionality but vary in number of processors, physical size, and supported connections.Appliance SeriesTZSOHONSaSMHardware ModelTZ 300PTZ 300TZ300WTZ 350WTZ400TZ400WTZ500TZ500WTZ600TZ 600PSOHO 250SOHO 250WNSa 2650NSA 3600NSa 3650NSA 4600NSa 4650NSA 5600NSa 5650NSA 6600NSa 6650NSa 9250NSa 9450NSa 9650SM 9200SM 9400SM 9600SM 9800Operational EnvironmentCavium Octeon III CN7020-800Cavium Octeon III CN7020-800Cavium Octeon III CN7020-800Cavium Octeon III CN7020-800Cavium Octeon III CN7130-800Cavium Octeon III CN7130-800Cavium Octeon III CN7130-1000Cavium Octeon III CN7130-1000Cavium Octeon III CN7130-1400Cavium Octeon III CN7130-1400Cavium Octeon III CN7020-800Cavium Octeon III CN7020-800Cavium Octeon III CN7130-1600Cavium Octeon II CN6635-800Cavium Octeon III CN7130-1600Cavium Octeon II CN6640-1100Cavium Octeon II CN6645-1200Cavium Octeon II CN6645-1300Cavium Octeon II CN6645-1500Cavium Octeon II CN6870-1000Cavium Octeon II CN6870-1200Cavium Octeon II CN6870-1200Cavium Octeon II CN6880-1400Cavium Octeon II CN6880-1400Cavium Octeon II CN6870-1000Cavium Octeon II CN6880-1200Cavium Octeon II CN6880-1200Cavium Octeon II CN6640-1100Cavium Octeon II CN6880-1200Table 2 TOE Appliance Series and ModelsThe underlying platform that comprises the TOE has common hardware characteristics. These differingcharacteristics effect only non-TSF relevant functionality, such as throughput, processing speed, numberand type of connections, and amount of internal storage.In the evaluated configuration, the devices are placed in “Network Device Protection Profile (NDPP)”mode. “NDPP mode” is a configuration setting.7
The SonicWall appliances are designed to filter traffic based on a set of rules created by a systemadministrator. The audit server provides a platform for sorting and viewing the log files that areproduced by the appliance.1.4.2 Security Functions provided by the TOEThe TOE provides the security functionality required by [FWcPP].1.4.2.1 Security AuditThe TOE generates audit records for administrative activity, security related configuration changes,cryptographic key changes and startup and shutdown of the audit functions. The audit events areassociated with the administrator who performs them, if applicable. The audit records are transmittedover an IPsec VPN tunnel to an external audit server in the IT environment for storage.1.4.2.2 Cryptographic SupportThe TOE provides cryptographic functions (key generation, key establishment, key destruction,cryptographic operation) to secure remote administrative sessions over Hypertext Transfer ProtocolSecure (HTTPS)/Transport Layer Security (TLS), and to support Internet Protocol Security (IPsec) toprovide VPN functionality and to protect the connection to the audit server.AlgorithmAESSHSDRBGECDSA (186)RSA (186)8DescriptionUsed for symmetricencryption/decryptionFCS TLSS EXT.1FCS IPSEC EXT.1FCS COP.1/DataEncryptionCryptographic hashing servicesFCS TLSS EXT.1FCS IPSEC EXT.1FCS RBG EXT.1FCS COP.1/SigGenFCS COP.1/HashFCS COP.1/KeyedHashDeterministic random bit generationFCS TLSS EXT.1FCS IPSEC EXT.1FCS RBG EXT.1FCS CKM.1Key Generation, SigGen, SigVerFCS IPSEC EXT.1FCS CKM.1FCS COP.1/SigGenFPT TUD EXT.1Mode SupportedCAVP Cert. #CBC (128, 256)GCM (128, 256)C743SHA (1, 256, 384, 512)C743Hash (SHA-256)C743P-256, P-384C743Key GenerationFCS TLSS EXT.1FCS IPSEC EXT.1FCS CKM.1n (2048)C743SigGen (PKCS1 V1.5)FCS TLSS EXT.1FCS IPSEC EXT.1FCS COP.1/SigGenn 2048 SHA(256, 384, 512)C743
AlgorithmDescriptionSigVer (PKCS1 v1.5)FCS TLSS EXT.1FCS IPSEC EXT.1FCS COP.1/SigGenMode SupportedCAVP Cert. #n 2048 SHA(1, 256, 384, 512)C743HMACKeyed hashing servicesFCS TLSS EXT.1FCS IPSEC EXT.1FCS COP.1/KeyedHashSHA (1, 256, 384, 512)C743KAS ECCSP 800-56AFCS IPSEC EXT.1FCS CKM.2Key Agreement (Initiator,Responder)EC: P-256, SHA-512ED: P-384, SHA-512C743RSAPKCS1 v1.5FCS TLSS EXT.1FCS CKM.2RSA Key EstablishmentVendorAffirmedTable 3 CAVP Certificate References1.4.2.3 Identification and AuthenticationThe TOE provides a password-based logon mechanism. This mechanism enforces minimum strengthrequirements and ensures that passwords are obscured when entered. The TOE also validates andauthenticates X.509 certificates for all certificate use.1.4.2.4 Security ManagementThe TOE provides management capabilities via a Web-based GUI, accessed over HTTPS. Managementfunctions allow the administrators to configure and update the system, manage users and configure theVirtual Private Network (VPN) functionality.1.4.2.5 Protection of the TSFThe TOE prevents the reading of plaintext passwords and keys. The TOE provides a reliable timestampfor its own use. To protect the integrity of its security functions, the TOE implements a suite of self-testsat startup and shuts down if a critical failure occurs. The TOE verifies the software image when it isloaded. The TOE ensures that updates to the TOE software can be verified using a digital signature.1.4.2.6 TOE AccessThe TOE monitors local and remote administrative sessions for inactivity and either locks or terminatesthe session when a threshold time period is reached. An advisory notice is displayed at the start of eachsession.1.4.2.7 Trusted Path/ChannelsThe TSF provides IPsec VPN tunnels for trusted communication between itself and an audit server. TheTOE implements HTTPS for protection of communications between itself and the Management Console.1.4.2.8 Stateful Traffic FilteringThe TOE restricts the flow of network traffic between protected networks and other attached networksbased on addresses and ports of the network nodes originating (source) and/or receiving (destination)applicable network traffic, as well as on established connection information.9
1.4.3 TOE Documentation SonicWall SonicOS 6.5 Common Criteria Addendum, Version 2.01.5 Functionality Excluded from the Evaluated ConfigurationThe following features/functionality are excluded from this evaluation: 10Although SonicWall SonicOS Enhanced supports several authentication mechanisms, thefollowing mechanisms are excluded from the evaluated configuration:o Remote Authentication Dial-In User Service (RADIUS)o Lightweight Directory Access Protocol (LDAP)o Active Directory (AD)o eDirectory authenticationCommand Line Interface (CLI) (Secure Shell (SSH))Hardware FailoverReal-time Blacklist (Simple Mail Transfer Protocol (SMTP))Global Security Client (including Group VPN)Global Management SystemSonicPointVoice over IP (VoIP)Network Time Protocol (NTP)AntivirusApplication FirewallIntrusion Prevention System (IPS)VPN Gateway – Note: IPsec functionality for securing TOE traffic is in scope.
2 Conformance Claims2.1 CC ConformanceThis TOE is conformant to: Common Criteria for Information Technology Security Evaluations Part 1, Version 3.1, Revision 4,September 2012Common Criteria for Information Technology Security Evaluations Part 2, Version 3.1, Revision 4,September 2012: Part 2 extendedCommon Criteria for Information Technology Security Evaluations Part 3, Version 3.1, Revision 4,September 2012: Part 3 conformant2.2 Protection Profile ConformanceThe TOE for this ST claims exact conformance to the collaborative Protection Profile for Stateful TrafficFilter Firewalls (v2.0 Errata 20180314, 14-March-2018) [FWcPP].2.3 Conformance RationaleThe security problem definition, security objectives and security requirements in this Security Target areall taken from the Protection Profile performing only operations defined there.2.3.1 Technical DecisionsThe following Technical Decisions have been considered for this evaluation:TDTD0484: NIT Technical Decisionfor Interactive sessions inFTA SSL EXT.1 & FTATD0483: NIT Technical Decisionfor Applicability ofFPT APW EXT.1TD0482: NIT Technical Decisionfor Identification of usage ofcryptographic schemesTD0481: NIT Technical Decisionfor FCS (D)TLSC EXT.X.2 IPaddresses in reference identifiersTD0480: NIT Technical Decisionfor Granularity of audit eventsTD0478: NIT Technical Decisionfor Application Notes forFIA X509 EXT.1 iterationsTD0477: NIT Technical Decisionfor Clarifying FPT TUD EXT.1Trusted UpdateTD0476: NIT Technical Decisionfor Conflicting FW rules cannot beconfiguredTD0475: NIT Technical Decisionfor Separate traffic considerationfor SSH rekey11REFERENCECPP FW V2.0EApplicableYesCPP FW V2.0EYesCPP FW V2.0EYesCPP FW V2.0ENoCPP ND V2.0EYesCPP FW V2.0EYesCPP ND V2.0EYesCPP FW V2.0EYesCPP FW V2.0ENoExclusion RationaleFCS TLSC EXT.x.2 functionality isnot included in this TOE.FCS SSH* EXT functionality is notincluded in this TOE.
TDTD0453: NIT Technical Decisionfor Clarify authenticationmethods SSH clients can use toauthenticate SSH seTD0451: NIT Technical Decisionfor ITT Comm UUID ReferenceIdentifierTD0447: NIT Technical Decisionfor Using 'diffie-hellman-groupexchange-sha256' inFCS SSHC/S EXT.1.7TD0425: NIT Technical Decisionfor Cut-and-paste Error forGuidance AATD0423: NIT Technical Decisionfor Clarification about applicationof RfI#201726rev2TD0412: NIT Technical Decisionfor FCS SSHS EXT.1.5 SFR and AAdiscrepancyTD0411: NIT Technical Decisionsfor FCS SSHC EXT.1.5, Test 1 –Server and client side seem to beconfusedTD0410: NIT technical decision forRedundant assurance activitiesassociated with FAU GEN.1TD0409: NIT decision forApplicability of FIA AFL.1 to keybased SSH authenticationTD0408: NIT Technical Decisionfor Local vs Remote administratoraccountsTD0402: NIT Technical Decisionfor RSA-based FCS CKM.2SelectionTD0400: NIT Technical Decisionfor FCS CKM.2 and elliptic curvebased key establishmentTD0399: NIT Technical Decisionfor Manual installation of CRL(FIA X509 EXT.2)TD0398: NIT Technical Decisionfor FCS SSH*EXT.1.1 RFCs forAES-CTRTD0397: NIT Technical Decisionfor Fixing AES-CTR Mode TestsTD0396: NIT Technical Decisionfor FCS TLSC EXT.1.1, Test 212REFERENCECPP FW V2.0EApplicableNoExclusion RationaleFCS SSHC EXT.1 functionality isnot included in this TOE.CPP FW V2.0ENoThis TD does not change therequirements.CPP FW V2.0ENoThis TD does not change therequirements.CPP ND V2.0EYesCPP FW V2.0EYesCPP FW V2.0ENoFCS SSH* EXT functionality is notincluded in this TOE.CPP FW V2.0ENoFCS SSH* EXT functionality is notincluded in this TOE.CPP ND V2.0EYesCPP ND V2.0EYesCPP FW V2.0EYesCPP FW V2.0EYesCPP FW V2.0EYesCPP ND V2.0EYesCPP FW V2.0ENoCPP ND V2.0EYesCPP ND V2.0ENoFCS SSH* EXT functionality is notincluded in this TOE.FCS TLSC EXT.1 functionality isnot included in this TOE.
TDTD0395: NIT Technical Decisionfor Different Handling of TLS1.1and TLS1.2TD0394: NIT Technical Decisionfor Audit of ManagementActivities related to CryptographicKeysTD0343: NIT Technical Decisionfor Updating FCS IPSEC EXT.1.14TestsTD0342: NIT Technical Decisionfor TLS and DTLS Server TestsTD0341: NIT Technical Decisionfor TLS wildcard checkingTD0340: NIT Technical Decisionfor Handling of thebasicConstraints extension in CAand leaf certificatesTD0339: NIT Technical Decisionfor Making password-basedauthentication optional inFCS SSHS EXT.1.2TD0338: NIT Technical Decisionfor Access Banner VerificationTD0337: NIT Technical Decisionfor Selections inFCS SSH* EXT.1.6TD0336: NIT Technical Decisionfor Audit requirements forFCS SSH* EXT.1.813REFERENCECPP ND V2.0EApplicableYesCPP FW V2.0EYesND SD V2.0,FCS IPSEC EXT.1.14,CPP FW V2.0E,CPP ND V2.0END SD V2.0,FCS DTLSS EXT.1,FCS DTLSS EXT.2,FCS TLSS EXT.1,FCS TLSS EXT.2,CPP ND V2.0END SD V2.0,FCS TLSC EXT.1.2,FCS TLSC EXT.2.2,FCS DTLSC EXT.1.2,FCS DTLSC EXT.2.2,CPP ND V2.0EFIA X509 EXT.1.1,CPP FW V2.0E,CPP ND V2.0EYesND SD V2.0,FCS SSHS EXT.1.2,CPP FW V2.0E,CPP ND V2.0END SD V2.0,FTA TAB.1,CPP ND V2.0END SD V2.0,FCS SSHC EXT.1,FCS SSHS EXT.1,CPP FW V2.0E,CPP ND V2.0END SD V2.0,FCS SSHC EXT.1.8,FCS SSHS EXT.1.8,CPP ND V2.0ENoExclusion RationaleYesNoFCS [D]TLSC EXT.[1 2]functionality is not included in thisTOE.YesFCS SSHS EXT.1 functionality isnot included in this TOE.YesNoFCS SSH[C S] EXT.1 functionalityis not included in this TOE.NoFCS SSH[C S] EXT.1 functionalityis not included in this TOE.
TDTD0335: NIT Technical Decisionfor FCS DTLS Mandatory CipherSuitesTD0334: NIT Technical Decisionfor Testing SSH when passwordbased authentication is notsupportedTD0333: NIT Technical Decisionfor Applicability ofFIA X509 EXT.3TD0324: NIT Technical Decisionfor Correction of section numbersin SD Table 1TD0323: NIT Technical Decisionfor DTLS server testing - EmptyCertificate Authorities listTD0322: NIT Technical Decisionfor TLS server testing - EmptyCertificate Authorities listTD0321: Protection of NTPcommunicationsTD0291: NIT Technical Decisionfor DH14 and FCS CKM.1TD0290: NIT Technical Decisionfor physical interruption oftrusted path/channel14REFERENCEFCS DTLSC EXT.1.1,FCS DTLSC EXT.2.1,FCS DTLSS EXT.1.1,FCS DTLSS EXT.2.1,FCS TLSC EXT.1.1,FCS TLSC EXT.2.1,FCS TLSS EXT.1.1,FCS TLSS EXT.2.1,CPP FW V2.0E,CPP ND V2.0END SD V2.0,FCS SSHC EXT.1.9,CPP ND V2.0EApplicableYesExclusion RationaleNoFCS SSHC EXT.1 functionality isnot included in this TOE.ND SD V2.0,FIA X509 EXT,CPP FW V2.0E,CPP ND V2.0ETable 1,CPP ND V2.0EYesND SD V2.0,FCS DTLSS EXT.2.7,FCS DTLSS EXT.2.8,CPP ND V2.0END SD V.1.0, ND SDV2.0,FCS TLSS EXT.2.4,FCS TLSS EXT.2.5,CPP ND V2.0EFTP ITC.1,FPT STM EXT.1,CPP FW V2.0E,CPP ND V2.0EFCS CKM.1CPP FW V1.0,CPP FW v2.0,CPP FW V2.0E,CPP ND V1.0,CPP ND V2.0,CPP ND V2.0E,ND SD V.1.0, ND SDV2.0FTP ITC.1, FTP TRP.1,FPT ITT.1CPP ND V1.0,CPP ND V2.0,CPP ND V2.0E,ND SD V.1.0, ND SDV2.0NoFCS DTLSS EXT.2 functionality isnot included in this TOE.NoFCS TLSS EXT.2 functionality isnot included in this TOE.YesYesYesYes
TDTD0289: NIT Technical Decisionfor FCS TLSC EXT.x.1 Test 5eTD0281 : NIT Technical Decisionfor Testing both thresholds forSSH rekeyTD0259: NIT Technical Decisionfor Support for X509 ssh rsaauthentication IAW RFC 6187TD0257: NIT Technical Decisionfor UpdatingFCS DTLSC EXT.x.2/FCS TLSC EXT.x.2 Tests 1-4TD0256: NIT Technical Decisionfor Handling of TLS connectionswith and without mutualauthenticationTD0228: NIT Technical Decisionfor CA certificates basicConstraints validation15REFERENCECPP ND V1.0,CPP ND V2.0,CPP ND V2.0EFCS TLSC EXT.1.1,FCS TLSC EXT.2.1,FCS DTLSC EXT.1.1(only ND SD V2.0) ,FCS DTLSC EXT.2.1(only ND SD V2.0)FCS SSHC EXT.1.8,FCS SSHS EXT.1.8,CPP ND V1.0,CPP ND V2.0,CPP ND V2.0END SD V1.0, ND SDV2.0CPP FW v2.0,CPP FW V2.0E,CPP ND V2.0,CPP ND V2.0EFCS SSHC EXT.1.5/FCS SSHS EXT.1.5ND SD V1.0, ND SDV2.0,FCS DTLSC EXT.1.2/FCS DTLSC EXT.2.2Tests 1-4 (ND SDV2.0),FCS TLSC EXT.1.2/FCS TLSC EXT.2.2, Tests1-4 (ND SD V1.0, NDSD V2.0)CPP ND V1.0,CPP ND V2.0,CPP ND V2.0END SD V1.0, ND SDV2.0,FCS DTLSC EXT.2.5(ND SD V2.0),FCS TLSC EXT.2 (NDSD V1.0, ND SD V2.0)CPP ND V1.0,CPP ND V2.0,CPP ND V2.0END SD V1.0, ND SDV2.0,FIA X509 EXT.1.2CPP FW V1.0,CPP ND V1.0,CPP ND V2.0,CPP ND V2.0EApplicableNoExclusion RationaleFCS [D]TLSC EXT.[1 2]functionality is not included in thisTOE.NoFCS SSH[C S] EXT.1 functionalityis not included in this TOE.NoFCS SSH[C S] EXT.1 functionalityis not included in this TOE.NoFCS [D]TLSC EXT.[1 2]functionality is not included in thisTOE.NoFCS [D]TLSC EXT.2 functionality isnot included in this TOE.Yes
16
3 Security Problem DefinitionThe security problem definition has been taken from [FWcPP] and is reproduced here for theconvenience of the reader. The security problem is described in terms of the threats that the TOE isexpected to address, assumptions about the operational environment, and any organizational securitypolicies that the TOE is expected to enforce.Since this TOE is not a distributed TOE, items that only apply to distributed TOE
TOE Identifier SonicWall SonicOS Enhanced V6.5.4 with VPN and IPS on TZ, SOHO, NSa, and SM Appliances TOE Software Version 6.5.4.4-44n-federal-12n TOE Developer SonicWall, Inc. Key Words Firewall Table 1 TOE/ST Identification 1.2 TOE Overview The TOE is comprised of the SonicWall SonicOS Enhanced v6.5.4 software running either on purpose
