WIXLIB

Functionality Excluded from the EvaluationThe Check Point Software Blades R7x product can provide a broad rangeof services (product types), features and capabilities. Some of theserequire additional products or licenses to be installed on the Check PointSoftware Blades R7x appliance and/or on the Security ManagementServer.This section describes additional features and capabilities that areexcluded from the evaluated configuration: SNMP daemon: Check Point Software Blades appliances provideoptional SNMP daemons that can be used for remote management.These daemons are disabled in the evaluated configuration.WebUI: The evaluated configuration operating systems provide Webbased configuration interfaces as an alternative to the Check PointSoftware Blades appliance CLI. This interface is disabled in the TOEevaluated configuration.CLIs and SSH: Check Point Software Blades appliances andoperating systems include CLI interfaces that are used for initialinstallation and configuration of the appliance, the OS and thesoftware. A CLI is also provided on the Security Management Server.The CLI can be accessed from a directly connected console orremotely using the SSH protocol.In the evaluated configuration, these CLIs should not be used after thisinstallation stage. All management of the TOE should be performedvia the Security Management Server and Management GUIs. If theappliance must be reconfigured (e.g. a NIC is added to the appliance),it should be reinstalled to ensure that it remains in a secureconfiguration.17

Security Environment ConsiderationsThe following issues should be taken into account when preparing thesecurity environment of the Check Point Software Blades evaluatedconfiguration: Physical Access Control: Physical access must be controlled. TheSecurity Management Server, SmartConsole workstations, and firewallappliances must be located in secure locations, protected from physicalaccess by unauthorized persons. Permitted Applications: You may not install any general-purposeapplications, public data or other capabilities that are outside theevaluated configuration on any firewall or Security ManagementServer host. In particular, you must not install services (e.g. an FTPserver) that can be accessed remotely by non-administrative users. Trustworthy Administrators: Only trustworthy Administratorsshould receive authorization to manage the evaluated configuration. Traffic Mediation: A configured firewall shall mediate traffic for atleast two networks. You must ensure that all information pathsbetween mediated networks pass through a firewall in the evaluatedconfiguration. Administrative Workstation: Check Point Software Blades shall bemanaged from an administrative workstation, running SmartConsole.Use of CLI or Web interfaces is restricted to product installation. Oncethe product is operational, the only administrator interfaces used byauthorized administrators are SmartConsole and other supportedOPSEC applications. Preventing Access by Untrusted Users: The following componentsmust be installed on subnets connected to a firewall interface that isprotected by the Security Policy such that they cannot be accessed byuntrusted users: Security Management Server host SmartConsole hosts OPSEC applications An external authentication server that is used to supportSecurID single-use authentication, if any.18

RADIUS and NTP servers: The communication with a RADIUS orNTP server if any is protected using a MD5 shared secret. Secretsshould be chosen out of a sufficiently large range (at least 16 randomlyselected octets) in order to provide protection against exhaustivesearch attacks. It is also recommended to periodically change theseshared secrets, in order to improve resistance to replay attacks.Single-Use Password Authentication: The evaluated configurationsupports authentication of administrators, Telnet and FTP users, and ofremote access VPN users by sending the user-entered username andpassword using the RADIUS or SecurID protocols to an externalauthentication server. In the evaluated configuration, this should onlybe used in conjunction with single-use password mechanisms, e.g. theRSA SecurID hardware or software tokens. Multiple-use passwordsare inherently insecure if used over an unencrypted or physicallyinsecure network.Dedicated Cluster Synchronization Networks: Synchronizationinformation exchanged between cluster members (over defined Syncinterfaces) contains sensitive information. This information is notcryptographically protected by the Security Gateway. The evaluatedconfiguration therefore requires that all cluster members should be colocated. To secure the synchronization interfaces, cluster membersshould be directly connected by a cross cable, or in a cluster with threeor more members, use a dedicated hub or switch. No users should begiven remote or local access to cluster synchronization networks.19

Chapter2Secure Delivery ProceduresIn This ChapterOverviewHardware DeliverySoftware DeliveryLicense Confirmation and Verificationpage 20page 21page 25page 31OverviewThis section provides information on verifying the secure delivery of theCheck Point Check Point Software Blades product. Product deliveryconsists of hardware and software components.The Check Point Software Blades product is not sold by Check Pointdirectly to customers. Instead, Check Point makes use of established ValueAdded Resellers (VARs), Original Equipment Manufacturers (OEM’s)and other distributors, to sell its software and hardware. A customerpurchases the certified system by placing an order for the software with adistributor. Customers purchase third-party evaluated hardware directlyfrom the hardware manufacturer.Note - Check Point provides a resource for locating distributors athttp://www.checkpoint.com/sales/index.html.20

The customer is then responsible for completing the installation andconfiguration of the evaluated configuration, as described in this guidancedocument.Hardware DeliveryHardware PlatformsThe evaluated configuration includes three types of hardware platforms:gateway appliance platforms, Security Management Server platforms, andSmartConsole (Management GUI) platforms. Corresponding R7x softwaremust be installed on each platform.The customer purchases one or more of the appliance hardware platformsidentified in the Check Point Software Blades R7x Security Target, andinstalls the Check Point Software Blades software. On platforms runningthe Check Point SecurePlatform operating system, the softwareinstallation also installs the operating system.A separate hardware platform from the list of Check Point SecurePlatformappliances identified in the Security Target should be used for the SecurityManagement Server. The customer installs the operating system andsoftware.One or more SmartConsole hosts should be installed. SmartConsole isinstalled on a standard PC workstation running a Microsoft Windowsoperating system. The workstation is not considered part of the Target ofEvaluation, and is not specified in the Security Target.The product supports the following Microsoft Windows operating systems(or later versions thereof): Windows XP Home & Professional (SP3) Windows Vista (Ultimate, Enterprise, Business, Home Premium,or Home Basic) (SP1)21

Windows Server 2003 (Standard, Enterprise, or DatacenterEdition) (SP1-2) Windows Server 2008The SmartConsole machine hardware must meet the following minimumrequirements: CPU – Intel Pentium IV or 2 GHz equivalent processor Memory – 512 Mb, Disk Space – 500 Mb CD-ROM drive, Video Adapter with minimum resolution: 1024 x768Hardware Acquisition and DeliveryThe Check Point software depends on the correct operation of theunderlying hardware and firmware in order to meet the securityrequirements of the evaluated configuration. The hardware platformsidentified in the Security Target have been vetted for compatibility withthese requirements. It is important that the customer ensure that validhardware has been received.The Check Point SecurePlatform operating system runs on commodityhardware. This is hardware that is used by many organizations, for manypurposes. Because of the diversity of the supported hardware platforms, anadversary will not be able to install a Trojan Horse in hardware that istargeted for Check Point software in general, or for a specific customer'sorganizational border protection devices in particular.Check Point security appliances are manufactured by a trusted CheckPoint supplier, and shipped from regional distribution centers directly tothe customer-specified location.The following are recommendations that can be used to further mitigatethe risks of hardware substitution: 22Buy hardware from people you trust. In particular, it is goodpractice to purchase hardware directly from the hardware vendor,

according to the procedures provided on the hardware vendor’sWeb site. Prefer new hardware to used or refurbished equipment. Attempt to make hardware purchases seem random. If possible, donot identify upfront the purpose for which these platforms aregoing to be used. Use platform types that have been purchased byyour organization for other purposes as well. Use reputable commercial carriers to deliver hardware to yourorganization. Request tracking information and use shipper Websites to determine that the hardware did not take any suspiciousroutes or was mislaid enroute. Where possible, pick it up yourself. Apply physical access controls throughout the hardware platform'slifetime, including any periods of time when the hardware is instorage, before product installation.If the hardware is to be installed in extreme environmental conditions(heat, cold, humidity, power spikes, vibration, etc.), verify that theseconditions are compatible with the hardware vendor's specifications.Hardware Verification ProcedureUse the following steps to verify that valid hardware has been received:1. Examine the outside packaging and markings of the delivery containercontaining the hardware to ensure that it arrived via the contractedcommercial carrier from the hardware vendor.2. Examine the shipping and tracking information available with thepackage to look for any unexpected information related to the timingand route for the shipment. If there is any doubt about the veracity ofthe shipment, contact the vendor and confirm that the product wasindeed ordered by your organization and sent by the vendor.3. Visually examine the hardware platform to determine that it is labeledin accordance with the hardware vendor's standard markings, and thatit matches the platform model that was ordered.23

Note - Follow the hardware vendor's guidance to disconnect or disableany wake on LAN (WoL), Lights Out Management (LOM) or any otherNIC-related remote management functionality.In particular, on Check Point security appliances, if the appliance hasbeen delivered with a LOM card installed, do not enable the card in theBIOS menu.24

Software DeliverySoftware Package DistributionEach release of the product is identified by a unique reference that consistsof a release number and (after the initial base release) a Hot Fix Accumulator (HFA) designator.Check Point releases and hot fixes are distributed to customers on CDROMs, or as downloadable packages off the Check Point Web site. TheHFA installation is applied as an upgrade to the General Availability (GA)release, or to previous HFAs, replacing one or more packages with newerbuilds of those packages.Note - Releases distributed electronically as .iso files contain CD-ROMimages. A CD-ROM created from such an image is considered to be anequivalent distribution and should be verified as described below for thenormal CD-ROM package distribution. HFA and hot fix packages aretypically distributed as compressed file archives that are installed as anupgrade to an already-installed appliance.The unique reference for the evaluated software is ‘R7x’. As identified inthe Check Point Software Blades R7x Security Target, the referencedsoftware is comprised of the following Check Point software:SoftwareCheck Point Security GatewayCheck Point Security Management and SmartConsoleGAHFAR70.1 R7x hotfixR71.1 R7x hotfixNote – The R70.1 release is made available either as a GA release, orapplied as a HFA updating the R70 base release. Both installations(R70.1 and R70 with HFA R70.1) are equivalent.25

The Check Point Software Blades GA CD-ROMs, as well as allaccompanying product documentation, are labeled externally with theproduct name and release number (for the base release).HFA DownloadsAs part of Check Point's Common Criteria-evaluated flaw remediationprocedures, Check Point publishes updated Hot Fix Accumulators (HFAs)and provides them to customers with a Software Subscription license.The customer should check for updated Check Point Software BladesHFAs on ex.html. Ifyou are installing the evaluated HFA, download it from the download linkprovided in SecureKnowledge solution sk66143. This will ensure that youare using the precise HFA package used for the evaluation.WARNING - HFA downloads other than the identified evaluatedversions are outside the evaluated configuration:The Common Criteria evaluation was performed on the identified HFAs.Other HFAs might include changes to the product that violate evaluatedsecurity requirements.However, it should be noted that the Check Point process forimplementing and distributing HFAs was included in the evaluation.Given the above mentioned caveat, Check Point does recommend thatcustomers download and install the latest HFA available. This may onlybe performed during installation; therefore, when a new HFA is published,you must reinstall to apply the HFA.Download the HFA package for the SecurePlatform operating system (youwill be asked to log in to your Check Point User Center account and agreeto the Software Subscription Download Agreement. See Appendix A User Center Registration and Access for instructions on accessing theCheck Point User Center).26

Check Point Security Appliance Software DistributionThe Check Point security appliances are delivered with the appropriateCheck Point Software Blades software pre-installed on the appliance.However, in order to insure that the installed software version is identicalto the evaluated version, it is recommended to download an appliancespecific image of the R7x software from the Check Point Web site.Software Delivery VerificationWhen accepting receipt of the software package, the customer shouldverify that the software case does not show any signs of tampering.The customer should calculate hashes of CD-ROMs, software images andHFA downloads to verify that they are identical to the correspondingmaster copy signatures presented below. The ISO file size can be used as asanity check. Hashes for HFA downloads will be posted on the CheckPoint Web site when the new HFA is available. You may also call CheckPoint to verify the HFA signature.Tip - SecureKnowledge Solution sk77840 includes a utility (cd2iso) thatcan be used to calculate MD5, SHA-1, and SHA-256 hashes for codeintegrity verification for both downloaded files and for CD-ROMs.27

Evaluated Software Hash ValuesThe hashes for the evaluated software images are as follows:R70 Gateway Software and R70.1 HFAApplies to: Open Servers, Check Point 2012 Appliances.File NameMD5SHA-1SHA-256Check PointR70 heck PointR70 HFA 0.1 Gateway Appliance Image for UTM-1Applies to: Check Point UTM-1 security appliances.File NameMD5SHA-1SHA-256Check PointR70 1 70.1 Gateway Appliance Image for Power-1 xx70 and 11000 SeriesApplies to: Check Point Power-1 xx70 and 11000 Series Appliances.File NameMD5SHA-1SHA-256Check PointR70 1 1Check pointR70 1 4C28

R7x Gateway hotfixApplies to: All Gateway appliances.File NameMD5SHA-1SHA-256Check PointR70 2BA0R71.10 Security Management SoftwareApplies to: Open Servers.File NameMD5SHA-1SHA-256Check PointR71 10 71.10 Security Management Software Image for Smart-1Applies to: Check Point Smart-1 security appliances.File NameMD5SHA-1SHA-256Check PointR71 10 CCCF545593F4F6

Chapter 8, First Time Login, describes the first administrator login into SmartConsole after the installation. Appendix A, Check Point User Center, describes the use of the Check Point award-winning support site. Appendix B, Appliance Installation, explains how to re-image and configure Check Point security appliances.