F5 Networks FirePass 4100 Version 5.5.2 Security Target EAL 2 ALC FLR .


F5 Networks – FirePass Security Target

F5 Networks
FirePass 4100 Version 5.5.2
Security Target
EAL 2 ALC_FLR.1, ADV_SPM.1

Release Date:  December 19, 2007
Document ID:   06-1023-R-0018
Version:       1.3
Prepared By:   InfoGard Laboratories, Inc.
Prepared For:  F5 Networks, 401 Elliott Avenue West, Seattle, WA 98119

© 2006, 2007 F5 Networks

Table of Contents

1 INTRODUCTION ... 6
1.1 IDENTIFICATION ... 6
1.2 CC CONFORMANCE CLAIM ... 6
1.3 OVERVIEW ... 6
1.4 ORGANIZATION ... 7
1.5 DOCUMENT CONVENTIONS ... 7
1.6 DOCUMENT TERMINOLOGY ... 8
1.6.1 ST Specific Terminology ... 8
1.6.2 Acronyms ... 10
2 TOE DESCRIPTION ... 12
2.1 OVERVIEW ... 12
2.2 ARCHITECTURE DESCRIPTION ... 13
2.2.1 SSL Module ... 14
2.2.2 Policy Engine ... 15
2.2.3 Web Applications Mode Module ... 15
2.2.4 Authentication Module ... 15
2.2.5 Application Access Mode Module ... 15
2.2.6 Network Access Mode Module ... 16
2.2.7 Networking Module/Operating System ... 16
2.2.8 Administrator Console ... 16
2.2.9 Network Access Plug-In ... 16
2.2.10 Endpoint Security Plug-In ... 16
2.2.11 Statement of Non-Bypassibility of the TSF ... 17
2.3 PHYSICAL BOUNDARIES ... 17
2.3.1 Hardware Components ... 17
2.3.2 Software Components ... 17
2.4 LOGICAL BOUNDARIES ... 18
2.4.1 Security Audit ... 18
2.4.2 Identification and Authentication ... 19
2.4.3 Endpoint Security ... 20
2.4.4 Network Access Mode ... 22
2.4.5 Web Applications Mode Access ... 22
2.4.6 Policy Based Resource Management ... 23
2.4.7 Security Management ... 23
2.4.8 Secure Communications ... 24
2.4.9 Protection of TOE Functions ... 24
2.5 ITEMS EXCLUDED FROM THE TOE ... 25
3 TOE SECURITY ENVIRONMENT ... 26
3.1 ASSUMPTIONS ... 26
3.1.1 Personnel Assumptions ... 26
3.1.2 Physical Environment Assumptions ... 26
3.1.3 Operational Assumptions ... 26
3.2 THREATS ... 26
3.3 ORGANIZATIONAL SECURITY POLICIES ... 27
4 SECURITY OBJECTIVES ... 28
4.1 SECURITY OBJECTIVES FOR THE TOE ... 28
4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT ... 29

4.3 MAPPING OF SECURITY ENVIRONMENT TO SECURITY OBJECTIVES ... 29
4.4 RATIONALE FOR THREAT COVERAGE ... 30
4.5 RATIONALE FOR ORGANIZATIONAL POLICY COVERAGE ... 32
4.6 RATIONALE FOR ASSUMPTION COVERAGE ... 32
5 IT SECURITY REQUIREMENTS ... 34
5.1 TOE SECURITY FUNCTIONAL REQUIREMENTS ... 35
5.1.1 Class FAU: Security audit ... 35
5.1.2 Class FCS: Cryptographic key management ... 36
5.1.3 Class FDP: User data protection ... 37
5.1.4 Class FIA: Identification and authentication ... 41
5.1.5 Class FMT: Security management ... 42
5.1.6 Class FPT: Protection of the TSF ... 44
5.1.7 Class FRU: Resource Utilisation ... 45
5.1.8 Class FTA: TOE Access ... 46
5.2 EXPLICITLY STATED TOE SECURITY FUNCTIONAL REQUIREMENTS ... 46
5.2.1 Class FAU: Security Audit (Explicitly Stated) ... 46
5.2.2 Class FDP: User Data Protection (Explicitly Stated) ... 48
5.2.3 Class FIA: Identification and authentication (Explicitly Stated) ... 48
5.2.4 Class FPT: Protection of the TSF (Explicitly Stated) ... 48
5.3 IT ENVIRONMENT SECURITY FUNCTIONAL REQUIREMENTS ... 49
5.3.1 Class FPT: Protection of the TSF ... 49
5.4 EXPLICITLY STATED IT ENVIRONMENT SECURITY FUNCTIONAL REQUIREMENTS ... 50
5.4.1 Class FIA: Identification and authentication ... 50
5.5 TOE STRENGTH OF FUNCTION CLAIM ... 50
5.6 TOE SECURITY ASSURANCE REQUIREMENTS ... 50
5.6.1 ACM_CAP.2 Configuration items ... 51
5.6.2 ADO_DEL.1 Delivery procedures ... 52
5.6.3 ADO_IGS.1 Installation, generation, and start-up procedures ... 52
5.6.4 ADV_FSP.1 Informal functional specification ... 52
5.6.5 ADV_HLD.1 Descriptive high-level design ... 53
5.6.6 ADV_RCR.1 Informal correspondence demonstration ... 54
5.6.7 ADV_SPM.1 Informal TOE security policy model ... 54
5.6.8 AGD_ADM.1 Administrator guidance ... 55
5.6.9 AGD_USR.1 User guidance ... 55
5.6.10 ATE_COV.1 Evidence of coverage ... 56
5.6.11 ATE_FUN.1 Functional testing ... 56
5.6.12 ATE_IND.2 Independent testing – sample ... 57
5.6.13 AVA_SOF.1 Strength of TOE security function evaluation ... 57
5.6.14 AVA_VLA.1 Developer vulnerability analysis ... 58
5.6.15 ALC_FLR.1 Basic flaw remediation ... 58
5.7 RATIONALE FOR TOE SECURITY REQUIREMENTS ... 60
5.7.1 TOE Security Functional Requirements ... 60
5.8 RATIONALE FOR IT ENVIRONMENT SECURITY REQUIREMENTS ... 65
5.9 RATIONALE FOR EXPLICITLY STATED SECURITY REQUIREMENTS ... 65
5.9.1 TOE Security Assurance Requirements ... 66
5.10 RATIONALE FOR IT SECURITY REQUIREMENT DEPENDENCIES ... 67
5.11 RATIONALE FOR INTERNAL CONSISTENCY AND MUTUALLY SUPPORTIVE ... 69
5.12 RATIONALE FOR STRENGTH OF FUNCTION CLAIM ... 69
6 TOE SUMMARY SPECIFICATION ... 70
6.1 TOE SECURITY FUNCTIONS ... 70
6.1.1 Security Audit ... 70
6.1.2 Identification and Authentication ... 73
6.1.3 Endpoint Security ... 75

6.1.4 Network Access Mode ... 77
6.1.5 Web Applications Mode Access ... 81
6.1.6 Policy Based Resource Management ... 82
6.1.7 Security Management ... 84
6.1.8 Secure Communications ... 86
6.1.9 Protection of TOE Functions ... 87
6.2 SECURITY ASSURANCE MEASURES ... 94
6.3 RATIONALE FOR TOE SECURITY FUNCTIONS ... 96
6.4 APPROPRIATE STRENGTH OF FUNCTION CLAIM ... 98
6.5 RATIONALE FOR SECURITY ASSURANCE MEASURES ... 98
7 PROTECTION PROFILE CLAIMS ... 101
8 RATIONALE ... 102
8.1 SECURITY OBJECTIVES RATIONALE ... 102
8.2 SECURITY REQUIREMENTS RATIONALE ... 102
8.3 TOE SUMMARY SPECIFICATION RATIONALE ... 102
8.4 PROTECTION PROFILE CLAIMS RATIONALE ... 102

List of Tables

Table 1: ST Organization and Description ... 7
Table 2: Physical Scope and Boundary: Hardware ... 17
Table 3: Physical Scope and Boundary: Software ... 18
Table 4: Threats & IT Security Objectives Mappings ... 30
Table 5: Functional Requirements ... 35
Table 6: Audit Events ... 47
Table 7: Assurance Requirements: EAL2 Augmented ALC_FLR.1, ADV_SPM.1 ... 51
Table 8: SFR and Security Objectives Mapping ... 62
Table 9: SFR and Security Objectives Mapping ... 65
Table 10: Explicitly Stated SFR Rationale ... 66
Table 11: SFR Dependencies ... 68
Table 12: TOE State Change during Failover process ... 91
Table 13: Assurance Requirements: EAL2 Augmented ALC_FLR.1, ADV_SPM.1 ... 95
Table 14: TOE Security Function to SFR Mapping ... 98
Table 15: Rationale for Security Assurance Measures ... 100

List of Figures

Figure 1: FirePass TOE Architecture/Boundaries ... 13
Figure 2: TOE Internal Architecture ... 14

Document History

Release Number  Date      Author        Details
1.3             12/19/07  M. McAlister  Final Release Version

1 Introduction

This section identifies the Security Target (ST), Target of Evaluation (TOE), conformance claims, ST organization, document conventions, and terminology. It also includes an overview of the evaluated product.

1.1 Identification

TOE Identification:   FirePass 4100 Version 5.5.2 Hotfix HF-552-10
ST Identification:    F5 Networks FirePass 4100 Version 5.5.2 Security Target EAL 2 ALC_FLR.1, ADV_SPM.1
ST Publication Date:  December 19, 2007
ST Version Number:    Version 1.3
Authors:              M. McAlister (InfoGard)

1.2 CC Conformance Claim

The TOE is Common Criteria (CC) Version 2.2 [1] Part 2 extended.

The TOE is Common Criteria (CC) Version 2.2 Part 3 conformant at EAL2 Augmented with ALC_FLR.1, ADV_SPM.1.

The TOE is also compliant with all International interpretations with effective dates on or before September 1, 2006.

This TOE is not conformant to any Protection Profiles (PPs).

[1] Common Criteria (CC) for Information Technology Security Evaluation – January 2004, Version 2.2.

1.3 Overview

The TOE is a hardware and software based Virtual Private Networking (VPN) appliance that enables remote Users to access protected networks securely using the Microsoft Internet Explorer web browser. The F5 FirePass SSL VPN appliance establishes these secure connections using Secure Socket Layer (SSL) techniques and can proxy connections to file servers, email servers, web application servers and desktop PC applications. Since the FirePass manages the authentication of clients and coordinates the appropriate access, intranet resources are protected from direct access from the Internet.

FirePass has three operational modes based on the client/network relationship.

- Web Applications Mode denotes secure public application layer access to intranet web servers & web applications that allows access from various public client sources such as various desktop operating systems, airport kiosks, PDAs, or cellular phones.
- Application Access Mode securely connects to specific application servers such as Oracle or Microsoft Exchange. This mode is not included in the Evaluated Configuration.
- Network Access Mode allows for secure network layer access using FirePass client plug-ins that establish a layer 3 connection using Point to Point Protocol (PPP) over SSL techniques.

The FirePass appliances are also scalable, allowing clustering of multiple units to increase capacity. Maximum availability and reliability is assured through a redundant pair configuration with two FirePass units in parallel operating in Active-Standby mode. The Common Criteria Evaluated configuration includes the FirePass 4100 appliance in a redundant pair configuration.

1.4 Organization

Section  Title                      Description
1        Introduction               Provides an overview of the Security Target.
2        TOE Description            Defines the hardware and software that make up the TOE, and the physical and logical boundaries of the TOE.
3        TOE Security Environment   Contains the threats, assumptions and organizational security policies that affect the TOE.
4        Security Objectives        Contains the security objectives the TOE is attempting to meet and the corresponding rationale.
5        IT Security Requirements   Contains the functional and assurance requirements for this TOE and the corresponding rationale.
6        TOE Summary Specification  A description of the security functions and assurances that this TOE provides and the corresponding rationale.
7        PP Claims                  Protection Profile Conformance Claims.
8        Rationale                  Contains pointers to the rationales contained throughout the document.

Table 1: ST Organization and Description

1.5 Document Conventions

The CC defines four operations on security functional and assurance requirements. The conventions below define the conventions used in this ST to identify these operations. When NIAP interpretations are included in requirements, the changes from the interpretations are displayed as refinements.

Assignment:  indicated with bold text
Selection:   indicated with underlined text
Refinement:  additions indicated with bold text and italics; deletions indicated with strike-through bold text and italics
Iteration:   indicated with typical CC requirement naming followed by a lower case letter for each iteration (e.g., FMT_MSA.1a)

The explicitly stated requirements claimed in this ST are denoted by the "_EXP" extension in the unique short name for the explicit security requirement.

1.6 Document Terminology

Please refer to CC Part 1 Section 2.3 for definitions of commonly used CC terms.

1.6.1 ST Specific Terminology

Admin (full access): This refers to the top Administrative role with full privileges, access and control over all FirePass functions.

Administrator Console: This refers to the Administrator GUI which allows Administrative Users to manage the appliance through an Administrator Workstation in the IT Environment via the Administrator Management port on the FirePass appliance.

Client: Within the context of this security target, the Client refers to the External VPN User role, located outside of the internal network, who establishes VPN sessions through the TOE to allocated internal network resources. Synonymous with External VPN User.

Controller: Within this document, the term Controller is used in the context of FirePass Controller and is synonymous with the appliance term. The FirePass Controller, FirePass Appliance and FirePass TOE all represent the TOE product.

Web Applications Mode: Web Applications Mode access is supported through a layer 7 connection for public secure access to Internal Web Portals and Intranet applications. Dynamic parsing and patching of HTML, JavaScript, and other content is performed as part of this function.

Application Access Mode: Application Access mode allows for specific application access such as Oracle or Exchange Servers. This mode is not part of the CC evaluation configuration.

Network Access Mode: Network Access Mode is supported through a layer 3 connection through PPP over SSL techniques. This allows for a secure tunnel to be established to network resources. This mode requires FirePass Client Plug-Ins.

Internal Appliance Users: For the purposes of this ST, Users who are managed on the FirePass product (stored in the internal database) and authenticated internal to the appliance.

External VPN Users: For the purposes of this security target, Users of the FirePass VPN functionality. These accounts are managed on the FirePass product (stored in the appliance internal database) and authenticated external to the appliance through an external authentication server.

Failover: This describes the process of switching FirePass functions from one unit to another redundant unit when configured in the high availability redundant pair configuration (CC evaluated configuration).

Host Client Network: This describes the Private Network Resources that are accessed by outside (External) Users through the FirePass TOE.

Master Groups: A master group is a collection of users. It contains authentication settings, overall security configuration settings for groups of users, network access filtering policies, and user experience settings.

Pre-login Sequence: A named set of inspectors, rules, and actions, which evaluates each endpoint system presented for log on to the FirePass controlled network.

Post-login Protection: Configurable protection features that run after the user logs on to the FirePass appliance. It can be configured to download an ActiveX control to support various kinds of post-logon protection.

Protected Configurations: A set of safety checks to protect resources (Endpoint Security). These focus on a specific aspect of protection, such as unauthorized access, information leaks, virus attacks, and keystroke loggers. For each criterion, FirePass provides specific safety measures.

Realm: An administrative realm is a complete set of roles, master groups, and resource groups.

Resource Group: A resource group is a collection of resources, which includes your company intranet servers, applications, and network shares.

Reverse Proxy: Reverse proxy within the context of this ST refers to the mapping of internal network addresses to external URLs within the FirePass appliance during Web Application mode sessions, thereby preventing disclosure of network address information to users outside the network.

RSA SecureID: A (token based) mechanism developed by RSA Security for authenticating a user to a network resource.

VASCO Digipass: Digipass is a security product from VASCO, providing strong user authentication and e-Signatures via small hardware keys carried by users, or in software on mobile telephones, portable devices or PCs.

1.6.2 Acronyms

AD    Active Directory (Authentication Server)
CA    Certificate Authority
CC    Common Criteria
CLI   Command Line Interface
DLL   Dynamic Link Library
FTP   File Transfer Protocol
NAT   Network Address Translation
RNG   Random Number Generator
SFP   Security Function Policy
SSL   Secure Socket Layer (denotes SSLv2 or SSLv3 only)
TCP   Transport Control Protocol
TOE   Target of Evaluation
TSF   TOE Security Functions
TSFI  TOE Security Function Interface
TSP   TOE Security Policy
OS    Operating System
VPN   Virtual Private Network

2 TOE Description

2.1 Overview

The TOE is a VPN Appliance that enables secure network access to remote Users. The FirePass Appliance provides network access based on various access modes. Network Access Mode allows secure network layer access from trusted resources through a VPN tunnel established using PPP over SSL techniques. Network Access mode sessions are established through a browser in conjunction with plug-in modules which are downloaded during the initial session. Point to Point Protocol (PPP) is used as the data link layer protocol that establishes communications between two network nodes. This session through FirePass is secured through a Secure Socket Layer (SSL) session, which encrypts these communications to avoid disclosure or modification of data. Utilizing the plug-in module functionality, a series of endpoint security checks are executed on the External VPN client workstation prior to and during Network Access mode sessions, to assure required security settings are in place.

Web Applications Mode allows for secured public access to internal web portals and intranet applications, especially suited for access from public (untrusted) resources. This mode features clientless application layer session access which allows SSL secured access to allocated resources. This mode includes special functions to ascertain security status and modify access based on established security profiles.

These operational modes refer to the method by which connections are made t
