Certification Report BSI-DSZ-CC-xxxx-200x

Transcription

BSI-DSZ-CC-0966-2015 for genuscreen 5.0 from genua gmbh

BSI - Bundesamt für Sicherheit in der Informationstechnik, Postfach 20 03 63, D-53133 Bonn
Phone +49 (0)228 99 9582-0, Fax +49 (0)228 9582-5477, Infoline +49 (0)228 99 9582-111
Certification Report V1.0, CC-Zert-327 V5.13

BSI-DSZ-CC-0966-2015 (*)

Firewall
genuscreen 5.0
from genua gmbh

PP Conformance: None
Functionality: Product specific Security Target, Common Criteria Part 2 extended
Assurance: Common Criteria Part 3 extended, EAL 4 augmented by ALC_FLR.2, ASE_TSS.2 and AVA_VAN.4

The IT Product identified in this certificate has been evaluated at an approved evaluation facility using the Common Methodology for IT Security Evaluation (CEM), Version 3.1 extended by advice of the Certification Body for components beyond EAL 5 for conformance to the Common Criteria for IT Security Evaluation (CC), Version 3.1. CC and CEM are also published as ISO/IEC 15408 and ISO/IEC 18045.

(*) This certificate applies only to the specific version and release of the product in its evaluated configuration and in conjunction with the complete Certification Report and Notification. For details on the validity see Certification Report part A chapter 4.

The evaluation has been conducted in accordance with the provisions of the certification scheme of the German Federal Office for Information Security (BSI) and the conclusions of the evaluation facility in the evaluation technical report are consistent with the evidence adduced.

This certificate is not an endorsement of the IT Product by the Federal Office for Information Security or any other organisation that recognises or gives effect to this certificate, and no warranty of the IT Product by the Federal Office for Information Security or any other organisation that recognises or gives effect to this certificate, is either expressed or implied.

SOGIS Recognition Agreement for components up to EAL 4
Common Criteria Recognition Arrangement for components up to EAL 2

Bonn, 3 December 2015
For the Federal Office for Information Security
Bernd Kowalski, Head of Department
L.S.

Bundesamt für Sicherheit in der Informationstechnik, Godesberger Allee 185-189, D-53175 Bonn, Postfach 20 03 63, D-53133 Bonn
Phone +49 (0)228 99 9582-0, Fax +49 (0)228 9582-5477, Infoline +49 (0)228 99 9582-111


Preliminary Remarks

Under the BSIG¹ Act, the Federal Office for Information Security (BSI) has the task of issuing certificates for information technology products.

Certification of a product is carried out on the instigation of the vendor or a distributor, hereinafter called the sponsor.

A part of the procedure is the technical examination (evaluation) of the product according to the security criteria published by the BSI or generally recognised security criteria.

The evaluation is normally carried out by an evaluation facility recognised by the BSI or by BSI itself.

The result of the certification procedure is the present Certification Report. This report contains among others the certificate (summarised assessment) and the detailed Certification Results.

The Certification Results contain the technical description of the security functionality of the certified product, the details of the evaluation (strengths and weaknesses) and instructions for the user.

¹ Act on the Federal Office for Information Security (BSI-Gesetz - BSIG) of 14 August 2009, Bundesgesetzblatt I p. 2821

Contents

A. Certification
  1. Specifications of the Certification Procedure
  2. Recognition Agreements
  3. Performance of Evaluation and Certification
  4. Validity of the Certification Result
  5. Publication
B. Certification Results
  1. Executive Summary
  2. Identification of the TOE
  3. Security Policy
  4. Assumptions and Clarification of Scope
  5. Architectural Information
  6. Documentation
  7. IT Product Testing
  8. Evaluated Configuration
  9. Results of the Evaluation
  10. Obligations and Notes for the Usage of the TOE
  11. Security Target
  12. Definitions
  13. Bibliography
C. Excerpts from the Criteria
  CC Part 1
  CC Part 3
D. Annexes

A. Certification

1. Specifications of the Certification Procedure

The certification body conducts the procedure according to the criteria laid down in the following:
- Act on the Federal Office for Information Security²
- BSI Certification and Approval Ordinance³
- BSI Schedule of Costs⁴
- Special decrees issued by the Bundesministerium des Innern (Federal Ministry of the Interior)
- DIN EN ISO/IEC 17065 standard
- BSI certification: Scheme documentation describing the certification process (CC-Produkte) [3]
- BSI certification: Scheme documentation on requirements for the Evaluation Facility, its approval and licencing process (CC-Stellen) [3]
- Common Criteria for IT Security Evaluation (CC), Version 3.1⁵ [1], also published as ISO/IEC 15408
- Common Methodology for IT Security Evaluation (CEM), Version 3.1 [2], also published as ISO/IEC 18045
- BSI certification: Application Notes and Interpretation of the Scheme (AIS) [4]

² Act on the Federal Office for Information Security (BSI-Gesetz - BSIG) of 14 August 2009, Bundesgesetzblatt I p. 2821
³ Ordinance on the Procedure for Issuance of Security Certificates and approval by the Federal Office for Information Security (BSI-Zertifizierungs- und -Anerkennungsverordnung - BSIZertV) of 17 December 2014, Bundesgesetzblatt 2014, part I, no. 61, p. 2231
⁴ Schedule of Cost for Official Procedures of the Bundesamt für Sicherheit in der Informationstechnik (BSI-Kostenverordnung, BSI-KostV) of 03 March 2005, Bundesgesetzblatt I p. 519
⁵ Proclamation of the Bundesministerium des Innern of 12 February 2007 in the Bundesanzeiger dated 23 February 2007, p. 3730

2. Recognition Agreements

In order to avoid multiple certification of the same product in different countries, a mutual recognition of IT security certificates - as far as such certificates are based on ITSEC or CC - under certain conditions was agreed.

2.1. European Recognition of ITSEC/CC Certificates (SOGIS-MRA)

The SOGIS Mutual Recognition Agreement (SOGIS-MRA) Version 3 became effective in April 2010. It defines the recognition of certificates for IT products at a basic recognition level and, in addition, at higher recognition levels for IT products related to certain SOGIS Technical Domains only.

The basic recognition level includes Common Criteria (CC) Evaluation Assurance Levels EAL 1 to EAL 4 and ITSEC Evaluation Assurance Levels E1 to E3 (basic). For "Smartcards and similar devices" a SOGIS Technical Domain is in place. For "HW Devices with Security Boxes" a SOGIS Technical Domain is in place, too. In addition, certificates issued for Protection Profiles based on Common Criteria are part of the recognition agreement.

The new agreement has been signed by the national bodies of Austria, Finland, France, Germany, Italy, The Netherlands, Norway, Spain, Sweden and the United Kingdom. The current list of signatory nations and approved certification schemes, details on recognition, and the history of the agreement can be seen on the website at https://www.sogisportal.eu.

The SOGIS-MRA logo printed on the certificate indicates that it is recognised under the terms of this agreement by the nations listed above.

This certificate is recognised according to the rules of SOGIS-MRA, i.e. up to and including CC part 3 EAL 4 components. The evaluation contained the components ALC_FLR.2, ASE_TSS.2 and AVA_VAN.4 that are not mutually recognised in accordance with the provisions of the SOGIS-MRA. For mutual recognition the EAL 4 components of these assurance families are relevant.

2.2. International Recognition of CC Certificates (CCRA)

The international arrangement on the mutual recognition of certificates based on the CC (Common Criteria Recognition Arrangement, CCRA-2014) has been ratified on 08 September 2014. It covers CC certificates based on collaborative Protection Profiles (cPP) (exact use), CC certificates based on assurance components up to and including EAL 2 or the assurance family Flaw Remediation (ALC_FLR) and CC certificates for Protection Profiles and for collaborative Protection Profiles (cPP).

The CCRA-2014 replaces the old CCRA signed in May 2000 (CCRA-2000). Certificates based on CCRA-2000, issued before 08 September 2014, are still under recognition according to the rules of CCRA-2000. For certification procedures ongoing on 08 September 2014 and for Assurance Continuity (maintenance and re-certification) of old certificates, a transition period on the recognition of certificates according to the rules of CCRA-2000 (i.e. assurance components up to and including EAL 4 or the assurance family Flaw Remediation (ALC_FLR)) is defined until 08 September 2017.

As of September 2014 the signatories of the new CCRA-2014 are government representatives from the following nations: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, Malaysia, The Netherlands, New Zealand, Norway, Pakistan, Republic of Korea, Singapore, Spain, Sweden, Turkey, United Kingdom, and the United States.

The current list of signatory nations and approved certification schemes can be seen on the website: http://www.commoncriteriaportal.org.

The Common Criteria Recognition Arrangement logo printed on the certificate indicates that this certification is recognised under the terms of this agreement by the nations listed above.

As this certificate is a re-certification of a certificate issued according to CCRA-2000, this certificate is recognised according to the rules of CCRA-2000, i.e. up to and including CC part 3 EAL 4 components. The evaluation contained components above EAL 4 that are not mutually recognised in accordance with the provisions of the CCRA-2000; for mutual recognition the EAL 4 components of these assurance families are relevant.

3. Performance of Evaluation and Certification

The certification body monitors each individual evaluation to ensure a uniform procedure, a uniform interpretation of the criteria and uniform ratings.

The product genuscreen 5.0 has undergone the certification procedure at BSI. This is a re-certification based on BSI-DSZ-CC-0823-2014. Specific results from the evaluation process BSI-DSZ-CC-0823-2014 were re-used.

The evaluation of the product genuscreen 5.0 was conducted by secuvera GmbH. The evaluation was completed on 4 November 2015. secuvera GmbH is an evaluation facility (ITSEF)⁶ recognised by the certification body of BSI.

⁶ Information Technology Security Evaluation Facility

For this certification procedure the sponsor and applicant is: genua gmbh.

The product was developed by: genua gmbh.

The certification is concluded with the comparability check and the production of this Certification Report. This work was completed by the BSI.

4. Validity of the Certification Result

This Certification Report only applies to the version of the product as indicated. The confirmed assurance package is only valid on the condition that
- all stipulations regarding generation, configuration and operation, as given in the following report, are observed,
- the product is operated in the environment described, as specified in the following report and in the Security Target.

For the meaning of the assurance levels please refer to the excerpts from the criteria at the end of the Certification Report or in the CC itself.

The Certificate issued confirms the assurance of the product claimed in the Security Target at the date of certification. As attack methods evolve over time, the resistance of the certified version of the product against new attack methods needs to be re-assessed. Therefore, the sponsor should apply for the certified product being monitored within the assurance continuity program of the BSI Certification Scheme (e.g. by a re-certification). Specifically, if results of the certification are used in subsequent evaluation and certification procedures, in a system integration process or if a user's risk management needs regularly updated results, it is recommended to perform a re-assessment on a regular, e.g. annual, basis.

In order to avoid an indefinite usage of the certificate when evolved attack methods require a re-assessment of the product's resistance to state of the art attack methods, the maximum validity of the certificate has been limited. The certificate issued on 3 December 2015 is valid until 2 December 2020. Its validity can be renewed by re-certification.

The owner of the certificate is obliged:
1. when advertising the certificate or the fact of the product's certification, to refer to the Certification Report as well as to provide the Certification Report, the Security Target and user guidance documentation mentioned herein to any customer of the product for the application and usage of the certified product,

2. to inform the Certification Body at BSI immediately about vulnerabilities of the product that have been identified by the developer or any third party after issuance of the certificate,
3. to inform the Certification Body at BSI immediately in the case that security relevant changes in the evaluated life cycle, e.g. related to development and production sites or processes, occur, or the confidentiality of documentation and information related to the Target of Evaluation (TOE) or resulting from the evaluation and certification procedure where the certification of the product has assumed this confidentiality being maintained, is not given any longer. In particular, prior to the dissemination of confidential documentation and information related to the TOE or resulting from the evaluation and certification procedure that do not belong to the deliverables according to the Certification Report part B, or for those where no dissemination rules have been agreed on, to third parties, the Certification Body at BSI has to be informed.

In case of changes to the certified version of the product, the validity can be extended to the new versions and releases, provided the sponsor applies for assurance continuity (i.e. re-certification or maintenance) of the modified product, in accordance with the procedural requirements, and the evaluation does not reveal any security deficiencies.

5. Publication

The product genuscreen 5.0 has been included in the BSI list of certified products, which is published regularly (see also Internet: https://www.bsi.bund.de and [5]). Further information can be obtained from BSI-Infoline +49 228 9582-111.

Further copies of this Certification Report can be requested from the developer⁷ of the product. The Certification Report may also be obtained in electronic form at the internet address stated above.

⁷ genua gmbh, Domagkstrasse 7, 85551 Kirchheim

B. Certification Results

The following results represent a summary of the Security Target of the sponsor for the Target of Evaluation, the relevant evaluation results from the evaluation facility, and complementary notes and stipulations of the certification body.

1. Executive Summary

The TOE genuscreen 5.0 is a distributed stateful packet filter firewall system with VPN capabilities and central configuration. It provides basic IPv6 support and protects networks at the border to the Internet by filtering incoming and outgoing data traffic. It protects data flow between several protected networks against unauthorised inspection and modification. It consists of software on a number of machines (genuscreen appliances) that work as network filters, hereafter called firewall components, and the management system (genucenter management system), a central component to manage this network of firewall components.

The firewall components are initialised on a secure network from the management system. After initialisation, the firewall components can be distributed to the locations of the networks they are protecting.

The genuscreen firewall components filter incoming and outgoing traffic for multiple networks and can thus enforce a given security policy on the data flow. The filter is implemented in the kernel of the firewall components' operating system, OpenBSD. The firewall components can work as bridges or routers.

The firewall components can provide confidentiality and integrity for data traffic passing between the networks. This Virtual Private Network function is achieved by IPsec encryption and authentication mechanisms. Alternatively, an encrypted tunnel not using the transport layer but the application layer can be built up with SSH connections.

Interfaces of the firewall components can be classified at level high or low. Traffic on interfaces with a low classification is not transferred as cleartext.

The management system component provides administrators with a Graphical User Interface (GUI) to initialise and manage the firewall components from a central server. The management system also allows collecting audit data and monitoring.

The TOE contains cryptographic functionality. The cryptographic algorithms are part of the TOE. This includes the random number generator, which is of class DRG.3 (see AIS 20 [4]).

The physical scope of the TOE consists only of software and documentation. The TOE does not include any hardware or firmware. The genucenter must be operated on real hardware. Running the genucenter in a virtual machine is out of scope for this TOE.

The Security Target [6] is the basis for this certification. It is not based on a certified Protection Profile.

The TOE Security Assurance Requirements (SAR) are based entirely on the assurance components defined in Part 3 of the Common Criteria (see part C or [1], Part 3 for details). The TOE meets the assurance requirements of the Evaluation Assurance Level EAL 4 augmented by ALC_FLR.2, ASE_TSS.2 and AVA_VAN.4.

The TOE Security Functional Requirements (SFR) relevant for the TOE are outlined in the Security Target [6], chapter 6. They are selected from Common Criteria Part 2 and some of them are newly defined. Thus the TOE is CC Part 2 extended.

The TOE Security Functional Requirements are implemented by the following TOE Security Functionality:

TOE Security Functionality | Addressed issue
SF_PF | Packet Filter
SF_RS | Classification
SF_IPSEC | IPsec Filtering
SF_SSHLD | SSH Launch Daemon
SF_IA | Identification and Authentication
SF_AU | Audit
SF_SSH | SSH Channel
SF_ADM | Administration
SF_GEN | General Management Facilities
Table 1: TOE Security Functionalities

For more details please refer to the Security Target [6], chapter 7.

The assets to be protected by the TOE are defined in the Security Target [6], chapter 3. Based on these assets the TOE Security Problem is defined in terms of Assumptions, Threats and Organisational Security Policies. This is outlined in the Security Target [6], chapter 3.

This certification covers the configurations of the TOE as outlined in chapter 8.

The vulnerability assessment results as stated within this certificate do not include a rating for those cryptographic algorithms and their implementation suitable for encryption and decryption (see BSIG Section 9, Para. 4, Clause 2).

The certification results only apply to the version of the product indicated in the certificate and on the condition that all the stipulations are kept as detailed in this Certification Report. This certificate is not an endorsement of the IT product by the Federal Office for Information Security (BSI) or any other organisation that recognises or gives effect to this certificate, and no warranty of the IT product by BSI or any other organisation that recognises or gives effect to this certificate, is either expressed or implied.

2. Identification of the TOE

The Target of Evaluation (TOE) is called: genuscreen 5.0

The following table outlines the TOE deliverables:

Table 2: Deliverables of the TOE
No | Type | Identifier | Release | Form of Delivery
1 | HW | Management Server (Model: gz200, gz400, gz600 and gz800); two or more Firewall Components (Model: gs100b, gs100c, gs300, gs400, gs500, gs600, gs700 and gs800) | N/A | Hardware (not part of the TOE)
2 | SW | Firewall Component Installation CD genuscreen Version 5.0 Z | 5.0 Z, Patchlevel 4 | CD-ROM

Table 2 (continued): Deliverables of the TOE
No | Type | Identifier | Release | Form of Delivery
3 | SW | Management Server Installation CD genucenter Version 5.0 Z | 5.0 Z, Patchlevel 4 | CD-ROM
4 | Doc. | genucenter Installations- und Konfigurationshandbuch (installation and configuration manual), Version 5.0, edition of 26 May 2015, Revision genucenter Version 5.0 004 (76532b81d2df286a67319a327d44f90fff5dd9bd) [8] | 5.0 Z | Manual and CD-ROM
5 | Doc. | genuscreen Installations- und Konfigurationshandbuch (installation and configuration manual), Version: 5.0 Z; as of 13 May 2015, Revision: 50.D047 [9] | 5.0 Z | Manual and CD-ROM
6 | Doc. | Lizenzschreiben (licence letter) | N/A | Letter

All listed parts on the CD-ROM are delivered on the corresponding CD-ROM (genucenter and genuscreen).

The user is able to verify the authenticity of the delivered TOE. The procedure is described in detail in the guidance documentation [8] and [9]. The valid checksums are published on the genua website. The valid checksums of the TOE are:

For genucenter: 0ed33a95877
GENUCENTER 500 004: 1d28747089a51aa699e157089a1
For genuscreen: 8fd9f8fcc31790e41db49dd6286
GENUSCREEN 500 HANDBUCH: f24a21ddd5085d1351e3f

Note: The TOE (software, documentation) is delivered with the OpenBSD platform and the necessary hardware.

The hardware of the product (not part of the TOE) is composed at Pyramid Computers and shipped by DHL to the customer site on behalf of genua. The delivery includes the genuscreen software (CD-ROM).

The licence information is sent to the customer by genua.

All systems without an integrated CD drive, i.e. the genuscreen 100 series, are fully composed at genua including software installation. These systems are shipped to the customer by UPS.

3. Security Policy

The Security Policy is expressed by the set of Security Functional Requirements and implemented by the TOE. The following security policies are defined for the TOE.

Five policies are explicitly defined:
- FW-SFP: creation, modification, deletion and application of firewall security policy rules.
- RS-SFP: interface classification.
- IKE-SFP: cryptographic functions in relation to the key management of the VPN connections between the firewall components.
- SSH-SFP: flow control functions in relation to the communication between the management system and the firewall components.
- SSHLD-SFP: flow control functions in relation to the SSH launch daemon communication between the firewall components.

All other policies are implicitly defined and cover the following areas:
- IPSEC: flow control functions in relation to the VPN connections between the firewall components.
- Administration Policy (implemented by SF_ADM).
- Identification and Authentication Policy (implemented by SF_IA).
- Audit Policy (implemented by SF_AU).
- General Management Facilities Policy (implemented by SF_GEN).
- Random Number Generation (implemented by FCS_RNG).

4. Assumptions and Clarification of Scope

The Assumptions defined in the Security Target and some aspects of Threats and Organisational Security Policies are not covered by the TOE itself. These aspects lead to specific security objectives to be fulfilled by the TOE environment. The following topics are of relevance: OE.PHYSEC, OE.INIT, OE.NOEVIL, OE.SINGEN, OE.TIMESTMP, OE.ADMIN, and OE.HANET. Details can be found in the Security Target [6], chapter 4.2.
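The two policies that carry most of the security argument above, FW-SFP (the rule table) and RS-SFP (interface classification, "traffic on interfaces with a low classification is not transferred as cleartext"), can be modelled as a small filter simulation. The following Python is an added example written for this report; it is not genuscreen code and does not reproduce its rule format or the OpenBSD kernel filter. The interface names, the rule table, first-match evaluation with a default of block, the precedence of classification over an explicit pass rule, the fail-closed treatment of undeclared interfaces, and the port numbers used to recognise IKE (UDP/500, UDP/4500) and SSH (TCP/22) are assumptions of this model (IANA defaults; the evaluated product's actual ports are not stated on the page). The sample packets and rules are constructed.

```python
"""Model of RS-SFP (interface classification) on top of FW-SFP (rule table).

Added example, not genuscreen code.  Rule format, first-match semantics,
classification precedence, fail-closed default for unknown interfaces and
the IKE/SSH port numbers (IANA defaults) are assumptions of this model.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

HIGH, LOW = "high", "low"

# Carriers the report names as protected on the wire: IPsec ESP (VPN data),
# IKE (key management) and SSH (management channel, SSH launch daemon).
PROTECTED_UDP_PORTS = {500, 4500}   # IKE, IKE NAT traversal (assumed defaults)
PROTECTED_TCP_PORTS = {22}          # SSH (assumed default)


@dataclass(frozen=True)
class Interface:
    name: str
    classification: str          # HIGH or LOW


@dataclass(frozen=True)
class Packet:
    iface: str                   # interface the packet is seen on
    proto: str                   # "esp", "udp", "tcp", "icmp"
    src: str
    dst: str
    dport: Optional[int] = None  # None for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                  # "pass" or "block"
    iface: str                   # interface name or "any"
    proto: str                   # protocol name or "any"
    src: str = "any"             # CIDR or "any"
    dst: str = "any"             # CIDR or "any"
    dport: Optional[int] = None  # None matches every port


def is_protected(pkt: Packet) -> bool:
    """True when the packet is ESP, IKE or SSH, i.e. not a cleartext payload."""
    if pkt.proto == "esp":
        return True
    if pkt.proto == "udp":
        return pkt.dport in PROTECTED_UDP_PORTS
    if pkt.proto == "tcp":
        return pkt.dport in PROTECTED_TCP_PORTS
    return False


def rule_is_protected_only(rule: Rule) -> bool:
    """True when every packet the rule can match is a protected carrier."""
    if rule.proto == "esp":
        return True
    if rule.proto == "udp":
        return rule.dport in PROTECTED_UDP_PORTS
    if rule.proto == "tcp":
        return rule.dport in PROTECTED_TCP_PORTS
    return False


def _addr_match(spec: str, addr: str) -> bool:
    return spec == "any" or ip_address(addr) in ip_network(spec, strict=False)


def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.iface in ("any", pkt.iface)
            and rule.proto in ("any", pkt.proto)
            and (rule.dport is None or rule.dport == pkt.dport)
            and _addr_match(rule.src, pkt.src)
            and _addr_match(rule.dst, pkt.dst))


def decide(interfaces: List[Interface], rules: List[Rule], pkt: Packet) -> str:
    """Filter decision ("pass"/"block") for one packet.

    Classification is checked before the rule table: a cleartext packet on a
    LOW interface is blocked whatever the rules say.  An undeclared interface
    is treated as LOW (fail closed).  The rule table is first-match, default block.
    """
    classification = {i.name: i.classification for i in interfaces}
    if classification.get(pkt.iface, LOW) == LOW and not is_protected(pkt):
        return "block"
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action
    return "block"


def audit_ruleset(interfaces: List[Interface], rules: List[Rule]) -> List[Rule]:
    """Static check: pass rules that could admit cleartext on a LOW interface.

    decide() blocks such packets at run time; a pass rule that can never take
    effect means the rule table and the classification disagree.
    """
    low = {i.name for i in interfaces if i.classification == LOW}
    return [r for r in rules
            if r.action == "pass" and not rule_is_protected_only(r)
            and (r.iface in low or (r.iface == "any" and low))]


# Constructed sample: em0 faces the Internet (LOW), em1 the protected net (HIGH).
# The tcp/80 rule on em0 is a deliberate misconfiguration the audit should flag.
INTERFACES = [Interface("em0", LOW), Interface("em1", HIGH)]
RULES = [
    Rule("pass", "em0", "esp"),
    Rule("pass", "em0", "udp", dport=500),
    Rule("pass", "em0", "udp", dport=4500),
    Rule("pass", "em0", "tcp", dport=22),
    Rule("pass", "em0", "tcp", dport=80),
    Rule("pass", "em1", "any", src="10.0.0.0/8"),
]

if __name__ == "__main__":
    for pkt in (Packet("em0", "tcp", "203.0.113.5", "198.51.100.7", 80),
                Packet("em0", "esp", "203.0.113.5", "198.51.100.7"),
                Packet("em1", "tcp", "10.1.2.3", "10.4.5.6", 80)):
        print(pkt.iface, pkt.proto, pkt.dport, "->", decide(INTERFACES, RULES, pkt))
    print("cleartext pass rules on LOW interfaces:", audit_ruleset(INTERFACES, RULES))
```

The point of putting the classification check ahead of the rule table is that an administrator's mistake in FW-SFP (the tcp/80 pass rule on em0) cannot override RS-SFP; audit_ruleset is the static counterpart that finds such a rule before it is pushed to the firewall components.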

5. Architectural Information

The TOE is the software part of the firewall system genuscreen 5.0 developed by genua gmbh.

The TOE consists of
- several firewall components that work as network filters and encrypting gateways,
- a central Management Server that is used to configure, administrate and monitor the firewall components.

The Management Server allows authorised administrators to configure filter rules and protection policies on the firewall components by use of a web-based graphical user interface (GUI) at the Management Server. It also enables authorised administrators to update the software on the firewall components. The GUI must be used from a trusted machine connected to the Management Server through a trusted network.

After installation, all communication between the Management Server and the firewall components is protected by Secure Shell (SSH) transforms against eavesdropping and modification.

The firewall components employ IPsec and SSH-based encryption and authentication to protect data flows between the subnets assigned to them by the authorised administrators.

The firewall components can be used in an optional high availability (HA) setup (for genuscreen) where the firewall components synchronise their internal states. If one system breaks down, the function of this component is resumed by the other.

Management consists of definition / modification and transmission of firewall policies and security policies for network traffic. The GUI also allows transfer of audit data from the firewall components.

The TOE provides VPN and firewall functionality and is easy to manage. It protects networks at the border to the Internet by filtering data. It also protects the data flow between several protected networks against unauthorised inspection and modification. It consists of software on at least two machines (genuscreen appliances), which filter incoming and outgoing traffic for multiple networks. The firewall components (genuscreen appliances) provide confidentiality and integrity for data traffic passing between the networks by using IPsec encryption / authentication functionality. Alternatively, an encrypted tunnel using the application layer can be built up from SSH connections. This composition is referred to as the SSH launch daemon. The firewall components can work as bridges and routers. Interfaces of the firewall components can optionally be classified. Traffic sent to or received from interfaces with classification is not transported in clear text.

Cryptographic operations are part of the TOE. This includes the random number generator, which is of class DRG.3 (see AIS 20 [4]). The TOE provides basic IPv6 support.

The GUI of the management server supports three types of user roles, i.e. Administrator, Revisor and Service. The Management Server allows collecting audit data and monitoring. All components are initialised in a secure network.

The communication server (represented by an additional genuscreen appliance) between the genuscreen appliances and the genucenter management system avoids exposing the genucenter to the Internet.

The firewall components have a local GUI, too, which can be activated (e.g. when the connectivity to the management system has been lost). The GUI of the firewall components supports two types of roles, i.e. Administrator and Revisor. The firewall components can locally store log files.

The Firewall Components consist of
