
McAfee Firewall Enterprise v8.2.0 and McAfee Firewall Enterprise Control Center v5.2.0

Security Target

10 January 2012
Version 1.1

Prepared by: Primasec Ltd
For: McAfee Inc, 2340 Energy Park Drive, St. Paul, MN 55108, USA

McAfee Firewall Enterprise Security Target
McAfee Incorporated

Contents

1 Introduction ..... 5
1.1 ST Introduction ..... 5
1.2 Security Target, TOE and CC Identification ..... 6
1.3 Conformance Claims ..... 6
1.3.1 Common Criteria ..... 6
1.3.2 Protection Profile ..... 6
1.4 Conventions ..... 7
1.5 Terminology & Acronyms ..... 8
1.6 References ..... 11
2 TOE Description ..... 12
2.1 Product Type ..... 12
2.2 Application Context ..... 12
2.3 Physical and Logical Boundaries ..... 12
2.3.1 Evaluation Application Context ..... 12
2.3.2 Proxy agents to be Evaluated ..... 13
2.3.3 Features not to be Evaluated ..... 13
2.3.4 Physical Scope and Boundary ..... 13
2.3.5 Logical Scope and Boundary ..... 15
2.4 TOE Documentation ..... 18
3 Security problem definition ..... 19
3.1 Assumptions ..... 19
3.2 Threats ..... 19
3.2.1 Threats Addressed by the TOE ..... 19
3.2.2 Threat to be Addressed by Operating Environment ..... 20
3.3 Organisational security policies ..... 20
4 Security objectives ..... 21
4.1 Security objectives for the TOE ..... 21
4.2 Security objectives for the environment ..... 22
5 Security requirements ..... 23
5.1 Security functional requirements ..... 23
5.1.1 FMT_SMR.1 Security roles ..... 24
5.1.2 FIA_ATD.1 User attribute definition ..... 24
5.1.3 FIA_UID.2 User identification before any action ..... 24
5.1.4 FIA_AFL.1 Authentication failure handling ..... 24
5.1.5 FIA_UAU.5 Multiple authentication mechanisms ..... 25
5.1.6 FIA_UAU.8 (X) Invocation of authentication mechanism ..... 25
5.1.7 FIA_SOS.2 TSF Generation of secrets ..... 26
5.1.8 FDP_IFC.1 Subset information flow control (1) ..... 26
5.1.9 FDP_IFC.1 Subset information flow control (2) ..... 27
5.1.10 FDP_IFC.1 Subset information flow control (3) ..... 27
5.1.11 FDP_IFF.1 Simple security attributes (1) ..... 27
5.1.12 FDP_IFF.1 Simple security attributes (2) ..... 29
5.1.13 FDP_IFF.1 Simple security attributes (3) ..... 31
5.1.14 FDP_UCT.1 Basic data exchange confidentiality ..... 32
5.1.15 FTP_ITC.1 Inter-TSF trusted channel ..... 32
5.1.16 FMT_MSA.1 Management of security attributes (1) ..... 32
5.1.17 FMT_MSA.1 Management of security attributes (2) ..... 33
5.1.18 FMT_MSA.1 Management of security attributes (3) ..... 33
5.1.19 FMT_MSA.1 Management of security attributes (4) ..... 33
5.1.20 FMT_MSA.1 Management of security attributes (5) ..... 33
5.1.21 FMT_MSA.1 Management of security attributes (6) ..... 33
5.1.22 FMT_MSA.3 Static attribute initialization ..... 33
5.1.23 FMT_MTD.1 Management of TSF data (1) ..... 33
5.1.24 FMT_MTD.1 Management of TSF data (2) ..... 34
5.1.25 FMT_MTD.2 Management of limits on TSF data ..... 34
5.1.26 FDP_RIP.1 Subset residual information protection ..... 34
5.1.27 FCS_COP.1 Cryptographic operation (1 data encryption) ..... 34
5.1.28 FCS_COP.1 Cryptographic operation (2 cryptographic signature services) ..... 34
5.1.29 FCS_COP.1 Cryptographic operation (3 cryptographic hashing) ..... 34
5.1.30 FCS_COP.1 Cryptographic operation (4 cryptographic key agreement) ..... 34
5.1.31 FCS_CKM.1 Cryptographic key generation (1) ..... 35
5.1.32 FCS_CKM.1 Cryptographic key generation (2) ..... 35
5.1.33 FCS_CKM.4 Cryptographic key destruction ..... 35
5.1.34 FPT_STM.1 Reliable time stamps ..... 35
5.1.35 FAU_GEN.1 Audit data generation ..... 35
5.1.36 FAU_SAR.1 Audit review ..... 36
5.1.37 FAU_SAR.3 Selectable audit review ..... 36
5.1.38 FAU_STG.1 Protected audit trail storage ..... 36
5.1.39 FAU_STG.4 Prevention of audit data loss ..... 37
5.1.40 FMT_MOF.1 Management of security functions behaviour (1) ..... 37
5.1.41 FMT_MOF.1 Management of security functions behaviour (2) ..... 37
5.2 Security assurance requirements ..... 37
5.3 Definition of Extended Components ..... 39
6 TOE Summary Specification ..... 40
6.1 Security audit (SF-FAU) ..... 40
6.2 Cryptographic support (SF-FCS) ..... 41
6.3 User data protection (SF-FDP) ..... 43
6.4 Identification and authentication (SF-FIA) ..... 47
6.5 Security management (SF-FMT) ..... 49
6.6 Protection of the TSF (SF-FPT) ..... 50
7 Rationale ..... 51
7.1 Rationale for TOE security objectives ..... 51
7.2 Rationale for security objectives for the environment ..... 52
7.3 Rationale for security requirements ..... 53
7.4 Dependency rationale ..... 59
7.5 Rationale for TOE summary specification ..... 61
7.6 Rationale for security assurance requirements ..... 64
7.7 Loss of audit data ..... 64

1 Introduction

1.1 ST Introduction

This section presents the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST conformance claims, and the ST organization. The TOE is McAfee Firewall Enterprise 8.2.0 and McAfee Firewall Enterprise Control Center 5.2.0.

Within this ST, "McAfee Firewall" is used to identify the combination of hardware and software required to manage and operate the TOE. There are two possible configurations, reflecting two separate management options.

Configuration A comprises:
- the McAfee Firewall Enterprise software, including its SecureOS operating system,
- the McAfee Firewall Admin Console client software,
- the hardware or virtual platform for running the firewall software.

Configuration B comprises:
- the McAfee Firewall Enterprise software, including its SecureOS operating system,
- the McAfee Firewall Enterprise Control Center ("Control Center") Management server software,
- the hardware or virtual platform for running the Control Center Management server software,
- the Control Center client software.

The specific firewall software version and management tool versions to be evaluated are all specified in Section 1.2.

McAfee Firewall is a firewall and access control security platform for the enterprise; McAfee Firewall configured in its operational environment delivers strong security while maintaining performance and scalability. It provides access control of communication and information flow between two or more networks, usually the Internet and internal networks, using application-level proxy and packet filtering technology. The operational environment for the McAfee Firewall software is a dedicated McAfee appliance platform or virtual appliance, supporting a typical Intel-based instruction architecture.

The configured McAfee Firewall provides the highest levels of security by using SecureOS, an enhanced UNIX operating system that employs McAfee's patented Type Enforcement security technology. Type Enforcement technology protects McAfee Firewall by separating all processes and services on the firewall.

McAfee Firewall supports user identification and authentication (I&A), where "user" is defined to be a human user acting in an Administrative role, an authenticated proxy user, or an authorized IT entity. It provides the capability to pass and block information flows based on a set of rules defined by the Administrator. Additionally, it enforces security policies which restrict host-to-host connections to common Internet services such as Telnet, File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP and HTTPS), and Simple Mail Transfer Protocol (SMTP). McAfee Firewall supports encryption for remote administration, remote proxy users and authorized IT entities (e.g. certificate server, NTP server), and generates audit data of security relevant events. McAfee Firewall also provides VPN capability to encrypt outgoing traffic flowing to a geographically separated enclave and decrypt incoming traffic from such an enclave.

This ST contains the following additional sections:
- TOE Description (Section 2)
- Security Problem Definition (Section 3)
- Security Objectives (Section 4)
- Security Requirements (Section 5)
- TOE Summary Specification (Section 6)
- Rationale (Section 8).

1.2 Security Target, TOE and CC Identification

ST Title – McAfee Firewall Enterprise v8.2.0 and McAfee Firewall Enterprise Control Center 5.2.0 Security Target
ST Version – 1.1
ST Date – 10 January 2012
TOE Identification – McAfee Firewall Enterprise 8.2.0 and McAfee Firewall Enterprise Control Center 5.2.0 with patch 520P01
Software: McAfee Firewall 8.2.0, together with either McAfee Firewall Enterprise (Sidewinder) Admin Console 5.05 (Configuration A) or McAfee Firewall Enterprise Control Center 5.2.0 (Configuration B)
The TOE runs on any 64 bit hardware or virtual platform for which a license can be purchased from McAfee (see list of platforms in section 2.3.4.1).
TOE Developer – McAfee
Evaluation Sponsor – McAfee
CC Identification – Common Criteria for Information Technology Security Evaluation, Version 3.1r3

1.3 Conformance Claims

1.3.1 Common Criteria

This TOE and ST are conformant to the following CC specifications:
- [CC PART2] Extended
- [CC PART3] Conformant

Assurance Level: EAL 4 augmented with ALC_FLR.3

1.3.2 Protection Profile

This TOE and ST are conformant to [FWPP] (Augmented).

The TOE type is a firewall, and the TOE type in the PP is stated to be a firewall. The TOE type is therefore consistent with the PP.

The statement of security problem definition in the ST is consistent with that in the PP. All threats, assumptions and organizational security policies in the PP are included in the ST. One threat has been added to address confidentiality and integrity of network traffic in support of claims made in relation to VPNs.

The statement of security objectives in the ST is consistent with that in the PP. The security objectives for the TOE in the ST include all those in the PP. One security objective for the TOE has been added, covering use of VPN. This does not conflict with the other objectives. One of the security objectives for the TOE has been repeated in the statement of security objectives for the environment, to reflect use of an external single-use authentication server. Some of the security objectives for the environment have been reworded for clarity, but in each case the objective is unaltered.

The statement of security requirements in the ST is consistent with that in the PP. Additional security functional requirements have been added to reflect use of VPN. These additional security functional requirements are consistent with those from the PP. An additional security functional requirement has been added to reflect use of an external authentication server. This approach was validated with the PP authors during evaluation of an earlier version of the TOE in 2007.

The security assurance requirements in the ST are hierarchical to those in the PP. The PP calls up EAL2 augmented with ALC_FLR.2, whereas the TOE uses EAL4 augmented with ALC_FLR.3.

1.4 Conventions

Since this security target is claiming compliance with a protection profile, the conventions used are intended to highlight the completion of operations made within this security target. While this security target will include the operations made by the protection profile upon the CC requirements, it is not the author's intent to highlight those operations (i.e., use bold, italics or special fonts). Therefore, keywords (e.g. selection, assignment and refinement) and formatting (e.g., special fonts) used within the protection profile to designate operations are being removed by this ST. The brackets used by the protection profile to designate operations completed by the PP are left in the requirements.

The following conventions have been applied to indicate operations that this ST is making to the requirements in the protection profile:

- Security Functional Requirements – Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: iteration, assignment, selection, and refinement.
  o Iteration: allows a component to be used more than once with varying operations. In the ST, iteration is indicated by a number in brackets placed at the end of the component. For example, FDP_ACC.1 (1) and FDP_ACC.1 (2) indicate that the ST includes two iterations of the FDP_ACC.1 requirement, 1 and 2.
  o Assignment: allows the specification of an identified parameter. Assignments are indicated using bold and are surrounded by brackets (e.g., [assignment]). Note that an assignment within a selection would be identified in italics and with embedded bold brackets (e.g. [[selected-assignment]]).
  o Selection: allows the specification of one or more elements from a list. Selections are indicated using bold italics and are surrounded by brackets (e.g., [selection]).
  o Refinement: allows the addition of details. Refinements are indicated using bold, for additions, and strike-through, for deletions (e.g., "all objects" or "some big things").

- Other sections of the ST – Other sections of the ST use bolding to highlight text of special interest, such as captions.

1.5 Terminology & Acronyms

In the Common Criteria, many terms are defined in Section 4 of [CC PART1]. The following terms are a subset of those definitions. They are listed here to aid the user of the Security Target.

External Entity – Any entity (human or IT) outside the TOE that interacts (or may interact) with the TOE.
User – Same as External Entity.
Authorized User – A user who may, in accordance with the SFRs, perform an operation.
Role – A predefined set of rules establishing the allowed interactions between a user and the TOE.
Identity – A representation (e.g., a string) uniquely identifying an authorized user, which can either be the full or abbreviated name of that user or a pseudonym.
Authentication data – Information used to verify the claimed identity of a user.

In addition to the above general definitions, this Security Target provides the following specialized definitions:

Administrator – Any human user who has been identified and authenticated to act in the administrative role defined in the ST. An "authorized administrator" is an administrator who may, in accordance with the SFRs, perform an operation. A "non-administrator" is, obviously, someone who is not an administrator.

Application-Level Proxy – A proxy server acts on behalf of the user. All requests from clients to the Internet go to the proxy server first. The proxy evaluates the request and, if allowed, re-establishes it on the outbound side to the Internet. Likewise, responses from the Internet go to the proxy server to be evaluated. The proxy then relays the message to the client. Both client and server think they are communicating with one another, but, in fact, are dealing only with the proxy. Proxy servers are available for common Internet services; for example, an HTTP proxy is used for Web access, and an FTP proxy is used for file transfers. Such proxies are called "application-level proxies" because they are dedicated to a particular application and protocol, and are aware of the content of the packets being sent.

Authenticated Proxy User – A user who has been identified and authenticated to satisfy the requirements for using a proxy according to the authenticated policy enforced by the TOE. A "proxy user" is any user, either authenticated or not, who is sending traffic through a proxy according to any security policy enforced by the TOE. A "remote proxy user" is a proxy user who is also a remote user.

Authorized IT entity – Any IT entity outside the TOE that may, in accordance with the SFRs, perform an operation on the TOE.

Local Administration Console – This is a physically connected, generic hardware platform (part of the IT environment) running the McAfee Firewall Administration Console client (part of the TOE). Both the local administration console hardware and its network connection to the McAfee Firewall are physically protected. McAfee Firewall must be configured to accept administrative commands from the local administration console.

Local Administrator – This is an administrator who uses a local administration console to manage McAfee Firewall.

Remote Administration Console – This is also a generic hardware platform running the McAfee Firewall Administration Console client; it has a network connection to McAfee Firewall, but it is not a local administration console. McAfee Firewall must be configured to accept administrative commands from such a remote administration console.

Remote User – A user that communicates with the TOE by means of a network connection. Since administrators are users, a "remote administrator" is an administrator who is also a remote user.

Remote Administrator – This is an administrator who uses a remote administration console or Control Center to manage the McAfee Firewall.

Single-Use Authentication – Data for single-use authentication can be something the user has or knows, but not something the user is. Examples of single-use authentication data include single-use passwords, encrypted time-stamps, and/or random numbers from a secret lookup table.

The following abbreviations are used in this Security Target:

AES – Advanced Encryption Standard
ANSI – American National Standards Institute
BSD – Berkeley Software Distribution
CC – Common Criteria for Information Technology Security Evaluation
CD – Compact Disk
CPU – Central Processing Unit
DSA – Digital Signature Algorithm
EAL – Evaluation Assurance Level
ECB – Electronic Codebook
ESP – Encapsulating Security Payload
FIPS – Federal Information Processing Standard
FIPS PUB – Federal Information Processing Standard Publication
FLR – Flaw Remediation
FTP – File Transfer Protocol
GHz – Gigahertz
GUI – Graphical User Interface
HTTP – Hypertext Transfer Protocol
HTTPS – Hypertext Transfer Protocol Secure

I&A – Identification and Authentication
ICMP – Internet Control Message Protocol
IKE – Internet Key Exchange
IPSEC – Internet Protocol Security
IT – Information Technology
LAN – Local Area Network
MB – Megabyte
MMU – Memory Management Unit
NAT – Network Address Translation
NTP – Network Time Protocol
OS – Operating System
OSP – Organizational Security Policy
PC – Personal Computer
PP – Protection Profile
PRNG – Pseudo Random Number Generator
PS/2 – Personal System/2
RAM – Random Access Memory
RDSA – RSA Digital Signature Algorithm
RFC – Request For Comment
RNG – Random Number Generator
SA – Security Association
SAR – Security Assurance Requirement
SFP – Security Function Policy
SFR – Security Functional Requirement
SHA – Secure Hash Algorithm
SMTP – Simple Mail Transfer Protocol
SSL – Secure Sockets Layer
ST – Security Target
SVGA – Super Video Graphics Array
TCP/IP – Transmission Control Protocol/Internet Protocol
TLS – Transport Layer Security
TOE – Target of Evaluation
TSC – TSF Scope of Control
TSF – TOE Security Functions

TSP – TOE Security Policy
URL – Uniform Resource Locator
US – United States
VPN – Virtual Private Network

1.6 References

The following documentation was used to prepare this ST:

[CC PART1] Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and general model, dated July 2009, version 3.1 revision 3, CCMB-2009-07-001.
[CC PART2] Common Criteria for Information Technology Security Evaluation – Part 2: Security functional components, dated July 2009, version 3.1 revision 3, CCMB-2009-07-002.
[CC PART3] Common Criteria for Information Technology Security Evaluation – Part 3: Security assurance components, dated July 2009, version 3.1 revision 3, CCMB-2009-07-003.
[CEM] Common Methodology for Information Technology Security Evaluation, July 2009, version 3.1 revision 3, CCMB-2009-07-004.
[FWPP] U.S. Government Protection Profile for Application-level Firewall in Basic Robustness Environments, Version 1.1, July 25, 2007.
[FIPS 140-2] Security Requirements for Cryptographic Modules, Federal Information Processing Standard, May 2001.
[FIPS 180-3] Secure Hash Standard (SHS), Federal Information Processing Standard, Oct 2008.
[FIPS 197] Advanced Encryption Standard, Federal Information Processing Standard, Nov 2001.
[SP 800-57] Recommendation for Key Management, NIST Special Publication, March 2007.

2 TOE Description

This section provides context for the TOE evaluation by identifying the product type and describing the evaluated configuration.

2.1 Product Type

The McAfee Firewall, operating with two or more network interfaces, provides a hybrid firewall solution that supports both application-level proxy and packet filtering. The McAfee Firewall software version consists of a collection of integrated firewall applications and SecureOS, a secure operating system. This OS is an extended version of the FreeBSD UNIX operating system. It includes McAfee's patented Type Enforcement security technology, additional network separation control, network-level packet filtering support and improved auditing facilities. SecureOS also provides the secured computing environment in which all McAfee Firewall application layer processing is done. McAfee Firewall also provides VPN capability between separated network enclaves.

In addition to the McAfee Firewall hardware or virtual platform running the firewall application with SecureOS, the TOE also includes one of the following two configurations:

Configuration A
The Admin Console client software (McAfee Firewall Enterprise (Sidewinder) Admin Console). The Admin Console is separately installed on a generic Windows platform that is part of the IT environment: it is used to manage McAfee Firewall.

Configuration B
The McAfee Firewall Enterprise Control Center ("Control Center") Management server software, the hardware or virtual platform for running the Control Center Management server software, and the Control Center client software.

2.2 Application Context

McAfee Firewall operates in an environment where it provides a single point of connectivity between at least two networks. Typically one network is viewed as the inside of an organization, where there is some assumption of control over access to the computing network. The other network is typically viewed as an external network, similar to the Internet, where there is no practical control over the actions of its processing entities. McAfee Firewall's role is to limit and control all information flow between the networks.

2.3 Physical and Logical Boundaries

2.3.1 Evaluation Application Context

The following contextual assumptions apply to the TOE:
a) It shall be newly installed and configured in accordance with the directives contained in the supplied guidance documentation;
b) Physical access to the configured McAfee Firewall shall be controlled;
c) The configured McAfee Firewall shall be connected only to networks between which it controls information flow;
d) The configured McAfee Firewall shall manage traffic for at least two (2) networks, at least one of which is designated as internal and one is designated as external;

e) The configured McAfee Firewall shall support administrative operations via a GUI application, known as Admin Console, running on a Windows system, or via Control Center;
f) If the configured McAfee Firewall is connected to an administrative workstation either directly or remotely, the communications are encrypted using TLS and the workstation is phys
