McAfee Firewall Enterprise V7.0.1.02 Security Target


McAfee Firewall Enterprise v7.0.1.02 Security Target
8 Nov 2010
Version 1.3
Prepared By: Primasec Ltd
For: McAfee Inc, 2340 Energy Park Drive, St. Paul, MN 55108, USA
McAfee Inc. Page 1 of 60

Contents

1 Introduction ... 5
1.1 ST Introduction ... 5
1.2 Security Target, TOE and CC Identification ... 5
1.3 Conformance Claims ... 6
1.3.1 Common Criteria ... 6
1.3.2 Protection Profile ... 6
1.4 Conventions ... 7
1.5 Terminology & Acronyms ... 7
1.6 References ... 10
2 TOE Description ... 12
2.1 Product Type ... 12
2.2 Application Context ... 12
2.3 Physical and Logical Boundaries ... 12
2.3.1 Evaluation Application Context ... 12
2.3.2 Proxy agents to be Evaluated ... 13
2.3.3 Features not to be Evaluated ... 13
2.3.4 Physical Scope and Boundary ... 13
2.3.5 Logical Scope and Boundary ... 14
2.4 TOE Documentation ... 17
3 Security problem definition ... 18
3.1 Assumptions ... 18
3.2 Threats ... 18
3.2.1 Threats Addressed by the TOE ... 18
3.2.2 Threat to be Addressed by Operating Environment ... 19
3.3 Organisational security policies ... 19
4 Security objectives ... 20
4.1 Security objectives for the TOE ... 20
4.2 Security objectives for the environment ... 21
5 Security requirements ... 22
5.1 Security functional requirements ... 22
5.1.1 FMT_SMR.1 Security roles ... 23
5.1.2 FIA_ATD.1 User attribute definition ... 23
5.1.3 FIA_UID.2 User identification before any action ... 23
5.1.4 FIA_AFL.1 Authentication failure handling ... 23
5.1.5 FIA_UAU.5 Multiple authentication mechanisms ... 23
5.1.6 FIA_UAU.8 (X) Invocation of authentication mechanism ... 24
5.1.7 FIA_SOS.2 TSF Generation of secrets ... 25
5.1.8 FDP_IFC.1 Subset information flow control (1) ... 25
5.1.9 FDP_IFC.1 Subset information flow control (2) ... 25
5.1.10 FDP_IFC.1 Subset information flow control (3) ... 26
5.1.11 FDP_IFF.1 Simple security attributes (1) ... 26
5.1.12 FDP_IFF.1 Simple security attributes (2) ... 28
5.1.13 FDP_IFF.1 Simple security attributes (3) ... 30
5.1.14 FDP_UCT.1 Basic data exchange confidentiality ... 31
5.1.15 FTP_ITC.1 Inter-TSF trusted channel ... 31
5.1.16 FMT_MSA.1 Management of security attributes (1) ... 31
5.1.17 FMT_MSA.1 Management of security attributes (2) ... 31
5.1.18 FMT_MSA.1 Management of security attributes (3) ... 31
5.1.19 FMT_MSA.1 Management of security attributes (4) ... 31
5.1.20 FMT_MSA.1 Management of security attributes (5) ... 31
5.1.21 FMT_MSA.1 Management of security attributes (6) ... 32
5.1.22 FMT_MSA.3 Static attribute initialization ... 32
5.1.23 FMT_MTD.1 Management of TSF data (1) ... 32
5.1.24 FMT_MTD.1 Management of TSF data (2) ... 32
5.1.25 FMT_MTD.2 Management of limits on TSF data ... 32
5.1.26 FDP_RIP.1 Subset residual information protection ... 32
5.1.27 FCS_COP.1 Cryptographic operation (1 data encryption) ... 32
5.1.28 FCS_COP.1 Cryptographic operation (2 cryptographic signature services) ... 33
5.1.29 FCS_COP.1 Cryptographic operation (3 cryptographic hashing) ... 33
5.1.30 FCS_COP.1 Cryptographic operation (4 cryptographic key agreement) ... 33
5.1.31 FPT_STM.1 Reliable time stamps ... 33
5.1.32 FAU_GEN.1 Audit data generation ... 33
5.1.33 FAU_SAR.1 Audit review ... 34
5.1.34 FAU_SAR.3 Selectable audit review ... 34
5.1.35 FAU_STG.1 Protected audit trail storage ... 34
5.1.36 FAU_STG.4 Prevention of audit data loss ... 35
5.1.37 FMT_MOF.1 Management of security functions behaviour (1) ... 35
5.1.38 FMT_MOF.1 Management of security functions behaviour (2) ... 35
5.2 Security assurance requirements ... 35
5.3 Definition of Extended Components ... 37
6 TOE Summary Specification ... 38
6.1 Security audit (SF-FAU) ... 38
6.2 Cryptographic support (SF-FCS) ... 39
6.3 User data protection (SF-FDP) ... 40
6.4 Identification and authentication (SF-FIA) ... 43
6.5 Security management (SF-FMT) ... 45
6.6 Protection of the TSF (SF-FPT) ... 46
7 Rationale ... 47
7.1 Rationale for TOE security objectives ... 47
7.2 Rationale for security objectives for the environment ... 48
7.3 Rationale for security requirements ... 49
7.4 Dependency rationale ... 55
7.5 Rationale for TOE summary specification ... 57
7.6 Rationale for security assurance requirements ... 59
7.7 Loss of audit data ... 59

1 Introduction

1.1 ST Introduction

This section presents the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST conformance claims, and the ST organization. The TOE is McAfee Firewall Enterprise 7.0.1.02HW02.

Within this ST, “McAfee Firewall” is used to identify the combination of a particular version of the McAfee Firewall Enterprise software, including its SecureOS operating system, the corresponding Admin Console client software, and the hardware or virtual platform for running the firewall software. The specific firewall software version, management tool version, and hardware/virtual platforms to be evaluated are all specified in Section 1.2.

McAfee Firewall is a firewall and access control security platform for the enterprise; McAfee Firewall configured in its operational environment delivers strong security while maintaining performance and scalability. It provides access control of communication and information flow between two or more networks, usually the Internet and internal networks, using application-level proxy and packet filtering technology. The operational environment for the McAfee Firewall software is a dedicated McAfee appliance platform or virtual appliance, supporting a typical Intel-based instruction architecture. The configured McAfee Firewall provides the highest levels of security by using SecureOS, an enhanced UNIX operating system that employs McAfee's patented Type Enforcement security technology. Type Enforcement technology protects McAfee Firewall by separating all processes and services on the firewall.

McAfee Firewall supports user identification and authentication (I&A) where "user" is defined to be a human user acting in an Administrative role, an authenticated proxy user, or an authorized IT entity. It provides the capability to pass and block information flows based on a set of rules defined by the Administrator. Additionally, it enforces security policies which restrict host-to-host connections to common Internet services such as: Telnet, File Transfer Protocol (FTP), Hypertext Transfer Protocol (HTTP and HTTPS), and Simple Mail Transfer Protocol (SMTP). McAfee Firewall supports encryption for remote administration, remote proxy users and authorized IT entities (e.g. certificate server, NTP server), and generates audit data of security relevant events. McAfee Firewall also provides VPN capability to encrypt out-going traffic flowing to a geographically separated enclave and decrypt incoming traffic from such an enclave.

This ST contains the following additional sections:
- TOE Description (Section 2)
- Security Problem Definition (Section 3)
- Security Objectives (Section 4)
- Security Requirements (Section 5)
- TOE Summary Specification (Section 6)
- Rationale (Section 8).

1.2 Security Target, TOE and CC Identification

ST Title – McAfee Firewall Enterprise v7.0.1.02 Security Target
ST Version – 1.3
ST Date – 8 November 2010

TOE Identification – McAfee Firewall Enterprise 7.0.1.02HW02
Software: McAfee Firewall Enterprise 7.0.1.02HW02revB, McAfee Firewall Enterprise (Sidewinder) Admin Console 4.10
Hardware: Models S1104, FW-410F, FW-510F, FW-1100F, FW-2100F, FW-2150F, FW-4150F, FW-2150F-VX04, and RM700F; also VMware (3.5 or 4) ESX Server, and Riverbed Steelhead 250, 550, and 1050 appliances
TOE Developer – McAfee
Evaluation Sponsor – McAfee
CC Identification – Common Criteria for Information Technology Security Evaluation, Version 3.1r3

1.3 Conformance Claims

1.3.1 Common Criteria

This TOE and ST are conformant to the following CC specifications:
[CC PART2] Extended
[CC PART3] Conformant
Assurance Level: EAL 4 augmented with ALC_FLR.3

1.3.2 Protection Profile

This TOE and ST are conformant to [FWPP] (Augmented).

The TOE type is a firewall, and the TOE type in the PP is stated to be a firewall. The TOE type is therefore consistent with the PP.

The statement of security problem definition in the ST is consistent with that in the PP. All threats, assumptions and organizational security policies in the PP are included in the ST. One threat has been added to address confidentiality and integrity of network traffic in support of claims made in relation to VPNs.

The statement of security objectives in the ST is consistent with that in the PP. The security objectives for the TOE in the ST include all those in the PP. One security objective for the TOE has been added, covering use of VPN. This does not conflict with the other objectives. One of the security objectives for the TOE has been repeated in the statement of security objectives for the environment, to reflect use of an external single-use authentication server. Some of the security objectives for the environment have been reworded for clarity, but in each case the objective is unaltered.

The statement of security requirements in the ST is consistent with that in the PP. Additional security functional requirements have been added to reflect use of VPN. These additional security functional requirements are consistent with those from the PP. An additional security functional requirement has been added to reflect use of an external authentication server. This approach was validated with the PP authors during evaluation of an earlier version of the TOE in 2007.

The security assurance requirements in the ST are hierarchical to those in the PP. The PP calls up EAL2 augmented with ALC_FLR.2, whereas the TOE uses EAL4 augmented with ALC_FLR.3.

1.4 Conventions

Since this security target is claiming compliance with a protection profile, the conventions used are intended to highlight the completion of operations made within this security target. While this security target will include the operations made by the protection profile upon the CC requirements, it is not the author’s intent to highlight those operations (i.e., use bold, italics or special fonts). Therefore, keywords (e.g. selection, assignment and refinement) and formatting (e.g., special fonts) used within the protection profile to designate operations are being removed by this ST. The brackets used by the protection profile to designate operations completed by the PP are left in the requirements.

The following conventions have been applied to indicate operations that this ST is making to the requirements in the protection profile:

Security Functional Requirements – Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: iteration, assignment, selection, and refinement.
  o Iteration: allows a component to be used more than once with varying operations. In the ST, iteration is indicated by a number in brackets placed at the end of the component. For example FDP_ACC.1 (1) and FDP_ACC.1 (2) indicate that the ST includes two iterations of the FDP_ACC.1 requirement, 1 and 2.
  o Assignment: allows the specification of an identified parameter. Assignments are indicated using bold and are surrounded by brackets (e.g., [assignment]). Note that an assignment within a selection would be identified in italics and with embedded bold brackets (e.g. [[selected-assignment]]).
  o Selection: allows the specification of one or more elements from a list. Selections are indicated using bold italics and are surrounded by brackets (e.g., [selection]).
  o Refinement: allows the addition of details. Refinements are indicated using bold, for additions, and strike-through, for deletions (e.g., “all objects” or “some big things”).

Other sections of the ST – Other sections of the ST use bolding to highlight text of special interest, such as captions.

1.5 Terminology & Acronyms

In the Common Criteria, many terms are defined in Section 4 of [CC PART1]. The following terms are a subset of those definitions. They are listed here to aid the user of the Security Target.

External Entity – Any entity (human or IT) outside the TOE that interacts (or may interact) with the TOE.
User – Same as External Entity.
Authorized User – A user who may, in accordance with the SFRs, perform an operation.
Role – A predefined set of rules establishing the allowed interactions between a user and the TOE.

Identity – A representation (e.g., a string) uniquely identifying an authorized user, which can either be the full or abbreviated name of that user or a pseudonym.
Authentication data – Information used to verify the claimed identity of a user.

In addition to the above general definitions, this Security Target provides the following specialized definitions:

Administrator – Any human user who has been identified and authenticated to act in the administrative role defined in the ST. An “authorized administrator” is an administrator who may, in accordance with the SFRs, perform an operation. A “non-administrator” is, obviously, someone who is not an administrator.

Application-Level Proxy – A proxy server acts on behalf of the user. All requests from clients to the Internet go to the proxy server first. The proxy evaluates the request, and if allowed, re-establishes it on the outbound side to the Internet. Likewise, responses from the Internet go to the proxy server to be evaluated. The proxy then relays the message to the client. Both client and server think they are communicating with one another, but, in fact, are dealing only with the proxy. Proxy servers are available for common Internet services; for example, an HTTP proxy is used for Web access, and an FTP proxy is used for file transfers. Such proxies are called "application-level proxies” because they are dedicated to a particular application and protocol, and are aware of the content of the packets being sent.

Authenticated Proxy User – A user who has been identified and authenticated to satisfy the requirements for using a proxy according to the authenticated policy enforced by the TOE. A “proxy user” is any user, either authenticated or not, who is sending traffic through a proxy according to any security policy enforced by the TOE. A “remote proxy user” is a proxy user who is also a remote user.

Authorized IT entity – Any IT entity outside the TOE that may, in accordance with the SFRs, perform an operation on the TOE.

Local Administration Console – This is the physically connected, generic hardware platform (part of the IT environment) running the McAfee Firewall Administration Console client (part of the TOE). Both the local administration console hardware and its network connection to the McAfee Firewall are physically protected. McAfee Firewall must be configured to accept administrative commands from the local administration console.

Local Administrator – This is an administrator who uses a local administration console to manage McAfee Firewall.

Remote Administration Console – This is also a generic hardware platform running the McAfee Firewall Administration Console client; it has a network connection to McAfee Firewall, but it is not a local administration console. McAfee Firewall must be configured to accept administrative commands from such a remote administration console.

Remote User – A user that communicates with the TOE by means of a network connection. Since administrators are users, a “remote administrator” is an administrator who is also a remote user.

Remote Administrator – This is an administrator who uses a remote administration console to manage McAfee Firewall.

Single-Use Authentication – Data for single-use authentication can be something the user has or knows, but not something the user is. Examples of single-use authentication data include single-use passwords, encrypted time-stamps, and/or random numbers from a secret lookup table.

The following abbreviations are used in this Security Target:

AES – Advanced Encryption Standard
ANSI – American National Standards Institute
BSD – Berkeley Software Distribution
CC – Common Criteria for Information Technology Security Evaluation
CD – Compact Disk
CPU – Central Processing Unit
DSA – Digital Signature Algorithm
EAL – Evaluation Assurance Level
ECB – Electronic Codebook
ESP – Encapsulating Security Payload
FIPS – Federal Information Processing Standard
FIPS PUB – Federal Information Processing Standard Publication
FLR – Flaw Remediation
FTP – File Transfer Protocol
GHz – Gigahertz
GUI – Graphical User Interface
HTTP – Hypertext Transfer Protocol
HTTPS – Hypertext Transfer Protocol Secure
I&A – Identification and Authentication
ICMP – Internet Control Message Protocol
IKE – Internet Key Exchange
IPSEC – Internet Protocol Security
IT – Information Technology
LAN – Local Area Network
MB – Megabyte
MMU – Memory Management Unit
NAT – Network Address Translation
NTP – Network Time Protocol
OS – Operating System
OSP – Organizational Security Policy
PC – Personal Computer
PP – Protection Profile
PRNG – Pseudo Random Number Generator
PS/2 – Personal System/2
RAM – Random Access Memory
RDSA – RSA Digital Signature Algorithm
RFC – Request For Comment
RNG – Random Number Generator
SA – Security Association
SAR – Security Assurance Requirement
SFP – Security Function Policy
SFR – Security Functional Requirement
SHA – Secure Hash Algorithm
SMTP – Simple Mail Transfer Protocol
SSL – Secure Sockets Layer
ST – Security Target
SVGA – Super Video Graphics Array
TCP/IP – Transmission Control Protocol/Internet Protocol
TLS – Transport Layer Security
TOE – Target of Evaluation
TSC – TSF Scope of Control
TSF – TOE Security Functions
TSP – TOE Security Policy
URL – Uniform Resource Locator
US – United States
VPN – Virtual Private Network

1.6 References

The following documentation was used to prepare this ST:

[CC PART1] Common Criteria for Information Technology Security Evaluation – Part 1: Introduction and general model, dated July 2009, version 3.1 revision 3, CCMB-2009-07-001.
[CC PART2] Common Criteria for Information Technology Security Evaluation – Part 2: Security functional components, dated July 2009, version 3.1 revision 3, CCMB-2009-07-002.
[CC PART3] Common Criteria for Information Technology Security Evaluation – Part 3: Security assurance components, dated July 2009, version 3.1 revision 3, CCMB-2009-07-003.
[CEM] Common Methodology for Information Technology Security Evaluation – July 2009, version 3.1 revision 3, CCMB-2009-07-004.
[FWPP] U.S. Government Protection Profile for Application-level Firewall in Basic Robustness Environments, Version 1.1, July 25, 2007.
[FIPS 140-2] Security Requirements for Cryptographic Modules, Federal Information Processing Standard, May 2001.
[FIPS 180-3] Secure Hash Standard (SHS), Federal Information Processing Standard, Oct 2008.
[FIPS 197] Advanced Encryption Standard, Federal Information Processing Standard, Nov 2001.
[SP 800-57] Recommendation for Key Management, NIST Special Publication, March 2007.

2 TOE Description

This section provides context for the TOE evaluation by identifying the product type and describing the evaluated configuration.

2.1 Product Type

McAfee Firewall operating with two or more network interfaces provides a hybrid firewall solution that supports both application-level proxy and packet filtering. The McAfee Firewall software version consists of a collection of integrated firewall applications and SecureOS, a secure operating system. This OS is an extended version of the FreeBSD UNIX operating system. It includes McAfee's patented Type Enforcement security technology, additional network separation control, network-level packet filtering support and improved auditing facilities. SecureOS also provides the secured computing environment in which all McAfee Firewall application-layer processing is done. McAfee Firewall also provides VPN capability between separated network enclaves.

In addition to the McAfee Firewall appliance model running the firewall application with SecureOS, the TOE also includes the Admin Console client software (McAfee Firewall Enterprise (Sidewinder) Admin Console). The Admin Console is separately installed on a generic Windows platform that is part of the IT environment: it is used to manage McAfee Firewall.

2.2 Application Context

McAfee Firewall operates in an environment where it provides a single point of connectivity between at least two networks. Typically one network is viewed as the inside of an organization, where there is some assumption of control over access to the computing network. The other network is typically viewed as an external network, similar to the Internet, where there is no practical control over the actions of its processing entities. McAfee Firewall's role is to limit and control all information flow between the networks.

2.3 Physical and Logical Boundaries

2.3.1 Evaluation Application Context

The following contextual assumptions apply to the TOE:
a) It shall be newly installed and configured in accordance with the directives contained in the supplied guidance documentation;
b) Physical access to the configured McAfee Firewall shall be controlled;
c) The configured McAfee Firewall shall be connected only to networks between which it controls information flow;
d) The configured McAfee Firewall shall manage traffic for at least two (2) networks, at least one of which is designated as internal and one is designated as external;
e) The configured McAfee Firewall shall support administrative operations via a GUI application, known as Admin Console, running on a Windows system;
f) The configured McAfee Firewall shall be connected to its administrative workstation either directly or remotely, but in either case the communications are encrypted and the workstation is physically protected;
g) Only authorized administrators shall be allowed physical access to the McAfee Firewall hardware computing platform or to the administrative workstation for such purposes as starting the system.

2.3.2 Proxy agents to be Evaluated

The FTP, HTTP, HTTPS, SMTP, Telnet, and Generic proxy agents are all included within the scope of the evaluation. Other protocol-aware proxy agents and services provided by McAfee Firewall are excluded from the scope of the evaluation.

2.3.3 Features not to be Evaluated

McAfee Firewall provides additional capabilities by means of optional “add-on” features that require additional equipment and/or licensing. The following extra functionality of this type is specifically excluded from the scope of this evaluation:
a) Failover/High Availability;
b) Anti-Virus;
c) SmartFilter (URL Filtering);
d) Signature based IPS;
e) Policy Acceleration Network Cards;
f) SSL Termination;
g) McAfee Firewall Enterprise Control Center (product to manage multiple McAfee Firewalls);
h) Network analysis capability;
i) Security Reporter (optional tool to view audit).

McAfee Firewall includes functions that are explicitly excluded from the scope of the evaluation:
a) Built-in servers other than ICMP;
b) Trusted Source (reputation service for email senders);
c) Use of the command line to manage the TOE (disabled in the evaluated configuration).

2.3.4 Physical Scope and Boundary

The TOE consists of McAfee Firewall software Version 7.0.1.02, which includes the firewall application and the SecureOS operating system, running on a dedicated McAfee appliance platform or virtual appliance. The TOE also includes the Admin Console client software (the McAfee Firewall Enterprise (Sidewinder) Admin Console version 4.10). This software is provided with every McAfee Firewall appliance, and it is also provided as a separate part of every McAfee Firewall software product distribution. The administration client software runs on a generic computi
