Transcription
PA-500, PA-2000 Series, and PA-4000Series FirewallsSecurity PolicyVersion: CPalo Alto NetworksRevision Date: 5/31/2011www.paloaltonetworks.com 2011 Palo Alto Networks. May be reproduced only in its original entirety (withoutrevision). Palo Alto Networks, PAN-OS, and Panorama are trademarks of Palo Alto Networks, Inc. All othertrademarks are the property of their respective owners.P/N 880-000018-00C
Palo Alto Networks880-000018-00CCHANGE RECORDTable 1 - Change RecordRevisionDateAuthorA8/23/2010N. CampagnaInitial authoringB1/24/2011N. CampagnaAdded detail to the identity and authentication ofIPSec endpoints.C5/31/2011N. CampagnaAdded FW Version 3.1.7-h1Palo Alto Networks Firewall Security PolicyDescription of ChangePage 2 of 49
Palo Alto Networks880-000018-00CContents1Module Overview . 62Security Level . 133Modes of Operation . 143.1FIPS Approved Mode of Operation . 143.2Approved and Allowed Algorithms. 153.3Non‐Approved, Non‐Allowed Algorithms . 154Ports and Interfaces . 175Identification and Authentication Policy . 195.16Assumption of Roles . 19Access Control Policy . 216.1Roles and Services . 216.2Unauthenticated Services. 216.3Definition of Critical Security Parameters (CSPs) . 225.3a Definition of Public Keys. 236.4Definition of CSPs Modes of Access . 257Operational Environment . 268Security Rules . 269Physical Security Policy . 289.1Physical Security Mechanisms . 289.2Operator Required Actions . 3210Mitigation of Other Attacks Policy . 3311References . 3312Definitions and Acronyms . 3313Appendix A – PA‐500 – FIPS Accessories/Tamper Seal Installation . 3514Appendix B ‐ PA‐2000 Series – FIPS Accessories/Tamper Seal Installation . 4015Appendix C ‐ PA‐4000 Series – FIPS Accessories/Tamper Seal Installation . 44Palo Alto Networks Firewall Security PolicyPage 3 of 49
Palo Alto Networks880-000018-00CTablesTable 1 ‐ Change Record . 2Table 2 ‐ Validated Version Information . 11Table 3 ‐ Module Security Level Specification. 13Table 4 ‐ FIPS Approved Algorithms Used in Current Module . 15Table 5 – FIPS Allowed Algorithms Used in Current Module . 15Table 6 ‐ Non‐Approved, Non‐Allowed Algorithms Used in Current Module . 15Table 7 – PA‐500 FIPS 140‐2 Ports and Interfaces . 17Table 8 – PA‐2000 Series FIPS 140‐2 Ports and Interfaces . 17Table 9 – PA‐4000 Series FIPS 140‐2 Ports and Interfaces . 17Table 10 ‐ Roles and Required Identification and Authentication . 19Table 11 – Strengths of Authentication Mechanisms . 20Table 12 – Authenticated Service Descriptions. 21Table 13 – Authenticated Services . 21Table 14 ‐ Unauthenticated Services . 21Table 15 ‐ Private Keys and CSPs . 22Table 16 ‐ Public Keys . 23Table 17 ‐ CSP Access Rights within Roles & Services . 25Table 18 ‐ Inspection/Testing of Physical Security Mechanisms. 32FiguresFigure 1 ‐ PA‐500 Front Image . 8Figure 2 ‐ PA‐500 Back Image . 8Figure 3 ‐ PA‐500 with Front Opacity Sheild . 8Figure 4 ‐ PA‐500 with Side Opacity Shield . 8Figure 5 ‐ PA‐2020 / PA‐2050 Front Images . 9Figure 6 ‐ PA‐2020 / PA‐2050 Back Image . 9Figure 7 ‐ PA‐2020 / PA‐2050 Front Opacity Shield . 9Figure 8 ‐ PA‐2020 / PA‐2050 with Side Opacity Shield . 9Figure 9 ‐ PA‐4020 / PA‐4050 Front Image . 10Figure 10 ‐ PA‐4060 Front Image . 10Figure 11 ‐ PA‐4020 / PA‐4050 / PA‐4060 Back Image. 10Figure 12 ‐ Logical Block Diagram . 12Palo Alto Networks Firewall Security PolicyPage 4 of 49
Palo Alto Networks880-000018-00CFigure 13 ‐ PA‐500 Front Tamper Seal Placement (1) . 28Figure 14 ‐ PA‐500 Left Side Tamper Seal Placement (2) . 28Figure 15 ‐ PA‐500 Right Side Tamper Seal Placement (2) . 29Figure 16 ‐ PA‐500 Rear Tamper Seal Placement (4) . 29Figure 17 ‐ PA‐2000 Series Front Tamper Seal Placement (1). 29Figure 18 ‐ PA‐2000 Series Left Side Tamper Seal Placement (3) . 29Figure 19 ‐ PA‐2000 Series Right Side Tamper Seal Placement (3) . 30Figure 20 ‐ PA‐2000 Series Rear Tamper Seal Placement (2) . 30Figure 21 ‐ PA‐4000 Series Rear Tamper Seal Placement – From Top (4). 30Figure 22 ‐ PA‐4000 Series Rear Side Tamper Seal Placement – From Underside (4) . 31Figure 23 ‐ PA‐4000 Series Right Side Tamper Seal Placement (1) . 31Figure 24 ‐ PA‐4000 Series Left Side Tamper Seal Placement (1) . 31Palo Alto Networks Firewall Security PolicyPage 5 of 49
Palo Alto Networks880-000018-00C1 Module OverviewThe Palo Alto Networks PA-500, PA-2000 Series, and PA-4000 Series firewalls (hereafter referred toas the modules) are multi-chip standalone modules that provide network security by enablingenterprises to see and control applications, users, and content – not just ports, IP addresses, and packets– using three unique identification technologies: App-ID, User-ID, and Content-ID. Theseidentification technologies, found in Palo Alto Networks' enterprise firewalls, enable enterprises tocreate business-relevant security policies – safely enabling organizations to adopt new applications,instead of the traditional “all-or-nothing” approach offered by traditional port-blocking firewalls usedin many security infrastructures.Features and Benefits Application visibility and control: Accurate identification of the applications traversing thenetwork enables policy-based control over application usage at the firewall, the strategic centerof the security infrastructure. Visualization tools: Graphical visibility tools, customizable reporting and logging enablesadministrators to make a more informed decision on how to treat the applications traversing thenetwork. Application browser: Helps administrators quickly research what the application is, its’behavioral characteristics and underlying technology resulting in a more informed decisionmaking process on how to treat the application. User-based visibility and control: Seamless integration with enterprise directory services(Active Directory, LDAP, eDirectory) facilitates application visibility and policy creation basedon user and group information, not just IP address. In Citrix and terminal services environments,the identity of users sitting behind Citrix or terminal services can be used to enable policy-basedvisibility and control over applications, users and content. An XML API enables integration withother, 3rd party user repositories. Real-time threat prevention: Detects and blocks application vulnerabilities, viruses, spyware,and worms; controls web activity; all in real-time, dramatically improving performance andaccuracy. File and data filtering: Taking full advantage of the in-depth application inspection beingperformed by App-ID, administrators can implement several different types of policies thatreduce the risk associated with unauthorized file and data transfer. Legacy firewall support: Support for traditional inbound and outbound port-based firewall rulesmixed with application-based rules smoothes the transition to a Palo Alto Networks nextgeneration firewall.Palo Alto Networks Firewall Security PolicyPage 6 of 49
Palo Alto Networks880-000018-00C Networking architecture: Support for dynamic routing (OSPF, RIP, BGP), virtual wire modeand layer 2/layer 3 modes facilitates deployment in nearly any networking environment. Policy-based Forwarding: Forward traffic based on policy defined by application, sourcezone/interface, source/destination address, source user/group, and service. Virtual Systems: Create multiple virtual “firewalls” within a single device as a means ofsupporting specific departments or customers. Each virtual system can include dedicatedadministrative accounts, interfaces, networking configuration, security zones, and policies for theassociated network traffic. VPN connectivity: Secure site-to-site connectivity is enabled through standards-based IPSecVPN support while remote user access is delivered via SSL VPN connectivity. Quality of Service (QoS): Deploy traffic shaping policies (guaranteed, maximum and priority)to enable positive policy controls over bandwidth intensive, non-work related applications suchas streaming media while preserving the performance of business applications. Real-time bandwidth monitor: View real-time bandwidth and session consumption forapplications and users within a selected QoS class. Purpose-built platform: combines single pass software with parallel processing hardwareto deliver the multi-Gbps performance necessary to protect today’s high speed networks.Palo Alto Networks Firewall Security PolicyPage 7 of 49
Palo Alto Networks880-000018-00CNote: Modules are shown in figures with no opacity shields included to demonstrate module interfacesand other physical characteristics. Pictures are included of each chassis with the opacity shields inplace.Figure 1 - PA-500 Front ImageFigure 2 - PA-500 Back ImageFigure 3 - PA-500 with Front Opacity SheildFigure 4 - PA-500 with Side Opacity ShieldPalo Alto Networks Firewall Security PolicyPage 8 of 49
Palo Alto Networks880-000018-00CFigure 5 - PA-2020 / PA-2050 Front ImagesFigure 6 - PA-2020 / PA-2050 Back ImageFigure 7 - PA-2020 / PA-2050 Front Opacity ShieldFigure 8 - PA-2020 / PA-2050 with Side Opacity ShieldPalo Alto Networks Firewall Security PolicyPage 9 of 49
Palo Alto Networks880-000018-00CFigure 9 - PA-4020 / PA-4050 Front ImageFigure 10 - PA-4060 Front ImageFigure 11 - PA-4020 / PA-4050 / PA-4060 Back ImageFigure 12 - PA-4020 / PA-4050 / PA-4060 Left Side with Opacity ShieldPalo Alto Networks Firewall Security PolicyPage 10 of 49
Palo Alto Networks880-000018-00CThe configurations for this validation are:Table 2 - Validated Version InformationModulePart NumberHardwareVersionFIPS Kit PartNumberFIPS 00DRev. D920-000005-001Rev. 13.1.2 or 3.1.7-h1PA-2020910-000004-00KRev. K920-000004-001Rev. 13.1.2 or 3.1.7-h1PA-2050910-000003-00KRev. K920-000004-001Rev. 13.1.2 or 3.1.7-h1PA-4020910-000002-00QRev. Q920-000003-001Rev. 13.1.2 or 3.1.7-h1PA-4050910-000001-00PRev. P920-000003-001Rev. 13.1.2 or 3.1.7-h1PA-4060910-000005-00GRev. G920-000003-001Rev. 13.1.2 or 3.1.7-h1Palo Alto Networks Firewall Security PolicyPage 11 of 49
Palo Alto Networks880-000018-00CFigure 12 depicts the logical block diagram for the modules. The cryptographic boundary includes allof the logical components of the modules and the boundary is the physical enclosure of the firewall.Figure 12 - Logical Block DiagramPalo Alto Networks Firewall Security PolicyPage 12 of 49
Palo Alto Networks880-000018-00C2 Security LevelThe cryptographic modules meet the overall requirements applicable to Level 2 security of FIPS 140-2.Table 3 - Module Security Level SpecificationSecurity Requirements SectionLevelCryptographic Module Specification3Module Ports and Interfaces2Roles, Services and Authentication3Finite State Model2Physical Security2Operational EnvironmentN/ACryptographic Key Management2EMI/EMC2Self-Tests2Design Assurance3Mitigation of Other AttacksPalo Alto Networks Firewall Security PolicyN/APage 13 of 49
Palo Alto Networks880-000018-00C3 Modes of Operation3.1FIPS Approved Mode of OperationThe modules support both a FIPS mode and a non-FIPS mode. The following procedure will put themodules into the FIPS mode of operation: During initial boot up, break the boot sequence via the console port connection (by pressing the mbutton when instructed to do so) to access the main menu. Select “Continue.” Select the “Set FIPS Mode” option to enter FIPS mode. Select “Enable FIPS Mode”. When prompted, select “Reboot” and the module will re-initialize and continue into FIPS mode. The module will reboot. In FIPS mode, the console port is available only as a status output port.The module will automatically indicate the FIPS Approved mode of operation in the following manner: Status output interface will indicate “**** FIPS MODE ENABLED ****” via the CLI session. Status output interface will indicate “FIPS Mode Enabled Successfully” via the console port. The module will display “FIPS mode” at all times in the status bar at the bottom of the webinterface.Should one or more power-up self-tests fail, the FIPS Approved mode of operation will not beachieved. Feedback will consist of: The module will reboot and enter a state in which the reason for the reboot can be determined. To determine which self-test caused the system to reboot into the error state, connect the consolecable and follow the on-screen instructions to view the self-test output. Install FIPS kit opacity shields and tamper evidence seals according to Section 9. The tamper evidence seals and opacity shields shall be installed for the module to operate in aFIPS Approved mode of operation.Palo Alto Networks Firewall Security PolicyPage 14 of 49
Palo Alto Networks3.2880-000018-00CApproved and Allowed AlgorithmsThe cryptographic modules support the following FIPS Approved algorithms.Table 4 - FIPS Approved Algorithms Used in Current ModuleFIPS Approved AlgorithmCAVP Cert. #AES1378TDESRSA950DSA451HMAC-SHA-1, HMAC-SHA-256810SHA-1, SHA-21259ANSI x9.31 RNG760675The cryptographic modules support the following non-FIPS Approved algorithms that are allowed foruse in FIPS mode.Table 5 – FIPS Allowed Algorithms Used in Current ModuleFIPS Allowed AlgorithmDiffie-Hellman (key establishment methodology provides 112 bits of encryption strength)RSA (key wrapping, key establishment methodology provides 112 bits of encryption strength)NDRNG (used to seed ANSI x9.31 RNG)MD5 (within TLS)3.3Non-Approved, Non-Allowed AlgorithmsThe cryptographic modules support the following non-Approved algorithms. No security claim is madein the current modules for any of the following non-Approved algorithms.Table 6 - Non-Approved, Non-Allowed Algorithms Used in Current ModuleNon-FIPS Allowed Algorithm in Non-FIPS ModeMD5 – used for hashing of non-security relevant data; in CHAP authentication with RADIUSservers; in authentication for OSPF, RIP, and BGP dynamic routing protocols; for passwordhashing on Data Leakage Protection and Administrator passwords; and to integrity check URLfiltering database downloads (note this is in addition to HMAC-SHA-1 authentication/integritycheck). MD5 is also used to authenticate communications with the security module. MD5 isalso used to hash administrator passwords.Palo Alto Networks Firewall Security PolicyPage 15 of 49
Palo Alto Networks880-000018-00CNon-FIPS Allowed Algorithm in Non-FIPS ModeRC4 – used to encrypt SSL communications with the security module.Camellia - used to encrypt SSL communications with the security module.RC2 - used to encrypt SSL communications with the security module.SEED - used to encrypt SSL communications with the security module.DES - used to encrypt SSL communications with the security module.Palo Alto Networks Firewall Security PolicyPage 16 of 49
Palo Alto Networks880-000018-00C4 Ports and InterfacesThe modules are multi-chip standalone modules with ports and interfaces as shown below.Table 7 – PA-500 FIPS 140-2 Ports and InterfacesInterfacePA-500FIPS 140-2 DesignationName and DescriptionRJ451Data input, control input, data output, Console portstatus outputRJ451Data input, control input, data output, Out of band managementstatus outputRJ458Data input, control input, data output, 10/100/1000 Ethernet interfacestatus output100-240 Vcc1Power inputPower interfaceLEDs6Status outputStatus indicatorsUSB1Disabled except for powerUsed in manufacturingTable 8 – PA-2000 Series FIPS 140-2 Ports and InterfacesInterfacePA-2050PA-2020FIPS 140-2 DesignationName and DescriptionRJ4511Data input, control input, dataoutput, status outputConsole portRJ4511Data input, control input, dataoutput, status outputOut of band managementSFP42Data input, control input, dataoutput, status outputEthernet optical gigabit interfaceRJ451612Data input, control input, dataoutput, status output10/100/1000 Ethernet interface100-240Vcc11Power inputPower interfaceLEDs66Status outputStatus indicatorsUSB11Disabled except for powerUsed in manufacturingTable 9 – PA-4000 Series FIPS 140-2 Ports and InterfacesInterfacePA-4060PA-4050PA-4020FIPS 140-2 DesignationName and DescriptionDB9111Data input, control input,data output, status outputConsole portRJ45111Data input, control input,Out of bandPalo Alto Networks Firewall Security PolicyPage 17 of 49
Palo Alto 20FIPS 140-2 Designationdata output, status outputName and DescriptionmanagementXFP400Data input, control input,data output, status outputEthernet optical 10gigabit interfaceSFP488Data input, control input,data output, status outputEthernet optical gigabitinterfacesRJ45222Data input, control input,data output, status output10/100/1000 HAEthernet interfaceRJ4501616Data input, control input,data output, status output10/100/1000 EthernetInterfaces100-240Vcc222Power inputPower interfaceLEDs888Status outputStatus indicatorsUSB222Disabled except for powerUsed in manufacturingPalo Alto Networks Firewall Security PolicyPage 18 of 49
Palo Alto Networks880-000018-00C5 Identification and Authentication Policy5.1Assumption of RolesThe modules support four distinct operator roles, User and Cryptographic Officer (CO), Remote AccessVPN, and Site-to-site VPN. The cryptographic modules enforce the separation of roles using uniqueauthentication credentials associated with operator accounts. The modules support concurrentoperators.The modules do not provide a maintenance role or bypass capability.Table 10 - Roles and Required Identification and AuthenticationRoleDescriptionAuthentication TypeAuthentication DataCOThis role has access to all servicesoffered by the modules. Within thePAN-OS software, this role maps to the“Superuser” administrator role.Identity-based operatorauthenticationUserThis role has limited access to servicesoffered by the modules. This role doesnot have access to modify or view thepasswords associated with otheradministrator accounts, it may not viewor alter CSPs of any type stored on themodule. Within the PAN-OS software,this role maps to the “Superuser (readonly)” administrator role (also referredto as “Superreader”).Identity-based operatorauthenticationUsername and password(optional certificate basedauthentication can be addedin addition to username andpassword)Username and password(optional certificate basedauthentication can be addedin addition to username andpassword)RemoteAccessVPN(RA VPN)Remote user accessing the network viaVPN.Identity-based operatorauthenticationSite-to-siteVPN(S-S VPN)Remote VPN device establishing aVPN session to facilitate access to thenetwork.Identity-based operatorauthenticationPalo Alto Networks Firewall Security PolicyUsername and password(optional certificate basedauthentication can be addedin addition to username andpassword)IKE/IPSec Pre-shared keys- Identification with the IPAddress and authenticationwith the Pre-Shared Key .Page 19 of 49
Palo Alto Networks880-000018-00CTable 11 – Strengths of Authentication MechanismsAuthentication MechanismStrength of MechanismUsername and PasswordMinimum length is 6 alphanumeric characters (62 possiblecharacters). The probability that a random attempt will succeedor a false acceptance will occur is 1/(626 ) which is less than1/1,000,000. The probability of successfully authenticating tothe module within one minute is 10/(626), which is less than1/100,000. The firewall’s configuration supports at most tenattempts to authenticate in a one-minute period.Certificate basedauthenticationThe security modules support certificate-based authenticationusing 2048 bit RSA keys. Such keys possess an equivalentstrength of 112 bits. The probability that a random attempt willsucceed is 1/(2112) which is less than 1/1,000,000. Theprobability of successfully authenticating to the module within aone minute period is 3,600,000/(2112), which is less than1/100,000. The firewall supports at most 60,000 new sessionsper second to authenticate in a one-minute period.IKE/IPSec pre-shared keysThe 160 bit key length supports 2160 different combinations. Theprobability of successfully authenticating to the module is1/(2160), which is less than 1/1,000,000. The number ofauthentication attempts is limited by the number of newconnections per second supported (60,000) on the fastestplatform of the Palo Alto Networks firewalls. The probability ofsuccessfully authenticating to the module within a one minuteperiod is 3,600,000/(2160), which is less than 1/100,000.Palo Alto Networks Firewall Security PolicyPage 20 of 49
Palo Alto Networks880-000018-00C6 Access Control Policy6.1Roles and ServicesTable 12 – Authenticated Service DescriptionsServiceDescriptionSecurity Configuration Configuring and managing cryptographic parameters andManagementsetting/modifying security policy, including creating User accounts andadditional CO accounts.Other ConfigurationNetworking parameter configuration, logging configuration, and other nonsecurity relevant configuration.View OtherConfigurationRead-only of non-security relevant configuration (see above).Show StatusView status via the web interface or command line interface.VPNProvide network access for remote users or site-to-site connections.Firmware updateProvides a method to update the firmware on the firewall.Table 13 – Authenticated ServicesServiceCrypto OfficerUserRA VPNS-S VPNSecurity ConfigurationManagementYNNNOther ConfigurationYNNNView Other ConfigurationYYNNShow StatusYYYYVPNNNYYFirmware updateYNNN6.2Unauthenticated ServicesThe cryptographic module supports the following unauthenticated services:Table 14 - Unauthenticated ServicesServiceDescriptionZeroizeThe device will overwrite all CSPs.Self-TestsRun power up self-tests on demand by power cycling the module.Show Status (LEDs)ZeroizeView status of the module via the LEDs.Palo Alto Networks Firewall Security PolicyPage 21 of 49
Palo Alto Networks880-000018-00CThe zeroization procedure is invoked when the operator exits FIPS mode. The procedure consists ofoverwriting configuration data including all CSPs. The operator must be in control of the moduleduring the entire procedure to ensure that it has successfully completed. During the zeroizationprocedure, no other services are available.6.3Definition of Critical Security Parameters (CSPs)The modules contain the following CSPs:Table 15 - Private Keys and CSPsCSP #Key NameTypeDescription1Web interface privatekeyRSADecrypts TLS session key and providesauthentication services (admin web interface,captive portal, SSL VPN portal)2TLS PreMaster SecretTLSSecretSecret value used to derive the TLS session keys3TLS DH PrivateComponentsDHDiffie Hellman (Group 14) 2048 bit privatecomponent used in key establishment4TLS-HMACHMACSHA-1Authentication keys used in all https connections tothe security module’s web interface.5TLS session keysAES,TDESUsed in all https connections to the securitymodule’s web interface.6SSH-Firewall private keyRSAUsed to identify the security appliance in SSH. Thesecurity modules su
Palo Alto Networks 880-000018-00C Palo Alto Networks Firewall Security Policy Page 6 of 49 1 Module Overview The Palo Alto Networks PA-500, PA-2000 Series, and PA-4000 Series firewalls (hereafter referred to as the modules) are multi-chip standalone modules that provide network security by enabling
