Security Target - Common Criteria
Contents
1. T E USE O E CONNECT O E USERS It is the responsibility of the administrator to ensure that the TOE is securely configured used and managed in their environment Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc CHAPTER 5 5 IT Security Requirements This section contains the functional requirements that are provided by the TOE These requirements consist of functional components from Part 2 of the Common Criteria CC The strength of function required for all applicable Security Functional Requirements in this TOE is basic The requirements realised by probabilistic or permutational mechanisms include FIA_UAU 2 and FIA_UID 2 5 1 Security Functional Requirements Table 2 lists the functional requirements and the security objectives each requirement helps to address All functional and assurance dependencies associated with the components in Table 2 have been satisfied Table 2 Functional Components CC Name Hierarchical To Dependency Objectives c Component Helps omponent Address FAU_GEN 1 Audit Data No Other FPT_STM 1 O FILTER Generation Components FAU_SAR 1 Audit Review No Other FAU_GEN 1 O ADMIN Components FAU_SAR 2 Restricted No Other FAU_SAR 1 O ADMIN Audit Review Components FAU_STG 1 Protected Audit No Other FAU_GEN 1 O ADMIN Trail Storage Components FAU_STG 3 Action in Case No Other FAU_STG 1 O ADMIN of Possible Components Audit Data Loss F2. AVA_VLA 1 1C The documentation shall show for all identified vulnerabilities that the vulnerability cannot be exploited in the intended environment for the TOE Evaluator Action Elements AVA_VLA 1 1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence Marconi Corporation plc 29 30 F2 0504 007 Marconi SA 400 Security Target v2 doc AVA_VLA 1 2E The evaluator shall conduct penetration testing building on the developer vulnerability analysis to ensure obvious vulnerabilities have been addressed 5 3 Security Requirements for the IT Environment There are no security requirements on the IT environment Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc CHAPTER 6 6 TOE Summary Specification 6 1 TOE Security Functions The major functions implemented by the TOE are A B C D Main Extraction Process FIP The Main extraction process buffers incoming cells that are entering the firewall Inside or Outside port It buffers the data until a complete packet is assembled While buffering it extracts the header information revealing ATM VP VC and PTI fields It sends cells to the Call Set up process the PVC process or the SVC process Call Set up Process FIP FCP The Call Set up process sends ATM signaling message cells to the firewall output port either Inside or Outside and to the FCP call set up pr
3. Component Documentation Satisfying Component Rationale ADV_RCR 1 Marconi SA 400 Firewall Version 1 3 Security Target Revision 8 September 16 2003 SA 400 High Level Design Document with Security Functional Specifications Revision 2 3 July 10 2003 SA 400 Common Criteria Certification Correspondence Mapping Revision 3 5 November 5 2003 This document contains the correspondence mapping between the TOE Summary Specification Functional Specification and High Level Design documentation AGD_ADM 1 Marconi SA 400 Security Firewall User s Manual Software Version 1 3 0 Issue D April 16 2004 Marconi SA 400 Security Target Version 1 3 Revision 8 September 16 2003 Marconi SA 400 High Level Design Document with Security Functional Specifications Revision 2 3 July 10 2003 This documentation describes the responsibilities for the administrator of the TOE AGD_USR 1 Marconi SA 400 Security Firewall User s Manual Software Version 1 3 0 Issue D April 16 2004 Marconi SA 400 Security Target Version 1 3 Revision 8 September 16 2003 This documentation provides guidance to non administrative users of the TOE ATE_COV 1 Marconi SA 400 Security Target Revision 8 September 16 2003 Marconi SA 400 QA Test Procedures for Release 1 3 Revision 1 7 February 4 2004 SA 400 High Level Design Marconi Corporation plc This documentation describes the sc
4. Security Roles No Other FIA_UID 1 O ADMIN Components FPT_RVM 1 Non No Other None O ADMIN Bypassability of Components the TSP Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc CC Name Hierarchical To Dependency Objectives Component Helps Component Address FPT_SEP 1 TSF Domain No Other None O ADMIN Separation Components FPT_STM 1 Reliable Time No Other None O ADMIN Stamps Components O FILTER FTA_SSL 1 TSF Initiated No Other FIA_UAU 1 O ADMIN Session Components Locking FTA_TSE 1 TOE Session No Other None O ADMIN Establishment Components The functional requirements that appear in Table 2 are described in more detail in the following subsections Additionally these requirements are derived verbatim from Part 2 of the Common Criteria for Information Technology Security Evaluation Version 2 1 with the exception of italicised items listed in brackets These bracketed items include either assignments that are TOE specific or selections from the Common Criteria that the TOE enforces 5 1 1 Security Audit FAU 5 1 1 1 FAU_GEN 1 Audit Data Generation Hierarchical to No other components FAU_GEN 1 1 The TSF shall be able to generate an audit record of the following auditable events A Start up and shutdown of the audit functions B All auditable events for the not specified level of audit and C events as defined for the following 1 System Log system initialisation har
5. configure the firewall filtering rules FMT_SMR 1 GUI Rule Management The GUI Rule Management Process Process Administrator Administrator Management and Management Identification Identification Authorisation Access Authorisation Access Process functions implement the Process FMT_SMR 1 Functional Requirement by maintaining and associating users to the administrator role FPT_RVM 1 GUI Rule Management The GUI Rule Management Process Process Administrator Administrator Management and Main Management and Main Extraction Process FIP functions Extraction Process FIP implement the FPT_RVM 1 Functional Requirement by ensuring TSP enforcement functions are invoked and succeeded before each function within the TSC is allowed to proceed FPT_SEP 1 GUI Rule Management The GUI Rule Management Process Process Administrator Administrator Management and Main Management and Main Extraction Process FIP functions Extraction Process FIP implement the FPT_SEP 1 Functional Requirement by maintaining a security domain for TSF execution to provide protection from interference from untrusted subjects FPT_STM 1 Auditing Process The Auditing Process and Administrator Management Administrator Management functions implement the FPT_STM 1 Functional Requirement by providing timestamps for its own use FTA_SSL 1 Identification Authorisation The Identification Authorisation Access Process Access Process function imple
6. to the administrator Dependencies FDP_ACC 1 Subset Access Control or FDP_IFC 1 Subset Information Flow Control FMT_SMR 1 Security Roles and FMT_SMF 1 Management of Security Functions Rationale The administrator is the only role recognised by the TOE Attributes managed through the serial Command Line Interface include the Login ID Password and IP address for administrator and clock settings acquired by the real time clock Attributes managed through the web interface 10 100 Ethernet include applying filtering rules to allow or deny network traffic session idle time before re identification and re authentication is required 5 1 4 3 FMT_MSA 3 Static Attribute Initialisation Hierarchical to No other components FMT_MSA 3 1 The TSF shall enforce the Firewall Filtering Flow Control Policy to provide restrictive default values for security attributes that are used to enforce the SFP FMT_MSA 3 2 The TSF shall allow the the administrator to specify alternative initial values to override the default values when an object or information is created Dependencies FMT_MSA 1 Management of Security Attributes FMT_SMR 1 Security Roles Rationale Default values are set to explicitly deny all information flows without administrator modification of the filtering rules The default value for session idle time before re authentication is required is set at 180 seconds The administrator can specify an alternative value between 30 36
7. 2 2 FDP IFF Simple Security des ii 15 5 1 3 Identification and Authentication FIA iii 17 5 1 3 1 FIA_ATD 1 User Attribute Definition ccccceessssececececeeeesensseeeeeeeens 17 2004 Marconi Communications v F2 0504 007 Marconi SA 400 Security Target v2 doc 5 1 3 2 FIA_UAU 2 User Authentication Before any Action n 17 5 1 3 3 FIA_UAU 6 Re Authenticating rara erre 17 5 1 3 4 FIA_UAU 7 Protected Authentication Feedback i 18 5 1 3 5 FIA_UID 2 User Identification Before any Action i 18 5 1 3 6 FIA_USB 1 o AAA delle lean 18 5 1 4 Security Management FMT Vacacional arancel ras 18 5 1 4 1 FMT_MOF 1 Management of Security Functions Behaviour 18 5 1 4 2 FMT_MSA 1 Management of Security Attributes i 19 5 1 4 3 FMT_MSA 3 Static Attribute Initialisation ii 19 5 1 4 4 FMT_MTD 1 Management of TSF Data ii 20 5 1 4 5 FMT_MTD 2 Management of Limits on TSF Data i 20 5 1 4 6 FMT_SMF 1 Specification of Management Function i 20 SAT EMT SMR Security Roles etero ante o rai 20 3 1 3 Protection of the TSE CRP lA nei alan ia 21 5 1 5 1 FPT_RVM 1 Non Bypassability of the TSP aweza 21 5 1 5 2 FPT_SEP 1 TSF Domain Separa a it Es 21 5 1 5 3 FPT_STM 1 Reliable Time Stamps td 21 SAO TOE ACCESS ELA ii AAA OS AS a 21 5 1 6 1 FTA_SSL 1 TSF Initiate
8. 30 3600 seconds default is 180 seconds if inactivity on the serial interface by Marconi Corporation plc 21 22 F2 0504 007 Marconi SA 400 Security Target v2 doc A clearing or overwriting display devices making the current contents unreadable B disabling any activity of the user s data access display devices other than unlocking the session FTA_SSL 1 2 The TSF shall require the following events to occur prior to unlocking the session re authentication Dependencies FIA_UAU 1 Timing of Authentication Rationale After the administrator has been locked out after a period of inactivity re authentication is required 5 1 6 2 FTA_TSE 1 TOE Session Establishment Hierarchical to No other components FTA_TSE 1 1 The TSF shall be able to deny session establishment based on invalid username password or IP address Dependencies No dependencies Rationale For a user to initiate a session with the TOE they must first have a record in the TSF that defines their username password and IP permissions If any of these items do not match what is stored in the TSF then TOE session establishment will not be allowed 5 2 TOE Security Assurance Requirements The assurance components for the TOE are summarised in Table 4 Table 4 Assurance Components Assurance Class Component ID Component Title Configuration Management ACM_CAP 2 Configuration Items Delivery and Operation ADO_DEL 1 Del
9. Addressed by the TOE Environment T E USE The TOE may be inadvertently configured used and administered in an insecure manner by either authorised or unauthorised users 3 4 Organisational Security Policies There are no organisational security policies required for the TOE Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc CHAPTER 4 4 Security Objectives 4 1 Security Objectives for the TOE All of the objectives listed in this section ensure that all of the security threats listed in Chapter 3 have been countered The security objectives O for the SA 400 Firewall are O FILTER The TSF will enforce defined filtering rules to allow or deny network traffic to pass through the TOE O ADMIN The TOE will allow the administrator the capability to securely manage the TOE TSF data 4 2 Security Objectives for the IT Environment O E CONNECT Users shall ensure that the TOE is located in a physically controlled environment that mitigates unauthorised tampering O E USERS Users of the TOE shall be trained and are trusted to enforce the security aspects of the TOE relevant to them 4 3 Security Objectives Rationale Table 1 demonstrates the correspondence between the security objectives listed in Sections 4 1 and 4 2 to the assumptions identified in Section 3 2 Table 1 Correspondence Between Assumptions Threats and Policies to Objectives Table Legend A Assumption P Policy T Th
10. Data Generation Rationale The TOE does not permit the deletion of events from the audit logs Once the logs have reached their storage capacity the oldest records are overwritten with the most recent events 5 1 1 5 FAU_STG 3 Action in Case of Possible Audit Data Loss Hierarchical to No other components FAU_STG 3 1 The TSF shall take overwrite the oldest audit records if the audit trail exceeds the defined limits as follows A System Log 100 files 1 2MB limit per file B Web Interface Log 100 files 1 2MB limit per file C Monitor Log 100 files 2MB limit per file D Disallowed Packets Log 100 files 2MB limit per file E Open Connections Log dynamic 2MB total Dependencies FAU_STG 1 Protected Audit Trail Storage Rationale If the System Log Web Interface Log Monitor Log and Disallowed Packets Log grow beyond their defined limits the oldest logs will be over written with the most recent The Open Connections Log is dynamic and is limited to 2MB 5 1 2 User Data Protection 5 1 2 1 FDP_IFC 1 Subset Information Flow Control Hierarchical to No other components FDP_IFC 1 1 The TSF shall enforce the Firewall Filtering Flow Control Policy on source subject TOE interface on which information is received destination subject TOE interface on which information is destined information data types UNI SPANS PVC IP to explicitly allow or deny access based upon data type attributes VPI VCI source port and
11. Forward for IP Filtering Dest NSAPAddress Allow Deny Forward for IP Filtering Direction Incoming Outgoing Both SPANS Filtering Src Address Allow Deny Forward for IP Filtering Src SAP Allow Deny Forward for IP Filtering Dest Address Allow Deny Forward for IP Filtering Dest SAP Allow Deny Forward for IP Filtering Direction Incoming Outgoing Both PVC Filtering VPI Allow Deny Forward for IP Filtering VCI Allow Deny Forward for IP Filtering Direction Incoming Outgoing Both IP Filtering Src Address Allow Deny Monitor Src Port Allow Deny Monitor Dest Port Allow Deny Monitor Dest Address Allow Deny Monitor Protocol Allow Deny Monitor Direction Incoming Outgoing Both FDP_IFF 1 3 The TSF shall enforce the no additional rules FDP_IFF 1 4 The TSF shall provide the following no additional rules FDP_IFF 1 5 The TSF shall explicitly authorise an information flow based upon the following rules no additional rules FDP_IFF 1 6 The TSF shall explicitly deny an information flow based upon the following rules all information flows are denied unless explicitly authorised rules have been defined in accordance with the Firewall Filtering Flow Control Policy Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc Dependencies FDP_IFC 1 Subset Information Flow Control FMT_MSA 3 Static Attribute Initialisation Rationale Authorized users of the SA 400 may configure filtering r
12. Policy to the administrator FMT_MSA 3 GUI Rule Management Process Administrator Management The GUI Rule Management Process and Administrator Management functions implement the FMT_MSA 3 Functional Requirement by providing default values for security attributes and allowing alternative values to be specified by the administrator FMT_MTD 1 FMT_MTD 2 GUI Rule Management Process Administrator Management GUI Rule Management Process Administrator Management The GUI Rule Management Process and Administrator Management functions implement the FMT_MTD 1 Functional Requirement by restricting the ability to manage all TSF data to the administrator The GUI Rule Management Process and Administrator Management functions implement the FMT_MTD 2 Functional Requirement by restricting the management of limits on TSF data to the administrator FMT_SMF 1 1 Administrator Management Administrator Management function implements the FMT_SMF 1 1 Functional Requirement by providing the administrative functions to configure the GUI management capabilities for the administrator 36 Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc Functional Functions Rationale Requirement FMT_SMF 1 GUI Rule Management GUI Rule Management Process 2 Process implements the FMT_SMF 1 2 Functional Requirement by providing the administrative functions to
13. TSF shall provide only the number of characters marked as asterisks typed for the Password to the user while the authentication is in progress Dependencies FIA_UAU 1 Timing of Authentication Rationale When a user logs onto the TOE through the serial interface for command line access or the web interface 10 100 Ethernet the characters entered for the Login are displayed while characters entered for the password are masked with asterisks to represent keystrokes 5 1 3 5 FIA_UID 2 User Identification Before any Action Hierarchical to FIA_UID 1 Timing of Identification FIA_UID 2 1 The TSF shall require each user to identify itself before allowing any other TSF mediated actions on behalf of that user Dependencies No dependencies Rationale The TSF requires all users to be identified and authenticated through the web interface Ethernet and serial interface for command line access prior to allowing any other TSF mediated actions on behalf of that user The Strength of Function claim for this probabilistic permutational mechanism is rated as basic 5 1 3 6 FIA_USB 1 User Subject Binding Hierarchical to No other components FIA_USB 1 1 The TSF shall associate the appropriate user security attributes with subjects acting on behalf of that user Dependencies FIA_ATD 1 User Attribute Definition Rationale After a user has been successfully identified and authenticated the TSF uses the appropriate user security
14. Target v2 doc Developer Action Elements AGD_USR 1 1D The developer shall provide user guidance Content and Presentation of Action Elements AGD_USR 1 1C The user guidance shall describe the functions and interfaces available to the non administrative users of the TOE AGD_USR 1 2C The user guidance shall describe the use of user accessible security functions provided by the TOE AGD_USR 1 3C The user guidance shall contain warnings about user accessible functions and privileges that should be controlled in a secure processing environment AGD_USR 1 4C The user guidance shall clearly present all user responsibilities necessary for secure operation of the TOE including those related to assumptions regarding user behaviour found in the statement of TOE security environment AGD_USR 1 5C User guidance shall be consistent with all other documentation supplied for evaluation AGD_USR 1 6C The user guidance shall describe all security requirements for the IT environment that are relevant to the user Evaluator Action Elements AGD_USR 1 1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence 5 2 5 Tests ATE 5 2 5 1 ATE_COV 1 Evidence of Coverage Dependencies ADV_FSP 1 Informal Functional Specification ATE_FUN 1 Functional Testing Developer Action Elements ATE_COV 1 1D The developer shall provide evidence of the test coverage Content and Presentation of
15. address destination port and destination address protocol Application Note In a firewall the central issue is that there are two subjects the sender of the packet information and the receiver of the packet neither of which are under the control of the TOE In order to use the FDP_IF requirements the potential set of subjects is associated with a firewall interface Dependencies FDP_IFF 1 Simple Security Attributes Rationale The SA 400 implements a structured flow of control of information between a subject and the Access Control List ACL on the H W PCI Firewall card The security policy processing is accomplished with interaction between the FCP Driver and FIP 5 1 2 2 FDP_IFF 1 Simple Security Attributes Hierarchical to No other components Marconi Corporation plc 15 16 F2 0504 007 Marconi SA 400 Security Target v2 doc FDP_IFF 1 1 The TSF shall enforce the Firewall Filtering Flow Control Policy based on the following types of subject and information security attributes subjects information and attributes as defined in Table 3 FDP_IFF 1 2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold subject rules on operations as defined in Table 3 Table 3 Information Attributes and Operations Information Attributes Operations UNI Filtering Src NSAP Address Allow Deny
16. administrator to have access to the CLI and Web interface Administrator Management The SA 400 shall be managed by a serial interface for configuration setting IP address allowable GUI users SSL configuration selecting speed of the OC 12 card Inactivity timeout period diagnostics system shutdown SYSLOG and an Ethernet interface for configuring the security functions and associated attributes Before being able to manage the Firewall the user must be authorised through the identification authorisation process Ultimately the administrator must verify that the rules they assign establish are correct for their network security policy For detailed information on managing specific policies configurations etc refer to the SA 400 User s Manual Table 5 Security Functional Requirements to Functions Mapping Functional Functions Rationale Requirement FAU_GEN 1 Auditing Process The Auditing Process function implements the FAU_GEN 1 Functional Requirement by collecting and generating records for auditable events Marconi Corporation plc 33 34 F2 0504 007 Marconi SA 400 Security Target v2 doc Functional Requirement Functions Rationale FAU_SAR 1 Auditing Process The Auditing Process function implements the FAU_SAR 1 Functional Requirement by allowing the administrator the capability to review all audit event records FAU_SAR 2 Auditing Process The Auditing Process f
17. attributes with processes on the TOE that are acting on behalf of the user 5 1 4 Security Management FMT 5 1 4 1 FMT_MOF 1 Management of Security Functions Behaviour Hierarchical to No other components FMT_MOF 1 1 The TSF shall restrict the ability to disable enable modify the behaviour of the functions all functions covered by the Firewall Filtering Flow Control Policy to allow or deny an information flow to the administrator Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc Dependencies FMT_SMR 1 Security Roles and FMT_SMF 1 Management of Security Functions Rationale The administrator is the only role recognised by the TOE The functions managed through the serial Command Line Interface are limited to configuring the TOE to allow for administrator credential definitions and setting the system clock The functions managed through the web interface 10 100 Ethernet include starting stopping the firewall viewing modifying rules viewing log files and control of the firewall functions available on the navigation page and sub menus 5 1 4 2 FMT_MSA 1 Management of Security Attributes Hierarchical to No other components FMT_MSA 1 1 The TSF shall enforce the Firewall Filtering Flow Control Policy to restrict the ability to change default query modify delete the security attributes all attributes covered by the Firewall Filtering Flow Control Policy to allow or deny an information flow
18. threats or policies that apply to the environment the initial character is followed by a period and then an E For example T E USE is a threat to be countered by the security environment to ensure proper configuration and administration of the TOE 3 2 Assumptions The specific conditions listed in the following subsections are assumed to exist in the TOE environment These assumptions include both practical realities in the development of the TOE security requirements and the essential environmental conditions on the use of the TOE 3 2 1 Personnel Assumptions A USERS Users of the TOE shall be trained and are trusted to enforce the security aspects of the TOE relevant to them 3 2 2 Physical Assumptions A LOCATE The TOE shall be located in a secure facility that mitigates unauthorised physical access 3 3 Threats 3 3 1 Threats Addressed by the TOE T DIRECT An unauthorised user may attempt to bypass the security of the TOE so as to access and use security functions and or non security functions of the TOE T REPLAY An unauthorised user may use valid identification and authentication data obtained to access functions provided by the TOE T BYPASS An unauthorised user may attempt to bypass the information flow control policy T DATA An unauthorised user may read modify or destroy security critical TOE configuration data Marconi Corporation plc 7 F2 0504 007 Marconi SA 400 Security Target v2 doc 3 3 2 Threats
19. 00 seconds of inactivity Marconi Corporation plc 19 20 F2 0504 007 Marconi SA 400 Security Target v2 doc 5 1 4 4 FMT_MTD 1 Management of TSF Data Hierarchical to No other components FMT_MTD 1 1 The TSF shall restrict the ability to change_default query modify delete clear the functions and attributes covered by the Firewall Filtering Flow Control Policy to the administrator Dependencies FMT_SMR 1 Security Roles and FMT_SMF 1 Management of Security Functions Rationale The administrator manages all TSF data identified in the Firewall Filtering Flow Control Policy 5 1 4 5 FMT_MTD 2 Management of Limits on TSF Data Hierarchical to No other components FMT_MTD 2 1 The TSF shall restrict the specification of the limits for ZP active rules 500 maximum ATM active rules SOO maximum and audit data to the administrator FMT_MTD 2 2 The TSF shall take the following actions if the TSF data are at or exceed the indicated limits JP rules save additional rules in an inactive state ATM rules save additional rules in an inactive state and audit data overwrite the oldest audit records Dependencies FMT_MTD 1 Management of TSF Data FMT_SMR 1 Security Roles Rationale The administrator can create a maximum of 64 000 IP rules and 128 000 ATM rules however only 500 rules for each can be active at any given time 5 1 4 6 FMT_SMF 1 Specification of Management Function Hierarchical to No other compo
20. 001 Procedure for the Control of Unreleased Product Rev C 08 2000 Engineering Change Notice ECN Data Entry Work Instruction Rev B 06 23 2000 Engineering Change Notice Procedure Rev H 06 21 2000 Product Configuration Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc Assurance Component Documentation Satisfying Component Rationale Management System Help Rev H 12 19 2001 New Product Release ECN Requirements Checklist Rev A 12 19 2001 Released Product Change ECN Requirements Checklist Rev A 12 19 2001 Product Deviation Requirements Checklist Rev B 12 19 2001 Bill of Materials Import Management System 06 24 2002 Bill of Material Structure Report Rev B 06 24 2002 Class Code Matrix 06 26 2002 ADO_DEL 1 Marconi Document PRST 4150 001 Handling Storage Preservation and Delivery of Products Revision C 01 23 2002 Marconi SA 400 Security Firewall User s Manual Software Version 1 3 0 Issue D April 16 2004 SA 400 Security Firewall Quickstart Guide Revision C 07 02 2002 Marconi SA 400 Security Target Revision 8 09 16 2003 This documentation describes the TOE delivery procedures used by the developer ADO_IGS 1 Marconi SA 400 Security Firewall User s Manual Software Version 1 3 0 Issue This documentation provides installation generation and configuration instructions for
21. DP_IFC 1 Subset No Other FDP_IFF 1 O FILTER Information Components Flow Control FDP_IFF 1 Simple Security No Other FDP_IFC 1 O ADMIN Attributes Components FMT_MSA 3 FIA_ATD 1 User Attribute No Other None O ADMIN Definition Components FIA UAU 2 User FIA_UAU 1 FIA_UID 1 O ADMIN Authentication Before any Action Marconi Corporation plc 11 12 F2 0504 007 Marconi SA 400 Security Target v2 doc CC Name Hierarchical To Dependency Objectives Component Helps Component Address FIA UAU 6 Re No Other None O ADMIN Authenticating Components FIA_UAU 7 Protected No Other FIA_UAU 1 O ADMIN Authentication Components Feedback FIA_UID 2 User FIA_UID 1 None O ADMIN Identification Before any Action FIA_USB 1 User Subject No Other FIA_ATD 1 O ADMIN Binding Components FMT_MOF 1 Management of No Other FMT_SMR I O ADMIN Security Components EMT_SME 1 O FILTER Functions Behaviour FMT_MSA 1 Management of No Other FDP_ACC 1 O ADMIN i Components or O FILTER ttributes FDP_IFC 1 FMT_SMR 1 FMT_SMF 1 FMT_MSA 3 Static Attribute No Other FMT_MSA 1 O ADMIN Initialisation Components FMT_SMR 1 O FILTER FMT_MTD 1 Management of No Other FMT_SMR 1 O ADMIN TSF Data Components FMT_SMF 1 O FILTER FMT_MTD 2 Management of No Other FMT_MTD 1 OADMIN Limits on TSF Components FMT_SMR 1 O FILTER Data FMT_SMF 1 Specification of No Other O ADMIN Management Components O FILTER Functions FMT_SMR 1
22. Evidence Elements ATE_COV 1 1C The evidence of the test coverage shall show the correspondence between the tests identified in the test documentation and the TSF as described in the functional specification Evaluator Action Elements ATE_COV 1 1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence 5 2 5 2 ATE_FUN 1 Functional Testing Dependencies No dependencies Developer Action Elements ATE_FUN 1 1D The developer shall test the TSF and document the results Marconi Corporation plc 27 28 F2 0504 007 Marconi SA 400 Security Target v2 doc ATE_FUN 1 2D The developer shall provide test documentation Content and Presentation of Evidence Elements ATE_FUN 1 1C The test documentation shall consist of test plans test procedure descriptions expected test results and actual test results ATE_FUN 1 2C The tests plans shall identify the security functions to be tested and describe the goal of the tests to be performed ATE_FUN 1 3C The test procedure descriptions shall identify the tests to be performed and describe the scenarios for testing each security function These scenarios shall include any ordering dependencies on the results of other tests ATE_FUN 1 4C The expected tests results shall show the anticipated outputs from a successful execution of the tests ATE_FUN 1 5C The test results from the developer execution of the tests shall demonstrate
23. F2 0504 007 Marconi SA 400 Security Target v2 doc Marconi Marconi SA 400 Firewall Version 1 3 Security Target May 27 2004 Document No F2 0504 007 May 2004 Copyright Marconi Communications Inc All rights reserved The information contained herein is confidential and the property of Marconi Communications Inc and is supplied without liability for errors or omissions No part of this document may be reproduced disclosed or used except as authorized by contract or other written permission The copyright and the foregoing restriction on reproduction and use extend to all media in which the information may be embodied Marconi the Marconi logo and the Marconi Federal logo are trademarks of Marconi Corporation plc SA 400 is a trademark of Marconi Communications Inc All other foregoing trademarks are the property of their respective owners F2 0504 007 Marconi SA 400 Security Target v2 doc Prepared for Marconi Communications Federal Inc 5457 Twin Knolls Road Suite 101 Columbia Maryland 21045 Phone 410 884 5648 Fax 410 884 5600 Prepared By COACT Inc Rivers Ninety Five 9140 Guilford Road Suite G Columbia MD 21046 2587 Phone 301 498 0150 Fax 301 498 0855 Marconi and COACT Inc assume no liability for any errors or omissions that may appear in this document il 2004 Marconi Communications F2 0504 007 Marconi SA 400 Security Target v2 doc DOCUMENT INTRODUCTION This document provides the basis fo
24. IP Process is a second level filtering function that is called by either the PVC or SVC function when the attribute of IP is selected in the rules In the firewall s dynamic state once a flow has passed the ATM filtering of PVC SVC and has its configuration bits set to IP it gets subjected to the filtering attributes of the IP module which are Source address Destination address Source port Destination port Protocol and Action The IP settings are common to all PVC and SVC flows that have IP selected as an Action For example it isn t possible to subject PVC 0 100 and PVC 0 200 with separate IP rules If any of the PVCs or SVCs has their Action set to IP the same IP rules apply to all PVCs or SVCs When the firewall is in the static state the IP function communicates with the GUI during rule configuration described in Management Changes to rules do not take affect until the firewall is Stopped Started or Restarted Monitor Process When the attribute of Monitor is selected in the IP rules the Monitor Process is executed The purpose of the monitor function is to force designated ATM flows to create an entry into a Monitor Log for surveillance purposes Since each flow is being processed and monitored in S W this causes noticeable delays to the monitored flows GUI Rule Management Process All of the processes listed above PVC SVC IP and Monitor have interfaces with the GUI process The administrator is able to sele
25. a number of sub systems including hardware software and firmware At the highest level the SA 400 appears as an industrial PC chassis in a standard 19 rack mount configuration At this level externally visible interfaces are evident These interfaces are the A C Power Entry Module a 9 pin Serial Port a standard 10 100 Ethernet port and OC 12 Multi mode fiber optic Inside and Outside network ports Moving in or down a level reveals redundant power supplies a PC Motherboard an IDE Hard Drive and Firewall PCI card that occupies slot 1 The Firewall PCI card communicates to the Software sub system via the 32 bit 33 MHz PCI Bus PCI slot 1 is set up as the bus master A dedicated software driver is used by the Software sub system to communicate to the card Flows from the Inside or Outside port that are registered in the FPGA on the PCI card are processed at line rates Flows that are not registered in hardware on the PCI card must be sent to the software via the PCI interface The two major systems that enforce the security policy on the unit are the Firewall Inline Processor FIP which resides in the FPGA on the PCI line card and the Firewall Control Processor FCP which is part of the SA 400 software application which resides on the local hard drive The figures below identify the TOE architecture Figure 1 SA 400 Physical Boundary Inside Network Power Light 79 Outside Networ Reset Power Switch Management Ethe
26. ade cao eed yaks saa E kwaka kazia 5 2 4 TOE Features Outside the Scope of the Evaluated Configuration 5 3 SECURITY ENVIRONMENT ssssssseseeeeeeeeeeeeeeececeeeeece 7 3 1 UU A AAA AAA ao 7 I2ASSUMPIOIS ii AN ANA 7 3 21 Personnel ASS PIO A aiii 7 3 2 2 Physical Assumptions siii EE E aa S S 7 ANTE AS ee a ON OE RPE oc PEED AEP Pe A feb re aL 7 3 3 1 Threats Address d bythe TOE y tales a ii 7 3 3 2 Threats Addressed by the TOE Environment nono ncnoncnnnnnnnnnnns 8 3 4 Organisational Security Poli ti lai 8 4 SECURITY OBJECTIVES nina ace 9 4 1 Security Objectives for the TOR cu oi ritirate 9 4 2 Security Objectives for the IT Environment viii dada 9 4 3 Security Objechves Rattonale arca iolanda 9 5 TE SECURITY REQUIREMENTS sesciiscscscscnccsteticetiedesavcsdavooncdedevacqesasscccoeseboscodapeasees 11 5 1 Security Functional Requirements ilo ola 11 SISSA Audit FAU AAA AAA UA 13 5 1 1 1 FAU_GEN 1 Audit Data Generation 13 5 1 1 2 FAU_SAR 1 Audit Review i 14 5 1 1 3 FAU_SAR 2 Restricted Audit RevieW 14 5 1 1 4 FAU_STG 1 Protected Audit Trail Storage ii 14 5 1 1 5 FAU_STG 3 Action in Case of Possible Audit Data Loss 15 91 2 User Data Protection ii e AA EE T E dE 15 5 1 2 1 FDP_IFC 1 Subset Information Flow Control 15 5 1
27. allowed to proceed Dependencies No dependencies Rationale The TSF is enforced under its own domain All functions are loaded prior to processing operations as defined in the Firewall Filtering Flow Control Policy 5 1 5 2 FPT_SEP 1 TSF Domain Separation Hierarchical to No other components FPT_SEP 1 1 The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects FPT_SEP 1 2 The TSF shall enforce separation between the security domains of subjects in the TSC Dependencies No dependencies Rationale TSF data is stored within the TOE on a hard drive and Firewall Inline Processor FIP chip located on the firewall PCI card TSF data is protected during transmission between these two parts of the TOE through a management channel User data is filtered on a separate channel During filtering if user data traffic violates the TSP rules then the event is copied to the audit logs and the traffic flow is denied 5 1 5 3 FPT_STM 1 Reliable Time Stamps Hierarchical to No other components FPT_STM 1 1 The TSF shall be able to provide reliable time stamps for its own use Dependencies No dependencies Rationale The Real Time Clock on the motherboard is used for the generation of time stamps 5 1 6 TOE Access FTA 5 1 6 1 FTA_SSL 1 TSF Initiated Session Locking Hierarchical to No other components FTA_SSL 1 1 The TSF shall lock an interactive session after
28. cess Process function implements the FIA_UAU 7 Functional Requirement by displaying the number of characters typed marked with asterisks to the user during authentication The Identification Authorisation Access Process function implements the FIA_UID 2 Functional Requirement by requiring each user to be identified and authenticated prior to allowing any other TSF mediated action on behalf of the user FIA_USB 1 Identification Authorisation Access Process The Identification Authorisation Access Process implements the FIA_USB 1 Functional Requirement by using the appropriate user security attributes with processes on the TOE that are acting on behalf of the user Marconi Corporation plc 35 F2 0504 007 Marconi SA 400 Security Target v2 doc Functional Requirement Functions Rationale FMT_MOF 1 GUI Rule Management Process Administrator Management The GUI Rule Management Process and Administrator Management functions implement the FMT_MOF 1 Functional Requirement by restricting the management of functions covered by the Firewall Filtering Flow Control Policy to the administrator FMT_MSA 1 GUI Rule Management Process Administrator Management The GUI Rule Management Process and Administrator Management functions implement the FMT_MSA 1 Functional Requirement by restricting the management of security attributes covered by the Firewall Filtering Flow Control
29. ct a Marconi Corporation plc H D J F2 0504 007 Marconi SA 400 Security Target v2 doc function such as PVC and obtain a visual display HTML format of the PVC rule data that is stored on the system hard drive For a complete description of the entire GUI s interaction with the previous processes including configurable attributes reference the SA 400 User s Manual and or other sections of this document Auditing Process The SA 400 provides auditing logging functions to record TSF security relevant events on its local hard drive The logs shall be separated into System Logs Web Interface Logs Connections Logs Monitor Log and Disallowed Connections Log An authorised user shall have the ability to review these files from the GUI on the local machine Each authorised user shall have equal access to the security functions The Log files shall be saved on a protected portion of the local hard drive and have a means to control the size and number of log files For security purposes a user cannot purge the log files The SYSLOG function along with the logrotate facility manages the log files Identification Authorisation Access Process The identification process is a sub set of the Administrator Management Process It is used to verify that the administrator has proper identification by means of login name and password before allowing interaction with the SA 400 Proper identification will allow the
30. d Session Locking ceeceeeeececeeeeeceteeeeeeeeeeneeeeees 21 5 1 6 2 FTA_TSE 1 TOE Session Establishment iii 22 5 2 TOE Security Assurance Requirements porcate ale o aa 22 5 2 1 Configuration Management ACM i 23 5 2 1 1 ACM CAP 2 Configuration Items iii 23 5 2 2 Delivery and Operation ADO usan loi 23 5 2 2 1 ADO DEL 1 Delivery Procedures iran 23 5 2 2 2 ADO_IGS 1 Installation Generation and Start Up Procedures 24 5 225 Development ADV aa lace wee td EA S 24 5 2 3 1 ADV_FSP 1 Informal Functional Specification 24 5 2 3 2 ADV_HLD 1 Descriptive High Level Design eeeeeceeceeeeeeeeeeteeeeneeeeees 25 5 2 3 3 ADV_RCR 1 Informal Correspondence Demonstration 25 5 2 4 Guidance Documents AGD i 26 5 2 4 1 AGD_ADM 1 Administrator Guidance ooonnnccnnonnccnnnnnonnnncononanononacononanononaconnnanoons 26 524 2 AGD_USR i User Guidance si ssa aitaka Eee tia eels dla 26 SZ Tests ATE clelia AA at seeks ess Ste sean ak Sevag ede Nie nah 27 22 LATE COY sl Byidence Of CONTE 27 3 2 3 2 ATE FUN Pine onal iii KA 27 5 2 5 3 ATE_IND 2 Independent Testing Sample i 28 5 2 6 Vulnerability Assessment AVA iii 29 5 2 6 1 AVA_SOF 1 Strength of TOE Security Function Evaluation 29 5 2 6 2 AVA_VLA 1 Developer Vulnerability AnalySiS 29 5 3 Security Requirements
31. ded meets all requirements for content and presentation of evidence ADV_FSP 1 2E The evaluator shall determine that the functional specification is an accurate and complete instantiation of the TOE security functional requirements 5 2 3 2 ADV_HLD 1 Descriptive High Level Design Dependencies ADV_FSP 1 Informal Functional Specification ADV_RCR 1 Informal Correspondence Demonstration Developer Action Elements ADV_HLD 1 1D The developer shall provide a high level design of the TSF Content and Presentation of Evidence Elements ADV_HLD 1 1C The presentation of the high level design shall be informal ADV_HLD 1 2C The high level design shall be internally consistent ADV_HLD 1 3C The high level design shall describe the structure of the TSF in terms of subsystems ADV_HLD 1 4C The high level design shall describe the security functionality provided by each subsystem of the TSF ADV_HLD 1 5C The high level design shall identify any underlying hardware firmware and or software required by the TSF with a presentation of the functions provided by the supporting protection mechanisms implemented in that hardware firmware or software ADV_HLD 1 6C The high level design shall identify all interfaces to the subsystems of the TSF ADV_HLD 1 7C The high level design shall identify which of the interfaces to the subsystems of the TSF are externally visible Evaluator Action Elements ADV_HLD 1 1E The evaluator shall confirm that the
32. dware PCI card detection status of firewall control processor active idle results of diagnostic tests hardware specification of PCI card link up link down status transmit and receive cell counters login for serial and Ethernet interfaces and management of TSF data 2 Web Interface Log User login identification and method of access source IP management of TSF data recording of rule modifications and maintenance 3 Monitor Log protocol including number source IP destination IP source port and destination port Marconi Corporation plc 13 14 F2 0504 007 Marconi SA 400 Security Target v2 doc 4 Disallowed Packets Log for all packets that are not allowed source IP address destination IP address protocol including number source port and destination port and 5 Open Connections Log dynamic VPI VCI source NSAP address and destination NSAP address FAU_GEN 1 2 The TSF shall record within each audit record at least the following information A Date and time of the event type of event subject identity and the outcome success or failure of the event and B For each audit event type based on the auditable event definitions of the functional components included in the PP ST none Dependencies FPT_STM 1 Reliable Time Stamps Rationale Auditing on the SA 400 is performed using a System Log Web Interface Log Monitor Log Disallowed Packets Log and an Open Connections Log dynamic These l
33. each user to be successfully authenticated before allowing any other TSF mediated actions on behalf of that user Dependencies FIA_UID 1 Timing of Identification Rationale The TSF requires all users to be identified and authenticated through the web interface Ethernet and serial interface for command line access prior to allowing any other TSF mediated actions on behalf of that user The Strength of Function claim for this probabilistic permutational mechanism is rated as basic 5 1 3 3 FIA_UAU 6 Re Authenticating Hierarchical to No other components FIA_UAU 6 1 The TSF shall re authenticate the user under the conditions 30 3600 seconds of inactivity 180 seconds default or after logging off of the TOE through the web interface 10 100 Ethernet connection Dependencies No dependencies Marconi Corporation plc 17 18 F2 0504 007 Marconi SA 400 Security Target v2 doc Rationale Once an administrator has been authenticated by the TSF through the web interface 10 100 Ethernet re authentication is required after a period of inactivity that is configurable by the administrator This period of inactivity is set at 180 seconds by default and can be modified by the administrator to a range between 30 3600 seconds In addition once the administrator has logged off of the TOE the TSF also requires re authentication 5 1 3 4 FIA_UAU 7 Protected Authentication Feedback Hierarchical to No other components FIA_UAU 7 1 The
34. eb Interface Command Line Interface Administrator Configuration 2 3 Evaluated Configuration The evaluated configuration requires A B C Local logging and storage of audit records Local timestamp generator for use in audit records Serial and Ethernet ports used to manage the TOE are connected to a LAN that contains only trusted administration systems e g only the management workstation 2 4 TOE Features Outside the Scope of the Evaluated Configuration The following features are outside the scope of the evaluated configuration of the TOE A B C D E Remote Logging and Storage of Records Network Time Protocol Server Used to generate time stamps for audit records Software Upgrades SSL Encryption Dual Redundant Hot Swappable AC Power Supply Marconi Corporation plc 5 F2 0504 007 Marconi SA 400 Security Target v2 doc Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc CHAPTER 3 3 Security Environment 3 1 Introduction This chapter identifies the following A Significant assumptions about the TOE s operational environment B IT related threats to the organisation countered by the TOE C Environmental threats requiring controls to provide sufficient protection D Organisational security policies for the TOE as appropriate Using the above listing this chapter identifies threats T organisational security policies P and assumptions A For assumptions
35. espondence Between Assumptions Threats and Policies to Objectives 9 Funenonal Componenis casella 11 Information Attributes and Operations i 16 Assurance Components 22 Security Functional Requirements to Functions Mapping 33 Assurance MAU sd a a e A RA R NS 38 2004 Marconi Communications xi F2 0504 007 Marconi SA 400 Security Target v2 doc xii 2004 Marconi Communications F2 0504 007 Marconi SA 400 Security Target v2 doc ACRONYMS LIST AAL AA AAA AA AA ATM Adaptation Layer LI KAA A SIR Asynchronous Transfer Mode CE A A oI I igs TO ea Ee Common Criteria COT EE ka Common Criteria Testing Lab WA ee ee E ee ey ea E alano Anna Evaluation Assurance Level B AAA Pe ne atei ee Firewall Control Processor Pl ae io di e io rcs Firewall Inline Processor A a a n a a aea a o a r Graphical User Interface EMB hie eh A A NEER Internet Control Message Protocol EA AA a as Integrated Drive Electronics Iberia O Internet Group Multicast Protocol MMI si RE R OTE Interim Local Management Interface UB bid ale dida AA oe A e e e E Internet Protocol A aes E Information Technology LANE alive eee Local Area Network Emulation MPOA ti aaa Multi Protocol Over ATM NN Eure Network to Network Interface NSAP ui tete a O e deli AN Network Service Access Point A A giant Peripheral Component Interconnect PNN Estacio Private Network to Network Interface A O O O EEE Protection Profile ON Permanent Virtual Connecti
36. for the IT Environment ii 30 6 TOE SUMMARY SPECIFICATION Qi cccessscosssosessscvavessossonssseceosssonsonnssnsoesssesesenscnoe es 31 6 1 TOE Security Functions siria rita 31 6 2 AssuFance Measures e a e e eil iu 38 6 3 Rationale for TOE Assurance Requirements 44 7 PROTECTION PROFILE CLAIMG cccccccossssscscccscccsseccsccsecssecsscssccssccssccsecssesees 45 vi 2004 Marconi Communications F2 0504 007 Marconi SA 400 Security Target v2 doc Tel Protection Profile Rea att AA 45 7 2 Protection Profile Refimements irreali 45 7 3 Protection Profile Additions ii rindo 45 14 Protection Profile Kadhaa o SOI Oca 45 RATIONALE Galla a ia 47 8 1 Security Objectives Rational coi 47 8 2 Security Requirements Rationale i cnc elia ia 47 8 3 TOE Summary Specification Rationale awn ane awamww 47 S 4 PP Claims Rationale tinci n 47 2004 Marconi Communications vii F2 0504 007 Marconi SA 400 Security Target v2 doc vili 2004 Marconi Communications F2 0504 007 Marconi SA 400 Security Target v2 doc TABLE OF FIGURES Figure 1 SA 400 Physical Bound 00 te serail Qa ee tes 3 Figure2 SA 400 Logical Boundary slo eee 4 2004 Marconi Communications ix F2 0504 007 Marconi SA 400 Security Target v2 doc 2004 Marconi Communications Table 1 Table 2 Table 3 Table 4 Table 5 Table 6 F2 0504 007 Marconi SA 400 Security Target v2 doc LIST OF TABLES Corr
37. information provided meets all requirements for content and presentation of evidence ADV_HLD 1 2E The evaluator shall determine that the high level design is an accurate and complete instantiation of the TOE security functional requirements 5 2 3 3 ADV_RCR 1 Informal Correspondence Demonstration Dependencies No dependencies Developer Action Elements ADV_RCR 1 1D The developer shall provide an analysis of correspondence between all adjacent pairs of TSF representations that are provided Marconi Corporation plc 25 26 F2 0504 007 Marconi SA 400 Security Target v2 doc Content and Presentation of Evidence Elements ADV_RCR 1 1C For each adjacent pair of provided TSF representations the analysis shall demonstrate that all relevant security functionality of the more abstract TSF representation is correctly and completely refined in the less abstract TSF representation Evaluator Action Elements ADV_RCR 1 1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence 5 2 4 Guidance Documents AGD 5 2 4 1 AGD_ADM 1 Administrator Guidance Dependencies ADV_FSP 1 Informal Functional Specification Developer Action Elements AGD_ADM 1 1D The developer shall provide administrator guidance addressed to system administrative personnel Content and Presentation of Evidence Elements AGD_ADM 1 1C The administrative guidance shall describe the administrative funct
38. ions and interfaces available to the administrator of the TOE AGD_ADM 1 2C The administrator guidance shall describe how to administer the TOE in a secure manner AGD_ADM 1 3C The administrator guidance shall contain warnings about functions and privileges that should be controlled in a secure processing environment AGD_ADM 1 4C The administrator guidance shall describe all assumptions regarding user behaviour that are relevant to secure operation of the TOE AGD_ADM 1 5C The administrator guidance shall describe all security parameters under the control of the administrator indicating secure values as appropriate AGD_ADM 1 6C The administrator guidance shall describe each type of security relevant event relative to the administrative functions that need to be performed including changing the security characteristics of entities under the control of the TSF AGD_ADM 1 7C The administrator guidance shall be consistent with all other documentation supplied for evaluation AGD_ADM 1 8C The administrator guidance shall describe all security requirements for the IT environment that are relative to the administrator Evaluator Action Elements AGD_ADM 1 1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence 5 2 4 2 AGD_USR 1 User Guidance Dependencies ADV_FSP 1 Informal Functional Specification Marconi Corporation plc F2 0504 007 Marconi SA 400 Security
39. iption of the functions provided by the SA 400 to satisfy the security functional and assurance requirements Chapter 7 provides a rationale for claims of conformance to a registered Protection Profile PP Chapter 8 provides rationale statements to justify the TOE meeting its claimed security objectives 1 3 Common Criteria Conformance The SA 400 Firewall is compliant with the Common Criteria Version 2 1 functional requirements Part 2 conformant and assurance requirements Part 3 conformant for EAL2 1 4 Protection Profile Conformance The SA 400 Firewall does not claim conformance to any Protection Profile Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc CHAPTER 2 2 TOE Description This section provides the context for the TOE evaluation by identifying the product type and describing the evaluated configuration 2 1 TOE Description The Target of Evaluation is the Marconi SA 400 Firewall Version 1 3 The SA 400 provides Enterprise Networks with reliable IP ATM Firewall capabilities at OC 12 line rate The appliance is managed by a web interface accessible by a 10 100 Ethernet port This allows the administrator to configure save and load filtering tables via a simplified Graphical User Interface GUI The interface also allows the administrator to start stop and reset the Firewall A log is available to review administrator and system interactions The SA 400 Firewall is comprised of
40. ivery Procedures Delivery and Operation ADO_IGS 1 Installation Generation and Start Up Procedures Development ADV_FSP 1 Informal Functional Specification Development ADV_HLD 1 Descriptive High Level Design Development ADV_RCR 1 Informal Correspondence Demonstration Guidance Documents AGD_ADM 1 Administrator Guidance Guidance Documents AGD_USR 1 User Guidance Tests ATE_COV 1 Evidence of Coverage Tests ATE_FUN 1 Functional Testing Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc Assurance Class Component ID Component Title Tests ATE_IND 2 Independent Testing Sample Vulnerability Assessment AVA_SOF 1 Strength of TOE Security Function Evaluation Vulnerability Assessment AVA_VLA 1 Developer Vulnerability Analysis The following subsections provide more detail for the assurance components listed in Table 4 5 2 1 Configuration Management ACM 5 2 1 1 ACM_CAP 2 Configuration Items Dependencies No dependencies Developer Action Elements ACM_CAP 2 1D The developer shall provide a reference for the TOE ACM_CAP 2 2D The developer shall use a CM system ACM_CAP 2 3D The developer shall provide CM documentation Content and Presentation of Evidence Elements ACM_CAP 2 1C The reference for the TOE shall be unique to each version of the TOE ACM_CAP 2 2C The TOE shall be labeled with its reference ACM_CAP 2 3C The CM documentation shall include a configurati
41. lc 45 46 F2 0504 007 Marconi SA 400 Security Target v2 doc Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc CHAPTER 8 8 Rationale 8 1 Security Objectives Rationale The rationale for the security objectives of the TOE is defined in Chapter 4 Section 4 3 Security Objectives Rationale 8 2 Security Requirements Rationale The rationale for the security requirements of the TOE is defined in two sections Rationale for the security functional requirements is given after each functional component description in Chapter 5 Section 5 1 Security Functional Requirements Rationale for the security assurance requirements is given in Chapter 6 Section 6 3 Rationale for the TOE Assurance Requirements 8 3 TOE Summary Specification Rationale The rationale for the TOE Summary Specification is defined in Chapter 6 Section 6 1 TOE Security Functions 8 4 PP Claims Rationale The rationale for the Protection Profile conformance claims is defined in Chapter 7 Section 7 4 Protection Profile Rationale Marconi Corporation plc 47 48 F2 0504 007 Marconi SA 400 Security Target v2 doc Marconi Corporation plc
42. ments the FTA_SSL 1 Functional Requirement by locking an interactive session after a period of inactivity and then requiring each user to be re authenticated Marconi Corporation plc 37 38 F2 0504 007 Marconi SA 400 Security Target v2 doc Functional Functions Rationale Requirement FTA_TSE 1 Identification Authorisation The Identification Authorisation Access Process Access Process function implements the FTA_TSE 1 Functional Requirement by denying a session establishment with the TOE based on an invalid username invalid password or invalid IP permissions 6 2 Assurance Measures The assurance measures provided by the TOE satisfy all of the assurance requirements listed in the following table which provides a reference between each TOE assurance requirement and the related vendor documentation that satisfies each requirement Assurance Component ACM_CAP 2 Table 6 Assurance Measures Documentation Satisfying Rationale Component Marconi SA 400 Firewall This documentation describes the Version 1 3 Security Target configuration management Revision 8 September 16 2003 system used for the development Product Requirements of the TOE Document PRD Rev 1 7 02 20 2002 Configuration Management Plan Rev A 05 30 2001 Control of Internal Business Process Documentation Procedure Rev A 09 2000 Control of Unreleased Product CUP Checklist Rev A 12 19 2
43. ndpoints and an ATM switch to decide upon a usable VP VC combination The VP VC values have only local significance As the connection spans multiple switches these VP VC values may change The two signaling protocols interpreted by the SA 400 are UNI and SPANS Marconi Corporation plc 31 32 E F G F2 0504 007 Marconi SA 400 Security Target v2 doc When the firewall is in the static state the SVC function communicates with the GUI during rule configuration described in Management When the firewall is in the dynamic or active state the SVC function receives cells from the Extraction Process and makes a decision based on configuration bits and rules to Allow Deny or forwards those cells to the IP module for further processing It also interacts with the Call Set up Process and Management Process to log connection information about the particular SVC that is set up or torn down UNI Signaling The SA 400 must pass through UNI 3 1 and be able to be connected between two NNI nodes The UNI filtering attributes shall include Source NSAP Address Destination NSAP Address and an Action Allow Deny or Forward for IP Filtering SPANS Signaling The SA 400 must recognise FORE IP SVC call setup information The filtering attributes shall include Source Address Source Access Point Destination Address and Destination Access Point and an Action Allow Deny or Forward for IP Filtering IP Filtering Process FIP FCP The
44. nents FMT_SMF 1 1 1 The TSF shall be capable of performing the following security management functions through the CLI interface Refinement configure IP SSL user account FCP GUI web server and log parameters perform diagnostics update software manage the system clock and shutdown or reboot the system FMT_SMF 1 1 2 The TSF shall be capable of performing the following security management functions through the GUI interface Refinement configure filtering rules upload rules view open connections display statistics start and stop the FCP and viewing logs Dependencies No dependencies Rationale There are two distinct interfaces used to access the security management functions provided by the TOE Together they provide the entirety of the security management functions 5 1 4 7 FMT_SMR 1 Security Roles Hierarchical to No other components Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc FMT_SMR 1 1 The TSF shall maintain the roles the administrator FMT_SMR 1 2 The TSF shall be able to associate users with roles Dependencies FIA_UID 1 Timing of Identification Rationale The administrator is the only role recognised by the TOE 5 1 5 Protection of the TSF FPT 5 1 5 1 FPT_RVM 1 Non Bypassability of the TSP Hierarchical to No other components FPT_RVM 1 1 The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within the TSC is
45. ocess The process consists of the FIP firmware PCI card and the FCP S W The FIP portion sends the cells to the output port while the FCP simultaneously processes the Connect Ack Release messages within the data This is done to prevent a noticeable delay in the call set up procedure between the switches The signaling protocol and this process set up a SVC between two endpoints and create a table of VC VP pairs with an associated SVC flag PVC Filtering Process FIP FCP PVCs allows a direct connection between ATM endpoints They guarantee availability of a connection and do not require a call set up procedure between ATM switches They must be configured manually and are static in nature The SA 400 is shipped with default PVC settings VP VC that are used to allow dedicated signaling messages to flow freely between ATM switches When the firewall is in the static state the PVC function communicates with the GUI during rule configuration described in Management When the firewall is in the active state the PVC function receives cells from the Extraction Process and makes a decision to Allow send to output port Deny discard or forward those cells to the IP module for further processing SVC ATM Filtering Process FIP FCP SVCs are created and released dynamically by the ATM network and remain in use as long as data is being transferred between network elements SVCs require a signaling protocol to execute between ATM e
46. ogs are stored in a protected partition on the local hard drive and are used to audit events both locally and remotely 5 1 1 2 FAU_SAR 1 Audit Review Hierarchical to No other components FAU_SAR 1 1 The TSF shall provide the administrator with the capability to read all audit information from the audit records FAU_SAR 1 2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information Dependencies FAU_GEN 1 Audit Data Generation Rationale The TOE provides the facility to review the audit records using the standard SA 400 Web Graphical User Interface on the local machine These records are individual logs stored as flat files Note that the flat files use spaces to delineate separate fields 5 1 1 3 FAU_SAR 2 Restricted Audit Review Hierarchical to No other components FAU_SAR 2 1 The TSF shall prohibit all users read access to the audit records except those users that have been granted explicit read access Dependencies FAU_SAR 1 Audit Review Rationale Only the administrator has the capability to read the audit records 5 1 1 4 FAU_STG 1 Protected Audit Trail Storage Hierarchical to No other components FAU_STG 1 1 The TSF shall protect the stored audit records from unauthorised deletion FAU_STG 1 2 The TSF shall be able to prevent modifications to the audit records Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc Dependencies FAU_GEN 1 Audit
47. on TN SPANS Service Access Point SHETE A Secure Hypertext Transfer Protocol SPANS Ces er ste alee ee eee Simple Protocol for ATM Network Signaling IO Security Target NN Switched Virtual Connection TEC a Transmission Control Protocol EEN Target of Evaluation A E as lio TOE Security Function Pcia a o TOE Security Policy NN User Datagram Protocol UND it nea AS AA User to Network Interface UREA o a KA o Uniform Resource Locator NOCE WA lora Virtual Channel Identifier NPI Giclee AA AA AA AAA Virtual Path Identifier 2004 Marconi Communications xiii F2 0504 007 Marconi SA 400 Security Target v2 doc XIV 2004 Marconi Communications F2 0504 007 Marconi SA 400 Security Target v2 doc CHAPTER 1 1 Security Target Introduction 1 1 Security Target Identification This section provides identifying information for the Marconi SA 400 Firewall Version 1 3 Security Target ST by identifying information regarding the Target of Evaluation TOE 1 1 1 Security Target Name Marconi SA 400 Firewall Version 1 3 Security Target dated May 27 2004 1 1 2 TOE Identification Marconi SA 400 Firewall Version 1 3 1 1 3 Evaluation Status This ST has been evaluated against the Common Methodology for Information Technology Security Evaluation Part 2 Version 1 0 1 1 4 Evaluation Assurance Level Functional claims conform to Part 2 of the Common Criteria Version 2 1 Assurance claims conform to EAL2 Evaluation Assurance Level 2 from Part 3 of
48. on Elements AVA_SOF 1 1D The developer shall perform a strength of TOE security function analysis for each mechanism identified in the ST as having a strength of TOE security function claim Content and Presentation of Evidence Elements AVA_SOF 1 1C For each mechanism with a strength of TOE security function claim the strength of TOE security function analysis shall show that it meets or exceeds the minimum strength level defined in the PP ST AVA_SOF 1 2C For each mechanism with a specific strength of TOE security function claim the strength of TOE security function analysis shall show that it meets or exceeds the specific strength of function metric defined in the PP ST Evaluator Action Elements AVA_SOF 1 1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence AVA_SOF 1 2E The evaluator shall confirm that the strength claims are correct 5 2 6 2 AVA_VLA 1 Developer Vulnerability Analysis Dependencies ADV_FSP 1 Informal Functional Specification ADV_HLD 1 Descriptive High Level Design AGD_ADM 1 Administrator Guidance AGD_USR 1 User Guidance Developer Action Requirements AVA_VLA 1 1D The developer shall perform and document an analysis of the TOE deliverables searching for obvious ways in which a user can violate the TSP AVA_VLA 1 2D The developer shall document the disposition of obvious vulnerabilities Content and Presentation of Evidence Elements
49. on list ACM_CAP 2 4C The configuration list shall describe the configuration items that comprise the TOE ACM_CAP 2 5C The CM documentation shall describe the method used to uniquely identify the configuration items ACM_CAP 2 6C The CM system shall uniquely identify all configuration items Evaluator Action Elements ACM_CAP 2 1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence 5 2 2 Delivery and Operation ADO 5 2 2 1 ADO_DEL 1 Delivery Procedures Dependencies No dependencies Developer Action Elements ADO_DEL 1 1D The developer shall document procedures for delivery of the TOE or parts of it to the user Marconi Corporation plc 23 24 F2 0504 007 Marconi SA 400 Security Target v2 doc ADO_DEL 1 2D The developer shall use the delivery procedures Content and Presentation of Evidence Elements ADO_DEL 1 1C The delivery documentation shall describe all procedures that are necessary to maintain security when distributing versions of the TOE to a user s site Evaluator Action Elements ADO_DEL 1 1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence 5 2 2 2 ADO_IGS 1 Installation Generation and Start Up Procedures Dependencies AGD_ADM 1 Administrator Guidance Developer Action Elements ADO_IGS 1 1D The developer shall document procedures necessary for the secure in
50. ope of testing performed by the developer against the security features provided by the TOE 41 F2 0504 007 Marconi SA 400 Security Target v2 doc Assurance Component Documentation Satisfying Component Rationale Document with Security Functional Specifications Revision 2 3 July 10 2003 SA 400 Test Coverage Revision 1 2 2 11 04 ATE_FUN 1 Marconi SA 400 Security Target Revision 8 September 16 2003 Marconi SA 400 QA Test Procedures for release 1 3 Revision 1 7 2 4 04 Marconi Test Coverage Revision 1 2 SA 400 High Level Design Document with Security Functional Specifications Rev 2 3 July 10 2003 Marconi SA 400 Security Firewall User s Manual Software Version 1 3 0 Issue D April 16 2004 SA 400 Product Requirements Document PRD Rev 1 7 February 20 2002 SA 400 Test Results xls 6 14 02 This documentation describes the test procedures performed by the developer ATE_IND 2 Marconi SA 400 Security Target Revision 8 September 16 2003 SA 400 High Level Design Document with Security Functional Specifications Revision 2 3 July 10 2003 SA 400 Security Firewall User s Manual Software Version 1 3 0 Issue D April 16 2004 SA 400 Installation Guide This documentation describes the test procedures performed by the developer The Laboratory will then perform independent testing of the TOE security features 42 Marconi C
51. orporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc Assurance Component Documentation Satisfying Component Rationale Evaluated Configuration for Common Criteria Certification CCC Revision 1 0 06 03 2002 Marconi SA 400 QA Test Procedures for Release 1 3 Revision 1 7 Feb 4 2004 Evaluation Team Test Coverage Analysis of the Marconi Firewall v1 3 March 21 2003 Marconi SA 400 Firewall TOE AVA_SOF 1 SA 400 Common Criteria Certification Strength of Function Revision 1 4 March 17 2004 Marconi SA 400 Security Target Revision 8 September 16 2003 SA 400 High Level Design with Security Functional Specifications Revision 2 3 July 10 2003 Marconi SA 400 Security Firewall User s Manual Software Version 1 3 0 Issue D April 16 2004 This document describes the strength of function claim for the identification and authentication functions of the TOE AVA_VLA 1 Marconi SA 400 Security Target Version 1 3 Revision 8 September 16 2003 SA 400 Security Firewall User s Manual Issue D April 16 2004 SA 400 Common Criteria Certification Developer Vulnerability Analysis Revision 1 3 March 1 2004 This document describes the vulnerability analysis and penetration testing performed by the developer Marconi Corporation plc 43 44 F2 0504 007 Marconi SA 400 Security Target v2 doc 6 3 Rationale for TOE Assurance Requi
52. r an evaluation of a specific Target of Evaluation TOE the Marconi SA 400 Firewall Version 1 3 This Security Target ST defines a set of assumptions about the aspects of the environment a list of threats that the product intends to counter a set of security objectives and security requirements and the IT security functions provided by the TOE which meet the set of requirements REVISION HISTORY Rev Description May 27 2004 initial release O 2004 Marconi Communications 111 iv F2 0504 007 Marconi SA 400 Security Target v2 doc 2004 Marconi Communications F2 0504 007 Marconi SA 400 Security Target v2 doc TABLE OF CONTENTS 1 SECURITY TARGET INTRODUCTION rsssrrrrrcrrresescenensssceseneesececnenseseonenne 1 LI Security Target Identificado toa arios 1 1121 Security Target Name a A AAA eee ee ad 1 PZ TOR Identification aia da ibas 1 1 1 3 Bvaluationi AUS at E A Et 1 1 1 4 Evaluation Assurance Level ooooocoononnonanonocoononanaananononococnonnnna nono noroononanannnncncnoconns 1 INI KWA AA RL LI 1 TL SEGUA Ei ECVE IEW eee 1 1 2 1 Security Target Organisation swa ai 1 1 3 Common Criteria Conformance ono nonnnnnnononnnno no ncnnncnnons 2 1 4 Protection Profile Conformance i 2 2 TOE DESCRIPTION essccesiscssiessacsecscaucovscasedacsdivaasdesaceoncsdashunecoosecavecssnssveecaveveseawesoncubeve 3 2 L TOE DES a ii 3 2 2 TOE HeatufeSrcs italia elia 4 a A yalsaaa
53. reat O Objective E Environment T TOE Assumption Threat or Policy Security Objectives Rationale A USERS O E USERS Users of the TOE must be trained and trusted to operate the TOE in a manner that maintains security A LOCATE O E CONNECT Enforcement of physical access control reduces risk and protects the TOE and its assets from unauthorised modification T DIRECT O ADMIN Only the administrator can manipulate TOE TSF data through the management path T REPLAY O ADMIN During authentication through the management path the IP address must match an allowed IP listing Marconi Corporation plc 9 F2 0504 007 Marconi SA 400 Security Target v2 doc Table Legend A Assumption P Policy T Threat O Objective E Environment T TOE Assumption Threat or Policy Security Objectives Rationale stored in the TOE before access is granted to other parts of the TOE T BYPASS T DATA O FILTER O ADMIN All traffic passing through the firewall is subject to filtering rules applied on a channel separate from the management path This prevents circumventing information flow filters enforced by the TOE The administrator is the only authorised user of the TOE and performs configuration of the TOE through a separate management path Traffic passing through the firewall is processed on a separate channel to prevent unauthorised modification to the TOE
54. rements The strength of function required for all applicable Security Functional Requirements in this TOE is Basic The requirements realised by probabilistic or permutational mechanisms include FIA_UAU 2 and FIA_UID 2 The EAL 2 level of assurance was chosen to provide a moderate level of independently assured security including confidence that the TOE will not be tampered with during delivery This level of assurance will provide sufficient security to protect unclassified information such as that found in government organizations Information with this importance is assumed by nature to have a greater threat for disclosure and or corruption by unauthorized parties Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc CHAPTER 7 7 Protection Profile Claims This chapter provides detailed information in reference to the Protection Profile conformance identification that appears in Chapter 1 Section 1 4 Protection Profile Conformance 7 1 Protection Profile Reference This Security Target does not claim conformance to any registered Protection Profile 7 2 Protection Profile Refinements This Security Target does not include any Protection Profile refinements 7 3 Protection Profile Additions This Security Target does not include any Protection Profile additions 7 4 Protection Profile Rationale This Security Target does not include any Protection Profile rationale statements Marconi Corporation p
55. ring Process FIP FCP Monitor Process functions implement the FDP_IFF 1 Functional Requirement by filtering flows of information passing through the TOE based upon the subject and attributes and allowed operations Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc Functional Requirement Functions Rationale FIA_ATD 1 Identification Authorisation Access Process The Identification Authorisation Access Process function implements the FIA_ATD 1 Functional Requirement by providing a serial connection that allows access to the TSF through a Command Line interface This interface is used to configure and define user security attributes on the TOE FIA_UAU 2 Identification Authorisation Access Process The Identification Authorisation Access Process function implements the FIA_UAU 2 Functional Requirement by requiring each user to be identified and authenticated prior to allowing any other TSF mediated action on behalf of the user FIA_UAU 6 Identification Authorisation Access Process The Identification Authorisation Access Process function implements the FIA_UAU 6 Functional Requirement by requiring each user to be re authenticated after a defined period of inactivity FIA_UAU 7 FIA_UID 2 Identification Authorisation Access Process Identification Authorisation Access Process The Identification Authorisation Ac
56. rnet Port Configuration Serial Port 1 Marconi Corporation plc 3 F2 0504 007 Marconi SA 400 Security Target v2 doc Figure 2 SA 400 Logical Boundary SA 400 System Overview y SW LX Subsytem YY Pirmware A GG tone Subsytem v te a Custom Linux O S a Su 2 CPLD 5 lt i ell ES i gt AC PGA Binary Executables Hard Drive EPROM m Log Files Redundant Power za Supplies Sa x Diagnostics x PCI Interface FIP H LED timing control Page 2 o 3 API Driver Oo E P C Motherboard CLi o u FCP Industrial Serial Ethernet GUI Web server z Port Port PC Chassis A A OC 12 Message Queues A A 3 MM Fiber Ports Security emphasis AN A External Interface xi S W Subsystem KEY gt Firmware Subsystem H Hardware Subsystem 2 2 TOE Features The SA 400 implements the following firewall features A IP Filtering Support based on 1 IP Source and Destination Address 2 IP Protocol 3 TCP 4 UDP 5 ICMP 6 IGMP B ATM NSAP Filtering Support C VPI VCI Filtering D Statistics and Counters Marconi Corporation plc E F F2 0504 007 Marconi SA 400 Security Target v2 doc Flexible W
57. stallation generation and start up of the TOE Content and Presentation of Evidence Elements ADO_IGS 1 1C The documentation shall describe the steps necessary for secure installation generation and start up of the TOE Evaluator Action Elements ADO_IGS 1 1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence ADO_IGS 1 2E The evaluator shall determine that the installation generation and start up procedures result in a secure configuration 5 2 3 Development ADV 5 2 3 1 ADV_FSP 1 Informal Functional Specification Dependencies ADV_RCR 1 Informal Correspondence Demonstration Developer Action Elements ADV_FSP 1 1D The developer shall provide a functional specification Content and Presentation of Evidence Elements ADV_FSP 1 1C The functional specification shall describe the TSF and its external interfaces using an informal style ADV_FSP 1 2C The functional specification shall be internally consistent ADV_FSP 1 3C The functional specification shall describe the purpose and method of use of all external TSF interfaces providing details of effects exceptions and error messages as appropriate ADV_FSP 1 4C The functional specification shall completely represent the TSF Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc Evaluator Action Elements ADV_FSP 1 1E The evaluator shall confirm that the information provi
58. that each tested security function behaved as specified Evaluator Action Elements ATE_FUN 1 1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence 5 2 5 3 ATE_IND 2 Independent Testing Sample Dependencies ADV_FSP 1 Informal Functional Specification AGD_ADM 1 Administrator Guidance AGD_USR 1 User Guidance ATE_FUN 1 Functional Testing Developer Action Elements ATE_IND 2 1D The developer shall provide the TOE for testing Content and Presentation of Evidence Elements ATE_IND 2 1C The TOE shall be suitable for testing ATE_IND 2 2C The developer shall provide an equivalent set of resourced to those that were used in the developers functional testing of the TSF Evaluator Action Elements ATE_IND 2 1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence ATE_IND 2 2E The evaluator shall test a subset of the TSF as appropriate to confirm that the TOE operates as specified ATE_IND 2 3E The evaluator shall execute a sample of tests in the test documentation to verify the developer test results Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc 5 2 6 Vulnerability Assessment AVA 5 2 6 1 AVA_SOF 1 Strength of TOE Security Function Evaluation Dependencies ADV_FSP 1 Informal Functional Specification ADV_HLD 1 Descriptive High Level Design Developer Acti
59. the Marconi Corporation plc 39 40 F2 0504 007 Marconi SA 400 Security Target v2 doc Assurance Component Documentation Satisfying Component Rationale D April 16 2004 SA 400 Security Firewall Quickstart Guide Revision C 07 02 2002 Marconi SA 400 Security Target Revision 8 09 16 2003 TOE ADV_FSP 1 Marconi SA 400 Firewall Version 1 3 Security Target Revision 8 September 16 2003 Marconi SA 400 High Level Design with Security Functional Specifications Revision 2 3 July 10 2003 Marconi SA 400 Security Firewall User s Manual Software Version 1 3 0 Issue D April 16 2004 Marconi SA 400 Security Firewall Quickstart Guide Software Version 1 3 0 Revision C July 02 2002 SA 400 GUI Error Conditions and Messages Version 1 1 October 27 2003 SA 400 CLI Error Conditions and Messages Version 1 1 October 27 2003 This document details all of the interfaces and functionality of the TOE ADV_HLD 1 Marconi SA 400 High Level Design with Security Functional Specifications Revision 2 3 July 10 2003 Marconi SA 400 Firewall Version 1 3 Security Target Revision 8 September 16 2003 Marconi SA 400 Security Firewall User s Manual Software Version 1 3 0 Issue D April 16 2003 This document describes the TOE in terms of sub systems Marconi Corporation plc F2 0504 007 Marconi SA 400 Security Target v2 doc Assurance
60. the Common Criteria Version 2 1 Both the functional and assurance claims contained in this ST have been updated to incorporate all applicable national and international interpretations through 16 April 2002 1 1 5 Keywords Firewall Security Asynchronous Transfer Mode ATM Internet Protocol IP Marconi packet filter SA 400 and traffic filter 1 2 Security Target Overview This ST describes the objectives requirements and rationale for the SA 400 Firewall The language used in this Security Target is consistent with the Common Criteria for Information Technology Security Evaluation Version 2 1 and the ISO IEC JTC 1 SC27 Guide for the Production of PPs and STs Version 0 9 As such the spelling of terms is presented using the internationally accepted English 1 2 1 Security Target Organisation Chapter 1 of this ST provides introductory and identifying information for the SA 400 TOE Chapter 2 describes the TOE and provides some guidance on its use Chapter 3 provides a security environment description in terms of assumptions threats and organisational security policies Chapter 4 identifies the security objectives of the TOE and of the Information Technology IT environment Marconi Corporation plc 1 F2 0504 007 Marconi SA 400 Security Target v2 doc Chapter 5 provides the TOE security and functional requirements as well as requirements on the IT environment Chapter 6 is the TOE Summary Specification a descr
61. ules based on the information and attributes shown in the table above to control the Firewall Filtering Flow Control Policy If there is an omission of an operational parameter associated with any particular subject then an explicit deny is in place This explicit deny prohibits all information to flows for the subject 5 1 3 Identification and Authentication FIA 5 1 3 1 FIA_ATD 1 User Attribute Definition Hierarchical to No other components FIA_ATD 1 1 The TSF shall maintain the following list of security attributes belonging to individual users login ID password and IP address Dependencies No dependencies Rationale The TOE provides a serial connection that allows access to the TSF through a Command Line Interface This interface is used to configure the security attributes for the administrator role The IP address of the remote machine that will access the TOE through the web interface must be configured also The TSF then stores the security attributes in a protected partition on the hard drive Once this has been configured the user will be able to access the TOE through the web interface 10 100 Ethernet connection using their identification and authentication information Once this action has successfully completed the user will then be recognised as an administrator of the TOE 5 1 3 2 FIA_UAU 2 User Authentication Before any Action Hierarchical to FIA_UAU 1 Timing of Authentication FIA_UAU 2 1 The TSF shall require
62. unction implements the FAU_SAR 2 Functional Requirement by limiting read access to the audit records to the administrator FAU_STG 1 Auditing Process The Auditing Process function implements the FAU_STG 1 Functional Requirement by protecting and preventing modifications to the audit records FAU_STG 3 Auditing Process The Auditing Process function implements the FAU_STG 3 Functional Requirement by overwriting the oldest audit records when the defined log file limits has been exceeded FDP_IFC 1 Main Extraction Process FIP Call Set up Process FIP FCP PVC Filtering Process FIP FCP SVC ATM Filtering Process FIP FCP IP Filtering Process FIP FCP Monitor Process The Main Extraction Process FIP Call Set up Process FIP FCP PVC Filtering Process FIP FCP SVC ATM Filtering Process FIP FCP IP Filtering Process FIP FCP and Monitor Process functions implement the FDP_IFC 1 Functional Requirement by implementing a structured flow of control of information between a user and the Access Control List on the H W PCI Firewall card FDP_IFF 1 Main Extraction Process FIP Call Set up Process FIP FCP PVC Filtering Process FIP FCP SVC ATM Filtering Process FIP FCP IP Filtering Process FIP FCP Monitor Process The Main Extraction Process FIP Call Set up Process FIP FCP PVC Filtering Process FIP FCP SVC ATM Filtering Process FIP FCP IP Filte
Download Pdf Manuals
Related Search