Maintenance ST - Common Criteria
Contents
1. 66 Curtiss-Wright VPX3-685 / CCA-685 Secure Routers, Page 2 of 84. © 2014 Curtiss-Wright Controls Defense Solutions. This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Target, Version 1.16, October 6, 2014. 7.1.5 System Monitoring; 7.1.6 TOE Administration; 7.1.7 Traffic Filter Firewall 67; 7.1.8 TSF Self Test 67; 7.1.9 Verifiable Updates 68; 8 RATIONALE 69; 8.1 CONFORMANCE CLAIMS 69; 8.2 SECURITY OBJECTIVES 69; 8.2.1 Security Objectives Rationale Relating to Threats 69; 8.2.2 Security Objectives Rationale Relating to 73; 8.2.3 Security Objectives Rationale Relating to Assumptions 73; 8.3 RATIONALE FOR EXTENDED SECURITY FUNCTIONAL REQUIREMENTS 74; 8.4 RATIONALE FOR EXTENDED TOE SECURITY ASSURANCE REQUIREMENTS 74; 8.5 SECURITY REQUIREMENTS RATI
2. FCS_RBG_EXT.1.1 The TSF shall perform all random bit generation (RBG) services in accordance with FIPS PUB 140-2 Annex C: X9.31 Appendix 2.4 using AES, seeded by an entropy source that accumulated entropy from at least one independent TSF-hardware-based noise source. FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded with a minimum of 128 bits of entropy, at least equal to the greatest bit length of the keys and authorization factors that it will generate. Dependencies: None. FCS_SSH_EXT.1 SSH. Hierarchical to: No other components. FCS_SSH_EXT.1.1 The TSF shall implement the SSH protocol that complies with RFCs 4251, 4252, 4253 and 4254. FCS_SSH_EXT.1.2 The TSF shall ensure that the SSH connection be rekeyed after no more than 2 packets have been transmitted using that key. FCS_SSH_EXT.1.3 The TSF shall ensure that the SSH protocol implements a timeout period for authentication, as defined in RFC 4252, of 1800 (30 minutes), and provide a limit to the number of failed authentication attempts a client may perform in a single session to three consecutive failed attempts. FCS_SSH_EXT.1.4 The TSF shall ensure that the SSH protocol implementation supports the following authentication methods as described in RFC 4252: public key-based, password-based. FCS_SSH_EXT.1.5 The TSF shall ensure that, as described in RFC 4253, packets greater than 262144 bytes in an SSH transport connection are dropped.
3. FPT_STM.1: Met. FAU_GEN.2: FAU_GEN.1 Met; FIA_UID.1 Met, met by the component which is hierarchical to FIA_UID.1. FAU_STG_EXT.1: Met; FTP Met; FTP(2) Met. FCS_CKM.1: FCS_CKM.4 Met, met by the explicitly stated FCS_CKM_EXT.4 requirement; FCS_COP.1 Met, multiple iterations of FCS_COP.1 are included, all of which meet this dependency. FCS_CKM_EXT.4: FCS_CKM.1 Met. [Page 79 of 84] FCS_COMM_PROT_EXT.1: FCS_SSH_EXT.1 Met; FCS_HTTPS_EXT.1 Met; FCS_IPSEC_EXT.1 Met; FCS_TLS_EXT.1 Met. FCS_COP.1(1): FCS_CKM.1 Met; FCS_CKM.4 Met, met by the explicitly stated FCS_CKM_EXT.4 requirement. FCS_COP.1(2): FCS_CKM.1 Met; FCS_CKM.4 Met, met by the explicitly stated FCS_CKM_EXT.4 requirement. FCS_COP.1(3): FCS_CKM.1 Met; FCS_CKM.4 Met, met by the explicitly stated FCS_CKM_EXT.4 requirement. FCS_COP.1(4): FCS_CKM.1 Met; FCS_CKM.4 Met, met by the explicitly stated FCS_CKM_EXT.4 requirement. FCS_HTTPS_EXT.1: FCS_TLS_EXT.1 Met. FCS_IPSEC_EXT.1: FCS_COP.1(2) Met; FCS_COP.1(1) Met. FCS_RBG_EXT.1: None; Met.
4. Security Target, Version 1.16, October 6, 2014. (TOE Security Function; SFR ID; Description.) FTP_ITC.1(2) Inter-TSF Trusted Channel (detection of modification); FTP_TRP.1(1) Trusted Path (prevention of disclosure); FTP_TRP.1(2) Trusted Path (detection of modification). Residual Information Clearing: FDP_RIP.2 Full residual information protection. Resource Availability: FRU_RSA.1 Maximum Quotas. System Monitoring: FAU_GEN.1 Audit Data Generation; FAU_GEN.2 User Identity Association; FAU_STG_EXT.1 External Audit Trail Storage; FPT_STM.1 Reliable time stamps. TOE Administration: FIA_PMG_EXT.1 Password Management; FIA_UAU.6 Re-authenticating; FIA_UAU.7 Protected Authentication Feedback; FIA_UAU_EXT.5 Password-based Authentication Mechanism; FIA_UIA_EXT.1 User identification and authentication; FMT_MSA.1 Management of security attributes; FMT_MSA.3 Static attribute initialisation; FMT_MTD.1 Management of TSF data; FMT_SMF.1 Specification of Management Functions; FMT_SMR.1 Security roles; FPT_PTD_EXT.1(1) Management of TSF Data (for reading of all symmetric keys); FTA_SSL.3 TSF-initiated Termination; FTA_SSL_EXT.1 TSF-initiated Session Locking; FTA_TAB.1 Default TOE Access Banners. Traffic Filter Firewall: FDP_IFC.1 Subset information flow control; FDP_IFF.1 Simple security attributes. TSF Self Test: FPT_TST_EXT.1 TSF Testing. Verifi
5. T.MISACT: Malicious activity by attackers who are not TOE users, such as introductions of Trojan horses and viruses, may occur on an IT System the TOE monitors. T.MISUSE: Unauthorized accesses and activity by attackers who are not TOE users, indicative of misuse, may occur on an IT System the TOE monitors. T.RESOURCE_EXHAUSTION: A process initiated by a TOE user or a TOE user may deny access to TOE services by exhausting critical resources on the TOE. T.SCNCFG: Improper security configuration settings created by non-TOE users may exist in the IT System the TOE monitors. T.SCNMLC: Users could execute malicious code on an IT System that the TOE monitors which causes modification of the IT System protected data or undermines the IT System security functions. T.SCNVUL: Vulnerabilities introduced by non-TOE users may exist in the IT System the TOE monitors. T.TSF_FAILURE: Security mechanisms of the TOE may fail, leading to a compromise of the TSF. T.UNAUTHORIZED_ACCESS: A user may gain unauthorized access to the TOE data and TOE executable code. A malicious user, process, or external IT entity may masquerade as an authorized entity in order to gain unauthorized access to data or TOE resources. A malicious user, process, or external IT entity may misrepresent itself as the TOE to obtain identification and authentication data. T.UNAUTHORIZED_UPDATE: A malicious party attempts to supply the end user
6. The FIPS 140-2 validated cryptographic module ensures that all cryptographic operations are performed in a secure manner and that all cryptographic critical security parameters (CSPs) are securely managed and zeroized when they are no longer needed. The TOE also prevents the reading of pre-shared keys, symmetric keys, and private keys in plaintext. Table 15 below provides details on how pre-shared keys, symmetric keys, and private keys are obscured to prevent reading. The FIPS 140-2 validated cryptographic module implements a FIPS-approved random bit generator (RBG) and ensures that it generates random numbers in a FIPS-approved manner. The cryptographic module uses an ANSI X9.31 PRNG as defined in FIPS PUB 140-2 Annex C. Hardware-based noise sources for entropy [Page 63 of 84] are retrieved from several places. In kernel mode, sources of randomness from the environment include inter-keyboard timings and inter-interrupt timings from network device drivers, which are non-deterministic. Randomness from these sources is added to the entropy pool. In the user space, a combination of the PRNG, current system time including of micr (Footnotes: AES: Advanced Encryption Standard; CBC: Cipher Block Chaining.)
7. (Requirement; Auditable Events; Additional Audit Record Contents.) FIA_UAU.6: Attempt to re-authenticate; Origin of the attempt (e.g., IP address). [Page 41 of 84] FIA_UAU.7: None. FIA_UIA_EXT.1: All use of the identification and authentication mechanism; Provided user identity, origin of the attempt (e.g., IP address). FMT_MSA.1: None. FMT_MSA.3: None. FMT_MTD.1: None. FMT_SMF.1: None. FMT_SMR.1: None. FPT_PTD_EXT.1(1): None. FPT_PTD_EXT.1(2): [illegible]. FPT_STM.1: Changes to the time; The old and new values for the time, origin of the attempt (e.g., IP address). FPT_TST_EXT.1: Indication that TSF self-test was completed; Any additional information generated by the tests beyond success or failure. FPT_TUD_EXT.1: Initiation of update; No additional information. FRU_RSA.1: Maximum quota being exceeded; Resource identifier. FTA_SSL_EXT.1: The termination of a remote session by the session locking mechanism; No additional information. FTA_SSL.3: The termination of a remote session by the session locking mechanism; No additional information. FTA_TAB.1:
8. 7.1.6 TOE Administration. The TOE Administration TSF provides a trusted means for administrators to interact with the TOE for management purposes. The UNAUTHENTICATED SFP is enforced by the TOE to ensure that only authorized administrators are allowed to perform administrative and management tasks on the TOE, and that restrictive default values are used for all security attributes used to enforce the UNAUTHENTICATED SFP. Administrators can manage the TOE via either a secure web GUI (secured via the HTTPS protocol), via a secure CLI (protected via the SSH protocol), or via the SNMP v3 protocol. CLI access via the serial port is disabled in FIPS mode. The TOE can be configured by administrators to authenticate users either against a local password-based authentication mechanism or against a remote RADIUS authentication server. The TSF requires that administrators use strong passwords that must be changed on a regular basis, and it requires users to re-authenticate when they change their passwords. Passwords are obscured during entry to prevent shoulder surfing of administrative passwords. Passwords can be configured to expire and (Footnotes: SFP: Security Functional Policy; RADIUS: Remote Authentication Dial-In User Service.) [Page 66 of 84]
9. 8.2.1 Security Objectives Rationale Relating to Threats. Table 16 Threats: Objectives Mapping (Threat; Objective; Rationale). T.ADMIN_ERROR: An administrator may unintentionally install or configure the TOE incorrectly, resulting in ineffective security mechanisms. Objective O.TSF_SELF_TEST: The TOE will provide the capability to test some subset of its security functionality to ensure it is operating properly. Rationale: The TOE tests its security functionality to ensure that it is operating properly. The TOE also ensures that the FIPS 140-2 approved mode of operation is enforced properly. T.ASPOOF: An unauthorized person may carry out spoofing in which information flows through the TOE into a connected network by using a spoofed source address. Objective O.MEDIAT: The TOE must mediate the flow of all information from users on a connected network to users on another connected network. Rationale: The TOE mediates all information flows from and to the protected network, allowing the TOE to allow or deny the flow if spoofing is detected. T.FALACT: An attacker might introduce identified or suspected vulnerabilities or perform inappropriate activity to which the TOE fails to react. Objective O.RESPON: The TOE must respond appropriately to analytical conclusions. Rationale: The TOE reacts to analytical conclusions about suspected vulnerabilities or inappropriate activity. T.FALASC: An attacker might introduce vuln Objective O.IDANLZ: The Analyzer must accept data Rationale: The TOE will recognize
10. 6 SECURITY REQUIREMENTS; 6.2 SECURITY FUNCTIONAL REQUIREMENTS; 6.2.1 Class FAU: Security Audit; 6.2.2 Class FCS: Cryptographic Support; 6.2.3 Class FDP: User Data Protection; 6.2.4 Class FIA: Identification and Authentication; 6.2.5 Class FMT: Security Management; 6.2.6 Class FPT: Protection of the TSF; 6.2.7 Class FRU: Resource Utilization; 6.2.8 Class FTA: TOE Access; 6.2.9 Class FTP: Trusted Path/Channels; 6.2.10 Class IDS: Intrusion Detection Function; 6.3 SECURITY ASSURANCE REQUIREMENTS; 7 TOE SUMMARY SPECIFICATION 60; 7.1 TOE SECURITY FUNCTIONS 60; 7.1.1 Intrusion Detection; 7.1.2 Protected Communications 62; 7.1.3 Residual Information Clearing 65; 7.1.4 Resource
11. administrative roles and privileges required to enable administrators to perform their duties. FPT_PTD_EXT.1(2) Management of TSF Data (for reading of authentication data): The TOE does not provide any interface or command which would allow an administrator to view users' plaintext passwords. IDS_RDR_EXT.1 Restricted Data Review: The TOE restricts the review of IDS data to those granted explicit read access. O.TSF_SELF_TEST (The TOE will provide the capability to test some subset of its security functionality to ensure it is operating properly): FPT_TST_EXT.1 TSF Testing: The TOE executes self tests at power-up to ensure its correct operation. O.VERIFIABLE_UPDATES (The TOE will provide the capability to help ensure that any updates to the TOE can be verified by the administrator to be unaltered and, optionally, from a trusted source): FCS_COP.1(2) Cryptographic Operation (for cryptographic signature): The TOE ensures that updates are signed only with approved cryptographic signature algorithms. [Page 78 of 84] FCS_COP.1(3) Cryptographic Operation: The TOE ensures that updates are hashed only with approved cryptographic
12. channel defined in FTP_ITC.1. Dependencies: FAU_GEN.1 Audit data generation. FTP_ITC.1(1) Inter-TSF trusted channel (prevention of disclosure); FTP_ITC.1(2) Inter-TSF trusted channel (prevention of modification). [Page 43 of 84] 6.2.2 Class FCS: Cryptographic Support. FCS_CKM.1 Cryptographic key generation. Hierarchical to: No other components. FCS_CKM.1.1 The TSF shall generate asymmetric cryptographic keys in accordance with a domain parameter generator and a random number generator (refinement; struck-through original text: "specified cryptographic key generation algorithm [assignment: cryptographic key generation algorithm] and specified cryptographic key sizes [assignment: cryptographic key sizes]") that meet the following: ANSI X9.31-1998, Public Key Cryptography Using Reversible Algorithms for the Financial Services Industry (rDSA), 1998. Generated key strength shall be equivalent to or greater than a symmetric key strength of 112 bits using conservative estimates (NIST Special Publication 800-56B, Recommendation for Pair-Wise Key Establishment Schemes Using Integer Factorization Cryptography). Dependencies: FCS_COP.1 Cryptographic operation; FCS_CKM.4 Cryptographic
13. FTP_ITC.1(1), FTP_ITC.1(2), FTP_TRP.1(1), FTP_TRP.1(2), FCS_CKM.1, FCS_CKM_EXT.4. 7.1.3 Residual Information Clearing. The Residual Information Clearing TSF ensures that data is not accidentally leaked into network packets or cryptographic CSPs by ensuring that any data object representing a network packet or CSP is destroyed when that data object is no longer needed. CSPs are zeroized by the FIPS 140-2 validated cryptographic module, and network packet objects are zeroized by code outside of the FIPS module when these objects are deallocated, that is, when they have been fully processed and are no longer needed. The TOE ensures that both CSPs and network packet objects are completely overwritten with zeros before the objects are deallocated, ensuring that any attempt to reconstruct the content of the object after deallocation will result in reconstruction of the zeros, not the actual CSP or packet data. (Footnotes: HMAC: Hashed Message Authentication Code; SHS: Secure Hash Standard; DRBG: Deterministic RBG.) [Page 65 of 84] TOE Security Functional Requirements Satisfied: FDP_RIP.2. 7.1.4 Resource Availability. The Resource Availability TSF ensures that the TOE's resourc
14. FTP_ITC.1(1) Inter-TSF trusted channel (prevention of disclosure); FTP_ITC.1(2) Inter-TSF trusted channel (prevention of modification). [Page 19 of 84] 5.1.2 Class FCS: Cryptographic Support. The TSF may employ cryptographic functionality to help satisfy several high-level security objectives. These include, but are not limited to, identification and authentication, non-repudiation, trusted path, trusted channel, and data separation. This class is used when the TOE implements cryptographic functions, the implementation of which could be in hardware, firmware and/or software. The extended family FCS_CKM_EXT: Cryptographic key management was modeled after the CC family and related components for FCS_CKM: Cryptographic key management. The extended families FCS_COMM_PROT_EXT: Communication protection, FCS_HTTPS_EXT: HTTPS, FCS_IPSEC_EXT: IPsec, FCS_RBG_EXT: Random bit generation, FCS_SSH_EXT: SSH, and FCS_TLS_EXT: TLS were modeled after various families and related components in the CC Class FCS: Cryptographic Support. 5.1.2.1 Family FCS_CKM_EXT: Cryptographic key management. Family Behaviour: Cryptographic keys must be managed throughout their life cycle.
15. IDS_SDC_EXT.1 Met; FPT_STM.1 Met. IDS_RCT_EXT.1: IDS_SDC_EXT.1 Met. IDS EXT: FAU_GEN.1 Met; IDS_SDC_EXT.1; FPT_STM.1 Met. [Page 81 of 84] Table 21 Acronyms (Acronym; Definition). [Page 82 of 84] Security Target, Version 1.16. Acronyms (fragment): KEK; L2TP; LED; MB; NAT; NIST; PPTP; PSK. Definitions (fragment): Transport Layer Security; Target of Evaluation; TOE Security Functionality; Unified Threat Management; Virtual Local Area Network; Virtual Private Network. [Page 83 of 84] Prepared by: Corsec Security, Inc., 13135 Lee Jackson Memorial Highway, Suite 220, Fairfax, VA 22033, United States of America. Phone: +1 703 267 6050. Email: info@corsec.com. http://www.corsec.com
16. 2 Status: Level 2 Validated Crypto Modules: Certificate #2085 for Curtiss-Wright VPX3-685 Secure Routers, Hardware Version 1.0 A, Models VPX3-685 A13014 FC and VPX3-685 C23014 FC with Software Version 605714 200, and Models VPX3-685 A13020 FC and VPX3-685 C23020 FC with Software Version 606163 200; Certificate #2324 for Curtiss-Wright CCA-685 Secure Router, Hardware Version CCA-685 C2820 1.0 rev A, Models CCA-685 2820 with Software Version 606163 210. 1.3 Product Overview. The TOE is a fully featured Layer 2 and 3 managed Gigabit Ethernet (GbE) router featuring a highly integrated security sub-system in a rugged OpenVPX-compliant 3U card. It speeds and simplifies the integration of secure GbE switching and routing into embedded systems designed for harsh-environment military applications. Targeting highly secure IPv4 and IPv6 Intra-Platform Networks (IPNs), the VPX3-685/CCA-685 is designed to prevent unauthorized access to critical information for applications deployed in air, land and sea vehicles. It can be used to secure a data storage network or to protect mission-critical applications from hostile attacks in the forms of viruses, IP spoofing, denial of service (DoS), and trojan horses. The TOE must be embedded inside a chassis and requires a 5V and/or 3.3V power supply. The VPX3-685/CCA-685 is fixed within two different enclosures: a conduction-cooled cover and an air-cooled cover. The internal prin
17. [Page 48 of 84] FDP_IFF.1.4 The TSF shall explicitly authorise an information flow based on the following rules: none. FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules: (a) The TOE shall reject requests for access or services where the information arrives on an external TOE interface and the presumed address of the source subject is an internal IT entity on an internal network; (b) The TOE shall reject requests for access or services where the information arrives on either an internal or external TOE interface and the presumed address of the source subject is an external IT entity on a broadcast network; (c) The TOE shall reject requests for access or services where the information arrives on either an internal or external TOE interface and the presumed address of the source subject is an external IT entity on the loopback network. Dependencies: FDP_IFC.1 Subset information flow control; FMT_MSA.3 Static attribute initialisation. FDP_RIP.2 Full residual information protection. Hierarchical to: FDP_RIP.1 Subset residual information protection. FDP_RIP.2.1 The TSF shall ensure that any previous information content of a network packet or cryptographic critical security parameter (refinement; struck-through original text: "resource") is made unava
18. 6.2.5 Class FMT: Security Management. FMT_MSA.1 Management of security attributes. Hierarchical to: No other components. FMT_MSA.1.1 The TSF shall enforce the UNAUTHENTICATED SFP to restrict the ability to [perform all administrative tasks] the security attributes [all security attributes] to [authorized administrators]. Dependencies: FDP_IFC.1 Subset information flow control; FMT_SMF.1 Specification of management functions; FMT_SMR.1 Security roles. FMT_MSA.3 Static attribute initialisation. Hierarchical to: No other components. FMT_MSA.3.1 The TSF shall enforce the UNAUTHENTICATED SFP to provide restrictive default values for security attributes that are used to enforce the SFP. FMT_MSA.3.2 The TSF shall allow the authorized administrators to specify alternative initial values to override the default values when an object or information is created. Dependencies: FMT_MSA.1 Management of security attributes; FMT_SMR.1 Security roles. FMT_MTD.1 Management of TSF data. Hierarchical to: No other components. FMT_MTD.1.1 The TSF shall restrict the ability to manage TSF data to the Security Administrators. Dependencies: FMT_SMF.1 Specification of management functions; FMT_SMR.1 Security roles. FMT_SMF.1 Specification of Management Functions. Hierarchical to: No other components. FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: Ability to configure the list of T
19. FCS_SSH_EXT.1: FCS_COP.1(1) Met; FCS_COP.1(4) Met; FCS_COP.1(2) Met. FCS_TLS_EXT.1: FCS_COP.1(2) Met; FCS_COP.1(1) Met; FCS_COP.1(3) Met. FDP_IFC.1: FDP_IFF.1 Met. FDP_IFF.1: FDP_IFC.1 Met; FMT_MSA.3 Met. FDP_RIP.2: None; Met. FIA_PMG_EXT.1: None; Met. FIA_UAU.6: None; Met. FIA_UAU.7: FIA_UAU.1 Met, met by EXT.1 which is hierarchical to FIA_UAU.1. [Page 80 of 84] FIA_UAU_EXT.5: None; Met. FIA_UIA_EXT.1: None; Met. FMT_MSA.1: FMT_SMR.1 Met; FDP_IFC.1 Met; FMT_SMF.1 Met. FMT_MSA.3: FMT_MSA.1 Met; FMT_SMR.1 Met. FMT_MTD.1: FMT_SMF.1 Met; FMT_SMR.1 Met. FMT_SMF: FCS 2 Met. FMT_SMR.1: FIA_UID.1 Met, met by the component which is hierarchical to FIA_UID.1. FPT_PTD_EXT.1(1): None; Met. FPT_PTD_EXT.1(2): None; Met. FPT_RPL.1: None; Met. FPT_STM.1: None; Met. FPT_TST_EXT.1: None; Met. EXT.1: 5 1 2. FRU_RSA.1: None; Met. FTA_SSL.3: None; Met. FTA SSL 1 EXT I Met. FTA_TAB.1: None; Met. FTP_ITC.1(2): None; Met. FTP_TRP.1(1): None; Met. FTP_TRP.1(2): None; Met. IDS_ANL
20. None. FTP_ITC.1(1): None. FTP_ITC.1(2): None. FTP_TRP.1(1): None. FTP_TRP.1(2): None. IDS_ANL_EXT.1: None. IDS_RCT_EXT.1: None. IDS_RDR_EXT.1: None. IDS_SDC_EXT.1: None. FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and [Page 42 of 84] b) For each audit event type, based on the auditable event definitions of the functional components included in the ST, information specified in column three of Table 11 above. Dependencies: FPT_STM.1 Reliable time stamps. FAU_GEN.2 User identity association. Hierarchical to: No other components. FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event. Dependencies: FAU_GEN.1 Audit data generation; FIA_UID.1 Timing of identification. FAU_STG_EXT.1 External audit trail storage. Hierarchical to: No other components. FAU_STG_EXT.1.1 The TSF shall be able to transmit the generated audit data to an external IT entity over a trusted
21. IDS_RCT_EXT.1: The following actions could be considered for the management functions in FMT: a) the management (addition, removal, or modification) of actions. Audit: IDS_RCT_EXT.1: The following actions should be auditable if FAU_GEN Security audit data generation is included in the ST: a) Minimal: Actions taken due to potential security violations. IDS_RCT_EXT.1 Analyzer react. Hierarchical to: No other components. IDS_RCT_EXT.1.1 The TSF shall send an alarm to [assignment: alarm destination] and take [assignment: appropriate actions] upon detection of a potential security violation. Dependencies: IDS_SDC_EXT.1 System data collection. 5.1.6.3 Family IDS_RDR_EXT: Restricted data review. Family Behaviour: This family defines the requirements for external storage of audit records enforced by the TSF indicative of a potential security violation. Component Leveling: Figure 21, Restricted data review family decomposition (IDS_RDR_EXT: Restricted data review, component 1). IDS_RDR_EXT.1 Restricted data review requires that the TOE at least store its audit data indicative of a potential security violation on an external server and also support receipt of the audit data over a trusted channel. Management: IDS_RDR_EXT.1: a) No management activities foreseen. Audit: IDS_RDR_EXT.1: [Page 34 of 84]
22. [Page 23 of 84] FCS_RBG_EXT.1.2 The deterministic RBG shall be seeded with a minimum of [selection, choose one of: 128 bits, 256 bits] of entropy at least equal to the greatest bit length of the keys and authorization factors that it will generate. Dependencies: None. 5.1.2.6 Family FCS_SSH_EXT: SSH. Family Behaviour: Components in this family address the requirements for protecting communications using SSH. This is a new family defined for the FCS Class. Component Leveling: Figure 10, SSH family decomposition (FCS_SSH_EXT: SSH, component 1). FCS_SSH_EXT.1 SSH requires that SSH be implemented. Management: FCS_SSH_EXT.1: There are no management activities foreseen. Audit: FCS_SSH_EXT.1: The following actions should be auditable if FAU_GEN Security audit data generation is included in the ST: a) Failure to establish an SSH session; b) Establishment/termination of an SSH session. FCS_SSH_EXT.1 SSH. Hierarchical to: No other components. FCS_SSH_EXT.1.1 The TSF shall implement the SSH protocol that complies with RFCs 4251, 4252, 4253 and 4254. FCS_SSH_EXT.1.2 The TSF shall ensure that the SSH connection be rekeyed after no more than 27 packets have been transmitted using that key. FCS_SSH_E
23. TABLE 4 ORGANIZATIONAL SECURITY 15; TABLE 5 15; TABLE 6 SECURITY OBJECTIVES FOR THE TOE 16; [Page 3 of 84] TABLE 7 SECURITY 17; TABLE 8 EXTENDED TOE SECURITY FUNCTIONAL REQUIREMENTS 18; TABLE 9 IDS_SDC EXPLICIT SFR DEFINITION COLLECTED EVENTS 36; TABLE 10 TOE SECURITY FUNCTIONAL REQUIREMENTS 38; TABLE 11 AUDITABLE EVENTS 41; TABLE 12 IDS_SDC COLLECTED EVENTS 57; TABLE 13 EAL2 ASSURANCE REQUIREMENTS 59; TABLE 14 MAPPING OF TOE SECURITY FUNCTIONS TO SECURITY FUNCTIONAL REQUIREMENTS 60; TABLE 15 TOE KEYS, KEY COMPONENTS AND CSPs; TABLE 16 THREATS: OBJECTIVES MAPPING
24. FTA_SSL.3 TSF-initiated Termination; FTA_SSL_EXT.1 TSF-initiated Session Locking; FTA_TAB.1 Default TOE Access Banners; FTP_ITC.1(1) Inter-TSF Trusted Channel (prevention of disclosure); FTP_ITC.1(2) Inter-TSF Trusted Channel (detection of modification); FTP_TRP.1(1) Trusted Path (prevention of disclosure); FTP_TRP.1(2) Trusted Path (detection of modification); IDS_ANL_EXT.1 Analyzer analysis; [Page 39 of 84] IDS_RCT_EXT.1 Analyzer react; IDS_RDR_EXT.1 Restricted Data Review; IDS_SDC_EXT.1 System Data Collection. Note: S = Selection; A = Assignment; R = Refinement; I = Iteration. [Page 40 of 84] 6.2.1 Class FAU: Security Audit. FAU_GEN.1 Audit Data Generation. Hierarchical to: No other components. FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of
25. The set of security objectives for a TOE form a high-level solution to the security problem. This high-level solution is divided into two part-wise solutions: the security objectives for the TOE and the security objectives for the TOE's operational environment. This section identifies the security objectives for the TOE and its supporting environment. 4.1 Security Objectives for the TOE. The specific security objectives for the TOE are as follows. Table 6 Security Objectives for the TOE (Name; Description). O.DISPLAY_BANNER: The TOE will display an advisory warning regarding use of the TOE. O.IDANLZ: The TOE must accept data from IDS Sensors or IDS Scanners and then apply analytical processes and information to derive conclusions about intrusions (past, present, or future). O.IDSCAN: The TOE must collect and store static configuration information that might be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System. O.IDSENS: The TOE must collect and store information about all events that are indicative of inappropriate activity that may have resulted from misuse, access, or malicious activity of IT System assets and the IDS. O.MEDIAT: The TOE must mediate the flow of all information from users on a connected network to users on another connected network. O.PROTECTED_COMMUNICATIONS: The TOE will provide protected communication channels for administrators, other part
26. This family is intended to support that lifecycle and consequently defines requirements for the following activities: cryptographic key generation, cryptographic key distribution, cryptographic key access, and cryptographic key destruction. This family should be included whenever there are functional requirements for the management of cryptographic keys. Components in this family address the requirements for managing cryptographic keys as defined in CC Part 2. This section defines the extended components for the family.
Component Leveling: FCS_CKM_EXT Cryptographic key management: 4 (Figure 5: Cryptographic key management family decomposition)
FCS_CKM_EXT.4 Cryptographic key zeroization requires cryptographic keys and cryptographic critical security parameters to be zeroized. It was modeled after FCS_CKM.4.
Management: FCS_CKM_EXT.4: a) There are no management activities foreseen.
Audit: FCS_CKM_EXT.4: The following actions should be auditable if FAU_GEN.1 Security audit data generation is included in the ST: a) Failure on invoking the cryptographic key zeroization functionality.
FCS_CKM_EXT.4 Cryptographic Key Zeroization
Hierarchical to: No other components.
FCS_CKM_EXT.4.1 The TSF shall zeroize all plaintext secret and private cryptographic keys and CSPs when no longer required.
Dependencies: FDP_ITC.1 Import of user data without security attributes, or FDP_ITC.2 Import of user data with
27. 1.6.1.1 Guidance Documentation
The TOE includes the following guidance: VPX3-685 Secure Ethernet Router User's Manual; VPX3-685 WEB Interface Software Reference Manual; VPX3-685 Command Line Interface (CLI) Software Reference Manual; 68x Controlled Information User Manual; VPX3-685 Product Release Notes; CCA-685 Secure Ethernet Router User's Manual.
1.6.2 Logical Scope
The logical boundary of the TOE is broken down into the following security classes, which are further described in sections 6 and 7 of this ST. The logical scope also provides the description of the security features of the TOE. The security functional requirements implemented by the TOE are usefully grouped under the following TOE Security Functions (TSFs): Intrusion Detection; Protected Communications; Residual Information Clearing; Resource Availability; System Monitoring; TOE Administration; Traffic Filter Firewall; TSF Self Test; Verifiable Updates.
1.6.2.1 Intrusion Detection
The Intrusion Detection function enables the TOE to collect data about network traffic on monitored networks, analyze the collected data for potential statistical and signature-based security violations, automatically react to dete
28. function(s) on all system data collected: a) statistical, signature; and b) no other analytical functions.
IDS_ANL_EXT.1.2 The System shall record within each analytical result at least the following information: a) Date and time of the result, type of result, identification of data source; and b) no other security-relevant information about the result.
Dependencies: IDS_SDC_EXT.1 System Data Collection; FPT_STM.1 Reliable Timestamps
IDS_RCT_EXT.1 Analyzer react
Hierarchical to: No other components.
IDS_RCT_EXT.1.1 The TSF shall send an alarm to the external syslog server and take no other action upon detection of a potential security violation.
Dependencies: IDS_SDC_EXT.1 System data collection
IDS_RDR_EXT.1 Restricted data review
Hierarchical to: No other components.
IDS_RDR_EXT.1.1 The TSF shall be able to transmit the generated audit data indicative of a potential security violation to an external IT entity over a trusted channel as defined in FTP_ITC.1.
Dependencies: FAU_GEN.1 Audit data generation
IDS_SDC_EXT.1 System data collection
Hierarchical to: No other components.
IDS_SDC_EXT.1.1 The TSF shall be able to collect the following information from the targeted IT System resource(s): a) network traffic; b) no other specifically defined events.
IDS_SDC_EXT.1.2 At a minimum, the TSF shall collect and record the following information: a) Date and time of the event, type of event, sub
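The analysis and reaction elements above (IDS_ANL_EXT.1 and IDS_RCT_EXT.1) together describe a pipeline: run signature and statistical analysis over collected traffic, record date/time, result type and data source with each result, and send the result as an alarm to an external syslog server. The following is an added illustration written for this page, not the router's own code: the flow records, the signature rules and the sweep threshold are constructed, the syslog facility and APP-NAME are assumptions, and the message layout follows RFC 5424.

```python
"""IDS analysis + syslog alarm, modelled on IDS_ANL_EXT.1 / IDS_RCT_EXT.1.

Added example (not TOE code). Flow records, rules and thresholds below are
constructed; facility/app-name are assumptions; layout follows RFC 5424.
"""
from collections import defaultdict

SYSLOG_VERSION = 1
FACILITY_LOCAL4 = 20   # RFC 5424 facility code (assumed choice for IDS alarms)
SEVERITY_ALERT = 1     # "action must be taken immediately"

# Constructed sample of collected traffic (IDS_SDC_EXT.1):
# (date/time, source IP, destination IP, destination port)
SAMPLE_FLOWS = [
    ("2014-10-06T10:00:00Z", "10.1.1.7", "192.0.2.10", 23),
    ("2014-10-06T10:00:01Z", "10.1.1.7", "192.0.2.10", 22),
    ("2014-10-06T10:00:01Z", "10.1.1.7", "192.0.2.11", 22),
    ("2014-10-06T10:00:02Z", "10.1.1.7", "192.0.2.12", 22),
    ("2014-10-06T10:00:02Z", "10.1.1.7", "192.0.2.13", 22),
    ("2014-10-06T10:00:03Z", "10.1.1.9", "192.0.2.10", 443),
]

# Hypothetical signature rules: cleartext management protocols on the monitored net.
SIGNATURES = {23: "cleartext-telnet-mgmt", 21: "cleartext-ftp"}
# Hypothetical statistical rule: one source contacting this many distinct hosts.
SWEEP_THRESHOLD = 4


def analyze(flows, data_source="eth0"):
    """Signature and statistical analysis (IDS_ANL_EXT.1.1). Every result carries
    date/time, type of result and data source, as IDS_ANL_EXT.1.2 requires."""
    results = []
    targets = defaultdict(set)   # source -> set of destinations seen
    last_seen = {}               # source -> time of its latest flow
    for ts, src, dst, dport in flows:
        if dport in SIGNATURES:
            results.append({"time": ts, "type": "signature/" + SIGNATURES[dport],
                            "source": data_source, "detail": f"{src} -> {dst}:{dport}"})
        targets[src].add(dst)
        last_seen[src] = ts
    for src, dsts in targets.items():
        if len(dsts) >= SWEEP_THRESHOLD:
            results.append({"time": last_seen[src], "type": "statistical/host-sweep",
                            "source": data_source,
                            "detail": f"{src} contacted {len(dsts)} distinct hosts"})
    return results


def syslog_pri(facility, severity):
    """RFC 5424 PRI value: facility * 8 + severity."""
    return facility * 8 + severity


def sd_escape(value):
    """RFC 5424 SD-PARAM-VALUE escaping: backslash, double quote and ']'."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def format_alarm(result, hostname="vpx3-685"):
    """One RFC 5424 message per analytical result (IDS_RCT_EXT.1.1 alarm)."""
    pri = syslog_pri(FACILITY_LOCAL4, SEVERITY_ALERT)
    sd = f'[ids type="{sd_escape(result["type"])}" source="{sd_escape(result["source"])}"]'
    return f'<{pri}>{SYSLOG_VERSION} {result["time"]} {hostname} ids - - {sd} {result["detail"]}'


if __name__ == "__main__":
    for r in analyze(SAMPLE_FLOWS):
        print(format_alarm(r))
```

The structured-data block carries the result type and data source as separate parameters so the receiving collector can filter on them without parsing free text; the escaping rule matters because a result detail containing `]` would otherwise break the message for a strict RFC 5424 parser.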
29. (e.g., compilers or user applications) available on the TOE. Objective: OE.NO_GENERAL_PURPOSE: There are no general purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE. Rationale: No general purpose computing capabilities are available on the TOE beyond those required for TOE operation, administration and support.
A.PHYSICAL: Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment. Objective: OE.PHYSICAL: Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment. Rationale: The environment provides physical security for the TOE commensurate with the value of the TOE and its data.
A.TRUSTED_ADMIN: TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. Objective: OE.TRUSTED_ADMIN: TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner. Rationale: TOE Administrators are trusted to follow administrative guidance.
A.TRUSTED_NETWORK_BOUNDARY: The TOE router controls the single access point to the trusted network, and there are no hostile entities on the trusted network side. Objective: O
30. The TSF shall ensure that IKEv1 Phase 1 exchanges use only main mode.
FCS_IPSEC_EXT.1.3 The TSF shall ensure that IKEv1 SA lifetimes are able to be limited to 24 hours for Phase 1 SAs and 8 hours for Phase 2 SAs.
FCS_IPSEC_EXT.1.4 The TSF shall ensure that IKEv1 SA lifetimes are able to be limited to 200 MB of traffic for Phase 2 SAs.
FCS_IPSEC_EXT.1.5 The TSF shall ensure that all IKE protocols implement DH Groups 14 (2048-bit MODP), 1 (768-bit MODP), 2 (1024-bit MODP), and 5 (1536-bit MODP).
FCS_IPSEC_EXT.1.6 The TSF shall ensure that all IKE protocols implement Peer Authentication using the DSA, rDSA algorithm.
FCS_IPSEC_EXT.1.7 The TSF shall support the use of pre-shared keys as referenced in the RFCs for use in authenticating its IPsec connections.
FCS_IPSEC_EXT.1.8 The TSF shall support the following: 1. Pre-shared keys shall be able to be composed of any combination of upper and lower case letters, numbers, and special characters (that include: "!", "@", "#", "$", "%", "^", "&", "*", "(", and ")"); 2. Pre-shared keys of 22 characters and pre-shared key lengths of 8 to 31.
Dependencies: FCS_COP.1(1) Cryptographic operation (for data encryption/decryption); FCS_COP.1(2) Cryptographic operation (for cryptographic signature)
FCS_RBG_EXT.1 Random Bit Generation
Hierarchical to: No other components.
FCS
31. is reallocated. The TOE ensures that any data contained in a protected resource is not reused when the resource is reallocated.
Every threat is mapped to one or more objectives in the table above. This complete mapping demonstrates that the defined security objectives counter all defined threats.
8.2.2 Security Objectives Rationale Relating to Policies
Table 17: Policies/Objectives Mapping
P.ACCESS_BANNER: The TOE shall display an initial banner describing restrictions of use, legal agreements, or any other appropriate information to which users consent by accessing the TOE. Objective: O.DISPLAY_BANNER: The TOE will display an advisory warning regarding use of the TOE. Rationale: The TOE displays an appropriate advisory warning.
Every policy is mapped to one or more objectives in the table above. This complete mapping demonstrates that the defined security objectives enforce all defined policies.
8.2.3 Security Objectives Rationale Relating to Assumptions
Table 18: Assumptions/Objectives Mapping
A.NO_GENERAL_PURPOSE: It is assumed that there are no general purpose computing capabilities (e
32. lock-out occurs for an individual user.
Audit: FTA_SSL_EXT.1: The following actions should be auditable if FAU_GEN.1 Security audit data generation is included in the ST: a) Any attempts at unlocking an interactive session.
FTA_SSL_EXT.1 TSF-initiated session locking
Hierarchical to: No other components.
FTA_SSL_EXT.1.1 The TSF shall, for local interactive sessions, [selection: lock the session (disable any activity of the user's data access/display devices other than unlocking the session) and require that the administrator re-authenticate to the TSF prior to unlocking the session; terminate the session] after a Security Administrator-specified time period of inactivity.
Dependencies: FIA_UIA_EXT.1 User identification and authentication
5.1.6 Class IDS: Intrusion Detection Function
Intrusion Detection functions involve collecting information from designated systems and analyzing the information for vulnerabilities and compliance. The extended class IDS (Intrusion detection function) was modeled after the CC FAU (Security audit) class. The extended family and related components for IDS_SDC_EXT (System data collection) were modeled after the CC fa
33. other components.
FTP_TRP.1.1(2) The TSF shall provide a communication path between itself and remote administrators/users, using HTTPS, SSH and SNMP with AES as specified in FCS_COP.1(1) and SHA as specified in FCS_COP.1(3), that is logically distinct from other communication paths and provides assured identification of its end points and detection of modification of the communicated data.
FTP_TRP.1.2(2) The TSF shall permit remote administrators/users to initiate communication via the trusted path.
FTP_TRP.1.3(2) The TSF shall require the use of the trusted path for all remote administrative actions.
Dependencies: No dependencies
6.2.10 Class IDS: Intrusion Detection Function
IDS_ANL_EXT.1 Analyzer analysis
Hierarchical to: No other components.
IDS_ANL_EXT.1.1 The TSF shall perform the following analysis
34. protocol is used in a secure manner.
FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation): The TOE uses only standards-compliant implementations of random bit generators, and they are used in a secure manner.
FCS_SSH_EXT.1 SSH: The TOE uses only standards-compliant implementations of the SSH protocol, and the SSH protocol is used in a secure manner.
FCS_TLS_EXT.1 TLS: The TOE uses only standards-compliant implementations of the TLS protocol, and the TLS protocol is used in a secure manner.
FPT_PTD_EXT.1(2) Management of TSF Data (for reading of all symmetric keys): The TOE does not provide any interface or command which would allow an administrator to view plaintext pre-shared, symmetric and private keys.
FPT_RPL.1 Replay Detection: The TOE detects and rejects replayed network packets.
FTP_ITC.1(1) Inter-TSF Trusted Channel (prevention of disclosure): The TOE uses only approved communication protection algorithms to conduct communications with external authorized IT entities.
FTP_ITC.1(2) Inter-TSF Trusted Channel (detection of modification): The TOE uses only approved communication protection algorithms to conduct communications with external authorized IT entities.
FTP_TRP.1(1) Trusted Path (prevention of disclosure): The TOE uses only approved communication protection algorithms to conduct communications with remote administrators, preventing disclosure of the administrator's
35. section defines the extended SFRs and extended SARs met by the TOE. These requirements are presented following the conventions identified in Section 6.1.
5.1 Extended TOE Security Functional Components
This section specifies the extended SFRs for the TOE. The extended SFRs are organized by class. Table 8 identifies all extended SFRs implemented by the TOE.
Table 8: Extended TOE Security Functional Requirements (Name: Description)
FAU_STG_EXT.1: External Audit Trail Storage
FCS_CKM_EXT.4: Cryptographic key destruction
FCS_COMM_PROT_EXT.1: Communication Protection
FCS_HTTPS_EXT.1: HTTPS
FCS_IPSEC_EXT.1: IPsec
FCS_RBG_EXT.1: Cryptographic Operation (Random Bit Generation)
FCS_SSH_EXT.1: SSH
FCS_TLS_EXT.1: TLS
FIA_PMG_EXT.1: Password Management
FIA_UAU_EXT.5: Password-based Authentication Mechanism
FIA_UIA_EXT.1: User Identification and Authentication
FPT_PTD_EXT.1: Management of TSF Data
FPT_TST_EXT.1: TSF self test
FPT_TUD_EXT.1: Trusted Update
FTA_SSL_EXT.1: TSF-initiated session locking
IDS_ANL_EXT.1: Analysis
IDS_RCT_EXT.1: Analyzer react
IDS_RDR_EXT.1: Restricted data review
IDS_SDC_EXT.1: System data collection
Footnote 20: TLS: Transport Layer Security
36. selection: hmac-sha1, hmac-sha1-96, hmac-md5, hmac-md5-96].
FCS_SSH_EXT.1.9 The TSF shall ensure that diffie-hellman-group14-sha1 is the only allowed key exchange method used for the SSH protocol.
Dependencies: FCS_COP.1 Cryptographic operation
5.1.2.7 Family FCS_TLS_EXT: TLS
Family Behaviour: Components in this family address the requirements for protecting communications using TLS. This is a new family defined for the FCS Class.
Component Leveling: FCS_TLS_EXT TLS: 1 (Figure: TLS family decomposition)
FCS_TLS_EXT.1 TLS requires that TLS be implemented.
Management: FCS_TLS_EXT.1: There are no management activities foreseen.
Audit: FCS_TLS_EXT.1: The following actions should be auditable if FAU_GEN.1 Security audit data generation is included in the ST: a) Failure to establish a TLS session; b) Establishment/termination of a TLS session.
FCS_TLS_EXT.1 TLS
Hierarchical to: No other components.
FCS_TLS_EXT.1.1 The TSF shall implement one or more of the following protocols [selection: TLS 1.0 (RFC 2246), TLS 1.1 (RFC 4346), TLS 1.2 (RFC 5246)] supporting the following ciphersuites: TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, [selection: None, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_DHE_RSA_WITH_AES_128_CBC_SHA256, TLS_DHE_RSA_WITH_AES_256_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TL
37. session data.
FTP_TRP.1(2) Trusted Path (detection of modification): The TOE uses only approved communication protection algorithms to conduct communications with remote administrators, allowing detection of any modification of the administrator's session data.
O.RESIDUAL_INFORMATION_CLEARING: The TOE will ensure that any data contained in a protected resource is not available when the resource is reallocated. FDP_RIP.2 Full residual information protection: The TOE makes unavailable all previous information content of a resource when it is no longer in use.
O.RESOURCE_AVAILABILITY: The TOE shall provide mechanisms that mitigate user attempts to exhaust TOE resources (e.g., persistent storage). FRU_RSA.1 Maximum Quotas: The TOE enforces maximum quota usage of critical TOE resources, ensuring that those resources will not be exhausted.
O.RESPON: The TOE must respond appropriately to analytical conclusions. IDS_RCT_EXT.1 Analyzer react: The TOE responds appropriately to IDS-related analytical conclusions.
O.SECSTA (FMT_MSA.3 Static attribute initialisation: The TOE implements a default): Upon initial start-up of the TOE or recovery from an inter
38. shall provide a means to verify firmware/software updates to the TOE using a [selection: digital signature mechanism, published hash] prior to installing those updates.
Dependencies: FCS_COP.1 Cryptographic operation
5.1.5 Class FTA: TOE Access
This family specifies functional requirements for controlling the establishment of a user's session. The extended component FTA_SSL_EXT.1 TSF-initiated session locking was modeled after FTA_SSL.1 TSF-initiated session locking.
5.1.5.1 Family FTA_SSL_EXT: TSF-initiated Session Locking
Family Behaviour: Components in this family address the requirements for TSF-initiated and user-initiated locking, unlocking, and termination of interactive sessions.
Component Leveling: FTA_SSL_EXT TSF-initiated session locking: 1 (Figure 18: TSF-initiated Session Locking family decomposition)
FTA_SSL_EXT.1 TSF-initiated Session Locking requires system-initiated locking of an interactive session after a specified period of inactivity.
Management: FTA_SSL_EXT.1: The following actions could be considered for the management functions in FMT: a) Specification of the time of user inactivity after which
39. the audit functions; b) All auditable events for the [not specified] level of audit; c) All administrative actions; and d) Specifically defined auditable events listed in Table 11 below.
Table 11: Auditable Events (Requirement: Auditable Events / Additional Audit Record Contents)
FAU_GEN.1: None
FAU_GEN.2: None
FAU_STG_EXT.1: None
FCS_CKM.1: Failure on invoking functionality / No additional information
FCS_CKM_EXT.4: Failure on invoking functionality / No additional information
FCS_COMM_PROT_EXT.1: None
FCS_COP.1(1): Failure on invoking functionality / No additional information
FCS_COP.1(2): Failure on invoking functionality / No additional information
FCS_COP.1(3): Failure on invoking functionality / No additional information
FCS_COP.1(4): Failure on invoking functionality / No additional information
FCS_HTTPS_EXT.1: None
FCS_IPSEC_EXT.1: Failure to establish an IPsec SA / Reason for failure; Establishment/termination of an IPsec SA / Non-TOE endpoint of connection (IP address) for both successes and failures
FCS_RBG_EXT.1: Failure on the randomization process / No additional information
FCS_SSH_EXT.1: None
FCS_TLS_EXT.1: None
FDP_IFC.1: None
FDP_IFF.1: All requests for and decisions about information flows / The presumed addresses of the source and destination subject
FDP_RIP.2: None
FIA_PMG_EXT.1: None
FIA_UAU_EXT.5: None
40. with an update to the product that may compromise the security features of the TOE.
T.UNDETECTED_ACTIONS: Malicious remote users or external IT entities may take actions that adversely affect the security of the TOE. These actions may remain undetected and thus their effects cannot be effectively mitigated.
T.USER_DATA_REUSE: User data may be inadvertently sent to a destination not intended by the original sender.
3.2 Organizational Security Policies
An Organizational Security Policy (OSP) is a set of security rules, procedures, or guidelines imposed by an organization on the operational environment of the TOE. The following OSPs are presumed to be imposed upon the TOE or its operational environment by any organization implementing the TOE in the CC evaluated configuration.
Table 4: Organizational Security Policies (Name: Description)
P.ACCESS_BANNER: The TOE shall display an initial banner describing restrictions of use, legal agreements, or any other appropriate information to which users consent by accessing the TOE.
3.3 Assumptions
This section describes the security aspects of the intended environment for the evaluated TOE. The operation
41. FTP_ITC.1.1(2) The TSF shall use IPsec to provide a trusted communication channel between itself and authorized IT entities that is logically distinct from other communication channels and provides assured identification of its end points and detection of the modified data.
FTP_ITC.1.2(2) The TSF shall permit the TSF or the authorized IT entities to initiate communication via the trusted channel.
FTP_ITC.1.3(2) The TSF shall initiate communication via the trusted channel for all IPsec communications.
Dependencies: No dependencies
FTP_TRP.1(1) Trusted path (prevention of disclosure)
Hierarchical to: No other components.
FTP_TRP.1.1(1) The TSF shall provide a communication path between itself and remote administrators/users, using HTTPS, SSH and SNMP with AES as specified in FCS_COP.1(1) and SHA as specified in FCS_COP.1(3), that is logically distinct from other communication paths and provides assured identification of its end points and protection of the communicated data from disclosure.
FTP_TRP.1.2(1) The TSF shall permit remote administrators/users to initiate communication via the trusted path.
FTP_TRP.1.3(1) The TSF shall require the use of the trusted path for all remote administrative actions.
Dependencies: No dependencies
FTP_TRP.1(2) Trusted path (detection of modification)
Hierarchical to: No
42. FCS_HTTPS_EXT.1 HTTPS
FCS_IPSEC_EXT.1 IPsec
FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation)
FCS_SSH_EXT.1 SSH
FCS_TLS_EXT.1 TLS
FDP_IFC.1 Subset information flow control
FDP_IFF.1 Simple security attributes
FDP_RIP.2 Full residual information protection
FIA_PMG_EXT.1 Password Management
FIA_UAU.6 Re-authenticating
FIA_UAU.7 Protected Authentication Feedback
FIA_UAU_EXT.5 Password-based Authentication Mechanism
FIA_UIA_EXT.1 User identification and authentication
FMT_MSA.1 Management of security attributes
FMT_MSA.3 Static attribute initialisation
FMT_MTD.1 Management of TSF data
FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles
FPT_PTD_EXT.1(1) Management of TSF Data (for reading of authentication data)
FPT_PTD_EXT.1(2) Management of TSF Data (for reading of all symmetric keys)
FPT_RPL.1 Replay Detection
FPT_STM.1 Reliable time stamps
FPT_TST_EXT.1 TSF Testing
FPT_TUD_EXT.1 Trusted Update
FRU_RSA.1 Maximum Quotas
FTA_SSL.3
43. FCS_SSH_EXT.1.6 The TSF shall ensure that the SSH transport implementation uses the following encryption algorithms: AES-CBC-128, AES-CBC-256, and no other algorithms.
FCS_SSH_EXT.1.7 The TSF shall ensure that the SSH transport implementation uses SSH_RSA and no other public key algorithms as its public key algorithm(s).
FCS_SSH_EXT.1.8 The TSF shall ensure that the data integrity algorithm used in the SSH transport connection is hmac-sha1.
FCS_SSH_EXT.1.9 The TSF shall ensure that diffie-hellman-group14-sha1 is the only allowed key exchange method used for the SSH protocol.
Dependencies: FCS_COP.1(1) Cryptographic operation (for data encryption/decryption); FCS_COP.1(4) Cryptographic operation (for keyed-hash message authentication); FCS_COP.1(2) Cryptographic operation (for cryptographic signature)
FCS_TLS_EXT.1 TLS
Hierarchical to: No other components.
FCS_TLS_EXT.1.1 The TSF shall implement one or more of the following protocols: TLS 1.0 (RFC 2246), supporting the following ciphersuites: TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, None.
Dependencies: FCS_COP.1(2) Cryptographic operation (for cryptographic signature); FCS_COP.1(1) Cryptographic operation (for data enc
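FCS_SSH_EXT.1.6 through 1.9 pin the server side of the SSH algorithm negotiation to one key exchange, one host key algorithm, two ciphers and one MAC. What a client actually ends up with is decided by the RFC 4253 section 7.1 rule (the first entry in the client's name-list that the server also lists), so an operator wanting to confirm the box is still in its evaluated configuration should check the negotiated result, not just the server's offer. The following is an added example written for this page, not the router's own code or configuration tooling; the client proposals are constructed and the server lists are taken from the SFR text above.

```python
"""SSH algorithm negotiation checked against the evaluated configuration.

Added example (not TOE code). Implements the RFC 4253 section 7.1 selection
rule and flags any negotiated algorithm outside the set claimed for
FCS_SSH_EXT.1.6 - 1.9. Client name-lists below are constructed.
"""

# Server offer as the ST claims it (order is the server's preference).
SERVER_KEXINIT = {
    "kex": ["diffie-hellman-group14-sha1"],          # FCS_SSH_EXT.1.9
    "hostkey": ["ssh-rsa"],                          # FCS_SSH_EXT.1.7
    "cipher": ["aes128-cbc", "aes256-cbc"],          # FCS_SSH_EXT.1.6
    "mac": ["hmac-sha1"],                            # FCS_SSH_EXT.1.8
}
# Allowed outcomes; a negotiated value outside this set means config drift.
EVALUATED_ALLOW = {field: set(names) for field, names in SERVER_KEXINIT.items()}


def parse_name_list(text):
    """RFC 4251 name-list: comma-separated, no spaces, order is preference."""
    return [name for name in text.split(",") if name]


def negotiate(client_lists, server_lists):
    """RFC 4253 section 7.1: for each field take the first client algorithm
    that the server also supports; no match means the connection fails."""
    chosen = {}
    for field in ("kex", "hostkey", "cipher", "mac"):
        server_supported = set(server_lists[field])
        pick = next((alg for alg in client_lists[field] if alg in server_supported), None)
        if pick is None:
            raise ValueError(f"no common {field} algorithm; connection fails")
        chosen[field] = pick
    return chosen


def outside_evaluated_config(chosen):
    """Fields whose negotiated algorithm is not in the ST's claimed set."""
    return sorted(field for field, alg in chosen.items() if alg not in EVALUATED_ALLOW[field])


# Constructed client proposal resembling a current OpenSSH client (assumed, not measured).
MODERN_CLIENT = {
    "kex": parse_name_list(
        "curve25519-sha256,diffie-hellman-group14-sha256,diffie-hellman-group14-sha1"),
    "hostkey": parse_name_list("ssh-ed25519,rsa-sha2-256,ssh-rsa"),
    "cipher": parse_name_list("chacha20-poly1305@openssh.com,aes128-ctr,aes128-cbc,aes256-cbc"),
    "mac": parse_name_list("hmac-sha2-256,hmac-sha1"),
}

# Constructed drifted server: someone enabled aes128-ctr ahead of the evaluated ciphers.
DRIFTED_SERVER = dict(SERVER_KEXINIT, cipher=["aes128-ctr"] + SERVER_KEXINIT["cipher"])


if __name__ == "__main__":
    print(negotiate(MODERN_CLIENT, SERVER_KEXINIT))
    print(outside_evaluated_config(negotiate(MODERN_CLIENT, DRIFTED_SERVER)))
```

Two interoperability caveats follow from the evaluated lists: OpenSSH 8.8 and later disable the `ssh-rsa` (SHA-1) signature scheme by default, so current clients reject this host key unless it is explicitly re-enabled, and TLS 1.0 (the only TLS version in FCS_TLS_EXT.1.1 above) is deprecated by RFC 8996. Neither changes what the ST claims; both matter when reproducing the evaluated configuration today.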
44. HMAC-SHA-256 KAT: The HMAC algorithm takes a known value and hashes it with a hard-coded HMAC key. The result is then compared to the expected value hard-coded in the module. If the values differ, the test fails; if they are the same, the test passes.
d) RBG KAT: A known seed value is used to initialize the RBG. A block of random data is then generated and compared to a pre-generated value. If these values are the same, the test passes; otherwise, the test fails.
Conditionally, during normal operation:
1. Continuous RBG Test: When a new random number is generated, it is first compared to the previously generated random number block. If they are equal, the test fails. If they differ, the test passes, and the new random number is passed to the caller and stored in order to be compared to the next random number block.
If any of these tests fail, the TOE will enter a critical error state: the TOE's Fault LED will illuminate, and the TOE will require the administrator to clear the error condition by rebooting the TOE. While the TOE is in the error state, data output and cryptographic services are inhibited for untrusted interfaces until the error condition is cleared. Since these tests cover all of the TOE's critical functions, since they are performed both at power-up and periodically during normal operation, and since they ensure that the TOE will enter a critical error state in which data output is inhibited if any of the tests fail, t
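The self-test description above is a state machine: power-up known-answer tests, a continuous comparison on every RBG output, and a sticky error state that inhibits cryptographic output until a reboot clears it. The following is an added example written for this page, not the TOE's firmware. The HMAC-SHA-256 vector is the published RFC 4231 test case 1; the RBG is a stand-in (HMAC-SHA-256 in counter mode, an assumption, not the TOE's ANSI X9.31 AES generator), and the seeds are constructed. It also applies the FIPS 140-2 rule that the first block after start-up is saved for comparison but never handed to a caller, which the ST text above does not spell out.

```python
"""Power-up KATs, continuous RBG test and error state, modelled on the ST's self-test
description. Added example, not TOE code. The RBG is a stand-in (assumption).
"""
import hashlib
import hmac

BLOCK_LEN = 16  # bytes per RBG output block compared by the continuous test

# HMAC-SHA-256 KAT vector: RFC 4231 test case 1 (published, not TOE data).
HMAC_KAT_KEY = bytes([0x0B] * 20)
HMAC_KAT_DATA = b"Hi There"
HMAC_KAT_EXPECTED = bytes.fromhex(
    "b0344c61d8db38535ca8afceaf0bf12b881dc200c9833da726e9376c2e32cff7")


def stand_in_rbg(seed, counter):
    """Deterministic stand-in for the TOE's X9.31 AES RBG: HMAC-SHA-256 of a counter.
    Only its determinism matters here; this is NOT an approved DRBG construction."""
    return hmac.new(seed, counter.to_bytes(4, "big"), hashlib.sha256).digest()[:BLOCK_LEN]


# RBG KAT: constructed known seed and the block the generator must produce from it.
# A real module hard-codes the expected block; it is derived once here only because
# the generator itself is a stand-in.
RBG_KAT_SEED = b"constructed-kat-seed"
RBG_KAT_EXPECTED = stand_in_rbg(RBG_KAT_SEED, 0)


class SelfTestError(Exception):
    """Raised when output is requested in, or a test drives the module into, the error state."""


class CryptoModule:
    def __init__(self, seed, rbg=stand_in_rbg):
        self.seed = seed
        self.rbg = rbg              # injectable so a stuck generator can be simulated
        self.counter = 0
        self.last_block = None      # previous RBG block for the continuous test
        self.fault_led = False      # True = critical error state, output inhibited

    def hmac_kat(self):
        got = hmac.new(HMAC_KAT_KEY, HMAC_KAT_DATA, hashlib.sha256).digest()
        return hmac.compare_digest(got, HMAC_KAT_EXPECTED)

    def rbg_kat(self):
        return hmac.compare_digest(self.rbg(RBG_KAT_SEED, 0), RBG_KAT_EXPECTED)

    def power_up_self_test(self):
        """All KATs must pass; any failure enters the error state."""
        if self.hmac_kat() and self.rbg_kat():
            return True
        self._enter_error_state()
        return False

    def _next_raw_block(self):
        block = self.rbg(self.seed, self.counter)
        self.counter += 1
        return block

    def random_block(self):
        """Continuous RBG test: a block equal to the previous one is a failure."""
        if self.fault_led:
            raise SelfTestError("critical error state: cryptographic output inhibited")
        if self.last_block is None:
            # FIPS 140-2: the first block after start-up is saved, never returned.
            self.last_block = self._next_raw_block()
        block = self._next_raw_block()
        if block == self.last_block:
            self._enter_error_state()
            raise SelfTestError("continuous RBG test failed: repeated output block")
        self.last_block = block
        return block

    def _enter_error_state(self):
        self.fault_led = True       # stays lit until the administrator reboots

    def reboot(self):
        self.fault_led = False
        self.last_block = None
        self.counter = 0


if __name__ == "__main__":
    m = CryptoModule(b"constructed-seed")
    print("power-up:", m.power_up_self_test(), "block:", m.random_block().hex())
```

Injecting the generator is what makes the failure path testable: a generator that returns the same block twice must light the fault LED and make every later `random_block()` call raise until `reboot()`, which is exactly the behaviour the ST describes for the error state.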
45. Curtiss-Wright Controls Defense Solutions
VPX3-685, CCA-685 Secure Routers
Versions: VPX3-685 A13014, VPX3-685 A13020 FC, VPX3-685 C23014 FC, VPX3-685 C23020 FC, and CCA-685 2820
Security Target
Evaluation Assurance Level (EAL): EAL2
Document Number: 828052
Document Version: 1.16
Prepared for: Curtiss-Wright Controls Defense Solutions, 333 Palladium Dr., Kanata, Ontario K2V 1A6, Canada. Phone: +1 613 599 9199. http://www.cwcdefense.com
Prepared by: Corsec Security, Inc., 13135 Lee Jackson Memorial Highway, Suite 220, Fairfax, VA 22033, United States of America. Phone: +1 703 267 6050. http://www.corsec.com
Security Target, Version 1.16, October 6, 2014
Table of Contents
1 Introduction: 1.1 Purpose; 1.2 Security Target and TOE References; 1.3 Product Overview; 1.4 TOE Overview; 1.5 TOE Environment; 1.6 TOE Description; 1.6.1 Physical Scope; 1.6.2 Logical Scope; 1.6.3 Product Features and Functionality Not Included in the TOE
2 Conformance Claims
3 Security Problem Definition
46. DH group key exchange implementation is based on RFC 2409. The TOE implements DH Groups 14 (2048-bit MODP), 1 (768-bit MODP), 2 (1024-bit MODP), and 5 (1536-bit MODP). Groups can be selected through the management interface. The TOE employs TLS in accordance with RFC 2246 and supports the following ciphersuites: TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA. The TOE enforces the Protected Communication TSF as follows. Encryption and decryption are provided using AES in CBC, ECB, CFB128, CTR and CMAC modes with 128-bit and 256-bit keys, in accordance with FIPS PUB 197, NIST SP 800-38A and NIST SP 800-38D. The TOE provides cryptographic signature services using DSA with key sizes of 2048 to 4096 bits and RSA (PKCS #1 v1.5 Signature Generation/Verification) with key sizes of 2048 to 4096 bits, in accordance with FIPS PUB 186-3 (Digital Signature Standard). Cryptographic hashing services are provided by SHA-1, SHA-256, SHA-384 and SHA-512, with message digest sizes of 160, 256, 384 and 512 bits, according to FIPS PUB 180-3 (Secure Hash Standard). Keyed-hash message authentication is performed using the same SHA algorithms and message digest sizes of 160, 256, 384 and 512 bits, according to FIPS PUB 198-1 (Keyed-Hash Message Authentication Code) and FIPS PUB 180-3 (Secure Hash Standard). The TOE generates asymmetric cryptographic keys using an ANSI X9.31 PRNG, with a generated key strength of 112 bits
47. This family defines the types of user authentication mechanisms supported by the TSF. This section defines the extended components for the FIA_UAU family.
Component Leveling: FIA_UAU_EXT User authentication: 5 (Figure 13: User authentication family decomposition)
FIA_UAU_EXT.5 Password-based Authentication Mechanism requires a local password-based authentication mechanism and the capability for passwords to expire. In addition, other authentication mechanisms can be specified.
Management: FIA_UAU_EXT.5: The following actions could be considered for the management functions in FMT: a) Reset user password by an administrator.
Audit: FIA_UAU_EXT.5: The following actions should be auditable if FAU_GEN.1 Security audit data generation is included in the ST: a) All use of the authentication mechanisms.
FIA_UAU_EXT.5 Password-based Authentication Mechanism
Hierarchical to: No other components.
FIA_UAU_EXT.5.1 The TSF shall provide a local password-based authentication mechanism, [selection: [assignment: other authentication mechanism(s)], none] to perform user authentication.
FIA_UAU_EXT.5.2 The TSF shall ensure that users with expired passwords are [selection: required to create a new password after correctly entering the ex
48. OE.TRUSTED_NETWORK_BOUNDARY: The TOE router controls the single access point to the trusted network, and there are no hostile entities on the trusted network side. Rationale: The TOE controls the single entry point to the trusted network. Entities on the trusted network are not hostile.
Every assumption is mapped to one or more objectives in the table above. This complete mapping demonstrates that the defined security objectives uphold all defined assumptions.
8.3 Rationale for Extended Security Functional Requirements
The extended requirements are defined in section 5. These SFRs exhibit functionality that can be easily documented in the ADV assurance evidence and thus do not require any additional Assurance Documentation.
8.4 Rationale for Extended TOE Security Assurance Requirements
There are no Extended SARs defined for this ST.
8.5 Security Requirements Rationale
The following discussion provides detailed evidence of coverage for each security objective.
8.5.1 Rationale for Security Functional Requirements of the TOE Objectives
Table 19: Objectives/SFRs Mapping (Objective; Requirements Addressing the Objective; Rationale)
O.DISPLAY_BANNER: The
49. 3.2 Organizational Security Policies; 3.3 Assumptions
4 Security Objectives: 4.1 Security Objectives for the TOE; 4.2 Security Objectives for the Operational Environment; 4.2.1 IT Security Objectives; 4.2.2 Non-IT Security Objectives
5 Extended Components Definition: 5.1 Extended TOE Security Functional Components; 5.1.1 Class FAU: Security Audit; 5.1.2 Class FCS: Cryptographic Support; 5.1.3 Class FIA: Identification and Authentication; 5.1.4 Class FPT: Protection of the TSF; 5.1.5 Class FTA: TOE Access; 5.1.6 Class IDS: Intrusion Detection Function; 5.2 Extended TOE Security Assurance Components
50. O.VERIFIABLE_UPDATES: The TOE will provide the capability to help ensure that any updates to the TOE can be verified by the administrator to be unaltered and (optionally) from a trusted source.
4.2 Security Objectives for the Operational Environment
4.2.1 IT Security Objectives
The following IT security objectives are to be satisfied by the environment.
Table 7: IT Security Objectives (Name: Description)
OE.NO_GENERAL_PURPOSE: There are no general purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE.
OE.PHYSICAL: Physical security, commensurate with the value of the TOE and the data it contains, is provided by the environment.
OE.TRUSTED_ADMIN: TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.
OE.TRUSTED_NETWORK_BOUNDARY: The TOE router controls the single access point to the trusted network, and there are no hostile entities on the trusted network side.
4.2.2 Non-IT Security Objectives
There are no non-IT environment security objectives.
5 Extended Components Definition
This
Groups 14 (2048-bit MODP), and [selection: 24 (2048-bit MODP with 256-bit POS), 19 (256-bit Random ECP), 20 (384-bit Random ECP), [assignment: other DH groups that are implemented by the TOE], no other DH groups].

Footnotes: RFC: Request for Comment. ESP: Encapsulating Security Payload. SA: Security Association. MB: Megabyte. IKE: Internet Key Exchange. DH: Diffie-Hellman.

FCS_IPSEC_EXT.1.6 The TSF shall ensure that all IKE protocols implement Peer Authentication using the [selection: DSA, rDSA, ECDSA] algorithm.

FCS_IPSEC_EXT.1.7 The TSF shall support the use of pre-shared keys (as referenced in the RFCs) for use in authenticating its IPsec connections.

FCS_IPSEC_EXT.1.8 The TSF shall support the following:
1. Pre-shared keys shall be able to be composed of any combination of upper and lower case letters, numbers, and special characters (that include: "!", "@", "#", "$", "%", "^", "&", "*", "(", and ")");
2. Pre-shared keys of 22 characters and [selection: [assignment: other supported lengths], no other lengths].

Dependencies: FCS_COP.1 Cryptographic operation

5.1.2.5 Family FCS_RBG_EXT: Random bit generation

Fam
IPSEC. This is a new family defined for the FCS Class.

Component Leveling: FCS_IPSEC_EXT IPsec 1 (Figure 8 IPsec family decomposition)

FCS_IPSEC_EXT.1 IPsec requires that IPsec be implemented as specified.

Management: FCS_IPSEC_EXT.1
a) There are no management activities foreseen.

Audit: FCS_IPSEC_EXT.1
The following actions should be auditable if FAU_GEN.1 Security audit data generation is included in the ST:
a) Failure to establish an IPsec SA;
b) Establishment/termination of an IPsec SA.

FCS_IPSEC_EXT.1 IPsec
Hierarchical to: No other components.

FCS_IPSEC_EXT.1.1 The TSF shall implement IPsec using the ESP protocol as defined by RFC 4303 using the cryptographic algorithms AES-CBC-128, AES-CBC-256 (both specified by RFC 3602), [selection: no other algorithms] and using IKEv1 as defined in RFCs 2407, 2408, 2409 and 4109, [selection: no other method] to establish the security association.

FCS_IPSEC_EXT.1.2 The TSF shall ensure that IKEv1 Phase 1 exchanges use only main mode.

FCS_IPSEC_EXT.1.3 The TSF shall ensure that IKEv1 SA lifetimes are able to be limited to 24 hours for Phase 1 SAs and 8 hours for Phase 2 SAs.

FCS_IPSEC_EXT.1.4 The TSF shall ensure that IKEv1 SA lifetimes are able to be limited to [assignment: number between 100-200] MB of traffic for Phase 2 SAs.

FCS_IPSEC_EXT.1.5 The TSF shall ensure that all IKE protocols implement
OE services available before an entity is identified and authenticated, as specified in FIA_UIA_EXT.1, respectively; Ability to configure the cryptographic functionality; Ability to update the TOE, and to verify the updates using the digital signature capability (FCS_COP.1(2)) and [no other functions].

Dependencies: FCS_COP.1(2) Cryptographic operation (for cryptographic signature)

FMT_SMR.1 Security roles
Hierarchical to: No other components.

FMT_SMR.1.1 The TSF shall maintain the roles: [Security Administrator, other authorized administrative roles as defined by administrators].

FMT_SMR.1.2 The TSF shall be able to associate users with roles.

Dependencies: FIA_UID.1 Timing of identification

6.2.6 Class FPT: Protection of the TSF

FPT_PTD_EXT.1(1) Management of TSF data (for reading of authentication data)
Hierarchical to: No other components.

FPT_PTD_EXT.1.1(1) The TSF shall prevent reading of the plaintext passwords.

Dependencies: No dependencies

FPT_PTD_EXT.1(2) Management of TSF data (for reading of all symmetric keys)
Hierarchical to: No other components.

FPT_PTD_EXT.1.1(2) The TSF shall prevent reading of all pre-shared keys, sy
ONALE 74
8.5.1 Rationale for Security Functional Requirements of the TOE 74
8.5.2 Security Assurance Requirements Rationale
8.5.3 Dependency Rationale
9 ... 82

Table of Figures
FIGURE 1 VPX3-685 SECURE ROUTER
FIGURE 2 DEPLOYMENT CONFIGURATION OF THE TOE
FIGURE 3 TOE PHYSICAL ...
FIGURE 4 EXTERNAL AUDIT TRAIL FAMILY DECOMPOSITION 19
FIGURE 5 CRYPTOGRAPHIC KEY MANAGEMENT FAMILY DECOMPOSITION 20
FIGURE 6 COMMUNICATIONS PROTECTION FAMILY DECOMPOSITION 21
FIGURE 7 HTTPS FAMILY DECOMPOSITION 21
FIGURE 8 IPSEC FAMILY DECOMPOSITION 22
FIGURE 9 RANDOM BIT GENERATION FAMILY DECOMPOSITION 23
FIGURE 10 SSH FAMILY DECOMPOSITION
FIGURE 11 TLS FAMILY DECOMPOSITION
FIGURE 12 PASSWORD MANAGEMENT FAMILY DECOMPOSITION 26
FIGURE 13 USER AUTHENTICATION FAMILY DECOMPOSITION
S_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384].

Dependencies: FCS_COP.1 Cryptographic operation

5.1.3 Class FIA: Identification and Authentication

Families in this class address the requirements for functions to establish and verify a claimed user identity. The extended family FIA_PMG_EXT Password management was modeled after various families and related components in Class FIA. The extended component FIA_UAU_EXT.5 Password-based authentication mechanism was modeled after FIA_UAU.5 Multiple authentication mechanisms. The extended family FIA_UIA_EXT User identification and authentication was modeled after both FIA_UAU.1 Timing of authentication and FIA_UID.1 Timing of identification.

5.1.3.1 Family FIA_PMG_EXT: Password management

Family Behaviour
This family defines the password complexity requirements that the TSF must enforce and must allow the administrator to configure.

Component Leveling: FIA_PMG_EXT Password management 1 (Figure 12 Password management family decomposition)

FIA_PMG_EXT.1 Password management defines p
FMT_MSA.1, ... FMT_MTD.1, FMT_SMF.1, FMT_SMR.1, FPT_PTD_EXT.1(1), FPT_PTD_EXT.1(2), FTA_SSL.3, FTA_SSL_EXT.1, FTA_TAB.1

7.1.7 Traffic Filter Firewall

The Traffic Filter Firewall TSF defines and enforces the UNAUTHENTICATED information flow control Security Functional Policy (SFP). The UNAUTHENTICATED SFP ensures that the TOE mediates all attempts by unauthenticated external IT entities to send and receive data through the TOE to each other. The TOE determines whether or not to allow an information flow based on each external IT entity's presumed address and any other relevant security attributes as defined by the administrators in the SFP. It also analyzes the data to determine whether its presumed source address, presumed destination address, protocol, and the interface on which it arrives and departs match the SFP rules. If the SFP rules allow the information flow to occur, then the data is passed out of the TOE on the appropriate interface; otherwise the data is discarded and a record of the event is logged.

TOE Security Functional Requirements Satisfied: FDP_IFC.1, FDP_IFF.1.

7.1.8 TSF Self Test

The TSF Self Test TSF ensures that the TOE verifies the correct operation of critical TOE functions at power-on and conditionally during TOE operation. The TOE performs the following self tests:

At power-on:
1. Software Integrity Test: The TOE checks the integrity of its software using SHA-1. The pre-boot secure firmware integ
SEC_EXT.1 IPsec, or FCS_SSH_EXT.1 SSH, FCS_HTTPS_EXT.1 HTTPS (if selected), FCS_TLS_EXT.1 TLS

5.1.2.3 Family FCS_HTTPS_EXT: HTTPS

Family Behaviour
Components in this family address the requirements for protecting communications using HTTPS. This is a new family defined for the FCS Class.

Component Leveling: FCS_HTTPS_EXT HTTPS 1 (Figure 7 HTTPS family decomposition)

FCS_HTTPS_EXT.1 HTTPS requires that HTTPS be implemented.

Management: FCS_HTTPS_EXT.1
a) There are no management activities foreseen.

Audit: FCS_HTTPS_EXT.1
The following actions should be auditable if FAU_GEN.1 Security audit data generation is included in the ST:
a) Failure to establish an HTTPS session;
b) Establishment/termination of an HTTPS session.

FCS_HTTPS_EXT.1 HTTPS
Hierarchical to: No other components.

FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that complies with RFC 2818.

FCS_HTTPS_EXT.1.2 The TSF shall implement the HTTPS protocol using TLS as specified in FCS_TLS_EXT.1.

Dependencies: FCS_TLS_EXT.1 TLS

5.1.2.4 Family FCS_IPSEC_EXT: IPsec

Family Behaviour
Components in this family address the requirements for protecting communications using
T.SCNVUL: Vulnerabilities introduced by non-TOE users may exist in the IT System the TOE monitors.
O.IDSCAN: The Scanner must collect and store static configuration information that might be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System.
Rationale: The TOE collects and stores static configuration information that might be indicative of the presence of a vulnerability.

T.TSF_FAILURE: Security mechanisms of the TOE may fail, leading to a compromise of the TSF.
O.TSF_SELF_TEST: The TOE will provide the capability to test some subset of its security functionality to ensure it is operating properly.
Rationale: The TOE tests its security functionality to ensure that it is operating properly. The TOE also ensures that the FIPS 140-2 approved mode of operation is enforced properly.

T.UNAUTHORIZED_ACCESS: A user may gain unauthorized access to the TOE data and TOE executable code. A malicious user, process, or external IT entity may masquerade as an authorized entity in order to gain unauthorized access to data or TOE resources. A malicious user, process, or external IT entity may misrepresent itself as the TOE to obtain identification and authentication data.
O.DISPLAY_BANNER: The TOE will display an advisory warning regarding use of the TOE.
Rationale: The TOE displays a banner informing the user of the consequences of misusing the TOE.
O.PROTECTED_COMMUNICATIONS: The TOE
TOE will display an advisory warning regarding use of the TOE.
FTA_TAB.1 Default TOE Access Banners
Rationale: The TOE displays an advisory notice and consent warning specified by the administrator before allowing an administrator to log in.

O.IDANLZ: The Analyzer must accept data from IDS Sensors or IDS Scanners and then apply analytical processes and information to derive conclusions about intrusions (past, present, or future).
IDS_ANL_EXT.1 Analyzer analysis
Rationale: The TOE accepts data from IDS Sensors or IDS Scanners and then applies analytical processes and information to derive conclusions about intrusions (past, present, or future).

O.IDSCAN: The Scanner must collect and store static configuration information that might be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System.
IDS_SDC_EXT.1 System Data Collection
Rationale: The TOE collects and stores static configuration information that might be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System.

O.IDSENS: The Sensor must collect and store information about all event
are able to log in and configure the TOE, and provide protections for logged-in administrators.

FIA_UAU.6 Re-authenticating: The TOE requires administrators to re-authenticate when they perform actions that might indicate the presence of a different human operator operating under the same credentials.

FIA_UAU.7 Protected Authentication Feedback: The TOE does not display the user's password as it is being typed at the authentication prompt.

FIA_UAU_EXT.5 Password-based Authentication Mechanism: The TOE supports the listed password-based authentication mechanisms.

FIA_UIA_EXT.1 User identification and authentication: The TOE allows no services to be performed on behalf of the user before he is identified and authenticated.

FMT_MSA.1 Management of security attributes: The TOE allows only authorized administrators the ability to perform administrative tasks on security attributes.

FMT_MTD.1 Management of TSF data: The TOE allows only administrators to manage TSF data.

FMT_SMF.1 Specification of Management Functions: The TOE provides administrators with the management functions required to perform their duties.

FMT_SMR.1 Security roles: The TOE provides the
FCS_COP.1(2) Cryptographic operation (for cryptographic signature)
Hierarchical to: No other components.

FCS_COP.1.1(2) The TSF shall perform cryptographic signature services in accordance with a [Digital Signature Algorithm (DSA) with a key size (modulus) of 2048 bits or greater, RSA Digital Signature Algorithm (rDSA) with a key size (modulus) of 2048 bits or greater] that meet the following: FIPS PUB 186-3, "Digital Signature Standard".

Dependencies: FCS_CKM.1 Cryptographic key generation; FCS_CKM.4 Cryptographic key destruction

FCS_COP.1(3) Cryptographic operation (for cryptographic hashing)
Hierarchical to: No other components.

FCS_COP.1.1(3) The TSF shall perform cryptographic hashing services in accordance with a specified cryptographic algorithm [SHA-1, SHA-256, SHA-384, SHA-512] and message digest sizes [160, 256, 384, 512] bits (struck-through refinement: and cryptographic key sizes [assignment: cryptographic key sizes]) that meet the following: FIPS Pub 180-3, "Secure Hash Standard".

Dependencies: FCS_CKM.1 Cryptographic key generation; FCS_CKM.4 Cryptographic key destruction

FCS_COP.1(4) Cryptographic operation (for keyed-hash message authentication)
Hierarchical to: No other components.

FCS_COP.1.1(4) The TSF shall perform k
XT.1.3 The TSF shall ensure that the SSH protocol implements a timeout period for authentication as defined in RFC 4252 of [assignment: timeout period], and provide a limit to the number of failed authentication attempts a client may perform in a single session to [assignment: maximum number of attempts] attempts.

FCS_SSH_EXT.1.4 The TSF shall ensure that the SSH protocol implementation supports the following authentication methods as described in RFC 4252: public key-based, password-based.

FCS_SSH_EXT.1.5 The TSF shall ensure that, as described in RFC 4253, packets greater than [assignment: number of bytes] bytes in an SSH transport connection are dropped.

FCS_SSH_EXT.1.6 The TSF shall ensure that the SSH transport implementation uses the following encryption algorithms: AES-CBC-128, AES-CBC-256, [selection: AEAD_AES_128_GCM, AEAD_AES_256_GCM, no other algorithms].

FCS_SSH_EXT.1.7 The TSF shall ensure that the SSH transport implementation uses SSH_RSA and [selection: PGP-SIGN-RSA, PGP-SIGN-DSS, no other public key algorithms] as its public key algorithm(s).

FCS_SSH_EXT.1.8 The TSF shall ensure that data integrity algorithms used in the SSH transport connection is
able Updates | FCS_COP.1(2) Cryptographic Operation (for cryptographic signature), FCS_COP.1(3) Cryptographic Operation (for cryptographic hashing), FPT_TUD_EXT.1 Trusted Update

7.1.1 Intrusion Detection

The Intrusion Detection function enables the TOE to collect data about network traffic on monitored networks, analyze the collected data for potential statistical and signature-based security violations, automatically react to detected potential security violations, and allow authorized administrators to review the collected data and analyses.

The TOE collects the following information about network traffic on all monitored networks:
- Date and time the network packet was observed
- Protocol type of the packet
- Packet source address and destination address

The TOE constantly analyzes collected data for potential security violations based on the network traffic's attributes, signatures and statistical models provided and periodically updated by Curtiss-Wright, and arbitrary rules created and managed by authorized administrators. When network traffic is deemed by the TOE to represent a potential security vio
al environment must be managed in accordance with assurance requirement documentation for delivery, operation, and user guidance. The following specific conditions are required to ensure the security of the TOE and are assumed to exist in an environment where this TOE is employed.

Table 5 Assumptions
Name | Description
A.NO_GENERAL_PURPOSE | It is assumed that there are no general-purpose computing capabilities (e.g., compilers or user applications) available on the TOE, other than those services necessary for the operation, administration and support of the TOE.
A.PHYSICAL | Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment.
A.TRUSTED_ADMIN | TOE Administrators are trusted to follow and apply all administrator guidance in a trusted manner.
A.TRUSTED_NETWORK_BOUNDARY | The TOE router controls the single access point to the trusted network, and there are no hostile entities on the trusted network side.

4 Security Objectives

Security objectives are concise, abstract statements of the intended solution to the problem defined by the security problem definition (see Section 3
assword complexity requirements and configuration options.

Management: FIA_PMG_EXT.1
The following actions could be considered for the management functions in FMT:
a) Configure password complexity options.

Audit: FIA_PMG_EXT.1
The following actions should be auditable if FAU_GEN.1 Security audit data generation is included in the ST:
a) Configuration of password complexity options.

FIA_PMG_EXT.1 Password management
Hierarchical to: No other components.

FIA_PMG_EXT.1.1 The TSF shall provide the following password management capabilities for administrative passwords:
1. Passwords shall be able to be composed of any combination of upper and lower case letters, numbers, and special characters (that include: "!", "@", "#", "$", "%", "^", "&", "*", "(", and ")");
2. Minimum password length shall be settable by the Security Administrator, and support passwords of 8 characters or greater;
3. Password composition rules specifying the types and number of required characters that comprise the password shall be settable by the Security Administrator;
4. Passwords shall have a maximum lifetime, configurable by the Security Administrator;
5. New passwords must contain a minimum of 4 character changes from the previous password.

Dependencies: No dependencies

5.1.3.2 Family FIA_UAU_EXT: User authentication

Family Behaviour
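The five capabilities of FIA_PMG_EXT.1.1 expressed as a checkable administrative password policy, as an added example that is not part of the Security Target or of Curtiss-Wright's software; the policy values, the restriction to letters, digits and the ten listed special characters, and the use of Levenshtein edit distance to measure "4 character changes" are assumptions, since the ST does not define the metric.

```python
"""Administrative password policy check modelled on FIA_PMG_EXT.1.1.

Added example, not Curtiss-Wright code. Policy fields map onto the five
capabilities: allowed character classes (1), an administrator-settable minimum
length of at least 8 (2), settable composition rules (3), a maximum lifetime (4)
and a minimum of 4 character changes from the previous password (5).
Assumptions: only letters, digits and the ten listed specials are accepted, and
"4 character changes" is measured as Levenshtein edit distance.
"""
import string
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Character classes named in FIA_PMG_EXT.1.1 item 1.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "special": set('!@#$%^&*()'),
}
ALLOWED = set().union(*CLASSES.values())


@dataclass
class PasswordPolicy:
    """Values a Security Administrator would set; defaults are illustrative."""
    min_length: int = 8
    required: dict = field(
        default_factory=lambda: {"upper": 1, "lower": 1, "digit": 1, "special": 1})
    max_lifetime: timedelta = timedelta(days=90)
    min_changes: int = 4

    def __post_init__(self):
        # Item 2: the administrator may raise the minimum but never below 8.
        if self.min_length < 8:
            raise ValueError("minimum password length must be 8 or greater")
        if any(cls not in CLASSES for cls in self.required):
            raise ValueError("unknown character class in composition rules")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: single-character insertions, deletions or
    substitutions needed to turn a into b (assumed meaning of 'changes')."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_password(policy: PasswordPolicy, new: str, previous: str = None) -> list:
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if any(ch not in ALLOWED for ch in new):
        problems.append("disallowed_char")                  # item 1
    if len(new) < policy.min_length:
        problems.append("too_short")                        # item 2
    for cls, needed in policy.required.items():             # item 3
        if sum(ch in CLASSES[cls] for ch in new) < needed:
            problems.append("composition:" + cls)
    if previous is not None and edit_distance(new, previous) < policy.min_changes:
        problems.append("too_similar")                      # item 5
    return problems


def password_expired(policy: PasswordPolicy, set_at: datetime, now: datetime) -> bool:
    """Item 4: a password older than the configured lifetime must be replaced
    (the TSS says this is enforced at the next successful login)."""
    return now - set_at >= policy.max_lifetime


if __name__ == "__main__":
    pol = PasswordPolicy(min_length=10)
    for pw, prev in [("Router#2014ok", None), ("router2014", None),
                     ("Router#2014oj", "Router#2014ok")]:
        print(pw, check_password(pol, pw, prev) or "ok")
```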
e with IPSec tunneling for secure communications channels
- Advanced standards-based cryptographic functions (encryption, decryption, and authentication)
- Network traffic analysis and intrusion detection with prevention system (IDS and IPS) functionality

1.4 TOE Overview

The TOE Overview summarizes the usage and major security features of the TOE. The TOE Overview provides a context for the TOE evaluation by identifying the TOE type, describing the TOE, and defining the specific evaluated configuration.

The hardware/software TOE is the VPX3-685/CCA-685 Secure Routers. It comprises the VPX3-685 secure router hardware, but does not include the enclosure in which it is installed nor the power supply to which it is connected. The TOE also includes the entire VPX3-685/CCA-685 Secure Routers software image, and all functions of the software image (excluding the features listed in Section 1.6.3) are included within the TOE boundary and can be configured for use by the TOE administrator. The SFRs in this Security Target make claims about a subset of the VPX3-685/CCA-685 Secure Routers' functionality; see Section 1.6.2 and Section 6 below for details of the specific security function claims.

The VPX3-685/CCA-685 provides several management and configuration interfaces. Remote administrators can conne
cal password-based authentication mechanism, RADIUS] to perform user authentication.

FIA_UAU_EXT.5.2 The TSF shall ensure that users with expired passwords are required to create a new password after correctly entering the expired password.

Dependencies: No dependencies

FIA_UAU.6 Re-authenticating
Hierarchical to: No other components.

FIA_UAU.6.1 The TSF shall re-authenticate the user under the conditions [when the user changes their password, no other conditions].

Dependencies: No dependencies

FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components.

FIA_UAU.7.1 The TSF shall provide only obscured feedback to the user while the authentication is in progress.

Dependencies: FIA_UAU.1 Timing of authentication

FIA_UIA_EXT.1 User Identification and Authentication
Hierarchical to: FIA_UAU.1, FIA_UID.1

FIA_UIA_EXT.1.1 The TSF shall allow no services on behalf of the user to be performed before the user is identified and authenticated.

FIA_UIA_EXT.1.2 The TSF shall require each user to be successfully identified and authenticated before allowing any other TSF-mediated actions on behalf of that user.

Dependencies: No dependencies

6.2
ct to a web-based management graphical user interface (GUI) over an HTTPS session, or use the CLI remotely over an SSH connection or SNMP v3. The command line interface (CLI) provides a robust CLI environment that uses commands similar to the existing industry standard. The web GUI provides a subset of the commands that are available from the CLI. Through these connections, administrators are able to configure and manage switching rules, access control lists (ACLs), and to create or modify the firewall rules to be enforced.

Figure 2 below illustrates the deployment configuration of the TOE.

[Figure 2 Deployment Configuration of the TOE. Elements shown: VPX-compliant custom chassis backplane; Local Management Workstation; External Syslog; Remote Management / VPN Client Workstation; NTP; RADIUS; TACACS+; Networked Clients and Servers.]

Footnotes: 10 See Section 1.6.3. 11 HTTPS: HyperText Transfer Protocol Secure. 12 SSH: Secure SHell. 13 SNMP: Simple Network Management Protocol.

1.5 TOE Environment

The TOE is a single custom 3U or 6U VPX form factor blade running a fully integrated software solution to provide switch, router, firewall, intrusion detection and prevention system, and VPN functiona
cted potential security violations, and allow authorized administrators to review the collected data and analyses.

1.6.2.2 Protected Communications

The Protected Communications TSF ensures that the three types of communications in which the TOE participates (TOE to remote administrator, TOE to remote TOE, and TOE to remote IT entity) are secure.

1.6.2.3 Residual Information Clearing

The Residual Information Clearing TSF ensures that data is not accidentally leaked into network packets or cryptographic CSPs by ensuring that any data object representing a network packet or CSP is destroyed when that data object is no longer needed.

1.6.2.4 Resource Availability

The Resource Availability TSF ensures that the TOE's resources supporting the administrative interfaces are not exhausted, causing failure of the TOE, by enforcing a quota on the number of simultaneous administrative connections.

1.6.2.5 System Monitoring

The System Monitoring TSF generates audit data, ensuring that sufficient information exists to allow Security Administrators to discover both intentional and unintentional problems with the configuration or operation of the TOE, and that the audit data is protected from compromise.

Footnote: CSP: Critical Security Parameter.
ction after a number of failed authentication attempts. The number is configurable through the CLI. The timeout period is thirty minutes. SSH utilizes 3DES-CBC, AES-CBC-128 and AES-CBC-256 for encryption. Password-based authentication methods are available and utilize ... as the authentication algorithm. Large packets are detected and handled by the OpenSSL module. The maximum packet size is 256KB, and such packets are handled according to RFC 4253. SSH management of the TOE is also capable of public key authentication.

The TOE implements SNMPv3 to protect communications between a client and the TOE. SNMPv3 utilizes encryption and decryption functions using AES in CBC and CTR modes. Cryptographic hashing services utilized for SNMPv3 communication between a client and the TOE use the SHA algorithm in accordance with FIPS Pub 180-3, "Secure Hashing".

The TOE implements IPsec to protect communication between the TOE and another authorized IT entity. The TOE restricts the ability to configure Confidentiality-Only ESP mode for IPsec, which is disabled. Both certificate and pre-shared key methods of IKE peer authentication are supported by the TOE. The TOE supports both manual-key IPsec and IKE v1/v2-based key negotiation for the IPsec implementation. The pre-shared key in IKE is used for authenticating the peer in the Phase 1 exchange of the IKE negotiation. The TOE implements the DH Groups key exchange available in OpenSSL 0.9.8r according to RFC 3526. IKE
cts audit and Sensor data.

T.MEDIAT: An unauthorized person may send impermissible information through the TOE which results in the exploitation of resources on the internal network.
O.MEDIAT: The TOE must mediate the flow of all information from users on a connected network to users on another connected network.
Rationale: The TOE mediates all information that flows to and from the protected network.

T.MISACT: Malicious activity by attackers who are not TOE users, such as introductions of Trojan horses and viruses, may occur on an IT System the TOE monitors.
O.IDSENS: The Sensor must collect and store information about all events that are indicative of inappropriate activity that may have resulted from misuse, access, or malicious activity of IT System assets and the IDS.
Rationale: The TOE collects audit and Sensor data.

T.MISUSE: Unauthorized accesses and activity by attackers who are not TOE users, indicative of misuse, may occur on an IT System the TOE monitors.
O.IDSENS: The Sensor must collect and store information about all events that are indicative of inappropriate activity that may have resulted from misuse, access, or malicious activity of IT System assets and the IDS.
Rationale: The TOE collects audit and Sensor data.

T.RESOURCE_EXHAUSTION: A process initiated by a TOE user or a non-TOE user may deny access to TOE services by exhausting critical resources on the TOE.
O.RESOURCE_AVAILABILITY: The TOE shal
users are required to set a new password after correctly authenticating with an expired and as yet unchanged password. The TOE does not provide the ability to view stored passwords. The TOE also prevents any user from reading any stored passwords by encrypting them. Passwords are stored as MD5 or SHA hash in RAM, SRAM, or EEPROM.

Unattended local or remote sessions are terminated after a configurable period of inactivity. A banner displaying configurable warning text is displayed to all users upon successful log in, but before any actions can be taken. No services are available to users before they are successfully identified and authenticated, and only the services for which a user is authorized are provided to that user.

The TOE implements 15 privilege levels, each of which provides access to more commands than the previous: privilege level 1 provides very basic commands and level 15 provides access to all commands. Level 15 privileges are limited to the TOE's root account and are disabled in the CC-evaluated configuration once the TOE has been set up. After initial set-up of the TOE, the Security Administrator role referred to in this ST is assumed to have privilege level 14 or 15. The privilege level of each command can be customized by the Security Administrator.

TOE Security Functional Requirements Satisfied: ...1, FIA_UAU.6, ...5, FMT_M
d subject information via a controlled operation if the following rules hold:

- Subjects on an internal network can cause information to flow through the TOE to another connected network if:
  o all the information security attribute values are unambiguously permitted by the information flow security policy rules, where such rules may be composed from all possible combinations of the values of the information flow security attributes, created by the authorized administrator;
  o the presumed address of the source subject, in the information, translates to an internal network address;
  o and the presumed address of the destination subject, in the information, translates to an address on the other connected network.

- Subjects on the external network can cause information to flow through the TOE to another connected network if:
  o all the information security attribute values are unambiguously permitted by the information flow security policy rules, where such rules may be composed from all possible combinations of the values of the information flow security attributes, created by the authorized administrator;
  o the presumed address of the source subject, in the information, translates to an external network address;
  o and the presumed address of the destination subject, in the information, translates to an address on the other connected network.

FDP_IFF.1.3 The TSF shall enforce the [none].
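The two FDP_IFF.1.2 rule sets above, together with the discard-and-log behaviour of the Traffic Filter Firewall in Section 7.1.7, as an added example that is not the TOE's code or the Security Target's: the topology (one constructed internal prefix behind eth0, everything else external behind eth1), the rule attributes and the log record shape are assumptions.

```python
"""Unauthenticated information-flow decision modelled on FDP_IFF.1.2.

Added example, not the TOE's code. Assumptions: two connected networks,
"internal" (one constructed prefix) and "external" (everything else), each
reached through one named interface; administrator rules permit a flow by
source prefix, destination prefix, protocol and arriving/departing interface.
A flow is allowed only if some rule unambiguously permits it, the presumed
source address is on the arriving network, and the presumed destination is on
the other connected network. Everything else is discarded and logged.
"""
import ipaddress
from dataclasses import dataclass

# Constructed topology (assumption, not the evaluated configuration).
INTERNAL = ipaddress.ip_network("10.1.0.0/16")
IFACE_NETWORK = {"eth0": "internal", "eth1": "external"}
OTHER = {"internal": "external", "external": "internal"}


@dataclass(frozen=True)
class Rule:
    src: str        # CIDR prefix the presumed source must fall in
    dst: str        # CIDR prefix the presumed destination must fall in
    proto: str      # "tcp", "udp", "icmp" or "any"
    in_iface: str   # interface on which the packet arrives
    out_iface: str  # interface on which it would depart


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    in_iface: str
    out_iface: str


def network_of(address: str) -> str:
    """Translate a presumed address to the connected network it belongs to."""
    return "internal" if ipaddress.ip_address(address) in INTERNAL else "external"


def rule_permits(rule: Rule, pkt: Packet) -> bool:
    """A rule permits a packet only when every attribute matches."""
    return (ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.in_iface == pkt.in_iface
            and rule.out_iface == pkt.out_iface)


def mediate(rules: list, pkt: Packet, log: list) -> tuple:
    """Apply the UNAUTHENTICATED SFP to one packet.

    Returns ("permit", "rule <n>") or ("discard", reason). Every discard is
    appended to `log`, mirroring the event record Section 7.1.7 requires."""
    arriving = IFACE_NETWORK[pkt.in_iface]
    # The presumed source must translate to an address on the network the
    # packet actually arrived from (the anti-spoofing part of FDP_IFF.1.2).
    if network_of(pkt.src) != arriving:
        reason = "presumed source address is not on the arriving network"
    # The destination must translate to the other connected network, and the
    # packet must be leaving through that network's interface.
    elif (network_of(pkt.dst) != OTHER[arriving]
          or IFACE_NETWORK[pkt.out_iface] != OTHER[arriving]):
        reason = "presumed destination is not on the other connected network"
    else:
        for n, rule in enumerate(rules):
            if rule_permits(rule, pkt):
                return ("permit", f"rule {n}")
        reason = "no rule unambiguously permits the flow"
    log.append({"packet": pkt, "reason": reason})
    return ("discard", reason)


if __name__ == "__main__":
    rules = [Rule("10.1.0.0/16", "0.0.0.0/0", "tcp", "eth0", "eth1")]
    events = []
    for p in [Packet("10.1.5.5", "198.51.100.7", "tcp", "eth0", "eth1"),
              Packet("10.1.9.9", "198.51.100.7", "tcp", "eth1", "eth0"),
              Packet("10.1.5.5", "198.51.100.7", "udp", "eth0", "eth1")]:
        print(p, mediate(rules, p, events))
```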
dentified and authenticated before allowing any other TSF-mediated actions on behalf of that user.

Dependencies: No dependencies

5.1.4 Class FPT: Protection of the TSF

This class contains families of functional requirements that relate to the integrity and management of the mechanisms that constitute the TSF and to the integrity of TSF data. The extended families FPT_PTD_EXT Management of TSF data and FPT_TUD_EXT Trusted update were modeled after various families and related components in Class FPT. The extended component FPT_TST_EXT.1 TSF self test was modeled after FPT_TST.1 TSF testing.

5.1.4.1 Family FPT_PTD_EXT: Management of TSF data

Family Behaviour
Components in this family address the requirements for managing and protecting TSF data, such as passwords and keys. This is a new family defined for the FPT Class.

Component Leveling: FPT_PTD_EXT Management of TSF data 1 (Figure 15 Management of TSF data family decomposition)

FPT_PTD_EXT.1 Management of TSF Data requires preventing selected TSF data from being read by any user or subject.

Management: FPT_PTD_EXT.1
a) There are no management activities fo
…a) No auditable events are foreseen.
IDS_RDR_EXT.1 Restricted data review
Hierarchical to: No other components.
IDS_RDR_EXT.1.1 The TSF shall be able to [selection: transmit the generated audit data indicative of a potential security violation to an external IT entity over a trusted channel defined in FTP_ITC.1; receive and store audit data indicative of a potential security violation from an external IT entity over a trusted channel defined in FTP_ITC.1].
Dependencies: FAU_GEN.1 Audit data generation.

5.1.6.4 Family IDS_SDC_EXT: System data collection
Family Behaviour: This family defines the requirements for recording the occurrence of intrusion detection events that take place under TSF control. This family identifies the level of system data collection, enumerates the types of events that shall be collected by the TSF, and identifies the minimum set of IDS-related information that should be provided within various IDS record types.
Component Leveling: IDS_SDC_EXT System data collection 1
Figure 22 System data collection family decomposition
IDS_SDC_EXT.1 System data collection defines the level of IDS events and specifies the list of data that shall be recorded in each record.
Management: IDS_SDC_EXT.1 a) There are no management activities…
…ecurity audit data generation is included in the ST: a) Minimal: Enabling and disabling of any of the analysis mechanisms.
IDS_ANL_EXT.1 Analyzer analysis
Hierarchical to: No other components.
IDS_ANL_EXT.1.1 The TSF shall perform the following analysis function(s) on all system data collected: a) [selection: statistical, signature, integrity]; and b) [assignment: other analytical functions].
IDS_ANL_EXT.1.2 The System shall record within each analytical result at least the following information: a) Date and time of the result, type of result, identification of data source; and b) [assignment: other security relevant information about the result].
Dependencies: IDS_SDC_EXT.1 System Data Collection; FPT_STM.1 Reliable Timestamps.

5.1.6.2 Family IDS_RCT_EXT: Analyzer react
Family Behaviour: This family defines the response to be taken in case of detected events indicative of a potential security violation.
Component Leveling: IDS_RCT_EXT Analyzer react 1
Figure 20 Analyzer react family decomposition
IDS_RCT_EXT.1 Analyzer react specifies actions the TSF shall take in case a potential security violation is detected.
Management: IDS_RCT_EXT.1…
…eneration algorithms.
FCS_CKM_EXT.4 Cryptographic Key Zeroization: The TOE zeroizes all plaintext secret and private keys and FIPS 140-2 CSPs when they are no longer needed.
FCS_COMM_PROT_EXT.1 Communications Protection: The TOE uses only approved communication encryption protocols.
FCS_COP.1(1) Cryptographic Operation (for data encryption/decryption): The TOE uses only approved algorithms for data encryption and decryption.
FCS_COP.1(2) Cryptographic Operation (for cryptographic signature): The TOE uses only approved algorithms for cryptographic signatures.
FCS_COP.1(3) Cryptographic Operation (for cryptographic hashing): The TOE uses only approved algorithms for cryptographic hashes.
FCS_COP.1(4) Cryptographic Operation (for keyed-hash message authentication): The TOE uses only approved algorithms for HMACs.
FCS_HTTPS_EXT.1 HTTPS: The TOE uses only standards-compliant implementations of the HTTPS and TLS protocols.
FCS_IPSEC_EXT.1 IPsec: The TOE uses only standards-compliant implementations of the IPsec protocol and that the IPsec…
FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation): …
Threat: …vulnerabilities or perform inappropriate activity which the TOE fails to identify based on association of IDS data received from all data sources.
Objective: O.IDANLZ The Analyzer must accept data from IDS Sensors or IDS Scanners and then apply analytical processes and information to derive conclusions about intrusions (past, present, or future).
Rationale: The TOE will recognize vulnerabilities or inappropriate activity from multiple data sources.

Threat: T.FALREC An attacker might introduce vulnerabilities or perform inappropriate activity which the TOE fails to recognize based on IDS data received from each data source.
Objective: O.IDANLZ The Analyzer must accept data from IDS Sensors or IDS Scanners and then apply analytical processes and information to derive conclusions about intrusions (past, present, or future).
Rationale: The TOE will recognize vulnerabilities or inappropriate activity from a data source.

Threat: T.INADVE Inadvertent activity and access by attackers who are not TOE users may occur on an IT System the TOE monitors.
Objective: O.IDSENS The Sensor must collect and store information about all events that are indicative of inappropriate activity that may have resulted from misuse, access, or malicious activity of IT System assets and the IDS.
Rationale: The TOE colle…
…es supporting the administrative interfaces are not exhausted, causing failure of the TOE, by enforcing maximum quotas on the number of simultaneous administrative connections. The maximum quotas per connection type are: SSH, 8 simultaneous connections; HTTPS, 10 simultaneous connections.
TOE Security Functional Requirements Satisfied: FRU_RSA.1.

7.1.5 System Monitoring
The System Monitoring TSF generates audit data, ensuring that sufficient information exists to allow Security Administrators to discover both intentional and unintentional problems with the configuration or operation of the TOE. Each audited event is associated with the specific local administrator or remote entity that caused the event, and each event also has a reliable time stamp provided by the TOE. The TOE audits many events and system operations documented in FAU_GEN.1, including but not limited to:
- startup and shutdown of the audit functions;
- all administrative actions;
- all use of the identification and authentication functions;
- failures of any TOE functions;
- requests for information flows mediated by the TOE.
The audit records are temporarily stored locally in a configurable number of rotating log files. Periodically, the TOE transmits the recorded audit data to an external syslog server for permanent storage and for review by the authorized administrator.
TOE Security Functional Requirements Satisfied: FAU_GEN.1, FAU_STG_EXT.1, …
… 27
FIGURE 14 USER IDENTIFICATION AND AUTHENTICATION FAMILY 27
FIGURE 15 MANAGEMENT OF TSF DATA FAMILY DECOMPOSITION
FIGURE 16 TSF TESTING FAMILY DECOMPOSITION
FIGURE 17 TRUSTED UPDATE FAMILY DECOMPOSITION
FIGURE 18 TSF INITIATED SESSION LOCKING FAMILY DECOMPOSITION 32
FIGURE 19 ANALYZER ANALYSIS FAMILY DECOMPOSITION 33
FIGURE 20 ANALYZER REACT FAMILY DECOMPOSITION 34
FIGURE 21 RESTRICTED DATA REVIEW FAMILY DECOMPOSITION 34
FIGURE 22 SYSTEM DATA COLLECTION FAMILY DECOMPOSITION 35

List of Tables
TABLE 1 ST AND TOE REFERENCES 5
TABLE 2 CC AND PP CONFORMANCE 12
TABLE 3 THREATS…
…eyed-hash message authentication in accordance with a specified cryptographic algorithm HMAC-SHA-1, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512, key sizes 160-bit, 256-bit, 384-bit, 512-bit, and message digest sizes 160, 256, 384, 512 bits [assignment: cryptographic key sizes] that meet the following: FIPS Pub 198-1, "The Keyed-Hash Message Authentication Code", and FIPS Pub 180-3, "Secure Hash Standard".
Dependencies: FCS_CKM.1 Cryptographic key generation; FCS_CKM.4 Cryptographic key destruction.

FCS_HTTPS_EXT.1 HTTPS
Hierarchical to: No other components.
FCS_HTTPS_EXT.1.1 The TSF shall implement the HTTPS protocol that complies with RFC 2818.
FCS_HTTPS_EXT.1.2 The TSF shall implement the HTTPS protocol using TLS as specified in FCS_TLS_EXT.1.
Dependencies: FCS_TLS_EXT.1 TLS.

FCS_IPSEC_EXT.1 IPsec
Hierarchical to: No other components.
FCS_IPSEC_EXT.1.1 The TSF shall implement IPsec using the ESP protocol as defined by RFC 4303, using the cryptographic algorithms AES-CBC-128 and AES-CBC-256 (both specified by RFC 3602) and no other algorithms, and using IKEv1 as defined in RFCs 2407, 2408, 2409 and 4109 and no other method to establish the security association.
FCS_IPSEC_EXT.1.2 …
38 RSA: Rivest, Shamir, Adleman. SHA: Secure Hash Algorithm.
…foreseen.
Audit: IDS_SDC_EXT.1 a) There are no auditable events foreseen.
IDS_SDC_EXT.1 System data collection
Hierarchical to: No other components.
IDS_SDC_EXT.1.1 The TSF shall be able to collect the following information from the targeted IT System resource(s): a) [selection: Start-up and shutdown, identification and authentication events, data accesses, service requests, network traffic, security configuration changes, data introduction, detected malicious code, access control configuration, service configuration, authentication configuration, accountability policy configuration, detected known vulnerabilities]; and b) [assignment: other specifically defined events].
IDS_SDC_EXT.1.2 At a minimum, the TSF shall collect and record the following information: a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and b) The additional information specified in the Details column of Table 9 below.

Table 9 IDS_SDC_EXT.1 Explicit SFR Definition Collected Events
Component: IDS_SDC_EXT.1; Event: Network traffic; Details: Protocol, source address, destination address.
Dependencies: FPT_STM.1 Reliable time stamps.
…hashing cryptographic hash algorithms.
FPT_TUD_EXT.1 Trusted Update: The TOE administrators can verify the installed version of the TOE software/firmware and can verify the integrity and authenticity of software/firmware updates prior to installing them.

8.5.2 Security Assurance Requirements Rationale
EAL2 was chosen by the ST authors in order to provide a low to moderate level of assurance that is consistent with good commercial practices. Minimal additional tasks are placed upon the vendor, assuming the vendor follows reasonable software engineering practices and can provide support to the evaluation for design and testing efforts. The chosen assurance level is appropriate for the threats defined for the environment. At EAL2, the TOE will have incurred a search for obvious flaws to support its introduction into the non-hostile environment. The augmentation of ALC_FLR.2 was chosen to give greater assurance of the developer's on-going flaw remediation processes.

8.5.3 Dependency Rationale
The SFRs in this ST satisfy all of the required dependencies listed in the Common Criteria and the SFRs explicitly stated in this ST. Table 20 lists each requirement to which the TOE claims conformance and indicates whether the dependent requirements are included. As the table indicates, all dependencies have been met.

Table 20 Functional Requirements Dependencies
SFR ID | Dependencies | Dependency Met | Rationale
FAU_GEN.1 | …
…he security functions satisfy the necessary requirements.

Table 14 Mapping of TOE Security Functions to Security Functional Requirements
TOE Security Function | SFR ID | Description
Intrusion Detection:
- IDS_ANL_EXT.1 Analyzer analysis
- IDS_RCT_EXT.1 Analyzer react
- IDS_RDR_EXT.1 Restricted Data Review
- IDS_SDC_EXT.1 System Data Collection
Protected Communications:
- FCS_CKM.1 Cryptographic Key Generation (for asymmetric keys)
- FCS_CKM_EXT.4 Cryptographic Key Zeroization
- FCS_COMM_PROT_EXT.1 Communications Protection
- FCS_COP.1(1) Cryptographic Operation (for data encryption/decryption)
- FCS_COP.1(2) Cryptographic Operation (for cryptographic signature)
- FCS_COP.1(3) Cryptographic Operation (for cryptographic hashing)
- FCS_COP.1(4) Cryptographic Operation (for keyed-hash message authentication)
- FCS_HTTPS_EXT.1 HTTPS
- FCS_IPSEC_EXT.1 IPsec
- FCS_RBG_EXT.1 Cryptographic Operation (Random Bit Generation)
- FCS_SSH_EXT.1 SSH
- FCS_TLS_EXT.1 TLS
- FPT_PTD_EXT.1(2) Management of TSF Data (for reading of all symmetric keys)
- FPT_RPL.1 Replay Detection
- FTP_ITC.1 Inter-TSF Trusted Channel (prevention of disclosure)
…hese tests are sufficient to demonstrate that the TSF is operating correctly at any point in time.
TOE Security Functional Requirements Satisfied: FPT_TST_EXT.1.

7.1.9 Verifiable Updates
The Verifiable Updates TSF enables the administrator to ensure that software or firmware updates are unmodified and are authentic before installation. Software and firmware updates are cryptographically hashed and signed using FIPS 140-2 approved hashing and signing algorithms and verified by the TOE's FIPS 140-2 validated cryptographic module. Administrators can retrieve the published cryptographic hash for the update from Curtiss-Wright and then verify the update's hash via the TOE before installation, to be assured that the update was not corrupted or modified during storage or transit.

In order to initiate the update process, the administrator determines which of several update methods he wishes to use. These methods are detailed in the VPX3-685 Secure Ethernet Router User's Manual, Chapter 6, and generally involve powering off the TOE, physically installing several jumpers on the TOE's main board, and then booting the TOE into the desired update mode of operation. When the administrator supplies the TOE with the desired firmware update file, the TOE checks the digital signature on the update file and will only install the update if the signature is from Curtiss-Wright. The special portion of the TOE firmware that checks the signature and conducts the update cann…
1.6.2.6 TOE Administration
The TOE Administration TSF provides a trusted means for administrators to interact with the TOE for management purposes via the TOE's web GUI (secured via the HTTPS protocol), CLI (protected via the SSH protocol), or the SNMP v3 protocol. These interfaces are protected to mitigate threats of administrator impersonation, account compromise, or accidental access by unwitting users.

1.6.2.7 Traffic Filter Firewall
The Traffic Filter Firewall TSF defines and enforces the UNAUTHENTICATED information flow control Security Functional Policy (SFP). This SFP ensures that the TOE mediates all attempts by unauthenticated external IT entities to send and receive data through the TOE to each other.

1.6.2.8 TSF Self Test
The TSF Self Test TSF ensures that the TOE verifies the correct operation of critical TOE functions at power-on.

1.6.2.9 Verifiable Updates
The Verifiable Updates TSF enables the administrator to ensure that software or firmware updates are unmodified and are authentic before installation.

1.6.3 Product Features and Functionality Not Included in the TSF
All product functionality and features of the VPX3-685 and CCA-685 are included in the TSF.
HTTPS: Secure Hypertext Transport Protocol. 19 SNMP: Simple Network Management Protocol.
…ilable upon the deallocation of the resource from all objects.
Dependencies: No dependencies.

6.2.4 Class FIA: Identification and Authentication
FIA_PMG_EXT.1 Password Management
Hierarchical to: No other components.
FIA_PMG_EXT.1.1 The TSF shall provide the following password management capabilities for administrative passwords:
1. Passwords shall be able to be composed of any combination of upper and lower case letters, numbers, and special characters that include 717 P 007 tg te and;
2. Minimum password length shall be settable by the Security Administrator, and shall support passwords of 8 characters or greater;
3. Password composition rules specifying the types and number of required characters that comprise the password shall be settable by the Security Administrator;
4. Passwords shall have a maximum lifetime configurable by the Security Administrator;
5. New passwords must contain a minimum of 4 character changes from the previous password.
Dependencies: No dependencies.

FIA_UAU_EXT.5 Password-based Authentication Mechanism
Hierarchical to: No other components.
FIA_UAU_EXT.5.1 The TSF shall provide a lo…
…ily Behaviour: Components in this family address the requirements for random number/bit generation. This is a new family defined for the FCS Class.
Component Leveling: FCS_RBG_EXT Random bit generation 1
Figure 9 Random bit generation family decomposition
FCS_RBG_EXT.1 Random Bit Generation requires random bit generation to be performed in accordance with selected standards and seeded by an entropy source. It was modeled after FCS_COP.1.
Management: FCS_RBG_EXT.1 a) There are no management activities foreseen.
Audit: FCS_RBG_EXT.1 The following actions should be auditable if FAU_GEN Security audit data generation is included in the ST: a) Failure of the randomization process.
FCS_RBG_EXT.1 Random bit generation
Hierarchical to: No other components.
FCS_RBG_EXT.1.1 The TSF shall perform all random bit generation (RBG) services in accordance with [selection, choose one of: NIST Special Publication 800-90 using [selection: Hash_DRBG (any), HMAC_DRBG (any), CTR_DRBG (AES), Dual_EC_DRBG]; FIPS PUB 140-2 Annex C: X9.31 Appendix 2.4 using AES] seeded by an entropy source that accumulated entropy from at least one independent TSF-hardware-based noise source.
29 NIST: National Institute of Standards and Technology. 30 FIPS: Federal Information Processing Standard. 31 PUB: Publication.
…inition; ASE_TSS.1 TOE summary specification.
Class ALC: Life Cycle Support: ALC_CMC.2 Use of a CM system; ALC_CMS.2 Parts of the TOE CM coverage; ALC_DEL.1 Delivery procedures; ALC_FLR.2 Flaw reporting procedures.
Class ADV: Development: ADV_ARC.1 Security architecture description; ADV_FSP.2 Security-enforcing functional specification; ADV_TDS.1 Basic design.
Class AGD: Guidance documents: AGD_OPE.1 Operational user guidance; AGD_PRE.1 Preparative procedures.
Class ATE: Tests: ATE_COV.1 Evidence of coverage; ATE_FUN.1 Functional testing; ATE_IND.2 Independent testing (sample).
Class AVA: Vulnerability assessment: AVA_VAN.2 Vulnerability analysis.

7 TOE Summary Specification
This section presents information to detail how the TOE meets the functional requirements described in previous sections of this ST.

7.1 TOE Security Functions
Each of the security requirements and the associated descriptions correspond to the security functions. Hence, each function is described by how it specifically satisfies each of its related requirements. This serves both to describe the security functions and to rationalize that t…
…ironment, which identifies and explains all:
- Known and presumed threats countered by either the TOE or by the security environment;
- Organizational security policies with which the TOE must comply;
- Assumptions about the secure usage of the TOE, including physical, personnel, and connectivity aspects.

3.1 Threats to Security
This section identifies the threats to the assets against which protection is required by the TOE or by the security environment. The threat agents are divided into two categories:
- Attackers who are not TOE users: They have public knowledge of how the TOE operates and are assumed to possess a low skill level, limited resources to alter TOE configuration settings or parameters, and no physical access to the TOE.
- TOE users: They have extensive knowledge of how the TOE operates and are assumed to possess a high skill level, moderate resources to alter TOE configuration settings or parameters, and physical access to the TOE. (TOE users are, however, assumed not to be willfully hostile to the TOE.)
Both are assumed to have a low level of motivation. The IT assets requiring protection are the TSF and user data saved on or transitioning through the TOE and the hosts on the protected network. Removal, diminution, and mitigation of the threats are through the objectives identified in Section 4, Security Objectives. The following threats are applicable:

Table 3 Threats
Name | Description
T.ADMIN_ERROR | An admi…
2 Conformance Claims
This section provides the identification for any CC Protection Profile (PP) and EAL package conformance claims. Rationale is provided for any extensions or augmentations to the conformance claims. Rationale for CC and PP conformance claims can be found in Section 8.1.

Table 2 CC and PP Conformance
Common Criteria (CC) Identification and Conformance: Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 3, July 2009; CC Part 2 extended; CC Part 3 conformant; Parts 2 and 3 Interpretations of the Common Evaluation Methodology (CEM) as of July 22, 2011 were reviewed, and no interpretations apply to the claims made in this ST.
PP Identification: …
Evaluation Assurance Level: EAL2 augmented with Flaw Remediation (ALC_FLR.2).

3 Security Problem
This section describes the security aspects of the environment in which the TOE will be used and the manner in which the TOE is expected to be employed. It provides the statement of the TOE security env…
…ister the TOE.

Threat: T.UNAUTHORIZED_UPDATE A malicious party attempts to supply the end user with an update to the product that may compromise the security features of the TOE.
Objective: O.VERIFIABLE_UPDATES The TOE will provide the capability to help ensure that any updates to the TOE can be verified by the administrator to be unaltered and (optionally) from a trusted source.
Rationale: The TOE allows the administrator to verify the integrity and authenticity of updates prior to installing them.

Threat: T.UNDETECTED_ACTIONS Malicious remote users or external IT entities may take actions that adversely affect the security of the TOE. These actions may remain undetected and thus their effects cannot be effectively mitigated.
Objective: O.SYSTEM_MONITORING The TOE will provide the capability to generate audit data and send those data to an external IT entity.
Rationale: The TOE audits all administrative and authentication activities.
Objective: O.TOE_ADMINISTRATION The TOE will provide mechanisms to ensure that only administrators are able to log in and configure the TOE, and provide protections for logged-in administrators.
Rationale: The TOE ensures that administrators, and only administrators, may administer the TOE.

Threat: T.USER_DATA_REUSE User data may be inadvertently sent to a destination not intended by the original sender.
Objective: O.RESIDUAL_INFORMATION_CLEARING The TOE will ensure that any data contained in a protected resource is not available when the resource…
…it key, encrypted with KEK | Generated internally | Never output | Plaintext in RAM, SRAM or EEPROM | By command, power cycle, or reboot; Procedure: overwrite with zeros | Encrypt and decrypt the data on flash
HMAC key | AES 256-bit key | Generated internally | Never output | Plaintext in RAM | By command, power cycle, or reboot; Procedure: overwrite with zeros | Message Authentication with SHS
Admin/User Password | Plaintext password | Entered by user | Never output | Plaintext in RAM, SRAM or EEPROM | By command; Procedure: overwrite with zeros | Login for module management
DRBG seed | Random value | Generated internally | Never output | Plaintext in RAM | By command, power cycle, or reboot; Procedure: overwrite with zeros | Seed input to ANSI X9.31 Appendix 2.4 (using AES) PRNG

In order to ensure that the integrity and usefulness of the audit log is not compromised, the TOE securely transmits the audit log to an external syslog server. The TOE includes an anti-replay feature which detects and prevents replay attacks. Packets transmitted using the IPsec, TLS, SNMPv3, and SSH protocols that are associated with a replay will be rejected by the TOE once the replay has been detected.
TOE Security Functional Requirements Satisfied: FCS_COMM_PROT_EXT.1, FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4), FCS_HTTPS_EXT.1, FCS_IPSEC_EXT.1, FCS_SSH_EXT.1, FCS_TLS_EXT.1, FPT_PTD_EXT.1(2), FPT_RPL.1, FTP_ITC.1.
…ith Software Version 606163 200 REL2 0 0; VPX3 685 C23014 FC with Software Version 605714 200 REL2 0 0; VPX3 685 C23020 FC with Software Version 606163 200 REL2 0 0; CCA 685 C2820 with Software Version 606163 210 REL2 1 0.

Purpose
This ST is divided into nine sections, as follows:
- Introduction (Section 1): Provides a brief summary of the ST contents and describes the organization of other sections within this document. It also provides an overview of the TOE security functions and describes the physical and logical scope for the TOE, as well as the ST and TOE references.
- Conformance Claims (Section 2): Provides the identification of any CC Protection Profile and Evaluation Assurance Level (EAL) package claims. It also identifies whether the ST contains extended security requirements.
- Security Problem (Section 3): Describes the threats, organizational security policies, and assumptions that pertain to the TOE and its environment.
- Security Objectives (Section 4): Identifies the security objectives that are satisfied by the TOE and its environment.
- Extended Components (Section 5): Identifies new components (extended Security Functional Requirements (SFRs) and extended Security Assurance Requirements (SARs)) that are not included in CC Part 2 or CC Part 3.
- Security Requirements (Section 6): Presents the SFRs and SARs met by the TOE.
- TOE Summary Specification (Section 7): Describes the security functions pro…
…ject identity, and the outcome (success or failure) of the event; and b) The additional information specified in the Details column of Table 12 below.

Table 12 IDS_SDC Collected Events
Component | Event | Details
IDS_SDC | Network traffic | Protocol, source address, destination address
Dependencies: FPT_STM.1 Reliable time stamps.

6.3 Security Assurance Requirements
This section defines the assurance requirements for the TOE. Assurance requirements are taken from the CC Part 3 and are EAL 2 augmented with ALC_FLR.2. Table 13 summarizes the requirements.

Table 13 EAL2 Assurance Requirements
Assurance Requirements
Class ASE: Security Target: ASE_CCL.1 Conformance claims; ASE_ECD.1 Extended components definition; ASE_INT.1 ST introduction; ASE_OBJ.2 Security objectives; ASE_REQ.2 Derived security requirements; ASE_SPD.1 Security problem def…
…key destruction.
FCS_CKM_EXT.4 Cryptographic Key Zeroization
Hierarchical to: No other components.
FCS_CKM_EXT.4.1 The TSF shall zeroize all plaintext secret and private cryptographic keys and CSPs when no longer required.
Dependencies: FCS_CKM.1 Cryptographic key generation.

FCS_COMM_PROT_EXT.1 Communications Protection
Hierarchical to: No other components.
FCS_COMM_PROT_EXT.1.1 The TSF shall protect communications using IPsec, SSH, and TLS/HTTPS.
Dependencies: FCS_IPSEC_EXT.1 IPsec, or FCS_SSH_EXT.1 SSH, FCS_HTTPS_EXT.1 HTTPS (if selected), FCS_TLS_EXT.1 TLS.

FCS_COP.1(1) Cryptographic operation (for data encryption/decryption)
Hierarchical to: No other components.
FCS_COP.1.1(1) The TSF shall perform encryption and decryption in accordance with a specified cryptographic algorithm AES operating in CBC modes and cryptographic key sizes [assignment: cryptographic key sizes] 128 bits, 256 bits, and 192 bits that meet the following: FIPS PUB 197 "Advanced Encryption Standard (AES)", NIST SP 800-38A, NIST SP 800-38D.
Dependencies: FCS_CKM.1 Cryptographic key generation; FCS_CKM.4 Cryptographic key destruction.
32 ANSI: American National Standards Institute. 33 CSP: Critical Security Parameter(s). 34 AES: Advanced Encryption Standard. 35 CBC: Cipher Block Chaining. 36 CTR: Counter. 37 SP: Special Publication.
…l provide mechanisms that mitigate user attempts to exhaust TOE resources (e.g., persistent storage).
Rationale: The TOE mitigates attempts, intentional or unintentional, to exhaust critical TOE resources.

Threat: T.SCNCFG Improper security configuration settings created by non-TOE users may exist in the IT System the TOE monitors.
Objective: O.IDSCAN The Scanner must collect and store static configuration information that might be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System.
Rationale: The TOE collects and stores static configuration information that might be indicative of a configuration setting change.

Threat: T.SCNMLC Users could execute malicious code on an IT System that the TOE monitors which causes modification of the IT System protected data or undermines the IT System security functions.
Objective: O.IDSCAN The Scanner must collect and store static configuration information that might be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System.
Rationale: The TOE collects and stores static configuration information that might be indicative of the presence of malicious code.
…lation, an alert is generated and logged for administrative review, and other actions can also be taken as configured by the administrator, such as sending an SNMP trap. The TOE protects the collected data from review by anyone except those administrators who have been granted permission to view it.
TOE Security Functional Requirements Satisfied: IDS_ANL_EXT.1, IDS_RCT_EXT.1, IDS_RDR_EXT.1, IDS_SDC_EXT.1.

7.1.2 Protected Communications
The Protected Communications TSF ensures that all types of communications in which the TOE participates are secure. These types of communications are:
1. The TOE communicating with a remote administrator;
2. The TOE communicating with another IT entity that is not another instance of the TOE.
Since plaintext communication with the TOE might allow critical data such as passwords, configuration settings, or routing data to be intercepted, disclosed, manipulated, modified, or replayed by intermediate systems, the TOE implements a FIPS 140-2 validated cryptographic module and uses it to encrypt and, when appropriate, digitally sign all such critical communications. Specifically, the HTTPS and SSH protocols and SNMPv3 secure mechanisms are used to protect administrative communication sessions. Each secure session is distinguished by session information which is protected by the session protocol (HTTPS, SSH, or SNMP). The administrator can access the module via the CLI or the Web Interface. The administrator uses secure pipes or tunne…
lities. The TOE must be embedded inside a VPX-compliant custom chassis and requires a 5 V and/or 3.3 V power supply. The TOE stores all audit records in non-volatile memory. Audit records must be transferred to a syslog server in the IT environment for viewing by administrators. The TOE needs the following environmental components in order to function properly:
- a VPX-compliant custom chassis
- a power supply
- an administrator workstation with an SSH/HTTPS client
- an external syslog server

The TOE is intended to be deployed in secure military environments that protect physical access to the TOE. The TOE is intended to be managed by administrators operating under a consistent security policy.

1.6 TOE Description

This section primarily addresses the physical and logical components of the TOE included in the evaluation.

1.6.1 Physical Scope

Figure 3 below illustrates the physical scope and the physical boundary of the overall solution and ties together all of the components of the TOE and the constituents of the TOE Environment.

[Figure 3: TOE Physical Boundary. Components shown: VPX-compliant custom chassis and backplane; local management workstation; external syslog; remote management workstation; VPN client; RADIUS; TACACS; networked clients and servers.]

The TOE boundary includes the VPX3-685/CCA-685 hardware, firmware and software. The TOE boundary does not encompass the VPX-compliant custom chassis or power supply.
ls with HTTPS, SSH or SNMPv3 secure mechanisms. Each administrator must authenticate using the user ID and password, or the certificates associated with the correct protocol, in order to set up the secure tunnel. The TOE then follows the appropriate protocol to distinguish between simultaneous administrators. Each session remains active (logged in) and secured using the tunneling protocol until the administrator logs out.

In order for Security Administrators to administer the TOE using HTTPS, the secure HTTP server available on the TOE requires a certificate to be generated and installed prior to enabling the secure HTTP server. The web browser with which the remote administrator authenticates must accept the certificate offered by the secure HTTP server in order to establish the connection. Security Administrators are also required to provide proper identification and authentication in order to access the Web Interface.

The TOE implements SSH to protect communication between an administrator using the CLI and the TOE. The TOE rekeys an SSH connection before more than 2^28 packets have been sent with a given key; no configuration is required to achieve this. The TOE drops an SSH session conne
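The two transport-level controls described above, the 2^28-packet rekey limit and dropping of oversized packets, are shown below in an added Go example. It is illustrative code written for this page, not the TOE's firmware or any Curtiss-Wright code, and it works on an already-decrypted RFC 4253 binary packet with the MAC removed. The 262144-byte ceiling on packet_length is an assumption here (RFC 4253 section 6.1 itself only obliges an implementation to accept 35000-byte packets); the constants and names are all hypothetical.

```go
package main

import (
	"encoding/binary"
	"errors"
)

// Limits applied to the transport. MaxPacketLength is an assumed ceiling on
// the packet_length field; RekeyPacketLimit is the 2^28 packets after which
// the connection must be rekeyed before another packet may use the key.
const (
	MaxPacketLength  = 262144
	RekeyPacketLimit = uint64(1) << 28
	minPadding       = 4 // RFC 4253 section 6: at least four bytes of random padding
	blockSize        = 8 // RFC 4253 section 6: total length is a multiple of max(8, cipher block size)
)

var (
	ErrTruncated      = errors.New("ssh: truncated packet")
	ErrPacketTooLarge = errors.New("ssh: packet_length exceeds limit, packet dropped")
	ErrBadPadding     = errors.New("ssh: padding does not satisfy RFC 4253 section 6")
	ErrRekeyRequired  = errors.New("ssh: 2^28 packets used under this key, rekey required")
)

// KeyState counts packets protected under the current transport key.
type KeyState struct {
	Generation uint64 // incremented on every rekey
	Packets    uint64 // packets processed under the current key
}

// Rekey installs a fresh key generation and resets the packet counter.
func (k *KeyState) Rekey() {
	k.Generation++
	k.Packets = 0
}

// use accounts one packet against the current key and refuses the 2^28+1th.
func (k *KeyState) use() error {
	if k.Packets >= RekeyPacketLimit {
		return ErrRekeyRequired
	}
	k.Packets++
	return nil
}

// ParsePacket validates one RFC 4253 binary packet and returns its payload.
// The length check is made on the 4-byte header alone, before the remainder
// is examined, so an oversized packet_length is rejected without buffering it.
func ParsePacket(buf []byte, k *KeyState) ([]byte, error) {
	if len(buf) < 5 {
		return nil, ErrTruncated
	}
	packetLength := binary.BigEndian.Uint32(buf[:4])
	if packetLength > MaxPacketLength {
		return nil, ErrPacketTooLarge
	}
	if uint64(len(buf)) < 4+uint64(packetLength) {
		return nil, ErrTruncated
	}
	paddingLength := uint32(buf[4])
	if paddingLength < minPadding || paddingLength+1 > packetLength {
		return nil, ErrBadPadding
	}
	if (4+packetLength)%blockSize != 0 {
		return nil, ErrBadPadding
	}
	if err := k.use(); err != nil {
		return nil, err
	}
	return buf[5 : 4+packetLength-paddingLength], nil
}

// BuildPacket frames a payload per RFC 4253 section 6. Padding is zeroed
// here for reproducibility; a real transport fills it with random bytes.
func BuildPacket(payload []byte) []byte {
	padding := blockSize - (5+len(payload))%blockSize
	if padding < minPadding {
		padding += blockSize
	}
	packetLength := uint32(1 + len(payload) + padding)
	out := make([]byte, 4+packetLength)
	binary.BigEndian.PutUint32(out[:4], packetLength)
	out[4] = byte(padding)
	copy(out[5:], payload)
	return out
}
```

The counter is kept per key generation rather than per connection so that a rekey, whichever side initiates it, resets the budget; a peer that keeps sending after the limit is refused until the rekey completes.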
mily and related components for FAU_GEN Security audit generation. The extended family IDS_ANL_EXT Analyzer analysis was modeled after the CC family and related components for FAU_SAA Security audit analysis. The extended family IDS_RCT_EXT Analyzer react was modeled after the CC family and related components for FAU_ARP Security alarms. The extended family and related components for IDS_RDR_EXT Restricted data review were modeled after the CC family and related components for FAU_STG Security audit event storage.

5.1.6.1 Family IDS_ANL_EXT: Analyzer analysis

Family Behaviour
This family defines the analysis the TOE performs on the collected system data. This family enumerates the types of program code that shall be collected by the TSF and identifies what type of control will be enforced on the executable code. This family also determines which changes are to be prevented and which are to be monitored and reported.

Component Leveling
IDS_ANL_EXT Analyzer analysis: 1 (Figure 19: Analyzer analysis family decomposition)

IDS_ANL_EXT.1 Analyzer analysis specifies the list of analyses the TOE will perform on the collected system data.

Management: IDS_ANL_EXT.1
The following actions could be considered for the management functions in FMT:
b) Configuration of the analysis to be performed.

Audit: IDS_ANL_EXT.1
The following actions should be auditable if FAU_GEN S
mmetric keys and private keys.
Dependencies: No dependencies.

FPT_RPL.1 Replay detection
Hierarchical to: No other components.
FPT_RPL.1.1 The TSF shall detect replay for the following entities: [network packets terminated at the TOE that are transmitted through the use of the TSF cryptographic services (IPsec, TLS, SNMPv3 and SSH)].
FPT_RPL.1.2 The TSF shall perform [reject the data] when replay is detected.
Dependencies: No dependencies.

FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use.
Dependencies: No dependencies.

FPT_TST_EXT.1 TSF testing
Hierarchical to: No other components.
FPT_TST_EXT.1.1 The TSF shall run a suite of self tests during initial start-up (on power on) to demonstrate the correct operation of the TSF.
Dependencies: No dependencies.

FPT_TUD_EXT.1 Trusted Update
Hierarchical to: No other components.
FPT_TUD_EXT.1.1 The TSF shall provide security administrators the ability to query the current version of the TOE firmware/software.
FPT_TUD_EXT.1.2 The TSF shall provide security administrators the ability to initiate updates to TOE firmware/software.
FPT_TUD_EXT.1.3 The TSF shall provide a means to verify firmware/software updates to the TOE using a [digital signature mechanism, published hash] prior to installing those updates.
Dependencies: FCS_COP.1(2) Cryptographic operation (for cryptographic signature).

6.2.7 Class FRU: Resource Utilization

FRU_RSA.1 Maximum quotas
Hierarchical to: No other components.
FRU_RSA.1.1 The TSF shall enforce maximum quotas of the following resources: [simultaneous administrative connections, no other resource] that subjects can use simultaneously.
Dependencies: No dependencies.

6.2.8 Class FTA: TOE Access

FTA_SSL_EXT.1 TSF-initiated session locking
Hierarchical to: No other components.
FTA_SSL_EXT.1.1 The TSF shall, for local interactive sessions, [terminate the session] after a Security Administrator-specified time period of inactivity.
Dependencies: FIA_UIA_EXT.1 User identification and authentication.

FTA_SSL.3 TSF-initiated termination
Hierarchical to: No other components.
FTA_SSL.3.1 The TSF shall terminate a remote interactive session after a [Security Administrator-configurable time interval of session inactivity].
Dependencies: No dependencies.

FTA_TAB.1 Default TOE access banners
Hierarchical to: No other components.
FTA_TAB.1.1 Before establishing an administrator session the TSF shall display a Security Administrator-specified advisory notice and consent warning message regarding unauthorised use of the TOE.
Dependencies: No dependencies.

6.2.9 Class FTP: Trusted Path/Channels

FTP_ITC.1(1) Inter-TSF trusted channel (prevention of disclosure)
Hierarchical to: No other components.
FTP_ITC.1.1(1) The TSF shall use IPsec to provide a trusted communication channel between itself and authorized IT entities that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from disclosure.
FTP_ITC.1.2(1) The TSF shall permit [the TSF or the authorized IT entities] to initiate communication via the trusted channel.
FTP_ITC.1.3(1) The TSF shall initiate communication via the trusted channel for [all IPsec communications].
Dependencies: No dependencies.

FTP_ITC.1(2) Inter-TSF trusted channel (detection of modification)
Hierarchical to: No other components.
FTP_ITC.1
nistrator may unintentionally install or configure the TOE incorrectly, resulting in ineffective security mechanisms.
T.ASPOOF: An unauthorized person may carry out spoofing in which information flows through the TOE into a connected network by using a spoofed source address.
T.FALACT: An attacker might introduce identified or suspected vulnerabilities or perform inappropriate activity to which the TOE fails to react.
T.FALASC: An attacker might introduce vulnerabilities or perform inappropriate activity which the TOE fails to identify based on association of IDS data received from all data sources.
T.FALREC: An attacker might introduce vulnerabilities or perform inappropriate activity which the TOE fails to recognize based on IDS data received from each data source.
T.INADVE: Inadvertent activity and access by attackers who are not TOE users may occur on an IT System the TOE monitors.
T.MEDIAT: An unauthorized person may send impermissible information through the TOE which results in the exploitation of resources on the internal network.

Footnotes: IT = Information Technology; TSF = TOE Security Functionality.
o other components.
FPT_TST_EXT.1.1 The TSF shall run a suite of self tests during initial start-up (on power on) to demonstrate the correct operation of the TSF.
Dependencies: No dependencies.

5.1.4.3 Family FPT_TUD_EXT: Trusted update

Family Behaviour
Components in this family address the requirements for updating the TOE firmware and/or software. This is a new family defined for the FPT Class.

Component Leveling
FPT_TUD_EXT Trusted update: 1 (Figure 17: Trusted update family decomposition)

FPT_TUD_EXT.1 Trusted update requires management tools be provided to update the TOE firmware and software, including the ability to verify the updates prior to installation.

Management: FPT_TUD_EXT.1
a) There are no management activities foreseen.

Audit: FPT_TUD_EXT.1
a) Initiation of update.

FPT_TUD_EXT.1 Trusted update
Hierarchical to: No other components.
FPT_TUD_EXT.1.1 The TSF shall provide security administrators the ability to query the current version of the TOE firmware/software.
FPT_TUD_EXT.1.2 The TSF shall provide security administrators the ability to initiate updates to TOE firmware/software.
FPT_TUD_EXT.1.3 The TSF
o seconds and process IDs are used as the sources of randomness. There are enough entropy sources feeding the entropy pool for the resulting RBG output to be completely independent of time and environmental conditions. When the module requires entropy, it makes a call to pull 32 bits of entropy from the entropy pool mentioned above. In the event of an entropy source failure, such as a failure to produce 32 bits of entropy, the cryptographic module that contains the PRNG receives an error instead of the requested entropy bits. Upon receipt of this error the module unloads and does not provide random numbers. The module is restarted the next time any TOE component calls for cryptographic services.

Once the entropy input has been independently collected from the environment, it is put through a series of transformations. The rand function of the cryptographic module is used by the TOE to generate a random plaintext and a random key. HMAC-SHA2 is applied to the plaintext generated and the key generated, and the resulting HMAC-SHA2 digest is used as the PRNG key for the AES 128-bit algorithm. HMAC-SHA2 is again applied to the plaintext generated and the key generated, and the second digest is used as the seed for the AES 128-bit algorithm. By applying AES 128-bit encryption with the PRNG key and seed generated above, the random number is generated. A 128-bit seed value is used for this process. Table 15 below provides the details about
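The generator construction and the entropy-failure behaviour described above are illustrated by the added Go program below. It is example code written for this page, not the TOE's cryptographic module: it models the pool as a constructed byte buffer handed out in 32-bit pulls, derives the AES-128 key and the 128-bit seed V from the collected entropy with two HMAC-SHA-256 calls (the two labels are this example's assumption; the ST only says HMAC-SHA2 is applied twice), and then runs the ANSI X9.31 Appendix A.2.4 step with AES-128, which is the X9.31-with-AES generator the ST's RBG requirement names. The continuous RNG check on repeated output blocks is the FIPS 140-2 conditional test and is added here, not taken from the ST.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/sha256"
	"errors"
	"fmt"
)

const seedBits = 128 // minimum seed entropy required by FCS_RBG_EXT.1.2

// EntropyPool is a constructed stand-in for the TOE's pool. Pull32 hands out
// 32 bits per call; a pool that cannot deliver reports a failure and stays failed.
type EntropyPool struct {
	Bytes  []byte
	Failed bool
}

func (p *EntropyPool) Pull32() ([]byte, error) {
	if p.Failed || len(p.Bytes) < 4 {
		p.Failed = true
		return nil, errors.New("entropy source failure: could not produce 32 bits")
	}
	out := p.Bytes[:4]
	p.Bytes = p.Bytes[4:]
	return out, nil
}

// PRNG is an ANSI X9.31 Appendix A.2.4 generator with AES-128 as the block
// cipher. Loaded is false once the module has unloaded and must be restarted.
type PRNG struct {
	block  cipher.Block
	v      [16]byte // 128-bit seed value V
	lastR  [16]byte
	primed bool
	Loaded bool
}

// derive keys HMAC-SHA-256 with the entropy input; the label is an assumption.
func derive(entropy []byte, label string) []byte {
	m := hmac.New(sha256.New, entropy)
	m.Write([]byte(label))
	return m.Sum(nil)
}

// NewPRNG gathers seedBits of entropy in 32-bit pulls. Any pull failure
// returns an error and no generator: the caller gets no random numbers until a
// later NewPRNG call (the "restart") succeeds.
func NewPRNG(pool *EntropyPool) (*PRNG, error) {
	var entropy []byte
	for len(entropy)*8 < seedBits {
		chunk, err := pool.Pull32()
		if err != nil {
			return nil, fmt.Errorf("PRNG not loaded: %w", err)
		}
		entropy = append(entropy, chunk...)
	}
	block, err := aes.NewCipher(derive(entropy, "x9.31 aes-128 key")[:16])
	if err != nil {
		return nil, err
	}
	g := &PRNG{block: block, Loaded: true}
	copy(g.v[:], derive(entropy, "x9.31 seed V")[:16])
	return g, nil
}

// Generate performs one X9.31 step with the caller's 128-bit date/time vector:
// I = E_K(DT); R = E_K(I xor V); V = E_K(R xor I). A repeated output block
// fails the continuous RNG test and unloads the generator.
func (g *PRNG) Generate(dt [16]byte) ([]byte, error) {
	if !g.Loaded {
		return nil, errors.New("PRNG unloaded: no random numbers until restart")
	}
	var i, r, t [16]byte
	g.block.Encrypt(i[:], dt[:])
	xor16(&t, i, g.v)
	g.block.Encrypt(r[:], t[:])
	xor16(&t, r, i)
	g.block.Encrypt(g.v[:], t[:])
	if g.primed && r == g.lastR {
		g.Loaded = false
		return nil, errors.New("continuous RNG test failed: repeated output block")
	}
	g.lastR, g.primed = r, true
	return r[:], nil
}

func xor16(dst *[16]byte, a, b [16]byte) {
	for n := range dst {
		dst[n] = a[n] ^ b[n]
	}
}
```

Two points worth noting from the model: the seed length check is done before any AES key exists, so a short or failed pool can never leave a half-initialised generator in service, and Generate refuses outright once Loaded is cleared, which is the behaviour the ST describes until the module is restarted.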
ot be updated by the administrator; the TOE must be returned to Curtiss-Wright for maintenance if that portion of the TOE firmware must be updated. All of this ensures that only valid, uncompromised, official updates from Curtiss-Wright can be installed on the TOE, and only by authorized administrators who have physical access to the TOE in order to install the jumpers.

TOE Security Functional Requirements Satisfied: FCS_COP.1(2), FCS_COP.1(3), FPT_TUD_EXT.1.

Footnote: LED = Light Emitting Diode.

8.1 Conformance Claims Rationale

This Security Target conforms to Part 2 and Part 3 of the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 3. There are no protection profile conformance claims for this Security Target.

8.2 Security Objectives Rationale

This section provides a rationale for the existence of each threat, policy statement and assumption that compose the Security Target. Sections 8.2.1, 8.2.2 and 8.2.3 demonstrate that the mappings between the threats, policies and assumptions and the security objectives are complete. The following discussion provides detailed evidence of coverage for each threat, policy and assumption.
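The verify-before-install rule of FPT_TUD_EXT.1.3, together with the version query of FPT_TUD_EXT.1.1 and the administrator-initiated update of FPT_TUD_EXT.1.2, is shown as an added Go example below. This is illustrative code written for this page, not the TOE's update mechanism or any Curtiss-Wright code; the ST states the requirement, not the algorithm, so the Ed25519 signature over SHA-256(image) || version, the published-hash comparison and every type and field name here are this example's assumptions.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Update is the package an administrator uploads: the new image, its version
// string and the vendor's signature. The layout is an assumption of this example.
type Update struct {
	Version   string
	Image     []byte
	Signature []byte
}

// Device models the TOE side: a vendor verification key fixed in the device
// and not administrator-changeable, and the installed version that a security
// administrator may query.
type Device struct {
	VendorKey ed25519.PublicKey
	Installed string
}

var (
	ErrBadSignature = errors.New("update rejected: signature does not verify under the vendor key")
	ErrHashMismatch = errors.New("update rejected: image digest differs from the published hash")
)

// signedMessage binds the signature to both the image and the version so a
// validly signed old image cannot be replayed under a different version string.
func signedMessage(u *Update) []byte {
	d := sha256.Sum256(u.Image)
	return append(d[:], u.Version...)
}

// SignUpdate is the vendor-side step, included only to make the example
// self-contained; the device never holds the private key.
func SignUpdate(priv ed25519.PrivateKey, u *Update) {
	u.Signature = ed25519.Sign(priv, signedMessage(u))
}

// CurrentVersion answers the administrator's version query.
func (d *Device) CurrentVersion() string { return d.Installed }

// VerifySignature is the digital-signature means of verifying an update.
func (d *Device) VerifySignature(u *Update) error {
	if !ed25519.Verify(d.VendorKey, signedMessage(u), u.Signature) {
		return ErrBadSignature
	}
	return nil
}

// VerifyPublishedHash is the published-hash means: the administrator obtains
// the expected SHA-256 out of band and the device compares before installing.
func (d *Device) VerifyPublishedHash(u *Update, published []byte) error {
	sum := sha256.Sum256(u.Image)
	if !bytes.Equal(sum[:], published) {
		return ErrHashMismatch
	}
	return nil
}

// Install is the administrator-initiated update. Nothing is changed until
// verification succeeds, so a failed check leaves the installed version as is.
func (d *Device) Install(u *Update) (string, error) {
	if err := d.VerifySignature(u); err != nil {
		return d.Installed, err
	}
	d.Installed = u.Version
	return d.Installed, nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	dev := &Device{VendorKey: pub, Installed: "605714-200"}
	u := &Update{Version: "606163-200", Image: []byte("constructed firmware image bytes")}
	SignUpdate(priv, u)
	v, err := dev.Install(u)
	fmt.Println("installed:", v, "err:", err)
	u.Image[0] ^= 0x01 // image altered after signing
	v, err = dev.Install(u)
	fmt.Println("installed:", v, "err:", err)
}
```

The version string is part of the signed message on purpose: a signature that covered only the image would let an attacker present a genuine older image as a newer version, which is the downgrade case a trusted-update check has to close as well as plain tampering.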
pired password locked out until their password is reset by an administrator.
Dependencies: No dependencies.

5.1.3.3 Family FIA_UIA_EXT: User identification and authentication

Family Behaviour
This family defines the services provided by the TSF to unidentified and unauthenticated users.

Component Leveling
FIA_UIA_EXT User identification and authentication: 1 (Figure 14: User identification and authentication family decomposition)

FIA_UIA_EXT.1 User identification and authentication requires users to be successfully identified and authenticated before providing any services other than those listed to the user.

Management: FIA_UIA_EXT.1
a) There are no management activities foreseen.

Audit: FIA_UIA_EXT.1
a) All use of the identification and authentication mechanism.

FIA_UIA_EXT.1 User Identification and Authentication
Hierarchical to: FIA_UAU.1, FIA_UID.1.
FIA_UIA_EXT.1.1 The TSF shall allow [selection: [assignment: list of TOE-provided services], no services] on behalf of the user to be performed before the user is identified and authenticated.
FIA_UIA_EXT.1.2 The TSF shall require each user to be successfully i
re Routers. The VPX3-685/CCA-685 can be configured with up to twenty interfaces. It also provides up to two 10GbE ports to support switch-to-switch expansion or dual redundant networks for fail-over, or for architecting high-performance 10 Gb/s network backbones. Embedded backplane routing is supported with standard Base-T or Base-X GbE and 10GbE XAUI interfaces. To reduce power requirements, any unused ports can be disabled or depopulated. The TOE is available in conduction-cooled, stackable and air-cooled versions.

The blade incorporates security software and a high-performance hardware-based security engine. Comprising a single-card Unified Threat Management (UTM) system, the blade's advanced security and network features include:
- Support for VPNs (IPSec, PPTP, L2TP) to protect dedicated networks
- A stateful firewall to protect against multiple evasive attacks
- Network Address Translation (NAT) routing for IPv4 masquerading
- Port- and protocol-based Access Control Lists to prevent unauthorized access
- Broadcast Storm Control to protect against network disruption due to packet flooding

Footnotes: GbE = Gigabit Ethernet; XAUI = 10 Gigabit Attachment Unit Interface; VPN = Virtual Private Network; IPSec = Internet Protocol Security; PPTP = Point-to-Point Tunneling Protocol; L2TP = Layer 2 Tunneling Protocol.
reseen.

Audit: FPT_PTD_EXT.1
a) There are no auditable activities foreseen.

FPT_PTD_EXT.1(1) Management of TSF data (for reading of authentication data)
Hierarchical to: No other components.
FPT_PTD_EXT.1.1 The TSF shall prevent reading of the plaintext passwords.
Dependencies: No dependencies.

FPT_PTD_EXT.1(2) Management of TSF data (for reading of all symmetric keys)
Hierarchical to: No other components.
FPT_PTD_EXT.1.1 The TSF shall prevent reading of all pre-shared keys, symmetric keys and private keys.
Dependencies: No dependencies.

5.1.4.2 Family FPT_TST_EXT: TSF testing

Family Behaviour
Components in this family address the requirements for self-testing the TSF for selected correct operation.

Component Leveling
FPT_TST_EXT TSF testing: 1 (Figure 16: TSF testing family decomposition)

FPT_TST_EXT.1 TSF testing requires a suite of self tests to be run during initial start-up in order to demonstrate correct operation of the TSF.

Management: FPT_TST_EXT.1
a) There are no management activities foreseen.

Audit: FPT_TST_EXT.1
a) Indication that TSF self-test was completed.

FPT_TST_EXT.1 TSF testing
Hierarchical to: N
rity is located in the hardware, is protected, and is not modifiable. At power-up the TOE computes a new digest and compares it to the pre-computed digest value for the pre-boot secure image. This Integrity Test is also considered the […] for […]. The TOE then continues to check the integrity of the loadable images using […] and compares the result to the pre-computed digest for the loadable images. If the values are the same then the test passes; otherwise it fails.

2. Cryptographic Algorithm Tests
a) AES Known Answer Test (KAT): The AES KAT encrypts a known plaintext value with known keys. It then compares the resultant ciphertext with the expected ciphertext hard-coded in the TOE. If the two values differ then the KAT fails. If the two values agree, the AES KAT then decrypts the ciphertext with the known keys and compares the decrypted text with the known plaintext. If they differ then the test fails. If they are the same then the test passes.
b) SHA-256 KAT: The hashing algorithm performs a KAT for SHA-256. The KAT takes a specific value and hashes it. This digest value is then compared to the known value. If the values differ the test fails. If they are the same the test passes.
c) HMA
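The power-on sequence described above (an image integrity check against a digest held in protected hardware, then the AES and SHA-256 known-answer tests) is shown as an added Go example below. It is example code written for this page and not the TOE's self-test implementation: the image and its stored digest are constructed, the KAT answers are the public FIPS 197 Appendix C.1 AES-128 vector and the FIPS 180 "abc" SHA-256 vector rather than the values hard-coded in the TOE, and the Module state machine that withholds service after a failure is this example's model of the module behaviour, not a description of the TOE's.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

func mustHex(s string) []byte {
	b, err := hex.DecodeString(s)
	if err != nil {
		panic(err)
	}
	return b
}

// Public known-answer vectors standing in for the answers hard-coded in the TOE.
var (
	aesKey        = mustHex("000102030405060708090a0b0c0d0e0f")
	aesPlaintext  = mustHex("00112233445566778899aabbccddeeff")
	aesCiphertext = mustHex("69c4e0d86a7b0430d8cdb78070b4c55a")
	shaInput      = []byte("abc")
	shaDigest     = mustHex("ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad")

	// Constructed pre-boot image and the digest that would be held in
	// protected, non-modifiable hardware.
	firmwareImage  = []byte("constructed pre-boot secure image")
	firmwareDigest = sha256.Sum256(firmwareImage)
)

// IntegrityTest recomputes the image digest and compares it with the stored one.
func IntegrityTest(image []byte, stored [32]byte) error {
	if sha256.Sum256(image) != stored {
		return errors.New("integrity test: image digest does not match stored digest")
	}
	return nil
}

// AESKAT encrypts the known plaintext and compares, then decrypts that
// ciphertext and compares again. expected is a parameter so the failure path
// can be driven with a corrupted answer.
func AESKAT(expected []byte) error {
	block, err := aes.NewCipher(aesKey)
	if err != nil {
		return err
	}
	ct := make([]byte, aes.BlockSize)
	block.Encrypt(ct, aesPlaintext)
	if !bytes.Equal(ct, expected) {
		return errors.New("AES KAT: ciphertext differs from expected value")
	}
	pt := make([]byte, aes.BlockSize)
	block.Decrypt(pt, ct)
	if !bytes.Equal(pt, aesPlaintext) {
		return errors.New("AES KAT: decrypted text differs from known plaintext")
	}
	return nil
}

// SHA256KAT hashes the known input and compares with the known digest.
func SHA256KAT(expected []byte) error {
	sum := sha256.Sum256(shaInput)
	if !bytes.Equal(sum[:], expected) {
		return errors.New("SHA-256 KAT: digest differs from known value")
	}
	return nil
}

// Module runs the tests in order at power-on. No service is offered until all
// pass, and the first failure latches an error state until restart.
type Module struct {
	Operational bool
	LastError   error
}

func (m *Module) PowerOn() error {
	tests := []struct {
		name string
		run  func() error
	}{
		{"firmware integrity", func() error { return IntegrityTest(firmwareImage, firmwareDigest) }},
		{"AES KAT", func() error { return AESKAT(aesCiphertext) }},
		{"SHA-256 KAT", func() error { return SHA256KAT(shaDigest) }},
	}
	for _, tc := range tests {
		if err := tc.run(); err != nil {
			m.Operational, m.LastError = false, fmt.Errorf("power-on self-test %q failed: %w", tc.name, err)
			return m.LastError
		}
	}
	m.Operational, m.LastError = true, nil
	return nil
}

// Service is the gate every cryptographic entry point checks first.
func (m *Module) Service() error {
	if !m.Operational {
		return fmt.Errorf("module in error state, service refused: %v", m.LastError)
	}
	return nil
}
```

Ordering matters: the integrity test runs before the algorithm tests because a KAT executed by tampered code proves nothing, and the error state is latched rather than retried so that an intermittently failing component cannot slip into service on a later call.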
ruption in TOE service, the TOE must not compromise its resources or those of any connected network.
  FMT_MSA.3 Static attribute initialisation: default deny policy for information flow control security rules.
O.SESSION_LOCK: The TOE shall provide mechanisms that mitigate the risk of unattended sessions being hijacked.
  FTA_SSL.3 TSF-initiated Termination: The TOE terminates unattended or idle administrative sessions after an administrator-specified period of time.
  FTA_SSL_EXT.1 TSF-initiated Session Locking: The TOE terminates unattended or idle administrative sessions after an administrator-specified period of time.
O.SYSTEM_MONITORING: The TOE will provide the capability to generate audit data and send those data to an external IT entity.
  FAU_GEN.1 Audit Data Generation: The TOE generates audit records of appropriate events.
  FAU_GEN.2 User Identity Association: The TOE associates actions of an identified user with that user.
  FAU_STG_EXT.1 External Audit Trail Storage: The TOE sends all audit records to the external audit log server.
  FPT_STM.1 Reliable time stamps: The TOE provides reliable time stamps for generated audit records.
O.TOE_ADMINISTRATION: The TOE will provide mechanisms to ensure that only administrators
  Password Management: The TOE requires secure passwords for administrative users.
ryption/decryption); FCS_COP.1(3) Cryptographic operation (for cryptographic hashing).

6.2.3 Class FDP: User Data Protection

FDP_IFC.1 Subset information flow control
Hierarchical to: No other components.
FDP_IFC.1.1 The TSF shall enforce the [UNAUTHENTICATED SFP] on:
- Subjects: unauthenticated external IT entities that send and receive information through the TOE to one another;
- Information: traffic sent through the TOE from one subject to another;
- Operation: pass information.
Dependencies: FDP_IFF.1 Simple security attributes.

FDP_IFF.1 Simple security attributes
Hierarchical to: No other components.
FDP_IFF.1.1 The TSF shall enforce the [UNAUTHENTICATED SFP] based on at least the following types of subject and information security attributes:
- Subject security attributes:
  o presumed address;
  o other subject security attributes as configured by the administrators.
- Information security attributes:
  o presumed address of source subject;
  o presumed address of destination subject;
  o transport layer protocol;
  o interface on which traffic arrives and departs.
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and another controlle
5.2 Extended TOE Security Assurance Components

There are no extended TOE Security Assurance Components.

6 Security Requirements

This section defines the SFRs and SARs met by the TOE. These requirements are presented following the conventions identified in Section 6.1.

6.1 Conventions

There are several font variations used within this ST. Selected presentation choices are discussed here to aid the Security Target reader. The CC allows for assignment, refinement, selection and iteration operations to be performed on security functional requirements. All of these operations are used within this ST. These operations are performed as described in Part 2 of the CC and are shown as follows:
a) Completed assignment statements are identified using italicized text within brackets.
b) Completed selection statements are identified using underlined text within brackets.
c) Refinements are identified using bold te
s of a distributed TOE and authorized IT entities.
O.RESIDUAL_INFORMATION_CLEARING: The TOE will ensure that any data contained in a protected resource is not available when the resource is reallocated.
O.RESOURCE_AVAILABILITY: The TOE shall provide mechanisms that mitigate user attempts to exhaust TOE resources (e.g., persistent storage).
O.RESPON: The TOE must respond appropriately to analytical conclusions.
O.SECSTA: Upon initial start-up of the TOE or recovery from an interruption in TOE service, the TOE must not compromise its resources or those of any connected network.
O.SESSION_LOCK: The TOE shall provide mechanisms that mitigate the risk of unattended sessions being hijacked.
O.SYSTEM_MONITORING: The TOE will provide the capability to generate audit data and send those data to an external IT entity.
O.TOE_ADMINISTRATION: The TOE will provide mechanisms to ensure that only administrators are able to log in and configure the TOE, and provide protections for logged-in administrators.
O.TSF_SELF_TEST: The TOE will provide the capability to test some subset of its security functionality to ensure it is operating properly.
O.VERIFIABLE_UPDAT
s that are indicative of inappropriate activity that may have resulted from misuse, access or malicious activity of IT System assets and the IDS.
  IDS_SDC_EXT.1 System Data Collection: The TOE collects and stores information about all events that are indicative of inappropriate activity that may have resulted from misuse, access or malicious activity of IT System assets and the TOE.
O.MEDIAT: The TOE must mediate the flow of all information from users on a connected network to users on another connected network.
  FDP_IFC.1 Subset information flow control: The TOE controls the flow of all data covered by the UNAUTHENTICATED information flow control SFP.
  FDP_IFF.1 Simple security attributes: The TOE controls the flow of all data covered by the UNAUTHENTICATED information flow control SFP.
  FDP_RIP.2 Full residual information protection: The TOE does not use information that had previously flowed through the TOE, nor any TOE internal data, to pad packets passed through the TOE as part of an information flow.
  FMT_MSA.3 Static attribute initialisation: The TOE implements a default deny policy for information flow control security rules.
O.PROTECTED_COMMUNICATIONS: The TOE will provide protected communication channels for administrators, other parts of a distributed TOE and authorized IT entities.
  FCS_CKM.1 Cryptographic Key Generation (for asymmetric keys): The TOE uses only approved asymmetric key g
security attributes, or FCS_CKM.1 Cryptographic key generation].

Footnote: Critical Security Parameters.

5.1.2.2 Family FCS_COMM_PROT_EXT: Communications protection

Family Behaviour
Components in this family address the requirements for protecting network communications. This is a new family defined for the FCS Class.

Component Leveling
FCS_COMM_PROT_EXT Communications protection: 1 (Figure 6: Communications protection family decomposition)

FCS_COMM_PROT_EXT.1 Communications Protection requires that network communications be protected. The communications must be protected by either IPsec, SSH, or both. Additionally, TLS/HTTPS may be selected.

Management: FCS_COMM_PROT_EXT.1
a) There are no management activities foreseen.

Audit: FCS_COMM_PROT_EXT.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the ST:
a) There are no auditable events foreseen.

FCS_COMM_PROT_EXT.1 Communications Protection
Hierarchical to: No other components.
FCS_COMM_PROT_EXT.1.1 The TSF shall protect communications using [selection: IPsec, SSH] and [selection: TLS/HTTPS, no other protocol].
Dependencies: FCS_IP
Table 17: Policies:Objectives Mapping
Table 18: Assumptions:Objectives Mapping
Table 19: Objectives:SFRs Mapping
Table 20: Functional Requirements Dependencies ... 79
Table 21 ... 82

1 Introduction

This section identifies the Security Target (ST), Target of Evaluation (TOE), and the ST organization. The Target of Evaluation (TOE) is the Curtiss-Wright VPX3-685/CCA-685 Secure Routers and will hereafter be referred to as the TOE throughout this document. The TOE is a single blade that provides secure routing, switching, firewall functionality, intrusion detection and prevention, and support for virtual private networks (VPNs) in a 3U VPX form factor. The TOE is manufactured in multiple physical configurations associated with the following model numbers, which are included in the Common Criteria (CC) evaluation:
- VPX3-685-A13014-FC with Software Version 605714-200 REL2.0.0
- VPX3-685-A13020-FC w
ted circuit board; the hardware and software are identical regardless of the enclosure. Curtiss-Wright offers a 14-Ethernet-port and a 20-Ethernet-port version of each enclosure type. The VPX3-685-A13014-FC and VPX3-685-A13020-FC are the 14- and 20-port air-cooled enclosures, respectively. The VPX3-685-C23014-FC and VPX3-685-C23020-FC are the 14- and 20-port conduction-cooled enclosures, respectively. The CCA-685-2820 is a 12-port conduction-cooled enclosure. All of the VPX3-685 variants have an identical software load. The CCA-685-2820 runs a unique variant of the software load containing a distinct implementation of the FIPS 140-2 validated cryptographic module. Separate software part numbers are assigned to facilitate the number of ports exposed to the customer. Figure 1 below shows pictures of the conduction-cooled and the air-cooled VPX3-685/CCA-685 Secure Routers.

Footnotes: VPX, formerly known as VITA 46, is an ANSI standard (ANSI/VITA 46.0-2007) that provides VMEbus-based systems with support for switched fabrics over a high-speed connector. IP = Internet Protocol.

[Figure 1: VPX3-685/CCA-685 Secure Routers. Panels: conduction-cooled cover; air-cooled cover; conduction-cooled CCA-685 cover.]
the keys, key components and critical security parameters (CSPs) used by the TOE when it is operating in the CC-certified configuration. Note that the CC-certified configuration requires that the TOE also be operating in the FIPS-approved mode of operation (FIPS mode). For details on FIPS mode, see the TOE's administrative guidance and the related FIPS 140-2 Security Policy.

Table 15: TOE Keys, Key Components and CSPs

CSP: PSK (Pre-shared key)
  Key Type: AES 256-bit key
  Input: Pre-installed at factory
  Output: Never
  Storage: Plaintext in RAM or EEPROM
  Zeroization: By command, power cycle or reboot. Procedure: overwrite with zeros
  Use: Encrypt the KEK

CSP: KEK (Key encryption key)
  Key Type: AES 256-bit key
  Input: Generated internally
  Output: Encrypted with PSK
  Storage: Plaintext in RAM, SRAM or EEPROM
  Zeroization: By command, power cycle or reboot. Procedure: overwrite with zeros
  Use: Decrypt the DEK

Footnotes: RAM = Random Access Memory; EEPROM = Electrically Erasable Programmable Read-Only Memory; KEK = Key Encrypting Key; SRAM = Static Random Access Memory; DEK = Data Encrypting Key.

CSP: DEK (Data encrypting key)
  Key Type: AES 256-b
vided by the TOE that satisfy the security functional requirements and objectives.
- Rationale (Section 8): Presents the rationale for the security objectives, requirements and SFR dependencies as to their consistency, completeness and suitability.
- Acronyms (Section 9): Defines the acronyms and terminology used within this ST.

1.2 Security Target and TOE References

Table 1 provides an overview of the Security Target as well as the official TOE reference and its FIPS 140-2 validation status.

Table 1: ST and TOE References
ST Title: Curtiss-Wright Controls Defense Solutions VPX3-685/CCA-685 Secure Routers Security Target
ST Version: Version 1.16
ST Author: Corsec Security, Inc.
ST Publication Date: October 6, 2014
TOE Reference: Curtiss-Wright VPX3-685/CCA-685 Secure Routers, Hardware Version 1.0 rev A. Models VPX3-685-A13014-FC and VPX3-685-C23014-FC with Software Version 605714-200; Models VPX3-685-A13020-FC and VPX3-685-C23020-FC with Software Version 606163-200; Model CCA-685-2820 with Software Version 606163-210.
FIPS 140
...will provide protected communication channels for administrators, other parts of a distributed TOE and...
The TOE protects communications channels to prevent malicious or accidental disclosure, hijacking, replay or other compromise of authorized communications.

O.SECSTA: Upon initial start-up of the TOE or recovery from an interruption in TOE service, the TOE must not compromise its resources or those of any connected network.
The TOE ensures that no information is compromised by the TOE upon start-up or recovery.

O.SESSION_LOCK: The TOE shall provide mechanisms that mitigate the risk of unattended sessions being hijacked.
The TOE terminates idle or unattended administrator sessions.

O.SYSTEM_MONITORING: The TOE will provide the capability to generate audit data and send those data to an external IT entity.
The TOE audits all administrative and authentication activities.

O.TOE_ADMINISTRATION: The TOE will provide mechanisms to ensure that only administrators are able to log in and configure the TOE, and provide protections for logged-in administrators.
The TOE ensures that administrators, and only administrators, may admin...
...text. Any text removed is stricken (Example: TSF Data, shown struck through) and should be considered as a refinement.
d. Extended Functional and Assurance Requirements are identified using "EXT" at the end of the short name.
e. Iterations are identified by appending a number in parentheses following the component title. For example, FAU_GEN.1(1) Audit Data Generation would be the first iteration and FAU_GEN.1(2) Audit Data Generation would be the second iteration.

6.2 Security Functional Requirements

This section specifies the SFRs for the TOE. This section organizes SFRs by CC class. Table 10 identifies all SFRs implemented by the TOE and indicates the ST operations performed on each requirement.

Table 10: Security Functional Requirements (Name, Description; the S, A, R and I operation columns of the original table are not reproduced here)
FAU_GEN.1 Audit Data Generation
FAU_GEN.2 User Identity Association
FAU_STG_EXT.1 External Audit Trail Storage
FCS_CKM.1 Cryptographic Key Generation (for asymmetric keys)
FCS_CKM_EXT.4 Cryptographic Key Zeroization
FCS_COMM_PROT_EXT.1 Communications Protection
FCS_COP.1(1) Cryptographic Operation (for data encryption/decryption)
FCS_COP.1(2) Cryptographic Operation (for cryptographic signature)
FCS_COP.1(3) Cryptographic Operation (for cryptographic hashing)
FCS_COP.1(4) Cryptographic Operation (for keyed-hash message authentication)
5.1.1 Class FAU: Security Audit

Security auditing involves recognizing, recording, storing and analyzing information related to security-relevant activities, i.e. activities controlled by the TSF. The extended family FAU_STG_EXT: External audit trail was modeled after the CC family and related components for FAU_STG: Security audit event storage.

5.1.1.1 Family FAU_STG_EXT: External audit trail

Family Behaviour
This family defines the requirements for external storage of audit records enforced by the TSF.

Component Leveling
FAU_STG_EXT: External audit trail, component 1
Figure 4: External audit trail family decomposition

FAU_STG_EXT.1 External audit trail storage requires that the TOE at least store its audit trail on an external server and also support receipt of audit data over a trusted channel.

Management: FAU_STG_EXT.1
a. No management activities are foreseen.

Audit: FAU_STG_EXT.1
a. No auditable events are foreseen.

FAU_STG_EXT.1 External audit trail storage
Hierarchical to: No other components
FAU_STG_EXT.1.1 The TSF shall be able to [selection: transmit the generated audit data to an external IT entity over a trusted channel defined in FTP_ITC.1; receive and store audit data from an external IT entity over a trusted channel defined in FTP_ITC.1].
Dependencies: FAU_GEN.1 Audit data generation; FTP_ITC...