C039 Certification Report
Juniper Networks Junos Pulse Access Control Service
4.2 R4
File name: ISCB-5-RPT-C039-CR-v1a
Version: v1a
Date of document: 5 August 2013
Document classification: PUBLIC
For general inquiry about us or our services,
please email: mycc@cybersecurity.my
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page i of ix
PUBLIC
C039 Certification Report
Juniper Networks Junos Pulse Access Control
Service 4.2 R4
5 August 2013
ISCB Department
CyberSecurity Malaysia
Level 5, Sapura@Mines, No 7 Jalan Tasik, The Mines Resort City
43300 Seri Kembangan, Selangor, Malaysia
Tel: +603 8992 6888 Fax: +603 8992 6841
http://www.cybersecurity.my
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page ii of ix
PUBLIC
Document Authorisation
DOCUMENT TITLE: C039 Certification Report - Juniper Networks Junos Pulse
Access Control Service 4.2 R4
DOCUMENT REFERENCE: ISCB-5-RPT-C039-CR-v1a
ISSUE: v1a
DATE: 5 August 2013
DISTRIBUTION: UNCONTROLLED COPY - FOR UNLIMITED USE AND
DISTRIBUTION
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page iii of ix
PUBLIC
Copyright Statement
The copyright of this document, which may contain proprietary information, is the property
of CyberSecurity Malaysia.
The document shall be held in safe custody.
©CYBERSECURITY MALAYSIA, 2013
Registered office:
Level 5, Sapura@Mines,
No 7, Jalan Tasik,
The Mines Resort City,
43300 Seri Kembangan
Selangor Malaysia
Registered in Malaysia – Company Limited by Guarantee
Company No. 726630-U
Printed in Malaysia
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page iv of ix
PUBLIC
Forward
The Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme has been
established under the 9th Malaysian Plan to increase Malaysia’s competitiveness in quality
assurance of information security based on the Common Criteria (CC) standard and to build
consumers’ confidence towards Malaysian information security products.
The MyCC Scheme is operated by CyberSecurity Malaysia and provides a model for licensed
Malaysian Security Evaluation Facilities (MySEFs) to conduct security evaluations of ICT
products, systems and protection profiles against internationally recognised standards. The
results of these evaluations are certified by the Malaysian Common Criteria Certification
Body (MyCB) Unit, a unit established within Information Security Certification Body (ISCB)
Department, CyberSecurity Malaysia.
By awarding a Common Criteria certificate, the MyCB asserts that the product complies with
the security requirements specified in the associated Security Target. A Security Target is a
requirements specification document that defines the scope of the evaluation activities. The
consumer of certified IT products should review the Security Target, in addition to this
certification report, in order to gain an understanding of any assumptions made during the
evaluation, the IT product's intended environment, its security requirements, and the level of
confidence (i.e., the evaluation assurance level) that the product satisfies the security
requirements.
This certification report is associated with the certificate of product evaluation dated 5
August 2013, and the Security Target (Ref [6]). The certification report, Certificate of product
evaluation and security target are posted on the MyCC Scheme Certified Product Register
(MyCPR) at www.cybersecurity.my/mycc and the Common Criteria Portal (the official website
of the Common Criteria Recognition Arrangement at www.commoncriteriaportal.org).
Reproduction of this report is authorised provided the report is reproduced in its entirety.
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page v of ix
PUBLIC
Disclaimer
The Information Technology (IT) product identified in this certification report and its
associate certificate has been evaluated at an accredited and licensed evaluation facility
established under the Malaysian Common Criteria Evaluation and Certification (MyCC)
Scheme (Ref [4]) using the Common Methodology for IT Security Evaluation, version 3.1
revision 3 (Ref [3]), for conformance to the Common Criteria for IT Security Evaluation,
version 3.1 revision 3 (Ref [2]). This certification report and its associated certificate apply
only to the specific version and release of the product in its evaluated configuration. The
evaluation has been conducted in accordance with the provisions of the MyCC Scheme and
the conclusions of the evaluation facility in the evaluation technical report are consistent
with the evidence adduced. This certification report and its associated certificate is not an
endorsement of the IT product by CyberSecurity Malaysia or by any other organisation that
recognises or gives effect to this certification report and its associated certificate, and no
warranty of the IT product by CyberSecurity Malaysia or by any other organisation that
recognises or gives effect to this certificate, is either expressed or implied.
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page vi of ix
PUBLIC
Document Change Log
RELEASE DATE PAGES
AFFECTED
REMARKS/CHANGE REFERENCE
v1 24 July 2013 All Final Released
v1a 5 August 2013 Page iv Add the date of the certificate.
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page vii of ix
PUBLIC
Executive Summary
The Juniper Networks Junos Pulse Access Control Service 4.2 R4 (hereafter referred as
Unified Access Control (UAC)) from Juniper Networks is the Target of Evaluation (TOE) for
this Evaluation Assurance Level (EAL) 3 augmented with ALC_FLR.2 evaluation.
Juniper Networks Junos Pulse Access Control Service 4.2 R4 or the TOE is the central control
point for Juniper Network’s Unified Access Control (UAC) solution. Users will contact the TOE
using a variety of clients in order to request network access. The TOE authenticates users
and retrieves the access policies for those users. The TOE also assesses the health of a
user’s host machine and compares it to the policies in order to determine whether network
access is allowed.
It then communicates with a variety of enforcement points (including Juniper endpoint
clients filters, Juniper firewalls, and standard 802.1X enabled switches or wireless access
points) to communicate the network access constraints based on the TOE’s decision. The
enforcement points will allow or deny access based on the TOE’s result of authentication and
policy compliance.
The functions of the TOE that are within the scope of evaluation covering the secure audit,
cryptographic support (including cryptographic operations), information flow control,
identification and authentication, security management.
The scope of the evaluation is defined by the Security Target (Ref [6]), which identifies
assumptions made during the evaluation, the intended environment for the TOE, the security
functional requirements, and the evaluation assurance level at which the product is intended
to satisfy the security requirements. Prospective consumers are advised to verify that their
operating environment is consistent with the evaluated configuration, and to give due
consideration to the comments, observations and recommendations in this certification
report.
This report confirms the findings of the security evaluation of the TOE to the Common
Criteria (CC) Evaluation Assurance Level 3 (EAL3) Augmented with ALC_FLR.2. The report
confirms that the evaluation was conducted in accordance with the relevant criteria and the
requirements of the Malaysian Common Criteria Evaluation and Certification (MyCC) Scheme
(Ref [4]). The evaluation was performed by the BAE Systems Detica evaluation facility (the
‘BAE Systems Detica MySEF’) and completed on 31 May 2013.
The Malaysian Common Criteria Certification Body (MyCB), as the MyCC Scheme Certification
Body, declares that the TOE evaluation meets all the Arrangement on the Recognition of
Common Criteria certificates and the product will be listed in the MyCC Scheme Certified
Products Register (MyCPR) at www.cybersecurity.my/mycc and the Common Criteria portal
(the official website of the Common Criteria Recognition Arrangement) at
www.commoncriteriaportal.org.
It is the responsibility of the user to ensure that the UAC meets their requirements. It is
recommended that a potential user of the UAC to refer to the Security Target (Ref [6]) and
this Certification Report prior to deciding whether to purchase the product.
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page viii of ix
PUBLIC
Table of Contents
1 Target of Evaluation...........................................................................1
1.1 TOE Description............................................................................................... 1
1.2 TOE Identification............................................................................................ 1
1.3 Security Policy.................................................................................................. 2
1.4 TOE Architecture ............................................................................................. 3
1.4.1 Logical Boundaries........................................................................... 3
1.4.2 The Physical Boundaries ................................................................. 5
1.5 Clarification of Scope...................................................................................... 6
1.6 Assumptions .................................................................................................... 6
1.6.1 Usage assumptions......................................................................................... 6
1.6.2 Environmental assumptions........................................................................... 7
1.7 Evaluated Configuration................................................................................. 7
1.8 Delivery Procedures ........................................................................................ 7
1.9 Documentation ................................................................................................ 8
2 Evaluation..........................................................................................10
2.1 Evaluation Analysis Activities ...................................................................... 10
2.1.1 Life-cycle support.......................................................................... 10
2.1.2 Development................................................................................... 10
2.1.3 Guidance documents..................................................................... 11
2.1.4 IT Product Testing.......................................................................... 11
3 Result of the Evaluation...................................................................16
3.1 Assurance Level Information ....................................................................... 16
3.2 Recommendation........................................................................................... 16
Annex A References.........................................................................................18
A.1 References...................................................................................................... 18
A.2 Terminology................................................................................................... 18
A.2.1 Acronyms........................................................................................................ 18
A.2.2 Glossary of Terms ......................................................................................... 19
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page ix of ix
PUBLIC
Index of Tables
Table 1: TOE identification.................................................................................................................. 1
Table 2: Independent Functional Testing ....................................................................................... 12
Table 3: List of Acronyms.................................................................................................................. 18
Table 4: Glossary of Terms ............................................................................................................... 19
Index of Figures
Figure 1: TOE Boundry......................................................................................................................... 5
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 1 of 20
PUBLIC
1 Target of Evaluation
1.1 TOE Description
1 The Target of Evaluation (TOE), Juniper Networks Junos Pulse Access Control Service
4.2 R4 (hereafter referred as Unified Access Control (UAC)) is an appliance and
software client running on a remote IT system. The TOE provides central control
point for Juniper Network’s Unified Access Control (UAC) solution.
2 Users will contact the TOE using a variety of clients in order to request network
access. The TOE authenticates users and retrieves the access policies for those
users. The TOE also assesses the health of a user’s host machine and compares it to
the policies in order to determine whether network access is allowed.
3 Authorised users can communicate with a variety of enforcement points (including
Juniper endpoint clients filters, Juniper firewalls, and standard 802.1X enabled
switches or wireless access points) to communicate the network access constraints
based on the TOE’s decision. The enforcement points will allow or deny access based
on the TOE’s result of authentication and policy compliance.
4 In the context of the evaluation, the TOE provides the following major security
features; which will be discussed further in Section 1.4.1 of this document:
a) Generates audit records of security events.
b) Cryptographic support for secure communications between TOE and other IT
entities in order to authenticate users and to transmit authorisations to
enforcement points.
c) Information flow control to prevent unwanted and non-compliant endpoints
from gaining access to the local area network. The TOE compares endpoint
configuration with defined security policies; a non-compliant endpoint is not
allowed full access to the network.
d) All users are required to perform identification and authentication before any
information flows are permitted. For administrators, they must also be
authenticated before performing any administrative functions.
e) Security management functions for the administrators to configure the TOE,
manage users, manage information flow policy and auditing activities.
1.2 TOE Identification
5 The details of the TOE are identified in Table 1 below.
Table 1: TOE identification
Evaluation Scheme
Malaysian Common Criteria Evaluation and Certification
(MyCC) Scheme
Project Identifier C039
TOE Name Juniper Networks Junos Pulse Access Control Service
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 2 of 20
PUBLIC
TOE Version Version 4.2 R4
Security Target Title
Security Target: Juniper Networks Junos Pulse Access
Control Service 4.2 R4
Security Target Version v1.3
Security Target Date 30 May 2013
Assurance Level
Evaluation Assurance Level 3 augmented (EAL3+) with
ALC_FLR.2.
Criteria
Common Criteria for Information Technology Security
Evaluation, July 2009, Version 3.1 Revision 3 (Ref [2])
Methodology
Common Evaluation Methodology for Information
Technology Security Evaluation, July 2009, Version 3.1
Revision 3 (Ref [3])
Protection Profile
Conformance
None
Common Criteria
Conformance
CC Part 2 Conformant
CC Part 3 Conformant
Package conformant to EAL3 augmented with ALC_FLR.2
(EAL3+ ALC_FLR.2)
Sponsor and Developer
Juniper Networks, Inc.
1194 North Matilda Avenue,
Sunnyvale, California 94089-1206
Unites States
Evaluation Facility BAE Systems Detica MySEF
1.3 Security Policy
6 The TOE enforces an information flow control policy between authenticated users
and protected resources logically behind the appliance based on user roles and
resource types. Administrators have the ability to establish rules that permit or deny
information flows based on the combination of attributes.
7 Users will request for information access (such as reading, writing, or deleting a file
or accessing an internal Web server) to a network in the IT environment. They are
granted access if they successfully authenticate to the TOE and the endpoint is
compliant to the Host Checker Policy or the endpoint MAC address is contained
within an exception list. If the authentication is successful but the endpoint is not
compliant to a Host Checker Policy, the endpoint may be remediated in an isolated
area of the network to attain compliance with the Host Checker Policy then gain
access.
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 3 of 20
PUBLIC
8 The details of the security policy are described in Sections 6 and 7 of the Security
Target (Ref [6]).
1.4 TOE Architecture
9 The TOE includes both logical and physical boundaries which are described in detail
Section 1.7 of the Security Target (Ref [6]).
1.4.1 Logical Boundaries
10 The TOE implements and controls the security features listed below:
a) Security audit
The TOE generates audit records for security events. These logs are stored
locally, and the system can also send them to an external SYSLOG server for
alternative storage. The logs are divided into the following categories and are
maintained separately:
i. Event logs – used to track system related events such as start-up and
shutdown,
ii. Admin access logs – used to record administrator generated events, and
iii. User access logs – record user access events such as retrieving a file.
The log details and list of events where the TOE will generate the logs are
listed in Section 6.1.1.1 and Section 7.2 of the Security Target (Ref [6]).
The logs are only accessible through the web-based administrative interface,
in which only authenticated administrators are authorised to access.
Administrators can view, clear, save the logs. When logs are saved from the
TOE, they are transferred to the PC connected to the web-based administrative
interface. The administrator also has the ability to change the log settings.
b) Cryptographic support
The TOE provides an encrypted path between users and itself. The secure
connection ensures that user password and data are protected from
modification and disclosure. The TOE use TDES and AES encryption algorithms
with 128 bit, 192 bit or 256 bit key sizes to provide the secure communication.
AES and TDES keys are generated with an ANSI X9.31 pseudo-random number
generator and are used as session keys for TLS sessions. Cryptographic key
distribution is implemented via the TLS protocol.
c) Information flow control
The TOE enforces an information flow policy between authenticated users and
protected resources logically behind the appliance. Users will request for
information access (such as reading, writing, or deleting a file or accessing an
internal Web server) to a network in the IT environment. They are granted
access if they successfully authenticate to the TOE and the endpoint is
compliant to the Host Checker Policy or the endpoint MAC address is contained
within an exception list. If the authentication is successful but the endpoint is
not compliant to a Host Checker Policy, the endpoint may be remediated in an
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 4 of 20
PUBLIC
isolated area of the network to attain compliance with the Host Checker Policy
then gain access.
The TOE supports predefined rules that check for antivirus software and up-
to-date virus signatures, firewalls, malware, spyware, and specific operating
systems from a wide variety of industry leaders. Additionally, the TOE supports
custom rules that use integrity measurement collectors (IMCs) and integrity
measurement verifiers (IMVs) to perform customised client-side checks.
Custom rules also allow the TOE to check for third party DLLs that perform
customised client side checks. Finally, custom rules can check for ports,
processes, files, registry key settings, and the NetBIOS name, MAC addresses
or certificate of the client machine.
The examples above apply to Windows-based machines. For Mac OS, Linux,
and Solaris the TOE can check for ports, processes, and files only.
d) Identification and authentication
All users, including administrators, are required to perform identification and
authentication before any information flows are permitted. The TOE has the
ability to authenticate users locally using a password or can integrate with a
remote authentication server. In the evaluated configuration, the TOE will
perform the authentication locally. The users will enter a username and
password which will be validated by the TOE against the information stored by
the TOE. If the authentication succeeds, the user receives a session token that
is used for identification of subsequent requests during that session.
The TOE ensures authentication parameters to meet the following:
i. Minimum of eight (8) characters,
ii. Minimum of three (3) numeric characters,
iii. Minimum of three (3) alphabetic characters,
iv. Combination of both uppercase and lowercase alphabetic characters,
v. Different from the username, and
vi. Different from the previously used password
The TOE associates an operator to a role by associating the username with the
proper role once successful authentication occurs. Successful authentication is
required prior to giving a user access to the system. These mechanisms are
used for administration of the routing functions as well as the administration
of the operator accounts used for management.
e) Security management
The TOE provides a wide range of security management functions. The
Administrator logs onto the TOE from a protected network and performs all
management functions through the browser interface. The administrator has
the ability to control all aspects of the TOE configuration including: user
management, information flow policy management, audit management, and
system start-up and shutdown.
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 5 of 20
PUBLIC
The TOE also provides a console port for certain management capabilities,
such as configuring the network relevant information pertaining to the internal
and external network interfaces. However, the console port does not provide
the management capabilities necessary to utilise the security management
functionalities claimed within this ST.
Administrators set the information flow policy rules on a per user basis. When
the administrator adds a new user, the administrator defines the user access.
Although users are grouped into roles, administrators can create rules that
except specific users from the constraints of their role. By default, user access
is restrictive but the administrator may override the default upon rule creation.
The TOE provides a timestamp for its own use. The timestamp is generated
from the clock provided in the hardware. Communications between TOE
components (client and appliance) are encrypted via a secure connection in
order to protect the traffic from disclosure and modification.
1.4.2 The Physical Boundaries
11 The TOE includes the appliance and software client running on a remote IT system.
The appliance TOE component is completely self-contained, housing the software
and hardware necessary to perform all functions. The TOE boundary is shown in
Figure 1 below.
Figure 1: TOE Boundry
12 The TOE is composed of the following components:
a) Authentication Server – verifies the credentials presented by the user (or
presented by the Authenticator on behalf of the user) and associates the user
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 6 of 20
PUBLIC
with an access policy. The Authentication Server may use its integrated
database, or it may consult an external authentication server. The interface to
an external database may be RADIUS, or it may be a more generic database
interface (e.g., LDAP).
b) Policy Manager – interfaces with external enforcement points like Juniper
firewalls. It uses proprietary interfaces to set the access privileges of users
that connect through those enforcement points.
c) Web Server and Application Proxies – provides the main interface for both
users and administrators of the TOE. The web server provides users an
interface to submit connection requests via an HTTPS encrypted tunnel. The
web server provides administrators an interface to administrate the TOE using
a web browser. The web server component is included as part of the TOE and
this includes application proxies to govern the use of and access to
applications on the protected network.
d) Software clients - open and manage a secure connection to the appliance in
order to request network access.
13 The details of TOE physical scope are described in Section 1.7.1 of the Security
Target (Ref [6]).
1.5 Clarification of Scope
14 The TOE is designed to be suitable for use in well-protected environments that have
effective countermeasures such as physical access protection, non-hostile and well-
managed user community in accordance with administrator guidance that is supplied
with the product.
15 Section 1.4 of this document described the scope of the evaluation which was limited
to those claims made in the Security Target (Ref [6]). The operating systems and the
hardware running the software clients are outside the scope of the evaluation.
16 Potential consumers of the TOE are advised that some functions and services may
not have been evaluated as part of the evaluation. Potential consumers of the TOE
should carefully consider their requirements for using functions and services outside
of the evaluated configuration.
1.6 Assumptions
17 This section summarises the security aspects of the environment/configuration in
which the IT product is intended to operate. Consumers should understand their own
IT environments and that required for secure operation of the TOE as defined in
subsequent sections and in the Security Target Ref ([6]).
1.6.1 Usage assumptions
18 Assumptions for the TOE usage listed in the Security Target are:
a) The authorised users will be competent, and not careless, wilfully negligent, or
hostile, and will follow and abide by the instructions provided by the TOE
documentation.
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 7 of 20
PUBLIC
1.6.2 Environmental assumptions
19 Assumptions for the TOE environment listed in the Security Target are:
a) The processing resources of the TOE will be located within controlled access
facilities, which will prevent unauthorised physical access.
1.7 Evaluated Configuration
20 The TOE is the appliance and software client running on a remote IT system, as
described in Section 1.7.1 of the Security Target (Ref [6]). The assurance gained via
evaluation applies specifically to the TOE in the defined evaluated configuration
according to the documented preparative user guidance (Ref 31).
21 The evaluated configuration for the TOE encompasses three components:
a) Appliance software: Juniper Networks Junos Pulse Access Control Service 4.2
R4,
b) Appliance hardware: as per listed in Table 3 of the Security Target (Ref [6]), and
c) Client software: as per listed in Table 3 of the Security Target (Ref [6]).
1.8 Delivery Procedures
22 UAC is delivered to the customers using the delivery procedure (Ref 31a)), which
ensures that the TOE is securely transferred from the development environment into
the responsibility of the customer. The delivery procedures are outlined below.
23 Upon receipt by Juniper, customer orders are processed by Juniper Order
Management where all subsequent processing (shipment transaction, package slip
generation, and invoice generation) will take place.
24 UAC will be produced by authorised contract manufacturers. The appliances are
uniquely labelled using an adhesive-backed thermal label that contains unit model
number, unit serial number and in some instances the MAC address. These labels
are printed during the manufacturing process by the contract manufacturers and
affixed to the unit during final packaging of the box.
25 Juniper packages and labels the product in accordance with the current bill of
material (BOM) and any applicable package specification for the product to be
shipped.
26 Each hardware appliance is wrapped in a plastic bag to provide resistance against
moisture. Then the appliance is enclosed in cardboard shipping boxes and sealed
with tape that does not contain a Juniper logo. A shipping label identifying the exact
product (including the serial number for the included device) and the customer name
is provided on the outside of the shipping box.
27 Juniper employs commercial carrier for its shipment of goods. The commercial
carrier provides a tracking service for both the sender (Juniper) and the receiver to
track delivery and receipt of the package.
28 The recipient can verify that they have received a product that has not been
tampered with:
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 8 of 20
PUBLIC
a) Outside packaging: If the outside shipping box and tape have not been broken,
and the outside shipping label properly identifies the customer and the
product, then the product has not been tampered with.
b) Inside packaging: If the plastic bag or seal on the plastic bag are damaged or
removed, the device may have been tampered with.
c) Delivery times: If delivery times coincide with the tracking information from the
carrier, it can be assumed that the package was not tampered. It is assumed
that the trusted carriers provide reasonable measures to protect the products
from tampering during shipping.
29 There are several mechanisms provided in the above process for a customer to
ensure that they are receiving a box sent by Juniper that has not been masqueraded
by another company or entity:
a) When an appliance is shipped, an Advanced Shipment Notification is sent to
the email address provided by the customer when the order is taken. This
email includes the following information:
i) Purchase Order Number.
ii) Juniper Order Number to be used to track the shipment.
iii) Carrier tracking number to be used to track the shipment.
iv) List of Items shipped including serial numbers.
v) Address and contacts of the customer who ordered the product and who
the product will be shipped to.
b) If a customer wants to verify that a box they have received was sent by Juniper
they can do the following:
i) Compare the carrier tracking number or the Juniper order number listed in
the Juniper shipment notification with the tracking number on the package
received.
ii) Log onto the Juniper online customer support portal at
https://www.juniper.net/customers/csc/management/ to view the Order
Status. Compare the carrier tracking number or the Juniper order number
listed in the Juniper shipment notification with the tracking number on the
package received.
1.9 Documentation
30 To ensure continued secure usage of the product, it is important that the TOE is
used in accordance with the guidance documentation.
31 The following documentation is provided by the developer to the end user as
guidance to ensure secure installation and operation of the product:
a) Secure Delivery Processes and Procedures : Juniper Networks Junos Pulse
Access Control Service 4.2R4, v1.1, 30 October 2012
b) Operational User Guidance and Preparative Procedures Supplement : Juniper
Networks Junos Pulse Access Control Service 4.2 R4, v1.2, 30 October 2012
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 9 of 20
PUBLIC
c) Quick Start Guide: Juniper Networks Junos Pulse Access Control Service 4.2R4,
v4.0, 27 January 2011
d) Administrator Guide: Juniper Networks Junos Pulse Access Control Service
4.2R4, v4.1, 30 January 2011
e) Juniper Networks Unified Access Control Installation Guide (IC4500/IC6500),
530-029910-01 Rev 01, 2009
f) Troubleshooting Guide: Juniper Networks Junos Pulse Access Control Service
4.2R4, v4.0, 25 January 2011
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 10 of 20
PUBLIC
2 Evaluation
32 The evaluation was conducted in accordance with the requirements of the Common
Criteria, Version 3.1 Revision 3 (Ref [2]) and the Common Methodology for IT
Security Evaluation (CEM), Version 3.1 Revision 3 (Ref [3]). The evaluation was
conducted at Evaluation Assurance Level 3 augmented with ALC_FLR.2 (EAL3+
ALC_FLR.2). The evaluation was performed conformant to the MyCC Scheme Policy
(MyCC_P1) (Ref [4]) and MyCC Scheme Evaluation Facility Manual (MyCC_P3) (Ref [5]).
2.1 Evaluation Analysis Activities
33 The evaluation activities involved a structured evaluation of the TOE, including the
following components:
2.1.1 Life-cycle support
34 An analysis of the TOE configuration management system and associated
documentation was performed. The evaluators confirmed that the configuration list
which includes the TOE and the evaluation evidence were clearly and uniquely
labelled, and that the access control measures as described in the configuration
management documentation are effective in preventing unauthorised access to the
configuration items. The developer’s configuration management system was also
observed during the site visit, and it was found to be consistent with the provided
evidence.
35 It is evaluated that the implemented configuration management system can control
changes to those items that have been placed under configuration management
system. The developer’s configuration management system was also observed
during the site visit, and it was found security flaws under configuration
management ensures that security flaw reports are not lost or forgotten, and allows
a developer to track security flaws to their resolution. This is evaluated to be
consistent with the provided evidence.
36 During the site visit the evaluators examined the development security
documentation and determined that it detailed sufficient security measures for the
development environment to protect the confidentiality and integrity of the TOE
design and implementation. The evaluators confirmed that the developer used a
documented life-cycle model which provides necessary control over the development
and maintenance of the TOE by using the procedures, tools and techniques
described by the life-cycle model.
37 The evaluators examined the delivery documentation and determined that it
described all of the procedures required to maintain the integrity of the TOE during
distribution to the consumer.
2.1.2 Development
38 The evaluators analysed the TOE functional specification and design documentation;
they determined that the design completely and accurately describes the TOE
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 11 of 20
PUBLIC
security functionality (TSF) interfaces, and the TSF subsystems. The design described
the TOE subsystems to sufficiently determine the TSF boundary. It provides a
detailed description of the SFR-enforcing subsystems and enough information about
the SFR supporting and SFR-non-interfering subsystems for the evaluator to
determine that the SFRs are completely and accurately implemented.
39 The evaluators analysed the TOE security architectural description and determined
that the delivery and installation process was secure and the security functions are
protected against tamper and bypass. The evaluators also independently verified that
the correspondence mappings between the design documents were correct.
2.1.3 Guidance documents
40 The evaluators examined the TOE preparative user guidance and operational user
guidance, and determined that it sufficiently and unambiguously described how to
securely transform the TOE into its evaluated configuration, and how to use and
administer the product in order to fulfil the security objectives for the operational
environment. The evaluators examined and tested the preparative and operational
guidance, and determined that they were complete and sufficiently detailed to result
in a secure configuration.
2.1.4 IT Product Testing
41 Testing at EAL3 consists of assessing developer tests, performing independent
function test, and performing penetration tests. The TOE testing was conducted by
evaluator from BAE Systems Detica MySEF at BAE Systems Detica MySEF Lab, Kuala
Lumpur and at the developer’s site where it was subjected to comprehensive suite of
formally documented, independent functional and penetration tests. The detailed
testing activities, including configurations, procedures, test cases, expected results
and actual results are documented in a separate Test Plan Reports.
2.1.4.1 Assessment of Developer Tests
42 The evaluators verified that the developer has met their testing responsibilities by
examining their test plans, and reviewing their test results, as documented in the
Evaluation Technical Report (Ref [7]) (not a public document because it contains
information proprietary to the developer and/or the evaluator).
43 The evaluators analysed the developer’s test coverage and depth analysis, and found
them to be complete and accurate. The correspondence between the tests identified
in the developer’s test documentation and the interfaces in the implementation
representative, functional specification, TOE design and security architecture
description was complete.
2.1.4.2 Independent Functional Testing
44 Independent functional testing is the evaluation conducted by evaluator based on the
information gathered by examining design and guidance documentation, examining
developer’s test documentations, executing a sample of the developer’s test plan,
and creating test cases that augmented the developer test.
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 12 of 20
PUBLIC
45 All testing was planned and documented to a sufficient level of detail to allow
repeatability of the testing procedures and results. The results of the independent
functional tests were developed and performed by the evaluators to verify the TOE
functionality as follows:
Table 2: Independent Functional Testing
DESCRIPTION SECURITY
FUNCTION
TSFI RESULTS
To test that TSF shall be able to
generate an audit record for the
following auditable events:
a) Start-up and shutdown of
the audit functions;
b) All auditable events for
the [not specified] level of audit;
and
To test that TSF shall record
within each audit record at least
the following information.
a) Date and time of the
event, type of event, subject
identity (if applicable), and the
outcome (success or failure) of
the event; and
b) For each audit event type,
based on the auditable event
definitions of the functional
components included in the
PP/ST.
FAU_GEN.1,
FMT_SMT.1,
FIA_UID.2,
FIA_UAU.2,
FDP_IFF.1,
FPT_STM.1,
FMT_MOF.1,
FIA_ATD.1
Administrator
Interface
PASS. The TOE does
generate an audit
record as claimed.
To test that the TSF shall provide
an Administrator with the
capability to read all audit
information from the audit
records in a manner suitable for
the user to interpret the
information.
FAU_SAR.1,
FIA_ATD.1
Administrator
Interface
PASS. The
administrator and
Read-Only
Administrator are
able to read and
interpret audit
record.
To test that the TSF shall
generate cryptographic keys in
accordance with a specified
cryptographic key generation
algorithm [ANSI X9.31] and
specified cryptographic key sizes
FCS_CKM.1,
FCS_COP.1
Administrator
Interface and End
user interface
PASS. The TOE is able
to configure using
cryptographic key
length of at least 128
bits.
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 13 of 20
PUBLIC
DESCRIPTION SECURITY
FUNCTION
TSFI RESULTS
[128-, 192-, or 256-bit AES key
and 168-bit TDES key] that meet
the following: [FIPS 197 for AES
and FIPS 46-3 for TDES].
To test that TOE can be
configured to only accept a
cryptographic key length of at
least 168 bits.
FCS_CKM.2 End user
interface
PASS. The TOE is able
to configure using
AES/3DES cipher
suites with the use of
cryptographic key
lengths of at least
168 bits.
To test that the TSF shall enforce
the [NAC Information Flow
Control SFP] based on the
following types of subject and
information security attributes.
To test the TSF shall permit an
information flow between a
controlled subject and controlled
information via a controlled
operation.
FDP_IFF.1 End user
interface
PASS. Non-compliant
end user was unable
to authenticate to
TOE due to access
restriction defined in
policy.
To test that the TSF shall require
each user to be successfully
identified before allowing any
other TSF-mediated actions on
behalf of that user.
FAU_UAU.2 Administrator
Interface and End
user interface
PASS. The end user
can only access
resources upon
successfully
authentication.
To test that read-only admin
cannot create, delete, modify, or
view resource policy rules that
permit or deny resource
requests.
FMT_MOF.1 Administrator
Interface
PASS. Read-Only
admin is not able to
create/ modify/
delete Host Checker
policies.
To test that user without proper
authorisation cannot manage
security attributes.
FMT_MSA.2 Administrator
Interface
PASS. User without
proper authorisation
cannot manage
security attributes.
To test that user with default
TOE settings cannot telnet/ssh
to backend servers.
FDP.IFF.1 and
FMT_MSA.3
Administrator
Interface and
Network
Interface
PASS. Unable to
telnet/ssh to backend
servers.
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 14 of 20
PUBLIC
DESCRIPTION SECURITY
FUNCTION
TSFI RESULTS
To test that admin user can
create, delete, modify, and view
resource policy rules that permit
or deny resource requests.
FMT_SMF.1.1 Administrator
Interface
PASS. The TOE
administrator can
create, delete,
modify, and view
resource policy rules
that permit or deny
resource requests.
To test the default user/admin
realm and roles.
FMT_SMR.1 Administrator
Interface
PASS. The TOE does
have default
user/admin realm
and roles.
To test that the basic Internal
TSF data transfer is protected.
FPT_ITT.1.1 End user and
network
interface
PASS. Data
transferred between
the TOE and Client is
encrypted.
46 All tests performed by the evaluators produced the expected results and as such the
TOE behaved as expected.
2.1.4.3 Penetration Testing
47 The evaluators performed a vulnerability analysis of the TOE in order to identify
potential vulnerabilities in the TOE and to determine whether these were exploitable
in the intended operating environment of the TOE. This vulnerability analysis
considered public domain sources and an analysis of guidance documentation,
functional specification, TOE design, security architecture description, and
implementation representation.
48 From the vulnerability analysis, the evaluators conducted penetration testing to
determine that the TOE, in its operational environment, is resistant to attack
performed by an attacker possessing a Basic attack potential. The following factors
have been taken into consideration during penetration tests:
a) Time taken to identify and exploit (elapsed time);
b) Specialist technical expertise required (specialised expertise);
c) Knowledge of the TOE design and operation (knowledge of the TOE);
d) Window of opportunity; and
e) IT hardware/software or other requirement required for exploitation.
49 The penetration tests focused on:
a) Man in the middle attack;
b) Input manipulation;
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 15 of 20
PUBLIC
c) Fuzzing; and
d) Injection.
50 The results of the penetration testing note that there is no exploitable vulnerability
and/or residual vulnerability found. However, it is important to ensure that the TOE
is use only in its evaluated configuration and in secure environment.
2.1.4.4 Testing Results
51 Tests conducted for the TOE produced the expected results and demonstrated that
the product behaved as specified in its Security Target and functional specification.
52 Based on the results of penetration testing, the evaluators determined that the TOE
is resistant to an attacker possessing a Basic attack potential.
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 16 of 20
PUBLIC
3 Result of the Evaluation
53 After due consideration during the oversight of the execution of the evaluation by
the certifiers and of the Evaluation Technical Report (Ref [7]), the Malaysian Common
Criteria Certification Body certifies the evaluation of Juniper Networks Junos Pulse
Access Control Service 4.2 R4 performed by the BAE Systems Detica MySEF.
54 The BAE Systems Detica MySEF found that Juniper Networks Junos Pulse Access
Control Service upholds the claims made in the Security Target (Ref [6]) and
supporting documentation, and has met the requirements of the Common Criteria
(CC) assurance level EAL3+ ALC_FLR.2.
55 Certification is not a guarantee that a TOE is completely free of exploitable
vulnerabilities. There will remain a small level of risk that exploitable vulnerabilities
remain undiscovered in its claimed security functionality. This risk is reduced as the
certified level of assurance increases for the TOE.
3.1 Assurance Level Information
56 EAL3 provides assurance by a full Security Target (ST) and an analysis of the security
functions in the ST, using a functional and complete interface specification, guidance
documentation, and an architectural description of the TOE design to understand the
security behaviour.
57 The analysis is supported by independent testing of the TOE security functions,
evidence of developer testing based on the functional specification and TOE design,
selective independent confirmation of the developer test results, and a vulnerability
analysis (based upon the functional specification, TOE design, security architecture
description and guidance evidence provided) demonstrating resistance to
penetration attackers with a Basic attack potential. However, in this evaluation, the
lifecycle support evaluation is performed by the evaluator assuming a flaw reporting
procedures of High based on ALC_FLR.2 requirements.
58 EAL3 also provides assurance through the use of development environment controls,
TOE configuration management, and evidence of secure delivery procedures.
59 EAL3 represents a meaningful increase in assurance by requiring more complete
testing coverage of the security functionality and mechanisms and/or procedures
that provide some confidence that the TOE will not be tampered with during
development.
3.2 Recommendation
60 In addition to ensure secure usage of the product, below are additional
recommendations for Juniper Networks Junos Pulse Access Control Service 4.2 R4
consumers:
a) The users and administrators of the TOE should make themselves familiar with
the developer guidance provided with the TOE and pay attention to all security
warnings.
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 17 of 20
PUBLIC
b) Appropriate network layer protection; the network on which the TOE is
installed must be both physically and logically protected.
c) System Administrator ensures that the TOE is correctly configured and
performs annual testing to confirm that all vulnerabilities have been suitably
addressed.
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 18 of 20
PUBLIC
Annex A References
A.1 References
[1] Arrangement on the recognition of Common Criteria Certificates in the field of
Information Technology Security, May 2000.
[2] The Common Criteria for Information Technology Security Evaluation, Version 3.1,
Revision 3, July 2009.
[3] The Common Evaluation Methodology for Information Technology Security
Evaluation, Version 3.1, Revision 3, July 2009.
[4] MyCC Scheme Policy (MyCC_P1), v1a, CyberSecurity Malaysia, December 2009.
[5] MyCC Scheme Evaluation Facility Manual (MyCC_P3), v1, December 2009.
[6] Security Target: Juniper Networks Junos Pulse Access Control Service 4.2 R4, v1.3, 30
May 2013.
[7] Evaluation Technical Report: EAL3+ ALC_FLR.2 Evaluation of Juniper Networks Junos
Pulse Access Control Service Version 4.2 R4, v1.1, 31 May 2013.
A.2 Terminology
A.2.1 Acronyms
Table 3: List of Acronyms
Acronym Expanded Term
AES Advanced Encryption Standard
CB Certification Body
CC Common Criteria (ISO/IEC15408)
CEM Common Evaluation Methodology (ISO/IEC 18045)
CCRA Common Criteria Recognition Arrangement
EAL Evaluation Assurance Level
FIPS Federal Information Processing Standard
HTTPS Hypertext Transfer Protocol Secure
IEC International Electrotechnical Commission
ISCB Information Security Certification Body
ISO International Standards Organisation
LDAP Lightweight Directory Access Protocol
MyCB Malaysian Common Criteria Certification Body
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 19 of 20
PUBLIC
Acronym Expanded Term
MyCC Malaysian Common Criteria Evaluation and Certification Scheme
MyCPR MyCC Scheme Certified Products Register
MySEF Malaysian Security Evaluation Facility
NAC Network Access Control
PP Protection Profile
RADIUS Remote Authentication Dial-in User Service
SFP Security Function Policy
SSH Secure Shell
ST Security Target
Syslog System logging as specified in Request for Comment 5424
TDES Triple Data Encryption Standard
TLS Transport Layer Security
TOE Target of Evaluation
TSF TOE Security Functions
TSFI TOE Security Functions Interface
UAC Unified Access Control
A.2.2 Glossary of Terms
Table 4: Glossary of Terms
Term Definition and Source
Certificate An electronic attestation which links the SVD to a person and
confirms the identity of that person.
Certification Body An organisation responsible for carrying out certification and
for overseeing the day-today operation of an Evaluation and
Certification Scheme. Source CCRA.
Consumer The organisation that uses the certified product within their
infrastructure.
Developer The organisation that develops the product submitted for CC
evaluation and certification.
Evaluation The assessment of an IT product, IT system, or any other valid
target as defined by the scheme, proposed by an applicant
against the standards covered by the scope defined in its
application against the certification criteria specified in the rules
of the scheme. Source CCRA and MS ISO/IEC Guide 65.
PUBLIC
FINAL
C039 Certification Report - Juniper Networks
Junos Pulse Access Control Service 4.2 R4
ISCB-5-RPT-C039-CR-v1a
Page 20 of 20
PUBLIC
Term Definition and Source
Evaluation and
Certification Scheme
The systematic organisation of the functions of evaluation and
certification under the authority of a certification body in order
to ensure that high standards of competence and impartiality
are maintained and that consistency is achieved. Source CCRA.
Interpretation Expert technical judgement, when required, regarding the
meaning or method of application of any technical aspect of the
criteria or the methodology.
Certifier The certifier responsible for managing a specific certification
task.
Evaluator The evaluator responsible for managing the technical aspects of
a specific evaluation task.
Security Evaluation
Facility
An organisation (or business unit of an organisation) that
conducts ICT security evaluation of products and systems using
the CC and CEM in accordance with Evaluation and Certification
Scheme policy
Sponsor The organisation that submits a product for evaluation and
certification under the MyCC Scheme. The sponsor may also be
the developer.
User Any entity (human user or external IT entity) outside the TOE
that interacts with the TOE.
User data Data created by and for the user that does not affect the
operation of the TSF.
--- END OF DOCUMENT ---