Security Target: Juniper Networks JUNOS 10.0 R4 for J-Series and SRX-Series Platforms

Document Version 2.0
July 13, 2011

© Juniper Networks. This document may be freely reproduced and distributed whole and intact including this copyright notice.

Prepared For: Juniper Networks, Inc., 1194 North Mathilda Avenue, Sunnyvale, CA 94089, www.juniper.net
Prepared By: Apex Assurance Group, LLC, 530 Lytton Avenue, Ste. 200, Palo Alto, CA 94301, www.apexassurance.com

Abstract

This document provides the basis for an evaluation of a specific Target of Evaluation (TOE), the JUNOS 10.0 R4 for J-Series and SRX-Series Platforms. This Security Target (ST) defines a set of assumptions about the aspects of the environment, a list of threats that the product intends to counter, a set of security objectives, a set of security requirements and the IT security functions provided by the TOE which meet the set of requirements.

Table of Contents

1 Introduction
  1.1 ST Reference
  1.2 TOE Reference
  1.3 Document Organization
  1.4 Document Conventions
  1.5 Document Terminology
  1.6 TOE Overview
  1.7 TOE Description
    1.7.1 Overview
    1.7.2 Physical Boundary
    1.7.3 Logical Boundary
2 Conformance Claims
  2.1 CC Conformance Claim
  2.2 PP Claim
  2.3 Package Claim
  2.4 Conformance Rationale
3 Security Problem Definition
  3.1 Threats
  3.2 Organizational Security Policies
  3.3 Assumptions
4 Security Objectives
  4.1 Security Objectives for the TOE
  4.2 Security Objectives for the Operational Environment
  4.3 Security Objectives Rationale
5 Extended Components Definition
  5.1 Definition of Extended Components
6 Security Requirements
  6.1 Security Functional Requirements
    6.1.1 Security Audit (FAU)
    6.1.2 Communication (FCO)
    6.1.3 Cryptographic Support (FCS)
    6.1.4 Information Flow Control (FDP)
    6.1.5 Identification and Authentication (FIA)
  6.2 Security Management (FMT)
    6.2.2 Protection of the TSF (FPT)
    6.2.3 TOE Access (FTA)
    6.2.4 Trusted Path/Channels (FTP)
  6.3 Security Functional Requirements for the IT Environment
    6.3.1 Identification and Authentication (FIA)
  6.4 Security Assurance Requirements
  6.5 Security Requirements Rationale
    6.5.1 Security Functional Requirements
    6.5.2 Sufficiency of Security Requirements
    6.5.3 Security Assurance Requirements
    6.5.4 Security Assurance Requirements Rationale
    6.5.5 Security Assurance Requirements Evidence
7 TOE Summary Specification
  7.1 TOE Security Functions
  7.2 Audit
  7.3 Information Flow Control
  7.4 Identification and Authentication
  7.5 Security Management

List of Tables

Table 1 — ST Organization and Section Descriptions
Table 2 — Acronyms Used in Security Target
Table 3 — Evaluated Configuration for the TOE
Table 4 — Logical Boundary Descriptions
Table 5 — Threats Addressed by the TOE
Table 6 — Assumptions
Table 7 — TOE Security Objectives
Table 8 — Operational Environment Security Objectives
Table 9 — Mapping of Assumptions, Threats, and OSPs to Security Objectives
Table 10 — Mapping of Objectives to Threats
Table 11 — Mapping of Threats, Policies, and Assumptions to Objectives
Table 12 — TOE Security Functional Requirements
Table 13 — Cryptographic Operations
Table 14 — Management of TSF data
Table 15 — Mapping of TOE Security Functional Requirements and Objectives
Table 16 — Rationale for TOE SFRs to Objectives
Table 17 — Rationale for TOE Objectives to SFRs
Table 18 — Security Assurance Requirements at EAL3
Table 19 — Security Assurance Rationale and Measures

List of Figures

Figure 1 — Common TOE Deployment
Figure 2 — Typical IPSec Configuration
Figure 3 — TOE Boundary
Figure 4 — J2320, J2350, J4350, J6350 (Top to Bottom)
Figure 5 — SRX100, SRX210, SRX650, SRX3400, SRX3600, SRX5600, SRX5800 (Top to Bottom)

1 Introduction

This section identifies the Security Target (ST), Target of Evaluation (TOE), Security Target organization, document conventions, and terminology. It also includes an overview of the evaluated product.
1.1 ST Reference

ST Title | Security Target: Juniper Networks JUNOS 10.0 R4 for J-Series and SRX-Series Platforms
ST Revision | 2.0
ST Publication Date | July 13, 2011
Author | Apex Assurance Group, LLC

1.2 TOE Reference

TOE Reference | Juniper Networks JUNOS 10.0 R4 for J-Series and SRX-Series Platforms

1.3 Document Organization

This Security Target follows the following format:

SECTION | TITLE | DESCRIPTION
1 | Introduction | Provides an overview of the TOE and defines the hardware and software that make up the TOE as well as the physical and logical boundaries of the TOE
2 | Conformance Claims | Lists evaluation conformance to Common Criteria versions, Protection Profiles, or Packages where applicable
3 | Security Problem Definition | Specifies the threats, assumptions and organizational security policies that affect the TOE
4 | Security Objectives | Defines the security objectives for the TOE/operational environment and provides a rationale to demonstrate that the security objectives satisfy the threats
5 | Extended Components Definition | Describes extended components of the evaluation (if any)
6 | Security Requirements | Contains the functional and assurance requirements for this TOE
7 | TOE Summary Specification | Identifies the IT security functions provided by the TOE and also identifies the assurance measures targeted to meet the assurance requirements.

Table 1 — ST Organization and Section Descriptions

1.4 Document Conventions

The notation, formatting, and conventions used in this Security Target are consistent with those used in Version 3.1 of the Common Criteria. Selected presentation choices are discussed here to aid the Security Target reader.
The Common Criteria allows several operations to be performed on functional requirements. The allowable operations defined in Part 2 of the Common Criteria are refinement, selection, assignment and iteration.

* The assignment operation is used to assign a specific value to an unspecified parameter, such as the length of a password. An assignment operation is indicated by showing the value in square brackets, i.e. [assignment_value(s)].
* The refinement operation is used to add detail to a requirement, and thus further restricts a requirement. Refinement of security requirements is denoted by bold text. Any text removed is indicated with a strikethrough format (Example: TSF).
* The selection operation is picking one or more items from a list in order to narrow the scope of a component element. Selections are denoted by italicized text.
* Iterated functional and assurance requirements are given unique identifiers by appending to the base requirement identifier from the Common Criteria an iteration number inside parentheses; for example, FMT_MTD.1.1 (1) and FMT_MTD.1.1 (2) refer to separate instances of the FMT_MTD.1 security functional requirement component.

When not embedded in a Security Functional Requirement, italicized text is used for both official document titles and text meant to be emphasized more than plain text.
1.5 Document Terminology

The following table describes the acronyms used in this document:

TERM | DEFINITION
AES | Advanced Encryption Standard
ANSI | American National Standards Institute
BGP | Border Gateway Protocol
CC | Common Criteria version 3.1
DH | Diffie Hellman
EAL | Evaluation Assurance Level
IETF | Internet Engineering Task Force
IKE | Internet Key Exchange
IPSec | Internet Protocol Security
JUNOS | Juniper Operating System
NAT | Network Address Translation
NTP | Network Time Protocol
OSP | Organizational Security Policy
PFE | Packet Forwarding Engine
PIC/PIM | Physical Interface Card/Module
RE | Routing Engine
RFC | Request for Comment
RIP | Routing Information Protocol
SA | Security Association
SCEP | Simple Certificate Enrollment Protocol
SFP | Security Function Policy
SFR | Security Functional Requirement
SNMP | Simple Network Management Protocol
SSH | Secure Shell
SSL | Secure Sockets Layer
ST | Security Target
TOE | Target of Evaluation
TSF | TOE Security Function
VPN | Virtual Private Network
VR | Virtual Router

Table 2 — Acronyms Used in Security Target

1.6 TOE Overview

The TOE is Juniper Networks JUNOS 10.0 R4 for J-Series and SRX-Series Platforms, which primarily supports the definition of and enforces information flow policies among network nodes. The routers provide for stateful inspection of every packet that traverses the network and provide central management to manage the network security policy. All information flow from one network node to another passes through an instance of the TOE. Information flow is controlled on the basis of network node addresses, protocol, type of access requested, and services requested.
In support of the information flow security functions, the TOE ensures that security-relevant activity is audited, that its own functions are protected from potential attacks, and provides the security tools to manage all of the security functions.

The J-series Services Routers are deployed at branch and remote locations in the network to provide all-in-one secure WAN connectivity, IP telephony, and connection to local PCs and servers via integrated Ethernet switching.

[Figure 1 — Common TOE Deployment]

JUNOS 10.0 R4 for J-Series and SRX-Series Platforms may also be referred to as the TOE in this document.

1.7 TOE Description

1.7.1 Overview

Each Juniper Networks J-Series and SRX-Series routing platform is a complete routing system that supports a variety of high-speed interfaces for medium/large networks and network applications. Juniper Networks routers share common JUNOS software, features, and technology for compatibility across platforms. The routers are physically self-contained, housing the software, firmware and hardware necessary to perform all router functions. The hardware has two components: the router itself and various PIC/PIMs, which allow the routers to communicate with the different types of networks that may be required within the environment where the routers are used.
Each instance of the TOE consists of the following major architectural components:

* The Routing Engine (RE) runs the JUNOS software and provides Layer 3 routing services and network management for all operations necessary for the configuration and operation of the TOE, and controls the flow of information through the TOE, including Network Address Translation (NAT) and all operations necessary for the encryption/decryption of packets for secure communication via the IPSec protocol;
* The Packet Forwarding Engine (PFE) provides all operations necessary for transit packet forwarding.

The Routing Engine and Packet Forwarding Engine perform their primary tasks independently, while constantly communicating through a high-speed internal link. This arrangement provides streamlined forwarding and routing control and the capability to run Internet-scale networks at high speeds. The routers support numerous routing standards for flexibility and scalability as well as IETF IPSec protocols as defined in RFC2401-RFC2410. These functions can all be managed through the JUNOS software, either from a connected terminal console or via a network connection. Network management can be secured using SSL, SNMP v3, and SSH protocols. All management, whether from a user connecting to a terminal or from the network, requires successful authentication and is communicated using JUNOScript. Netconf is an IETF standardization effort which is closely aligned to JUNOScript. JUNOS only supports Netconf via SSH transport, and authentication is handled by SSHD. The TOE supports IPSec to provide confidentiality, integrity, and authenticity to network traffic transmitted from one TOE device and received by another TOE device.
The following figure shows a typical IPSec architecture:

[Figure 2 — Typical IPSec Configuration: Device-A and Device-B act as tunnel gateways across the Internet; the original packet is encapsulated for transit between them.]

IPSec supports the automated generation and negotiation of keys and security associations using the Internet Key Exchange (IKE) protocol. The JUNOS software performs all IPSec operations, including control of Security Associations and Key Management operations.

Juniper Networks security devices accomplish routing through a process called a virtual router (VR). A security device divides its routing component into two or more VRs, with each VR maintaining its own list of known networks in the form of a routing table, routing logic, and associated security zones.

1.7.2 Physical Boundary

The TOE is a combined hardware/software TOE and is defined as the JUNOS 10.0 R4 for J-Series and SRX-Series Platforms. The TOE boundary is shown below:

[Figure 3 — TOE Boundary (legend: External Interface, Internal Interface, TOE Component, IT Environment Component)]

The physical boundary is defined as the entire router chassis, as depicted below:

[Figure 4 — J2320, J2350, J4350, J6350 (Top to Bottom)]

The SRX series appliances are pictured below:
[Figure 5 — SRX100, SRX210, SRX650, SRX3400, SRX3600, SRX5600, SRX5800 (Top to Bottom)]

In order to comply with the evaluated configuration, the following hardware and software components should be used:

TOE COMPONENT | VERSION/MODEL NUMBER
Software Version | JUNOS US/Canada Version 10.0 R4; JUNOS-FIPS Version 10.0 R4
Hardware Version | J-Series: J2320, J2350, J4350, J6350; SRX-Series: SRX100, SRX210, SRX240, SRX650, SRX3400, SRX3600, SRX5600, SRX5800

Table 3 — Evaluated Configuration for the TOE

The TOE interfaces are comprised of the following:

1. Network interfaces, which pass traffic
2. Management interface, through which administrative actions are handled.

1.7.3 Logical Boundary

This section outlines the boundaries of the security functionality of the TOE; the logical boundary of the TOE includes the security functionality described in the following table:

TSF | DESCRIPTION
Audit | JUNOS auditable events are stored in the syslog files, and although they can be sent to an external log server, the requirements for auditing are met by local storage. Audit events cover authentication activity and configuration changes. Audit records include the date and time, event category, event type, and username. An accurate time is obtained by the router NTP daemon, acting as a client, from an NTP server in the IT environment. (The NTP server is considered outside the scope of the TOE.) This external time source allows synchronization of the TOE audit logs with external audit log servers in the environment. The audit log can be viewed only by a super-user or a custom-user with appropriate privileges.
Information Flow Control | The TOE is designed to forward network packets (i.e., information flows) from source network entities to destination network entities based on available routing information. This information is either provided directly by TOE users or indirectly from other network entities (outside the TOE) configured by the TOE users. The TOE also implements Internet Protocol Security (IPSec) to support confidentiality, integrity, and authenticity of data transmitted from the TOE and received by the TOE in a VPN-configured state.
Identification and Authentication | The TOE requires users to provide unique identification and authentication data before any administrative access to the system is granted. The TOE provides three levels of authority for users, providing administrative flexibility (additional flexibility is provided in JUNOS, but is outside the scope of the evaluation). Super-users and custom-users with appropriate privileges have the ability to define groups and their authority, and they have complete control over the TOE. The routers also require that applications exchanging information with them successfully authenticate prior to any exchange. This covers all services used to exchange information, including telnet (out of scope), SSH, SSL, and FTP. Authentication services can be handled either internally (fixed user-selected passwords) or through a RADIUS or TACACS+ authentication server in the IT environment (the external authentication server is considered outside the scope of the TOE).
Security Management | The router is managed using XML RPCs (JUNOScript), either through raw XML (API mode), as in the case of J-Web (over HTTP) and JUNOScope (over SSL), or through a Command Line Interface (CLI) protected by SSH. Both interfaces provide equivalent management functionality. Through these interfaces all management can be performed, including user management and the configuration of the router functions. The CLI interface is accessible through an SSH session, or via a local terminal console. Netconf is an IETF standardization effort which is closely aligned to JUNOScript.

Table 4 — Logical Boundary Descriptions

2 Conformance Claims

2.1 CC Conformance Claim

The TOE is Common Criteria Version 3.1 Revision 3 (July 2009) Part 2 extended and Part 3 conformant.

2.2 PP Claim

The TOE does not claim conformance to any registered Protection Profile.

2.3 Package Claim

The TOE claims conformance to the EAL3 assurance package defined in Part 3 of the Common Criteria Version 3.1 Revision 3 (July 2009). The TOE does not claim conformance to any functional package.

2.4 Conformance Rationale

No conformance rationale is necessary for this evaluation since this Security Target does not claim conformance to a Protection Profile.
3 Security Problem Definition

In order to clarify the nature of the security problem that the TOE is intended to solve, this section describes the following:

* Any known or assumed threats to the assets against which specific protection within the TOE or its environment is required
* Any organizational security policy statements or rules with which the TOE must comply
* Any assumptions about the security aspects of the environment and/or of the manner in which the TOE is intended to be used.

This chapter identifies assumptions as A.assumption, threats as T.threat and policies as P.policy.

3.1 Threats

The following are threats identified for the TOE and the IT System the TOE monitors. The TOE itself has threats and the TOE is also responsible for addressing threats to the environment in which it resides. The assumed level of expertise of the attacker for all threats is unsophisticated. The TOE addresses the following threats:

THREAT | DESCRIPTION
T.CONFLOSS | Failure of network components may result in loss of configuration data that cannot quickly be restored.
T.MANDAT | Unauthorized changes to the network configuration may be made through interception of in-band router management traffic on a network.
T.NOAUDIT | Unauthorized changes to the router configurations and other management information will not be detected.
T.OPS | An unauthorized process or application may gain access to the TOE security functions and data, inappropriately changing the configuration data for the TOE security functions.
T.PRIVIL | An unauthorized user may gain access to the TOE and exploit system privileges to gain access to TOE security functions and data, inappropriately changing the configuration data for TOE security functions.
T.ROUTE | Network packets may be routed inappropriately due to accidental or deliberate misconfiguration.
T.UNTRUSTED_PATH | An attacker may attempt to disclose, modify or insert data within packet flows transmitted/received by the TOE over an untrusted network. If such an attack were successful, then the confidentiality, integrity and authenticity of packet flows transmitted/received over an untrusted path would be compromised.

Table 5 — Threats Addressed by the TOE

The IT Environment does not explicitly address any threats.

3.2 Organizational Security Policies

The TOE is not required to meet any organizational security policies.

3.3 Assumptions

This section describes the security aspects of the environment in which the TOE is intended to be used. The TOE is assured to provide effective security measures in a co-operative non-hostile environment only if it is installed, managed, and used correctly. The following specific conditions are assumed to exist in an environment where the TOE is employed.

ASSUMPTION | DESCRIPTION
A.LOCATE | The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access.
A.NOEVIL | The authorized users will be competent, and not careless, willfully negligent, or hostile, and will follow and abide by the instructions provided by the TOE documentation.
AE.EAUTH | External authentication services will be available via either RADIUS, TACACS+, or both.
AE.TIME | External NTP services will be available.
AE.CRYPTO | In-band management traffic will be protected using SSL or SSH.

Table 6 — Assumptions
Security Target: Juniper Networks JUNOS 10.0 R4 for J-Series and SRX-Series Platforms 4 Security Objectives 4.1 Security Objectives for the TOE The IT security objectives for the TOE are addressed below: OBJECTIVE DESCRIPTION O.ACCESS The TOE must only allow authorized users and processes (applications) to access protected TOE functions and data. O.AMANAGE The TOE management functions must be accessible only by authorized users. O.AUDIT Users must be accountable for their actions in administering the TOE. O.AUTHENTICITY The TOE must provide the means for ensuring that a packet flow has been received from a trusted source. O.CONFIDENTIALITY The TOE must protect the confidentiality of packet flows transmitted to/from the TOE over an untrusted network. O.EADMIN The TOE must provide services that allow effective management of its functions and data. O.FLOW The TOE must ensure that network packets flow from source to destination according to available routing information. O.INTEGRITY The TOE must ensure that any attempt to corrupt or modify a packet flow transmitted to/from the TOE is detected. O.PROTECT The TOE must protect against unauthorized accesses and disruptions of TOE functions and data. O.ROLBAK The TOE must enable rollback of router configurations to a known state. O.SECURE_KEY The TOE must provide the means of protecting the confidentiality of cryptographic keys when they are used to encrypt/decrypt traffic flows between instances of the TOE. The TOE must also provide a means of secure key distribution to other subjects. Table 7 — TOE Security Objectives 4.2 Security Objectives for the Operational Environment The security objectives for the operational environment are addressed below: OBJECTIVE DESCRIPTION OE.ADMIN Authorized users must follow all guidance OE.CRYPTO SSL or SSH must be enabled for all in-band management traffic OE.EAUTH A RADIUS server, a TACACS+ server, or both must be available for external authentication services. 
OE.PHYSICAL Those responsible for the TOE must ensure that those parts of the TOE critical to the security policy are protected from any physical attack. OE.TIME NTP server(s) will be available to provide accurate/synchronized time services to the router. Table 8 - Operational Environment Security Objectives Document Version 2.0 © Juniper Networks This document may be freely reproduced and distributed whole and intact including this copyright notice. Page 19 of 58 Security Target: Juniper Networks JUNOS 10.0 R4 for J-Series and SRX-Series Platforms 4.3 Security Objectives Rationale This section provides the summary that all security objectives are traced back to aspects of the addressed assumptions, threats, and Organizational Security Policies. THREATS/ ASSUMPTIONS T.ROUTE T.PRIVIL A.NOEVIL A.EAUTH A.CRYPTO = Fi [=] z < 2 = T.CONFLOSS T.NOAUDIT T.UNTRUSTED_PATH OBJECTIVES O.FLOW O.PROTECT O.EADMIN O.AMANAGE O.ACCESS O.ROLBAK O.AUDIT O.AUTHENTICITY O.CONFIDENTIALITY O.INTEGRITY O.SECURE_KEY OE.EAUTH v v OE.TIME v OE.CRYPTO v OE.PHYSICAL v OE.ADMIN v Table 9 - Mapping of Assumptions, Threats, and OSPs to Security Objectives «| NN NARRRERE NARBE << NENENEN 4.3.1.1 Rationale for Security Threats to the TOE THREAT RATIONALE T.CONFLOSS This threat is completely countered by * O.EADMIN, which ensures that the TOE provides services that allow effective management of its functions and data ¢ O.ROLBAK which ensures the TOE enables rollback of TOE configurations to a known state. Document Version 2.0 © Juniper Networks Page 20 of 58 This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Target: Juniper Networks JUNOS 10.0 R4 for J-Series and SRX-Series Platforms THREAT RATIONALE T.MANDAT This threat is completely countered by * O.ACCESS which ensures the TOE only allows authorized users and processes (applications) to access protected TOE functions and data. 
* O.AMANAGE which ensures that the TOE management functions are accessible only by authorized users. * O.AUDIT which ensures users are accountable for their actions in administering the TOE. T.NOAUDIT This threat is completely countered by O.AUDIT, which ensures users are accountable for their actions in administering the TOE. T.OPS This threat is completely countered by * O.ACCESS which ensures the TOE only allows authorized users and processes (applications) to access protected TOE functions and data. * O.AUDIT which ensures users are accountable for their actions in administering the TOE. * O.PROTECT which ensures the TOE protects against unauthorized accesses and disruptions of TOE functions and data. * O.ROLBAK which ensures TOE enables rollback of TOE configurations to a known state. T.PRIVIL This threat is completely countered by * O.ACCESS which ensures the TOE only allows authorized users and processes (applications) to access protected TOE functions and data. * O.AMANAGE which ensures that the TOE management functions are accessible only by authorized users. * O.AUDIT which ensures users are accountable for their actions in administering the TOE. * O.PROTECT which ensures the TOE protects against unauthorized accesses and disruptions of TOE functions and data. * O.ROLBAK which ensures TOE enables rollback of TOE configurations to a known state. T.ROUTE This threat is completely countered by * O.ACCESS which ensures the TOE only allows authorized users and processes (applications) to access protected TOE functions and data. * O.AUDIT which ensures users are accountable for their actions in administering the TOE. * O.AMANAGE which ensures that the TOE management functions are accessible only by authorized users. 
* O.EADMIN which ensures that the TOE provides services that allow effective management of its functions and data * O.FLOW which ensures that network packets flow from source to destination according to available routing information in the TOE configuration. * O.PROTECT which ensures the TOE protects against unauthorized accesses and disruptions of TOE functions and data. * O.ROLBAK which ensures TOE enables rollback of TOE configurations to a known state. Document Version 2.0 © Juniper Networks Page 21 of 58 This document may be freely reproduced and distributed whole and intact including this copyright notice. Security Target: Juniper Networks JUNOS 10.0 R4 for J-Series and SRX-Series Platforms T.UNTRUSTED_PATH THREAT RATIONALE This threat is completely countered by ® O.INTEGRITY which ensures that any attempt to corrupt or modify a packet flow transmitted to/from the TOE is detected. O.AUTHENTICITY which ensures the TOE can ensure that a packet flow has been received from a trusted source. O.CONFIDENTIALITY which ensures that the TOE protects the confidentiality of packet flows transmitted to/from the TOE over an untrusted network. O.SECURE_KEY which ensures the TOE provides the means of protecting the confidentiality of cryptographic keys when they are used to encrypt/decrypt traffic flows between instances of the TOE. The TOE must also provide a means of secure key distribution to other subjects. O.ACCESS Table 10 — Mapping of Objectives to Threats 4.3.1.2 Rationale for Security Objectives of the TOE OBJECTIVE RATIONALE This objective addresses the need to protect the TOE’s operations and data. This helps counter the threats of incorrect routing (T.ROUTE), unauthorized access (T.PRIVIL and T.OPS), and interception (T.MANDAT). O.AMANAGE The objective to limit access to management functions helps ensure correct routing (T.ROUTE), and helps counter the threat of unauthorized access (T.PRIVIL), and interception (T.MANDAT). 
O.AUDIT
This objective serves to discourage and detect inappropriate use of the TOE (T.NOAUDIT), and as such helps counter T.ROUTE, T.PRIVIL, T.OPS and T.MANDAT. It also helps to support the assumption A.NOEVIL, by recording actions of users.

O.AUTHENTICITY
This objective ensures that a packet flow has been received from a trusted source (T.UNTRUSTED_PATH).

O.CONFIDENTIALITY
This objective ensures the protection of confidentiality of packet flows transmitted to/from the TOE over an untrusted network (T.UNTRUSTED_PATH).

O.INTEGRITY
This objective ensures that any attempt to corrupt or modify a packet flow transmitted to/from the TOE is detected (T.UNTRUSTED_PATH).

O.EADMIN
This objective is to provide effective management tools that assist in the correct routing of packets (T.ROUTE) and help to recover from failures (T.CONFLOSS).

O.FLOW
This objective helps to counter the threat T.ROUTE through the use of routing tables to correctly route information.

O.PROTECT
This objective contributes to correct routing of information (T.ROUTE) and prevention of disruption to TOE functions by users (T.PRIVIL) or processes (T.OPS).

O.ROLBAK
The objective to restore previous configurations helps ensure correct routing of data (T.ROUTE), and helps recover from loss of configuration data (T.CONFLOSS) and unauthorized changes (T.PRIVIL, T.OPS).

O.SECURE_KEY
The objective mitigates the threat of data modification or disclosure by ensuring that cryptographic keys are generated sufficiently, kept confidential, and destroyed properly (T.UNTRUSTED_PATH).

OE.ADMIN
The objective that users should follow guidance supports the assumption that they will not be careless, willfully negligent or hostile (A.NOEVIL).
OE.CRYPTO
The objective to use SSL or SSH to protect in-band management traffic supports the assumption that cryptography is used to protect management traffic (A.CRYPTO).

OE.EAUTH
The objective to have an authentication server in the TOE environment helps to counter the threat of unauthorized access (T.PRIVIL), and supports the assumption that such a server is present (A.EAUTH).

OE.PHYSICAL
The objective to provide physical protection for the TOE supports the assumption that the TOE will be located within controlled access facilities, which will prevent unauthorized physical access (A.LOCATE).

OE.TIME
The objective to have an NTP server in the TOE environment supports the assumption (A.TIME) that time services are available to provide the router with accurate/synchronized time information.

Table 11 - Mapping of Threats, Policies, and Assumptions to Objectives

5 Extended Components Definition

5.1 Definition of Extended Components
FCS_CKM_SYM_EXP.1 Cryptographic Key Establishment for AES Symmetric Keys was created to define the details of ANSI X9.42 key establishment.

Management: FCS_CKM_SYM_EXP.1
There are no management activities foreseen.

Audit: FCS_CKM_SYM_EXP.1
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a) Minimal: Success and failure of the activity.
b) Basic: The object attribute(s), and object value(s) excluding any sensitive information (e.g. secret or private keys).
FCS_CKM_SYM_EXP.1 Cryptographic Key Establishment for AES Symmetric Keys
Hierarchical to: No other components
Dependencies: [FCS_CKM.1 Cryptographic Key Generation, FCS_COP.1 Cryptographic Operation]

FCS_CKM_SYM_EXP.1.1 The cryptomodule shall provide the following cryptographic key establishment using Discrete Logarithm Key Agreement that meets the following:
a) The cryptomodule shall provide the capability to act as the initiator or responder (that is, act as Party U or Party V as defined in the standard) to agree on cryptographic keys of all sizes using the [assignment: key agreement scheme] key agreement scheme where domain parameter p is a prime of [assignment: size(s) in bits of P value(s)] and domain parameter q is a prime of [assignment: size(s) in bits of Q value(s)], and that conforms with ANSI X9.42, Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography.
b) The cryptomodule shall conform to a standard using a FIPS-approved Random Number generation function and a FIPS-approved Hashing function.
c) The choices and options used in conforming to the key agreement scheme(s) are as follows: [assignment: prerequisites and other applicable standards].

6 Security Requirements
The security requirements that are levied on the TOE and the IT environment are specified in this section of the ST.
6.1 Security Functional Requirements
The functional security requirements for this Security Target consist of the following components from Part 2 of the CC, which are summarized in the following table:

CLASS HEADING                     CLASS_FAMILY          DESCRIPTION
Security Audit                    FAU_ARP.1             Security Alarms
                                  FAU_GEN.1             Audit Data Generation
                                  FAU_GEN.2             User Identity Association
                                  FAU_SAA.1             Potential Violation Analysis
                                  FAU_SAR.1             Audit Review
                                  FAU_STG.1             Protected Audit Trail Storage
Communication                     FCO_NRO.2             Enforced Proof of Origin
Cryptographic Support             FCS_CKM.1             Cryptographic Key Generation
                                  FCS_CKM_SYM_EXP.1     Cryptographic Key Establishment for AES symmetric keys
                                  FCS_CKM.2             Cryptographic Key Distribution
                                  FCS_COP.1             Cryptographic Operation
User Data Protection              FDP_IFC.1(1)          Subset Information Flow Control
                                  FDP_IFF.1(1)          Simple Security Attributes
                                  FDP_IFC.1(2)          Subset Information Flow Control
                                  FDP_IFF.1(2)          Simple Security Attributes
                                  FDP_ROL.1             Basic Rollback
                                  FDP_UCT.1             Basic Data Exchange Confidentiality
                                  FDP_UIT.1             Data Exchange Integrity
Identification and Authentication FIA_ATD.1             User attribute definition
                                  FIA_SOS.1             Verification of secrets
                                  FIA_UAU.2             User authentication before any action
                                  FIA_UAU.5             Multiple authentication mechanisms
                                  FIA_UID.2             User identification before any action
Security Management               FMT_MOF.1             Management of Security Functions Behavior
                                  FMT_MSA.1             Management of Security Attributes
                                  FMT_MSA.2             Secure Security Attributes
                                  FMT_MSA.3             Static Attribute Initialization
                                  FMT_MTD.1             Management of TSF Data
                                  FMT_SMF.1             Specification of Management Functions
                                  FMT_SMR.1             Security Roles
Protection of the TSF             FPT_STM.1             Reliable Time Stamps
TOE Access                        FTA_TSE.1             TOE Session Establishment
Trusted Path/Channels             FTP_ITC.1             Inter-TSF trusted Channel
Table 12 - TOE Security Functional Requirements

6.1.1 Security Audit (FAU)

6.1.1.1 FAU_ARP.1 Security Alarms
FAU_ARP.1.1 The TSF shall take [the following configurable actions: create a log entry and drop connection] upon detection of a potential security violation.

6.1.1.2 FAU_GEN.1 Audit Data Generation
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [not specified] level of audit; and
c) [User login/logout;
d) Login failures;
e) Configuration is committed on a device;
f) Configuration is changed;
g) Errors during processing of the Routed Information Flow Control SFP and the Secure Information Flow Control SFP].
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity (if applicable), and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [no other audit relevant information].

6.1.1.3 FAU_GEN.2 User Identity Association
FAU_GEN.2.1 For audit events resulting from actions of identified users, the TSF shall be able to associate each auditable event with the identity of the user that caused the event.
6.1.1.4 FAU_SAA.1 Potential Violation Analysis
FAU_SAA.1.1 The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the enforcement of the SFRs.
FAU_SAA.1.2 The TSF shall enforce the following rules for monitoring audited events:
a) Accumulation or combination of [failed authentication attempt events] known to indicate a potential security violation;
b) [no other rules].

6.1.1.5 FAU_SAR.1 Audit Review
FAU_SAR.1.1 The TSF shall provide [super-users and custom-users with appropriate privileges] with the capability to read [all audit information] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.

6.1.1.6 FAU_STG.1 Protected Audit Trail Storage
FAU_STG.1.1 The TSF shall protect the stored audit records in the audit trail from unauthorized deletion.
FAU_STG.1.2 The TSF shall be able to [prevent] unauthorized modifications to the stored audit records in the audit trail.

6.1.2 Communication (FCO)

6.1.2.1 FCO_NRO.2 Enforced Proof of Origin
FCO_NRO.2.1 The TSF shall enforce the generation of evidence of origin for transmitted [IP packets protected by the Secure Information Flow Control SFP] at all times.
FCO_NRO.2.2 The TSF shall be able to relate the [IPSec peer] of the originator of the information, and the [digital signature] of the information to which the evidence applies.
FCO_NRO.2.3 The TSF shall provide a capability to verify the evidence of origin of information to [the receiving TOE] given [the successful establishment of an IPSec security association with the transmitting TOE].
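The audit requirements above (FAU_GEN.1 record contents, FAU_SAA.1 accumulation of failed authentication attempts, FAU_ARP.1 log-and-drop response) are stated as obligations; the following Python is an added example of how a monitor implementing them behaves on sample input. It is not JUNOS code and not part of the Security Target. The log line layout, the threshold of three failures and the five-minute window are assumptions chosen for the illustration; the six log lines are constructed.

```python
"""Constructed audit pipeline illustrating FAU_GEN.1 record contents,
FAU_SAA.1 accumulation of failed authentication attempts and the FAU_ARP.1
response (create a log entry and drop connection).  Added example; the log
format, threshold and window are assumptions, not JUNOS behaviour."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed syslog-like layout.
SAMPLE_LOG = """\
2011-07-13T10:00:01 sshd LOGIN_FAILED user=admin src=192.0.2.10 reason=bad_password
2011-07-13T10:00:04 sshd LOGIN_FAILED user=admin src=192.0.2.10 reason=bad_password
2011-07-13T10:00:09 sshd LOGIN_FAILED user=root src=192.0.2.10 reason=bad_password
2011-07-13T10:00:15 sshd LOGIN_OK user=operator src=198.51.100.7
2011-07-13T10:00:20 mgd COMMIT user=operator src=198.51.100.7
2011-07-13T10:09:30 sshd LOGIN_FAILED user=admin src=203.0.113.5 reason=bad_password
"""

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<proc>\S+) (?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)"
)

# Event type -> outcome, the "success or failure" field of FAU_GEN.1.2 a).
OUTCOME = {"LOGIN_FAILED": "failure", "LOGIN_OK": "success", "COMMIT": "success"}


def parse_records(text):
    """Turn log lines into audit records carrying the FAU_GEN.1.2 fields:
    date/time, event type, subject identity and outcome."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, never reinterpreted
        records.append({
            "time": datetime.fromisoformat(m["ts"]),
            "type": m["event"],
            "subject": m["user"],
            "source": m["src"],
            "outcome": OUTCOME.get(m["event"], "unknown"),
        })
    return records


def detect_violations(records, threshold=3, window=timedelta(minutes=5)):
    """FAU_SAA.1 rule: `threshold` failed authentication attempts from one
    source inside a sliding `window` indicate a potential security violation."""
    failures = defaultdict(list)
    alarms = []
    for rec in records:
        if rec["type"] != "LOGIN_FAILED":
            continue
        hist = failures[rec["source"]]
        hist.append(rec["time"])
        hist[:] = [t for t in hist if rec["time"] - t <= window]  # drop stale attempts
        if len(hist) >= threshold:
            alarms.append({"source": rec["source"], "at": rec["time"], "count": len(hist)})
            hist.clear()  # one burst raises one alarm
    return alarms


def respond(alarm):
    """FAU_ARP.1 configurable actions: create a log entry and drop connection.
    Returns the log entry text and the source whose connection is dropped."""
    log_entry = (f"{alarm['at'].isoformat()} SECURITY_VIOLATION "
                 f"src={alarm['source']} failed_logins={alarm['count']}")
    return log_entry, alarm["source"]


if __name__ == "__main__":
    for alarm in detect_violations(parse_records(SAMPLE_LOG)):
        print(respond(alarm))
```

Note that the three failures counted against 192.0.2.10 come from two different claimed user names; the rule accumulates on the source, which is what makes a password-guessing burst visible even when the attacker rotates accounts. The single failure from 203.0.113.5 stays below threshold and raises nothing.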
6.1.3 Cryptographic Support (FCS)

6.1.3.1 FCS_CKM.1 Cryptographic Key Generation
FCS_CKM.1.1 The TSF shall generate cryptographic keys in accordance with a specified cryptographic key generation algorithm [ANSI X9.31] and specified cryptographic key sizes [128-, 192-, or 256-bit AES key and 728-, 1024-, or 1536-bit P values for Diffie Hellman] that meet the following: [FIPS 197 for AES and ANSI X9.42 for Diffie-Hellman].

Application Note: This requirement's dependency on FCS_CKM.4 is not met; FCS_CKM.4 is excluded from the Security Target because key destruction is implemented in hardware. However, as specified in the ADV_ARC.1 evidence, the architecture addresses this by not providing any commands to retrieve keys and not providing any functions pertaining to a general-purpose operating system. Additionally, the operational environment helps counter this by not providing unauthorized physical access to the TOE (see OE.PHYSICAL).

6.1.3.2 FCS_CKM.2 Cryptographic Key Distribution
FCS_CKM.2.1 The TSF shall distribute cryptographic keys in accordance with a specified cryptographic key distribution method [Simple Certificate Enrollment Protocol (SCEP)] that meets the following: [SCEP-IETF, PKCS#7, X.509].

Application Note: This requirement's dependency on FCS_CKM.4 is not met; FCS_CKM.4 is excluded from the Security Target because key destruction is implemented in hardware. However, as specified in the ADV_ARC.1 evidence, the architecture addresses this by not providing any commands to retrieve keys and not providing any functions pertaining to a general-purpose operating system. Additionally, the operational environment helps counter this by not providing unauthorized physical access to the TOE (see OE.PHYSICAL).
6.1.3.3 FCS_COP.1 Cryptographic Operation
FCS_COP.1.1 The TSF shall perform [the operations described below] in accordance with a specified cryptographic algorithm [multiple algorithms in the modes of operation described below] and cryptographic key sizes [multiple key sizes described below] that meet the following: [multiple standards described below].

OPERATION                  ALGORITHM                                             KEY SIZE IN BITS        STANDARDS
Encryption and Decryption  AES (CBC mode)                                        256                     FIPS 197
Key agreement              Diffie-Hellman (ANSI X9.42 Hybrid 5 [concatenation])  g=2, p=1024 or 1536     ANSI X9.42
Hashing                    SHS (SHA-1)                                           160 (size of digest)    FIPS 180-2
Random Number Generation   ANSI X9.31                                            Not Applicable          ANSI X9.31
Digital Signatures         RSA                                                   Modulus Size: 1024      PKCS7
Table 13 - Cryptographic Operations

Application Note: This requirement's dependency on FCS_CKM.4 is not met; FCS_CKM.4 is excluded from the Security Target because key destruction is implemented in hardware. However, as specified in the ADV_ARC.1 evidence, the architecture addresses this by not providing any commands to retrieve keys and not providing any functions pertaining to a general-purpose operating system. Additionally, the operational environment helps counter this by not providing unauthorized physical access to the TOE (see OE.PHYSICAL).

6.1.3.4 FCS_CKM_SYM_EXP.1 Cryptographic Key Establishment for AES symmetric keys
Rationale for explicitly stated SFR: This SFR is necessary to define the details of ANSI X9.42 key establishment.
FCS_CKM_SYM_EXP.1.1 The cryptomodule shall provide the following cryptographic key establishment using Discrete Logarithm Key Agreement that meets the following:
a) The cryptomodule shall provide the capability to act as the initiator or responder (that is, act as Party U or Party V as defined in the standard) to agree on cryptographic keys of all sizes using the [dhHybrid5] key agreement scheme where domain parameter p is a prime of [1024/1536-bit P values] and domain parameter q is a prime of [160-bit Q value], and that conforms with ANSI X9.42, Public Key Cryptography for the Financial Services Industry: Agreement of Symmetric Keys Using Discrete Logarithm Cryptography.
b) The cryptomodule shall conform to a standard using a FIPS-approved Random Number generation function and a FIPS-approved Hashing function.
c) The choices and options used in conforming to the key agreement scheme(s) are as follows: [prerequisites - domain parameters are validated as they are received from a trusted entity, the CM, to have validated them in accordance with sec. 7.2; public keys (Yv and Tv) are validated locally by party V using trusted routines (sec. 7.4 option 3) and party U trusts that the public keys it receives have already been validated (sec. 7.4 option 4); concatenated mode is used (sec. 7.7.2)].

6.1.4 Information Flow Control (FDP)

6.1.4.1 FDP_IFC.1(1) - Subset Information Flow Control
FDP_IFC.1.1(1) The TSF shall enforce the [Routed Information Flow Control SFP] on [Subjects: unauthenticated external IT entities that send and receive packets through the TOE to one another, Information: network packets sent through the TOE from one subject to another, and Operations: send and receive].
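FCS_CKM_SYM_EXP.1.1 above specifies an ANSI X9.42 discrete-logarithm agreement with validated domain parameters, locally validated public keys and concatenation-mode derivation, but leaves the mechanics to the standard. The Python below is an added worked example of those mechanics, not JUNOS code and not part of this Security Target: it validates domain parameters, performs full public key validation before any exponentiation (the check Party V performs under sec. 7.4 option 3), runs a static-plus-ephemeral hybrid exchange between Party U and Party V with the shared secret formed as Zs || Ze, and derives AES keying material with the X9.42 concatenation KDF. The toy parameter sizes (64-bit p, 24-bit q), the seeds, the OtherInfo string and the choice of Zs || Ze as the hybrid layout are assumptions so that the block runs instantly; the ST's values are 1024/1536-bit p and 160-bit q.

```python
"""Discrete-logarithm key agreement in the shape of FCS_CKM_SYM_EXP.1.
Added example, not JUNOS code.  Toy parameter sizes and the Zs||Ze hybrid
layout are assumptions; the ST specifies 1024/1536-bit p and 160-bit q."""
import hashlib
import random


def is_probable_prime(n, rounds=20, rng=random.Random(1)):
    """Miller-Rabin probable-prime test; adequate for a demonstration."""
    if n < 2:
        return False
    for small in (2, 3, 5, 7, 11, 13):
        if n % small == 0:
            return n == small
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_domain_parameters(p_bits=64, q_bits=24, rng=random.Random(42)):
    """Primes q and p = k*q + 1 plus a generator g of the order-q subgroup."""
    while True:
        q = rng.getrandbits(q_bits) | (1 << (q_bits - 1)) | 1
        if not is_probable_prime(q):
            continue
        for _ in range(4096):
            p = rng.getrandbits(p_bits - q_bits) * q + 1
            if p.bit_length() == p_bits and is_probable_prime(p):
                break
        else:
            continue
        h, g = 2, 1
        while g == 1:  # h^((p-1)/q) has order q unless it collapses to 1
            g = pow(h, (p - 1) // q, p)
            h += 1
        return p, q, g


def validate_domain_parameters(p, q, g):
    """Checks a party runs on received domain parameters before trusting them."""
    return (is_probable_prime(p) and is_probable_prime(q) and (p - 1) % q == 0
            and 1 < g < p - 1 and pow(g, q, p) == 1)


def validate_public_key(p, q, y):
    """Full public key validation: 1 < y < p-1 and y is in the order-q subgroup.
    Rejects 0, 1, p-1 and small-subgroup values that would expose a private key."""
    return 1 < y < p - 1 and pow(y, q, p) == 1


def keypair(p, q, g, rng):
    x = rng.randrange(1, q)      # private key in [1, q-1]
    return x, pow(g, x, p)       # (x, Y = g^x mod p)


def concatenation_kdf(zz, keydatalen, other_info=b"", hash_name="sha1"):
    """X9.42 concatenation KDF: KM = H(ZZ || counter || OtherInfo) with a 4-byte
    big-endian counter from 1.  SHA-1 mirrors Table 13; a current deployment
    would select a SHA-2 function here."""
    out, counter = b"", 1
    while len(out) < keydatalen:
        out += hashlib.new(hash_name, zz + counter.to_bytes(4, "big") + other_info).digest()
        counter += 1
    return out[:keydatalen]


def hybrid_shared_secret(p, q, my_static, my_eph, peer_static_pub, peer_eph_pub):
    """Static+ephemeral hybrid: ZZ = Zs || Ze, computed only after both peer
    public keys pass validation."""
    if not (validate_public_key(p, q, peer_static_pub) and validate_public_key(p, q, peer_eph_pub)):
        raise ValueError("peer public key failed validation")
    size = (p.bit_length() + 7) // 8
    zs = pow(peer_static_pub, my_static, p).to_bytes(size, "big")
    ze = pow(peer_eph_pub, my_eph, p).to_bytes(size, "big")
    return zs + ze


def agree_aes_keys(seed=7, key_bytes=32):
    """Full exchange between Party U and Party V; returns (key_U, key_V)."""
    p, q, g = generate_domain_parameters()
    if not validate_domain_parameters(p, q, g):
        raise ValueError("domain parameters failed validation")
    rng = random.Random(seed)
    xu_s, yu_s = keypair(p, q, g, rng)   # U static
    xu_e, yu_e = keypair(p, q, g, rng)   # U ephemeral
    xv_s, yv_s = keypair(p, q, g, rng)   # V static
    xv_e, yv_e = keypair(p, q, g, rng)   # V ephemeral
    zz_u = hybrid_shared_secret(p, q, xu_s, xu_e, yv_s, yv_e)
    zz_v = hybrid_shared_secret(p, q, xv_s, xv_e, yu_s, yu_e)
    info = b"AES-256 CBC"               # OtherInfo binds the key to its intended use
    return concatenation_kdf(zz_u, key_bytes, info), concatenation_kdf(zz_v, key_bytes, info)
```

The two validation functions are the security-relevant part: accepting an unvalidated peer value such as 1, p-1 or an element of a small subgroup would let a peer force the shared secret into a guessable range, which is exactly why option c) of the SFR records who validates what.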
6.1.4.2 FDP_IFF.1(1) - Simple Security Attributes
FDP_IFF.1.1(1) The TSF shall enforce the [Routed Information Flow Control SFP] based on the following types of subject and information security attributes: [
Subject security attributes:
* Presumed address
Information security attributes:
* Presumed address of source subject
* Presumed address of destination subject
* Network layer protocol (statically-defined routes, RIPv1, RIPv2, OSPF, BGP, filter-based Forwarding, ECMP)
* Zone on which packet arrives and departs].
FDP_IFF.1.2(1) The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [
* all the packet security attribute values are unambiguously permitted by the information flow security policy rules, where such rules may be composed from all possible combinations of the values of the packet security attributes, created by the authorized user;
* the presumed address of the source subject, in the packet, is consistent with the network interface it arrives on;
* and the presumed address of the destination subject, in the packet, can be mapped to a configured nexthop].
FDP_IFF.1.3(1) The TSF shall enforce the [Network Address Translation operations with Destination IP address translation and/or Source IP address translation if configured to do so].
FDP_IFF.1.4(1) The TSF shall explicitly authorize an information flow based on the following rules: [no additional Routed Information Flow Control SFP rules].
FDP_IFF.1.5(1) The TSF shall explicitly deny an information flow based on the following rules: [no additional denial rules].
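The three rules of FDP_IFF.1.2(1) (attributes unambiguously permitted by policy, source address consistent with the arrival interface, destination mappable to a configured nexthop) plus the optional NAT of FDP_IFF.1.3(1) together form a forwarding decision. The Python below is an added example of that decision logic, not JUNOS code and not part of this Security Target. The interface names, zones, prefixes, routing table, policy rule and NAT pool are constructed; the absence of a default route is deliberate so that the "no configured nexthop" outcome can be exercised. Anything not explicitly permitted is denied, which is the restrictive default FMT_MSA.3 calls for.

```python
"""Forwarding decision in the shape of the Routed Information Flow Control SFP
(FDP_IFF.1(1)).  Added example; topology, rule syntax and NAT pool are
constructed and are not JUNOS configuration."""
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Interface:
    name: str
    zone: str
    prefixes: tuple  # networks directly reachable on this interface


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str
    in_iface: str


# Constructed topology: trust LAN behind ge-0/0/0, untrust uplink on ge-0/0/1.
INTERFACES = {
    "ge-0/0/0": Interface("ge-0/0/0", "trust", ("10.1.0.0/16",)),
    "ge-0/0/1": Interface("ge-0/0/1", "untrust", ("203.0.113.0/24",)),
}

# Routing table: prefix -> (nexthop, egress interface).  No default route.
ROUTES = {
    "10.1.0.0/16": ("10.1.0.1", "ge-0/0/0"),
    "198.51.100.0/24": ("203.0.113.1", "ge-0/0/1"),
}

# Policy rules created by the authorized user: (src_net, dst_net, protocol,
# from_zone, to_zone).  A flow is permitted only if every attribute matches a
# rule; nothing matched means deny (restrictive default, FMT_MSA.3).
POLICY = [
    ("10.1.0.0/16", "198.51.100.0/24", "tcp", "trust", "untrust"),
]

# Optional source NAT (FDP_IFF.1.3): internal prefix -> translated address.
SOURCE_NAT = {"10.1.0.0/16": "203.0.113.10"}


def source_consistent_with_interface(pkt):
    """Anti-spoofing rule: the presumed source must belong to a prefix
    configured on the interface the packet actually arrived on."""
    src = ipaddress.ip_address(pkt.src)
    return any(src in ipaddress.ip_network(n) for n in INTERFACES[pkt.in_iface].prefixes)


def lookup_nexthop(dst):
    """Longest-prefix match; returns (nexthop, egress interface) or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, hop in ROUTES.items():
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, hop)
    return best[1] if best else None


def policy_permits(pkt, from_zone, to_zone):
    """True only when some rule unambiguously permits every attribute."""
    src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for s_net, d_net, proto, fz, tz in POLICY:
        if (src in ipaddress.ip_network(s_net) and dst in ipaddress.ip_network(d_net)
                and proto == pkt.protocol and fz == from_zone and tz == to_zone):
            return True
    return False


def apply_source_nat(pkt):
    src = ipaddress.ip_address(pkt.src)
    for net, translated in SOURCE_NAT.items():
        if src in ipaddress.ip_network(net):
            return replace(pkt, src=translated)
    return pkt


def forward(pkt):
    """Return ("permit", nexthop, egress_iface, packet_after_nat) or ("deny", reason)."""
    if pkt.in_iface not in INTERFACES:
        return ("deny", "unknown ingress interface")
    if not source_consistent_with_interface(pkt):
        return ("deny", "source address inconsistent with arrival interface")
    hop = lookup_nexthop(pkt.dst)
    if hop is None:
        return ("deny", "destination has no configured nexthop")
    nexthop, egress = hop
    if not policy_permits(pkt, INTERFACES[pkt.in_iface].zone, INTERFACES[egress].zone):
        return ("deny", "no policy rule permits this flow")
    return ("permit", nexthop, egress, apply_source_nat(pkt))


if __name__ == "__main__":
    print(forward(Packet("10.1.2.3", "198.51.100.9", "tcp", "ge-0/0/0")))
    print(forward(Packet("10.1.2.3", "198.51.100.9", "tcp", "ge-0/0/1")))  # spoofed source
```

The order of the checks matters for what an audit record of a denial says: a packet claiming an internal source on the untrust interface is rejected by the consistency rule before any policy lookup, so the log reason names spoofing rather than a generic policy miss.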
6.1.4.3 FDP_IFC.1(2) - Subset Information Flow Control
FDP_IFC.1.1(2) The TSF shall enforce the [Secure Information Flow Control SFP] on [Subjects: IT entities that send information through the TOE, Information: network traffic, and Operations: IP packet forwarding].

6.1.4.4 FDP_IFF.1(2) - Simple Security Attributes
FDP_IFF.1.1(2) The TSF shall enforce the [Secure Information Flow Control SFP] based on the following types of subject and information security attributes: [
Subject security attributes:
* Policy settings
* TOE identity credentials
Information security attributes:
* Presumed address of source subject
* Presumed address of destination subject
* IPSec attributes (parameters for Manual Key, AutoKey IKE with Preshared Keys, AutoKey IKE with Certificates, Pre-shared Key, route/policy-based VPNs)
* Port number of source subject
* Port number of destination subject
* Zone on which packet arrives and departs.
Operations: send and receive].
FDP_IFF.1.2(2) The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold: [if one TOE instance (subject) can authenticate another TOE instance (subject) through the establishment of an IPSec Security Association using the configured policy and identity credentials of the TOE instances].
FDP_IFF.1.3(2) The TSF shall enforce the [Network Address Translation operations with Destination IP address translation and/or Source IP address translation if configured to do so].
FDP_IFF.1.4(2) The TSF shall explicitly authorize an information flow based on the following rules: [no additional Secure Information Flow Control SFP rules].
FDP_IFF.1.5(2) The TSF shall explicitly deny an information flow based on the following rules: [no additional denial rules].

6.1.4.5 FDP_ROL.1 Basic Rollback
FDP_ROL.1.1 The TSF shall enforce [the management access control policy*] to permit the rollback of the [committed configuration change] on the [router tables and access control lists].
FDP_ROL.1.2 The TSF shall permit operations to be rolled back within the [limit of any of the last 50 committed configurations or a designated "rescue" configuration].

6.1.4.6 FDP_UCT.1 Basic Data Exchange Confidentiality
FDP_UCT.1.1 The TSF shall enforce the [Secure Information Flow Control SFP] to be able to [transmit, receive] user data in a manner protected from unauthorized disclosure.

6.1.4.7 FDP_UIT.1 Data exchange integrity
FDP_UIT.1.1 The TSF shall enforce the [Secure Information Flow Control SFP] to be able to [transmit, receive] user data packet flows in a manner protected from [modification, insertion, replay] errors.
FDP_UIT.1.2 The TSF shall be able to determine on receipt of user data packet flows, whether [modification, insertion, replay] has occurred.

* As specified by FMT requirements

6.1.5 Identification and Authentication (FIA)

6.1.5.1 FIA_ATD.1 - User Attribute Definition
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users: [User Identity, Authentication Data, Privilege Level].

6.1.5.2 FIA_SOS.1 Verification of secrets
FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [password minimum length of 6 characters with at least one change of character type (e.g., uppercase, lowercase, numeric, or special characters)].
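The FIA_SOS.1 metric above counts changes of character type along the password rather than the number of types present, which is a detail implementers often get wrong. The Python below is an added example of a verifier for exactly the metric as instantiated in this ST; it is not JUNOS code and not part of the Security Target. Treating every character outside the three ASCII classes as "special" is an assumption.

```python
"""Verifier for the FIA_SOS.1 secret quality metric as instantiated in the ST:
at least 6 characters and at least one change of character type.  Added
example, not JUNOS code; the class assignment for non-ASCII text is an
assumption."""
import string


def char_class(c):
    """Map a character to one of the four types named in FIA_SOS.1.1."""
    if c in string.ascii_uppercase:
        return "upper"
    if c in string.ascii_lowercase:
        return "lower"
    if c in string.digits:
        return "digit"
    return "special"  # assumption: anything else counts as a special character


def class_changes(secret):
    """Number of positions where the character type differs from the one before.
    'aaaa1' has one change; 'a1a1' has three; 'aaaa' has none."""
    classes = [char_class(c) for c in secret]
    return sum(1 for a, b in zip(classes, classes[1:]) if a != b)


def verify_secret(secret, min_length=6, min_changes=1):
    """Return (accepted, reason) so the caller can record the outcome as a
    success/failure audit event (FAU_GEN.1.2 a))."""
    if len(secret) < min_length:
        return False, f"shorter than {min_length} characters"
    if class_changes(secret) < min_changes:
        return False, "no change of character type"
    return True, "ok"


def secret_meets_policy(secret):
    return verify_secret(secret)[0]
```

A secret such as "123456" satisfies the length but fails the type-change rule, and "Ab" fails the length check first; returning the failing rule by name lets the management interface explain the rejection without echoing the secret.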
6.1.5.3 FIA_UAU.2 User Authentication before Any Action
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.

6.1.5.4 FIA_UAU.5 Multiple Authentication Mechanisms
FIA_UAU.5.1 The TSF shall provide [internal fixed password mechanism and external server (RADIUS or TACACS+) gateway mechanism] to support user authentication.
FIA_UAU.5.2 The TSF shall authenticate any user's claimed identity according to the [authentication mechanism specified by an authorized user].

6.1.5.5 FIA_UID.2 User Identification before Any Action
FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

6.2 Security Management (FMT)

6.2.1.1 FMT_MOF.1 Management of Security Functions Behavior
FMT_MOF.1.1 The TSF shall restrict the ability to [determine the behavior of, disable, enable, modify the behavior of] the functions [that implement the Routed Information Flow Control SFP and the Secure Information Flow Control SFP] to [super-users and custom-users with appropriate privileges].

6.2.1.2 FMT_MSA.1 Management of security attributes
FMT_MSA.1.1 The TSF shall enforce the [Routed Information Flow Control SFP and the Secure Information Flow Control SFP] to restrict the ability to [query, modify, delete] the security attributes [TOE configuration (e.g., routing tables and access control lists)] to [super-users and custom-users with appropriate privileges].
6.2.1.3 FMT_MSA.2 Secure Security Attributes
FMT_MSA.2.1 The TSF shall ensure that only secure values are accepted for [security attributes listed with Routed Information Flow Control SFP and the Secure Information Flow Control SFP].

6.2.1.4 FMT_MSA.3 Static Attribute Initialization
FMT_MSA.3.1 The TSF shall enforce the [Routed Information Flow Control SFP and the Secure Information Flow Control SFP] to provide [restrictive] default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [super-users and custom-users with appropriate privileges] to specify alternative initial values to override the default values when an object or information is created.

6.2.1.5 FMT_MTD.1 Management of TSF Data
FMT_MTD.1.1 The TSF shall restrict the ability to control the [data described in the table below] to [super-users and custom-users with appropriate privileges]:

DATA                                                                CHANGE DEFAULT  QUERY  MODIFY  DELETE
Routed Information Flow Control SFP                                 ✓ ✓ ✓ ✓ ✓
Secure Information Flow Control SFP                                 ✓ ✓ ✓ ✓ ✓
User Account Attributes                                             ✓
Audit Logs                                                          ✓
Date/Time                                                           ✓
Rules that restrict the ability to establish management sessions    ✓
Table 14 — Management of TSF data

6.2.1.6 FMT_SMF.1 Specification of Management Functions
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions: [
a) modify TOE configuration, including
   a. rollback of configuration
   b. control of management session establishment
   c. configuration of Routed Information Flow Control SFP
   d. configuration of Secure Information Flow Control SFP
b) modify user account attributes (including operation of identification and authentication),
c) delete audit logs,
d) modify the date/time,
e) modify security pattern matching for identification of potential violations].

6.2.1.7 FMT_SMR.1 Security Roles
FMT_SMR.1.1 The TSF shall maintain the roles [read-only user, operator user, custom-user, super-user].
FMT_SMR.1.2 The TSF shall be able to associate users with roles.

6.2.2 Protection of the TSF (FPT)

6.2.2.1 FPT_STM.1 Reliable Time Stamps
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.

6.2.3 TOE Access (FTA)

6.2.3.1 FTA_TSE.1 TOE Session Establishment
FTA_TSE.1.1 The TSF shall be able to deny session establishment based on [access control policy specifying a source/destination IP address and source/destination TCP/UDP port number].

6.2.4 Trusted Path/Channels (FTP)

6.2.4.1 FTP_ITC.1 Inter-TSF trusted Channel
FTP_ITC.1.1 The TSF shall provide a communication channel between itself and another trusted IT product that is logically distinct from other communication channels and provides assured identification of its end points and protection of the channel data from modification or disclosure.
FTP_ITC.1.2 The TSF shall permit [the TSF and another trusted IT product] to initiate communication via the trusted channel.
FTP_ITC.1.3 The TSF shall initiate communication via the trusted channel for [the secure transmission of traffic between trusted networks].
6.3 Security Functional Requirements for the IT Environment

6.3.1 Identification and Authentication (FIA)

6.3.1.1 FIA_UAU.5 Multiple Authentication Mechanisms
FIA_UAU.5.1 The IT Environment shall provide [any necessary RADIUS or TACACS+ server] to support user authentication.
FIA_UAU.5.2 The IT Environment shall authenticate any user's claimed identity according to the [authentication mechanism specified by an authorized user].

6.4 Security Assurance Requirements
The Security Assurance Requirements for this evaluation are listed in Section 6.5.3 — Security Assurance Requirements.

6.5 Security Requirements Rationale

6.5.1 Security Functional Requirements
The following table provides the correspondence mapping between security objectives for the TOE and the requirements that satisfy them.

Table 15 - Mapping of TOE Security Functional Requirements and Objectives
Objectives (columns): O.ACCESS, O.AMANAGE, O.AUDIT, O.AUTHENTICITY, O.CONFIDENTIALITY, O.EADMIN, O.INTEGRITY, O.PROTECT, O.ROLBAK, O.SECURE_KEY
Requirements (rows): FAU_ARP.1, FAU_GEN.1, FAU_GEN.2, FAU_SAA.1, FAU_SAR.1, FAU_STG.1, FCO_NRO.2, FCS_CKM.1, FCS_CKM_SYM_EXP.1, FCS_CKM.2, FCS_COP.1, FDP_IFC.1(1), FDP_IFF.1(1), FDP_IFC.1(2), FDP_IFF.1(2), FDP_ROL.1, FDP_UCT.1, FDP_UIT.1, FIA_ATD.1, FIA_SOS.1, FIA_UAU.2, FIA_UAU.5, FIA_UID.2, FMT_MOF.1, FMT_MSA.1, FMT_MSA.2, FMT_MSA.3, FMT_MTD.1, FMT_SMF.1, FMT_SMR.1, FPT_STM.1, FTA_TSE.1, FTP_ITC.1