Intellectual property notice: Waterfall’s products are covered by U.S. Patent 7,649,452 and by other pending patent applications in the US and other countries. “Waterfall”, the Waterfall Logo, and “One Way to Connect” are trademarks of Waterfall Security Solutions Ltd. All marks, trademarks, and logos mentioned in this material are the property of their respective owners.

Waterfall Unidirectional Security Gateway WF-400 Security Target
Version 0.72
June 29, 2012

Prepared for: Waterfall Security Solutions Ltd., 16 Hamelacha St., Afek Industrial Park, Rosh Ha’ayin, Israel 48091
Prepared by: Metatron Ltd., 66 Yosef St., Modiin, Israel 71724

Waterfall Unidirectional Security Gateway WF-400 Security Target Version 0.72 2 Prologue 29/6/2012

Document Version Control Log

| Version | Date | Author | Description |
|---|---|---|---|
| 0.1 | September 14, 2011 | Nir Naaman | Initial draft. |
| 0.2 | October 18, 2011 | Nir Naaman | Minor updates to TOE description and TOE summary specification. |
| 0.3 | March 11, 2012 | Nir Naaman | Post-kickoff updates: augmented to ALC_DVS.2 claim. |
| 0.4 | May 3, 2012 | Nir Naaman | Clarified assumptions and objectives for IT environment. |
| 0.5 | June 20, 2012 | Nir Naaman | Fixed ST conformance claim. Clarified TOE identification. Updated reference to TOE guidance. Removed redundant FDP_IFF.1.5 b). |
| 0.6 | June 21, 2012 | Nir Naaman | TOE identification now includes version. Moved list of supported appliances from TOE reference to TOE description. |
| 0.7 | June 27, 2012 | Nir Naaman | Added FDP_IFF.1.5 b). Updated reference to TOE guidance. |
| 0.72 | June 29, 2012 | Nir Naaman | Clarified physical scope of the TOE. |

Table of Contents

1. ST Introduction .... 5
   1.1. ST Reference .... 5
   1.2. TOE Reference .... 5
   1.3. TOE Overview .... 6
   1.4. TOE Description .... 8
      1.4.1. Physical Scope and Boundaries of the TOE .... 8
      1.4.2. Logical Scope of the TOE .... 10
   1.5. Document Organization .... 11
2. Conformance Claims .... 12
   2.1. CC Conformance Claim .... 12
   2.2. Protection Profile and Package Conformance Claims .... 12
   2.3. Conformance Rationale .... 12
3. Security Problem Definition .... 13
   3.1. Threats .... 13
   3.2. Organizational Security Policies .... 13
   3.3. Assumptions .... 13
4. Security Objectives .... 14
   4.1. Security Objectives for the TOE .... 14
   4.2. Security Objectives for the Operational Environment .... 14
      4.2.1. Traffic Filtering Objectives for the IT Environment .... 14
      4.2.2. Security Objectives for the Environment Upholding Assumptions .... 14
   4.3. Security Objectives Rationale .... 15
5. Security Requirements .... 17
   5.1. Security Functional Requirements .... 17
      5.1.1. User data protection (FDP) .... 17
   5.2. Security Assurance Requirements .... 18
   5.3. Extended Components Definition .... 19
   5.4. Security Requirements Rationale .... 20
      5.4.1. Security Functional Requirements Rationale .... 20
      5.4.2. Security Assurance Requirements Rationale .... 20
      5.4.3. Dependency Rationale .... 21
6. TOE Summary Specification .... 23
   6.1. SFR Mapping .... 23
      6.1.1. User Data Protection (FDP) .... 23
7. Supplemental Information .... 24
   7.1. References .... 24
   7.2. Abbreviations .... 24

List of Tables

Table 1-1 - Appliances included in the TOE .... 8
Table 4-1 - Tracing of security objectives to threats .... 15
Table 5-1 - Security functional requirement components .... 17
Table 5-2 - TOE Security Assurance Requirements .... 18
Table 5-3 - Tracing of SFRs to security objectives for the TOE .... 20
Table 5-4 - Security Requirements Dependency Mapping .... 21
Table 6-1 - TOE Summary Specification SFR Mapping .... 23

List of Figures

Figure 1-1 – Typical Usage Scenario .... 6
Figure 1-2 – Waterfall TX and RX appliances .... 8
Figure 1-3 – Information Flow through the TOE .... 10

1. ST Introduction

1.1. ST Reference

Title: Waterfall Unidirectional Security Gateway WF-400 Security Target
ST Version: 0.72
ST Date: June 29, 2012
Author: Nir Naaman
CC Version: Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 3, July 2009
Evaluation Assurance Level (EAL): EAL 4, augmented with AVA_VAN.5 (Advanced methodical vulnerability analysis), ALC_DVS.2 (Sufficiency of security measures), and ALC_FLR.2 (Flaw reporting procedures).

1.2. TOE Reference

The TOE is uniquely identified as the Waterfall Unidirectional Security Gateway model WF-400, version 1.

1.3. TOE Overview

The Target of Evaluation (TOE) is a network gateway that enforces a unidirectional information flow control policy on network traffic flowing through the gateway. The TX appliance picks up network frames from the sending network and forwards them to the RX appliance for transmission to the receiving network. The TOE hardware ensures that no information can flow from the receiving network to the sending network.

The TOE neither requires nor provides any management capabilities. The unidirectional traffic flow is operational once the TX appliance is connected to the sending network, the RX appliance to the receiving network, the two appliances are connected by a single fiber-optic cable, and both appliances are powered up.

A typical usage scenario consists of a sending network that represents a utility’s industrial network, and a receiving network that represents the corporate or monitoring environment.
For example, a power plant or other SCADA network is required to transmit status information in real-time, while preventing an attack from the external network that might impact its integrity or result in a denial of service.

[Figure 1-1 – Typical Usage Scenario]

The TOE allows information such as SNMP traps, syslog event records, or files to flow from the industrial network to the corporate network, while preventing any information flows through the gateway to the industrial network. This serves to prevent a wide range of online attacks:

• The sending network is fully protected against any online cyber attacks initiated at the receiving network, since no information can be sent from the receiving network to the sending network.
• Most network-based attacks require feedback from the network-connected entity under attack [1]. Since no information can be sent back from the receiving network to the sending network, network-connected hosts on the receiving network are thus protected against online cyber attacks initiated at the sending network.
• The receiving network is fully protected against information leaks into the sending network, since no information can be sent from the receiving network to the sending network.

[1] For example, an attacker in the industrial network cannot easily complete a TCP handshake with the corporate network if she is prevented from receiving the acknowledgement from the targeted server.

An alternative usage scenario might involve a classified Intelligence Community (IC) network that must receive information from the outside world (e.g. from sensors or from other operational networks), while preventing leakage of classified information. In this scenario, the TOE is configured such that the IC network is the receiving network.
The Waterfall Unidirectional Security Gateway is used as the security-enforcing core for a set of Waterfall products that include, in addition to the gateway, TX and RX agent software running on servers in the sending and receiving networks, respectively. The agents provide product management and monitoring capabilities and support for standard network protocols, including: FTP (file transfer), SMTP (email), SNMP traps, Syslog, Remote Screen View (RSV), OSIsoft PI, System 1, Modbus, ASDE-X, WMQ, eDNA, ICCP, OPC-DA, and others. As depicted in Figure 1-1 above, the servers and agent software are considered to be outside the TOE; they cannot affect the enforcement of unidirectional information flow by the TOE.

1.4. TOE Description

1.4.1. Physical Scope and Boundaries of the TOE

1.4.1.1. TOE Hardware, Firmware, and Software

The Waterfall Unidirectional Security Gateway is comprised of a pair of WF-400 appliances: one TX appliance and one RX appliance. For each appliance type (TX or RX), two variants are supported: a single power-supply variant, and a dual power-supply variant (for redundancy). The following appliances are included in the TOE:

Table 1-1 - Appliances included in the TOE

| Part Number | TX | RX | Dual Power-Supply |
|---|---|---|---|
| WF-400RX-2PS | | ✓ | ✓ |
| WF-400TX-2PS | ✓ | | ✓ |
| WF-400RX | | ✓ | |
| WF-400TX | ✓ | | |

The TX appliance contains a laser LED that converts electronic signals to light. The RX appliance contains a photoelectric cell that can sense light and convert it to electronic signals. The Waterfall TX appliance and Waterfall RX appliance are connected via a single standard fiber-optic cable, allowing light to move from the TX LED to the RX photoelectric cell. The cable is not included in the TOE.

The TOE Security Functionality is implemented entirely in hardware.
The TOE also contains firmware that implements functionality such as control of the front-panel display LEDs.

[Figure 1-2 – Waterfall TX and RX appliances]

Figure 1-2 above depicts the gateway appliance pair. Each appliance is completely enclosed by an aluminum casing, with no ventilation holes or other apertures that might allow any signals from the RX appliance into the TX appliance. The fiber ports on each front panel are used for connecting the two appliances with the fiber-optic cable. The two RJ45 network ports are used to connect each appliance to its corresponding network.

In addition to the TOE components described above, two software agents are installed on dedicated local servers, on the sending and receiving networks, respectively. As depicted in Figure 1-1 above, the software agents are considered to be outside of the TOE.

1.4.1.2. TOE Guidance

The following Waterfall guidance is considered part of the TOE:

| Title | Date |
|---|---|
| Waterfall Unidirectional Security Gateway Common Criteria Evaluated Configuration Guide | June 2012 |

1.4.2. Logical Scope of the TOE

1.4.2.1. Summary of TOE Security Functionality

The TOE enables online transmission of data (e.g. information, alerts, files, video streams, etc.) from a designated sending network to a designated receiving network in a unidirectional mode only. No information can be sent in the reverse direction through the TOE. The TOE does not provide any management or auditing functionality.

1.4.2.2. Information Flow through the TOE

The Waterfall Unidirectional Security Gateway can be provided both as a stand-alone solution and as an integrated component in large-scale IT security projects, enabling secure one-way data transfer from a critical industrial network to the corporate network.
[Figure 1-3 – Information Flow through the TOE]

The following sequence describes the information flow through the TOE:

1. The Waterfall TX agent (outside the TOE) receives a protocol-specific data stream from the industrial network servers or stations.
2. The Waterfall TX agent handles the translation of the data into Waterfall’s proprietary protocol and sends the information to the Waterfall TX appliance.
3. The Waterfall TX appliance transfers the information to the RX appliance over a single fiber-optic cable.
4. The Waterfall RX appliance sends the information to the Waterfall RX agent on the RX server (outside the TOE) using Waterfall's proprietary protocol. The RX agent handles the retrieval of the information from the RX appliance and the translation of the data from Waterfall’s proprietary protocol.
5. The Waterfall RX agent communicates the data stream to the corporate network servers or stations.

1.5. Document Organization

Section 1 provides the introductory material for the security target, including ST and TOE references, TOE Overview, and TOE Description.

Section 2 identifies the Common Criteria conformance claims in this security target.

Section 3 describes the security problem solved by the TOE, in terms of the expected operational environment and the set of threats that are to be addressed either by the technical countermeasures implemented in the TOE or through additional environmental controls identified in the TOE documentation.

Section 4 defines the security objectives for both the TOE and the TOE environment.

Section 5 gives the functional and assurance requirements, derived from the Common Criteria Parts 2 and 3 respectively, that must be satisfied by the TOE.

Section 6 explains how the TOE meets the security requirements defined in section 5, and how it protects itself against bypass, interference and logical tampering.
Section 7 provides external references used in this security target document.

2. Conformance Claims

2.1. CC Conformance Claim

The TOE is conformant with the following CC specifications:

• Common Criteria for Information Technology Security Evaluation Part 2: Security functional components, Version 3.1, Revision 3, July 2009, CCMB-2009-07-002, conformant (CC Part 2 Conformant)
• Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components, Version 3.1, Revision 3, July 2009, CCMB-2009-07-003, conformant (CC Part 3 Conformant)

2.2. Protection Profile and Package Conformance Claims

This Security Target claims conformance to assurance package EAL4 augmented with AVA_VAN.5, ALC_DVS.2, and ALC_FLR.2. The TOE does not claim conformance with any Protection Profile.

2.3. Conformance Rationale

None.

3. Security Problem Definition

3.1. Threats

This section describes the threats that are addressed by the TOE:

T.LEAKAGE: A user or process with access to the receiving network accidentally or maliciously transmits information through the TOE to the sending network.

T.HACK_HIGH: A user with access to the receiving network compromises the integrity of a host or process on the sending network.

T.HACK_LOW: A user with access to the sending network compromises the integrity of a host or process on the receiving network.

3.2. Organizational Security Policies

This Security Target does not identify any rules or guidelines that must be followed by the TOE and/or its operational environment, phrased as Organizational Security Policies. All defined security objectives are derived from assumptions and threats only.

3.3. Assumptions

The assumptions made about the TOE's intended environment are:

A.PHYSICAL: The TOE and the fiber-optic cable connecting its separate parts will be located within controlled access facilities, which will prevent unauthorized physical access.

A.ADMIN: Personnel with authorized physical access to the TOE will not attempt to circumvent the TOE's security functionality.

A.NETWORK: There will be no channels for information to flow between the sending and receiving networks unless it passes through the TOE.

4. Security Objectives

4.1. Security Objectives for the TOE

O.UNIDIRECTIONAL: The TOE shall allow information to flow only from the sending network to the receiving network and not vice versa.

4.2. Security Objectives for the Operational Environment

4.2.1. Traffic Filtering Objectives for the IT Environment

As explained in section 1.3 above, the TOE provides mitigation against online cyber attacks initiated at the sending network, given that most online attacks require feedback from the entity under attack. The following security objective for the IT environment complements this by requiring the environment to filter or transform the traffic from the sending network in order to prevent attacks from the sending network.

OE.FILTER_LOW: The IT environment shall filter or transform the information transmitted through the TOE to the receiving network such that it cannot result in compromise of the integrity of hosts or processes on the receiving network.

Note: The Waterfall TX and RX agents (considered to be in the IT environment) proxy the information transmitted through the TOE to the receiving network, thereby implementing a restrictive traffic filter that allows only a single unidirectional protocol stream into the receiving network. This filtering functionality is not being evaluated in the context of this Security Target.

4.2.2. Security Objectives for the Environment Upholding Assumptions

The assumptions made in this ST about the TOE's operational environment must be upheld by corresponding security objectives for the environment. The following security objectives are intended to be satisfied without imposing technical requirements on the TOE; they are to be satisfied through the application of procedural or administrative measures.

NOE.PHYSICAL: The intended operational environment shall prevent unauthorized physical access to the TOE and to the fiber-optic cable connecting its separate parts.

NOE.ADMIN: Physical access to the TOE shall be authorized only to personnel that will not attempt to circumvent the TOE's security functionality.

NOE.NETWORK: The TOE is the only interconnection between the sending and receiving networks.

Application Note: It is recommended to use separate power and network infrastructure for the sending and receiving networks, connected to the TX and RX, respectively.

4.3. Security Objectives Rationale

Table 4-1 maps security objectives to the threats and assumptions described in chapter 3. The table demonstrates that each threat is countered by at least one security objective, that each assumption is upheld by at least one security objective, and that each objective counters at least one threat or upholds at least one assumption. This is followed by explanatory text justifying, for each defined threat, that if all security objectives that trace back to the threat are achieved, the threat is removed, sufficiently diminished, or its effects are sufficiently mitigated. In addition, each defined assumption is shown to be upheld if all security objectives for the operational environment that trace back to the assumption are achieved.
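The three coverage properties the rationale claims for Table 4-1 (every threat countered, every assumption upheld, every objective tracing to something) are the kind of bookkeeping an evaluator checks by hand across the table. As an added example, not part of this Security Target, the following script transcribes the table's content and checks those properties mechanically; the prefix convention it relies on (O. for TOE objectives, OE./NOE. for environment objectives, T. for threats, A. for assumptions) is the usual CC naming and is an assumption of the script, not something the ST states.

```python
"""Consistency check for a Security Objectives Rationale tracing table.

Added example (not part of the Security Target). The identifiers are the
ST's own; the prefix convention (O. = TOE objective, OE./NOE. = environment
objective, T. = threat, A. = assumption) is assumed here.
"""

THREATS = {"T.LEAKAGE", "T.HACK_HIGH", "T.HACK_LOW"}
ASSUMPTIONS = {"A.PHYSICAL", "A.ADMIN", "A.NETWORK"}

# Table 4-1 transcribed: objective -> threats it counters / assumptions it upholds
TRACING = {
    "O.UNIDIRECTIONAL": {"T.LEAKAGE", "T.HACK_HIGH", "T.HACK_LOW"},
    "OE.FILTER_LOW": {"T.HACK_LOW"},
    "NOE.PHYSICAL": {"A.PHYSICAL"},
    "NOE.ADMIN": {"A.ADMIN"},
    "NOE.NETWORK": {"A.NETWORK"},
}


def check_tracing(tracing, threats, assumptions):
    """Return a list of findings; an empty list means the table is consistent."""
    findings = []
    covered = set().union(*tracing.values())
    # 1. every threat is countered by at least one objective
    for t in sorted(threats - covered):
        findings.append(f"{t}: no objective counters this threat")
    # 2. every assumption is upheld by at least one objective
    for a in sorted(assumptions - covered):
        findings.append(f"{a}: no objective upholds this assumption")
    for objective, targets in sorted(tracing.items()):
        # 3. every objective traces to at least one threat or assumption
        if not targets:
            findings.append(f"{objective}: traces to nothing")
        # an identifier that is neither a threat nor an assumption is usually a typo
        for x in sorted(targets - threats - assumptions):
            findings.append(f"{objective}: traces to undefined item {x}")
        # assumptions are upheld by the environment, never by a TOE objective
        if objective.startswith("O.") and targets & assumptions:
            findings.append(f"{objective}: a TOE objective cannot uphold an assumption")
    return findings


def without(tracing, objective):
    """Copy of the table with one objective removed, for what-if analysis."""
    return {k: v for k, v in tracing.items() if k != objective}


if __name__ == "__main__":
    for line in check_tracing(TRACING, THREATS, ASSUMPTIONS) or ["Table 4-1 is consistent"]:
        print(line)
    # Dropping NOE.NETWORK leaves A.NETWORK unsupported, which the check reports
    print(check_tracing(without(TRACING, "NOE.NETWORK"), THREATS, ASSUMPTIONS))
```

The coverage check is necessary but not sufficient: removing OE.FILTER_LOW from the table produces no finding, because T.HACK_LOW is still traced by O.UNIDIRECTIONAL, even though the rationale text argues that the two objectives are needed together. That "together" argument lives only in the prose, which is why the explanatory text after the table is not optional.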
Table 4-1 - Tracing of security objectives to threats

| | T.LEAKAGE | T.HACK_HIGH | T.HACK_LOW | A.PHYSICAL | A.ADMIN | A.NETWORK |
|---|---|---|---|---|---|---|
| O.UNIDIRECTIONAL | ✓ | ✓ | ✓ | | | |
| OE.FILTER_LOW | | | ✓ | | | |
| NOE.PHYSICAL | | | | ✓ | | |
| NOE.ADMIN | | | | | ✓ | |
| NOE.NETWORK | | | | | | ✓ |

T.LEAKAGE: A user or process with access to the receiving network accidentally or maliciously transmits information through the TOE to the sending network.

O.UNIDIRECTIONAL ensures that information flows through the TOE will be allowed only from the sending network to the receiving network and not vice versa.

T.HACK_HIGH: A user with access to the receiving network compromises the integrity of a host or process on the sending network.

O.UNIDIRECTIONAL ensures that information flows through the TOE will be allowed only from the sending network to the receiving network and not vice versa. A user with access to the receiving network cannot send any information to any host or process on the sending network, and therefore the threat of compromising the integrity of such hosts or processes is removed.

T.HACK_LOW: A user with access to the sending network compromises the integrity of a host or process on the receiving network.

O.UNIDIRECTIONAL ensures that information flows through the TOE will be allowed only from the sending network to the receiving network and not vice versa. This provides mitigation for the majority of online attacks, as most attacks require feedback from the entity under attack. OE.FILTER_LOW requires the IT environment to ensure that the unidirectional information flows through the TOE to the receiving network are filtered or transformed such that they cannot result in compromise of the integrity of hosts or processes on the receiving network. Together, O.UNIDIRECTIONAL and OE.FILTER_LOW counter T.HACK_LOW.

A.PHYSICAL: The TOE and the fiber-optic cable connecting its separate parts will be located within controlled access facilities, which will prevent unauthorized physical access.

NOE.PHYSICAL directly upholds A.PHYSICAL.

A.ADMIN: Personnel with authorized physical access to the TOE will not attempt to circumvent the TOE's security functionality.

NOE.ADMIN directly upholds A.ADMIN. Together with NOE.PHYSICAL, this ensures that the TOE will not be subject to physical tampering, such as short-circuiting the TX and RX appliances and thereby bypassing the unidirectional optical transmission channel.

A.NETWORK: There will be no channels for information to flow between the sending and receiving networks unless it passes through the TOE.

NOE.NETWORK directly upholds A.NETWORK.

5. Security Requirements

5.1. Security Functional Requirements

The security functional requirements (SFRs) for this ST consist of the following components from CC Part 2, summarized in Table 5-1.

Table 5-1 - Security functional requirement components

| Functional Component | CC Operations Applied |
|---|---|
| FDP_IFC.2 Complete Information Flow Control | Assignment |
| FDP_IFF.1 Simple Security Attributes | Assignment, Refinement |

The terminology used in the SFRs is as defined in section 1.

5.1.1. User data protection (FDP)

5.1.1.1. Complete Information Flow Control (FDP_IFC.2)

FDP_IFC.2.1 The TSF shall enforce the Unidirectional SFP on the TX, the RX, and all information flowing through the TOE and all operations that cause that information to flow to and from subjects covered by the SFP.

FDP_IFC.2.2 The TSF shall ensure that all operations that cause any information in the TOE to flow to and from any subject in the TOE are covered by an information flow control SFP.

5.1.1.2. Simple security attributes (FDP_IFF.1) [2]

FDP_IFF.1.1 The TSF shall enforce the Unidirectional SFP based on the following types of subject and information security attributes: subject identity [3].

FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold:
a) The TSF shall permit the TX to read information from the sending network;
b) The TSF shall permit the TX to transmit information to the RX;
c) The TSF shall permit the RX to receive information from the TX; and
d) The TSF shall permit the RX to write information to the receiving network.

FDP_IFF.1.5 The TSF shall explicitly deny an information flow based on the following rules:
a) The TSF shall deny the RX to transmit information to the TX; and
b) The TSF shall deny the TX to receive information from the RX.

[2] The assignments for FDP_IFF.1.3 and FDP_IFF.1.4 have been completed as ‘no additional information flow control SFP rules’ and ‘no rules that explicitly authorise information flows’, respectively, and these elements have been refined away to improve the readability of the FDP_IFF.1 SFR.

[3] The subject identity may be, as defined in FDP_IFC.2.1, ‘TX’ or ‘RX’.

5.2. Security Assurance Requirements

The security assurance requirements for the TOE are the Evaluation Assurance Level (EAL) 4 components defined in Part 3 of the Common Criteria, augmented with the CC Part 3 components ALC_FLR.2, ALC_DVS.2, and AVA_VAN.5. No operations are applied to any assurance component.
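The Unidirectional SFP above is small enough to execute: four permit rules (FDP_IFF.1.2), two explicit deny rules (FDP_IFF.1.5), and the FDP_IFC.2 requirement that every operation is covered, so anything not explicitly permitted is denied. The following model is an added example, not part of this Security Target and not Waterfall's implementation (which is hardware). It encodes the rules as data, evaluates a request against them, and then derives from the permit rules alone the reachability claim the SFR rationale makes: information can reach the receiving network from the sending network, but nothing can travel the other way. The operation names read/transmit/receive/write are the SFR's; the direction attached to each (information enters the subject on read/receive and leaves it on transmit/write) is an assumption of the model.

```python
"""Executable model of the Unidirectional SFP (FDP_IFC.2 / FDP_IFF.1).

Added example, not part of the Security Target. Rule text is the SFR's; the
direction assigned to each operation is an assumption of this model.
"""
from dataclasses import dataclass

SENDING, RECEIVING, TX, RX = "sending network", "receiving network", "TX", "RX"
SUBJECTS = {TX, RX}  # FDP_IFC.2.1: the subjects covered by the SFP

# FDP_IFF.1.2: (subject, operation, other party) -> permitting rule
PERMIT_RULES = {
    (TX, "read", SENDING): "FDP_IFF.1.2 a)",
    (TX, "transmit", RX): "FDP_IFF.1.2 b)",
    (RX, "receive", TX): "FDP_IFF.1.2 c)",
    (RX, "write", RECEIVING): "FDP_IFF.1.2 d)",
}
# FDP_IFF.1.5: explicitly denied flows
DENY_RULES = {
    (RX, "transmit", TX): "FDP_IFF.1.5 a)",
    (TX, "receive", RX): "FDP_IFF.1.5 b)",
}
# Assumed direction: information moves into the subject on read/receive,
# out of the subject on transmit/write
INBOUND = {"read", "receive"}
OUTBOUND = {"transmit", "write"}


@dataclass(frozen=True)
class Decision:
    permitted: bool
    rule: str


def evaluate(subject, operation, party):
    """Decide one requested operation: explicit deny wins, then explicit permit.
    FDP_IFC.2 places every operation under the SFP, so anything else is denied."""
    if subject not in SUBJECTS:
        raise ValueError(f"unknown subject {subject!r}")
    if operation not in INBOUND | OUTBOUND:
        raise ValueError(f"unknown operation {operation!r}")
    key = (subject, operation, party)
    if key in DENY_RULES:
        return Decision(False, DENY_RULES[key])
    if key in PERMIT_RULES:
        return Decision(True, PERMIT_RULES[key])
    return Decision(False, "FDP_IFC.2 (no rule permits this flow)")


def permitted_flows():
    """Directed edges (source -> destination) along which the SFP lets information move."""
    edges = set()
    for subject, operation, party in PERMIT_RULES:
        edges.add((party, subject) if operation in INBOUND else (subject, party))
    return edges


def can_flow(source, destination):
    """Can information at `source` reach `destination` through the TOE?
    Depth-first search over the permitted-flow graph."""
    edges = permitted_flows()
    seen, stack = {source}, [source]
    while stack:
        node = stack.pop()
        for a, b in edges:
            if a == node and b not in seen:
                seen.add(b)
                stack.append(b)
    return destination in seen


if __name__ == "__main__":
    print(evaluate(TX, "read", SENDING))      # permitted, FDP_IFF.1.2 a)
    print(evaluate(RX, "transmit", TX))       # denied, FDP_IFF.1.5 a)
    print(evaluate(TX, "read", RECEIVING))    # denied: no rule, FDP_IFC.2
    print(can_flow(SENDING, RECEIVING), can_flow(RECEIVING, SENDING))  # True False
```

Note that the explicit deny rules are never the reason the reverse flow is blocked in the reachability check: the permit rules alone produce a graph with no edge out of the receiving network. That matches the rationale in section 5.4.1, where FDP_IFF.1.5 restates a denial that FDP_IFC.2's complete coverage already implies; in the physical TOE the same property follows from the one-way optical link rather than from a rule lookup.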
Table 5-2 - TOE Security Assurance Requirements

| Assurance Class | Assurance Components |
|---|---|
| Development | ADV_ARC.1 Security architecture description |
| | ADV_FSP.4 Complete functional specification |
| | ADV_IMP.1 Implementation representation of the TSF |
| | ADV_TDS.3 Basic modular design |
| Guidance documents | AGD_OPE.1 Operational user guidance |
| | AGD_PRE.1 Preparative procedures |
| Life-cycle support | ALC_CMC.4 Production support, acceptance procedures and automation |
| | ALC_CMS.4 Problem tracking CM coverage |
| | ALC_DEL.1 Delivery procedures |
| | ALC_DVS.2 Sufficiency of security measures |
| | ALC_FLR.2 Flaw reporting procedures |
| | ALC_LCD.1 Developer defined life-cycle model |
| | ALC_TAT.1 Well-defined development tools |
| Security Target evaluation | ASE_CCL.1 Conformance claims |
| | ASE_ECD.1 Extended components definition |
| | ASE_INT.1 ST introduction |
| | ASE_OBJ.2 Security objectives |
| | ASE_REQ.2 Derived security requirements |
| | ASE_SPD.1 Security problem definition |
| | ASE_TSS.1 TOE summary specification |
| Tests | ATE_COV.2 Analysis of coverage |
| | ATE_DPT.1 Testing: basic design |
| | ATE_FUN.1 Functional testing |
| | ATE_IND.2 Independent testing – sample |
| Vulnerability assessment | AVA_VAN.5 Advanced methodical vulnerability analysis |

5.3. Extended Components Definition

There are no extended components defined in this Security Target. All security requirements have been drawn from [CC] Parts 2 and 3.

5.4. Security Requirements Rationale

5.4.1. Security Functional Requirements Rationale

Table 5-3 provides a mapping between the security requirements and the security objective for the TOE defined in section 4. This is followed by a detailed rationale for this mapping.
Table 5-3 - Tracing of SFRs to security objectives for the TOE

| SFRs | O.UNIDIRECTIONAL |
|---|---|
| FDP_IFC.2 | X |
| FDP_IFF.1 | X |

O.UNIDIRECTIONAL: The TOE shall allow information to flow only from the sending network to the receiving network and not vice versa.

FDP_IFC.2 requires that all information flowing through the TOE be covered by the information flow control SFP. This ensures that no information flows, whether explicit or covert, are exempt from the Unidirectional SFP.

FDP_IFF.1 allows information to flow from the sending network to the receiving network as follows: the TX reads the information from the sending network; the TX transmits the information to the RX; the RX receives the information from the TX and writes it to the receiving network. The inverse information flow (from the receiving network to the sending network) is explicitly denied by FDP_IFF.1, as the TX cannot read information from the receiving network, and no information can flow from the RX (which is connected to the receiving network) to the TX (which is connected to the sending network).

FDP_IFC.2 and FDP_IFF.1 together enforce the Unidirectional SFP on all information flows through the TOE.

5.4.2. Security Assurance Requirements Rationale

The level of assurance chosen for this ST is that of Evaluation Assurance Level (EAL) 4, as defined in CC Part 3, augmented with the CC Part 3 components AVA_VAN.5, ALC_DVS.2, and ALC_FLR.2.

EAL 4 ensures that the product has been methodically designed, tested, and reviewed with maximum assurance from positive security engineering based on good commercial development practices. It is applicable in those circumstances where developers or users require a moderate to high level of independently assured security.
AVA_VAN.5 augments EAL 4 by requiring an advanced methodical vulnerability analysis that confirms the product is resistant to attacks with High attack potential. EAL 4 augmented by AVA_VAN.5 is appropriate for a TOE designed to protect industrial networks from cyber attacks and to prevent leakage of information from classified networks. These use cases may attract highly motivated attackers and therefore attackers with High attack potential.

The ALC_DVS.2 augmentation was included to require justification that the developer's security measures provide the necessary level of protection to maintain the confidentiality and integrity of the TOE in its development environment.

In addition, the assurance requirements have been augmented with ALC_FLR.2 (Flaw reporting procedures) to provide assurance that the TOE will be maintained and supported in the future. This requires the TOE developer to track and correct flaws in the TOE, and to provide guidance to TOE users on how to submit security flaw reports to the developer.

5.4.3. Dependency Rationale

Table 5-4 depicts the satisfaction of all security requirement dependencies. For each security requirement included in the ST, the CC dependencies are identified in the column "CC dependency", and the components that satisfy them are identified in the "ST component" column. Dependencies that are satisfied by hierarchically higher or alternative components are marked with an asterisk (*) and explained in the "Justification" column.

Table 5-4 - Security Requirements Dependency Mapping

Requirement | CC dependency                                                                    | ST component                                                                     | Justification (where needed)
FDP_IFC.2   | FDP_IFF.1                                                                        | FDP_IFF.1                                                                        |
FDP_IFF.1   | FDP_IFC.1, FMT_MSA.3                                                             | FDP_IFC.2*                                                                       | FDP_IFC.2 is hierarchical to FDP_IFC.1. The dependency on FMT_MSA.3 is not applicable as there are no security attributes to initialize.
ADV_ARC.1   | ADV_FSP.1, ADV_TDS.1                                                             | ADV_FSP.4*, ADV_TDS.3*                                                           | Consistent with EAL 4
ADV_FSP.4   | ADV_TDS.1                                                                        | ADV_TDS.3*                                                                       | Consistent with EAL 4
ADV_IMP.1   | ADV_TDS.3, ALC_TAT.1                                                             | ADV_TDS.3, ALC_TAT.1                                                             |
ADV_TDS.3   | ADV_FSP.4                                                                        | ADV_FSP.4                                                                        |
AGD_OPE.1   | ADV_FSP.1                                                                        | ADV_FSP.4*                                                                       | Consistent with EAL 4
AGD_PRE.1   | None                                                                             |                                                                                  |
ALC_CMC.4   | ALC_CMS.1, ALC_DVS.1, ALC_LCD.1                                                  | ALC_CMS.4*, ALC_DVS.2*, ALC_LCD.1                                                | ALC_CMS.4 is consistent with EAL 4; ALC_DVS.2 is hierarchical to ALC_DVS.1.
ALC_CMS.4   | None                                                                             |                                                                                  |
ALC_DEL.1   | None                                                                             |                                                                                  |
ALC_DVS.2   | None                                                                             |                                                                                  |
ALC_FLR.2   | None                                                                             |                                                                                  |
ALC_LCD.1   | None                                                                             |                                                                                  |
ALC_TAT.1   | ADV_IMP.1                                                                        | ADV_IMP.1                                                                        |
ATE_COV.2   | ADV_FSP.2, ATE_FUN.1                                                             | ADV_FSP.4*, ATE_FUN.1                                                            | Consistent with EAL 4
ATE_DPT.1   | ADV_ARC.1, ADV_TDS.2, ATE_FUN.1                                                  | ADV_ARC.1, ADV_TDS.3*, ATE_FUN.1                                                 | Consistent with EAL 4
ATE_FUN.1   | ATE_COV.1                                                                        | ATE_COV.2*                                                                       | Consistent with EAL 4
ATE_IND.2   | ADV_FSP.2, AGD_OPE.1, AGD_PRE.1, ATE_COV.1, ATE_FUN.1                            | ADV_FSP.4*, AGD_OPE.1, AGD_PRE.1, ATE_COV.2*, ATE_FUN.1                          | Consistent with EAL 4 (ATE_COV.1 is not claimed; ATE_COV.2 is hierarchical to it)
AVA_VAN.5   | ADV_ARC.1, ADV_FSP.4, ADV_TDS.3, ADV_IMP.1, AGD_OPE.1, AGD_PRE.1, ATE_DPT.1      | ADV_ARC.1, ADV_FSP.4, ADV_TDS.3, ADV_IMP.1, AGD_OPE.1, AGD_PRE.1, ATE_DPT.1      |

6. TOE Summary Specification

6.1. SFR Mapping

Table 6-1 provides a description of the general technical mechanisms that the TOE uses to satisfy each SFR defined in section 5. The table includes the description of security functionality given in each SFR by reference and provides a high-level view of its implementation in the TOE, referencing sections 1.4.1 and 1.4.2 for descriptions of the physical and logical components of the TOE, respectively.

Table 6-1 - TOE Summary Specification SFR Mapping

Component | Description of mechanism

6.1.1.
User Data Protection (FDP)

FDP_IFC.2
The TOE is implemented in two parts: the TX and RX appliances are entirely independent, each with its own power supply and network interfaces, and each in its own enclosure, which admits no electronic or optical signals other than through the described interfaces. In accordance with TOE guidance, the TX appliance is connected only to the sending network and is not connected to the receiving network. Conversely, the RX appliance is connected only to the receiving network. The two parts of the TOE are connected by a single fiber-optic cable. This ensures that every information flow through the TOE must pass over that cable and is thereby covered by the Unidirectional SFP. Complete coverage by the SFP therefore depends on the appliances being cabled as the guidance prescribes.

FDP_IFF.1
The TX appliance is connected to the sending network using standard RJ45 interfaces for copper-based electronic communication. The TX appliance cannot read information from the receiving network because its network interfaces are connected only to the sending network. The TX appliance contains a proprietary TX board which converts the incoming communication into a fiber-optic data transmission using a fiber-optic transceiver. The TX board and TX transceiver support only data transmission: the on-board circuitry is galvanically isolated from the receiving side of the transceiver, which is customized by Waterfall so that it does not include a photoelectric cell for optical data reception.

A single fiber-optic cable connects the TX appliance to the RX appliance and constitutes the only connection between these two components. This fiber-optic cable connects to the RX appliance's Fiber port. A proprietary RX board converts the incoming optical data into electronic signals, which are transmitted onto the receiving network, using a fiber-optic transceiver. The RX board and RX transceiver support only data reception: the on-board circuitry is galvanically isolated from the transmitting side of the transceiver, which is customized by Waterfall so that it does not include an LED for optical data transmission.

7. Supplemental Information

7.1. References

The following external documents are referenced in this Security Target.

Identifier | Document
CC         | Common Criteria for Information Technology Security Evaluation, Parts 1-3, Version 3.1, Revision 3, July 2009, CCMB-2009-07-001, CCMB-2009-07-002 and CCMB-2009-07-003
CEM        | Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 3, July 2009, CCMB-2009-07-004

7.2. Abbreviations

Abbreviation | Description
CC           | Common Criteria
CEM          | Common Evaluation Methodology
EAL          | Evaluation Assurance Level
FTP          | File Transfer Protocol
LED          | Light Emitting Diode
RSV          | Remote Screen View
SFR          | Security Functional Requirement
SMTP         | Simple Mail Transfer Protocol
SNMP         | Simple Network Management Protocol
ST           | Security Target
TCP          | Transmission Control Protocol
TOE          | Target of Evaluation
TSF          | TOE Security Functionality
TSS          | TOE Summary Specification
UDP          | User Datagram Protocol
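7.3. Worked example: mechanical check of the dependency rationale

The dependency analysis in section 5.4.3 (Table 5-4) is the kind of bookkeeping an ST author or evaluator repeats every time the assurance package changes. The script below is an added example written for this edition; it is not part of the Security Target, Waterfall's deliverables, or any CC tool. The dependency lists are transcribed from Table 5-4 as printed (CC 3.1 Revision 3), the justified-but-unsatisfied dependency is the FMT_MSA.3 entry from that table, and the hierarchy rule is an assumption: a higher-numbered component within a family is treated as hierarchical to every lower-numbered one, which is true for every family this ST claims but not for every family in CC Parts 2 and 3 (a production tool would carry the hierarchy declared in the CC text instead). The helper names (`resolve`, `check`, `unsatisfied`) are this example's own.

```python
"""Hierarchy-aware dependency check for the component set claimed in Table 5-4.

Added example for this edition, not code from the Security Target or its author.
"""
import re

_COMPONENT = re.compile(r"^([A-Z]{3}_[A-Z]{3})\.(\d+)$")


def split(component):
    """'ADV_FSP.4' -> ('ADV_FSP', 4); rejects anything that is not a CC component id."""
    m = _COMPONENT.match(component)
    if not m:
        raise ValueError(f"not a CC component identifier: {component!r}")
    return m.group(1), int(m.group(2))


# Claimed component -> its CC dependencies, transcribed from Table 5-4 (CC 3.1 R3).
CC_DEPENDENCIES = {
    "FDP_IFC.2": ["FDP_IFF.1"],
    "FDP_IFF.1": ["FDP_IFC.1", "FMT_MSA.3"],
    "ADV_ARC.1": ["ADV_FSP.1", "ADV_TDS.1"],
    "ADV_FSP.4": ["ADV_TDS.1"],
    "ADV_IMP.1": ["ADV_TDS.3", "ALC_TAT.1"],
    "ADV_TDS.3": ["ADV_FSP.4"],
    "AGD_OPE.1": ["ADV_FSP.1"],
    "AGD_PRE.1": [],
    "ALC_CMC.4": ["ALC_CMS.1", "ALC_DVS.1", "ALC_LCD.1"],
    "ALC_CMS.4": [],
    "ALC_DEL.1": [],
    "ALC_DVS.2": [],
    "ALC_FLR.2": [],
    "ALC_LCD.1": [],
    "ALC_TAT.1": ["ADV_IMP.1"],
    "ATE_COV.2": ["ADV_FSP.2", "ATE_FUN.1"],
    "ATE_DPT.1": ["ADV_ARC.1", "ADV_TDS.2", "ATE_FUN.1"],
    "ATE_FUN.1": ["ATE_COV.1"],
    "ATE_IND.2": ["ADV_FSP.2", "AGD_OPE.1", "AGD_PRE.1", "ATE_COV.1", "ATE_FUN.1"],
    "AVA_VAN.5": ["ADV_ARC.1", "ADV_FSP.4", "ADV_TDS.3", "ADV_IMP.1",
                  "AGD_OPE.1", "AGD_PRE.1", "ATE_DPT.1"],
}

# Dependencies the ST argues away rather than satisfies (Table 5-4, "Justification").
JUSTIFIED_UNSATISFIED = {
    ("FDP_IFF.1", "FMT_MSA.3"): "no security attributes to initialize",
}


def resolve(dependency, claimed):
    """Return the claimed component that satisfies `dependency`, or None.

    Assumption (holds for every family claimed in this ST, not for all of CC):
    within a family, a higher-numbered component is hierarchical to a lower one.
    An exact match wins; otherwise the lowest claimed component above it is used.
    """
    family, level = split(dependency)
    candidates = [c for c in claimed
                  if split(c)[0] == family and split(c)[1] >= level]
    if not candidates:
        return None
    return min(candidates, key=lambda c: split(c)[1])


def check(dependencies, justified):
    """Classify every (component, dependency) pair of a claimed package.

    Status values: 'direct', 'hierarchical:<claimed component>', 'justified',
    or 'UNSATISFIED' (a gap the rationale must either fill or argue away).
    """
    claimed = set(dependencies)
    report = {}
    for component, deps in dependencies.items():
        for dep in deps:
            by = resolve(dep, claimed)
            if by == dep:
                status = "direct"
            elif by is not None:
                status = f"hierarchical:{by}"
            elif (component, dep) in justified:
                status = "justified"
            else:
                status = "UNSATISFIED"
            report[(component, dep)] = status
    return report


def unsatisfied(report):
    """Sorted list of (component, dependency) pairs with no satisfier and no justification."""
    return sorted(pair for pair, status in report.items() if status == "UNSATISFIED")


def main():
    report = check(CC_DEPENDENCIES, JUSTIFIED_UNSATISFIED)
    for (component, dep), status in sorted(report.items()):
        print(f"{component:10} -> {dep:10} {status}")
    print("unsatisfied:", unsatisfied(report) or "none")
    # What-if: drop ALC_TAT.1 from the package and the ADV_IMP.1 dependency opens up.
    reduced = {k: v for k, v in CC_DEPENDENCIES.items() if k != "ALC_TAT.1"}
    print("without ALC_TAT.1:", unsatisfied(check(reduced, JUSTIFIED_UNSATISFIED)))


if __name__ == "__main__":
    main()
```

Run as printed, the report reproduces Table 5-4: every dependency is either direct, satisfied by a hierarchically higher component (for instance ADV_FSP.1 by ADV_FSP.4, ATE_COV.1 by ATE_COV.2, FDP_IFC.1 by FDP_IFC.2), or covered by the FMT_MSA.3 justification, so the unsatisfied list is empty. The what-if at the end shows the check doing real work: removing ALC_TAT.1 leaves ADV_IMP.1 with an unsatisfied dependency, which is exactly the kind of gap an evaluator looks for under ASE_REQ.2.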