Swedish Certification Body for IT Security
Certification Report - Färist 2.5.2-RELEASE
Issue: 1.0, 2007-Oct-30
Responsible: Jerry jyjoh Johansson
Authorisation: Dag Ströman, Technical Manager , VG CSEC
svarets
Materielverk
/
CSEC
2005
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
FMV ID: 25 550:46 569/2007 Classification: 25 550
Template: 035_CSEC_mall.dot, 2.0
Uncontrolled copy when printed
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
Table of Contents
1 Executive Summary 3
2 Identification 5
3 Security Policy 6
3.1 Security Audit 6
3.2 Cryptographic Support 6
3.3 Information Flow Control 6
3.4 Identification and Authentication 7
3.5 Security Management 7
3.6 Protection of the TOE Security Functions 7
3.7 Trusted Communication Path 7
4 Assumptions and Clarification of Scope 8
4.1 Usage Assumptions 8
4.2 Environmental Assumptions 8
4.3 Clarification of Scope 9
5 Architectural Information 10
6 Documentation 12
7 IT Product Testing 13
7.1 Developer Testing 13
7.2 Evaluator Testing 13
7.3 Evaluator penetration testing 15
8 Evaluated Configuration 17
9 Results of the Evaluation 18
10 Evaluator Comments and Recommendations 20
11 Glossary 21
12 Bibliography 24
svarets
Materielverk
/
CSEC
2005
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 2 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
1 Executive Summary
The Target of Evaluation, TOE, is part of the Färist Firewall and VPN , developed by
Tutus Data AB. Notably, the IP stack is included in the TOE. The Färist provides
application level proxies, IP filtering, VPN functionality, and failover capabilities. All
traffic will pass through a proxy and/or the VPN-crypto. Remote administration is
possible through a secure channel. There are two versions of Färist covered by the
evaluation, the Firewall version (Färist 2.5.2-RELEASE) and the VPN version (Färist
2.5.2-R-RELEASE). The difference between the versions is that the VPN version will
not work in firewall only mode.
The cryptographic module used by the TLS and IPSEC protocols are provided by the
Swedish government and are not considered part of the TOE. The implementation of
the TLS and IPSEC protocols are part of the TOE, while the cryptographic module is
not. It is not possible to change which cryptographic module is used. The Färist has
been developed for the Swedish government.
The Färist product is delivered on an all-in-one install CD, including the TOE, addi-
tional proxies, the remaining parts of FreeBSD 6.2, and the Administrator's Manual.
The CD is marked with either Färist 2.5.2-RELEASE or Färist 2.5.2-R-RELEASE.
The Färist is designed to run on Intel x86 compatible PCs with two ethernet cards.
There is one probablilistic mechanism with a strength of function claim in the security
target, i.e. the integrity check of received NTP packets, for which the claim is SOF-
high.
No conformance claim to any protection profile is made for Färist.
There are ten assumptions made in the ST regarding the secure usage and environ-
ment of the Färist. The TOE rely on these being met to counter the thirteen threats,
and to fulfill the one organisational security policy (OSP) in the ST. The assumptions,
the threats, and the organisational security policy are described in chapter 4 Assump-
tions and Clarification of Scope.
The evaluation has been performed by atsec information security AB in Danderyd,
Sweden, and was completed on the 9th of October 2007. The evaluation was con-
ducted in accordance with the requirements of Common Criteria, version 2.3, Part 2
and Part 3, and the Common Methodology for IT Security Evaluation, CEM, version
2.3. The evaluation was done at the evaluation assurance level EAL4, augmented by
ALC_FLR.1 Basic Flaw Remediation.
Atsec Information Security AB is under licensing to be an IT Security Evaluation
Facility, ITSEF, within the scope of the Swedish Common Criteria Evaluation and
Certification Scheme, and has been granted a conditional license allowing them to
perform trial evaluations under the supervision of CSEC. The evaluation of Färist has
served as such a trial evaluation. Atsec Information Security AB is also under accredi-
tation against ISO/IEC 17025 by the Swedish accreditation body, SWEDAC. A suc-
cessful trial evaluation, and accreditation against ISO/IEC 17025 is necessary to be
licensed as an ITSEF by CSEC.
svarets
Materielverk
/
CSEC
2005
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 3 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
The certifier monitored the activities of the evaluators by reviewing all work units in
all successive versions of the evaluations reports, and by observing the evaluators
performing site visits and testing. The certifier determined that the evaluation results
show that the product satisfies all functional and assurance requirements stated in the
security target, ST. The certifier concluded that the evaluator's findings are accurate,
the conclusions justified, and the conformance results correct. The conclusions of the
evaluators in the final evaluation report are consistent with the evidence provided.
The evaluators concluded that the Common Criteria requirements for evaluation as-
surance level EAL4 augmented by ALC_FLR.1 have been met.
The technical information included in this report has been compiled from the Security
Target Färist 2.5.2 [ST], produced by Tutus Data AB, and from the final evaluation
report produced by atsec information security AB.
The certification results only apply to the version of the product indicated in the cer-
tificate, and on the condition that all the stipulations in the Security Target are met.
This certificate is not an endorsement of the IT product by CSEC or any other or-
ganisation that recognises or gives effect to this certificate, and no warranty of the IT
product by CSEC or any other organisation that recognises or gives effect to this
certificate is either expressed or implied.
The cryptographic algorithms in this product has not been analysed or tested to con-
form to cryptographic standards during this evaluation. All cryptography has only
been asserted as tested by the vendor.
svarets
Materielverk
/
CSEC
2005
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 4 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
2 Identification
The TOE is part of the Färist Firewall and VPN product, including the IP stack, which
is delivered on an all-in-one install CD, with the remaining parts of FreeBSD version
6.2 and the Administrator's Manual. The CD is marked with either Färist 2.5.2-
RELEASE or Färist 2.5.2-R-RELEASE. The full version identifier is also visible on-
screen using the remote administration interface. The manual is marked with Färist
2.5.
svarets
Materielverk
/
CSEC
2005
Certification Identification
Certification ID CSEC 2006001
Name and version of the
certified IT product
Färist 2.5.2-RELEASE
Färist 2.5.2-R-RELEASE
Security Target Identification Security Target Färist, Release 2.5.2, Tutus Data AB,
2007-09-20, Document version 2.1
Common Criteria version 2.3 as of August 2005
CEM version 2.3 as of August 2005
EAL EAL4 + ALC_FLR.1
National and international
interpretations
Scheme Note 5 (Scheme crypto policy)
Scheme Note 8 (Guide to evaluation of crypto)
Sponsor and Developer Tutus Data AB
Svärdvägen 11
SE-182 33 Danderyd
PoC: Per Holmer, President of Tutus Data AB
+46 8 551 102 30
per.holmer@tutus.se
ITSEF atsec information security AB
Svärdvägen 11
SE-182 33 Danderyd
PoC: Staffan Persson, President/Head of ITSEF
+46 8 551 104 00
staffan.persson@atsec.com
Certification Body CSEC
SE-115 88 Stockholm
PoC: Jerry Johansson, Lead Certifier
+46 8 782 66 43
jerry.johansson@fmv.se
Quality Assurance, CSEC Anders Staaf, Certifier
Dag Ströman, Technical Manager
Certification completion date 2007-10-23
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 5 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
3 Security Policy
The security functionality of the TOE is divided into services and outlined below.
3.1 Security Audit
The TOE generates audit data for events associated with the communication links it
monitors. The full set of auditable events are listed in the ST, section 5.1.1.1. Admin-
istrators are able to select the audited events from this list, and to read the log file via
the remote administration tool.
3.2 Cryptographic Support
For all incoming NTP packets, a keyed MD5 hash sum is checked to verify the origin
and integrity of the packet.
After identifying and authenticating, RSA key exchange is performed for remote ad-
ministrators and failover peers, RSA signed Diffie-Hellman key exchange is per-
formed for users requesting restricted access to the internal network. The data is pro-
tected using AES 256 or 3DES encryption and SHA-1 hash.
The IPSEC VPN data streams are encrypted using AES 256 or 3DES, and integrity
protected using SHA-1 HMAC with a 160 bit key. The key exchange is done using
SKUT.
Note that the implementation of the cryptographic algorithms is provided by the
Swedish government and is not included in the TOE.
svarets
Materielverk
/
CSEC
2005
3.3 Information Flow Control
There are two security function policies for information flow control, and one for
access control, in the ST.
The information flow policies are the Unauthenticated SFP, and the Authenticated
SFP. The access control policy is the Authenticated User Access SFP.
The Unauthenticated SFP applies to internal and external entities that have not been
authenticated, is based on source and destinaltion IP address, port number, protocol
type, and protocol specific rules. The protocol must be one of the supported, and the
source and destination IP addresses has to be explicitly allowed for the protocol. IP
packets with an IP address that belongs to the internal/external network has to arrive
at the corresponding network interface. IP packets that arrive in wrong context and
does not belong to an axisting TCP connection are denied.
The Authenticated SFP applies to IP packets arriving through an established VPN
channel, where the remote VPN endpoint has been authenticated. Outgoing IP packets
has to have a destination IP address that belongs to the network at the remote end of
the VPN channel.
The Authenticated User Access SFP applies to remote administrators, failover peer
firewalls, and users accessing services requiring authentication (as configured in the
TCP plug proxy). The user or firewall peer must have a known X.509 certificate,
which has been listed in the respective access control list, and must pass the authenti-
cation to be allowed access to the requested service.
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 6 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
3.4 Identification and Authentication
Remote administrators, failover peers, and users requesting access to services config-
ured to require authentication by the TCP plug proxy, are mutually authenticated, i.e.
the TOE also authenticates itself to the other party. This is done using TLS v1 and
X.509 certificates.
When establishing an IPSEC VPN connection, the endpoints are mutually authenti-
cated using TLS v.1 and X.509 certificates.
3.5 Security Management
The TOE has well-defined initial default values. Initial configuration is done using a
local configuration tool. During normal operation, a more convenient remote interface
may be used for configuration and audit review. To access the local tool, the adminis-
trator needs physical access and a username/password to the underlying operating
system. To access the remote interface, an administrator will have to be authenticated
using a X.509 certificate.
3.6 Protection of the TOE Security Functions
The TOE has been designed to enforce that all incoming packets have to be inspected
by one of the proxies, and/or encrypted/decrypted, before it can reach an outgoing
interface.
3.7 Trusted Communication Path
Using Färist as VPN endpoints, it is possible to connect trusted networks over an in-
secure network. The VPN endpoints has to be mutually authenticated, and all the in-
formation flowing through the VPN channel will be confidentiality and integrity pro-
tected cryptographically.
svarets
Materielverk
/
CSEC
2005
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 7 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
4 Assumptions and Clarification of Scope
In order to function securely, the TOE relies upon a number of assumptions being met
in the operational environment. These are listed in section 4.1 and 4.2 below.
Threats against the environment and considerations about the cryptographic function-
ality are discussed in section 4.3.
4.1 Usage Assumptions
A.AUTKEY - It is assumed that private keys used for the certificates imported to the
TOE are of high quality and not disclosed, replaced or modified. This applies to the
private keys of the certificates for the administrators, the users, the server, as well as
for the certificates used by the VPN connection.
A.GENPUR - There are no general-purpose computing capabilities (e.g., the ability to
execute arbitrary code or applications) on the TOE. The underlying system of the
TOE is solely deployed to host the TOE.
A.MD5KEY - It is assumed that secret keys used for the generation and verification
of the keyed MD5 hash sums are of high quality, are not disclosed and do belong to
the assigned NTP server.
A.NOEVIL - Authorised administrators and users given privileges, are competent,
non-hostile and follow all their guidance; however, they are capable of error.
A.SINGE - The connection from the TOE to an external trusted network using the
VPN functionality has only one connection point on the other network, i.e. the exter-
nal network meets the assumption A.SINGI for its Färist.
A.SINGI - Information cannot flow among the internal and external networks unless
it passes through the TOE or a failover firewall to the TOE, i.e. the TOE or its
failover firewall is the only connection point between those two networks.
A.PEERTRUST - The TOE firewall peers that are configured as failover must be
trustworthy. That means that they are all under the same administration as the TOE,
identically configured and that the same assumptions can be made about them as for
the TOE.
svarets
Materielverk
/
CSEC
2005
4.2 Environmental Assumptions
A.NOEMA - Interception of emanation of any kind is addressed by environmental
controls that reduce the signal to noise ratio for an interceptor to a level that prohibits
useful evaluation of the intercepted signals.
A.PHYSEC - The TOE is physically secure, i.e. no unauthorised persons have physi-
cal access to the TOE and its underlying system.
A.RELHARD - The underlying hardware, firmware (BIOS and device drivers) and
the operating system functions needed by the TOE to guarantee secure operation, are
working correctly and have no undocumented security critical side effect on the func-
tions of the TOE.
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 8 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
4.3 Clarification of Scope
All threats to the TOE, as specified in the ST, are countered by the TSF. Therefore
only the threats to the TOE environment are listed, since they are countered by the
environment rather than the TOE.
TE.AUDIT - An attacker may manipulate the underlying system of the TOE in a way
that authorised administrators are not able to read the audit data via console access.
TE.FILE - An attacker may gain the possibility to alter user or TSF data without be-
ing detected.
TE.INFO - An attacker may gain access to TSF data (like TLS session keys used for
the remote administration encryption) by allocating memory on the underlying operat-
ing environment which still contains such data from a previous allocation.
The cryptographic algorithms in this product has not been analysed or tested to con-
form to cryptographic standards during this evaluation. All cryptography has only
been asserted as tested by the vendor.
The implementation of the cryptographic module is excluded from the TOE, but the
correctness of the calls to the cryptographic module is covered by the evaluation.
The boundary of the cryptographic module coincides with the cryptographic engine
boundary in OpenSSL.
svarets
Materielverk
/
CSEC
2005
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 9 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
5 Architectural Information
The TOE includes the parts of Färist 2.5.2-RELEASE and Färist 2.5.2-R-RELEASE
identified in the picture below, using FreeBSD version 6.2 as the underlying operating
system.
The TOE consists of the following parts:
− the FTP-proxy,
− the SMTP-proxy consisting of omb_smtp and omb_smtpd,
− the DNS-proxy,
− the TCP Plug-proxy,
− the VPN functionality consisting of vpnd and skutd,
− the failover system consisting of the proxy daemon and carp daemon
svarets
Materielverk
/
CSEC
2005
− the IP stack of the kernel including
− the FreeBSD packet filter
− the VPN-check routing function,
− the packet screening daemon,
− the PHP-based remote administration tool including
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 10 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
− the reboot cgi application,
− the https server
− administration backend, consisting of
− modifications to the FreeBSD sysinstall program,
− fwadmin wrapper script,
− fconfig and its wrapper newfconfic
− the configuration daemon configd using the configc and config_sync
script.
working together as described in the security target, chapter 2.
The cryptographic module implementation is excluded from the TOE (note this does
not show in the figure). The boundary of the excluded part corresponds precisely to
the boundary of the OpenSSL cryptographic engine.
All components are handled under version control and are part of the Färist 2.5.2-
RELEASE, Färist 2.5.2-R-RELEASE.
svarets
Materielverk
/
CSEC
2005
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 11 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
6 Documentation
The following documentation is provided with the product by the developer to the
customer:
Färist Administrator's Manual, Release 2.5, Tutus Data AB, 2007-08-22, document
version 2.9.3.
svarets
Materielverk
/
CSEC
2005
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 12 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
7 IT Product Testing
7.1 Developer Testing
7.1.1 TOE test configuration
All developer testing was conducted in the developer's test environment, providing a
suitable test network with machines to access services on the inside and outside inter-
faces of the TOE, and to connect to the TOE for remote administration tasks.
A BSD or Windows XP based PC was used either in the internal or external network
(relative to the TOE) as external testing system. Standard services (SMTP relay, SSH
host, DNS server and FTP server) were provided in the test environment as was a
gateway to the Internet.
The TOE itself was installed on the Färist 40100c4HD hardware, which is a standard
PC with a 32 bit Intel architecture CPU, 256 MB of main memory, 40GM hard disk
and 4 standard 10/100 MBit Ethernet ports.
A clean install of the TOE software (FÄRIST 2.5.2-RELEASE and FÄRIST 2.5.2-R-
RELEASE) was performed upfront, and the machines were set up according to the
specifications in the developer test plan.
The evaluators verified that the test environment corresponded to the evaluated con-
figuration as described in the Security Target.
7.1.2 Testing approach
The developer performed all tests by stimulating external interfaces of the TOE. This
is considered to be sufficient due to the information flow between the TOE subsys-
tems – it is always clearly defined to which subsystem information, given to an exter-
nal interface, will be transferred via the internal interfaces.
The developer's overall approach was to send valid and invalid input to the external
interfaces, and evaluating the behavior observed and output obtained (error messages
and log files). All tests were performed manually and the results recorded.
The developer performed a total of 33 tests, covering both parallel and serial tunnel
mode of the TOE, exercising all security functions through their external interfaces.
Implicitly, audit and management functions (local and remote administration) were
exercised in all tests when setting up the test conditions and when observing the out-
put of the tests.
svarets
Materielverk
/
CSEC
2005
7.1.3 Test results
All developer testing was performed according to plan. The expected results were met
in each case and the evaluators were able to determine that the developer testing pro-
vides sufficient support for the evaluation.
Note that the cryptographic algorithms in this product has not been analysed or tested
to conform to cryptographic standards during this evaluation. All cryptography has
only been asserted as tested by the vendor.
7.2 Evaluator Testing
The evaluators conducted their independent testing after the site visit on June 13-14,
2007. As required by CEM, they split their test effort into
1. the repetition of developer test samples and
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 13 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
2. independent evaluator testing.
7.2.1 Test Environment
All evaluator testing was conducted in the developer's test environment, providing a
suitable test network with machines to access services on the inside and outside inter-
faces of the TOE, and to connect to the TOE for remote administration tasks.
A BSD or Windows XP based PC was used either in the internal or external network
(relative to the TOE) as external testing system. Standard services (SMTP relay, SSH
host, DNS server and FTP server) were provided in the test environment as was a
gateway to the Internet.
The TOE itself was installed on the Färist 40100c4HD hardware, which is a standard
PC with a 32 bit Intel architecture CPU, 256 MB of main memory, 40GB hard disk
and 4 standard 10/100 MBit Ethernet ports.
7.2.2 Test Configuration
The evaluators, assisted by the developer, performed a clean install of the TOE soft-
ware version 2.5.1 from a USB stick obtained from the developer on the machine and
configured the machine according to the specifications in the developer's test plan.
The TOE version used for testing was 2.5.1, which at the time of testing was the cur-
rent version. Since the final TOE version for this evaluation is 2.5.2, the evaluators
conducted a detailed analysis of the changes introduced between these versions and
documented it in their report. They found their tests to be still valid, as none of the
changes affected the security functions tested by the evaluators.
7.2.3 Testing approach
The evaluators have performed all their tests by stimulating external interfaces of the
TOE. This is considered to be sufficient due to the information flow between the TOE
subsystems – it is always clearly defined to which subsystem information given to an
external interface will be transferred via the internal interfaces.
The overall approach was similar to the one the developer used: valid and invalid
input was sent to the external interfaces, the output was observed at the interfaces and
in the log file.
7.2.4 Subset size and selection criteria for test repetition
The evaluators used the CEM guidance to choose a sample from the set of developer
tests that would explicitly exercise all security functions and three of the four proxies,
focusing on functionality that had been changed (esp. the DNS proxy) in this release.
Management and audit functionality was sufficiently exercised by the setup of the
tests, which were all manually performed.
The evaluators chose a total of 11 tests from the 33 tests in the developer's test plan.
Three of these tests were performed in the serial tunnel (VPN) setting of the Färist.
All tests ran successfully, delivering the expected results as specified in the developer
test documentation.
svarets
Materielverk
/
CSEC
2005
7.2.5 Additional evaluator tests
Since the examination of the developer tests had proven a good test coverage and
depth for all security functions, interfaces and components, there was no compelling
reason to supplement the developer testing in a specific area. The evaluators devised a
set of additional tests according to the criteria outline in CEM:
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 14 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
• to supplement the developer testing in places, where the evaluator sees the de-
mand for additional tests,
• to cover a broad range of security functions provided by the TOE,
• to cover public domain weaknesses concerning firewalls,
• and to stay in the projected schedule for the evaluator testing activities.
A total of seven additional tests was developed by the evaluators. They were executed
in the developer's test environment as described above.
All tests ran successfully, delivering the expected results as specified in the evalua-
tors' test documentation.
7.2.6 Verdict for the activity
All evaluator testing could be performed as intended. The expected results were met
in each case and were able to support the persuasion of the evaluators that the overall
developer and evaluator testing activities are sound and sufficient to support the EAL
4 evaluation of the TOE.
7.3 Evaluator penetration testing
The evaluators performed penetration testing.
7.3.1 TOE test configuration
The TOE was set up with a basic network configuration (internal and external inter-
faces, routing, external services available (e.g. DNS server)), with all proxies belong-
ing to the evaluated configuration (i.e. FTP, DNS, SMTP and TCP plug proxy) en-
abled, whereby a plug proxy was configured to serve port 22, and with the remote
administration tool accessible from the external and internal network. The set up in-
cluded the activation of all features being part of the evaluated configuration, as de-
scribed in the Administrator's Manual, section 4.3, Because of the nature of the tests,
no Färist VPN system was used (i.e. FÄRIST 2.5.2-R-RELEASE), since the tests
would not have been able to test that system.
On a Linux-based remote test PC, the network security scanner “Nessus” for Linux
was set up and configured to probe the TOE for public domain vulnerabilities and
exploits by stimulating the external network interface of the TOE.
7.3.2 Security functions tested
The penetration test was aimed predominantly at the security functions of the TOE
processing the user information, i.e. the IP packets mediated through the TOE and
their upper protocol specific treatment (e.g. FTP), which are:
• SF.IPS (IP stack)
• SF.PF (packet filter), and
• SF.AP (application proxies)
− FTP
− SMTP
svarets
Materielverk
/
CSEC
2005
− DNS
7.3.3 Obvious vulnerabilities tested
The evaluators did not identify any obvious vulnerabilities worth testing. Instead, they
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 15 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
took the approach of an attacker trying to footprint the system and scan for any un-
usual behavior possibly leading to an unknown vulnerability and hence an exploit.
However, they were not able to identify such behavior, since the TOE withstood all
attempts to confuse it or to reveal any useful information to an attacker.
7.3.4 Results
No vulnerabilities were detected during penetration testing.
The TOE version used for testing was 2.5.1, which at the time of testing was the cur-
rent version. Since the final TOE version for this evaluation is 2.5.2, the evaluators
conducted a detailed analysis of the changes introduced between these versions and
documented it in their report. They found their tests to be still valid, as none of the
changes affected the security functions tested by the evaluators.
The developer vulnerability analysis and the results of the evaluator penetration test-
ing show that no exploitable vulnerabilities were found.
After careful analysis, the evaluators also determined that one residual vulnerability
initially reported by the developer and rated as theoretically exploitable is not exploit-
able in any real-world scenario.
No exploitable vulnerabilities were discovered.
svarets
Materielverk
/
CSEC
2005
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 16 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
8 Evaluated Configuration
The evaluated configuration is part of the Färist Firewall and VPN product. Two vari-
ants have been covered by the evaluation, the firewall version (Färist 2.5.2-
RELEASE) and the VPN version (Färist 2.5.2-R-RELEASE). The only difference is
that the VPN version will not work in firewall only mode.
The Färist product is delivered on a CD, which also includes the Administrator's Man-
ual.
svarets
Materielverk
/
CSEC
2005
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 17 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
9 Results of the Evaluation
The evaluators applied each CEM work unit. For all temporary fail or inconclusive
verdicts, the developer supplied updated or complementary evidence.
The certifier reviewed the work of the evaluators, and verified that sufficient evidence
and justification was provided by the evaluators to confirm that the evaluation was
conducted in accordance with the requirements of the CEM.
The evaluators’verdicts for the assurance classes and components are summarised in
the following table:
svarets
Materielverk
/
CSEC
2005
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 18 (24)
©
För
Assurance Class Name / Assurance Family Name Short name (including
component identifier
for assurance families)
Verdict
Security Target ASE PASS
- TOE description ASE_DES.1 PASS
- Security environment ASE_ENV.1 PASS
- ST introduction ASE_INT.1 PASS
- Security objectives ASE_OBJ.1 PASS
- PP claims ASE_PPC.1 PASS
- IT security requirements ASE_REQ.1 PASS
- Explicitly stated IT security requirements ASE_SRE.1 PASS
- TOE summary specification ASE_TSS.1 PASS
Configuration management ACM PASS
- CM automation ACM_AUT.1 PASS
- CM capabilities ACM_CAP.4 PASS
- CM scope ACM_SCP.2 PASS
Delivery and operation ADO PASS
- Delivery ADO_DEL.2 PASS
- Installation, generation and start-up ADO_IGS.1 PASS
Development ADV PASS
- Functional specification ADV_FSP.2 PASS
- High-level design ADV_HLD.2 PASS
- Implementation representation ADV_IMP.1 PASS
- Low-level design ADV_LLD.1 PASS
- Representation correspondence ADV_RCR.1 PASS
- Security policy modeling ADV_SPM.1 PASS
Guidance documents AGD PASS
- Administrator guidance AGD_ADM.1 PASS
- User guidance AGD_USR.1 PASS
Life cycle support ALC PASS
- Development security ALC_DVS.1 PASS
- Flaw remediation ALC_FLR.1 PASS
- Life cycle definition ALC_LCD.1 PASS
- Tools and techniques ALC_TAT.1 PASS
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
Assurance Class Name / Assurance Family Name Short name (including
component identifier
for assurance families)
Verdict
Tests ATE PASS
- Coverage ATE_COV.2 PASS
- Depth ATE_DPT.1 PASS
- Functional tests ATE_FUN.1 PASS
- Independent testing ATE_IND.2 PASS
Vulnerability assessment AVA PASS
- Misuse AVA_MSU.2 PASS
- Strength of TOE security functions AVA_SOF.1 PASS
- Vulnerability analysis AVA_VLA.2 PASS
Summarising the results of all assurance classes, the final evaluation result is PASS.
The evaluator’s conclusion is that the evaluation of Färist 2.5.2-RELEASE and Färist
2.5.2-R-RELEASE fulfils the requirements of EAL4 and ALC_FLR.1 and that the
minimum strength of function for the integrity check of NTP packets is SOF-high.
During the assessment of the evaluators’ work, the certifier found that the evaluators’
conclusions were justified.
One observation report was written by the certifier during the evaluation, requesting
the developer to provide clarification to the description of the threats against TOE.
The security target was updated, and the threat descriptions clarified by the developer.
svarets
Materielverk
/
CSEC
2005
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 19 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
10 Evaluator Comments and Recommendations
The evaluators have not reported any particular considerations regarding the use of
Färist 2.5.2-RELEASE or Färist 2.5.2-R-RELEASE.
svarets
Materielverk
/
CSEC
2005
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 20 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
11 Glossary
svarets
Materielverk
/
CSEC
2005
Glossary
(the) Scheme The Swedish Common Criteria Evaluation and Certifica-
tion Scheme.
CCRA International arrangement to promote mutual recognition
of Common Criteria certificates.
Certification The formal approval of a product or protection profile
based on the result of the evaluation.
Certification ID Unique identifier issued by the Certification Body to
clearly identify a certification.
Certification report Report issued by the certifier at the end of each certifica-
tion showing the outcome of the certification. Certification
reports will be issued for all completed certifications, suc-
cessful or not. The certification report is based on the final
evaluation report.
Conditional license Stage before the Evaluation Facility is granted a full li-
cense, permitting the evaluation facility to perform a trial
evaluation.
Evaluation The assessment of an IT product or protection profile
against the Common Criteria using the Common Method-
ology to determine whether or not the security claims on
the product or protection profile are justified.
Evaluation and certifi-
cation scheme
The systematic organisation of the functions of evaluation
and certification under the authority of a Certification
Body in order to ensure that high standards of competence
and impartiality are maintained and that consistency is
achieved.
Evaluation evidence All documentation and provided information submitted by
the Developer and/or Sponsor during evaluation and certi-
fication.
Evaluation facility A non-licensed organisation that carries out independent
IT product or protection profile evaluations, usually on a
commercial basis.
See also IT security evaluation facility.
Evaluation report See Evaluation technical report.
Evaluation technical
report
A report produced by the Evaluation Facility. Either ad-
dresses specific assurance aspects, as in the single evalua-
tion reports, or is the final evaluation report. The final
evaluation report summarises the single evaluation reports
for all assessment aspects required in the Common Crite-
ria.
Final evaluation report Final report produced by an Evaluation Facility regarding
the procedures performed and the results of evaluation of a
target of evaluation. The final evaluation report summa-
rises the single evaluation reports for all the assessment
aspects required in the Common Criteria.
Full ITSEF license After all licensing requirements are fulfilled, an Evaluation
Facility is granted a full license and becomes an ITSEF.
IT security evaluation
facility
An organisation licensed by the Certification Body to
carry out independent IT product or protection profile
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 21 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
Glossary
evaluations, usually on a commercial basis.
Licensing Licensing of an Evaluation Facility by the Certification
Body constitutes confirmation that that Evaluation Facility
is qualified to perform evaluations.
Product A package of IT software, firmware, and/or hardware pro-
viding functionality designed for use or incorporation
within a multiplicity of systems.
Security target A set of security requirements and specifications to be
used as the basis for evaluation of an identified target of
evaluation.
Single evaluation re-
port
Report produced by an Evaluation Facility covering indi-
vidual assurance aspects specified in the Common Criteria.
Site visit There are several different site visits within the Scheme:
auditing of the development environment of the Devel-
oper, auditing of the evaluation tests at the ITSEF, and
auditing of the ITSEF during licensing. During a site visit,
checks are performed as to whether the documented con-
figuration control processes, policies, and security proce-
dures are being applied. In addition, during a site visit to a
development environment, the skills of Developers and
other staff in performing tasks are assessed.
Sponsor The organisation that applies and pays for a certification
from the Certification Body.
Target of evaluation An IT product and its associated administrator and user
guidance documentation that is the subject of an evalua-
tion.
Trial evaluation An evaluation conducted as part of the Evaluation Facility
licensing process to demonstrate technical competence and
the ability of the Evaluation Facility to work in compliance
with the Scheme.
svarets
Materielverk
/
CSEC
2005
Abbreviation Description
CB Certification Body
CC Common Criteria (CC Part 1-3 refers to the Common Criteria
standard documentation)
CCMB Common Criteria Maintenance Board
CCRA Common Criteria Recognition Arrangement
CEM Common Methodology for Information Technology Security
Evaluation (CEM Part 1-2 refers to the CEM standard documen-
tation)
CM configuration management
CR certification report
EAL evaluation assurance level
FER final evaluation report
FMV Försvarets Materielverk - The Swedish Defence Material Ad-
ministration
IEC International Electrotechnical Commission
ISO International Organisation for Standardisation
IT information technology
ITSEF IT Security Evaluation Facility
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 22 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
svarets
Materielverk
/
CSEC
2005
Abbreviation Description
OR observation report
SER single evaluation report
ST security target
TOE target of evaluation
TOR technical oversight report
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 23 (24)
©
För
SWEDISH COMMON CRITERIA EVALUATION AND CERTIFICATION SCHEME
Certification Report - Färist 2.5.2-RELEASE
12 Bibliography
ST Security Target Färist, Release 2.5.2, Tutus Data AB, 2007-
09-20, document version 2.1
ADM Färist Administrator’s Manual, Release 2.5.1, Tutus Data
AB, 2007-08-22, document version 2.9.3
SKUT Simple key-exchange using TLS (SKUT), P. Holmer and
R.Lind, March 2004
CC Common Criteria for Information Technology Security
Evaluation, version 2.3, August 2005, Part 1-3
CEM Common Methodology for Information Technology Security
Evaluation, version 2.3, August 2005
SP-002 Evaluation and Certification, FMV/CSEC 25550:558/2005,
2007-07-28, document version 8.0
SN5 Scheme Note 5, FMV/CSEC 25550:64 543/2006, 2007-05-
25
SN8 Scheme Note 8, FMV/CSEC 25550:29 747, 2007-06-25
svarets
Materielverk
/
CSEC
2005
25 550:46 569/2007 1.0 2007-10-30
Uncontrolled copy when printed 24 (24)
©
För