genugate firewall 9.0 Security Target
Version 6
13 Dec 2017
genua gmbh, Domagkstr. 7, D-85551 Kirchheim, Germany

Table of Contents

1 ST Introduction
1.1 ST Reference
1.2 TOE Reference
1.3 TOE Overview
1.3.1 Required non-TOE Hardware/Software/Firmware
1.4 TOE Description
1.4.1 The Application Level Gateway
1.4.2 The Packet Filter
1.4.3 High Availability (genugate cluster)
1.4.4 Physical Scope
1.4.5 Logical Scope
2 Conformance Claims
2.1 CC Conformance Claim
2.2 PP Claim, Package Claim
2.3 Conformance Rationale
3 Security Problem Definition
3.1 Users
3.2 Assets
3.3 Threats
3.4 Organisational Security Policies
3.5 Assumptions
4 Security Objectives
4.1 Security Objectives for the TOE
4.2 Security Objectives for the Environment
4.3 Security Objectives Rationale
5 Extended Components Definition
5.1 Class FAU: Security audit
5.1.1 Security audit data generation (FAU_GEN)
5.2 Class FIA: Identification and authentication
5.2.1 User authentication (FIA_UAU)
5.3 Class FPT: Protection of the TSF
5.3.1 Simple Self Test (FPT_SST)
6 Security Requirements
6.1 Security Functional Requirements
6.1.1 Class FAU: Security audit
6.1.2 Class FDP: User data protection
6.1.3 Class FIA: Identification and authentication
6.1.4 Class FMT: Security management
6.1.5 Class FPT: Protection of the TSF
6.2 Security Assurance Requirements
6.3 Security Functional Requirements Rationale
6.3.1 Objectives
6.3.2 New or tailored SFR
6.4 Security Assurance Requirements Rationale
7 TOE Summary
7.1 TOE Summary Specification
7.1.1 SF_SA: Security audit
7.1.2 SF_DF: Data flow control
7.1.3 SF_IA: Identification and Authentication
7.1.4 SF_SM: Security management
7.1.5 SF_PT: Protection of the TSF
7.2 Self-Protection against Interference and Logical Tampering
7.3 Self-Protection against Bypass
8 Abbreviations
9 Bibliography

1 ST Introduction

1.1 ST Reference

ST Title: genugate firewall 9.0 Security Target
Version: Version 6
Developer: genua gmbh
Author: Roland Meister
Subject: Firewall, Application Level Gateway
Date: 13 Dec 2017

1.2 TOE Reference

TOE Title: genugate firewall 9.0
Product Name: genugate 9.0 Z patch level 2

1.3 TOE Overview

The TOE genugate firewall 9.0 is part of a larger product, the firewall genugate 9.0 Z patch level 2, which consists of hardware and software. The TOE genugate firewall 9.0 itself is part of the shipped software. The operating system is a modified OpenBSD. To mitigate hardware failures the genugate has a high availability option where two or more genugate systems are operating in parallel and take over a failing system.

genugate 9.0 Z is a combination of an application level gateway (ALG) and a packet filter (PFL), which are implemented on two different systems (see figure 1.1). It is thus a two-tiered firewall. Besides the network interface to the PFL, the ALG has (at least) three more interfaces to connect to the external network, the administration network and the secure server network (a DMZ). For the high availability option, the ALG needs another network interface for the HA network. The PFL has a second interface which is connected to the internal network, and optional interfaces for further DMZs. The aim of the firewall is to control the IP traffic between the different connected networks.
Therefore the ALG uses proxies that implement filter policies in order to control all data transmitted between the different networks, while the PFL uses packet filtering as an additional means to control all data that is sent to and from the internal network.

The TOE, genugate firewall 9.0, consists of the software that implements the IP traffic control and related functionality of the firewall. This includes the proxies and the modified OpenBSD kernel modules (IP stack, packet filter), but also other supportive functionality such as logging of security events (see the next section for a more detailed definition of the TOE scope and boundary).

The TOE has a special maintenance mode. During normal operation IP packets are handled as usual and the file system is secured by the BSD file flags. In maintenance mode, however, the BSD flags can be altered for maintenance operation. In this mode all IP packets are dropped for security reasons.

The genugate product family includes the following security features:

● The TOE supports IPv4 and IPv6.
● The ALG does not perform IP forwarding but uses socket splicing as a fast transport mechanism (see below).
● The modified OpenBSD kernel performs extra spoofing checks. The source and destination address of the IP packet are checked against the IP address (and netmask) of the receiving interface.
● The modified OpenBSD kernel logs events related to firewall security that occur while checking incoming IP packets and keeps statistic counters for other events.
● The filter rules of the PFL cannot be modified during normal operation.
● Proxies that accept connections from the connected networks run in a restricted runtime environment.
● The log files are analysed online.
● The administrators are notified about security relevant events.
● File system flags prohibit the deletion of the most important log messages.
● The internal network is protected by a two-tier security architecture that filters on different levels of the network stack (ALG and PFL).
● The TOE has a special maintenance mode. During normal operation IP packets are handled as usual and the file system is secured by the BSD flags. In maintenance mode, however, the BSD flags can be altered for maintenance operation. In this mode all IP packets are dropped for security reasons.
● To mitigate hardware failures the genugate has a high availability option where two or more genugate systems are operating in parallel and take over a failing system. The different systems synchronize their configuration with one another. The genugate provides two certified mechanisms, OSPF and CARP failover.

Figure 1.1: genugate 9.0 Z overview. The secure server network is labelled as dmz.

1.3.1 Required non-TOE Hardware/Software/Firmware

The product is based on OpenBSD 5.9 that runs on a large scale of hardware using different INTEL compatible processors. The ALG needs at minimum an Intel Celeron with 1 GB memory and four 1 GBit network interfaces (the high availability option needs at least five interfaces). The PFL needs an Intel Celeron with 512 MB memory and two 1 GBit network interfaces. Nonetheless the hardware is selected by the manufacturer in order to guarantee proper execution of the product.

The currently distributed hardware versions are the genugate S, the genugate M, the genugate L, revisions 1.0 and 2.0, and the special hardware K130 infodas server, revision 1.0. These hardware versions are in scope for this certification. There are also the legacy versions genugate 200, genugate 400, genugate 600 and genugate 800 in the field with hardware revision 6 and 7 which are out of scope for the current certification. The genugate firewall 9.0 runs on this hardware with the same functionality and security measures, but running the software on the legacy hardware has not been evaluated.

The proxies and other user space programs on the ALG are based on Perl 5.20 which is distributed with the product.

For the high availability option using OSPF a correctly configured OSPF router is needed in the internal network.

1.4 TOE Description

The TOE genugate firewall 9.0 is used to control the connections and data transfer between different networks, where each network has different security needs and different threat levels for the other networks. genugate 9.0 Z is a combination of an application level gateway (ALG) and a packet filter (PFL), which are implemented on two different systems. It is thus a two-tiered firewall for connections into the internal network.

The TOE can be configured in such a way that the security needs for each network are optimally met. A standard configuration consists of the following networks connected to the TOE:

● internal network: This is the network that has to be secured against attacks from the external network. Usually only a few services from the internal network are accessible from the external network, secured by user authentication. This is the network that is secured by both the ALG and the PFL, using filtering mechanisms at two different levels of the IP stack. This network is usually controlled by a defined security policy.
● external network: This is the most insecure network, e.g. the internet. In general, no security policy exists, and all kinds of attacks can occur in this network.
● administrative network: This network is used to allow a secure administration of the TOE. This network is isolated from all other networks and only administrators have access. The usual access is through the HTTPS web interface, but SSH and TELNET access for debugging and maintenance operation is also available.
● secure server network: This network allows access to common services from the external network, without the need to open the internal network. Usually, web and FTP servers are installed in this network. This network is usually controlled by a defined security policy.
● HA network: This internal network is necessary for the high availability option. It is used to synchronize the configuration between the systems.

The TOE includes the following security features:

● The TOE supports IPv4 and IPv6. However, the mcastudp relay supports only IPv4. The internal HA network must use IPv4 addresses.
● The ALG does not perform IP forwarding but uses socket splicing for TCP connections and UDP datagrams when appropriate. The connection setup is handled in user space, where information flow control policies are enforced. If the TCP connections/UDP datagrams pass the control checks, the sockets are set to a "fast" mode where no data is copied to user space and back. This mode should not be confused with IP forwarding, where the IP packets are copied between the networks. The socket splicing reconstructs the whole TCP stream/the UDP contents before sending the data.
● The modified OpenBSD kernel performs extra spoofing checks. The source and destination address of the IP packet are checked against the IP address (and netmask) of the receiving interface.
● The modified OpenBSD kernel logs events related to firewall security that occur while checking incoming IP packets and keeps statistics for other events.
● The filter rules of the PFL cannot be modified during normal operation.
● Proxies that accept connections from the connected networks run in a restricted runtime environment.
● All central processes of the ALG are controlled by the process master that monitors the system and keeps it running. In case of strange behaviour the process master can take actions.
● The log files are analysed online and the administrators are notified about security relevant events.
● The log files are intelligently rotated so that they avoid filling the available space, but the administrator can still see recent log entries and all events of the process master and the online analysis. There are two classes of log files, the rotated and the flagged. The rotated log files are rotated automatically, based on size and time. The flagged log files are only rotated in maintenance mode with the acknowledgement of the administrator.
● The configuration of the file system flags prohibits the deletion of the most important log messages.
● The internal network is protected by a two-tier security architecture that filters on different levels of the network stack (ALG and PFL).
● The SSH relay intercepts SSH connections, can filter selected SSH protocol messages and can authenticate users. The cryptographic operations of the relay are not part of the certification.
● The TOE has a special maintenance mode. During normal operation IP packets are handled as usual and the file system is secured by the BSD file flags. In maintenance mode, however, the BSD file flags can be altered for maintenance operation. In this mode all IP packets are dropped for security reasons.
● To mitigate hardware failures the genugate has a high availability option where two or more genugate systems are operating in parallel and take over a failing system. The different systems synchronize their configuration with one another.

1.4.1 The Application Level Gateway

The ALG uses relays to provide and control connections between the different networks. The relays, which are user-space proxies, are necessary because the kernel of the ALG has no capabilities to forward IP packets. Without socket splicing, all IP traffic has to be reassembled and transferred to user space by the kernel.
The proxies examine the data and perform most of the filtering and controlling functions. The protocol-specific proxies have enough knowledge about the respective protocol in order to filter possibly threatening or insecure protocol elements. The proxies implement several access control lists that allow a fine-grained control of the usage of services. All proxies can be transparent with respect to the source and/or destination address, so that the ALG can be configured transparently with respect to IP addressing. The ALG checks for source or destination spoofing attacks.

Socket splicing optimizes the handling of TCP connections/UDP packets through the ALG. After the initial flow control checks on connection setup, the relays can switch to socket splicing mode. Then the data that would only be copied from kernel mode to application mode and back is kept in kernel memory. The connections are handled by the kernel like all traffic, but instead of being copied to user space the data is directly directed to the output socket. Socket splicing should be strictly distinguished from IP forwarding. Using IP forwarding, no packet reassembly is done, and all packets are copied verbatim to the outgoing socket including their IP headers, without further checks. With socket splicing, the TCP data stream/UDP contents are extracted out of the IP packets with all associated tests and checks, and new IP packets are created by the kernel on output. Socket splicing is not applied for protocols where the whole data stream must be checked. So it is not feasible for protocols that use the virus checker or that filter HTML.

The generic relays for UDP and TCP can apply a protocol conformance filter (PCF), which matches the protocol data at the beginning of the connection against regular expressions. If the match fails, the relays finish the connection.
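The spoofing check mentioned above, and in the feature lists before it, compares the source and destination address of an incoming packet with the address and netmask of the receiving interface. The Python below is an added example written for this edition, not code from genua or the modified OpenBSD kernel, and the Security Target does not spell out the exact rules: the three rules implemented here, the interface names, the documentation address ranges and the sample packets are all this example's own assumptions. It handles IPv4 and IPv6 interfaces side by side, as the TOE supports both, and reports each rejection with an audit-style reason, since the page says such mismatches are logged.

```python
"""Added example (not genugate code): an interface-based anti-spoofing check.

The Security Target only says that the kernel compares the source and
destination address of an incoming IP packet with the IP address and netmask
of the receiving interface.  The three rules below are this example's own
reading of that sentence; the modified OpenBSD kernel may check differently.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    name: str
    cidr: str  # address with prefix length, e.g. "198.51.100.1/24"

    @property
    def iface(self):
        return ipaddress.ip_interface(self.cidr)


def check_packet(interfaces, received_on, src, dst):
    """Return (accepted, reason) for a packet seen on interface `received_on`.

    A rejected packet carries a reason in the style of an audit-log message.
    """
    by_name = {i.name: i for i in interfaces}
    rx = by_name[received_on].iface
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)

    # A v6 packet on a v4 interface (or vice versa) cannot match the interface at all.
    if src_ip.version != rx.ip.version or dst_ip.version != rx.ip.version:
        return False, f"{received_on}: address family mismatch src={src} dst={dst}"

    for i in interfaces:
        local = i.iface
        if local.ip.version != src_ip.version:
            continue
        # Rule 1: no peer may claim one of the firewall's own addresses.
        if src_ip == local.ip:
            return False, f"{received_on}: spoofed source {src} is the local address of {i.name}"
        # Rule 2: a source inside a directly attached network must arrive on that
        # interface, not on another one (e.g. a DMZ address seen on the external link).
        if i.name != received_on and src_ip in local.network:
            return False, f"{received_on}: spoofed source {src} belongs to {i.name} ({local.network})"

    # Rule 3: a unicast destination on the receiving link itself (other than the
    # firewall) should never have been handed to the firewall in the first place.
    if dst_ip != rx.ip and dst_ip != rx.network.broadcast_address and dst_ip in rx.network:
        return False, f"{received_on}: destination {dst} is on the receiving link {rx.network}"

    return True, "ok"


# Constructed sample topology (documentation address ranges, not a real deployment).
INTERFACES = [
    Interface("ext", "198.51.100.1/24"),   # external network
    Interface("adm", "10.0.0.1/24"),       # administration network
    Interface("dmz", "192.0.2.1/24"),      # secure server network
    Interface("cross", "172.16.0.1/30"),   # cross network to the PFL
    Interface("ext6", "2001:db8:1::1/64"),
    Interface("dmz6", "2001:db8:2::1/64"),
]

# Constructed sample packets: (received_on, src, dst).
SAMPLE_PACKETS = [
    ("ext", "203.0.113.5", "192.0.2.10"),         # ordinary external client to DMZ server
    ("ext", "192.0.2.10", "10.0.0.5"),            # DMZ address arriving on the external link
    ("ext", "198.51.100.1", "192.0.2.10"),        # claims to be the firewall itself
    ("ext", "203.0.113.5", "198.51.100.7"),       # destination on the external link itself
    ("ext6", "2001:db8:2::10", "2001:db8:2::1"),  # IPv6 DMZ address on the external link
    ("ext", "2001:db8::1", "192.0.2.10"),         # address family mismatch
]


def audit_samples(interfaces=INTERFACES, packets=SAMPLE_PACKETS):
    """Run the check over the sample packets; returns the list of verdicts."""
    return [check_packet(interfaces, *pkt) for pkt in packets]


if __name__ == "__main__":
    for (rx, src, dst), (ok, reason) in zip(SAMPLE_PACKETS, audit_samples()):
        print(f"{rx:5} {src:>16} -> {dst:16} {'pass' if ok else 'DROP'}  {reason}")
```

Only the first sample packet passes; the other five are dropped with a reason naming the interface whose address range was misused. Rule 3 deliberately exempts the broadcast address, so a broadcast received on the external link is not reported as spoofed.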
The TOE provides proxy support for the following services/policies:

● IP: This policy can be used for all IP protocols (besides ICMP ECHO, UDP, or TCP, which are supported by their own proxies). It is a very generic proxy and has no knowledge about any application level protocol.
● PING: This policy is used if the ALG should transmit ICMP ECHO REQUEST and ICMP REPLY packets from one network into another.
● UDP: This policy is implemented by a generic proxy that can be used for almost any service that is based on UDP. This policy knows the following PCF: DNS, MSSQL
● TCP: This policy is implemented by a generic proxy that can be used for services based on TCP. It has no knowledge about application level protocols unless filters are configured that check for a basic protocol conformance by applying regular expressions at the beginning of the communication. It can handle TLS connections. This policy knows the following PCF: BGP_v4, DNS, Fernwartungs_App, IMAP_v4, LDAP, MSSQL, MySQL, POP3, PostgreSQL, PostgreSQL_SSL, PPTP, RDP, SMB, SSH, SSH_v2, SSL, SSL_no_v3, TeamViewer, VNC
● NNTP: This policy is implemented by an application specific proxy for the NNTP protocol. All protocol commands are analysed and can be filtered. It has an interface to an optional virus scanner.
● POP: This policy is implemented by an application specific proxy for the POP protocol. All protocol commands are analysed and can be filtered. It has an interface to an optional virus scanner.
● IMAP: This policy is implemented by an application specific proxy for the IMAP and IMAPS protocol. All protocol commands are analysed and can be filtered. It has an interface to an optional virus scanner.
● FTP: This policy is implemented by an application specific proxy for the FTP protocol. All protocol commands are analysed and can be filtered. It has an interface to an optional virus scanner.
● SIP: This policy is implemented by an application specific proxy for the SIP protocol. All protocol commands are analysed and can be filtered.
● WWWserver (Meta-Relay): This policy is implemented by an application specific proxy for the HTTP protocol. All protocol commands are analysed and can be filtered. This proxy analyses only the protocol itself, but not the application data that is transported by the HTTP protocol. It is usually used to allow access to a web server that is located in the secure server network from the other networks. It can handle TLS connections.
● WWW: This policy is implemented by an application specific proxy for the HTTP protocol and its application data. This proxy analyses the HTTP protocol headers and the application data. The content-type of the application data can be used to either filter text data like HTML or to scan binary data for viruses. It can handle TLS connections.
● Webservice (Meta-Relay): This policy is implemented by an application specific proxy for the Websocket and/or HTTP protocol and its application data. This proxy analyses the HTTP protocol headers and the application data. This relay can control SOAP services by validation against XML schema files that are uploaded onto the genugate. It can handle TLS connections.
● TELNET: This policy is implemented by an application specific proxy for the TELNET protocol. All protocol commands are analysed and can be filtered.
● SMTP: This policy is implemented by an application specific proxy for the SMTP protocol. All protocol commands are analysed and can be filtered. The mail headers and bodies can be filtered. It contains functionality to filter SPAM mail. It has an interface to an optional virus scanner. SMTP authentication can optionally be configured.
● SMTP2SMTP: This policy is implemented by an application specific proxy for the SMTP protocol. All protocol commands are analysed and can be filtered. The mail headers and bodies can be filtered. It contains functionality to filter SPAM mail. It has an interface to an optional virus scanner. The SMTP2SMTP relay does not authenticate the users itself, but relies on the responses of the remote MTA. In contrast to the SMTP relay, the SMTP2SMTP relay does not queue the mails to postfix, but directly connects to the SMTP server.
● SSH: This policy is implemented by an application specific proxy for the SSH protocol. It intercepts SSH connections, can filter selected SSH protocol messages and can authenticate users.
● MCASTUDP: This policy is implemented by a generic proxy for UDP multicast packets using IPv4. It filters IGMP packets based on the multicast group and allows or blocks multicast UDP packets according to the current group membership. The relay needs support from the igmpproxy at the PFL, which is needed to properly route the multicast UDP packets on the PFL.
● Meta-Policies: BGP, DNS, DNSServer, IMAPS, IMAPFilter, IPsec, LDAP, MSSQL, MySQL, Postgresql, PPTP, RDP, RTSP, SMB, SMTPServer, SNMPTrap, TeamViewer, Webservice (see above), VNC, and WWWserver (see above). These are combinations of different policies preconfigured for the respective service.

The policies are realised by user-space proxies, called relays. All relays are highly configurable. The preferred configuration method is through HTML forms at the administrative interface that are transported by secure https connections in the administration network.

User identification and authentication can be configured in two ways. Some relays have support for authentication in the respective protocol. These relays can authenticate their users against authentication servers. The side channel authentication allows the usage of specially configured relays after user identification at a special web form at the TOE.

The TELNET and FTP protocols are only supplied for legacy applications.
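The protocol conformance filters named for the TCP and UDP policies above work, as section 1.4.1 describes, by matching the first bytes of a connection against regular expressions and closing the connection when the match fails. The following Python is an added example for this edition, not genugate code: the page lists the PCF names but not their definitions, so the four patterns below (written from the public SSH, TLS and RFB specifications), the minimum lengths, the relay model and the sample client openings are this example's own. It also covers the edge case a real relay has to handle, a client banner that arrives in several TCP segments, by returning NEED_MORE instead of rejecting a prefix too early.

```python
"""Added example (not genugate code): a protocol conformance filter (PCF).

The Security Target says that the generic TCP/UDP relays match the protocol
data at the beginning of a connection against regular expressions and close
the connection if the match fails.  The filter definitions below are this
example's own, written from the public protocol specifications; genugate's
predefined PCF definitions are not reproduced on the page.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ConformanceFilter:
    name: str
    pattern: re.Pattern  # matched against the first bytes the client sends
    min_len: int         # bytes required before a definite verdict


# Illustrative definitions; only the names are taken from the TCP policy's PCF list.
FILTERS = {
    # RFC 4253 identification string "SSH-2.0-<software>".
    "SSH_v2": ConformanceFilter("SSH_v2", re.compile(rb"^SSH-2\.0-"), 8),
    # TLS record header: handshake (0x16), major version 3, minor 0..3.
    "SSL": ConformanceFilter("SSL", re.compile(rb"^\x16\x03[\x00-\x03]"), 3),
    # Same, but record version 3.0 (SSLv3) is not accepted.
    "SSL_no_v3": ConformanceFilter("SSL_no_v3", re.compile(rb"^\x16\x03[\x01-\x03]"), 3),
    # RFB protocol version string, e.g. "RFB 003.008\n".
    "VNC": ConformanceFilter("VNC", re.compile(rb"^RFB \d{3}\.\d{3}\n"), 12),
}


def pcf_verdict(filter_name, data):
    """Classify the bytes seen so far: ACCEPT, CLOSE or NEED_MORE.

    NEED_MORE covers a client that sends its banner in several small segments:
    a prefix such as b"SSH-" must not be rejected prematurely.
    """
    f = FILTERS[filter_name]
    if f.pattern.match(data):
        return "ACCEPT"
    if len(data) < f.min_len:
        return "NEED_MORE"
    return "CLOSE"


class RelayConnection:
    """Minimal model of a relay buffering the start of a connection for the PCF."""

    MAX_PREFIX = 4096  # never buffer unbounded data while waiting for a verdict

    def __init__(self, filter_name):
        self.filter_name = filter_name
        self.buf = b""
        self.state = "CHECKING"

    def feed(self, chunk):
        """Feed one received segment; returns the connection state afterwards."""
        if self.state != "CHECKING":
            return self.state
        self.buf += chunk
        verdict = pcf_verdict(self.filter_name, self.buf)
        if verdict == "ACCEPT":
            # Conformance established; the relay may now pass the data on.
            self.state = "PASSING"
        elif verdict == "CLOSE" or len(self.buf) > self.MAX_PREFIX:
            self.state = "CLOSED"
        return self.state


def run_samples():
    """Apply the filters to constructed client openings; returns label -> state."""
    samples = {
        "ssh2-in-two-segments": ("SSH_v2", [b"SSH-", b"2.0-OpenSSH_7.6\r\n"]),
        "ssh1-banner": ("SSH_v2", [b"SSH-1.99-OpenSSH_3.9\r\n"]),
        "http-on-ssh-port": ("SSH_v2", [b"GET / HTTP/1.1\r\n"]),
        "tls-client-hello": ("SSL_no_v3", [b"\x16\x03\x01\x00\xc8\x01"]),
        "sslv3-client-hello": ("SSL_no_v3", [b"\x16\x03\x00\x00\xc8\x01"]),
        "vnc-version": ("VNC", [b"RFB 003.008\n"]),
    }
    results = {}
    for label, (filter_name, segments) in samples.items():
        conn = RelayConnection(filter_name)
        for seg in segments:
            conn.feed(seg)
        results[label] = conn.state
    return results


if __name__ == "__main__":
    for label, state in run_samples().items():
        print(f"{label:22} {state}")
```

A PCF only inspects the opening of the connection, which is why the page can pair it with socket splicing: once the prefix has been accepted, nothing further is examined, so it should not be mistaken for the full-stream analysis of the application specific relays. The MAX_PREFIX bound keeps a client that never sends a recognisable banner from tying up relay memory indefinitely.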
It should be stressed that the protocols TELNET and FTP are not considered secure if they are employed without further security measures. They transmit the user name and password in plain text and can be sniffed with very small effort. The same concerns apply to the SMTP authentication in specific configurations. The security claims for the TOE only apply if the protocols are sufficiently secured. Unencrypted SNMP management should only be made from sufficiently secure networks, because the SNMP packets may contain sensitive information.

1.4.2 The Packet Filter

The internal network has high security needs and is therefore not directly connected to the ALG, but is connected to the PFL. The PFL has at least two network interfaces. One of them is connected to the ALG with a cross cable. This (small) network is called the cross network. The other interface connects to the internal network.

The PFL works as a packet filter with a set of filter rules. Only configured TCP connection requests from the cross network are allowed, but there is no default restriction for packets from the internal network. In order to allow connections into the internal network, extra rules have to be added by administrators.

The PFL is a minimalistic system. In the certified mode it boots from a removable USB stick and has no other permanent memory. The medium is configured and created at the ALG. Physical access is needed to write the medium at the ALG, transfer it from the ALG to the PFL, and reboot the PFL with the new configuration. The configuration of the PFL is done through the web based administration tool at the ALG.

1.4.3 High Availability (genugate cluster)

For a high availability (HA) setup, the HA option is installed on two or more genugates (peers) and they are connected by a separate HA network that is used to synchronise the configuration and negotiate the active HA nodes. If a system fails, some other system takes over its services and IP addresses. For the variant using OSPF an external OSPF router is needed in the internal network. Figure 1.2 gives an overview for two parallel systems, although more than two are possible.

The synchronisation of the configuration in the HA network uses IPsec with preshared keys to encrypt the communication.

Optionally the cross networks of the genugate peers can be united into one cross network. Then cross cables can no longer be used and switches must be incorporated. This setup avoids a full HA takeover if only a PFL fails. This network topology is obligatory for the variant using CARP.

The CARP setup can operate in two modes, failover and balancing. A certified setup can only use the failover mode. The CARP setup can also be used in a PAP configuration where an additional packet filter is placed before the ALG. The CARP PAP configuration is not part of this certification.

Figure 1.2: High availability setup. If the OSPF HA setup is used, an OSPF router is needed in the internal network. The admin and secure server networks are not shown.

Table 1: Scope of delivery for currently distributed hardware

Type | Name | Release Date | Medium
Hardware (1) | genugate S, revision 1.0 and 2.0; genugate M, revision 1.0 and 2.0; genugate L, revision 1.0 and 2.0; K130 infodas server, revision 1.0 | N/A |
Software | genugate firewall 9.0 | 21.11.2017 | Install image
Software | genugate platform 9.0 Z | 21.11.2017 | Install image
Documentation | Administrator and user guidance manual 9.0 Z | 21.11.2017 | Manual (German version)
Hardware | USB stick | N/A |

1.4.4 Physical Scope

Both ALG and PFL run on Intel compatible hardware in 64 bit mode (architecture x86_64). As the product genugate 9.0 Z is a combination of hardware and software, the hardware components are selected by genua. The end user has no need to check for compatibility. The scope of delivery can be seen in table 1.
The TOE is aocated as softeaie distiibuted as an instaaaation image. The physicaa connections aie: ● the neteoik inteifaces to the exteinaa, inteinaa, secuie seivei and administiation neteoiks ● connections foi the keyboaid, monitoi, and seiiaa inteifaces at the ALG and PFL ● poeei suppay The ALG of the haideaie vaiiant genugate S ievision 1.0 onay has one seiiaa connection. This can be used in teo eays: ● The seiiaa connection is used foi an inteiactive consoae access at the ALG. Then the PFL cannot be accessed inteiactiveay. ● The seiiaa connection is used foi the inteiactive access of the PFL fiom the ALG. The in- teiacitve access at the ALG can then be done by SSH, ehich has to be piopeiay con- fguied. 1 See section 1.3.1 foi aegacy haideaie 13 Dec 2017 13 Veision 6 genugate fieeaaa 9.0 Secuiity Taiget Figuie 1.3 gives a schematic oveiviee on the TOE and its enviionment. It divides the softeaie on ALG and PFL into usei and keinea space paits. On both systems, the usei and the keinea space contain pait of the TOE, and pait of the enviionment. The foaaoeing tabae aists the components in each pait. The components foi the paits A, B, C and D aie pait of the TOE. The components foi E, F, G, and H aie pait of the enviionment. A ALG TOE Usei space ieaays, aogging, administiation eeb seivei, usei eeb seivei, confg- uiation commands, system staitup. B ALG TOE Keinea space neteoik aayei, aogging, system caaa inteiface. C PFL TOE Usei space aogging, system staitup. D PFL TOE Keinea space neteoik aayei, aogging, system caaa inteiface. E ALG Enviionment Usei space squid, postfx, DNS seivei, ntpd, snmp seivei, CARP PAP confguia- tion, genugate options: genuauth, URL fatei, viius scannei; authen- tication methods, OS enviionment. F ALG Enviionment Keinea space piocess management, memoiy management, device diiveis, socket aayei, tty diivei, I/O system, IPC opeiation, fae systems. G PFL Enviionment Usei space igmppioxy, ospfd, ospf6d, OS enviionment. 
H PFL Enviionment Keinea space piocess management, memoiy management, device diiveis, socket aayei, tty diivei, I/O system, IPC opeiation, fae systems. 14 13 Dec 2017 Figuie 1.3: Scope and boundaiy genugate fieeaaa 9.0 Secuiity Taiget Veision 6 The diffeient paits have the foaaoeing inteifaces eith one anothei: A B System caaa inteiface A E Inteipiocess communication (via system caaa inteiface) B F Keinea inteifaces beteeen the keinea components C D System caaa inteiface C G Inteipiocess communication (via system caaa inteiface) D H Keinea inteifaces beteeen the keinea components ALG PFL seiiaa connection ALG PFL neteoik connection ALG PFL USB boot medium Depending on theii ioaes, the useis inteiact eith the pioduct in the foaaoeing eays: ● usei: Reaay usage (sending and ieceiving IP packets to and fiom the TOE) ● usei: Authentication diaaogues foi piotocoas that have authentication enabaed. ● usei: usei eeb inteiface to change passeoid ● usei: usei eeb inteiface foi the side channea authentication to activate IP addiesses ● administiatoi: administiation eeb inteiface ● administiatoi: inteiactive access at the sheaa aevea at the consoae 1.4.5 Logical Scope The TOE has the foaaoeing aogicaa scope: ● The keinea components `neteoik', `packet fatei', and `iestiicted iuntime' foi ALG and PFL. This components peifoim the spoofng checks, packet fateiing and access contioa foi in- coming data. The spoofng checks contain detecting any mismatch beteeen the souice and destination addiess of the IP packet and the IP addiess and netmask of the ieceiving intei- face. ● The ieaays foi IP, PING, UDP, TCP, TELNET, FTP, NNTP, POP, IMAP, SIP, SMTP, SMTP2S- MTP, SSH, MCASTUDP, WWW and Webseivice. These components peifoim the fateiing on appaication aevea, ACL checks, and caaas to the optionaa viius scannei (if confguiabae). The viius scanning functionaaity is not pait of the TOE. The SSH-, TELNET- and FTP-ieaay aaaoe foi usei authentication. 
For the SMTP relay the authentication is optional. The authentication methods themselves are not part of the TOE.
● The TCP and UDP relays can filter protocol conformance by applying regular expressions at the beginning of the communication. There are several predefined protocol conformance filters.
● The meta relays BGP, DNS, DNSServer, IMAPS, IMAPFilter, IPsec, LDAP, MSSQL, MySQL, Postgresql, PPTP, RDP, RTSP, SMB, SMTPServer, SNMPTrap, TeamViewer, Webservice, VNC, and WWWserver.
● System startup. This component performs the secure startup of the system and the conversion to maintenance mode.
● The logging and self-monitoring tools. These components perform the accounting and auditing functions.
● Administration web server. This component allows the configuration by administrators.
● User web server. This component allows users to change their passwords.
● Side channel web server. This component allows users to activate IP addresses through the side channel mechanism.
● The configuration for the users, network, relays, dns server, mail server, packet filter, http-proxy squid, virus scanner, audit, snmp server, and igmpproxy.
The TOE has the following logical boundaries:
● virus scanner interface: delivering the data to the virus scanner and obtaining the scanner result. The virus scanner itself is not part of the TOE.
● external authentication methods: interaction with the authentication service. The authentication methods themselves are not part of the TOE.
● configuration interface: sending forms to and receiving form data from a web browser
The TOE excludes the following options or services from its logical scope:
● the genuauth option for genugate 9.0 Z
● the URL filter option for genugate 9.0 Z
● authentication services (password, RADIUS, LDAP, S/Key, or crypto card) either local or remote
● virus scanner engines
● the HTTP proxy squid
● the mail delivery program postfix
● the dns server
● the ntpd network time protocol daemon
● the snmp server
● the igmpproxy on the PFL
● the CARP balancing HA mode
● the Custom HA mode
● the CARP PAP mode
● although some relays support encryption with TLS, this security target does not contain SFRs for the class FCS (Cryptographic Support). Therefore the cryptographic operations are not part of the TSF.
● the cryptographic operations of the SSH relay. This security target does not contain SFRs for the class FCS (Cryptographic Support). Therefore the cryptographic operations are not part of the TSF.
● the cryptographic operations of the IPsec in the HA network. This security target does not contain SFRs for the class FCS (Cryptographic Support). Therefore the cryptographic operations are not part of the TSF.
2 Conformance Claims
2.1 CC Conformance Claim
This Security Target is Part 2 extended and Part 3 conformant to the Common Criteria Version 3.1 Revision 4 (September 2012).
2.2 PP Claim, Package Claim
There are no Protection Profile claims. This Security Target claims to be conformant to the Assurance Package EAL4 augmented with ALC_FLR.2, ASE_TSS.2 and AVA_VAN.5. These components are defined in CC Part 3.
2.3 Conformance Rationale
The Security Target has no Protection Profile claim, therefore no conformance rationale has to be given. This Security Target uses extended functional component definitions (see section 5). Therefore it is Part 2 extended. It does not use extended assurance requirements.
Therefore it is Part 3 conformant.
3 Security Problem Definition
In order to clarify the nature of the security problem that the TOE is intended to solve, this section describes the following:
● Any assumptions about the security aspects of the environment and/or of the manner in which the TOE is intended to be used.
● Any known or assumed threats to the assets against which specific protection within the TOE or its environment is required.
● Any organizational security policy statements or rules with which the TOE must comply.
3.1 Users
The users are listed in table 2.
Table 2: Users
user                   Any person or software agent sending IP packets to or receiving from the TOE. The assumed attack potential is high. The general term user is used when it does not matter whether the user did authenticate at the TOE or not.
unauthenticated user   Any person or software agent sending IP packets to or receiving from the TOE that did not authenticate at the TOE. The assumed attack potential is high. This term is used for users that did not (yet) authenticate at the TOE.
authenticated user     Any person or software agent sending IP packets to or receiving from the TOE that authenticated at the TOE. The assumed attack potential is high.
administrator          These are authenticated users that have the role of an administrator. This role authorises them to change the TOE configuration. Their assumed attack potential is undefined.
auditor                These are authenticated users that have the role of an auditor. This is a restricted administrator role and authorises them to view the TOE configuration. Their assumed attack potential is undefined.
3.2 Assets
The assets are listed in table 3.
Table 3: Assets
resources in the connected networks   The resources in the connected networks that the TOE is supposed to protect.
security sensitive data on the TOE    The data on the TOE that contains security sensitive data.
3.3 Threats
The threats are listed in table 4.
Table 4: Threats
T.NOAUTH      An unauthenticated user may attempt to bypass the security functions of the TOE and gain unauthenticated access to resources in other connected networks or read, modify or destroy security sensitive data on the TOE. The attack method is exploiting authentication protocol weaknesses.
T.SPOOF       A user may attempt to send spoofed IP packets to the TOE in order to gain unauthorised access to resources in other connected networks. Without spoofing checks the TOE would route a response to the spoofed IP packet into a connected network that the user is not authorised to access.
T.MEDIAT      A user may send non-permissible data through the TOE that results in gaining access to resources in other connected networks.
T.SELPRO      A user may gain access to the TOE and read, modify or destroy security sensitive data on the TOE, by sending IP packets to the TOE and exploiting a weakness of the protocol used.
T.MISUSESSH   A user may try to open a hidden (encrypted) channel by using SSH protocol messages like port forwardings in order to gain access to resources in other connected networks.
3.4 Organisational Security Policies
The organisational security policies are listed in table 5.
Table 5: Policies
P.AUDIT    All users must be accountable for their actions.
P.AVAIL    A high availability operation must be possible where peers can take over the services of a failing system. (This policy only applies if needed.)
P.PASSWD   The files imported for password file authentication must contain good passwords.
3.5 Assumptions
The assumptions are listed in table 6.
Table 6: Assumptions
A.PHYSEC   The TOE is physically secure. Only authorised persons have physical access to the TOE and the hardware including the PFL boot stick.
A.NOEVIL        Administrators and auditors are non-hostile and follow all administrator and auditor guidance; however, they are capable of error. They use passwords that are not easily guessable.
A.ADMIN         All administration is done only in the administration network during normal operation mode. The administration network and the attached workstation from which the administrators work are physically secure.
A.SINGEN        Information can not flow among the internal, external, or secure server network, unless it passes through the TOE.
A.POLICY        The security policy of the internal network allows only the administrators access to the network components and the network configuration.
A.TIMESTMP      The environment provides reliable time stamps.
A.HANET         The environment provides a physically separate network for TSF data transfer for the optional high availability setup.
A.USER          The users use passwords that are not easily guessable and keep them secret.
A.TRUSTK        The non-TOE parts of the kernel space are trustworthy and do not interfere with the security functions of the TOE.
A.TRUSTU        The non-TOE parts of the user space are trustworthy and do not interfere with the security functions of the TOE.
A.LEGACY        The legacy protocols TELNET and FTP (and SMTP if authentication is used) are used only in sufficiently secure environments.
A.REMOTE_AUTH   The servers for external authentication (RADIUS, LDAP) are located in secure networks.
A.OSPF          The OSPF and OSPFv6 routers in the internal network are secured against attacks from the internal network.
4 Security Objectives
The purpose of the security objectives is to describe the planned response to a security problem or threat. Threats can be directed against the TOE or the security environment.
The CC identifies two categories of security objectives:
● security objectives for the TOE
● security objectives for the operating environment
4.1 Security Objectives for the TOE
The security objectives for the TOE are listed in table 7.
Table 7: Objectives
O.IDAUTH      The TOE must identify all network packets from the connected networks. It must check the IP addresses of the packet with the receiving interface to recognize IP-spoofing. It must identify all users before granting access to the security functions of the TOE. It must authenticate the users where an authentication is required.
O.MEDIAT      The TOE must mediate the flow of all data between all connected networks.
O.SECSTA      On start-up, the TOE must not compromise its resources or those of the connected networks.
O.SELPRO      The TOE must have self-protection mechanisms that hinder attempts by users to bypass, deactivate or tamper with TOE security functions.
O.AUDREC      The TOE must provide an audit trail of security-related events, and a means to present a readable and searchable view to authorised users.
O.ACCOUN      The TOE must provide user accountability for data flows through the TOE and for the use of the security functions of administrators.
O.SECFUN      The TOE must allow administrators to use the TOE security functions and must ensure that only authorised administrators have access to the functionality.
O.AVAIL       The TOE must optionally provide a fail over solution where the services of a failing system are taken over by a peer machine.
O.MISUSESSH   The TOE must prevent SSH connections to set up SSH protocol messages that are not approved.
4.2 Security Objectives for the Environment
The security objectives for the environment are listed in table 8.
Table 8: Objectives for the environment
OE.PHYSEC     Those responsible for the TOE must assure that the TOE is placed at a secured place where only authorised people have access.
OE.NOEVIL     Those responsible for the TOE must assure that all administrators and auditors are competent, regularly trained and execute the administration in a responsible way.
OE.ADMIN      Those responsible for the TOE must assure that administration is only done in the physically secured administration network during normal operation mode.
OE.SINGEN     Those responsible for the TOE must assure that the TOE is the only connection between the different networks.
OE.POLICY     Those responsible for the TOE must assure that the security policy for the internal network allows only administrators access to the network components and the network configuration. They must assure that the policy is maintained.
OE.TIMESTMP   The IT-environment must supply reliable time stamps for the TOE.
OE.RTCLOCK    The IT-environment must supply a real-time clock.
OE.HANET      The IT-environment must supply a physical network for transfer of TSF data between nodes for the optional high availability setup.
OE.USER       Those responsible for the TOE must assure that the users follow the user guidance, especially that they choose not easily guessable passwords and that they keep them secret.
OE.TRUSTK     The IT-environment must assure that the non-TOE parts of the kernel space do not interfere with the security functions of the TOE.
OE.TRUSTU     The IT-environment must assure that the non-TOE parts of the user space do not interfere with the security functions of the TOE.
OE.LEGACY     The IT-environment must provide a sufficiently secure environment for the legacy TELNET and FTP protocols (and SMTP if authentication is used).
OE.REMOTE_AUTH   The IT-environment must assure that the servers for external authentication (RADIUS, LDAP) are located in secure networks.
OE.PASSWD        The files imported for password file authentication contain good passwords.
OE.OSPF          The IT-environment must provide OSPF and OSPFv6 routers that are secured against attacks from the internal network.
4.3 Security Objectives Rationale
This chapter contains the ST security objectives rationale. It must show that the security objectives are consistent. Table 9 shows that all security objectives stated in this ST can be mapped to the stated threats, assumptions and OSP. All threats, assumptions and OSP are matched by at least one security objective.
Table 9: Threat rationale
Threat        Objective                                Security Objectives Rationale
T.NOAUTH      O.IDAUTH, O.SECSTA, O.SECFUN             The objective O.IDAUTH guarantees that all interactions with the TOE are identified. Only authenticated users can use functions that need authorisation. The objective O.SECSTA assures that the threat is also met at start up. The objective O.SECFUN guarantees that only authorised administrators can change the configuration of the TOE.
T.SPOOF       O.IDAUTH                                 The objective O.IDAUTH makes sure that the identification of the IP addresses of every received packet recognises IP spoofing attacks. The objective requires checking the IP address and netmask of the receiving interface, and the source and destination IP address of the packet. The check has to recognize IP spoofing attacks, i.e. the IP packet was not expected at that interface.
T.MEDIAT      O.MEDIAT                                 The objective O.MEDIAT (mediation of all network data) prevents that non-permissible data is sent across the TOE.
T.SELPRO      O.SELPRO, O.SECSTA, O.IDAUTH, O.SECFUN   The self protection objective O.SELPRO prevents reading, modifying or destroying security sensitive data on the TOE. The objective O.SECSTA assures that the threat is also met at start-up.
O.IDAUTH and O.SECFUN guarantee that only authorised administrators can read, modify, or destroy security sensitive data on the TOE.
T.MISUSESSH   O.MISUSESSH   The objective O.MISUSESSH prevents misuse of SSH connections.
Table 10 shows that each policy is met by at least one security objective and that all policies have been addressed.
Table 10: Policy rationale
Policy     Objective            Security Objectives Rationale
P.AUDIT    O.ACCOUN, O.AUDREC   The objective O.ACCOUN (accounting of all user interactions and all security related events) makes sure that all audit trails are written. The (possible) loss of audit data is recognised by O.AUDREC.
P.AVAIL    O.AVAIL              The objective O.AVAIL provides the optional high availability policy request.
P.PASSWD   OE.PASSWD            The objective OE.PASSWD provides the password quality needed by P.PASSWD.
Table 11 shows that all assumptions are met by objectives for the environment.
Table 11: Assumption rationale
Assumption   Objective                 Security Objectives Rationale
A.PHYSEC     OE.PHYSEC                 This objective assures that the assumption about a physically secure TOE can be made.
A.NOEVIL     OE.NOEVIL                 This objective assures that the administrators and auditors are trained and therefore that they are no threat to the TOE.
A.ADMIN      OE.ADMIN                  This objective assures that the administration only occurs in a distinct physically secured network, only used for administration during normal operation mode.
A.SINGEN     OE.SINGEN                 This objective assures that the TOE can not be bypassed and therefore assures that the assumption is met.
A.POLICY     OE.POLICY                 This objective assures that an assumption about the security policy can be made.
A.TIMESTMP   OE.TIMESTMP, OE.RTCLOCK   These objectives provide reliable time stamps.
A.HANET      OE.HANET                  This objective provides the extra network to transfer TSF data between nodes in the optional HA setup.
A.USER          OE.USER          This objective assures that the users use appropriate passwords and keep them secret.
A.TRUSTK        OE.TRUSTK        This objective assures that the non-TOE parts of the kernel space are trustworthy.
A.TRUSTU        OE.TRUSTU        This objective assures that the non-TOE parts of the user space are trustworthy.
A.LEGACY        OE.LEGACY        This objective assures that the legacy protocols are used only in sufficiently secure environments.
A.REMOTE_AUTH   OE.REMOTE_AUTH   This objective assures that the external authentication servers are located in secure networks.
A.OSPF          OE.OSPF          This objective assures that the OSPF and OSPFv6 routers are secured against attacks from the internal network.
5 Extended Components Definition
5.1 Class FAU: Security audit
5.1.1 Security audit data generation (FAU_GEN)
5.1.1.1 Family behaviour
The family has been enhanced by one component FAU_GEN.1EX. It is thought as a replacement for FAU_GEN.1 when the security functions do not support audit generation for startup and shutdown of the audit functions. This component can also be used as a replacement for the dependencies on FAU_GEN.1, because all other audit events can be specified as in FAU_GEN.1.
5.1.1.2 Component levelling
The components FAU_GEN.1 and FAU_GEN.2 are already described in CC Part 2. Only FAU_GEN.1EX is new and described in this chapter.
5.1.1.3 Management: for FAU_GEN.1EX
There are no management activities foreseen.
5.1.1.4 Audit: for FAU_GEN.1EX
There are no actions identified that should be auditable if FAU_GEN Security audit data generation is included in the PP/ST.
5.1.1.5 FAU_GEN.1EX Audit data generation
Hierarchical to: No other components.
FAU_GEN.1EX.1 The TSF shall be able to generate an audit record of the following auditable events:
a) All auditable events for the [selection: choose one of: minimum, basic, detailed, not specified] level of audit; and
b) [assignment: other specifically defined auditable events].
FAU_GEN.1EX.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [assignment: other audit relevant information].
Dependencies: FPT_STM.1 Reliable time stamps
5.2 Class FIA: Identification and authentication
5.2.1 User authentication (FIA_UAU)
5.2.1.1 Family behaviour
The family has been enhanced by one component FIA_UAU.5EX. It is thought as a replacement for FIA_UAU.5 when the proper authentication is done by an external means. This component can also be used as a replacement for the dependencies on FIA_UAU.5, because it requires the same functionality.
5.2.1.2 Component levelling
The components FIA_UAU.1, FIA_UAU.2, FIA_UAU.3, FIA_UAU.4, FIA_UAU.5, FIA_UAU.6 and FIA_UAU.7 are already described in CC Part 2. Only FIA_UAU.5EX will be described in this chapter.
5.2.1.3 Management: for FIA_UAU.5EX
The following actions could be considered for the management functions in FMT:
a) the management of authentication mechanisms;
b) the management of the rules for authentication.
5.2.1.4 Audit: for FIA_UAU.5EX
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
a) Minimal: The final decision on authentication;
b) Basic: The result of each activated mechanism together with the final decision.
5.2.1.5 FIA_UAU.5EX External authentication mechanisms
Hierarchical to: No other components.
FIA_UAU.5EX.1 The TSF shall provide [assignment: list of multiple authentication mechanisms] to support user authentication by external means.
FIA_UAU.5EX.2 The TSF shall authenticate any user's claimed identity according to the [assignment: rules describing how the multiple authentication mechanisms provide authentication].
Dependencies: No dependencies
5.3 Class FPT: Protection of the TSF
5.3.1 Simple Self Test (FPT_SST)
5.3.1.1 Family behaviour
The family defines the requirements for the self-testing of the TOE with respect to some expected correct operation. Examples are expected running processes or expected files at some location in the file system. These tests can be carried out at start-up, periodically, at the request of the authorised user, or when other conditions are met. The actions to be taken by the TOE as the result of self testing are defined in other families.
The requirements of this family are also needed to detect the corruption of TOE executable code (i.e. TOE software) and TOE data by various failures that do not necessarily stop the TOE's operation (which would be handled by other families). These checks must be performed because these failures may not necessarily be prevented. Such failures can occur either because of unforeseen failure modes or associated oversights in the design of hardware, firmware, or software, or because of malicious corruption of the TOE due to inadequate logical and/or physical protection.
5.3.1.2 Component levelling
FPT_SST.1 TOE testing, provides the ability to test the TOE's correct operation. These tests may be performed at start-up, periodically, at the request of the authorised user, or when other conditions are met. It also provides the ability to verify the integrity of TOE data and executable code.
5.3.1.3 Management: for FPT_SST.1
The following actions could be considered for the management functions in FMT:
a) management of the conditions under which TOE self testing occurs, such as during initial start-up, regular interval, or under specified conditions;
b) management of the time interval if appropriate.
5.3.1.4 Audit: for FPT_SST.1
The following actions should be audited if FAU_GEN Security audit data generation is included in the PP/ST:
a) Basic: Execution of the TOE self tests and the results of the tests.
5.3.1.5 FPT_SST.1 TOE testing
Hierarchical to: No other components.
FPT_SST.1.1 The TSF shall run a suite of self tests [selection: during initial start-up, periodically during normal operation, at the request of the authorised user, at the conditions [assignment: conditions under which self test should occur]] to perform the following checks: [assignment: list of self tests]
FPT_SST.1.2 The TSF shall provide authorised users with the capability to query the results of the following checks: [assignment: list of self tests]
Dependencies: No dependencies
6 Security Requirements
This section contains the security functional requirements, the security assurance requirements, and the rationale.
6.1 Security Functional Requirements
All of the security functional requirements in subsection have been drawn from the CC Part 2. The functional requirements in the subsection (FPT_SST, FAU_GEN.1EX and FIA_UAU.5EX) are not drawn from CC Part 2. The SFRs are listed in this chapter.
In the following, the unmodified text from the functional requirement templates is displayed in a sans serif font. The operation assignment is set in a bold italic serif font. The operations selection and refinement are set in an italic serif font. The iterations are done by repeating the requirements and adding a colon and a sequence number. In a few occasions, the text has been modified slightly.
The replacement text is placed directly after the crossed-out original text, and is set in an italic serif font.
6.1.1 Class FAU: Security audit
6.1.1.1 Security audit automatic response (FAU_ARP)
FAU_ARP.1 Security alarms
FAU_ARP.1.1 The TSF shall take configurable actions (log, digest, wall, exec, mail, down, halt) upon detection of a potential security violation.
6.1.1.2 Security audit data generation (FAU_GEN)
FAU_GEN.1EX Audit data generation
FAU_GEN.1EX.1 The TSF shall be able to generate an audit record of the following auditable events:
a) All auditable events for the not specified level of audit; and
b) Starting and stopping of the system, changing operation modes, relay configuration, loading of packet filter rules, relay usage, administration, authentication.
FAU_GEN.1EX.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, unspecified log data.
6.1.1.3 Security audit analysis (FAU_SAA)
FAU_SAA.1 Potential violation analysis
FAU_SAA.1.1 The TSF shall be able to apply a set of rules in monitoring the audited events and based upon these rules indicate a potential violation of the enforcement of the SFRs.
FAU_SAA.1.2 The TSF shall enforce the following rules for monitoring audited events:
a) Accumulation or combination of configurable events (packet filter violations, selected messages of daemons, selected messages of the relays, ARP spoofing messages, time synchronization errors, usage of duplicate IP addresses, selected kernel messages and messages from the processes that implement the self-tests) known to indicate a potential security violation;
b) none.
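The accumulation rule of FAU_SAA.1.2 combined with the configurable actions of FAU_ARP.1.1, as an added example that is not genugate code: a small rule engine counts configurable event classes in syslog-like audit lines and raises an alarm carrying the configured action once a threshold is reached inside a time window. The line format, message texts, rule names, thresholds and actions are constructed for illustration and do not reflect genugate's real log formats or configuration.

```python
"""Potential violation analysis in the sense of FAU_SAA.1 with the actions of
FAU_ARP.1: accumulate configurable event classes and alarm at a threshold.

Added example, not genugate code. Log format, message texts, rule names and
thresholds are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Deque, Dict, List

# The configurable actions FAU_ARP.1.1 names for genugate.
ALLOWED_ACTIONS = {"log", "digest", "wall", "exec", "mail", "down", "halt"}


@dataclass(frozen=True)
class Rule:
    name: str            # event class from FAU_SAA.1.2 a)
    pattern: str         # regex matched against the log message
    threshold: int       # matches within `window` that indicate a violation
    window: timedelta    # accumulation window
    action: str          # FAU_ARP.1 action taken when the rule fires

    def __post_init__(self):
        if self.action not in ALLOWED_ACTIONS:
            raise ValueError(f"unknown FAU_ARP action {self.action!r}")
        if self.threshold < 1:
            raise ValueError("threshold must be at least 1")


@dataclass
class Alarm:
    rule: str
    action: str
    at: datetime
    evidence: List[str] = field(default_factory=list)   # lines that accumulated


# Constructed line format: "<ISO time> <host> <process>: <message>"
LINE_RE = re.compile(r"^(\S+) (\S+) ([^:\s]+): (.*)$")


def parse_line(line: str):
    """Return (timestamp, host, process, message) or None for an unparsable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, msg = m.groups()
    return datetime.fromisoformat(ts), host, proc, msg


class ViolationAnalyser:
    def __init__(self, rules: List[Rule]):
        self.rules = [(r, re.compile(r.pattern)) for r in rules]
        # per rule: (timestamp, line) of matches still inside the window
        self._hits: Dict[str, Deque] = defaultdict(deque)

    def feed(self, line: str) -> List[Alarm]:
        """Feed one audit line; return the alarms it triggers (usually none)."""
        parsed = parse_line(line)
        if parsed is None:
            return []        # unparsable lines are ignored, not counted as events
        ts, _host, _proc, msg = parsed
        alarms = []
        for rule, rx in self.rules:
            if not rx.search(msg):
                continue
            hits = self._hits[rule.name]
            hits.append((ts, line))
            while hits and ts - hits[0][0] > rule.window:
                hits.popleft()   # drop matches that fell out of the window
            if len(hits) >= rule.threshold:
                alarms.append(Alarm(rule.name, rule.action, ts,
                                    [text for _, text in hits]))
                hits.clear()     # start a fresh accumulation after alarming
        return alarms

    def run(self, lines) -> List[Alarm]:
        return [a for line in lines for a in self.feed(line)]


# Constructed rule set covering some of the FAU_SAA.1.2 a) event classes.
RULES = [
    Rule("packet_filter_violation", r"^block in", 3, timedelta(seconds=60), "mail"),
    Rule("time_sync_error", r"clock is now unsynced", 1, timedelta(seconds=1), "log"),
    Rule("arp_spoofing", r"attempts to modify permanent entry", 1,
         timedelta(seconds=1), "wall"),
    Rule("self_test_failure", r"FAILED$", 1, timedelta(seconds=1), "halt"),
]

# Constructed sample audit lines (not real genugate output).
LOG_LINES = [
    "2017-12-13T10:00:00 alg pf: block in on em0 from 10.0.0.5 to 192.0.2.7",
    "2017-12-13T10:00:05 alg pf: block in on em0 from 10.0.0.5 to 192.0.2.8",
    "2017-12-13T10:00:09 alg ntpd: clock is now unsynced",
    "2017-12-13T10:00:20 alg pf: block in on em0 from 10.0.0.5 to 192.0.2.9",
    "this line is not in the expected format",
    "2017-12-13T10:02:00 alg kernel: arp: 02:00:00:00:00:01 attempts to modify permanent entry for 192.0.2.1 on em1",
    "2017-12-13T10:03:00 alg selftest: check of expected running processes FAILED",
]


def analyse(lines=LOG_LINES) -> List[Alarm]:
    return ViolationAnalyser(RULES).run(lines)


if __name__ == "__main__":
    for alarm in analyse():
        print(f"{alarm.at.isoformat()} {alarm.rule}: action={alarm.action} "
              f"({len(alarm.evidence)} events)")
```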
6.1.1.4 Security audit review (FAU_SAR)
FAU_SAR.1 Audit review
FAU_SAR.1.1 The TSF shall provide administrators and auditors with the capability to read all audit information from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.
FAU_SAR.2 Restricted audit review
FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.
FAU_SAR.3 Selectable audit review
FAU_SAR.3.1 The TSF shall provide the ability to apply searches of audit data based on time, date, process id, additional log data (for relay audit data: relay type, connection state, IP addresses and ports, status of logged event, bytes transferred).
6.1.1.5 Security audit event storage (FAU_STG)
FAU_STG.1:1 Protected audit trail storage
FAU_STG.1.1:1 The TSF shall protect the stored automatically rotated audit records in the audit trail from unauthorised deletion.
FAU_STG.1.2:1 The TSF shall be able to prevent unauthorised modifications to the automatically rotated audit records in the audit trail.
Application note: Automatically rotated audit records are rotated on a regular basis.
FAU_STG.1:2 Protected audit trail storage
FAU_STG.1.1:2 The TSF shall protect the stored flagged audit records in the audit trail from unauthorised deletion.
FAU_STG.1.2:2 The TSF shall be able to prevent unauthorised modifications to the flagged audit records in the audit trail.
Application note: Flagged audit records are rotated with the acknowledgement of the administrator during maintenance mode.
FAU_STG.4:1 Prevention of audit data loss
FAU_STG.4.1:1 The TSF shall prevent audited events, except those taken by the authorised user with special rights and execute a configurable action (default: inform the administrators) if the application level audit trail is full.
Application note: This SFR applies if the audit trail is flooded with messages so that the storage fails even with log file rotation.
FAU_STG.4:2 Prevention of audit data loss
FAU_STG.4.1:2 The TSF shall prevent audited events, except those taken by the authorised user with special rights and execute a configurable action (default: generate a process master event) if the kernel audit trail is full.
Application note: The process master actions range from ignoring the event to halting the system.
Application note: The kernel also generates a process master event if a configurable audit trail threshold is reached, so that the administrator can take preventive measures.
6.1.2 Class FDP: User data protection
6.1.2.1 Information flow control policy (FDP_IFC)
FDP_IFC.1:1 Subset information flow control
FDP_IFC.1.1:1 The TSF shall enforce the unauthenticated user SFP on
a) subjects: users that send and receive information through the TOE to one another;
b) information: traffic sent through the TOE from one subject to another;
c) operation: pass information.
FDP_IFC.1:2 Subset information flow control
FDP_IFC.1.1:2 The TSF shall enforce the authenticated user SFP on
a) subjects: users that send and receive FTP, TELNET, SMTP or SSH information through the TOE to one another, only after the user initiating the information flow has authenticated at the TOE through the FTP, TELNET, SMTP, or SSH authentication mechanism;
b) information: FTP, TELNET, SMTP, or SSH traffic sent through the TOE from one subject to another;
c) operation: pass information.
Application note: This IFC only applies if the authentication method has been activated for the respective protocol.
Application note: The HTTP-, IMAP-, POP-, SIP-, and SMTP2SMTP-relay do not allow authentication at the TOE even if the respective protocols support authentication.
FDP_IFC.1:3 Subset information flow control
FDP_IFC.1.1:3 The TSF shall enforce the identified side channel user SFP on
a) subjects: users that send and receive information through the TOE to one another, only after identifying the user by IP address;
b) information: traffic sent through the TOE from one subject to another;
c) operation: pass information.
FDP_IFC.1:4 Subset information flow control
FDP_IFC.1.1:4 The TSF shall enforce the authenticated gui user SFP on
a) subjects: users that send and receive information to/from the TOE;
b) information: html form data for side channel authentication and user password changes;
c) operation: pass information.
FDP_IFC.1:5 Subset information flow control
FDP_IFC.1.1:5 The TSF shall enforce the authenticated administrator SFP on
a) subjects: administrators from the administration network that send and receive information to/from the TOE;
b) information: html form data for administration;
c) operation: pass information.
Application Note: All SFRs in this section have been refined by using (external) users instead of (internal) subjects for item a).
6.1.2.2 Information flow control functions (FDP_IFF)
FDP_IFF.1:1 Simple security attributes
FDP_IFF.1.1:1 The TSF shall enforce the unauthenticated user SFP based on the following types of subject and information security attributes:
The header information of network packets, depending on their type:
a) TCP: IP and TCP header;
b) UDP: IP and UDP header;
c) ICMP: IP header and ICMP message;
d) IGMP: IP header and IGMP message;
e) IP: IP header;
The actual date and time.
The incoming and outgoing interfaces.
Additional information depending on the handling relay:
a) IP-relay: none;
b) PING-relay: none;
c) UDP-relay: if the protocol conformance filter is active: protocol and/or application data;
d) TCP-relay: if the protocol conformance filter is active: protocol and/or application data;
e) NNTP-relay: protocol and application data;
f) POP-relay: protocol and application data;
g) SMTP-relay: protocol and application data;
h) FTP-relay: protocol data;
i) TELNET-relay: protocol data;
j) WWWserver-relay: protocol and application data;
k) WWW-relay: protocol and application data;
l) SNMPtrap-relay: protocol data;
m) SMTP2SMTP-relay: protocol and application data;
n) SSH-relay: protocol data;
o) MCASTUDP-relay: IGMP and multicast UDP packets;
p) SIP-relay: protocol and application data;
q) IMAP-relay: protocol and application data;
r) Webservice-relay: protocol and application data.
FDP_IFF.1.2:1 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold:
IP spoofing check pass.
IP option check pass.
The 'connection' is configured:
a) PING-relay: source and destination IP address are allowed;
b) IP-relay: source and destination IP address and protocol are allowed;
c) UDP-relay: source and destination IP address and port are allowed;
d) TCP-relay: source and destination IP address and port are allowed;
e) MCASTUDP-relay: packets of the respective multicast group are allowed;
f) all other relays: source and destination IP address and port are allowed.
The ALG packet filter rules pass.
All ACL checks for the respective relay pass.
For packets that have a source or destination address from the internal network: The PFL packet filter rules pass.
FDP_IFF.1.3:1 The TSF shall enforce the none.
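The permit rules of FDP_IFF.1.2:1, together with the spoofing check described in the logical scope (section 1.4.5) and in the T.SPOOF rationale, as an added example that is not genugate code: the rules are evaluated in the order the SFR lists them, and the first failing rule names the reason for the denial. The interfaces, connections, filter rules, blocked-address list and packets are constructed; the spoofing check is an assumed simplification (source in the receiving interface's network, destination outside it), and the real packet filter and ACL syntax is not modelled.

```python
"""Permit decision of the unauthenticated user SFP in the order FDP_IFF.1.2:1
lists its rules: IP spoofing check, IP option check, configured 'connection',
ALG packet filter, relay ACL checks, PFL packet filter for internal addresses.
Added example, not genugate code: interfaces, connections, filter rules and
packets are constructed; the real packet filter and ACL syntax is not modelled.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import Callable, Dict, List, Optional, Tuple

@dataclass(frozen=True)
class Interface:
    name: str
    network: IPv4Network       # interface IP address and netmask

@dataclass(frozen=True)
class Packet:
    iface_in: str              # receiving interface
    src: IPv4Address
    dst: IPv4Address
    proto: str                 # tcp / udp / icmp / ...
    dport: Optional[int] = None
    ip_options: bool = False   # packet carries IP options

@dataclass(frozen=True)
class Connection:
    """One configured 'connection' of a relay (the 'connection is configured' rule)."""
    relay: str                 # PING, IP, UDP, TCP, ...
    src: IPv4Network
    dst: IPv4Network
    proto: Optional[str] = None        # IP-relay: allowed protocol
    dport: Optional[int] = None        # port-based relays: allowed port
    acl: Callable[[Packet], bool] = lambda pkt: True   # relay-specific ACL

def spoof_check(pkt: Packet, ifaces: Dict[str, Interface]) -> bool:
    """Assumed simplification of the spoofing check: a packet is expected at an
    interface only if its source lies in the interface's network (address and
    netmask) and its destination does not."""
    net = ifaces[pkt.iface_in].network
    return pkt.src in net and pkt.dst not in net

def connection_matches(conn: Connection, pkt: Packet) -> bool:
    if pkt.src not in conn.src or pkt.dst not in conn.dst:
        return False
    if conn.relay == "PING":
        return pkt.proto == "icmp"
    if conn.relay == "IP":
        return pkt.proto == conn.proto
    return pkt.dport == conn.dport     # UDP-, TCP- and all other port-based relays

def decide(pkt: Packet, ifaces: Dict[str, Interface], connections: List[Connection],
           alg_filter: Callable[[Packet], bool], pfl_filter: Callable[[Packet], bool],
           internal: IPv4Network) -> Tuple[bool, str]:
    """Evaluate the rules in order; the first failing rule names the reason."""
    if not spoof_check(pkt, ifaces):
        return False, "IP spoofing check"
    if pkt.ip_options:
        return False, "IP option check"
    conn = next((c for c in connections if connection_matches(c, pkt)), None)
    if conn is None:
        return False, "no connection configured"
    if not alg_filter(pkt):
        return False, "ALG packet filter"
    if not conn.acl(pkt):
        return False, f"{conn.relay}-relay ACL"
    if (pkt.src in internal or pkt.dst in internal) and not pfl_filter(pkt):
        return False, "PFL packet filter"
    return True, f"{conn.relay}-relay"

# Constructed sample configuration.
INTERNAL = ip_network("10.1.0.0/16")
IFACES = {
    "em0": Interface("em0", ip_network("198.51.100.0/24")),   # external
    "em1": Interface("em1", INTERNAL),                         # internal
}
BLOCKED = {ip_address("198.51.100.66")}      # administrator's blocked IP list
CONNECTIONS = [
    Connection("TCP", ip_network("198.51.100.0/24"), ip_network("10.1.5.10/32"),
               dport=443, acl=lambda pkt: pkt.src not in BLOCKED),
    Connection("TCP", ip_network("198.51.100.0/24"), ip_network("10.1.5.10/32"),
               dport=23),                    # configured, but see alg_filter
    Connection("PING", INTERNAL, ip_network("0.0.0.0/0")),
]
alg_filter = lambda pkt: pkt.dport != 23                               # ALG rule: no TELNET
pfl_filter = lambda pkt: pkt.dst not in ip_network("203.0.113.0/24")  # PFL rule

def check(iface: str, src: str, dst: str, proto: str,
          dport: Optional[int] = None, ip_options: bool = False) -> Tuple[bool, str]:
    pkt = Packet(iface, ip_address(src), ip_address(dst), proto, dport, ip_options)
    return decide(pkt, IFACES, CONNECTIONS, alg_filter, pfl_filter, INTERNAL)

if __name__ == "__main__":
    for args in [("em0", "198.51.100.20", "10.1.5.10", "tcp", 443),
                 ("em0", "10.1.0.7", "10.1.5.10", "tcp", 443),
                 ("em1", "10.1.3.4", "203.0.113.5", "icmp")]:
        print(args, "->", check(*args))
```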
FDP_IFF.1.4:1 The TSF shall explicitly authorise an information flow based on the following rules: none.
FDP_IFF.1.5:1 The TSF shall explicitly deny an information flow based on the following rules:
The protocol data is filtered:
NNTP-relay: configurable protocol elements from the client are discarded.
POP-relay: configurable protocol elements from the client are discarded.
SMTP-relay: configured checks for mail sender and recipient, greylisting and mail relay lead to the rejection of mail.
FTP-relay: configurable protocol elements from the client are discarded.
TELNET-relay: none.
WWWserver-relay: the request URIs are blocked if they contain a configurable string pattern. The application data is filtered.
WWW-relay: configurable protocol elements from the client or server are discarded; configurable cookies are filtered.
The application data is filtered:
NNTP-relay: application data of content-type text/html can be filtered for active contents, if configured. A virus scanner can check the application data. MIME-encoded messages are (recursively) parsed and their parts are checked like non-encoded messages.
POP-relay: application data of content-type text/html can be filtered for active contents, if configured. A virus scanner can check the application data. MIME-encoded messages are (recursively) parsed and their parts are checked like non-encoded messages.
SMTP-relay: e-mail contents of content-type text/html can be filtered for active contents, if configured. A virus scanner can check the application data. MIME-encoded e-mails are (recursively) parsed and their parts are checked like non-encoded e-mails.
WWW-relay: server replies of content-type text/html can be filtered for active contents, if configured. A virus scanner can check the application data. MIME-encoded replies are (recursively) parsed and their parts are checked like non-encoded contents.
SNMPtrap-relay: only a subset of SNMP protocol data is allowed, and only in one direction.
SMTP2SMTP-relay: e-mail contents of content-type text/html can be filtered for active contents, if configured. A virus scanner can check the application data. MIME-encoded e-mails are (recursively) parsed and their parts are checked like non-encoded e-mails.
SSH-relay: a subset of SSH protocol messages can be filtered out of the connection.
SIP-relay: the tests for the configured internal and external domains and RTP port ranges fail. The ACL and request method checks fail.
IMAP-relay: the ACL and request method checks fail. A virus scanner can check the application data.
Webservice-relay: the ACL and protocol (HTTP/Websockets) checks fail. The XML validation of the application data fails.
All relays: an authenticated administrator can explicitly terminate an existing connection.
All relays: an authenticated administrator can add IP addresses to a list of blocked IP addresses.

FDP_IFF.1:2 Simple security attributes
FDP_IFF.1.1:2 The TSF shall enforce the authenticated user SFP based on the following types of subject and information security attributes:
The header information of network packets, depending on their type:
a) TCP: IP and TCP header.
The actual date and time.
The interfaces from which the packets are received and to which they are delivered.
Additional information depending on the configurable handling relay:
a) FTP-relay: protocol data;
b) TELNET-relay: protocol data;
c) SMTP-relay: protocol data;
d) SSH-relay: protocol data.
FDP_IFF.1.2:2 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold:
IP spoofing check pass.
IP option check pass.
The 'connection' is configured: source and destination IP and port are allowed.
The ALG packet filter rules pass.
All ACL checks for the relay pass.
The user can be authenticated by the authentication data.
For packets that have a source or destination address from the internal network: the PFL packet filter rules pass.
FDP_IFF.1.3:2 The TSF shall enforce the none.
FDP_IFF.1.4:2 The TSF shall explicitly authorise an information flow based on the following rules: none.
FDP_IFF.1.5:2 The TSF shall explicitly deny an information flow based on the following rules:
The protocol data is filtered:
FTP-relay: configurable protocol elements from the client are discarded.
TELNET-relay: none;
SMTP-relay: none;
SSH-relay: none.

FDP_IFF.1:3 Simple security attributes
FDP_IFF.1.1:3 The TSF shall enforce the identified side channel user SFP based on the following types of subject and information security attributes:
The header information of network packets, depending on their type:
a) TCP: IP and TCP header.
The actual date and time.
The interfaces from which the packets are received and to which they are delivered.
FDP_IFF.1.2:3 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold:
IP spoofing check pass.
IP option check pass.
The 'connection' is configured: TCP-relay: source and destination IP and port are allowed.
The ALG packet filter rules pass.
All ACL checks for the respective relay pass.
For packets that have a source or destination address from the internal network: the PFL packet filter rules pass.
The sender IP has been registered as a side channel IP address by an authenticated side channel user.
FDP_IFF.1.3:3 The TSF shall enforce the none.
FDP_IFF.1.4:3 The TSF shall explicitly authorise an information flow based on the following rules: none.
FDP_IFF.1.5:3 The TSF shall explicitly deny an information flow based on the following rules:
timeout: no data is transported on this connection for a configurable time (default 10 minutes).

FDP_IFF.1:4 Simple security attributes
FDP_IFF.1.1:4 The TSF shall enforce the authenticated gui user SFP based on the following types of subject and information security attributes:
The header information of network packets, depending on their type:
a) TCP: IP and TCP header.
The actual date and time.
The interfaces from which the packets are received and to which they are delivered.
The authentication data (cookie).
FDP_IFF.1.2:4 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold:
IP spoofing check pass.
IP option check pass.
The 'connection' is configured: TCP-relay: source and destination IP and port are allowed.
The ALG packet filter rules pass.
All ACL checks for the respective relay pass.
For packets that have a source or destination address from the internal network: the PFL packet filter rules pass.
The authentication data (cookie) is accepted as valid.
FDP_IFF.1.3:4 The TSF shall enforce the none.
FDP_IFF.1.4:4 The TSF shall explicitly authorise an information flow based on the following rules: none.
FDP_IFF.1.5:4 The TSF shall explicitly deny an information flow based on the following rules:
timeout: no data is transported on this connection for a configurable time (default 10 minutes).

FDP_IFF.1:5 Simple security attributes
FDP_IFF.1.1:5 The TSF shall enforce the authenticated administrator SFP based on the following types of subject and information security attributes:
The header information of network packets, depending on their type:
a) TCP: IP and TCP header.
The actual date and time.
The interfaces from which the packets are received and to which they are delivered.
The authentication data (cookie).
FDP_IFF.1.2:5 The TSF shall permit an information flow between a controlled subject and controlled information via a controlled operation if the following rules hold:
IP spoofing check pass.
IP option check pass.
The 'connection' is configured: TCP-relay: source and destination IP and port are allowed.
The ALG packet filter rules pass.
All ACL checks for the respective relay pass.
For packets that have a source or destination address from the internal network: the PFL packet filter rules pass.
The request comes from the administration network.
The authentication data (cookie) is accepted as valid.
FDP_IFF.1.3:5 The TSF shall enforce the none.
FDP_IFF.1.4:5 The TSF shall explicitly authorise an information flow based on the following rules: none.
FDP_IFF.1.5:5 The TSF shall explicitly deny an information flow based on the following rules:
timeout: no data is transported on this connection for a configurable time (default 10 minutes).

6.1.3 Class FIA: Identification and authentication

6.1.3.1 Authentication failures (FIA_AFL)
FIA_AFL.1 Authentication failure handling
FIA_AFL.1.1 The TSF shall detect when an administrator configurable positive integer within 1 to infinite (default 5) unsuccessful authentication attempts occur related to authentication for administration, FTP, TELNET, side channel, SMTP, and SSH authentication.
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been surpassed, the TSF shall prevent the offending user from successfully authenticating until an authorised administrator takes some action to make authentication possible for the user in question.
Application note: This SFR only applies if the authentication method has been activated for FTP, TELNET, SMTP, or SSH.
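The permit rules of FDP_IFF.1.2:1 to FDP_IFF.1.2:5 above share one chain of checks (spoofing, IP options, configured connection, ALG rules, ACLs, PFL rules for internal traffic) and differ only in the rule appended at the end. The following Python model is an added example, not genugate's code: it evaluates that chain in order with first-fail-denies semantics. The interface prefixes, the meaning given to the spoofing and option checks, the ALG/ACL/PFL callbacks and the demo configuration are assumptions, and the MCASTUDP group rule is not modelled.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Callable, Dict, List, Set, Tuple

# Constructed topology (assumption): the address prefix expected behind each interface.
IFACE_NETS = {
    "ext0": ip_network("203.0.113.0/24"),    # external side
    "int0": ip_network("10.0.0.0/8"),        # internal network, PFL rules apply here
    "adm0": ip_network("192.168.100.0/24"),  # administration network
}
INTERNAL_NET, ADMIN_NET = IFACE_NETS["int0"], IFACE_NETS["adm0"]

@dataclass
class Packet:
    src: str
    dst: str
    proto: str          # "TCP", "UDP", "ICMP", "IP", ...
    dport: int
    in_if: str          # interface the packet arrived on
    ip_options: bool = False

@dataclass
class Context:
    """Per-connection facts the SFPs consult beyond the packet itself."""
    relay: str                                   # "TCP-relay", "PING-relay", "IP-relay", ...
    allowed: Set[tuple]                          # the configured 'connections'
    alg_rules: Callable[[Packet], bool]          # verdict of the ALG packet filter
    acl: Callable[[Packet], bool]                # verdict of the relay's ACL checks
    pfl_rules: Callable[[Packet], bool]          # verdict of the PFL packet filter
    authenticated: bool = False                  # FDP_IFF.1.2:2
    side_channel_ips: Set[str] = field(default_factory=set)  # FDP_IFF.1.2:3
    cookie_valid: bool = False                   # FDP_IFF.1.2:4 and FDP_IFF.1.2:5

Check = Tuple[str, Callable[[Packet, Context], bool]]

def spoof_check(p: Packet, c: Context) -> bool:
    # Assumed meaning: the source address must lie in the ingress interface's prefix.
    return ip_address(p.src) in IFACE_NETS[p.in_if]

def option_check(p: Packet, c: Context) -> bool:
    # Assumed meaning: packets carrying IP options do not pass.
    return not p.ip_options

def connection_configured(p: Packet, c: Context) -> bool:
    # FDP_IFF.1.2:1: what identifies a configured connection depends on the relay type.
    if c.relay == "PING-relay":
        key = (p.src, p.dst)
    elif c.relay == "IP-relay":
        key = (p.src, p.dst, p.proto)
    else:  # UDP-, TCP- and all other relays (MCASTUDP groups are not modelled)
        key = (p.src, p.dst, p.dport)
    return key in c.allowed

def pfl_check(p: Packet, c: Context) -> bool:
    # PFL rules are consulted only for traffic with an internal source or destination.
    internal = ip_address(p.src) in INTERNAL_NET or ip_address(p.dst) in INTERNAL_NET
    return c.pfl_rules(p) if internal else True

COMMON: List[Check] = [
    ("IP spoofing check", spoof_check),
    ("IP option check", option_check),
    ("connection configured", connection_configured),
    ("ALG packet filter rules", lambda p, c: c.alg_rules(p)),
    ("ACL checks", lambda p, c: c.acl(p)),
    ("PFL packet filter rules", pfl_check),
]

# The rule each SFP appends to the common chain (FDP_IFF.1.2:2 to FDP_IFF.1.2:5).
SFP_EXTRA: Dict[str, List[Check]] = {
    "unauthenticated user": [],
    "authenticated user": [("user authenticated", lambda p, c: c.authenticated)],
    "identified side channel user": [
        ("sender registered as side channel IP", lambda p, c: p.src in c.side_channel_ips)],
    "authenticated gui user": [("cookie valid", lambda p, c: c.cookie_valid)],
    "authenticated administrator": [
        ("request from administration network", lambda p, c: ip_address(p.src) in ADMIN_NET),
        ("cookie valid", lambda p, c: c.cookie_valid)],
}

def decide(sfp: str, p: Packet, c: Context) -> Tuple[bool, str]:
    """Evaluate the chain in order; the first rule that does not hold denies the flow."""
    for name, rule in COMMON + SFP_EXTRA[sfp]:
        if not rule(p, c):
            return False, name
    return True, "all rules hold"

def demo_context(**facts) -> Context:
    # Constructed configuration: the admin GUI at 192.168.100.1:443, reachable from two sources.
    return Context(relay="TCP-relay",
                   allowed={("192.168.100.10", "192.168.100.1", 443),
                            ("203.0.113.5", "192.168.100.1", 443)},
                   alg_rules=lambda p: True, acl=lambda p: True, pfl_rules=lambda p: True, **facts)

def admin_request(src: str, in_if: str, cookie_valid: bool) -> Tuple[bool, str]:
    # A request to the admin GUI; a valid cookie alone is not enough under FDP_IFF.1.2:5.
    p = Packet(src, "192.168.100.1", "TCP", 443, in_if)
    return decide("authenticated administrator", p, demo_context(cookie_valid=cookie_valid))
```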
6.1.3.2 User attribute definition (FIA_ATD)
FIA_ATD.1 User attribute definition
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to individual users:
a) administrative role (or none);
b) user password.

6.1.3.3 Specification of secrets (FIA_SOS)
FIA_SOS.1 Verification of secrets
FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet the following metric: the user name is not part of the password; the minimal password length is 8 characters; it does not consist exclusively of lower- or upper-case letters.
Application note: This SFR does not apply to the password file authentication, because the file is imported from the outside. This SFR does not apply to authentication at an external RADIUS or LDAP server, because the passwords are configured at the external servers.

6.1.3.4 User authentication (FIA_UAU)
FIA_UAU.2 User authentication before any action
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that user.
FIA_UAU.5EX External authentication mechanisms
FIA_UAU.5EX.1 The TSF shall provide password, RADIUS, LDAP, S/Key, password file, and crypto card mechanisms to support user authentication by external means.
FIA_UAU.5EX.2 The TSF shall authenticate any user's claimed identity according to the following list:
a) administrator authentication: password or LDAP;
b) user side channel authentication: password, RADIUS, LDAP, S/Key, or crypto card (as configured by the administrator);
c) user authentication (FTP and TELNET): password, RADIUS, LDAP, S/Key, password file, or crypto card (as configured by the administrator);
d) user authentication (SMTP, SSH): password, RADIUS, LDAP, or password file (as configured by the administrator).
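FIA_SOS.1 and FIA_AFL.1 above amount to two small pieces of logic: a metric applied when a password is set, and a per-user failure counter that locks the account once the configured limit is surpassed and that only an administrator clears. The following Python implementation is an added example, not genugate's code. The case-insensitive user-name test, the reading of the third metric rule as "not only letters of a single case", the PBKDF2 storage, and locking on the (limit + 1)-th failure are assumptions made here.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, List, Tuple

MIN_LENGTH = 8             # FIA_SOS.1: minimal password length
DEFAULT_MAX_FAILURES = 5   # FIA_AFL.1: administrator configurable positive integer, default 5


def password_violations(user: str, password: str) -> List[str]:
    """FIA_SOS.1 metric: returns the rules the candidate violates; empty means acceptable."""
    problems = []
    # Assumption: "the user name is part of the password" is tested case-insensitively.
    if user and user.lower() in password.lower():
        problems.append("user name is part of the password")
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    # Assumption: the third rule rejects passwords made only of letters of a single case.
    if password.isalpha() and (password.islower() or password.isupper()):
        problems.append("consists exclusively of lower- or upper-case letters")
    return problems


def hash_password(password: str, salt: bytes = None) -> Tuple[bytes, bytes]:
    # PBKDF2 storage is this example's choice, not a statement about the TOE.
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    failures: int = 0      # consecutive unsuccessful attempts
    locked: bool = False   # set once the limit is surpassed, cleared only by an administrator


class Authenticator:
    """Password authentication with FIA_SOS.1 enforced when a password is set and
    FIA_AFL.1 failure handling applied to every attempt."""

    def __init__(self, max_failures: int = DEFAULT_MAX_FAILURES):
        if max_failures < 1:
            raise ValueError("the limit must be a positive integer")
        self.max_failures = max_failures
        self.accounts: Dict[str, Account] = {}

    def set_password(self, name: str, password: str) -> List[str]:
        """Store the password only if it meets the metric; returns the violations found."""
        problems = password_violations(name, password)
        if not problems:
            salt, digest = hash_password(password)
            old = self.accounts.get(name)
            self.accounts[name] = Account(name, salt, digest,
                                          old.failures if old else 0,
                                          old.locked if old else False)
        return problems

    def authenticate(self, name: str, password: str) -> bool:
        acct = self.accounts.get(name)
        if acct is None or acct.locked:
            return False   # a locked account is refused even with the correct password
        _, digest = hash_password(password, acct.salt)
        if hmac.compare_digest(digest, acct.digest):
            acct.failures = 0
            return True
        acct.failures += 1
        # "surpassed" in FIA_AFL.1.2: the (limit + 1)-th consecutive failure locks the account.
        if acct.failures > self.max_failures:
            acct.locked = True
        return False

    def admin_unlock(self, name: str) -> None:
        """The administrator action FIA_AFL.1.2 requires before the user may authenticate again."""
        acct = self.accounts[name]
        acct.failures, acct.locked = 0, False
```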
Application note: This SFR only applies if the authentication method has been activated for FTP, TELNET, SMTP, or SSH.
FIA_UAU.6 Re-authenticating
FIA_UAU.6.1 The TSF shall re-authenticate the user under the conditions:
a) administrator authentication: timeout after inactivity (default 10 minutes, can be configured by an administrator);
b) user side channel authentication: after inactivity (default 10 minutes, can be configured by an administrator).

6.1.3.5 User identification (FIA_UID)
FIA_UID.2 User identification before any action
FIA_UID.2.1 The TSF shall require each user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

6.1.4 Class FMT: Security management

6.1.4.1 Management of functions in TSF (FMT_MOF)
FMT_MOF.1:1 Management of security functions behaviour
FMT_MOF.1.1:1 The TSF shall restrict the ability to disable, enable, modify the behaviour of the functions
a) the authentication methods for the side channel users, FTP-, TELNET-, SMTP-, and SSH-relays;
b) the usage of FTP, TELNET, SMTP, or SSH authentication;
c) the generation of audit trails;
to the administrator.
FMT_MOF.1:2 Management of security functions behaviour
FMT_MOF.1.1:2 The TSF shall restrict the ability to determine the behaviour of the functions
a) the authentication methods for the side channel users;
b) the generation of audit trails;
to the administrator and auditor.
FMT_MOF.1:3 Management of security functions behaviour
FMT_MOF.1.1:3 The TSF shall restrict the ability to determine the behaviour of, disable, enable, modify the behaviour of, perform the functions start-up and shut-down, change to maintenance and normal operation mode; to the administrator.
6.1.4.2 Management of security attributes (FMT_MSA)
FMT_MSA.1:1 Management of security attributes
FMT_MSA.1.1:1 The TSF shall enforce the authenticated administrator SFP to restrict the ability to change_default, modify, delete the security attributes
a) the administrative role
to the administrator.
FMT_MSA.1:2 Management of security attributes
FMT_MSA.1.1:2 The TSF shall enforce the authenticated administrator SFP to restrict the ability to query the security attributes
a) the administrative role
to the administrator and the auditor.
FMT_MSA.1:3 Management of security attributes
FMT_MSA.1.1:3 The TSF shall enforce the authenticated gui user SFP to restrict the ability to modify the security attributes
a) the user password
to the user.
FMT_MSA.1:4 Management of security attributes
FMT_MSA.1.1:4 The TSF shall enforce the authenticated administrator SFP to restrict the ability to modify the security attributes
a) the user passwords;
b) the administrator password
to the administrator.
FMT_MSA.3:1 Static attribute initialisation
FMT_MSA.3.1:1 The TSF shall enforce the authenticated user SFP to provide restrictive default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2:1 The TSF shall allow the administrator to specify alternative initial values to override the default values when an object or information is created.
FMT_MSA.3:2 Static attribute initialisation
FMT_MSA.3.1:2 The TSF shall enforce the authenticated gui user SFP to provide restrictive default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2:2 The TSF shall allow the administrator to specify alternative initial values to override the default values when an object or information is created.
FMT_MSA.3:3 Static attribute initialisation
FMT_MSA.3.1:3 The TSF shall enforce the authenticated administrator SFP to provide restrictive default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2:3 The TSF shall allow the administrator to specify alternative initial values to override the default values when an object or information is created.

6.1.4.3 Management of TSF data (FMT_MTD)
FMT_MTD.1:1 Management of TSF data
FMT_MTD.1.1:1 The TSF shall restrict the ability to modify, delete, create the
a) users;
b) network configuration;
c) relay configuration;
d) dns server configuration;
e) mail server configuration;
f) packet filter rules;
g) http-proxy squid configuration;
h) virus scanner configuration;
i) audit configuration;
j) snmp server configuration;
k) igmpproxy configuration (on the PFL);
to the administrator.
FMT_MTD.1:2 Management of TSF data
FMT_MTD.1.1:2 The TSF shall restrict the ability to query the
a) users;
b) network configuration;
c) relay configuration;
d) dns server configuration;
e) mail server configuration;
f) packet filter rules;
g) http-proxy squid configuration;
h) virus scanner configuration;
i) audit configuration;
j) snmp server configuration;
k) igmpproxy configuration (on the PFL);
to the administrator and auditor.

6.1.4.4 Specification of Management Functions (FMT_SMF)
FMT_SMF.1 Specification of Management Functions
FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions:
a) user configuration;
b) network configuration;
c) relay configuration;
d) dns server configuration;
e) mail server configuration;
f) packet filter rule configuration;
g) http-proxy squid configuration;
h) virus scanner configuration;
i) audit configuration;
j) snmp server configuration;
k) igmpproxy configuration (on the PFL).
6.1.4.5 Security management roles (FMT_SMR)
FMT_SMR.2 Restrictions on security roles
FMT_SMR.2.1 The TSF shall maintain the roles administrator, auditor, user.
FMT_SMR.2.2 The TSF shall be able to associate users with roles.
FMT_SMR.2.3 The TSF shall ensure that the conditions: the source IP addresses for traffic controlled by the authenticated administrator SFP is from the administration network, are satisfied.
FMT_SMR.3 Assuming roles
FMT_SMR.3.1 The TSF shall require an explicit request to assume the following roles: administrator, auditor.

6.1.5 Class FPT: Protection of the TSF

6.1.5.1 Trusted recovery (FPT_RCV)
FPT_RCV.2 Automated recovery
FPT_RCV.2.1 When automated recovery from a failure or service discontinuity is not possible, the TSF shall enter a maintenance mode where the ability to return to a secure state is provided.
FPT_RCV.2.2 For configurable events (default: none), the TSF shall ensure the return of the TOE to a secure state using automated procedures.

6.1.5.2 Simple Self Test (FPT_SST)
FPT_SST.1 TOE testing
FPT_SST.1.1 The TSF shall run a suite of self tests periodically during normal operation to perform the following checks:
a) specified processes are running (default: all relays, dns server, snmp server, xntpd, postfix)
b) the file system usage is below a threshold (default: 90%)
c) the file system permissions and flags.
FPT_SST.1.2 The TSF shall provide authorised users with the capability to query the results of the following checks:
a) specified processes are running (default: all relays, dns server, snmp server, xntpd, postfix)
b) the file system usage is below a threshold (default: 90%)
c) the file system permissions and flags.

6.1.5.3 Internal TOE TSF data replication consistency (FPT_TRC)
FPT_TRC.1 Internal TSF consistency
FPT_TRC.1.1 The TSF shall ensure that TSF data is consistent when replicated between parts of the TOE.
FPT_TRC.1.2 When parts of the TOE containing replicated TSF data are disconnected, the TSF shall ensure the consistency of the replicated TSF data upon reconnection before processing any requests for services provided by the unauthenticated user SFP, the authenticated user SFP, the identified side channel user SFP, the authenticated gui user SFP, and the authenticated administrator SFP.
Application note: The systems use an internal revision number to check the configuration. They only reactivate services when their configuration is up to date. The new configuration is used only for new connections; existing connections are not reconfigured.

6.1.5.4 Time stamps (FPT_STM)
FPT_STM.1 Reliable time stamps
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps.
Application note: The reliability is realized by synchronizing the real time clock with a time server using the protocol NTPv4.

6.2 Security Assurance Requirements

Table 12 shows the Security Assurance Requirements for the level EAL4. The augmented components ALC_FLR.2, ASE_TSS.2 and AVA_VAN.5 are marked as augmented. For the level EAL4, the SARs ADV_INT and ADV_SPM are not needed.
Table 12: SAR
Class             Family    Level        Name
Development       ADV_ARC   ADV_ARC.1    Security architecture description
                  ADV_FSP   ADV_FSP.4    Complete functional specification
                  ADV_IMP   ADV_IMP.1    Implementation representation of the TSF
                  ADV_INT   -            TSF internals (not needed for EAL4)
                  ADV_SPM   -            Security policy modelling (not needed for EAL4)
                  ADV_TDS   ADV_TDS.3    Basic modular design
Guidance          AGD_OPE   AGD_OPE.1    Operational user guidance
                  AGD_PRE   AGD_PRE.1    Preparative procedures
Life-cycle        ALC_CMC   ALC_CMC.4    Production support, acceptance procedures and automation
                  ALC_CMS   ALC_CMS.4    Problem tracking CM coverage
                  ALC_DEL   ALC_DEL.1    Delivery procedures
                  ALC_DVS   ALC_DVS.1    Identification of security measures
                  ALC_FLR   ALC_FLR.2    Flaw reporting procedures (augmented)
                  ALC_LCD   ALC_LCD.1    Developer defined life-cycle model
                  ALC_TAT   ALC_TAT.1    Well-defined development tools
Security Target   ASE_CCL   ASE_CCL.1    Conformance claims
                  ASE_ECD   ASE_ECD.1    Extended components definition
                  ASE_INT   ASE_INT.1    ST introduction
                  ASE_OBJ   ASE_OBJ.2    Security objectives
                  ASE_REQ   ASE_REQ.2    Derived security requirements
                  ASE_SPD   ASE_SPD.1    Security problem definition
                  ASE_TSS   ASE_TSS.2    TOE summary specification with architectural design summary (augmented)
Tests             ATE_COV   ATE_COV.2    Analysis of coverage
                  ATE_DPT   ATE_DPT.1    Testing: security enforcing modules
                  ATE_FUN   ATE_FUN.1    Functional testing
                  ATE_IND   ATE_IND.2    Independent testing - sample
Vulnerability     AVA_VAN   AVA_VAN.5    Advanced methodical vulnerability analysis (augmented)

6.3 Security Functional Requirements Rationale

The following table shows that all dependencies are met (see notes at end of table):

Table 13: SFR Dependencies
Id      SFR            Dependencies                                Satisfied by
1-1     FAU_ARP.1      FAU_SAA.1                                   1-3
1-2     FAU_GEN.1EX    FPT_STM.1                                   2-3
1-3     FAU_SAA.1      FAU_GEN.1                                   1-2
1-4     FAU_SAR.1      FAU_GEN.1                                   1-2
1-5     FAU_SAR.2      FAU_SAR.1                                   1-4
1-6     FAU_SAR.3      FAU_SAR.1                                   1-4
1-7     FAU_STG.1:1    FAU_GEN.1                                   1-2
1-8     FAU_STG.1:2    FAU_GEN.1                                   1-2
1-9     FAU_STG.4:1    FAU_STG.1                                   1-7, 1-8
1-10    FAU_STG.4:2    FAU_STG.1                                   OE.TRUSTK
2-1-1   FDP_IFC.1:1    FDP_IFF.1:1                                 2-2-1
2-1-2   FDP_IFC.1:2    FDP_IFF.1:2                                 2-2-2
2-1-3   FDP_IFC.1:3    FDP_IFF.1:3                                 2-2-3
2-1-4   FDP_IFC.1:4    FDP_IFF.1:4                                 2-2-4
2-1-5   FDP_IFC.1:5    FDP_IFF.1:5                                 2-2-5
2-2-1   FDP_IFF.1:1    FDP_IFC.1:1, FMT_MSA.3:X                    2-1-1, N/A
2-2-2   FDP_IFF.1:2    FDP_IFC.1:2, FMT_MSA.3:1                    2-1-2, 4-3-1
2-2-3   FDP_IFF.1:3    FDP_IFC.1:3, FMT_MSA.3:X                    2-1-3, N/A
2-2-4   FDP_IFF.1:4    FDP_IFC.1:4, FMT_MSA.3:2                    2-1-4, 4-3-2
2-2-5   FDP_IFF.1:5    FDP_IFC.1:5, FMT_MSA.3:3                    2-1-5, 4-3-3
2-3     FPT_STM.1      -                                           -
3-1     FIA_AFL.1      FIA_UAU.1                                   3-4 (hierarchical)
3-2     FIA_ATD.1      -                                           -
3-3     FIA_SOS.1      -                                           -
3-4     FIA_UAU.2      FIA_UID.1                                   3-7 (hierarchical)
3-5     FIA_UAU.5EX    -                                           -
3-6     FIA_UAU.6      -                                           -
3-7     FIA_UID.2      -                                           -
4-1-1   FMT_MOF.1:1    FMT_SMF.1, FMT_SMR.1                        4-5, 4-6 (hierarchical)
4-1-2   FMT_MOF.1:2    FMT_SMF.1, FMT_SMR.1                        4-5, 4-6 (hierarchical)
4-1-3   FMT_MOF.1:3    FMT_SMF.1, FMT_SMR.1                        4-5, 4-6 (hierarchical)
4-2-1   FMT_MSA.1:1    FDP_IFC.1:5, FMT_SMF.1, FMT_SMR.1           2-1-5, 4-5, 4-6 (hierarchical)
4-2-2   FMT_MSA.1:2    FDP_IFC.1:5, FMT_SMF.1, FMT_SMR.1           2-1-5, 4-5, 4-6 (hierarchical)
4-2-3   FMT_MSA.1:3    FDP_IFC.1:4, FMT_SMF.1, FMT_SMR.1           2-1-4, 4-5, 4-6 (hierarchical)
4-2-4   FMT_MSA.1:4    FDP_IFC.1:5, FMT_SMF.1, FMT_SMR.1           2-1-5, 4-5, 4-6 (hierarchical)
4-3-1   FMT_MSA.3:1    FMT_MSA.1:3, FMT_MSA.1:4, FMT_SMR.1         4-2-3, 4-2-4, 4-6 (hierarchical)
4-3-2   FMT_MSA.3:2    FMT_MSA.1:3, FMT_MSA.1:4, FMT_SMR.1         4-2-3, 4-2-4, 4-6 (hierarchical)
4-3-3   FMT_MSA.3:3    FMT_MSA.1:1, FMT_MSA.1:2, FMT_SMR.1         4-2-1, 4-2-2, 4-6 (hierarchical)
4-4-1   FMT_MTD.1:1    FMT_SMF.1, FMT_SMR.1                        4-5, 4-6 (hierarchical)
4-4-2   FMT_MTD.1:2    FMT_SMF.1, FMT_SMR.1                        4-5, 4-6 (hierarchical)
4-5     FMT_SMF.1      -                                           -
4-6     FMT_SMR.2      FIA_UID.1                                   3-7 (hierarchical)
4-7     FMT_SMR.3      FMT_SMR.1                                   4-6 (hierarchical)
5-1     FPT_RCV.2      AGD_OPE.1                                   R05, table 17
5-2     FPT_SST.1      -                                           -
5-3     FPT_TRC.1      FPT_ITT.1                                   environment (OE.HANET)

The SFR FAU_GEN.1EX depends on FPT_STM.1 that requires reliable time stamps. The objectives OE.TIMESTMP and OE.RTCLOCK provide means to attain these reliable time stamps.
The SFR FAU_STG.4:1 depends on FAU_STG.1:1 and FAU_STG.1:2, because the application level audit trail consists of the rotated and the flagged audit trail.
The SFR FAU_STG.4:2 depends on FAU_STG.1. In this case the environment provides the security functionality, because it is trustworthy not to alter the log data, by OE.TRUSTK.
The SFR FPT_TRC.1 depends on FPT_ITT.1 which requires the protection of the TSF transfer against disclosure (or modification). This requirement is satisfied by the objective OE.HANET that requires a physical network for the transfer that prohibits disclosure.
The SFR FIA_UAU.2 depends on FIA_UID.1 which is met by FIA_UID.2 which is hierarchical.
FDP_IFC.1:1: The policy for the unauthenticated user SFP is FDP_IFF.1:1.
FDP_IFC.1:2: The policy for the authenticated user SFP is FDP_IFF.1:2.
FDP_IFC.1:3: The policy for the identified side channel user SFP is FDP_IFF.1:3.
FDP_IFC.1:4: The policy for the authenticated gui user SFP is FDP_IFF.1:4.
FDP_IFC.1:5: The policy for the authenticated administrator SFP is FDP_IFF.1:5.
FDP_IFF.1:1: This is the flow control function for the unauthenticated user SFP defined in FDP_IFC.1:1. The dependency of FDP_IFF.1:1 on FMT_MSA.3:X is not applicable because the users that fall under this SFP do not have the security attributes administrative role or password.
FDP_IFF.1:2: This is the flow control function for the authenticated user SFP defined in FDP_IFC.1:2.
FDP_IFF.1:3: This is the flow control function for the identified side channel user SFP defined in FDP_IFC.1:3. The dependency of FDP_IFF.1:3 on FMT_MSA.3:X is not applicable because the users that fall under this SFP do not have the security attributes administrative role or password.
FDP_IFF.1:4: This is the flow control function for the authenticated gui user SFP defined in FDP_IFC.1:4.
FDP_IFF.1:5: This is the flow control function for the authenticated administrator SFP defined in FDP_IFC.1:5.
FMT_MOF.1:1: The management functions are specified in FMT_SMF.1.
The security role administrator is defined in FMT_SMR.2 which is hierarchical to FMT_SMR.1.
FMT_MOF.1:2: The management functions are specified in FMT_SMF.1. The security roles administrator and auditor are defined in FMT_SMR.2 which is hierarchical to FMT_SMR.1.
FMT_MOF.1:3: The management functions are specified in FMT_SMF.1. The security role administrator is defined in FMT_SMR.2 which is hierarchical to FMT_SMR.1.
FMT_MSA.1:1: The flow control function for the authenticated administrator SFP is defined in FDP_IFC.1:5. The management functions are specified in FMT_SMF.1. The security role administrator is defined in FMT_SMR.2 which is hierarchical to FMT_SMR.1.
FMT_MSA.1:2: The flow control function for the authenticated administrator SFP is defined in FDP_IFC.1:5. The management functions are specified in FMT_SMF.1. The security roles administrator and auditor are defined in FMT_SMR.2 which is hierarchical to FMT_SMR.1.
FMT_MSA.1:3: The flow control function for the authenticated gui user SFP is defined in FDP_IFC.1:4. The management functions are specified in FMT_SMF.1. The security role user is defined in FMT_SMR.2 which is hierarchical to FMT_SMR.1.
FMT_MSA.1:4: The flow control function for the authenticated administrator SFP is defined in FDP_IFC.1:5. The management functions are specified in FMT_SMF.1. The security role administrator is defined in FMT_SMR.2 which is hierarchical to FMT_SMR.1.
FMT_MSA.3:1: The management of the respective password can be done by the user (FMT_MSA.1:3) or the administrator (FMT_MSA.1:4). Their roles are defined in FMT_SMR.2 which is hierarchical to FMT_SMR.1.
FMT_MSA.3:2: The management of the user password can be done by the user (FMT_MSA.1:3) or the administrator (FMT_MSA.1:4). Their roles are defined in FMT_SMR.2 which is hierarchical to FMT_SMR.1.
FMT_MSA.3:3: The administrative role can be changed by the administrator (FMT_MSA.1:1) and viewed by the auditor (FMT_MSA.1:2). Their roles are defined in FMT_SMR.2 which is hierarchical to FMT_SMR.1.
FMT_MTD.1:1: The management functions are specified in FMT_SMF.1. The security role administrator is defined in FMT_SMR.2 which is hierarchical to FMT_SMR.1.
FMT_MTD.1:2: The management functions are specified in FMT_SMF.1. The security role auditor is defined in FMT_SMR.2 which is hierarchical to FMT_SMR.1.
The SFR FMT_SMR.2 depends on FIA_UID.1 which is met by FIA_UID.2 which is hierarchical.
FMT_SMR.3: The security roles are defined in FMT_SMR.2 which is hierarchical to FMT_SMR.1.

6.3.1 Objectives

This section must show that the SFR address the objectives, and that all dependencies between the SFRs and SARs are met. The following table shows how the objectives are met by the SFR.

Table 14: Objectives rationale
O.IDAUTH
  FIA_AFL.1: This component describes the actions of authentication failure handling.
  FIA_ATD.1: This component defines the user attributes.
  FIA_SOS.1: This component specifies the used secrets.
  FIA_UAU.2: This component requires a user authentication before any action.
  FIA_UAU.5EX: This component describes all possible authentication mechanisms.
  FIA_UAU.6: This component describes under which circumstances a re-authentication is necessary.
  FIA_UID.2: This component requires a user identification before any action.
  The SFRs are mutually supportive. They are sufficient to meet the objective.
O.MEDIAT
  FDP_IFC.1:1: This component defines the unauthenticated user SFP that describes the data flow control for users of the firewall.
  FDP_IFC.1:2: This component defines the authenticated user SFP that describes the data flow control for users of the firewall that use the FTP-, TELNET-, SMTP-, or SSH-relay.
  FDP_IFC.1:3: This component defines the identified side channel user SFP that describes the data flow control for users of the firewall that use the side channel authentication.
  FDP_IFC.1:4: This component defines the authenticated gui user SFP that describes the data flow control for users of the firewall that change their password or register a side channel.
  FDP_IFC.1:5: This component defines the authenticated administrator SFP that describes the data flow control for administrators of the firewall.
  FDP_IFF.1:1: This component describes the access control for the unauthenticated user SFP.
  FDP_IFF.1:2: This component describes the access control for the authenticated user SFP.
  FDP_IFF.1:3: This component describes the access control for the identified side channel user SFP.
  FDP_IFF.1:4: This component describes the access control for the authenticated gui user SFP.
  FDP_IFF.1:5: This component describes the access control for the authenticated administrator SFP.
  The SFRs describe all possible access ways to the TOE and their related policies. The SFRs are mutually supportive. They are sufficient to meet the objective.
O.SECSTA
  FPT_RCV.2: This component describes a recovery after failures. The SFR is sufficient to meet the objective.
O.SELPRO
  FPT_SST.1: This component defines simple self-tests.
O.AUDREC
  FAU_ARP.1: This component detects potential security violations.
  FAU_GEN.1EX: This component describes the data generated for the audit.
  FAU_SAA.1: The component describes the security violation analysis.
  FAU_SAR.1: The component requires an audit review.
  FAU_SAR.2: This component assigns who can view the audit log.
  FAU_SAR.3: This component allows the searching of the audit log.
  FAU_STG.1:1, FAU_STG.1:2: This component makes sure that the audit log is protected.
  FAU_STG.4:1, FAU_STG.4:2: This component requires a prevention of audit data loss.
  FPT_STM.1: This component provides reliable time stamps.
  The SFRs are mutually supportive. They are sufficient to meet the objective.
O.ACCOUN
  FAU_GEN.1EX: This component describes the data generated for the audit.
  FIA_UID.2: This component requires a user identification before any action.
  FIA_UAU.2: This component requires a user authentication before any action.
  The SFRs are mutually supportive. They are sufficient to meet the objective.
O.SECFUN
  FMT_MOF.1:1: This component defines who can modify the behaviour of the security functions.
  FMT_MOF.1:2: This component defines who can read the settings of the security functions.
  FMT_MOF.1:3: This component defines who can start and stop the TOE or enter maintenance or normal operation. These actions also modify the behaviour of the security functions.
  FMT_MSA.3:1: This component describes that the authenticated user SFP has restrictive default values of the security attributes (the user password).
  FMT_MSA.3:2: This component describes that the authenticated gui user SFP has restrictive default values of the security attributes (the user password).
  FMT_MSA.3:3: This component describes that the authenticated administrator SFP has restrictive default values of the security attributes (the administrator password).
  FMT_MTD.1:1: This component describes who can modify the TSF data.
  FMT_MTD.1:2: This component describes who can query the TSF data.
  FMT_SMF.1: This component lists the configuration data of the TSF.
  FMT_SMR.2: The component defines the security roles.
  FMT_SMR.3: This component describes that an explicit request is required in order to assume the administrator or the auditor role.
  FMT_MSA.1:1: This component defines who can change the administrative role, i.e. who is administrator.
  FMT_MSA.1:2: This component defines who can query the administrative role.
FMT_MSA.1:3: This component desciibes that the useis can change theii oen passeoid. FMT_MSA.1:4: This component desciibes that the administiatoi can change the usei and the administiative passeoids. The SFRs desciibe the secuiity sensitive data on the TOE and the confg- uiabae secuiity functions. The SFRs desciibe eho can iead/iead the data and change the secuiity functions. The SFRs aie mutuaaay suppoitive. They aie suffcient to meet the objective. O.AVAIL FPT_TRC.1: This component iequiies that iepaicated data is consistent beteeen paits of the TOE and that they check the consistency of the iep- aicated data befoie accepting usei connections. O.MISUSESSH FDP_IFC.1:1: This component defnes the unauthenticated usei SFP that desciibes the data foe contioa foi useis of the fieeaaa. FDP_IFC.1:2: This component defnes the authenticated usei SFP that desciibes the data foe contioa foi useis of the fieeaaa that use the SSH- ieaay. FDP_IFF.1:1: This component desciibes the access contioa foi the unau- thenticated usei SFP. FDP_IFF.1:2: This component desciibes the access contioa foi the au- thenticated usei SFP. The SFRs desciibe aaa possibae access eays to the TOE and theii ieaated poaicies. The SFRs aie mutuaaay suppoitive. They aie suffcient to meet the objective. 13 Dec 2017 51 Veision 6 genugate fieeaaa 9.0 Secuiity Taiget The foaaoeing tabae 15 shoes that aaa SFR contiibute to (at aeast one objective) and aaa objectives aie met by (at aeast) one SFR. 
Table 15: SFR coverage (objectives: O.IDAUTH, O.MEDIAT, O.SECSTA, O.SELPRO, O.AUDREC, O.ACCOUN, O.SECFUN, O.AVAIL, O.MISUSESSH)

SFR            Objective(s)
FAU_ARP.1      O.AUDREC
FAU_GEN.1EX    O.AUDREC, O.ACCOUN
FAU_SAA.1      O.AUDREC
FAU_SAR.1      O.AUDREC
FAU_SAR.2      O.AUDREC
FAU_SAR.3      O.AUDREC
FAU_STG.1:1    O.AUDREC
FAU_STG.1:2    O.AUDREC
FAU_STG.4:1    O.AUDREC
FAU_STG.4:2    O.AUDREC
FDP_IFC.1:1    O.MEDIAT, O.MISUSESSH
FDP_IFC.1:2    O.MEDIAT, O.MISUSESSH
FDP_IFC.1:3    O.MEDIAT
FDP_IFC.1:4    O.MEDIAT
FDP_IFC.1:5    O.MEDIAT
FDP_IFF.1:1    O.MEDIAT, O.MISUSESSH
FDP_IFF.1:2    O.MEDIAT, O.MISUSESSH
FDP_IFF.1:3    O.MEDIAT
FDP_IFF.1:4    O.MEDIAT
FDP_IFF.1:5    O.MEDIAT
FPT_STM.1      O.AUDREC
FIA_AFL.1      O.IDAUTH
FIA_ATD.1      O.IDAUTH
FIA_SOS.1      O.IDAUTH
FIA_UAU.2      O.IDAUTH, O.ACCOUN
FIA_UAU.5EX    O.IDAUTH
FIA_UAU.6      O.IDAUTH
FIA_UID.2      O.IDAUTH, O.ACCOUN
FMT_MOF.1:1    O.SECFUN
FMT_MOF.1:2    O.SECFUN
FMT_MOF.1:3    O.SECFUN
FMT_MSA.1:1    O.SECFUN
FMT_MSA.1:2    O.SECFUN
FMT_MSA.1:3    O.SECFUN
FMT_MSA.1:4    O.SECFUN
FMT_MSA.3:1    O.SECFUN
FMT_MSA.3:2    O.SECFUN
FMT_MSA.3:3    O.SECFUN
FMT_MTD.1:1    O.SECFUN
FMT_MTD.1:2    O.SECFUN
FMT_SMF.1      O.SECFUN
FMT_SMR.2      O.SECFUN
FMT_SMR.3      O.SECFUN
FPT_RCV.2      O.SECSTA
FPT_SST.1      O.SELPRO
FPT_TRC.1      O.AVAIL

The following table 16 shows how the SFRs help to maintain the objectives.

Table 16: SFR rationale

FAU_ARP.1: This component detects potential security violations and aids in meeting the objective O.AUDREC.
FAU_GEN.1EX: This component describes the data generated for the audit and aids in meeting the objective O.AUDREC. It also aids in meeting O.ACCOUN.
FAU_SAA.1: This component describes the security violation analysis and aids in meeting the objective O.AUDREC.
FAU_SAR.1: This component requires an audit review and contributes to the objective O.AUDREC.
FAU_SAR.2: This component assigns who can view the audit log and contributes to O.AUDREC.
FAU_SAR.3: This component allows the searching of the audit log and contributes to O.AUDREC.
FAU_STG.1:1: This component makes sure that the audit log can be written and contributes to O.AUDREC.
FAU_STG.1:2: This component requires a prevention of audit data loss and contributes to O.AUDREC.
FAU_STG.4:1: This component makes sure that the audit log can be written and contributes to O.AUDREC.
FAU_STG.4:2: This component requires a prevention of audit data loss and contributes to O.AUDREC.
FDP_IFC.1:1: This component defines the unauthenticated user SFP that describes the data flow control for users of the firewall. The component aids in meeting O.MEDIAT and O.MISUSESSH.
FDP_IFC.1:2: This component defines the authenticated user SFP that describes the data flow control for users of the firewall that use the FTP-, TELNET-, SMTP- or SSH-relay (if configured). The component aids in meeting O.MEDIAT and O.MISUSESSH.
FDP_IFC.1:3: This component defines the identified side channel user SFP that describes the data flow control for users of the firewall that use the side channel authentication. The component aids in meeting O.MEDIAT.
FDP_IFC.1:4: This component defines the authenticated gui user SFP that describes the data flow control for users of the firewall that change their password or register a side channel. The component aids in meeting O.MEDIAT.
FDP_IFC.1:5: This component defines the authenticated administrator SFP that describes the data flow control for administrators of the firewall. The component aids in meeting O.MEDIAT.
FDP_IFF.1:1: This component describes the access control for the unauthenticated user SFP and contributes to O.MEDIAT and O.MISUSESSH.
FDP_IFF.1:2: This component describes the access control for the authenticated user SFP and contributes to O.MEDIAT and O.MISUSESSH.
FDP_IFF.1:3: This component describes the access control for the identified side channel user SFP and contributes to O.MEDIAT.
FDP_IFF.1:4: This component describes the access control for the authenticated gui user SFP and contributes to O.MEDIAT.
FDP_IFF.1:5: This component describes the access control for the authenticated administrator SFP and contributes to O.MEDIAT.
FPT_STM.1: This component provides reliable time stamps and contributes to O.AUDREC.
FIA_AFL.1: This component describes the actions of authentication failure handling and contributes to O.IDAUTH.
FIA_ATD.1: This component defines the user attributes and aids in meeting the objective O.IDAUTH.
FIA_SOS.1: The verification of secrets contributes to O.IDAUTH.
FIA_UAU.2: This component requires a user authentication before any action. It contributes to O.IDAUTH. It also aids in meeting O.ACCOUN, as the users are authenticated.
FIA_UAU.5EX: This component describes all possible authentication mechanisms and helps to meet O.IDAUTH.
FIA_UAU.6: This component describes under which circumstances a re-authentication is necessary and contributes to O.IDAUTH.
FIA_UID.2: This component requires a user identification before any action. It contributes to O.IDAUTH. It also aids in meeting O.ACCOUN, because log entries can be associated with users.
FMT_MOF.1:1: This component defines who can modify the behaviour of the security functions. It contributes to O.SECFUN.
FMT_MOF.1:2: This component defines who can read the settings of the security functions. It contributes to O.SECFUN.
FMT_MOF.1:3: This component defines who can start and stop the TOE or enter maintenance or normal operation. These actions also modify the behaviour of the security functions. The component contributes to O.SECFUN.
FMT_MSA.1:1: This component defines who can change the administrative role, i.e. who is administrator. The component contributes to O.SECFUN.
FMT_MSA.1:2: This component defines who can query the administrative role. It contributes to O.SECFUN.
FMT_MSA.1:3: This component describes that the users can change their own password. It contributes to O.SECFUN.
FMT_MSA.1:4: This component describes that the administrator can change the user and the administrative passwords. It contributes to O.SECFUN.
FMT_MSA.3:1: This component describes that the authenticated user SFP has restrictive default values of the security attributes. The component contributes to O.SECFUN.
FMT_MSA.3:2: This component describes that the authenticated gui user SFP has restrictive default values of the security attributes. The component contributes to O.SECFUN.
FMT_MSA.3:3: This component describes that the authenticated administrator SFP has restrictive default values of the security attributes. The component contributes to O.SECFUN.
FMT_MTD.1:1: This component describes who can modify the TSF data. It contributes to O.SECFUN.
FMT_MTD.1:2: This component describes who can query the TSF data. It contributes to O.SECFUN.
FMT_SMF.1: This component lists the configuration data of the TSF. It contributes to O.SECFUN.
FMT_SMR.2: This component defines the security roles. It contributes to O.SECFUN.
FMT_SMR.3: This component describes that an explicit request is required in order to assume the administrator or the auditor role. This component contributes to O.SECFUN.
FPT_RCV.2: This component describes a recovery after failures and contributes to O.SECSTA.
FPT_SST.1: This component defines simple self-tests. It contributes to O.SELPRO.
FPT_TRC.1: This component requires consistency of the TSF data when it is replicated internally to the TOE. It avoids inconsistent states in the takeover case and helps to meet O.AVAIL.

6.3.2 New or tailored SFR

The following rationale justifies the introduction of new SFR components and families.

FAU_GEN.1EX: This component is derived from FAU_GEN.1, but omits the audit events on start-up and shutdown of the audit functions. The replacement can be used if the omitted functionality is not supported. All other requirements are taken literally from FAU_GEN.1. The SFRs that depend on FAU_GEN.1 usually require only the still supported security functions. FAU_GEN.1EX can therefore be used as a replacement for FAU_GEN.1. The dependency of other SFRs on FAU_GEN.1 can be substituted by FAU_GEN.1EX. Because FAU_GEN.1EX is closely connected to FAU_GEN.1, it has been added to the same family.

FIA_UAU.5EX: This component is derived from FIA_UAU.5, with the clarification that the SFR itself does not implement authentication methods, but uses methods outside of the TOE. This component is introduced only in order to state the situation clearly to the reader. As FIA_UAU.5EX provides the same functionality as FIA_UAU.5, it can be used as a replacement for FIA_UAU.5. The dependency of other SFRs on FIA_UAU.5 can be substituted by FIA_UAU.5EX. Because FIA_UAU.5EX is closely connected to FIA_UAU.5, it has been added to the same family.

FPT_SST.1: The single component of this new family FPT_SST is modelled after the component FPT_TST.1. The component FPT_TST.1 has a dependency on FPT_AMT.1. Self-tests can, however, also be performed without having a formal abstract state machine. In order to avoid any association with this concept, a new family has been introduced. In addition, the tests do not just check the TSF, but perform tests that can also check other targets. Therefore, a new family seems justified.

6.4 Security Assurance Requirements Rationale

The overall security claim of this Security Target is aimed at EAL4.

The attack potential of the anonymous users is high. The firewall components are exposed to unrestricted attackers, simply because they are exposed to the Internet. Therefore the vulnerability analysis has been augmented to AVA_VAN.5 in order to match the resistance to attackers with a high attack potential. For the same reason the TOE summary specification has been augmented to ASE_TSS.2. This augmentation explains the security architecture of the product. The life cycle support has been augmented by ALC_FLR.2 to demonstrate genua's flaw handling procedures.

Table 17 shows that all dependencies are met.

Table 17: SAR Dependencies

ID   Requirement   Dependency    Solution
R01  ADV_ARC.1     ADV_FSP.1     R02
                   ADV_TDS.1     R04
R02  ADV_FSP.4     ADV_TDS.1     R04
R03  ADV_IMP.1     ADV_TDS.3     R04
                   ALC_TAT.1     R13
R04  ADV_TDS.3     ADV_FSP.4     R02
R05  AGD_OPE.1     ADV_FSP.1     R02
R06  AGD_PRE.1     -             -
R07  ALC_CMC.4     ALC_CMS.1     R08
                   ALC_DVS.1     R10
                   ALC_LCD.1     R12
R08  ALC_CMS.4     -             -
R09  ALC_DEL.1     -             -
R10  ALC_DVS.1     -             -
R11  ALC_FLR.2     -             -
R12  ALC_LCD.1     -             -
R13  ALC_TAT.1     ADV_IMP.1     R03
R14  ASE_CCL.1     ASE_INT.1     R16
                   ASE_ECD.1     R15
                   ASE_REQ.1     R18
R15  ASE_ECD.1     -             -
R16  ASE_INT.1     -             -
R17  ASE_OBJ.2     ASE_SPD.1     R19
R18  ASE_REQ.2     ASE_OBJ.2     R17
                   ASE_ECD.1     R15
R19  ASE_SPD.1     -             -
R20  ASE_TSS.2     ASE_INT.1     R16
                   ASE_REQ.1     R18
                   ADV_ARC.1     R01
R21  ATE_COV.2     ADV_FSP.2     R02
                   ATE_FUN.1     R23
R22  ATE_DPT.1     ADV_ARC.1     R01
                   ADV_TDS.2     R04
                   ATE_FUN.1     R23
R23  ATE_FUN.1     ATE_COV.1     R21
R24  ATE_IND.2     ADV_FSP.2     R02
                   AGD_OPE.1     R05
                   AGD_PRE.1     R06
                   ATE_COV.1     R21
                   ATE_FUN.1     R23
R25  AVA_VAN.5     ADV_ARC.1     R01
                   ADV_FSP.2     R02
                   ADV_TDS.3     R04
                   ADV_IMP.1     R03
                   AGD_OPE.1     R05
                   AGD_PRE.1     R06

7 TOE Summary

7.1 TOE Summary Specification

7.1.1 SF_SA: Security audit

SF_SA.1: The TOE generates log data whenever important events occur. This includes starting and stopping of the system, and changing from normal to the maintenance mode. Starting and stopping or reconfiguration of the relays generate log data. Loading of packet filter rules for ALG and PFL generates log data.

SF_SA.2: All relays generate log data when the connection state changes. Log data includes the IP addresses of source and destination, ports for TCP- and UDP-based protocols, the time stamps for connection and disconnection and the amount of data transferred in both directions for the source and the destination side.
The protocol-specific relays log part of the protocol data (e.g. URLs, SMTP envelope lines, ...). The TELNET-, FTP-, SMTP-, and SSH-relay (if configured) log information about authentication. All unsuccessful connection attempts are logged.

SF_SA.3: All administration through the administration web generates log data. The administration action is logged together with the administrative role. Successful and unsuccessful login attempts are logged. The log contains a time stamp.

SF_SA.4: The log data is analysed by automated tools that look for patterns in the log data. The patterns include packet filter violations, daemon messages, relay messages, kernel messages, ARP spoofing messages, failure of time synchronization, usage of duplicate IP addresses, and messages from other processes, e.g. the processes that implement the self-tests. If a pattern matches, a security event is generated. The actions include logging of the event, adding the event to an event digest, use of `wall' to show the event on the consoles, mailing the event to the administrators, creating a process master event, shutting down network interfaces, and system halt. The extracted log data is written to the audit log. In normal operation mode the audit log is protected by the file system append-only flag. It can only be changed in maintenance mode (e.g. rotated).

SF_SA.5: The log data can be transformed into a human readable form and can be searched by all administrators and auditors. Other roles are not allowed to read the log. The possible search criteria are: time, date, process id and additional log data. For relays the log data contains: the relay type, connection state, IP addresses and ports, bytes transferred.

SF_SA.6: The application level audit trail is divided into two parts, the automatically rotated audit logs and the flagged audit logs. The log data of the automatically rotated audit logs will be deleted after multiple rounds of rotation. The flagged audit logs can only be rotated in maintenance mode with the approval of an administrator. The time span between the rotation passes is large enough that the security audit can extract relevant log entries and write them to the flagged audit log. The system monitors the application level audit trail. If it fills beyond a threshold, a configurable action is executed.

The process master receives an event from the kernel if the kernel audit trail is filled beyond a threshold or is completely full. It then executes a configurable action which can range from ignoring the event to halting the system. If the process master does not react, the kernel will panic the system.

This Security Function addresses the following SFRs: FAU_GEN.1EX (audit data generation); FAU_ARP.1 (automatic response); FAU_SAA.1 (audit analysis); FAU_STG.1:1, FAU_STG.1:2, FAU_STG.4:1, and FAU_STG.4:2 (audit storage); FAU_SAR.1, FAU_SAR.2, FAU_SAR.3 (audit review) and FPT_STM.1 (time stamps).

7.1.2 SF_DF: Data flow control

SF_DF.1: The packet filters at the ALG and PFL implement the flow control at the network layer (IP) and transport layer (TCP/UDP). The filter rules take the information from the IP and TCP/UDP header (where applicable) in order to apply the filter rules. Packets with spoofed source or destination IP addresses are dropped. Packets with source routing are dropped. Packets are not forwarded at the ALG, so that packets that cannot be delivered to the socket layer are dropped. The packet filter of the PFL has a restrictive default filter set. Any TCP connections (or UDP packets) from the ALG into the internal net have to be activated by an administrator.
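The pattern-driven log analysis of SF_SA.4 above, with its graded set of responses, as an added example. This is illustration code, not genugate's analysis tool: the rule regexes, the syslog-style sample lines, and the action names are constructed here and are not taken from the Security Target.

```python
"""Pattern-based log analysis with graded responses, modelled on SF_SA.4.

Added example; it is not genugate code. The rule patterns, the syslog-style
sample lines and the action names are constructed for this illustration.
"""
import re
from dataclasses import dataclass

# Responses listed in SF_SA.4, from least to most drastic.
LOG, DIGEST, WALL, MAIL, PROCMASTER, IFDOWN, HALT = (
    "log", "digest", "wall", "mail", "procmaster-event", "ifdown", "halt")
SEVERITY = [LOG, DIGEST, WALL, MAIL, PROCMASTER, IFDOWN, HALT]


@dataclass(frozen=True)
class Rule:
    name: str
    pattern: "re.Pattern[str]"
    actions: tuple


@dataclass(frozen=True)
class SecurityEvent:
    rule: str
    line: str
    actions: tuple


# Constructed rule set covering the pattern classes named in SF_SA.4
# (packet filter violations, ARP spoofing, duplicate IPs, time sync, self-tests, kernel).
RULES = (
    Rule("pf-violation", re.compile(r"\bpf: block in on \S+"), (LOG, DIGEST)),
    Rule("arp-spoof", re.compile(r"\barp: .* attempts to modify permanent entry"),
         (LOG, DIGEST, WALL, MAIL)),
    Rule("dup-ip", re.compile(r"duplicate IP address .* sent from"),
         (LOG, DIGEST, WALL, MAIL)),
    Rule("ntp-fail", re.compile(r"\bntpd\[\d+\]: no reply from"), (LOG, DIGEST, MAIL)),
    Rule("selftest-fail", re.compile(r"\bselftest\[\d+\]: FAIL\b"),
         (LOG, DIGEST, MAIL, PROCMASTER)),
    Rule("audit-full", re.compile(r"\bkernel: .*audit trail full"),
         (LOG, WALL, MAIL, IFDOWN, HALT)),
)

# Constructed sample log in RFC 3164 style; the sshd line is benign noise.
SAMPLE_LOG = [
    "Dec 13 10:00:01 alg /bsd: pf: block in on em0: 203.0.113.7.4444 > 192.0.2.1.22: S",
    "Dec 13 10:00:02 alg /bsd: arp: 198.51.100.9 attempts to modify permanent entry for 192.0.2.1 on em1",
    "Dec 13 10:00:03 alg sshd[1234]: Accepted publickey for admin from 198.51.100.20",
    "Dec 13 10:00:04 alg ntpd[321]: no reply from 192.0.2.250",
    "Dec 13 10:00:05 alg selftest[77]: FAIL /etc/pf.conf: sappnd flag missing",
]


def analyse(lines, rules=RULES):
    """Match every line against the rules (first match wins) and return
    the security events raised, in log order."""
    events = []
    for line in lines:
        for rule in rules:
            if rule.pattern.search(line):
                events.append(SecurityEvent(rule.name, line, rule.actions))
                break
    return events


def event_digest(events):
    """SF_SA.4's 'event digest': number of events per rule name."""
    counts = {}
    for ev in events:
        counts[ev.rule] = counts.get(ev.rule, 0) + 1
    return counts


def most_drastic_action(events):
    """The single most drastic response any of the events calls for, or None."""
    worst = -1
    for ev in events:
        for action in ev.actions:
            worst = max(worst, SEVERITY.index(action))
    return SEVERITY[worst] if worst >= 0 else None


def audit_records(events):
    """The extracted fields that would be appended to the append-only audit log."""
    return [f"{ev.rule}\t{'+'.join(ev.actions)}\t{ev.line}" for ev in events]


if __name__ == "__main__":
    evs = analyse(SAMPLE_LOG)
    print(event_digest(evs), most_drastic_action(evs))
    print("\n".join(audit_records(evs)))
```

The severity ordering is what makes the response "graded": a self-test failure escalates to a process master event while a single packet filter violation is only logged and digested, which mirrors the range of actions SF_SA.4 lists.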
SF_DF.2: The relays check the following attributes:
The header information of network packets, depending on their type: TCP: IP and TCP header; UDP: IP and UDP header; ICMP: IP header and ICMP message; IGMP: IP header and IGMP message; IP: IP header.
The incoming and outgoing interfaces.
The actual date and time.
Additional information depending on the handling relay: IP-relay: none; PING-relay: none; UDP-relay: protocol conformance by applying regular expressions at the start of the communication if the filter is activated; TCP-relay: protocol conformance by applying regular expressions at the start of the communication if the filter is activated; NNTP-relay: protocol and application data; POP-relay: protocol and application data; SMTP-relay: protocol and application data; FTP-relay: protocol data; TELNET-relay: protocol data; WWWserver: protocol and application data; WWW-relay: protocol and application data; SNMPtrap: protocol data; SMTP2SMTP-relay: protocol and application data; SSH-relay: protocol data; MCASTUDP-relay: IGMP and multicast UDP packets; SIP-relay: protocol and application data; IMAP-relay: protocol and application data; Webservice-relay: protocol and application data.
A virus scanner can be used to scan the application data of the SMTP-relay, POP-relay, NNTP-relay, FTP-relay, WWW-relay, WWWserver-relay, SMTP2SMTP-relay, and IMAP-relay.

SF_DF.3: The SMTP-relay can block mails depending on the mail data (virus, blocked extension type of a MIME part). The mail stays on the TOE and must be handled by an administrator.

SF_DF.4: WWW-relay: For data of the content-type text/html a filter can remove the following tags that imply active content: , , , , and comments. Typical JavaScript fragments, like event handlers (on-attributes), can also be removed.

SF_DF.5: MIME-encoded messages are (recursively) parsed. Their parts are checked like non-encoded messages.
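The network-layer checks of SF_DF.1, together with the interface and date/time attributes of SF_DF.2, as an added example. This is not genugate's pf configuration: the interface names, address ranges, rule format and the constructed sample packets are assumptions made for the illustration. The `activate` step stands in for the administrator having to switch on an ALG-to-internal rule before anything passes.

```python
"""Packet-filter decision with anti-spoofing, source-route rejection and a
restrictive default, modelled on SF_DF.1 and the header/interface/time
attributes of SF_DF.2. Added example, not genugate's pf configuration:
interface names, address ranges and the rule format are assumptions.
"""
import ipaddress
from dataclasses import dataclass, replace
from datetime import time


@dataclass(frozen=True)
class Packet:
    iface_in: str
    src: str
    dst: str
    proto: str                   # "tcp", "udp" or "icmp"
    dport: int = 0               # 0 for protocols without ports
    source_routed: bool = False  # LSRR/SSRR IP option present
    at: time = time(12, 0)       # arrival time, checked against rule windows


@dataclass(frozen=True)
class Rule:
    iface_in: str
    proto: str
    src_net: str
    dst_net: str
    dport: int = 0               # 0 matches any port
    start: time = time(0, 0)
    end: time = time(23, 59, 59)
    enabled: bool = False        # an administrator must activate a rule explicitly


# Assumed topology: which source prefixes are legitimate on each ingress interface.
IFACE_NETS = {
    "ext0": [ipaddress.ip_network("203.0.113.0/24")],   # external side
    "alg0": [ipaddress.ip_network("192.0.2.0/30")],     # link to the ALG
    "int0": [ipaddress.ip_network("10.0.0.0/8")],       # internal net
}
# Destinations that never belong on the wire (loopback, "this" network).
BOGON_DST = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("0.0.0.0/8")]


def spoofed(pkt):
    """True if the source is not from the ingress interface's own network
    (forged, or arriving through the wrong door) or the destination is a bogon."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    src_ok = any(src in net for net in IFACE_NETS.get(pkt.iface_in, []))
    dst_bad = any(dst in net for net in BOGON_DST)
    return (not src_ok) or dst_bad


def decide(pkt, rules):
    """Return "pass" or "drop:<reason>". Spoof and source-route checks run
    before any rule can permit the packet; nothing matched means drop."""
    if spoofed(pkt):
        return "drop:spoofed"
    if pkt.source_routed:
        return "drop:source-routed"
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for r in rules:
        if not r.enabled or r.iface_in != pkt.iface_in or r.proto != pkt.proto:
            continue
        if src not in ipaddress.ip_network(r.src_net) or dst not in ipaddress.ip_network(r.dst_net):
            continue
        if r.dport and r.dport != pkt.dport:
            continue
        if not (r.start <= pkt.at <= r.end):
            continue
        return "pass"
    return "drop:default"        # restrictive default set


# Constructed rule set: SMTP from outside to the ALG during office hours is
# activated; the ALG-to-internal SMTP rule exists but is not yet activated.
RULES = [
    Rule("ext0", "tcp", "203.0.113.0/24", "203.0.113.1/32", 25,
         start=time(8, 0), end=time(18, 0), enabled=True),
    Rule("alg0", "tcp", "192.0.2.1/32", "10.0.0.0/8", 25),
]


def activate(rules, index):
    """Administrator action: enable one rule, returning a new rule list."""
    return [replace(r, enabled=True) if i == index else r for i, r in enumerate(rules)]


def demo():
    """Run constructed packets through the rules before and after activation."""
    office = time(10, 0)
    cases = {
        "smtp-in-office-hours": Packet("ext0", "203.0.113.5", "203.0.113.1", "tcp", 25, at=office),
        "smtp-in-at-night":     Packet("ext0", "203.0.113.5", "203.0.113.1", "tcp", 25, at=time(22, 0)),
        "internal-src-on-ext":  Packet("ext0", "10.0.0.9", "203.0.113.1", "tcp", 25, at=office),
        "loopback-dst":         Packet("ext0", "203.0.113.5", "127.0.0.1", "tcp", 25, at=office),
        "source-routed":        Packet("ext0", "203.0.113.5", "203.0.113.1", "tcp", 25, True, office),
        "alg-to-internal":      Packet("alg0", "192.0.2.1", "10.0.0.25", "tcp", 25, at=office),
    }
    before = {name: decide(p, RULES) for name, p in cases.items()}
    after = {name: decide(p, activate(RULES, 1)) for name, p in cases.items()}
    return before, after


if __name__ == "__main__":
    for name, verdict in demo()[0].items():
        print(f"{name:24s} {verdict}")
```

The ordering in `decide` is the security-relevant point: anti-spoofing and the source-route check are evaluated before the rule table, so no administrator-activated rule can ever let a forged or source-routed packet through.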
SF_DF.6: The SSH-relay can block the following SSH protocol messages: shell spawning, command execution and file transfer with scp, local port forwarding, remote port forwarding, X11 forwarding, authentication agent forwarding, and subsystem execution.

SF_DF.7: The SIP-relay can block connections that do not use the configured internal and external domains or that use RTP ports outside the configured port range. The protocol methods can be filtered.

SF_DF.8: The Webservice-relay can validate the application data against configurable XML schemas and use only configurable transport protocols.

SF_DF.9: An authenticated administrator can terminate connections in the traffic monitor section of the genugate administration interface or add an IP address to a list of blocked IP addresses.

This Security Function addresses the SFRs: FDP_IFC.1:1, FDP_IFC.1:2, FDP_IFC.1:3, FDP_IFC.1:4, and FDP_IFC.1:5 (information flow control policy); FDP_IFF.1:1, FDP_IFF.1:2, FDP_IFF.1:3, FDP_IFF.1:4, and FDP_IFF.1:5 (information flow control functions). They cover the policies unauthenticated user SFP, authenticated user SFP, identified side channel user SFP, authenticated gui user SFP, and authenticated administrator SFP.

7.1.3 SF_IA: Identification and Authentication

SF_IA.1: All IP packets are identified at the network layer by their source and destination IP addresses (and ports, if applicable).

SF_IA.2: The TCP-based relays are already connection oriented. The UDP- and IP-related relays introduce a UDP association or IP association respectively. Packets with the same destination IP, (destination port,) source IP, (source port,) and packets where source and destination are reversed are treated as belonging to one connection if they appear within a short time span one after the other. The connections time out after an idle time with no traffic. As with TCP connections, the connection establishment can be configured to be initiated only by one side. For the IP-relay, the IP protocol takes the role of the port.

SF_IA.3: For the FTP-, TELNET-, SMTP-, and SSH-relay a user authentication at the TOE can be configured by the administrator. The authentication method can be configured and can be password, RADIUS, LDAP, or password file. Additional methods for the TELNET- and FTP-relay are S/Key and crypto card. The password can be changed by the users themselves, but a minimum quality is checked by the TOE. The password must have a minimum length of 8, must not consist of upper-case or lower-case letters only, and must not contain the user name. For the password file authentication method, the password cannot be changed by the users. The TELNET- and FTP-relay capture any option-negotiation commands sent before the authentication proceeds, and replay them to the destination if the authentication completes successfully.

SF_IA.4: The side channel authentication allows users to activate configurable TCP-relays after a successful authentication at the side channel web site. The authentication method can be configured by the administrators and can be password, RADIUS, LDAP, S/Key, or crypto card. The password can be changed by the users themselves, but a minimum quality is checked by the TOE. The password must have a minimum length of 6, must not consist of upper-case or lower-case letters only, and must not contain the user name.

SF_IA.5: Administration is only possible after successful authentication at the administration web server. Auditors (administrators with read-only rights) can view the configuration after successful authentication at the administration web server. Connections to the administration web server are only accepted from the administration network. The authentication method is password. The password can be changed by the respective administrators themselves, but a minimum quality is checked by the TOE. The password must have a minimum length of 6, must not consist of upper-case or lower-case letters only, and must not contain the user name.

SF_IA.6: All of the different authentication methods disable a user/administrator account after a configurable number of unsuccessful attempts. The default value is 5. An administrator has to re-activate the account.

SF_IA.7: The side channel, user and administration web servers have a timeout for inactivity, after which the user/administrator has to re-authenticate. The default timeout is 10 minutes.

SF_IA.8: To gain interactive access (shell access) to the console, the administrator has to authenticate. Other interactions at the console require administrator input. On (re)boot the system waits for keyboard input but does not require a password. In maintenance mode, boot install scripts are applied only if the password is entered within the timeout period; otherwise the boot continues without applying the scripts. Changing the kernel requires keyboard input but does not require a password.

This Security Function addresses the SFRs: FIA_AFL.1 (authentication failures), FIA_SOS.1 (specification of secrets), FIA_UAU.2, FIA_UAU.5EX, FIA_UAU.6 (user authentication), FIA_UID.2 (user identification); FDP_IFC.1:2, FDP_IFC.1:3, FDP_IFC.1:4, and FDP_IFC.1:5 (information flow control policy); FDP_IFF.1:2, FDP_IFF.1:3, FDP_IFF.1:4, and FDP_IFF.1:5 (information flow control functions), FMT_MOF.1:3 (management of functions in TSF), FMT_SMR.2 and FMT_SMR.3 (security management roles). They cover the policies authenticated user SFP, identified side channel user SFP, authenticated gui user SFP, and authenticated administrator SFP.

7.1.4 SF_SM: Security management

SF_SM.1: The security management can be divided into three different roles: normal users do not have any rights, auditors (administrators with read-only rights) can view the configuration, and (normal) administrators can change the configuration.
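The password quality rules of SF_IA.3 to SF_IA.5, the lockout of SF_IA.6 and the inactivity timeout of SF_IA.7, as one added example. It is not genugate code: reading "must not consist of upper-case or lower-case letters only" as "must contain at least one character that is not a letter" is an assumption, as are the salted PBKDF2 storage, the explicit clock parameter, and the constructed user names and passwords.

```python
"""Password quality, failed-login lockout and inactivity timeout as described
in SF_IA.3 to SF_IA.7. Added example, not genugate code. The reading of
"must not consist of upper- or lower-case letters only" as "must contain at
least one non-letter" is an assumption, as are the hashing scheme and the
explicit clock handling.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass

# Minimum lengths per authentication context (SF_IA.3, SF_IA.4, SF_IA.5).
MIN_LENGTH = {"relay": 8, "sidechannel": 6, "admin": 6}


def password_ok(username, password, context):
    """Return (accepted, reason) for a proposed password in the given context."""
    if len(password) < MIN_LENGTH[context]:
        return False, "shorter than %d characters" % MIN_LENGTH[context]
    if all(ch.isalpha() for ch in password):      # letters only, whatever the case
        return False, "consists of letters only"
    if username.lower() in password.lower():      # case-insensitive user name check
        return False, "contains the user name"
    return True, "ok"


@dataclass
class Account:
    name: str
    salt: bytes
    digest: bytes
    failures: int = 0
    disabled: bool = False
    last_activity: float = 0.0


def _digest(secret, salt):
    # Salted, iterated hash; plaintext secrets are never stored.
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 50_000)


class Authenticator:
    def __init__(self, max_failures=5, idle_timeout=600.0):
        self.max_failures = max_failures   # SF_IA.6 default: 5 attempts
        self.idle_timeout = idle_timeout   # SF_IA.7 default: 10 minutes (seconds here)
        self.accounts = {}

    def add(self, name, secret, context):
        """Create an account; the quality check is enforced at set time."""
        ok, reason = password_ok(name, secret, context)
        if not ok:
            raise ValueError(reason)
        salt = os.urandom(16)
        self.accounts[name] = Account(name, salt, _digest(secret, salt))

    def login(self, name, secret, now):
        """Authenticate; count failures and disable the account at the limit."""
        acct = self.accounts.get(name)
        if acct is None or acct.disabled:
            return False
        if not hmac.compare_digest(_digest(secret, acct.salt), acct.digest):
            acct.failures += 1
            if acct.failures >= self.max_failures:
                acct.disabled = True
            return False
        acct.failures = 0
        acct.last_activity = now
        return True

    def session_valid(self, name, now):
        """Re-authentication is required once the idle timeout has elapsed."""
        acct = self.accounts[name]
        if acct.disabled or now - acct.last_activity > self.idle_timeout:
            return False
        acct.last_activity = now
        return True

    def reactivate(self, name):
        """Administrator action: a locked account is only re-enabled by hand (SF_IA.6)."""
        acct = self.accounts[name]
        acct.failures = 0
        acct.disabled = False


if __name__ == "__main__":
    auth = Authenticator()
    auth.add("alice", "Correct-Horse7", "relay")
    print(auth.login("alice", "Correct-Horse7", now=0.0), auth.session_valid("alice", now=1200.0))
```

Two details worth noting: `login` returns the same result for an unknown, a disabled and a wrongly authenticated account, so the outcome does not reveal which user names exist; and the lockout counter is reset only by a successful login or by an administrator, matching SF_IA.6.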
All users have the security attributes administrative role and password.

SF_SM.2: The configuration is divided into the following fields: System, Connections, Users, Packet Filter, HA, Statistics, Logging.

SF_SM.3: Only administrators can change the password and security role of users, auditors and administrators. The auditors can view the settings. All security attributes for new users and administrators are set to a restrictive default. The users can change their passwords at the user web server.

SF_SM.4: Only administrators can change the timeouts for the administrator, user and side channel web servers. The auditors can view the settings.

SF_SM.5: Only administrators can change the log details and authentication methods. The auditors can view the settings.

SF_SM.6: The attributes synchronized between HA peers are a) user configuration (but not their blocked status); b) network configuration; c) relay configuration; d) dns server configuration; e) mail server configuration; f) packet filter rule configuration; g) http-proxy squid configuration; h) virus scanner configuration; i) audit configuration; k) snmp server configuration; l) igmpproxy configuration (on the PFL).

This Security Function addresses the SFRs: FIA_ATD.1 (user attribute definition); FMT_SMR.2 and FMT_SMR.3 (security management roles); FMT_MTD.1:1 and FMT_MTD.1:2 (management of TSF data); FMT_SMF.1 (specification of management functions); FMT_MSA.1:1, FMT_MSA.1:2, FMT_MSA.1:3, FMT_MSA.1:4, FMT_MSA.3:1, FMT_MSA.3:2, and FMT_MSA.3:3 (management of security attributes); FMT_MOF.1:1 and FMT_MOF.1:2 (management of functions in TSF).

7.1.5 SF_PT: Protection of the TSF

SF_PT.1: After a shutdown due to a failure or service discontinuity, the TOE does not reboot automatically, but requires an administrator interaction at the console. For the high availability system this stop of service is not desired. Therefore a peer will take over the services of the failed system. The HA peers synchronize the attributes given in SF_SM.6.

SF_PT.2: In maintenance mode, system flags can be modified and therefore protected files can be manipulated. To allow an interactive session at the TOE only for the administrator at the console, all network packets (and Ethernet frames) are dropped silently in maintenance mode.

SF_PT.3: The TOE executes self tests regularly. The self tests consist of checking that (a configurable number of) processes are running, that the file system usage is below a configurable threshold, and of tests for the file system consistency (file system permissions and flag settings). Administrators and auditors (the authorized users) can view the results of the self tests.

SF_PT.4: During normal operation the packet filter rules of the PFL cannot be modified. They are sealed when changing into normal operation mode.

This Security Function addresses the SFRs: FPT_SST.1 (simple self test); FPT_RCV.2 (trusted recovery); FPT_TRC.1 (internal TOE TSF data replication consistency).

7.2 Self-Protection against Interference and Logical Tampering

The product takes the following self-protection measures, supplied by the TOE:
● The system is a two-tiered firewall. Both systems have to be overcome to gain unauthorised access from the external network to the internal network.
● On the ALG all connections are accepted by relays which are located in a reduced runtime environment (cages). An attacker has only limited capabilities.
● The ALG has a hardened kernel; some system calls are modified and deviate from their POSIX-conformant behaviour. This prevents attackers from escaping out of the cages. The system calls are chroot, mknod, ktrace, and strace.
● All central processes of the ALG are controlled by the process master. In case of strange behaviour the process master can take actions.
● The ALG uses the BSD file system flags and runs at securelevel=2. The flags are used to mark most files as read-only and log files as append-only. The securelevel prevents changing the flags without going through single user mode.
● A reboot requires a manual interaction at the console. An attacker cannot modify the flags by going through single user mode.
● The PFL runs at securelevel=3. This means that the packet filter rules are immutable.

The following self-protection measures are supplied by the environment:
● The OpenBSD kernel uses a randomized stack top, a stack canary to detect stack overflows, and exclusively writable or executable memory segments (W^X) to mitigate exploits.
● The OpenBSD applications use a randomized stack top, a stack canary to detect stack overflows, and exclusively writable or executable memory segments (W^X) to mitigate exploits. Further, they use random library memory locations, random mmap and malloc function results, and a read-only data segment .rodata for constant data to mitigate exploits.
● The OpenBSD daemons use either privilege revocation or privilege separation if they temporarily need enhanced privileges.
● Both the OpenBSD kernel and the core OpenBSD applications use the functions strlcat and strlcpy, which guarantee to null-terminate the result, in place of strncat and strncpy.

The measures together build up a multi-layered security barrier that results in a sufficient level of self-protection:
● The low level strlcat and strlcpy functions prohibit overwriting the allocated memory.
● The stack and memory protection mechanisms make it difficult to insert shell code.
● The privilege reduction functions inhibit a successful attacker from gaining further privileges.

Further, encryption of the TOE data when it is transported over an insecure path prevents an attacker from obtaining information for continued attacks.

The TOE supplies a configuration GUI that checks the parameters entered in the HTML forms. This helps to mitigate misconfiguration by administrators.
It also gives a clear user interface for the administrators and auditors.

7.3 Self-Protection against Bypass

As the TOE is a firewall system, there can be no bypassing if it is installed properly. The assumption A.SINGEN reflects this.

8 Abbreviations

ALG      Application Level Gateway
BSD      Berkeley Software Distribution
BGP      Border Gateway Protocol
CARP     Common Address Redundancy Protocol
DMZ      demilitarised zone
DNS      Domain Name Service or Domain Name System
FTP      File Transfer Protocol
HTTP     Hyper Text Transfer Protocol
HTTPS    Hypertext Transfer Protocol Secure
ICMP     Internet Control Message Protocol
IGMP     Internet Group Management Protocol
IMAP     Internet Message Access Protocol
IMAPS    IMAP over SSL
IP       Internet Protocol
LDAP     Lightweight Directory Access Protocol
MTA      Mail Transfer Agent
MSSQL    Microsoft SQL Server relational database management system
MySQL    a relational database management system
NNTP     Network News Transfer Protocol
NTP      Network Time Protocol
OSPF     Open Shortest Path First
PAP      packet filter - application level gateway - packet filter
PCF      Protocol Conformance Filter
PFL      Packet Filter
PING     send ICMP ECHO_REQUEST packets to network hosts
POP      Post Office Protocol
POP3     Post Office Protocol, version 3
PPTP     Point-to-Point Tunneling Protocol
Postgres PostgreSQL object-relational database management system
RDP      Remote Desktop Protocol
RADIUS   Remote Authentication Dial-In User Service
RTP      Real-time Transport Protocol
RTSP     Real Time Streaming Protocol
SIP      Session Initiation Protocol
S/KEY    Secure Key
SMB      Server Message Block
SMTP     Simple Mail Transfer Protocol
SNMP     Simple Network Management Protocol
SOAP     Simple Object Access Protocol
SSH      Secure Shell
SSL      Secure Sockets Layer
Telnet   Telecommunication network
TCP      Transmission Control Protocol
TLS      Transport Layer Security
UDP      User Datagram Protocol
URL      Uniform Resource Locator
VNC      Virtual Network Computing
WSDL     Web Service Description Language
WWW      World Wide Web

9 Bibliography

[CC_1] Common Criteria for Information Technology Security Evaluation, Part 1: Introduction and general model, Version 3.1, Revision 4
[CC_2] Common Criteria for Information Technology Security Evaluation, Part 2: Security functional requirements, Version 3.1, Revision 4
[CC_3] Common Criteria for Information Technology Security Evaluation, Part 3: Security assurance requirements, Version 3.1, Revision 4
[OpenBSD] http://www.openbsd.org/