UK IT SECURITY EVALUATION AND CERTIFICATION SCHEME

COMMON CRITERIA CERTIFICATION REPORT No. P180

Cisco Secure PIX Firewall Version 6.2(2) running on PIX 501, 506, 506E, 515, 515E, 520, 525 and 535

Issue 1.0, December 2002

© Crown Copyright 2002. Reproduction is authorised provided the report is copied in its entirety.

UK IT Security Evaluation and Certification Scheme, Certification Body, PO Box 152, Cheltenham, Glos GL52 5UF, United Kingdom

EAL4 augmented by ALC_FLR.1 - Cisco Secure PIX Firewall Version 6.2(2) running on PIX 501, 506, 506E, 515, 515E, 520, 525 and 535 - Page ii, Issue 1.0, December 2002

ARRANGEMENT ON THE MUTUAL RECOGNITION OF COMMON CRITERIA CERTIFICATES IN THE FIELD OF INFORMATION TECHNOLOGY SECURITY

The Certification Body of the UK IT Security Evaluation and Certification Scheme is a member of the above Arrangement and as such this confirms that the Common Criteria certificate has been issued by or under the authority of a Party to this Arrangement and is the Party’s claim that the certificate has been issued in accordance with the terms of this Arrangement.

The judgements contained in the certificate and Certification Report are those of the Qualified Certification Body which issued it and of the Evaluation Facility which carried out the evaluation. There is no implication of acceptance by other Members of the Agreement Group of liability in respect of those judgements or for loss sustained as a result of reliance placed upon those judgements by a third party.*

* Whilst the Arrangement has not yet been extended to address ALC_FLR.1 (basic flaw remediation), a working agreement exists amongst Parties to the Arrangement to recognise the Common Evaluation Methodology ALC_FLR supplement (Reference [h] in this report) and the resultant inclusion of ALC_FLR.1 elements in certificates issued by a Qualified Certification Body.

Trademarks: The following trademarks are acknowledged: Cisco and PIX are registered trademarks of Cisco Systems Inc. Ethernet is a registered trademark of Xerox Corporation. Intel and Pentium are registered trademarks of the Intel Corporation. Microsoft and Windows NT are registered trademarks of Microsoft Corporation. Sun is a trademark of Sun Microsystems, Inc. All other products or services mentioned herein are trademarks of their respective owners.

CERTIFICATION STATEMENT

Cisco Secure PIX Firewall Version 6.2(2) is a stateful packet filtering firewall that controls the flow of IP traffic by matching information contained in the headers of connection-oriented or connectionless IP packets against a set of rules specified by the firewall’s authorised user. Traffic flow is also controlled by the use of other information, such as the direction (incoming or outgoing) of the IP packet on any given firewall network interface. The product was evaluated in a multi-homed configuration, mediating between up to 10 networks and having a network address on each.

Cisco Secure PIX Firewall Version 6.2(2) has been evaluated under the terms of the UK IT Security Evaluation and Certification Scheme and has met the Common Criteria Part 3 conformant requirements of Evaluation Assurance Level EAL4, augmented with ALC_FLR.1, for the specified Common Criteria Part 2 conformant functionality, extended by a bespoke audit generation component (FAU_AUD.1), in the specified environment when running on the PIX 501, 506, 506E, 515, 515E, 520, 525 and 535 hardware platforms as specified in Annex A.
Originator: CESG Certifier
Approval and Authorisation: CESG Head of the Certification Body, UK IT Security Evaluation and Certification Scheme
Date authorised: 20 December 2002

TABLE OF CONTENTS

CERTIFICATION STATEMENT ..... iii
TABLE OF CONTENTS ..... v
ABBREVIATIONS ..... vii
REFERENCES ..... ix
I. EXECUTIVE SUMMARY ..... 1
    Introduction ..... 1
    Evaluated Product ..... 1
    TOE Scope ..... 2
    Protection Profile Conformance ..... 3
    Assurance Requirement ..... 3
    Strength of Function Claims ..... 3
    Security Policy ..... 4
    Security Functionality Claims ..... 4
    Evaluation Conduct ..... 4
    Certification Result ..... 5
    General Points ..... 5
II. EVALUATION FINDINGS ..... 7
    Introduction ..... 7
    Security Policy Model ..... 7
    Delivery ..... 7
    Installation and Guidance Documentation ..... 8
    Strength of Function ..... 9
    Vulnerability Analysis ..... 9
    Testing ..... 10
    Platform Issues ..... 12
    Assurance Maintenance and Re-evaluation Issues ..... 13
III. EVALUATION OUTCOME ..... 15
    Certification Result ..... 15
    Recommendations ..... 15
ANNEX A: EVALUATED CONFIGURATION ..... 17
ANNEX B: PRODUCT SECURITY ARCHITECTURE ..... 21

ABBREVIATIONS

AAA      Authentication, Authorization and Accounting
ARP      Address Resolution Protocol
BIOS     Basic Input/Output System
CC       Common Criteria
CCI      Console Command Interface
CCO      Cisco Connection Online
CD-ROM   Compact Disk – Read Only Memory
CEM      Common Evaluation Methodology
CLEF     Commercial Evaluation Facility
DDTS     Distributed Defect Tracking System
DHCP     Dynamic Host Configuration Protocol
DMZ      DeMilitarised Zone
DNS      Domain Name Server
EAL      Evaluation Assurance Level
ETR      Evaluation Technical Report
FTP      File Transfer Protocol
HTTP     HyperText Transfer Protocol
ICMP     Internet Control Message Protocol
IP       Internet Protocol
IPC      Inter-Process Communication
MTU      Maximum Transmission Unit
NAT      Network Address Translation
NT       New Technology
PFSS     PIX Firewall Syslog Server
POP3     Post Office Protocol 3
RAM      Random Access Memory
RIP      Routing Information Protocol
ROM      Read Only Memory
RSH      Remote Shell
RTSP     Real Time Streaming Protocol
SCCP     Skinny Client Control Protocol
SFR      Security Functional Requirement
SIP      Session Initiation Protocol
SMTP     Simple Mail Transfer Protocol
SNMP     Simple Network Management Protocol
SoF      Strength of Function
SPM      Security Policy Model
SQLNET   Structured Query Language NETworking
SUNRPC   Sun Remote Procedure Call
TCP      Transmission Control Protocol
TELNET   TELecommunications NETworking Protocol
TOE      Target of Evaluation
TSF      TOE Security Functions
TSP      TOE Security Policy
UDP      User Datagram Protocol
UKSP     United Kingdom Scheme Publication

REFERENCES

a. Security Target for Cisco Secure PIX Firewall 501, 506, 506E, 515, 515E, 520, 525 and 535 Version 6.2(2), Cisco Systems Inc, ST, Version 2.4, November 2002.
b. Description of the Scheme, UK IT Security Evaluation and Certification Scheme, UKSP 01, Issue 5.0, July 2002.
c. The Appointment of Commercial Evaluation Facilities, UK IT Security Evaluation and Certification Scheme, UKSP 02, Issue 3.0, 3 February 1997.
d. Common Criteria Part 1, Common Criteria Interpretations Management Board, CCIMB-99-031, Version 2.1, August 1999.
e. Common Criteria Part 2, Common Criteria Interpretations Management Board, CCIMB-99-032, Version 2.1, August 1999.
f. Common Criteria Part 3, Common Criteria Interpretations Management Board, CCIMB-99-033, Version 2.1, August 1999.
g. Common Methodology for Information Technology Security Evaluation, Part 2: Evaluation Methodology, Common Criteria Evaluation Methodology Editorial Board, Version 1.0, CEM-099/045, August 1999.
h. Common Methodology for Information Technology Security Evaluation, Part 2: Evaluation Methodology, Supplement: ALC_FLR - Flaw Remediation, Common Criteria Evaluation Methodology Editorial Board, CEM-2001/0015R, Version 1.1, February 2002.
i. Evaluation Technical Report, Common Criteria EAL4 Augmented Evaluation of Cisco Secure PIX Firewall, 501, 506, 506E, 515, 515E, 520, 525 and 535, Version 6.2(2), Syntegra CLEF, LFS/T398/ETR, Issue 1.0, December 2002.
j. TOE Security Policy Model for Cisco Secure PIX Firewall 501, 506, 506E, 515, 515E, 520, 525 and 535 Version 6.2(2), Cisco Systems Inc, Version 2.3, November 2002.
k. Certified Installation and Configuration for the Cisco Secure PIX Firewall Version 6.2(2), Cisco Systems Inc, 78-15361-01.
l. Installation Guide for the Cisco Secure PIX Firewall Version 6.2, Cisco Systems Inc, 78-13880-01.
m. Configuration Guide for the Cisco Secure PIX Firewall Version 6.2, Cisco Systems Inc, 78-13943-01.
n. System Log Messages for the Cisco Secure PIX Firewall Version 6.2, Cisco Systems Inc, 78-13879-01.
o. Certification Report No. P152, Cisco Secure PIX Firewall, Version 5.2(3), running on PIX 515, 520 and 525, UK IT Security Evaluation and Certification Scheme, Issue 1.0, February 2001.

I. EXECUTIVE SUMMARY

Introduction

1. This Certification Report states the outcome of the Common Criteria (CC) evaluation of Cisco Secure PIX Firewall Version 6.2(2) to the Sponsor, Cisco Systems Ltd, and is intended to assist prospective consumers when judging the suitability of the IT security of the product for their particular requirements.

2. Prospective consumers are advised to read this report in conjunction with the Security Target [Reference a] which specifies the functional, environmental and assurance evaluation requirements.

Evaluated Product

3. The version of the product evaluated was:
• Cisco Secure PIX Firewall Version 6.2(2)
The product is also described in this report as the Target of Evaluation (TOE). The Developer was Cisco Systems Inc.

4. Cisco Secure PIX Firewall Version 6.2(2) is a stateful packet filtering firewall that controls the flow of IP traffic by matching information contained in the headers of connection-oriented or connectionless IP packets against a set of rules specified by the firewall’s authorised user. This header information includes source and destination host (IP) addresses, source and destination port numbers and the Transport Service Application Protocol held within the data field of the IP packet.

5. For connection-oriented transport services, the firewall either permits connections and subsequent packets for the connection or denies the connection and subsequent packets associated with the connection. Depending upon the rule and the results of the match, the firewall either passes or drops the packet. In addition to IP header information, the Cisco Secure PIX Firewall uses other information, such as the direction (incoming or outgoing) of the packet on any given firewall network interface.

6. For connectionless IP services, UDP and ICMP, the firewall either permits or denies connections on the basis of the interface at which the packet arrives, and the rules and the results of the match.

7. The product supports several connection topologies. No distinction is made between external and internal networks, although the evaluated configuration includes 10 networks, with at least one internal and one external network. The additional network interfaces provide for additional internal network connections (eg a DeMilitarised Zone (DMZ)) or external network connections. The product provides a single point of defence and was evaluated in a multi-homed configuration, mediating between up to 10 networks and having a network address on each PIX interface.
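As an added illustration (a teaching model, not Cisco's PIX code), the following Python models the behaviour described in paragraphs 4 to 7: rules match header fields plus the arriving interface and direction, the default policy denies everything (paragraph 13), a TCP connection is decided once and that decision then governs its later packets in both directions, while UDP and ICMP are decided packet by packet. Every connection attempt is recorded, permitted or denied, as the bespoke audit component FAU_AUD.1 in paragraph 27 requires. Interface names, addresses, ports and rules are constructed sample values.

```python
"""Illustrative model of the stateful packet filtering described in the report
(paragraphs 4-7, 13 and 27). Added example, not Cisco PIX code."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    iface: str         # firewall interface the packet is seen on, e.g. "outside"
    direction: str     # "in" (arriving) or "out" (leaving) on that interface
    proto: str         # "tcp", "udp" or "icmp"
    src: str           # source IP address
    dst: str           # destination IP address
    sport: int = 0     # source port (0 for ICMP)
    dport: int = 0     # destination port (ICMP type can be carried here)
    syn: bool = False  # TCP only: True for the connection-initiating packet


@dataclass(frozen=True)
class Rule:
    iface: str
    direction: str
    proto: str
    dst: Optional[str] = None    # None matches any destination address
    dport: Optional[int] = None  # None matches any destination port
    action: str = "deny"         # "permit" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.iface == p.iface and self.direction == p.direction
                and self.proto == p.proto
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)
        # TCP: connection key -> decision taken when the connection was opened
        self.connections: Dict[Tuple, str] = {}
        # Audit trail: one record per connection attempt, permitted or denied
        self.audit: List[Tuple[str, str, str, int, str]] = []

    def _match_rules(self, p: Packet) -> str:
        for r in self.rules:        # first matching rule wins
            if r.matches(p):
                return r.action
        return "deny"               # initial policy: DENY everything

    @staticmethod
    def _conn_key(p: Packet) -> Tuple:
        # Order-independent endpoints so reply packets map to the same connection
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def filter(self, p: Packet) -> str:
        if p.proto == "tcp":
            key = self._conn_key(p)
            if key not in self.connections and p.syn:
                action = self._match_rules(p)
                self.connections[key] = action
                self.audit.append((p.iface, p.src, p.dst, p.dport, action))
                return action
            # Later packets inherit the decision; an unknown non-SYN packet is dropped
            return self.connections.get(key, "deny")
        # UDP and ICMP: decided per packet on the arriving interface and the rules
        action = self._match_rules(p)
        self.audit.append((p.iface, p.src, p.dst, p.dport, action))
        return action


def demo() -> Tuple[List[str], List[Tuple[str, str, str, int, str]]]:
    """Constructed scenario: a web server on the DMZ reachable from outside,
    DNS permitted from inside, everything else subject to the default deny."""
    fw = StatefulFilter([
        Rule("outside", "in", "tcp", dst="10.1.1.80", dport=80, action="permit"),
        Rule("inside", "in", "udp", dport=53, action="permit"),
    ])
    client, web, resolver, host = "198.51.100.7", "10.1.1.80", "192.0.2.53", "10.0.0.5"
    decisions = [
        fw.filter(Packet("outside", "in", "tcp", client, web, 40000, 80, syn=True)),  # permit
        fw.filter(Packet("dmz", "in", "tcp", web, client, 80, 40000)),                # permit (reply)
        fw.filter(Packet("outside", "in", "tcp", client, web, 40001, 23, syn=True)),  # deny (telnet)
        fw.filter(Packet("outside", "in", "tcp", client, web, 40001, 23)),            # deny (same conn)
        fw.filter(Packet("inside", "in", "udp", host, resolver, 5000, 53)),           # permit
        fw.filter(Packet("outside", "in", "udp", resolver, host, 53, 5000)),          # deny: no rule
    ]
    return decisions, fw.audit
```

In this model a connectionless reply needs its own rule on the interface it arrives at, which is the per-packet treatment paragraph 6 describes; the TCP connection table is what makes the filter stateful.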
8. The Cisco Secure PIX Firewall software includes the Cisco proprietary operating system, Finesse, which is integrated in the TOE to provide the supporting environment under which the trusted servers of the TOE execute. The TOE software “image” is pre-installed in flash ROM on a purpose-built hardware platform or delivered as a binary image to be installed if the consumer already has Cisco PIX hardware. No configuration of the embedded operating system is required by the consumer to obtain a secure product. A summary of the configuration aspects is provided under “Installation and Guidance”.

9. Further identification of the evaluated TOE, including the platforms on which it was evaluated, follows below under “TOE Scope”.

10. Details of the evaluated configuration, including the TOE’s supporting guidance documentation, are given in Annex A.

11. An overview of the TOE’s security architecture can be found in Annex B.

TOE Scope

12. Cisco Secure PIX Firewall Version 6.2(2), which includes the operating system, was evaluated running on the PIX 501, 506, 506E, 515, 515E, 520, 525 and 535 hardware platforms as specified in Annex A. These platforms utilise a single AMD SC520, Intel Celeron, Intel PI-MMX, or Intel Pentium (II or III) processor.

13. Each PIX platform incorporates network interface cards for 2 or more interfaces (dependent on the PIX model). The initial configuration of each platform is identical (ie the network security policy is to DENY everything). The TOE’s physical boundary includes the PIX hardware and network interface cards. A fuller discussion of the consideration given to hardware platforms is detailed below under “Platform Issues”.

14. The connection protocols through the TOE that are within the scope of the evaluation are Ethernet, ARP, DNS, Echo, Finger, H.323, IP, ICMP, TCP, UDP, FTP, HTTP, POP3, RTSP, Skinny (also known as SCCP), SIP, SMTP and TELNET. Any other type of connection through the TOE (eg SQLNET, RSH and SUNRPC) is outside the scope of the evaluation.

15. Software and hardware features beyond the scope of the TOE Security Functions (TSF) and therefore unevaluated were:
• Cut-Through Proxies
• Failover
• RIP
• Remote Management, except via TELNET from a trusted host on an inside interface
• SNMP
• DHCP Server
• Virtual Private Networks
• AAA server to provide Identification and Authentication

16. The TOE interacts with a Windows NT Server 4.0 machine for the purpose of storing the audit data generated by the TOE (ie to provide protected audit trail storage) and of providing audit review facilities. The requirements for the component of the IT environment providing this functionality are identified in the Security Target [a] as follows:

    Operating System                Software Requirements
    Windows NT Server Version 4.0   Microsoft Windows NT Server 4.0 operating system with Service Pack 6a.

    Requirements of the machine storing audit data generated by the TOE

17. The functionality provided by the above machine for the storage and review of the audit data generated by the TOE is beyond the scope of the evaluation.

18. The TOE has been evaluated using configurations of pre-installed and supported network interface cards configured for operation with at least 2 and at most 10 networks. In the minimum configuration, the TOE is connected to one internal network and one external network. The installation of additional unsupported network interface cards (beyond the pre-installed and supported cards), unsupported RAM and the PIX Firewall Syslog Server (PFSS) are outside the scope of the evaluation.

19. Consumer verification of TOE authenticity, using the Cisco Connection Online (CCO) website, was within the scope of the evaluation. The consumer acquisition of new build releases and patches to the product via the same CCO website, together with the consideration of potential vulnerabilities related to website downloads (eg spoofing the CCO website), were also included. Although the HTTP functionality was used during the evaluation to transfer software between the CCO website and the consumer, this functionality was not evaluated.

20. Aspects such as performance and reliability are beyond the scope of the evaluation.

Protection Profile Conformance

21. The Security Target [a] did not claim conformance to any Protection Profile.

Assurance Requirement

22. CC Part 3 [f] describes the scale of assurance given by predefined Evaluation Assurance Levels (EALs) on the scale EAL1 to EAL7 (where EAL0 represents no assurance). An overview of CC is given in CC Part 1 [d]. The assurance requirement for the TOE, as defined in the Security Target [a], was EAL4 augmented with ALC_FLR.1 (basic flaw remediation).

Strength of Function Claims

23. The minimum Strength of Function (SoF) was SoF-Medium. There were no IT Security Functions that had an associated SoF claim.

24. Although the TOE is designed to operate with an AAA server to provide Identification and Authentication of local and remote authorised users and of communication sessions set-up through the TOE, this functionality was outside the scope of the evaluation. Therefore, the SoF claims did not extend to the authentication mechanism.

Security Policy

25.
The TOE security policies are detailed in the Security Policy Model (SPM) [j] and summarised under “Security Policy Model”. There are no Organisational Security Policies or rules with which the TOE must comply.

Security Functionality Claims

26. The Security Target [a] specifies the TOE’s security objectives, the threats that these objectives counter and the Security Functional Requirements (SFRs) and IT Security Functions that elaborate these objectives. All are fully specified in the Security Target.

27. All but one of the SFRs are drawn from CC Part 2 [e], the use of this standard facilitating comparison with other evaluated products. The exception was FAU_AUD.1, which is a bespoke security functional component based on the CC Part 2 component FAU_GEN.1. It was found necessary to include FAU_AUD.1, rather than FAU_GEN.1, as the requirements imposed by FAU_GEN.1 were not appropriate for the TOE. FAU_AUD.1 requires generation of audit events for all attempted connections, both successful and unsuccessful.

28. Security functionality claims are made for the following IT Security Functions:
• Security Management Function, allowing changes to the information flow policy
• Information Control Flow Function, allowing interface rules to be set
• Audit Function, providing flexibility in audit event generation
• Protection Function, ensuring that TSP enforcement functions are invoked
• Clock Function, providing date and time information for reliable time stamps

Evaluation Conduct

29. The evaluation was carried out in accordance with the requirements of the UK IT Security Evaluation and Certification Scheme as described in United Kingdom Scheme Publication 01 (UKSP 01) and UKSP 02 [b, c]. The Scheme has established a Certification Body which is managed by the Communications-Electronics Security Group on behalf of Her Majesty’s Government. As stated on page ii of this Certification Report, the Certification Body is a member of the Common Criteria Mutual Recognition Arrangement and the evaluation was conducted in accordance with the terms of this Arrangement.

30. The purpose of the evaluation was to provide assurance about the effectiveness of the TOE in meeting its Security Target [a], which prospective consumers are advised to read. To ensure that the Security Target gave an appropriate baseline for a CC evaluation, it was first itself evaluated. The TOE was then evaluated against this baseline. Both parts of the evaluation were performed in accordance with CC Part 3 [f] and the Common Evaluation Methodology (CEM) [g]. In addition, the ALC_FLR.1 component was evaluated in accordance with the latest guidance detailed in the CEM Supplement on Flaw Remediation [h] and the appropriate Common Criteria Interpretation Management Board interpretations (numbers 3, 4, 6, 8, 16, 25, 27, 31 (Rev. 1), 32, 37, 38, 43, 49, 51 (Rev. 1), 64, 69, 74, 75, 84, 85, 116, 127 (Rev. 1), 128 (Rev. 1) and 133 (Rev. 1)).

31. The Certification Body monitored the evaluation which was carried out by the Syntegra Commercial Evaluation Facility (CLEF). The evaluation was completed when the CLEF submitted the Evaluation Technical Report (ETR) [i] to the Certification Body in December 2002.

Certification Result

32. For the certification result see the “Evaluation Outcome” chapter.

General Points

33. The evaluation addressed the security functionality claimed in the Security Target [a] with reference to the assumed operating environment specified by the Security Target. The evaluated configuration was that specified in Annex A. Prospective consumers are advised to check that this matches their identified requirements and to give due consideration to the recommendations and caveats of this report.

34. Certification is not a guarantee of freedom from security vulnerabilities; there remains a small probability (smaller with greater assurance) that exploitable vulnerabilities may be discovered after a certificate has been awarded. This Certification Report reflects the Certification Body’s view at the time of certification. Consumers (both prospective and existing) should check regularly for themselves whether any security vulnerabilities have been discovered since this report was issued and, if appropriate, should check with the Vendor to see if any patches exist for the products and whether such patches have been evaluated and certified.

35. The issue of a Certification Report is not an endorsement of a product.

II. EVALUATION FINDINGS

Introduction

36. The evaluation addressed the requirements specified in the Security Target [a]. The results of this work were reported in the ETR [i] under the CC Part 3 [f] headings. The following sections note considerations that are of particular relevance to either consumers or those involved with the subsequent assurance maintenance and re-evaluation of the TOE.

Security Policy Model

37. The Evaluators confirmed that the security behaviour of the TOE was clearly articulated by the rules and characteristics of the SPM [j].
The policies modeled in the SPM were as follows:
• Security Management Policy
• Audit Security Policy
• Information Flow Control Security Policies
• Protection Security Policy
• Clock Security Policy

38. The Evaluators were satisfied that all security policies represented by the SFRs claimed in the Security Target [a] were modeled and complete.

Delivery

39. Information on the TOE delivery is provided to the customer on the CCO website and in the Certified Installation and Configuration document [k]. These sources of information provide guidance for tracking the shipment, ensuring that the evaluated versions of the TOE constituent components have been supplied and that the security of the TOE has not been compromised during delivery, together with guidance for the use of the TOE within its evaluated configuration.

40. The following measures provide security for delivery of the TOE hardware and software:

a. The Cisco Release Operations Group installs the TOE image on to the PIX hardware at the Cisco production site. The TOE image is also placed on the CCO website and its integrity is checked by calculating and comparing the MD5 hash value for this image against that of the master image.

b. The PIX hardware is then packaged in a sealed box and stored in a Cisco secure warehouse until shipping. (Similar storage measures apply to any related CD-ROMs containing updated product releases.)

c. The sealed box that contains the PIX hardware is labeled with the Cisco company name and logo.

d. The sealed box details the PIX hardware and software contained inside and the Cisco Customer reference number, which the customer is able to confirm.

e. When an order is received, the TOE (in the sealed box) and accompanying licence pack are distributed according to availability, using the recorded delivery service of a shipping company trusted by Cisco, direct to the customer. The identity of the shipping company is detailed on the CCO website to enable checking by the customer. The licence pack contains product documentation, including the Certified Installation and Configuration document [k], welcome letter and PIX hardware serial number. (The serial number is used by the consumer to check that the received hardware matches the serial number on the delivery note and packaging.)

f. The Certified Installation and Configuration document [k] instructs the consumer to verify the authenticity of the TOE software by downloading the software from the CCO website and calculating the MD5 hash value for the software image. (This will provide protection against an attacker with low attack potential as required by EAL4.) The expected value is detailed in the Certified Installation and Configuration document and is reproduced in the following Table:

    Software Image   Expected MD5 Hash Value
    Version 6.2(2)   abf75efd73b4003ba85f334a779a2188

    MD5 hash value for validating TOE authenticity

g. The customer then starts up the TOE as instructed in the Installation Guide [l] and uses the show version command to verify that the TOE Version number is 6.2(2).

41. Delivery is also available via CD-ROM or from the CCO website. When an order is received for software only, a CD-ROM is delivered using the same procedures as described above for the PIX hardware, but with the CD-ROM part number replacing the PIX serial number. When existing customers order a software upgrade, they are given access to the CCO website and can download software from specified areas of the website (based on a maintenance or SmartNet contract number) as described above.

Installation and Guidance Documentation

42.
Procedures for the installation and startup of the TOE are described in the Certified Installation and Configuration document [k]. This document refers out to the Installation Guide [l] and Configuration Guide [m], indicating the relevant sections for information on: a. the security parameters to be entered during the secure installation and startup of the TOE (changing the installation-specific security characteristics of entities under the control of the TSF); and Cisco Secure PIX Firewall EAL4 Version 6.2(2) augmented by ALC_FLR.1 running on PIX 501, 506, 506E, 515, 515E, 520, 525 and 535 December 2002 Issue 1.0 Page 9 b. the exceptions and problems that may arise from the use of the console commands during installation and startup. 43. The Installation Guide [l] provides descriptions of the procedures for the secure installation, generation and startup of the TOE. It discusses the following relevant topics: • Requirements and Safety Information • Installation Overview and Installing PIX Firewall 501, 506, 506E, 515, 515E, 520, 525 and 535 models • Opening a PIX Firewall Chassis • Installing additional network cards, memory and DC voltage 44. Secure operation of the Cisco Secure PIX Firewall by an administrator is fully described in the Configuration Guide [m], System Log Messages guide [n] and the Certified Installation and Configuration document [k]. There is no end-user documentation as there are no end-users of the TOE. 45. The Configuration Guide [m] includes details of the firewall commands, including the method used to invoke the command (via the Console Command Interface (CCI)) and the command parameters that can be set, together with examples. The guide also details the large number of security parameters that are under the control of the administrator. The System Log Messages guide [n] contains a listing of all those events relevant to TOE administration that are logged by the System Logger Agent. 
The guide is structured into sections for groups of error messages.

46. The Certified Installation and Configuration document [k] ensures that the TOE will be maintained in the evaluated configuration and that it will be administered in a secure manner.

Strength of Function

47. The SoF claim for the TOE was as given above under “Strength of Function Claims”. Based on their examination of all the evaluation deliverables, the Evaluators confirmed that there were no probabilistic or permutational mechanisms in the TOE.

Vulnerability Analysis

48. The Developer’s vulnerability analysis described all known vulnerabilities identified on the CCO website, which had been used as the public domain source of vulnerability information relating to the TOE.

49. The Evaluators’ vulnerability analysis considered public domain sources on 9 different recognised websites, but found no vulnerabilities beyond those detailed on the CCO website. The Evaluators’ analysis also considered the evaluation deliverables for potential vulnerabilities. The Evaluators confirmed that the Developer’s vulnerability analysis was consistent with the Security Target [a] and the countermeasures detailed in the Certified Installation and Configuration document [k]. This analysis resulted in the identification of 21 penetration tests, 2 of which were subsequently deemed to be not applicable.

Testing

50. The correspondence between the tests specified in the Developer’s test documentation and the IT Security Functions specified in the Functional Specification, and between the tests and the High Level Design, was complete and accurate in terms of the coverage of the Security Functions and High Level Design.
Although the Evaluators identified some additional tests in the test documentation that were not identified in the Developer’s mappings, the Evaluators were nevertheless satisfied that the tests were suitable to demonstrate the expected behaviour of the Security Functions. For each command used in a test, the Developer tested for correct operation, error conditions, incorrect entry of the command, incorrect parameters (where appropriate) and parameters out of range (where appropriate).

51. The test documentation included the Test Plan and Analysis document, which detailed the test descriptions/procedures (including the pre-requisites, test order dependencies and expected results), the mapping of Security Functions to test cases, the mapping of High Level Design to test cases, the mapping of interfaces to test cases, the test environments, the test tools and the actual test results. The test results included the results of regression testing and all test results were found to be consistent with the expected results. The Evaluators noted that the test environment, including the PFSS configuration, was consistent with the security environment requirements and assumptions stated in the Security Target [a].

52. The Developer’s testing was performed using a largely automated test suite, comprising both fully automated tests and manual tests, the latter prompting for external stimuli before return of control to the test suite. The test suite recorded the test results. All IT Security Functions and the TSF Interface were exercised during the testing and were addressed under the following test categories:
• Initialisation
• Basic network operation
• Console command interface
• Accounting and auditing
• Network application access control

53. The Developer tested all commands identified in the Functional Specification, except exit (from unprivileged mode), pager, name, show tech-support, hostname, names, show traffic and help.
These were included in the independent tests performed by the Evaluators. The Evaluators concluded that, although the testing performed by the Developer was not exhaustive, it provided completeness in terms of testing all of the Security Functions identified in the Functional Specification.

54. As agreed by the Developer, Evaluators and Certifier, Developer tests were carried out on PIX 501, 515 and 535 hardware platforms.

55. The Evaluators used similar test configurations to the Developer to perform independent testing on PIX 506E, 515E and 525 hardware platforms as follows:

a. Prior to the start of each test on the PIX 506E, 515E or 525 platform, the TOE configuration was set to a known, initial state.

b. A subset of the TOE-specific developer tests was repeated on PIX 506E and 525 platforms to validate the Developer’s security functional testing. The sample included tests of all Security Functions and all developer tests that involved the use of test tools and scripts.

c. An additional test subset was devised and performed on the PIX 506E and 515E platforms that:
   i. exercised other attributes of security functionality specified in the Functional Specification that were not completely covered by the testing performed by the Developer, as documented in the Test Plan and Analysis, ie usage of commands available at the CCI;
   ii. exercised most Security Functions specified in the Functional Specification, augmenting and supplementing the developer tests to more rigorously test and vary the testing approach of the Security Functions where possible;
   iii. exercised the TOE using additional supported network interface cards configured for operation;
   iv. focussed on the information flow control Security Functions, as these are the most complex and significant Security Functions of the TOE;
   v. concentrated on “incorrect” Security Function parameters, as the developer tests were mainly positive testing of security functionality; and
   vi. enabled all required TOE configuration changes to be performed at the CCI.

d. The test subset included 17 independent functional tests.

56. The Evaluators performed the 19 penetration tests, together with a further 2 ad-hoc tests, on PIX 506E and 525 platforms. These penetration tests were devised to confirm the non-exploitability of potential vulnerabilities that had been noted during the course of the evaluation. The tests were categorised under the headings of Reboot, Flood, Connection State, Spoof, Scan, ACK Spoof and Bypass. They included port flood, port scanning, ACK spoofing and TELNET flood tests using the following tools:
• Divine Intervention – Plague, Version 3.0
• Port Flooding tool from 7th Sphere, Version 1.02
• Sniffer Pro, Version 1.5.02
• AA Tools, Version 4.0c
• SuperScan, Version 3.00
• Ethereal, Version 0.8.18
• Nmap, Version 3.00
• Fragroute for Linux, Version 1.2
• Lcrzoex (packet generator), Version 4.17.0

57. Test coverage on the PIX 506E, 515E and 525 hardware platforms was as outlined below under “Platform Issues”.

Platform Issues

58. The Developer repeated all security functional tests on each TOE platform to demonstrate secure operation of the TOE on the PIX 501, 515 and 535 hardware platforms, including tests for all types of connection protocol. These tests used the Test Configuration as detailed in Annex A. The Evaluators confirmed that all of the test results were identical and consistent with the expected results.

59. The Evaluators repeated their sample of 7 developer tests on the PIX 506E platform using an equivalent Test Configuration as detailed in Annex A. No significant differences were found from the Developer’s tests.
To confirm consistency of results across the PIX platforms, the Evaluators repeated 3 of these 7 developer tests on the PIX 525 platform. The Evaluators:
• repeated 39% of the total developer tests performed on the PIX 506E platform
• repeated all developer tests introduced since the previous evaluation [o]
• repeated selected developer tests on both the PIX 506E and 525
• repeated tests for all Security Functions, except some minor aspects (some sampled previously [o])

60. The Evaluators performed their 17 independent functional tests on the PIX 506E using the same Test Configuration with 2 network interface cards in use. To confirm consistency of results across the PIX platforms, in particular for the information flow controls, the Evaluators repeated 8 of these 17 tests on the PIX 515E platform with an additional quad-port network interface card in use.

61. The Evaluators performed their 19 penetration and 2 ad-hoc tests on the PIX 506E platform using the Test Configuration detailed in Annex A. To confirm consistency of results across the PIX platforms, the Evaluators repeated 6 of these 21 tests on the PIX 525 platform with an additional quad-port network interface card in use.

62. The Evaluators found that the test results were consistent with the expected results and that the test results were consistent across all the platforms tested. No discrepancies were found for any of the tests repeated on multiple platforms.

63. The TOE has no firmware components other than the flash memory that holds the TOE image. There were no firmware dependencies affecting the evaluation.

64. The Evaluators confirmed that no security functionality traced to the hardware.
However, the hardware was relied upon to provide general supporting protection mechanisms, including protected mode, interrupts and exceptions, processor execution levels, memory allocation and the system real time clock. The Evaluators confirmed that these mechanisms, which were controlled by TOE software components, operated correctly.

Assurance Maintenance and Re-evaluation Issues

65. With respect to the ALC_FLR.1 augmentation, the Evaluators confirmed that the flaw remediation procedures documentation was satisfactory. The procedures dealt with Bug Reports and Customer Reported Issues, including all those related to TOE security. Updated product releases and patch downloads are distributed to consumers using the measures described under “Delivery”. Details of all the security flaws are maintained using the Distributed Defect Tracking System (DDTS), which tracks the corrective action and status for each product defect. Existing customers are notified of each security flaw and associated fix and the method for obtaining an updated product release or patch by a variety of methods:
• TOE users are informed of information relating to a security flaw either via the monthly electronic newsletter distributed to all registered customers (ie CCO Users) or by visiting the CCO website, hosted at http://www.cisco.com.
• Information relating to flaws raised by security advisories is detailed at http://www.cisco.com/warp/public/707/#pix. This is updated with fixes and workarounds as soon as they are identified by the DDTS process.
• Information relating to a product release, patch or updated guidance can be found at http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_sw_index.htm. This will include any guidance to the User required to mitigate a security flaw or to implement the patch to a security flaw.
• The website entry http://www.cisco.com/cgi-bin/tablebuild.pl/pix provides links to all released versions of the product available to the User. The User must be a registered CCO User to access these downloads. The User is able to access patches to counter security flaws from this site.

66. Consumers should note that the EAL4 augmentation with assurance component ALC_FLR.1 was expressly included as the Sponsor intends to maintain the assurance established in the TOE under a UK assurance maintenance scheme. If the Sponsor decides to proceed with this approach, details of the product builds or patches covered by this scheme would be provided on the UK Scheme website. Details of all updated product builds and patches covered by this scheme would also be provided on the CCO website.

III. EVALUATION OUTCOME

Certification Result

67. After due consideration of the ETR [i], produced by the Evaluators, and the conduct of the evaluation, as witnessed by the Certifier, the Certification Body has determined that Cisco Secure PIX Firewall Version 6.2(2) meets the Common Criteria Part 3 conformant requirements of Evaluation Assurance Level EAL4, augmented with ALC_FLR.1, for the specified Common Criteria Part 2 conformant functionality, extended by FAU_AUD.1, in the specified environment when running on the PIX 501, 506, 506E, 515, 515E, 520, 525 and 535 hardware platforms as specified in Annex A.

Recommendations

68. Prospective consumers of Cisco Secure PIX Firewall Version 6.2(2) should understand the specific scope of the certification by reading this report in conjunction with the Security Target [a].
The TOE should only be used in accordance with the environmental considerations specified in the Security Target.

69. Only the evaluated TOE configuration should be installed. This is specified in Annex A with further relevant information given above under “TOE Scope” and “Evaluation Findings”.

70. The TOE should only be configured and used in accordance with the supporting guidance documentation as listed in Annex A and as summarised under “Installation and Guidance Documentation”.

71. Potential consumers and administrators of the product should note the following general points with regard to the firewall:
a. A network security policy should be defined prior to any attempted installation or implementation of the firewall.
b. Only the approved administrators should have physical access to the firewall, the firewall console and the PFSS.
c. The network connections to the firewall should be controlled to prevent any firewall bypass connection from being installed.
d. The accounting option logging console debug should only be used with great care during operational use of the TOE, because this option can delay the invocation of modifications to the configuration when the PIX is under heavy loading of network traffic.

72. Potential consumers of the TOE should ensure that the security functionality and assurance of the AAA server for the identification and authentication of administrators and of FTP and TELNET connections, where required, is adequate for their needs.

73. Potential consumers of the TOE should also ensure that the PFSS (ie the separate Windows NT 4.0 machine allocated to the storage and review of audit data generated by the TOE) has adequate assurance to meet their needs.
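The two delivery checks that recommendations 69 and 70 rely on, the MD5 comparison of the downloaded image (item f under “Delivery”) and the show version check (item g), as an added example in Python; this is not code from Cisco or from the Scheme. The expected hash and version string are the values from the Delivery table; the “Cisco PIX Firewall Version ...” first line of show version is an assumed format and the sample output is constructed.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

# Values from the Delivery section of the report.
EXPECTED_MD5_6_2_2 = "abf75efd73b4003ba85f334a779a2188"
EVALUATED_VERSION = "6.2(2)"

# Constructed sample of 'show version' console output; the "Cisco PIX Firewall
# Version ..." first-line format is an assumption, not taken from the report.
SAMPLE_SHOW_VERSION = "Cisco PIX Firewall Version 6.2(2)\n(rest of output omitted)\n"


def md5_hex(data: bytes) -> str:
    """MD5 of an image held in memory (item f)."""
    return hashlib.md5(data).hexdigest()


def md5_hex_file(path: str) -> str:
    """MD5 of an image on disk, streamed so a multi-megabyte image is not read at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(64 * 1024), b""):
            h.update(chunk)
    return h.hexdigest()


def image_matches(digest: str, expected_md5: str = EXPECTED_MD5_6_2_2) -> bool:
    """Compare the computed digest with the published value.

    MD5 is what the guidance specifies and, as the report notes, it is only
    intended to counter an attacker with low attack potential. compare_digest
    keeps the comparison constant time; the digest is public, so this is
    hygiene rather than a necessity.
    """
    return hmac.compare_digest(digest.lower(), expected_md5.lower())


_VERSION_RE = re.compile(r"^Cisco PIX Firewall Version (\S+)", re.MULTILINE)


def parse_pix_version(show_version_output: str) -> Optional[str]:
    """Extract the version string from captured 'show version' output (item g).

    Returns None when no version line is present, so a truncated capture is
    reported as 'not found' rather than as a mismatch.
    """
    m = _VERSION_RE.search(show_version_output)
    return m.group(1) if m else None


def check_delivery(image: bytes, show_version_output: str) -> Dict[str, object]:
    """Run both checks and report each outcome separately."""
    digest = md5_hex(image)
    version = parse_pix_version(show_version_output)
    return {
        "md5": digest,
        "image_ok": image_matches(digest),
        "version": version,
        "version_ok": version == EVALUATED_VERSION,
    }


if __name__ == "__main__":
    # With constructed image bytes the hash cannot match the published value;
    # pass md5_hex_file(path) of a downloaded image to image_matches for a real check.
    print(check_delivery(b"constructed image bytes", SAMPLE_SHOW_VERSION))
```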
ANNEX A: EVALUATED CONFIGURATION

TOE Identification

1. The TOE consists of:
• Cisco Secure PIX Firewall Version 6.2(2)

2. The Cisco Secure PIX Firewall software “image” (Version 6.2(2)) is pre-installed during manufacture on the PIX platforms.

3. The supporting guidance documents are:
• Certified Installation and Configuration for the Cisco Secure PIX Firewall Version 6.2(2) [k]
• Installation Guide for the Cisco Secure PIX Firewall Version 6.2 [l]
• Configuration Guide for the Cisco Secure PIX Firewall Version 6.2 [m]
• System Log Messages for the Cisco Secure PIX Firewall Version 6.2 [n]

4. Further discussion of the supporting guidance material is given above under “Installation and Guidance Documentation”.

TOE Configuration

5. The TOE can be configured for operation with up to 10 network interfaces to internal and external networks. In all cases, at least one internal and one external network interface card are configured.

6. The following initial product configuration was used for the developer and evaluator tests:
a. TOE configuration as defined in the installation and configuration guidance documentation [k-m], including identification of network interfaces and their security levels, creation of default routes and configuration of the PFSS;
b. Network interface cards for 1 internal network and 1 external network, together with 1 DMZ (one interface configured on a quad-port card) as appropriate to the test;
c. connections permitted for Ethernet, ARP, DNS, Echo, Finger, H.323, IP, ICMP, TCP, UDP, FTP, HTTP (World Wide Web), POP3, RTSP, Skinny (SCCP), SIP, SMTP and TELNET; and
d. Network Address Translation (NAT) enabled.
Environmental Configuration

7. The TOE was evaluated on the PIX 501, 506, 506E, 515, 515E, 520, 525 and 535 hardware platforms specified below. These platforms incorporate single AMD SC520 (501), Intel Celeron (506E and 515E), Intel Pentium II (520), Intel Pentium III (525 and 535) or Intel PI-MMX (506 and 515) processors. The TOE includes device drivers to support the network interface cards.

8. For Developer testing, the platforms used were:
• PIX 501 with 5 network interfaces, 2 configured
• PIX 515 with 3 Ethernet interfaces, 2 configured
• PIX 535 with 10 interfaces using single-port Ethernet, 2 quad-port Ethernet and single-port Gigabit Ethernet

9. For independent Evaluator functional and penetration testing, the platforms used were:
• PIX 506E with 2 fast Ethernet interfaces
• PIX 515E with 6 fast Ethernet interfaces
• PIX 525 with 2 fast Ethernet interfaces (as for PIX 506E)
• PIX 525 with 6 fast Ethernet interfaces (as for PIX 515E)

10. The following diagram illustrates the configuration of the test environment used for the Evaluator functional and penetration tests that took place in the Cisco Systems Ltd (Feltham) premises. (It replicates the configuration used by the Developer.)

[Figure: Test Configuration. Labels in the figure: PIX 6.2(2); interfaces dmz1, outside and inside; Windows 2000 hosts; Win.2000/Red Hat Linux hosts (PEN-12); Router 1; Router 2 (PEN-11, -15); Gateway 3 CallGen (PEN-9, -12); Gateway 4 CallGen; NT Syslog Server (PEN-15); Windows 2000 (PEN-15, -16, -18, -19, -21).]

11. The TOE in each of these test configurations was running on the PIX 506E, 515E or 525 hardware platform as appropriate to the specific test.

12. The test environment included unique IP addresses for all firewalls, workstations, servers, gateways and routers in the internal and external networks of the test configurations. (The target firewall platform required 3 unique IP addresses.) All test equipment was connected to the internal and external networks via Ethernet using 10BaseT network connections (RJ45 connectors).

13. The Test Configuration enabled all developer and evaluator tests (ie functional and penetration tests) related to connection protocols, different network configurations (ie 2 or more network interface cards operational) and the PFSS to be performed. Two of the network hosts (ie the Windows 2000 and Windows 2000 with Red Hat Linux hosts) were moved around the Test Configuration dependent on the specific test requirements.

14. The specifications of the TOE platforms are detailed below. In addition to these platforms, the test environment required the use of a variety of workstations and servers on the internal network, external network and DMZ. These machines were used to test the functionality of the TOE and to launch various penetration attacks. Although these test machines are not within the scope of the TOE, their specifications are summarised below for completeness.

15. The specification of the PIX 506E platform was as follows:
• 300MHz Intel Celeron single processor
• BIOS: 32KB Flash
• 8MB Flash, 32MB RAM
• 2 Intel Fast Ethernet 82559 network interface cards

16. The specification of the PIX 515E platform was as follows:
• 433MHz Intel Celeron single processor
• BIOS: 32KB Flash
• 16MB Flash, 64MB RAM
• 2 Intel Fast Ethernet 82559 and 4 Intel Fast Ethernet 82558 network interface cards

17. The specification of the PIX 525 platform was as follows:
• 600MHz Intel Pentium III single processor
• BIOS: 32KB Flash
• 16MB Flash, 128MB RAM
• 2 Intel Fast Ethernet 82559 and 4 Fast Ethernet 82558 network interface cards

18. The specification of the Inside Host (NT Syslog Server) was as follows:
• KAYAK XA PC, x86 Family 6 Model 5 Stepping 2
• Windows NT Server 4.0

19. The specification of the Outside Host (Windows 2000) was as follows:
• Compaq Proliant DL320, x86 Family 6 Model 8 Stepping 10
• Windows 2000 SP2

20. The specification of the DMZ1 Host (Windows 2000) was as follows:
• Compaq Proliant DL380, x86 Family 6 Model 8 Stepping 6
• Windows 2000 SP2

21. The specification of the Linux Host (Win.2000/Red Hat Linux) was as follows:
• IBM ThinkPad, x86 Pentium Family
• Red Hat Linux Release 7.0

22. The specification of the other network hardware was as follows:
• Routers: Cisco 3640 Series Router
• Gateways: Cisco 3640 Gateway

23. The TOE network interface cards were either built-in network interfaces or supported modules. There were 3 types of supported modules: a single-port 10/100 Module, a quad-port 10/100 Module and a single-port Gigabit Ethernet Module. Examples of each type of network interface card were used in the Developer and Evaluator tests. (See the Security Target [a] for part number details.)

ANNEX B: PRODUCT SECURITY ARCHITECTURE

1. This annex gives an overview of the product architectural features that are relevant to the security of the TOE. Other details of the scope of evaluation are given in the main body of the report.

Major Architectural Features

Trusted Components and Privilege

2. The Cisco Secure PIX Firewall product consists of a set of servers executing in the environment of the Finesse operating system kernel.
These operating system and server subsystems provide the network services that are executed on the firewall on behalf of an internal network machine. All subsystems are security enforcing. (For further details of these subsystems, see the next subsection.)

3. The Finesse operating system subsystem is an integral part of the TOE and performs the following functions:
• Enables the administrator to configure the system real time clock
• Ensures that residual memory is cleared before reallocation
• Maintains the clock used by the Logger Agent
• Verifies the stack on each context switch to prevent stack overflow
• Provides device control
• Provides process management (including context switching)
• Provides memory management

4. Cisco Secure PIX Firewall has only one class of user, the administrator. The administrator is trusted to manage the TOE, either locally or remotely, but remote management, except via TELNET from a trusted host on an inside interface, is outside the scope of the evaluation. Users of the network service connections through the firewall have limited rights and privileges and cannot log on to the firewall.

5. Aspects such as user identification and authentication and the storage of audit records are outside the scope of the evaluation.

External Interfaces

6. The external interfaces that comprise the TSF Interface are as follows:
• The user interface between the CCI subsystem and the terminal server
• The network interface between the IP subsystem and the network interface card
• The software/hardware interface between the Finesse subsystem and the underlying hardware

7. The CCI provides the method by which the administrator can configure the network services and directly accesses all subsystems of the TSF as described in the Configuration Guide [m].
The mechanism operates in 3 stages: unprivileged stage, privileged stage and config stage. To enter the privileged stage, the user enters a password, which changes the prompt from ‘pixfirewall>’ to ‘pixfirewall#’. To enter the config stage, the user enters ‘configure terminal’ and the prompt changes to ‘pixfirewall(config)#’. This mechanism helps protect against unintended changes to Security Functions by warning the user of the current stage. (The password mechanism is outside the scope of the evaluation.)

8. The network interface is required to enable the firewall to control traffic between an internal and external network. There are at most 10 physical network interfaces to the TOE. The interface to all hardware other than the network interfaces (eg the real time clock) is via the Finesse subsystem.

Design Subsystems

9. The Cisco Secure PIX Firewall controls the flow of IP traffic between network interfaces in the context illustrated below. The Cisco Secure PIX Firewall is a purpose built hardware device that uses a single AMD SC520, Intel Celeron, PI-MMX, Pentium II or Pentium III processor and runs the Cisco Secure PIX Firewall software “image” (Version 6.2(2)).

[Figure: Context for the Cisco Secure PIX Firewall. Labels in the figure: PIX Firewall; Internet; Outside; Inside; Protected Servers (Server 1, Server 2, Server 3); Internet Accessible Server; Protected Clients; DMZ1, DMZ2, DMZ3, DMZ4.]

10. The physical scope of the TOE is:
• Hardware - PIX 501 (fixed configuration with 5 network interfaces); PIX 506 or PIX 506E (fixed configuration with 2 network interfaces); PIX 515 or PIX 515E (with up to 6 network interfaces); PIX 525 (with up to 8 network interfaces); and PIX 535 (with up to 10 network interfaces)
• Software - Cisco Secure PIX Firewall “image” (Version 6.2(2))

11. The TOE interacts with a Windows NT Server 4.0 machine (running Service Pack 6a) for the purpose of storing the audit data generated by the TOE.

12. The software code in the Cisco Secure PIX Firewall can be divided into 2 classes, operating system (Finesse) and trusted servers (Console Command Interface, IP, ICMP, TCP, Logger and Firewall). Finesse is the core kernel that provides the supporting environment under which the various trusted servers execute. The trusted servers are runtime instances of the software subsystems that provide services to other servers or to external events.

13. The purpose of each of these subsystems is identified in the table below:

Subsystem                        Description
Finesse                          Provides an executing environment, scheduling, device management, inter-process communication and memory management.
Console Command Interface (CCI)  Provides a mediating interface agent between the TOE and the administrator.
IP Subsystem                     Provides addressing, packet forwarding and packet delivery of the Internet Protocol over Ethernet.
ICMP Subsystem                   Notifies IP of remote node errors such as remote host unreachable or communications failure due to link MTU, and provides a command interface for host discovery, ICMP (ping).
TCP Subsystem                    Handles TCP packets that terminate at the TOE.
Logger Subsystem                 Fans out auditing events to a console, remote Syslog Server and internal buffer.
Firewall Subsystem               Provides access control (based on packets received), NAT and application level inspection. Handles all IP packets routed through the TOE.

Purpose of TOE subsystems

Finesse Executing Environment

14. Finesse provides a runtime environment for program execution. Each instance of the program is a thread that includes a per-thread stack for variables of local scope, a virtual set of registers and a shared memory address pool. The use of a globally shared memory pool enables Finesse to avoid the high context switch penalty associated with a full flushing of the translation look-aside buffer on every context switch.

15. Finesse supports the execution of servers that are constructed with the Cisco Secure PIX Firewall image. No execution of external or third party programs is possible with Finesse. The implication is that only trusted servers are executed. Therefore, there is no functional need for the operating system to protect itself from malicious programs.

Scheduling

16. Finesse employs a simple scheduler that has 4 priorities: critical, high, normal and low. Each lightweight process or thread selects an immutable priority and is scheduled to execute when no other higher-priority thread is ready to be executed.

Device Management

17. Finesse provides a standard framework (initialisation, registration and interfaces) for device management. Each device, except those supported directly by Finesse (such as CPU, memory, real time clock and interrupt controller), exports a device initialisation routine at startup, an initial entry point, an announcement or registration routine and a standard set of Input/Output interface functions.

Inter-Process Communication (IPC)

18. There are 3 IPC mechanisms in the Cisco Secure PIX Firewall: shared memory, standard device interface and block queue. Shared memory is the simplest mechanism and provides access to shared values. It is used mainly as communication between the CCI and the various software modules.
Memory Management

19. Finesse provides 3 types of runtime memory: automatic memory, dynamic memory and block memory.

Console Command Interface (CCI)

20. The CCI is composed of a single thread that accepts input from the user at the control console. The command is then parsed and relayed into the appropriate subsystems. It is then that the subsystem will act upon the command.

IP Subsystem

21. The IP subsystem provides addressing, packet forwarding and packet delivery of the Internet Protocol over Ethernet.

22. The IP subsystem is composed of IP devices or IP stacks and a single global routing table. The number of IP stacks corresponds to the number of datalink interfaces that exist in the TOE. One IP stack is instantiated per physical interface.

ICMP Subsystem

23. The ICMP subsystem implements the helper protocol to IP. The ICMP notifies IP of remote node errors such as remote host unreachable or communication failure due to link MTU. The ICMP also exports a command interface for host discovery (ping).

TCP Subsystem

24. The TCP subsystem handles TCP packets that terminate at the TOE.

Logger Subsystem

25. The Logger subsystem fans out auditing events to a console, remote Syslog Server and internal buffer, as illustrated below.

[Figure: Logger Processing. Labels in the figure: Audit Events; Message Queue; Logger Agent; Console; Buffer; Syslog Server. Audit events reach the Logger Agent, which fans them out to the console, the internal buffer and the Syslog Server.]

26. The Logger subsystem is composed of a single functional interface, syslog, for the various systems to invoke and to deposit messages to the Logger Agent. The Logger Agent then fans out the messages to the console, remote Syslog Servers, or an internal buffer syslog monitor.

Firewall

27. The Firewall subsystem provides access control, NAT and application level inspection. The Firewall subsystem handles all IP packets that are routed through the TOE.

28. The Firewall Engine controls network sessions between 2 security zones. Each security zone is physically associated with the networks that are reachable through a network interface. Logically, the security zone is represented by a security level associated with an interface. Networks that reside behind an interface with a high security level are assumed to be more secure than networks that reside behind an interface with a lower security level. At the policy level, the implication is that a session initiated from a low security zone to a high security zone is implicitly denied, while a session that is initiated from a high security level to a low security level is implicitly permitted.

29. The Firewall subsystem implements stateful inspection. With stateful inspection, once a flow is established, data that belong to the flow will not need permission from the access-list to traverse the Cisco Secure PIX Firewall. The data, however, must pass the stateful inspection of the application inspection function.

30. Each flow is mapped loosely to an application communication. For TCP, the flow is defined to be the 4-tuple of source address, destination address, source port and destination port; it is initiated by a 3-way set-up handshake and is terminated with a 4-way close down sequence. For UDP, the flow is based on the same 4-tuple fields as in TCP, but with a timeout mechanism. For all other protocols, each flow degenerates to one packet.

Access Control Database (access-list)

31. The Access Control Database is the main database that controls what flows can be established through the TOE. The access-list is composed of elements that define wildcard selectors that are used to match the control data that initiated a flow.
Definable selectors are IP source address, IP destination address, IP protocol and transport fields, such as TCP and UDP ports and ICMP types. Application Level Inspection Functions (fixup) 32. The fixup database contains a static pre-defined set of application level inspection functions. These functions include FTP, H.323, HTTP, RTSP, SIP, Skinny (SCCP) and SMTP. (RSH and SQLNET are also supported, but are outside the scope of the evaluation.) 33. During initial flow set-up, a set of application level inspection functions is associated with the fixup function. The fixup command is used to specify the set of connection protocols and associated ports for inspection by these functions. These connection protocols and ports are then inspected in a pre-established order for each datum that uses the flow. Cisco Secure PIX Firewall EAL4 Version 6.2(2) augmented by ALC_FLR.1 running on PIX 501, 506, 506E, 515, 515E, 520, 525 and 535 Annex B December 2002 Issue 1.0 Page 27 Application Sessions (connection) 34. The connection database holds the states or contexts for all flows. The states are used by the protocol inspection function (stateful inspection) to verify the security attributes of data that use the connection. In addition to inspection, the states of the flow can also be used to prepare other flows that belong to the same application. Network Address Translation 35. The NAT engine implements network address translation and port address translation (generically referred to as NAT). The NAT engine processes the traffic flow to perform NAT before and after the Firewall processing. NAT pre-processing is performed after the initial packet connection and before permission is granted. NAT post-processing is performed after the inspection and before the initial packet connection with the outside server. 36. NAT must be configured before flows will successfully be processed by the Cisco Secure PIX Firewall. 
The configuration of NAT may be to specify the rules for translation or simply to disable NAT. Environmental Dependencies 37. FTP and TELNET connections requiring an authentication mechanism to verify user identity rely on the AAA server, which is outside the scope of the TOE. The AAA server mediates all TELNET sessions destined for the firewall (ie those for Remote Management). For TELNET and FTP traffic flow connections routed through the TOE, the use of the AAA server depends on the TELNET and FTP server settings). Users of these connections have limited rights and privileges. Only TELNET connections related to Remote Management can log on to the firewall. The PIX is configured to accept only TELNET sessions from a single trusted host on the internal network. The administrator local login uses the same authentication mechanism to verify the administrator’s access to the firewall. 38. Auditing events are recorded on the PFSS, which is outside the scope of the TOE. The PFSS is hosted on a separate machine that meets the software, hardware and security environment requirements specified in the Security Target [a]. This machine is relied upon to securely store (ie physically protect) the audit records so that only authorised access is provided to review these records. EAL4 Cisco Secure PIX Firewall augmented by ALC_FLR.1 Version 6.2(2) Annex B running on PIX 501, 506, 506E, 515, 515E, 520, 525 and 535 Page 28 Issue 1.0 December 2002 (This page is intentionally left blank)
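As an added illustration of the flow handling described in paragraphs 28 to 31 (example code written for this report, not part of the report or of the PIX software), the following toy Python model applies the security-level policy, the access-list wildcard selectors and the per-protocol flow rules: TCP flows opened by a SYN and closed by a FIN, UDP flows with an idle timeout, and every other protocol treated as a one-packet flow. The interface levels, access-list format, packet dictionary and timeout value are all assumptions made for the example.

```python
import time

# Constructed interface table: name -> security level (higher = more trusted).
IFACE_LEVEL = {"inside": 100, "dmz": 50, "outside": 0}
TCP, UDP = 6, 17
UDP_TIMEOUT = 2.0  # idle seconds before a UDP flow is dropped (constructed value)

def _matches(rule, pkt):
    """Access-list entry (src, dst, proto, dport); '*' is a wildcard selector."""
    fields = (pkt["src"], pkt["dst"], pkt["proto"], pkt["dport"])
    return all(sel == "*" or sel == val for sel, val in zip(rule, fields))

class StatefulFilter:
    def __init__(self, access_list, clock=time.monotonic):
        self.acl, self.clock = access_list, clock
        self.flows = {}  # (src, dst, sport, dport, proto) -> expiry (UDP) or None (TCP)

    def _policy_permits(self, pkt):
        # High -> low security level is implicitly permitted; low -> high is
        # implicitly denied unless an access-list element matches (paras 28, 31).
        if IFACE_LEVEL[pkt["in"]] > IFACE_LEVEL[pkt["out"]]:
            return True
        return any(_matches(rule, pkt) for rule in self.acl)

    def _lookup(self, key):
        # A packet belongs to an established flow in either direction.
        src, dst, sport, dport, proto = key
        rev = (dst, src, dport, sport, proto)
        return key if key in self.flows else rev if rev in self.flows else None

    def handle(self, pkt):
        now = self.clock()
        self.flows = {k: e for k, e in self.flows.items() if e is None or e > now}
        key = (pkt["src"], pkt["dst"], pkt["sport"], pkt["dport"], pkt["proto"])
        found = self._lookup(key)
        if pkt["proto"] == TCP:
            if found is not None:
                if pkt.get("fin"):  # simplified: FIN stands in for the close-down sequence
                    del self.flows[found]
                return "PERMIT"      # data of an established flow bypasses the access-list
            if not pkt.get("syn") or not self._policy_permits(pkt):
                return "DENY"        # only a SYN may open a flow, and only if policy allows
            self.flows[key] = None
            return "PERMIT"
        if pkt["proto"] == UDP:
            if found is None and not self._policy_permits(pkt):
                return "DENY"
            self.flows[found or key] = now + UDP_TIMEOUT  # (re)start the idle timer
            return "PERMIT"
        # Every other protocol: each packet is a one-packet flow checked against policy.
        return "PERMIT" if self._policy_permits(pkt) else "DENY"
```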