Security Target for Juniper Networks JUNOScope IP
Service Manager 8.2R2
Version 1.1
July 2007
Prepared for:
Juniper Networks
1194 North Mathilda Avenue
Sunnyvale
California 94089
USA
Prepared by:
BT
Aldershot TE
Ordnance Road, Aldershot
Hampshire, GU11 2AH
UK
© 2007 Juniper Inc. 2
All Rights Reserved
Contents
1 ST Introduction ..................................................................................................................................4
1.1 ST Identification...........................................................................................................................4
1.2 ST Overview ................................................................................................................................4
1.3 CC Conformance.........................................................................................................................4
1.4 Conventions.................................................................................................................................4
2 TOE Description ................................................................................................................................6
2.1 TOE Identification ........................................................................................................................6
2.2 TOE Type ....................................................................................................................................6
2.3 Product Description .....................................................................................................................6
2.3.1 JUNOScope Service Manager............................................................................................6
2.3.2 Network Connections..........................................................................................................8
2.3.3 TOE Boundaries .................................................................................................................8
3 TOE Security Environment..............................................................................................................10
3.1 Assumptions ..............................................................................................................................10
3.1.1 Physical Assumptions.......................................................................................................10
3.1.2 Personnel Assumptions ....................................................................................................10
3.1.3 IT Environment Assumptions............................................................................................10
3.2 Threats.......................................................................................................................................10
3.3 Organizational Security Policies................................................................................................11
4 Security Objectives..........................................................................................................................12
4.1 Security Objectives for the TOE ................................................................................................12
4.2 IT Security Objectives for the Environment...............................................................................12
4.3 Non-IT Security Objectives for the Environment .......................................................................12
5 IT Security Requirements................................................................................................................13
5.1 Security Functional Requirements.............................................................................................13
5.2 Security Functional Requirements for JUNOScope ..................................................................14
5.2.1 Audit (FAU) .......................................................................................................................14
5.2.2 User data protection..........................................................................................................15
5.2.3 Identification and authentication (FIA) ..............................................................................16
5.2.4 Management.....................................................................................................................17
5.2.5 TOE access (FTA) ............................................................................................................18
5.3 IT Environment Security Functional Requirements...................................................................18
5.3.1 Identification and authentication (FIA) ..............................................................................18
5.3.2 Protection of the TSF (FPT)..............................................................................................19
5.4 Minimum strength of function ....................................................................................................19
5.5 Security Assurance Requirements ............................................................................................19
6 TOE Summary Specification ...........................................................................................................21
6.1 TOE Security Functions.............................................................................................................21
6.1.1 User Data Protection.........................................................................................................21
6.1.2 Identification and Authentication.......................................................................................21
6.1.3 Security Management.......................................................................................................22
6.1.4 Audit..................................................................................................................................23
6.1.5 TOE access ......................................................................................................................24
6.2 Assurance Measures.................................................................................................................24
7 Rationale .........................................................................................................................................27
7.1 Rationale for Security Objectives ..............................................................................................27
7.1.1 Rationale for Security Objectives for the TOE..................................................................27
7.1.2 Rationale for Security Objectives for the Environment.....................................................28
7.2 Rationale for Security Requirements.........................................................................................29
7.2.1 Rationale for TOE security functional requirements.........................................................29
7.2.2 Rationale for TOE Environment Security Functional Requirements ................................31
7.2.3 Rationale for Security Assurance Requirements (SAR)...................................................32
7.2.4 Dependencies Rationale...................................................................................................32
7.3 TOE Summary Specification Rationale .....................................................................................32
7.4 IT security functions mutually supportive ..................................................................................35
8 Acronyms.........................................................................................................................................36
© 2007 Juniper Inc. 3
All Rights Reserved
List of tables
Table 5.1 Security Functional Components for JUNOScope .................................................................13
Table 5.2 IT Environment Security Functional Components..................................................................18
Table 5.3 TOE Assurance Components.................................................................................................20
Table 6.1 Assurance Measures..............................................................................................................25
Table 7.1 TOE Security Objectives Rationale........................................................................................27
Table 7.2 Environment Security Objectives Rationale ...........................................................................28
Table 7.3 Security functional requirements rationale .............................................................................30
Table 7.4 Security functions rationale ....................................................................................................33
© 2007 Juniper Inc. 4
All Rights Reserved
1 ST Introduction
1.1 ST Identification
TOE Identification: Juniper Networks JUNOScope IP Service Manager 8.2R2
ST Identification: Security Target for Juniper Networks JUNOScope IP Service Manager
8.2R2
Assurance Level: Evaluation Assurance Level (EAL) 3, augmented with ALC_FLR.3.
ST Author: BT
Keywords: IP, Service Manager
CC Identification: Common Criteria for Information Technology Security Evaluation,
Version 2.3, August 2005, plus applicable CCMB and UK national interpretations up to 1
September 2006. Where specific changes result from application of an interpretation or
precedent this is noted in the security target.
1.2 ST Overview
The TOE is the JUNOScope IP Service Manager, also referred to as JUNOScope within
this document, on Sun Solaris version 9/04 and 10.
JUNOScope provides tools for managing routers via a web based interface, giving a
network operator access to the day-to-day tasks required to manage a network of routers,
including monitoring, configuration management, inventory management, software
management and administration.
The chapters of this Security Target are structured in accordance with the families in the
[CC] ASE class, with the various rationales required by the ASE families collated in
section 7.
1.3 CC Conformance
The TOE is Part 2 conformant, Part 3 conformant, and meets the requirements of EAL3
augmented with ALC_FLR.3.
1.4 Conventions
The following conventions have been applied in this document:
• Security Functional Requirements – Part 2 of the CC defines the approved set of
operations that may be applied to functional requirements: assignment, selection,
refinement and iteration.
o The refinement operation is used to add detail to a requirement, and thus further
restricts a requirement. Refinement of security requirements is denoted by bold
text. For an example, see FMT_SMR.1 in this security target.
o The selection operation is used to select one or more options provided by the CC
in stating a requirement. Selections are denoted by italicized text. For an example,
see FAU_GEN.1 in this security target.
© 2007 Juniper Inc. 5
All Rights Reserved
o The assignment operation is used to assign a specific value to an unspecified
parameter, such as the length of a password. Assignment is indicated by showing
the value in square brackets, [assignment value]. For an example, see FIA_ATD.1
in this security target.
o The iteration operation is used when a component is repeated with varying
operations. Iteration is denoted by showing the iteration sequence letter following
the component identifier. For example, see FMT_MTD.1 in this security target.
• User privilege in accessing the TOE is based on the usergroup association. A
usergroup can be configured with one of the four access levels available:
administrator, read-write, read-only or nobody1
. Users belonging to the administrator
group have full access to all devices managed by the TOE, including the
administrative tasks of TOE, e.g. creating a new user, and a new device. Read-only
and read-write usergroups can be applied to one or more devices at a finer granular
level. Users belonging to the nobody usergroup have no access to any device except
the login to TOE. The term “user” refers to a user that belongs to any of the four
usergroups mentioned above.
1
Also referred to as “no one”
© 2007 Juniper Inc. 6
All Rights Reserved
2 TOE Description
2.1 TOE Identification
The TOE is the JUNOScope IP Service Manager release 8.2R2 running on Sun Solaris
version 9/04 and 10
2.2 TOE Type
The TOE is software to monitor and manage router operations centrally
2.3 Product Description
2.3.1 JUNOScope Service Manager
The JUNOScope software is an element management application that provides tools for
managing IP services for the M-Series, T-Series and J-Series routing platforms.
JUNOScope element management tools include:
Looking Glass for viewing real-time device operational, diagnostic and troubleshooting
information. This includes showing outstanding alarms on a router.;
Configuration Manager for archiving, importing, comparing, displaying and restoring the
configuration files on devices in the network. The Configuration Manager also includes a
Web-based Configuration Browser and a Configuration Editor for managing configuration
file content. The device configuration files are referred to as “revisions” and are stored in
the “Configs” repository as shown in Figure 1.
Inventory Management System for scanning software, license, and hardware inventory
and activity, such as additions, deletions or changes of inventory on selected devices on
the network. The Inventory Management System also allows viewing of predefined
reports or generation of custom reports.
Software Management System for network-wide deployment and installation of JUNOS
software images (bundles, packages, patches).
Monitoring logs for viewing the status of completed, scheduled or pending operations.
An audit log allows viewing of the status of all authentication activities and privileged
operations performed by authorized users.
Settings (administration) for modification of JUNOScope settings. JUNOScope
administration tools allow:
• Definition of user IDs and passwords used to log in to a device;
• Definition of usergroup, its associated users and device access privilege;
• Definition of how to connect to devices and the authentication information used to log
in;
• Connection of the JUNOScope software to devices in the network;
• Definition of a dynamic group of devices so JUNOScope tasks can operate on many
devices at the same time;
• Application of labels to statically organize a large group of devices in the network so
that JUNOScope operations, such as archive a configuration or inventory scan, can be
performed;
© 2007 Juniper Inc. 7
All Rights Reserved
• Setting the date, time and interval when a JUNOScope software operation is to occur
on devices in the network;
• Setting up local accounts and template accounts so that local users and users with
RADIUS accounts can log in to JUNOScope with appropriate permissions;
• Setting up an authentication policy for users with local accounts and remote RADIUS
accounts to authenticate to JUNOScope;
• Setting up RADIUS authentication server host information so that users with RADIUS
accounts can log in to JUNOScope with appropriate permissions;
• Setting up RADIUS accounting server host information so that authentication records
and privileged operations can be audited;
• Import and export of all JUNOScope settings data to the local file system;
• Creation, editing, viewing and running saved operations, such as archive, restore and
inventory scan.
Figure 1 JUNOScope architecture
Access to JUNOScope software is controlled by username and password. The software
enforces an authentication policy for each user. The JUNOScope administrator can edit
the user authentication policy, including locking the account, specifying maximum login
attempts, and setting an access window in which failed login attempts occur.
JUNOScope tasks are controlled under a privilege mechanism. There are four levels of
authorization for users/usergroups: nobody, read-only, read-write, and administrator.
The JUNOScope software provides audit logging of user authentication activity, and
privileged operations that change information in the JUNOScope system and on the
network to an internal audit log, the system log server, and an optional RADIUS
accounting server if one is configured.
Looking
Glass
Software
Manager
Configuration
Manager
Presentation Layer (HTML)
Inventory
Manager
Browser interface (https)
Application Server (Tomcat)
JUNOS
XNM
Task Manager
RADIUS
Syslog JDBC
XML
CVS
Authentication,
Accounting
Messages
Configs MySQL
SQL
inventory
interface
Local
(Solaris)
syslogd
RADIUS
server
Monitor &
Settings
Authorization Layer
TOE
Boundary
© 2007 Juniper Inc. 8
All Rights Reserved
2.3.2 Network Connections
2.3.2.1 JUNOScope to Router connection
JUNOScope is a web server application that runs on a UNIX workstation. The
JUNOScope software is a client of the JUNOScript server that runs on the router. The
JUNOScope software connects to the JUNOScript server, which allows connection to
routers via SSL (authentication to the routers for the query and upload of policies is
transparent). The JUNOScope software uses the JUNOScript Application Programming
Interface (API) to interact with the router, sending and receiving information in Extensible
Markup Language (XML) for operations such as archiving, restoring and browsing a
configuration file, and obtaining router status information.
The JUNOScope software connects to Juniper routing platforms running the current
JUNOS software release and including at least two previous releases. Previous releases
of JUNOS are outside the scope of this evaluation.
2.3.2.2 JUNOScope to Browser connection
The administrator connects to JUNOScope via a browser running on a client workstation.
The JUNOScope software provides security between the client and the server. SSL2
is
available between the JUNOScope server and the client web browser. All communication
is encrypted between the client Web browser and the JUNOScope server.
Management access from a browser to JUNOScope first requires exchange of X.509
digital certificate to instigate an HTTPS connection, prior to a login request.
2.3.3 TOE Boundaries
The TOE is a software-only TOE installed on a Sun Solaris 9/04 or Solaris 10 platform,
with Sun’s Java Cryptography Extension installed, including JRE 1.4.2_13.
There is no security functionality provided by the browser the administrator uses to
connect to JUNOScope. The only requirement of the browser is a functional aspect;
namely that the browser has Javascript enabled.
2.3.3.1 Physical Boundary
The TOE operates within the physical boundary of the server Sun Server that runs the
JUNOScope software.
The JUNOScope software has no physical interfaces, access being provided via the
physical interfaces of the Sun Server (console3
and network).
2.3.3.2 Logical Boundaries
The logical boundaries of the TOE are defined by the functions that can be carried out at
the TOE external interfaces. These functions include identification and authentication for
the administrative functions, management of the security configurations, audit and
protection of the TOE itself. These can be carried out either via a console directly
connected to the Sun Solaris platform or terminal session, or via a browser on a client
workstation connected over the LAN. (The only requirement of the client browser for
management is that Javascript is enabled.)
2
SSL is outside the scope of the TOE as this is implemented by the underlying operating system.
3
An interface to JUNOScope functionality from the Solaris console is only available during the installation and
reconfiguration of JUNOScope
© 2007 Juniper Inc. 9
All Rights Reserved
• Identification and Authentication
The TOE requires users to provide unique identification and authentication data before
any administrative access to JUNOScope is granted. The TOE provides four levels of
authority for users, providing administrative flexibility. Administrators have the ability to
define usergroups and their authority and they have complete control over the TOE.
Authentication services can be handled either internally (fixed passwords) or through
an authentication server in the IT environment, such as a RADIUS server (the external
authentication server is considered outside the scope of the TOE).
• Security Management
JUNOScope uses XML (JUNOScript) to interact with the router to view and modify
configuration information. The ability to access the management functions is
constrained according to the user’s group association, and authentication to the router
from JUNOScope is transparent to the user. The management functions available are
described in Section 2.3.1 above.
• Audit
JUNOScope auditable events are stored in the JUNOScope database and are
subsequently sent to the system log server. Audit events cover authentication activity
and privileged operations. Audit records include the date and time, event category,
event type, username and client IP address. The audit log can be viewed only by an
administrator. Search and sort facilities are provided.
The following interfaces are excluded from the evaluation:
• Inventory interface to MySQL
OSS/BSS inventory integration via a published SQL API for JUNOScope Inventory
datastore. This is a query interface directly into the database which stores the data
collected from the network devices. This interface is excluded from the evaluation as
it merely provides a method of querying the datastore, and does not provide a method
to access any of the management functions. This interface is to be disabled in the
evaluated configuration.
• XML-based Admin Settings import/export interface
An interface is provided to import/export required JUNOScope database data from/to
another JUNOScope server (encrypted or in clear text form). Such a farm
configuration of multiple JUNOScope servers is not considered in the evaluated
configuration.
© 2007 Juniper Inc. 10
All Rights Reserved
3 TOE Security Environment
The TOE security environment describes the security aspects of the intended
environment in which the TOE is to be used and the manner in which it is expected to be
employed.
The statement of TOE security environment defines the following:
• Threats that the TOE is designed to counter;
• Assumptions made on the operational environment and the method of use intended
for the TOE;
• Organizational security policies with which the TOE is designed to comply.
3.1 Assumptions
The following usage assumptions are made about the intended environment of the TOE.
3.1.1 Physical Assumptions
A.LOCATE The processing resources of the TOE will be located within controlled
access facilities, which will prevent unauthorized physical access.
3.1.2 Personnel Assumptions
A.NOEVIL The authorized users will be competent, and not careless, wilfully
negligent, or hostile, and will follow and abide by the instructions provided
by the TOE documentation.
3.1.3 IT Environment Assumptions
A.EAUTH External authentication services will be available via RADIUS.
A.THREAT The threat level in the environment where the TOE will be deployed is
considered low.
A.ACCESS Access to data and processes on the Solaris platform underlying the TOE
will be restricted to authorised personnel (i.e. JUNOScope Installer).
A.CRYPTO Management traffic will be protected using SSL.
3.2 Threats
T.PRIVIL An unauthorized user may gain access to the TOE and exploit system
privileges to gain access to TOE security functions and data,
inappropriately changing the configuration data for TOE security
functions.
T.OPS An unauthorized process or application may gain access to the TOE
security functions and data, inappropriately changing the configuration
data for the TOE security functions.
T.DEVCONF An unauthorized user or process may gain access to change the
configuration of a network device held on the TOE, inappropriately
changing the archived configuration of the device.
T.CONFLOSS Failure of network components may result in loss of configuration data
that cannot quickly be restored.
© 2007 Juniper Inc. 11
All Rights Reserved
T.NOAUDIT Unauthorized changes to the TOE configuration and other management
information will not be detected.
3.3 Organizational Security Policies
There are no organizational security policies that the TOE must meet.
© 2007 Juniper Inc. 12
All Rights Reserved
4 Security Objectives
4.1 Security Objectives for the TOE
The following security objectives are intended to be satisfied by the TOE.
O.EADMIN The TOE must provide services that allow effective management of its
functions, TSF data and user data.
O.AMANAGE The TOE management functions must be accessible only by authorized
users.
O.ACCESS The TOE must only allow authorized users and processes (applications)
to access protected TOE functions and data.
O.ROLBAK The TOE must enable rollback of router configurations to a known state.
O.AUDIT Users must be accountable for their actions in administering the TOE.
4.2 IT Security Objectives for the Environment
The following security objectives for the IT environment of the TOE must be satisfied in
order for the TOE to fulfill its own security objectives.
OE.EAUTH A RADIUS server must be available for external authentication services.
OE.BYPASS The IT environment for JUNOScope must ensure that the TOE is not
bypassed and will provide access control to TOE processes and files.
OE.BROWSE The IT environment must secure the communication channel between the
browser interface and the TOE.
OE.CRYPTO SSL must be enabled for all management traffic.
4.3 Non-IT Security Objectives for the Environment
OE.PHYSICAL Those responsible for the TOE must ensure that those parts of the TOE
critical to the security policy are protected from any physical attack.
OE.ADMIN Authorized users must follow all administrator guidance.
OE.EAL The TOE must be certified to EAL3 with flaw remediation (ALC_FLR.3).
© 2007 Juniper Inc. 13
All Rights Reserved
5 IT Security Requirements
5.1 Security Functional Requirements
This section specifies the security functional requirements (SFRs) for the TOE. This
section organises the SFRs by CC class. Table 5.1 identifies all SFRs implemented by
the TOE (JUNOScope). Following the table the components are listed, showing
completed operations.
Security Functional Class Security Functional Components
Security alarms (FAU_ARP.1)
Audit data generation (FAU_GEN.1)
User identity association (FAU_GEN.2)
Potential violation analysis (FAU_SAA.1)
Audit review (FAU_SAR.1)
Audit (FAU)
Protected audit trail storage (FAU_STG.1)
Basic rollback (FDP_ROL.1)
Subset access control (FDP_ACC.1)
User data protection (FDP)
Security attribute based access control (FDP_ACF.1)
User attribute definition (FIA_ATD.1)
Verification of secrets (FIA_SOS.1)
User authentication before any action (FIA_UAU.2)
Multiple authentication mechanisms (FIA_UAU.5)
Identification and authentication
(FIA)
User identification before any action (FIA_UID.2)
Management of security attributes (FMT_MSA.1)
Static attribute initialization (FMT_MSA.3)
Management of TSF data (FMT_MTD.1a)
Management of TSF data (FMT_MTD.1b)
Management of security functions behaviour
(FMT_MOF.1)
Specification of Management Functions
(FMT_SMF.1)
Security management (FMT)
Security roles (FMT_SMR.1)
TSF-initiated termination (FTA_SSL.3)
TOE access (FTA)
TOE session establishment (FTA_TSE.1)
Table 5.1 Security Functional Components for JUNOScope
© 2007 Juniper Inc. 14
All Rights Reserved
5.2 Security Functional Requirements for JUNOScope
5.2.1 Audit (FAU)
5.2.1.1 Security alarms (FAU_ARP.1)
FAU_ARP.1.1
The TSF shall take [the following action: lock the user account once the user
authentication policy is violated4
] upon detection of a potential security violation.
5.2.1.2 Audit data generation (FAU_GEN.1)
FAU_GEN.1.1
The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [not specified] level of audit; and
c) [User login/logout;
d) Login attempt fails due to invalid username and/or password;
e) User session timeout;
f) Configuration is committed on a device;
g) Configuration is archived from a device;
h) Configuration is restored on a device;
i) User account created/changed (usergroup association)/deleted;
j) User password changed;
k) Device added/changed/deleted;
l) Label association changed;
m) Access method changed;
n) Authentication information changed;
o) Deletion of audit records;
p) RADIUS server configuration added/changed/deleted;
q) Software image is imported;
r) Software image is deleted;
s) Software image is downloaded/installed to a device;
t) Usergroup is created/changed (device access privilege)/deleted;
u) User account is locked/unlocked]
FAU_GEN.1.2
The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity, and the outcome (success
or failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional
components included in the PP/ST,[no information]; and
c) [Client IP address where applicable].
5.2.1.3 User identity association (FAU_GEN.2)
FAU_GEN.2.1
The TSF shall be able to associate each auditable event with the identity of the user that
caused the event.
5.2.1.4 Potential violation analysis (FAU_SAA.1)
FAU_SAA.1.1
The TSF shall be able to apply a set of rules in monitoring the audited events and based
upon these rules indicate a potential violation of the TSP.
FAU_SAA.1.2
The TSF shall enforce the following rules for monitoring audited events:
4
The authentication policy consists of a maximum login attempts bound by an access window. The account will remain locked
until the administrator manually unlocks it.
© 2007 Juniper Inc. 15
All Rights Reserved
a) Accumulation or combination of [number of failed login attempt audit records
as specified by the Administrator] known to indicate a potential security
violation;
b) [no other events].
5.2.1.5 Audit review (FAU_SAR.1)
FAU_SAR.1.1
The TSF shall provide [administrators] with the capability to read [all information] from the
audit records.
FAU_SAR.1.2
The TSF shall provide the audit records in a manner suitable for the user to interpret the
information.
5.2.1.6 Protected audit trail storage (FAU_STG.1)
FAU_STG.1.1
The TSF shall protect the stored audit records from unauthorised deletion.
FAU_STG.1.2
The TSF shall be able to [prevent] unauthorised modifications to the stored audit records
in the audit trail.
5.2.2 User data protection (FDP)
5.2.2.1 Basic rollback (FDP_ROL.1)
FDP_ROL.1.1
The TSF shall enforce [the access control SFP] to permit the rollback of the [committed
configuration change] on the [router tables].
FDP_ROL.1.2
The TSF shall permit operations to be rolled back within the [configurations archived
within the TOE].
5.2.2.2 Subset access control (FDP_ACC.1)
FDP_ACC.1.1
The TSF shall enforce [the access control SFP] on
• [subjects: users
• Objects: device revisions stored in “configs” database
• Operations: operations that view/create data in “configs” database].
5.2.2.3 Security attribute based access control (FDP_ACF.1)
FDP_ACF.1.1
The TSF shall enforce [the access control SFP] to objects based on the following:
• [Subjects: users
• Subject security attributes: user permissions, user group membership
• Objects: device revisions stored in “configs” database
• Object security attributes: device the revision was created from].
Application Note:
The user permission is inherited from the predefined user groups (see FMT_SMR.1) as
follows:
User group Permission level
Administrator superuser
Read-write user read-write;
Read-only user read-only
Nobody none
© 2007 Juniper Inc. 16
All Rights Reserved
FDP_ACF.1.2
The TSF shall enforce the following rules to determine if an operation among controlled
subjects and controlled objects is allowed: [
For file objects:
• The user can display or compare the revisions of a device only if the user is a
member of a user group to which the device is associated and the user
permissions include “read-only” or “read-write”.
• The user can edit current device revision only if the user is a member of a user
group to which the device is associated and the user has the “read-write”
permission.
• The user can create a revision of a device only if the user is a member of a user
group to which the device is associated and the user has the “read-write”
permission.
• The user can perform a restore rollback function to restore a revision to a device
only if they are a member of the administrator or read-write user groups.
• A member of the administrator user group has full permissions to access the
revisions of any device managed by the JUNOScope software.
FDP_ACF.1.3
The TSF shall explicitly authorize access of subjects to objects based on the following
additional rules: [none].
FDP_ACF.1.4
The TSF shall explicitly deny access of subjects to objects based on the [non of the rules
in FDP_ACF.1.2 matching].
5.2.3 Identification and authentication (FIA)
5.2.3.1 User attribute definition (FIA_ATD.1)
FIA_ATD.1.1
The TSF shall maintain the following list of security attributes belonging to individual
users: [
a) User identity;
b) Authentication data;
c) Privileges].
5.2.3.2 Verification of secrets (FIA_SOS.1)
FIA_SOS.1.1
The TSF shall provide a mechanism to verify that secrets meet [password minimum
length of 6 characters with at least one change of character set (upper, lower, numeric,
other)].
5.2.3.3 User authentication before any action (FIA_UAU.2)
FIA_UAU.2.1
The TSF shall require each user to be successfully authenticated before allowing any
other TSF-mediated actions on behalf of that user.
5.2.3.4 User identification before any action (FIA_UID.2)
FIA_UID.2.1
The TSF shall require each user to identify itself before allowing any other TSF-mediated
actions on behalf of that user.
5.2.3.5 Multiple authentication mechanisms (FIA_UAU.5a)
FIA_UAU.5.1a
The TSF shall provide [internal fixed password mechanism and external server (RADIUS)
mechanism] to support user authentication.
© 2007 Juniper Inc. 17
All Rights Reserved
FIA_UAU.5.2a
The TSF shall authenticate any user’s claimed identity according to the [authentication
mechanism specified by an authorized user].
5.2.4 Management (FMT)
5.2.4.1 Application Note for FMT:
The “management access control SFP” is specified through the restrictions detailed in the
management security functional requirements (i.e. those taken from the FMT class).
These functions detail the manner in which different management functions are
constrained to particular administrator roles.
5.2.4.2 Management of security attributes
FMT_MSA.1.1
The TSF shall enforce the [management access control SFP] to restrict the ability to
[query, modify, delete] the security attributes [user permissions, user group membership
and device/user group association] to [Administrators].
5.2.4.3 Static attribute initialization
FMT_MSA.3.1
The TSF shall enforce the [management access control SFP] to provide [restrictive]
default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2
The TSF shall allow the [Administrators] to specify alternative initial values to override the
default values when an object or information is created.
5.2.4.4 Management of TSF data (FMT_MTD.1a)
FMT_MTD.1.1a
The TSF shall restrict the ability to [view, add, modify, delete] the [devices, access
methods, groups, schedules, authentication information, user accounts (local
authentication, user group authorization, authentication policy)] to [Administrators].
5.2.4.5 Management of TSF data (FMT_MTD.1b)
FMT_MTD.1.1b
The TSF shall restrict the ability to [view, delete] the [audit trail] to [Administrators].
5.2.4.6 Management of security functions behaviour(FMT_MOF.1)
FMT_MOF.1.1
The TSF shall restrict the ability to [modify] the function [operation of the user session
timeout function] to [TOE application installer].
5.2.4.7 Specification of Management Functions (FMT_SMF.1)
FMT_SMF.1.1
The TSF shall be capable of performing the following security management functions:[
a) download/install software images;
b) configure devices;
c) configure groups;
d) configure schedules;
e) configure access methods;
© 2007 Juniper Inc. 18
All Rights Reserved
f) configure users (local authentication, user group authorization, authentication
policy) ;
g) configure authentication information;
h) provide the audit trail for review;
i) configure the interval of inactivity following which a user session is
terminated].
5.2.4.8 Security roles (FMT_SMR.1)
FMT_SMR.1.1
The TSF shall maintain the roles [read-only user, read-write-user, administrator, nobody].
Application notes:
TOE application installer is a distinct role of TSF such that it does not have any users
associated with this role. The TOE application installer creates the initial administrator
account, specifies the server ports which TOE listens to, database password and other
parameters during the installation. This installer role is not visible nor accessible to any
other users.
The “nobody” group allows a user account to be created without access permission to
any device.
FMT_SMR.1.2
The TSF shall be able to associate users with roles.
5.2.5 TOE access (FTA)
5.2.5.1 TSF-initiated termination (FTA_SSL.3)
FTA_SSL.3.1
The TSF shall terminate an interactive session after a [specified inactivity time period].
5.2.5.2 TOE session establishment (FTA_TSE.1)
FTA_TSE.1.1
The TSF shall be able to deny session establishment based on [IP address].
5.3 IT Environment Security Functional Requirements
This section specifies the security functional requirements (SFRs) for the IT Environment.
This section organizes the SFRs by CC class. Table 5.2 identifies all SFRs implemented
by the IT Environment and indicates the ST operations performed on each requirement.
Security Functional Class Security Functional Components
Identification and authentication
(FIA)
Multiple authentication mechanisms (FIA_UAU.5)
Protection of the TSF Reliable time stamps (FPT_STM.1)
Protection of the TSF TSF Domain Separation (FPT_SEP.1)
Table 5.2 IT Environment Security Functional Components
5.3.1 Identification and authentication (FIA)
5.3.1.1 Multiple authentication mechanisms (FIA_UAU.5b)
FIA_UAU.5.1b
© 2007 Juniper Inc. 19
All Rights Reserved
The TOE environment shall provide [an external server (RADIUS) mechanism] to support
user authentication.
FIA_UAU.5.2b
The TOE environment shall authenticate any user’s claimed identity according to the
[RADIUS authentication mechanism as specified by an authorized user].
5.3.2 Protection of the TSF (FPT)
5.3.2.1 Reliable time stamps (FPT_STM.1)
FPT_STM.1.1
The TOE environment shall be able to provide reliable time stamps for use by the TOE.
5.3.2.2 TSF Domain Separation (FPT_SEP.1)
FPT_SEP.1.1
The TOE environment shall maintain a security domain for its own execution that protects
it from interference and tampering by untrusted subjects.
FPT_SEP.1.2
The TOE environment shall enforce separation between the security domains of subjects
in the TSC.
5.4 Minimum strength of function
The minimum strength of function required for the TOE is SOF-medium.
5.5 Security Assurance Requirements
The following table describes the TOE security assurance requirements drawn from Part
3 of the CC. The security assurance requirements represent EAL3, augmented with
ALC_FLR.3.
Assurance Class Assurance Components
Authorisation controls (ACM_CAP.3)
Configuration Management
(ACM)
TOE CM coverage (ACM_SCP.1)
Delivery procedures (ADO_DEL.1)
Delivery and operation (ADO)
Installation, generation, and start-up procedures
(ADO_IGS.1)
Informal functional specification (ADV_FSP.1)
Security enforcing high-level design (ADV_HLD.2)
Development (ADV)
Informal correspondence demonstration (ADV_RCR.1)
Administrator guidance (AGD_ADM.1)
Guidance documents (AGD)
User guidance (AGD_USR.1)
Identification of security measures (ALC_DVS.1)
Life cycle support (ALC)
Systematic flaw remediation (ALC_FLR.3)
Tests (ATE) Analysis of coverage (ATE_COV.2)
© 2007 Juniper Inc. 20
All Rights Reserved
Testing: high-level design (ATE_DPT.1)
Functional testing (ATE_FUN.1)
Independent testing – sample (ATE_IND.2)
Examination of guidance (AVA_MSU.1)
Strength of TOE security function evaluation (AVA_SOF.1)
Vulnerability assessment (AVA)
Developer vulnerability analysis (AVA_VLA.1)
Table 5.3 TOE Assurance Components
© 2007 Juniper Inc. 21
All Rights Reserved
6 TOE Summary Specification
6.1 TOE Security Functions
6.1.1 User Data Protection
FDP_ACC.1 Subset access control and FDP_ACF.1 Security attribute based access
control
Configuration Manager provides users with the capability to manage device revisions
(archived router configurations),
Access to router configurations (revisions) is based upon the user group membership of
the user. User group membership of the user determines the user’s permission
(superuser, read-write, read-only, none). Also, devices are associated with user groups
(a single device may be added to the user group authorization of multiple user groups). A
user only has access to revisions of a given device if the user and device are associated
with the same user group. The type of access the user has to the device revision is
further determined by the user group membership, in accordance with the pre-defined
user groups (see application note to FDP_ACC.1):
Configuration Manager function Superuser Read-write Read-only None
Configuration Editor 9 9 - -
Archive 9 9 - -
Compare 9 9 9 -5
Display 9 9 9 -
Restore 9 9 - -
FDP_ROL.1 Basic rollback
JUNOScope can be used to restore a device revision. This is used to store a
configuration that can later be used for rollback, and when rollback is to be performed it
allows specification of which saved configuration is to be used.
6.1.2 Identification and Authentication
FIA_ATD.1 User Attribute Definition
User accounts in the TOE have the following attributes: user name, authentication data
(password or an authentication server in the IT environment), and their privileges.
5
Although the user will be able to see the links to display device configuration, they will not have permission to
access any device information and so these links will always be empty. So effectively the users with “None”
privilege will not be able to to display device configurations.
© 2007 Juniper Inc. 22
All Rights Reserved
FIA_SOS.1 Verification of secrets
Locally stored authentication data for fixed password authentication is a case-sensitive,
alphanumeric value. The password has a minimum length of 6 characters with at least
one change of character set (upper, lower, numeric, other), and can be up to 40 ASCII
characters in length (control characters are not recommended).6
FIA_UAU.2 User authentication before any action. FIA_UAU.5 Multiple
authentication mechanisms and FIA_UID.2 User identification before any action
The TOE requires users to provide unique identification and authentication data
(passwords) before any administrative access to the system is granted.
The JUNOScope software supports two methods of user authentication: local password
authentication, Remote Authentication Dial-In User Service (RADIUS).
With local password authentication, you configure a password for each user allowed to
log into JUNOScope. RADIUS is an authentication method for validating users whose
user credentials are stored external to JUNOScope. RADIUS is a distributed client/server
systems—the RADIUS client runs on JUNOScope, and the server runs on a remote
network system.
If the identity specified is defined locally, the TOE will successfully authenticate that
identity if the authentication data provided matches that stored in conjunction with the
provided identity. Alternatively, if the TOE is configured to work with a RADIUS server,
the identity and authentication data is provided to the server and the TOE enforces the
result returned from the server. Regardless, no administrative actions are allowed until
successful authentication as an authorized administrator.
Authentication data can be stored either locally or on a separate server. The separate
server must support either the RADIUS protocol to be supported by the TOE.
6.1.3 Security Management
FMT_MSA.1 Management of Security Attributes and FMT_MSA.3 Static Attribute
Initialization
The administrator can manage user group authorization; assigning devices and users to
user groups. When a new instance of any of these objects is created, they are created
with nil ‘values’, and the administrator has to enter an initial value for each security
attribute of the object.
FMT_MTD.1 Management of TSF Data
The TOE provides the ability for the administrator to manage the configuration of the TOE
(manage the TOE data) as follows:
1. View, add, modify or delete the configuration of:
• devices
• access methods
• groups
• schedules
6
This function is the only function to which a strength of function claim is applicable.
© 2007 Juniper Inc. 23
All Rights Reserved
• authentication information
• users (local authentication, user group authorization, authentication policy)
2. View and delete the audit trail.
FMT_MOF.1 Management of functions in TSF
The TOE restricts the management of the user session timeout function to TOE installer.
FMT_SMF.1 Management of Security Functions
The TOE provides the ability to manage the following security functions:
a) Configure devices;
b) Download/install software images
c) Configure groups
d) Configure schedules
e) Configure access methods
f) Configure users (local authentication, user group authorization, authentication policy);
g) Provide the audit trail for review;
h) Configure session termination following user inactivity.
FMT_SMR.1 Security Roles
The TOE has four pre-defined roles/usergroups. When a new user account is created, it
must be assigned one of these roles.
a) Administrator: this role can perform all management functions on the TOE. A user with
this role can manage user accounts (create, delete, modify), view and modify the TOE
settings information, and full access to the routers via all functions available.
b) Read-write user: this role has full access to the routers via all functions available, but
without any access to the TOE settings,
a) Read-only user: this role can read router configuration, but cannot modify any
configuration, nor perform any operation which results in a change to the TOE or the
routers being managed, e.g. software upgrade.
b) Nobody: this role is denied access to all TOE functions except login.
6.1.4 Audit
FAU_GEN.1 Audit data generation
JUNOScope creates and stores audit records for the following events:
a) Start-up and shutdown of the audit function;
b) User login/logout;
c) Login attempt fails due to invalid username and/or password;
d) User session timeout;
e) Configuration is committed on a device;
f) Configuration is archived from a device;
g) Configuration is restored on a device;
h) User account created/changed/deleted;
i) User password changed;
j) Device added/changed/deleted;
k) Label association changed;
l) Access method changed;
© 2007 Juniper Inc. 24
All Rights Reserved
m) Authentication information changed;
n) Deletion of audit records;
o) RADIUS server configuration added/changed/deleted;
p) Software image is imported;
q) Software image is deleted;
r) Software image is downloaded/installed to a device
s) Usergroup is created/changed (device access privilege)/deleted;
t) User account is locked/unlocked
FAU_GEN.2 User identity association
JUNOScope will record within each audit record the following information:
a) Date and time of the event, type of event, subject (user) identity, and the outcome
(success or failure) of the event; and
b) Client IP address where applicable.
FAU_SAR.1 Audit review
Administrator can review and sort all audit records via the audit log table. Administrator
can analyze audit records by applying filters, such as event category, event type, last
updated timestamp, and associated user.
FAU_SAA.1 Potential violation analysis and FAU_ARP.1 Security alarms
An audit record is generated each time a failed authentication attempt is made. If the
maximum number of authentication attempts, as configured by the administrator, is
reached within the time period specified by the administrator then the account is locked
and an audit record generated identifying that the account has been locked.
FAU_STG.1 Protected audit trail storage
JUNOScope users with Administrator privilege can select audit log records for deletion.
Such deletions will be audited locally, and the record will be written to the syslog server
and remote RADIUS servers.
6.1.5 TOE access
FTA_SSL.3 TSF-initiated termination
A user session will be terminated by TOE once it has been idle for a period of time which
exceeds the inactivity timeout configured.
FTA_TSE TOE session establishment
The TOE will restrict or deny client access from specific IP addresses or subnets.
The user session is established (between the browser client and TOE) using HTTPS,
protected via SSL7
.
6.2 Assurance Measures
Table 6.1, below, identifies the deliverables that will meet the assurance requirements of
Common Criteria EAL 3. The identified deliverables describe the approach taken to meet
the assurance requirements, and meet all of the assurance requirements contained in this
assurance package.
7
SSL is outside the TOE, as it is implemented in the operating system.
© 2007 Juniper Inc. 25
All Rights Reserved
Table 6.1 Assurance Measures
Assurance Class Assurance
Components
Assurance Measures (Juniper
documentation)
Security target
(ASE)
All This security target meets all of the
requirements within class ASE.
Authorisation controls
(ACM_CAP.3)
Configuration
Management
(ACM)
TOE CM coverage
(ACM_SCP.1)
Delivery procedures
(ADO_DEL.1)
Delivery and
operation (ADO)
Installation,
generation, and start-
up procedures
(ADO_IGS.1)
Configuration Management Procedures for
Juniper
Delivery Procedures for Juniper
Installation Guide for the Juniper
Configuration Guide for the Juniper Release
Notes for Juniper
The Configuration Management Procedures
describe the use of a configuration
management system that meets the
requirements of ACM_CAP.3. All
documentation required by ACM_SCP.1 is held
under configuration control. The Delivery
procedures describe secure delivery process to
preserve the integrity of the TOE, meeting the
requirements of ADO_DEL.1 .
The Common Criteria Guide, Installation Guide,
Configuration Guide and Release Notes provide
information on how to bring the delivered TOE
into an operational state in accordance with
ADO_IGS.1.
Informal functional
specification
(ADV_FSP.1)
Functional Specification for JUNOScope
This document describes the external interfaces
to the TOE in a manner consistent with the
requirements of ADV_FSP.1.
Security enforcing
high-level design
(ADV_HLD.2)
High-level design for JUNOScope
This document describes the TOE in terms of
subsystems, and documents the interfaces
between them.
Development
(ADV)
Informal
correspondence
demonstration
(ADV_RCR.1)
Correspondence demonstration for
JUNOScope
A description of correspondence between the
TOE summary specification and the high-level
design is provided by means of cross-
references in this document.
Administrator
guidance
(AGD_ADM.1)
Guidance
documents (AGD)
User guidance
(AGD_USR.1)
Installation Guide for JUNOScope
Configuration Guide for JUNOScope
Command reference Guide for JUNOScope
Release Notes for JUNOScope
CC Evaluated Configuration Guide for
JUNOScope
These documents provide detailed guidance on
the administration of the TOE in a secure
manner. They also provide information on
achieving the evaluated configuration.
© 2007 Juniper Inc. 26
All Rights Reserved
Assurance Class Assurance
Components
Assurance Measures (Juniper
documentation)
Identification of
security measures
(ALC_DVS.1)
Development Security for Juniper.
This document defines the procedures used to
maintain the security of the development
environment. These measures provide a
combination of procedural, personnel and
technical measures that safeguard the integrity
and confidentiality of the TOE.
Life cycle support
(ALC)
Systematic flaw
remediation
Configuration Management Procedures
This document includes a description of the
problem reporting procedure used to log, track
and report flaws.
Analysis of coverage
(ATE_COV.2)
Testing: high-level
design (ATE_DPT.1)
Functional testing
(ATE_FUN.1)
Tests (ATE)
Independent testing –
sample (ATE_IND.2)
Testing plan and analysis for JUNOScope
The test documentation describes how each
external security functional interface is tested,
and also how it is demonstrated that the
subsystem interfaces are also operating
correctly. The documentation describes the test
environments used, the tests that are carried
out, and the results that are expected and
obtained. The TOE is made available to the
evaluators for testing.
Strength of TOE
security function
evaluation
(AVA_SOF.1)
Strength of function analysis for JUNOScope
The strength of function analysis provides an
analysis of the password mechanism that
demonstrates that the SOF claims are upheld.
Examine of guidance
(AVA_MSU.1)
The evidence provided for AGD_ADM.1 and
ADO_IGS.1 will detail the guidance provided to
the administrator for secure operation of the
TOE.
Vulnerability
assessment
(AVA)
Developer
vulnerability analysis
(AVA_VLA.1)
Vulnerability analysis for JUNOScope
Juniper carries out and documents an analysis
of the TOE deliverables searching for
weaknesses that might allow an attacker to
violate the TOE security policy. This analysis is
provided to the evaluators.
© 2007 Juniper Inc. 27
All Rights Reserved
7 Rationale
This section provides the rationale for completeness and consistency of the security
target. The rationale addresses the following areas:
• Security objectives
• Security functional requirements
• Security assurance requirements
• Dependencies
• Security functions
• Mutual support
7.1 Rationale for Security Objectives
This section shows that all assumptions and threats are countered by security objectives,
and that each security objective addresses at least one assumption or threat.
7.1.1 Rationale for Security Objectives for the TOE
This section provides a mapping of TOE security objectives to those threats that the TOE
is intended to mitigate, and to those assumptions that must be met.
T.PRIVIL
T.OPS
T.DEVCONF
T.CONFLOSS
T.NOAUDIT
A.LOCATE
A.NOEVIL
A.EAUTH
A.THREAT
A.CRYPTO
A.ACCESS
O.EADMIN 9 9 9
O.AMANAGE 9 9 9
O.ACCESS 9 9 9
O.ROLBAK 9
O.AUDIT 9 9 9 9 9
Table 7.1 TOE Security Objectives Rationale
O.EADMIN This objective is to provide effective management tools that help prevent
unauthorised access and exploitation of system privileges (T.PRIVIL) and
help to recover from failures (T.CONFLOSS). Also this objective is also
to provide effective management of user data and therefore helps to
counter the threat T.DEVCONF.
O.AMANAGE The objective to limit access to management functions helps counter the
threats of unauthorised access to privileged functions and data
(T.PRIVIL, T.DEVCONF, T.OPS).
O.ACCESS This objective addresses the need to protect the TOE’s operations and
data. This helps counter the threats of unauthorised access (T.PRIVIL,
T.DEVCONF, T.OPS).
O.ROLBAK The objective to restore previous configurations (user data) helps recover
from loss of configuration data (T.CONFLOSS).
© 2007 Juniper Inc. 28
All Rights Reserved
O.AUDIT This objective serves to discourage and detect inappropriate use of the
TOE, and as such helps counter T.PRIVIL, T.OPS, T.NOAUDIT and
T.DEVCONF. It also helps to support the assumption A.NOEVIL, by
recording actions of users.
7.1.2 Rationale for Security Objectives for the Environment
This section provides a mapping of environment security objectives to those threats that
the environment is expected to counter, and to those assumptions that must be met.
T.PRIVIL
T.OPS
T.DEVCONF
T.CONFLOSS
T.NOAUDIT
A.LOCATE
A.NOEVIL
A.EAUTH
A.THREAT
A.CRYPTO
A.ACCESS
OE.EAUTH 9 9
OE.BYPASS 9 9 9
OE.BROWSE 9 9
OE.CRYPTO 9 9
OE.PHYSICAL 9
OE.ADMIN 9
OE.EAL 9
Table 7.2 Environment Security Objectives Rationale
OE.EAUTH The objective to have an authentication server in the TOE environment
helps to mitigate the threat of unauthorised access (T.PRIVIL), and
supports the assumption that such a server is present (A.EAUTH).
OE.BYPASS The objective that the underlying platform provides access control and
protection to JUNOScope management functions and data helps to
mitigate the threats that unauthorised users gain access to the TOE SFs
and data (T.PRIVIL, T.OPS) and supports the assumption (A.ACCESS)
that access is controlled to JUNOScope data and processes.
OE.BROWSE The objective to secure the communication channel between the browser
interface and the TOE helps to mitigate the threat that unauthorised users
gain access to the TOE SFs (T.PRIVIL) and that unauthorised changes
could be made to the network configuration through interception of
management traffic (T.DEVCONF).
OE.CRYPTO The objective to use SSL to protect management traffic supports the
assumption that cryptography is used to protect management traffic
(A.CRYPTO) a) preventing unauthorised users from gaining access to
and being able to modify network device configuration data when it is
transferred between the TOE and the network device, and b).helping to
prevent interception of communication between the browser and the TOE
(T.DEVCONF interception of configuration data between TOE and
device).
© 2007 Juniper Inc. 29
All Rights Reserved
OE.PHYSICAL The objective to provide physical protection for the TOE supports the
assumption that the TOE will prevent unauthorised physical access
(A.LOCATE).
OE.ADMIN The objective that users should follow administrator guidance supports
the assumption that they will not be careless, wilfully negligent or hostile
(A.NOEVIL).
OE.EAL This objective for assurance is appropriate to the level of threat assumed
in A.THREAT.
7.2 Rationale for Security Requirements
7.2.1 Rationale for TOE security functional requirements
This section demonstrates that all security objectives for the TOE are met by security
functional requirements for the TOE, and that each security functional requirement for the
TOE addresses at least one security objective for the TOE.
O.EADMIN
O.AMANAGE
O.ACCESS
O.ROLBAK
O.AUDIT
FAU_ARP.1 9 9
FAU_GEN.1 9 9
FAU_GEN.2 9
FAU_SAA.1 9 9
FAU_SAR.1 9 9 9 9
FAU_STG.1 9 9
FDP_ROL.1 9
FDP_ACC.1 9 9 9
FDP_ACF.1 9 9 9
FIA_ATD.1 9 9 9
FIA_SOS.1 9 9
FIA_UAU.2 9 9
FIA_UAU.5 9 9
FIA_UID.2 9 9
FMT_MSA.1 9 9 9
FMT_MSA.3 9 9 9
FMT_MTD.1a 9 9 9
FMT_MTD.1b 9 9 9
FMT_MOF.1 9 9 9
FMT_SMF.1 9 9 9 9 9
FMT_SMR.1 9 9 9 9 9
© 2007 Juniper Inc. 30
All Rights Reserved
O.EADMIN
O.AMANAGE
O.ACCESS
O.ROLBAK
O.AUDIT
FTA_SSL.3 9
FTA_TSE.1 9
Table 7.3 Security functional requirements rationale
FAU_ARP.1 This component takes action following detection of potential security
violations, and therefore contributes to meeting O.EADMIN and O.AUDIT
FAU_GEN.1 This component outlines what events must be audited, and aids in
meeting O.AUDIT, and provides the effective management of the audit
function to help meet O.EADMIN .
FAU_GEN.2 This component required that each audit event be associated with a user,
and aids in meeting O.AUDIT.
FAU_SAA.1 This component helps to detect potential security violations, and aids in
meeting O.AUDIT and provides the effective management of the alarm
function to help meet O.EADMIN.
FAU_SAR.1 This component requires that the audit trail can be read, and aids in
meeting O.AUDIT, and ensures the SF to read the audit trail is only
accessible by authorised users, helping to meet O.EADMIN,
O.AMANAGE and O.ACCESS.
FAU_STG.1 This components ensures that audit records are not deleted in an
unauthorised manner (O.AMANAGE) and users remain accountable for
their actions (O.AUDIT).
FDP_ROL.1 This component allows the function to provide router configurations to be
managed and restored (rollback), and aids in meeting O.ROLBAK.
FDP_ACC.1 This component specifies the security attributes on which the policy to
control access to device revisions is based and therefore helps in
meeting O.EADMIN, O.AMANAGE and O.ACCESS.
FDP_ACF.1 This component specifies the rules controlling access to the device
revisions and therefore helps in meeting O.EADMIN, O.AMANAGE and
O.ACCESS.
FIA_ATD.1 This component exists to provide users with attributes to distinguish one
user from another, for accountability purposes, and to associate roles
with users. The component aids in meeting O.AMANAGE, O.ACCESS
and O.AUDIT.
FIA_SOS.1 This component specifies metrics for authentication, and aids in meeting
objectives to restrict access; O.AMANAGE and O.ACCESS.
FIA_UAU.2 This component ensures that users are authenticated to the TOE. As
such it aids in meeting objectives to restrict access; O.AMANAGE and
O.ACCESS.
© 2007 Juniper Inc. 31
All Rights Reserved
FIA_UAU.5a This component ensures multiple authentication mechanisms are
provided to authenticate users to the TOE. As such it aids in meeting
objectives to restrict access; O.AMANAGE and O.ACCESS.
FIA_UID.2 This component ensures that users are identified to the TOE. As such it
aids in meeting objectives to restrict access; O.AMANAGE and
O.ACCESS.
FMT_MSA.1 This component restricts the ability to modify security attributes that
enforce the access control SFP and as such aids in meeting
O.AMANAGE and O.ACCESS, and provides effective management of
the related TSF data, helping to meet O.EADMIN.
FMT_MSA.3 This component restricts the ability to modify the initial values of the
security attributes that enforce the access control SFP and as such aids
in meeting O.AMANAGE and O.ACCESS, and provides effective
management of the related TSF data, helping to meet O.EADMIN.
FMT_MTD.1a This component restricts the ability to modify configuration details, and as
such aids in meeting O.AMANAGE and O.ACCESS, and provides
effective management of the related TSF data, helping to meet
O.EADMIN.
FMT_MTD.1b This component restricts the ability to control the audit trail, and as such
aids in meeting O.AMANAGE and O.ACCESS, and provides effective
management of the related TSF data, helping to meet O.EADMIN.
FMT_MOF.1 This component relates to control of the user session timeout function,
and as such aids in meeting O.AMANAGE, O.ACCESS and O.EADMIN.
FMT_SMF.1 This component lists the security management functions that must be
controlled. As such it aids in meeting O.EADMIN, O.AMANAGE,
O.ACCESS, O.ROLBAK and O.AUDIT.
FMT_SMR.1 Each of the components in the FMT class listed above relies on this
component. It defines the roles on which access decisions are based. As
such it aids in meeting O.EADMIN, O.AMANAGE, O.ACCESS,
O.ROLBAK and O.AUDIT.
FTA_SSL.3 This component limits the period of inactivity before a user session is
terminated, and hence reduces the chance of unauthorised access. As
such it aids in meeting O.AMANAGE.
FTA_TSE.1 This component limits the range of locations from which a user session
can be established, and hence reduces the chance of unauthorised
access. As such it aids in meeting O.AMANAGE.
7.2.2 Rationale for TOE Environment Security Functional Requirements
Multiple authentication mechanisms FIA_UAU.5b
This component was chosen to ensure that multiple authentication mechanisms are used
appropriately in all attempts to authenticate to the TOE. This component traces back to
and aids in meeting the following objective: OE.EAUTH. Its presence under TOE
environment security functional requirements is to address authentication using an
external authentication server.
Reliable time stamps FPT_STM.1
© 2007 Juniper Inc. 32
All Rights Reserved
This component was included to ensure the underlying platform of the TOE provides a
reliable time stamps for audit records and aids in meeting O.AUDIT.
TSF Domain Separation FPT_SEP.1
This component was included to ensure the underlying platform of the TOE provides
domain separation for TOE and non-TOE processes, helping to meet OE.BYPASS.
OE.CRYPTO/OE.BROWSE
This objective was specified to ensure that all management traffic (both between the
browser and the TOE and between the TOE and the managed network device) is
protected from network sniffing through encryption of the packets in accordance with the
SSL standard. Any algorithms and key sizes specified in the SSL standard (as defined in
www.ietf.org/rfc/rfc2246.txt. SSLv3 corresponds to TLSv1) are acceptable to meet this
requirement.
7.2.3 Rationale for Security Assurance Requirements (SAR)
The ST is requires EAL3 assurance, augmented with ALC_FLR.3.
EAL3 was chosen because it is based upon good commercial development practices with
thorough functional testing. EAL3 provides the developers and users a moderate level of
independently assured security in conventional commercial TOEs.
Systematic flaw remediation was added to demonstrate that the developer has effective
procedures in place to address any security issues identified in the product, ensuring the
customers are notified how the issues are addressed.
The chosen assurance level as supported by OE.EAL is consistent with the postulated
threat environment. Specifically, that the threat of malicious attacks is not greater than
low, the security environment provides physical protection, and the TOE itself offers a
very limited interface, offering essentially no opportunity for an attacker to subvert the
security policies without physical access.
SOF-medium is defined in [CC] Part 1 as “provides adequate protection against
straightforward or intentional breach of TOE security by attackers possessing a moderate
attack potential”. This claim relates to the resistance of TSF’s Identification and
Authentication security function with authentication data meeting the requirements of
FIA_SOS.1. The authentication interface is one which is generally subject to increased
attack due to its probabilistic/permutational nature, so a higher level of resistance in this
interface is appropriate. This is consistent with the objectives for the TOE, specifically
O.AMANAGE that states management functions must be accessible by authorized users,
thereby identifying the identification and authentication mechanism to be a key barrier for
the protection of the TOE against unauthorized use.
7.2.4 Dependencies Rationale
All functional and assurance requirements dependencies indicated in [CC] have been
satisfied. Dependencies on FIA_UAU.1 and FIA_UID.1 have been satisfied through
inclusion of the hierarchical components FIA_UAU.2 and FIA_UID.2, respectively.
7.3 TOE Summary Specification Rationale
This section illustrates that the security functions as described in the TOE Summary
Specification (Section 6) are necessary and sufficient to implement the SFRs and SARs.
© 2007 Juniper Inc. 33
All Rights Reserved
User
data
protection
Identification
and
authentication
Security
management
Audit
TOE
Access
FAU_ARP.1 9
FAU_GEN.1 9
FAU_GEN.2 9
FAU_SAA.1 9
FAU_SAR.1 9
FAU_STG.1 9
FDP_ROL.1 9
FDP_ACC.1 9
FDP_ACF.1 9
FIA_ATD.1 9
FIA_SOS.1 9
FIA_UAU.2 9
FIA_UAU.5a 9
FIA_UID.2 9
FMT_MSA.1 9
FMT_MSA.3 9
FMT_MTD.1a 9 9 9
FMT_MTD.1b 9
FMT_MOF.1 9 9
FMT_SMF.1 9 9 9 9
FMT_SMR.1 9 9
FTA_SSL.3 9
FTA_TSE.1 9
Table 7.4 Security functions rationale
The User Data Protection function allows the user to manage the device revisions
(FDP_ACC.1, FDP_ACF.1), including initiating rollback of the device configuration
(FDP_ROL.1)
The Identification and Authentication Function requires that users be identified
(FIA_UID.2, FIA_ATD.1) and authenticated (FIA_UAU.2, FIA_ATD.1) before being
granted access to any other TOE functions. The authentication data must be at least 6
characters long and be comprised of a minimum of two character sets (FIA_SOS.1).
© 2007 Juniper Inc. 34
All Rights Reserved
Authentication can be achieved through either local password or external RADIUS
authentication (FIA_UAU.5a).
The function is controlled by administrators (FMT_SMF.1, FMT_SMR.1, FMT_MTD.1a),
who may modify user attributes, the authentication method and manage the number of
permitted authentication attempts (FMT_MTD.1a).
The claimed strength of function for the password mechanism is SOF-Medium. This is
consistent with the overall claim for the TOE of SOF-Medium.
The Security Management Function permits the users to perform the following actions
(view/modify according to their permissions (FMT_SMR.1)):
• Manage access methods to connect between client and server (FMT_SMF.1,
FMT_MTD.1a);
• Manage groups (FMT_SMF.1, FMT_MTD.1a);
• Manage schedules (FMT_SMF.1, FMT_MTD.1a);
• Manage authentication information (FMT_SMF.1, FMT_MTD.1a);
• Manage users (local authentication, user group authorization, authentication policy);
• Manage devices (as represented in the TOE) (FMT_SMF.1, FMT_MTD.1a);
• Download/install software images (FMT_SMF.1);
The TOE installer can perform the following security management action:
• Modify the user session timeout function (FMT_MOF.1, FMT_SMF.1).
The administrator can also manage the following security attributes, creating instances of
them in the TOE and specifying alternative initial values for the attributes: user
permissions, user group membership and device. user group association (FMT_MSA.1,
FMT_MSA.3).
The Audit Function provides a reliable audit trail of network connections and other
events (FAU_GEN.1) that can be viewed and deleted only by an administrator
(FMT_SMF.1, FMT_MTD.1b, FAU_SAR.1, FAU_STG.1). For all events the Audit
Function will record the:
• Date and time of the event (FAU_GEN.1), using the date and time information
provided by the IT environment (underlying Solaris platform);
• The identity of the user (FAU_GEN.2);
• Type of event or service (FAU_GEN.1);
• Success or failure of the event (FAU_GEN.1).
The TOE can be configured to monitor sequences of events (FAU_SAA.1) and take
action when they occur (FAU_ARP.1).
The TOE Access Function provides for TSF initiated session termination (FTA_SSL.3,
FMT_SMF.1, FMT_MTD.1a), and for restrictions on session establishment (FTA_TSE.1,
FMT_MOF.1).
© 2007 Juniper Inc. 35
All Rights Reserved
7.4 IT security functions mutually supportive
The mutually supportive nature of the IT security functions can be derived from the
mutual support of the SFRs (demonstrated in Section 7.3.), as each of the IT security
functions can be mapped to one or more SFRs, as demonstrated in Table 7.4.
© 2007 Juniper Inc. 36
All Rights Reserved
8 Acronyms
ACM Access Control Management
AGD Administrator Guidance Document
API Application Programming Interface
ASCII American Standard Code for Information Interchange
CC Common Criteria
CM Control Management
CVS Concurrent Versions System
EAL Evaluation Assurance Level
HTML Hypertext Mark-up Language
HTTP Hypertext Transfer Protocol
HTTPS Secure HTTP
IP Internet Protocol
JDBC Java Database Connectivity
OSS/BSS Operation Support Systems/Business Support Systems
PP Protection Profile
RADIUS Remote Authentication Dial In User Service
SF Security Functions
SFR Security Functional Requirements
SQL Structured Query Language
SSL Secure Sockets Layer
ST Security Target
TLS Transport Layer Security
TOE Target of Evaluation
TSF TOE Security Functions
TSP TOE Security Policy
TSC TSF Scope of Control
XML Extensible Markup Language
XNM XML-based Network Management