Australasian Information Security Evaluation Program

Juniper Networks, Inc. JUNOS 12.1 X44 D15.5 for SRX-Series Platforms

Certification Report 2013/85
6 September 2013
Version 1.1

Commonwealth of Australia 2013

Reproduction is authorised provided that the report is copied in its entirety.

6-Sept-13 Version 1.1

Amendment Record

Version  Date              Description
1.1      6 September 2013  Public release

Executive Summary

This report describes the findings of the IT security evaluation of Juniper Networks, Inc. JUNOS 12.1 X44 D15.5 for SRX Series against Common Criteria and Protection Profiles.

The Target of Evaluation (TOE) is Juniper Networks, Inc. JUNOS 12.1 X44 D15.5 for SRX Series Platforms. The TOE is a product that is designed to provide for the support of the definition and enforcement of information flow policies among network nodes. Routers provide for stateful packet inspection of every packet that traverses the network and provide centralised management functions to manage and administer the network security policy. All information flowing from one network node to another will pass through an instance of the TOE.

The functionality defined in the Security Target that was subsequently evaluated is summarised as follows:

• Security Audit – JUNOS auditable events are stored in syslog files, which can be sent securely to an external server;
• Cryptological Support – baseline cryptological module is included to provide confidentiality and integrity services for authentication;
• User Data Protection / Information Flow Control – TOE is designed to forward packets (i.e. “information flows”) to source and destination entries as provided by TOE users;
• Identification and Authentication – TOE requires users to provide unique identification and authentication data before any administration access to the system is granted;
• Security Management – TOE provides for an authorised Administrator role;
• Protection of the TSF – TOE provides a protection mechanism for its security functions, including cryptological keys and administrator passwords;
• TOE Access – TOE can be configured to terminate inactive sessions;
• Trusted Path / Channels – TOE creates trusted channels between itself and a remote, trusted authorised IT product and a remote administrator; and
• Stateful Traffic Filtering – TOE provides stateful network traffic filtering.

The report concludes that the product has complied with the NDPP version 1.1 and FWEP version 1.0 and that the evaluation was conducted in accordance with the Common Criteria and the requirements of the Australasian Information Security Evaluation Program (AISEP). The evaluation was performed by BAE Systems Detica and was completed on 15 July 2013.

With regard to the secure operation of the TOE, the Australasian Certification Authority (ACA) recommends that administrators:

a) Ensure that the TOE is operated in the evaluated configuration and that assumptions concerning the TOE security environment are fulfilled;
b) Configure and operate the TOE according to the vendor’s product administrator guidance; and
c) Maintain the underlying environment in a secure manner so that the integrity of the TOE Security Function is preserved.

This report includes information about the underlying security policies and architecture of the TOE, and information regarding the conduct of the evaluation.

It is the responsibility of the user to ensure that the TOE meets their requirements.
For this reason, it is recommended that a prospective user of the TOE refer to the Security Target and read this Certification Report prior to deciding whether to purchase the product.

Table of Contents

Chapter 1 – Introduction
  1.1 Overview
  1.2 Purpose
  1.3 Identification
Chapter 2 – Target of Evaluation
  2.1 Overview
  2.2 Description of the TOE
  2.3 TOE Functionality
  2.4 TOE Architecture
  2.6 Clarification of Scope
    2.6.1 Evaluated Functionality
    2.6.2 Non-evaluated Functionality and Services
  2.7 Security
    2.7.1 Security Policy
    2.7.2 Security Target
  2.8 Usage
    2.8.1 Evaluated Configuration
    2.8.2 Determining the Evaluated Configuration
    2.8.3 Installation of the TOE
    2.8.4 Testing Activity
    2.8.5 Testing Coverage
  2.9 Delivery Procedures
  2.10 Documentation and Guidance
  2.11 Secure Usage
Chapter 3 – Evaluation
  3.1 Overview
  3.2 Evaluation Procedures
  3.3 Testing
  3.4 Entropy Testing
  3.5 Penetration Testing
Chapter 4 – Certification
  4.1 Overview
  4.2 Assurance
  4.3 Certification Result
  4.3 Recommendations
Annex A – References and Abbreviations
  A.1 References
  A.2 Abbreviations

Chapter 1 – Introduction

1.1 Overview

This chapter contains information about the purpose of this document and how to identify the Target of Evaluation (TOE).

1.2 Purpose

The purpose of this Certification Report is to:

a) Report the certification of results of the IT security evaluation of the Juniper Networks, Inc. JUNOS 12.1 X44 D15.5 for SRX Series Platforms against the requirements of the Common Criteria (CC), the NDPP v1.1 and FWEP v1.0; and
b) Provide a source of detailed security information about the TOE for any interested parties.

This report should be read in conjunction with the TOE’s Security Target (Ref 9) which provides a full description of the security requirements and specifications that were used as the basis of the evaluation.

1.3 Identification

The TOE is Juniper Networks, Inc. JUNOS 12.1 X44 D15.5 for SRX-Series Platforms.

Table 1 Identification Information

Description                  Version
Evaluation Scheme            Australasian Information Security Evaluation Program.
TOE                          Juniper Networks, Inc. JUNOS 12.1 X44 D15.5 for SRX Series Platforms
Software Version             JUNOS US/Canada Version 12.1 X44 D15.5
Security Target              Juniper Networks, Inc. JUNOS 12.1 X44 D15.5 for SRX-Series Platforms v2.1 August 26, 2013
Evaluation Technical Report  Evaluation Technical Report JUNOS 12.1 D15.5 X44 D15 for SRX-Series Platforms, dated 29 August 2013, Version 1.0, Document reference EFS-T031-ETR.
Criteria                     Common Criteria for Information Technology Security Evaluation Part 2 Extended and Part 3 Extended, July 2009, Version 3.1.
Methodology                  Common Methodology for Information Technology Security
Conformance                  NDPP FWEP
Sponsor                      Juniper Networks, Inc 1194 North Mathilda Avenue Sunnyvale CA 94089
Developer                    Juniper Networks, Inc 1194 Mathilda Avenue Sunnyvale CA 94089
Evaluation Facility          BAE Systems Detica 1 / 50 Geils Court Deakin ACT 2600 Australia

Chapter 2 – Target of Evaluation

2.1 Overview

This chapter contains information about the Target of Evaluation (TOE), including a description of functionality provided, its architectural components, the scope of evaluation, security policies, and its secure usage.

2.2 Description of the TOE

The TOE is Juniper Networks, Inc. JUNOS 12.1 X44 D15.5 for SRX Series Platforms developed by Juniper Networks Inc.

The TOE is a product that is designed to provide for the support of the definition and enforcement of information flow policies among network nodes. Routers provide for stateful packet inspection of every packet that traverses the network and provide centralised management functions to manage and administer the network security policy. All information flowing from one network node to another will pass through an instance of the TOE.

The functionality defined in the Security Target that was subsequently evaluated is summarised as follows:

• Security Audit – JUNOS auditable events are stored in syslog files, which can be sent securely to an external server;
• Cryptological Support – baseline cryptological module is included to provide confidentiality and integrity services for authentication;
• User Data Protection / Information Flow Control – TOE is designed to forward packets (i.e. “information flows”) to source and destination entries as provided by TOE users;
• Identification and Authentication – TOE requires users to provide unique identification and authentication data before any administration access to the system is granted;
• Security Management – TOE provides for an authorised Administrator role;
• Protection of the TSF – TOE provides a protection mechanism for its security functions, including cryptological keys and administrator passwords;
• TOE Access – TOE can be configured to terminate inactive sessions;
• Trusted Path / Channels – TOE creates trusted channels between itself and a remote, trusted authorised IT product and a remote administrator; and
• Stateful Traffic Filtering – TOE provides stateful network traffic filtering.

2.3 TOE Functionality

Each Juniper Networks routing platform is a complete routing system that supports a variety of high-speed interfaces for medium to large networks and network applications. The TOE is a component of Juniper Networks routing platforms and provides components that manage and process authentication and authorisation claims across trusted organisational network boundaries and also across heterogeneous environments. The TOE provides the necessary infrastructure for implementing users from trusted partner organisations.

2.4 TOE Architecture

The TOE consists of the following major architectural components:

• The Routing Engine; and
• The Packet Forwarding Engine.

The Routing Engine (RE) runs the Junos software and provides Layer 3 routing and network management services, including the control of the flow of information through the TOE, applying Network Address Translation (NAT) where applicable and encryption/decryption operations of packets to provide for secure communication using the IPSec protocol.

The Packet Forwarding Engine (PFE) provides all operations necessary for transitory packet forwarding.

2.6 Clarification of Scope

The evaluation was conducted in accordance with the Common Criteria and associated methodologies. The evaluated configuration is based on the default installation of the TOE with additional configuration implemented as per the JUNOS Secure Configuration Guide (Ref 7).

The scope of the evaluation was limited to those claims made in the Security Target (Ref 9).

2.6.1 Evaluated Functionality

All tests performed during the evaluation were taken from the NDPP (Ref 3) and the FWEP (Ref 4) and sufficiently demonstrate through exercise the security functionality of the TOE. Some of the tests were combined for ease of execution.

2.6.2 Non-evaluated Functionality and Services

Potential users of the TOE are advised that some functions and services have not been evaluated as part of the evaluation. Potential users of the TOE should carefully consider their requirements for using functions and services outside of the evaluated configuration; Australian Government users should refer to Australian Government Information Security Manual (ISM) (Ref 6) for policy relating to using an evaluated product in an un-evaluated configuration. New Zealand Government users should consult the Government Communications Security Bureau (GCSB).

The following components are considered outside of the scope of the TOE:

• Use of an external syslog server;
• Use of telnet (note the use of telnet violates the Trusted Path Requirement Set);
• Use of file transfer protocol (FTP) (note the use of FTP violates the Trusted Path Requirement Set);
• Use of Simple Network Management Protocol (SNMP) (note the use of SNMP violates the Trusted Path Requirement Set);
• Management via “J-Web” (note the use of J-Web violates the Trusted Path Requirement Set); and
• Use of media (other than the media required during the installation process).

In addition, the Web Authentication Policy Enforcement’s web interface was not included in testing and evaluation when the active vulnerability assessments were conducted.

2.7 Security

2.7.1 Security Policy

The TOE Security Policy (TSP) is a set of rules that defines how the information within the TOE is managed and protected. The Security Target (Ref 9) contains a summary of the functionality to be evaluated:

• Security Audit;
• Cryptographic Support;
• User Data Protection / Information Flow Control;
• Identification and Authentication – note that Telnet and FTP are considered to be out of scope;
• Security Management;
• Protection of the TSF;
• TOE Access;
• Trusted Path/Channel; and
• Stateful Traffic Filtering.

2.7.2 Security Target

The Security Target (Ref 7) introduction contains an overview which describes the usage and major security features of the TOE.

This report describes the findings of the IT security evaluation of Juniper Networks, Inc. JUNOS 12.1 X44 D15.5 for SRX Series Platforms against Common Criteria and Protection Profiles:

• The Common Criteria (CC) Part 2 Security Functional Components Extended Package, Version 3.1 Revision 3 (Ref 1);
• The Common Criteria (CC) Part 3 Security Assurance Components Extended Package, Version 3.1 Revision 3 (Ref 2);
• The Network Device Protection Profile (NDPP) Extended Package (Ref 3); and
• The Stateful Traffic Filter Firewall Extended Package (FWEP) version 1.0, 19 December 2011 (Ref 4).

As the TOE/Security Target are claiming conformance to the Network Devices Protection Profile (NDPP) and Stateful Traffic Filter Firewall package, all extended components for the Security Functional Requirements (SFR) were taken from the NDPP and FWEP. Evaluators confirmed that these extended components had been properly declared according to the NDPP and FWEP.

2.8 Usage

2.8.1 Evaluated Configuration

This section describes the configuration of the TOE that was included within scope of the evaluation. The assurance gained via evaluation applies specifically to the TOE in this defined evaluated configuration. Australian Government users should refer to the ISM (Ref 6) to ensure that the configuration meets the minimum Australian Government policy requirements. New Zealand Government users should consult the GCSB.

The TOE consists of the Software version JUNOS 12.1 X44 D15.5.

The evaluation was conducted on the default installation and configuration of the TOE with additional guidance and configuration information drawn from the JUNOS Secure Configuration Guide (Ref 7).

2.8.2 Determining the Evaluated Configuration

To ensure that the software received is the evaluated product the customer must check the version details received against the list specified in the TOE.

The customer should perform the following checks to ensure that they have received the correct version of the TOE:

• The shipping label should correctly identify the customer’s name and address as well as the product;
• The outside packaging should not appear to be tampered with so as to allow access to the contents, packing tape cut or the packaging resealed;
• The inside packaging should be sealed and the seal itself should be intact;
• Shipment of the device included a confirmation of the order number;
• Verify that a shipment notification has been sent via email to the customer point of contact regarding the shipment of the order. The email should include details such as the purchase order number, Juniper Networks order number (which is used to track a shipment), list of items that have been shipped;
• Verify that the shipment was initiated by Juniper Networks by comparison of shipment tracking numbers (Juniper’s shipping notification email and tracking number of the package received);
• View/Check the delivery/shipment status of the order by logging into https://www.juniper.net/customers/csc/management; and
• View/Check the carrier tracking number (or Juniper Networks order number) against the information provided to the customer by Juniper.

2.8.3 Installation of the TOE

The Secure Configuration Guide (Ref 7) contains all relevant information for the secure configuration of the TOE.

It should be noted that some well-known protocols are prevented from operating as per the FWEP (in particular the IPv6 Neighbor Discovery Protocol (NDP)). Network design should take this into account.

2.8.4 Testing Activity

The evaluation was conducted in two phases.

a) Phase 1: The TOE in its default configuration was not conformant to FWEP. The first phase of testing was between 11 April 2013 and 16 April 2013.
b) Phase 2: The developer re-issued the TOE and associated guidance. The evaluation was then conducted again during 20 June 2013 to 15 July 2013.

This Certification Report is based on the second round of evaluation testing.

2.8.5 Testing Coverage

All tests performed by the evaluators were taken from the NDPP and FWEP. These tests are designed in such a way as to provide a full coverage of testing for all security functions claimed by the TOE. All SFR listed in the Security Target and the Protection Profile packages were exercised during testing.

2.9 Delivery Procedures

The verification of the TOE is largely automatic, including the verification using MD5 hashes. This was demonstrated during testing. The TOE cannot load a modified image.
The software image can be downloaded from https://juniper.net.

2.10 Documentation and Guidance

It is important that the TOE is used in accordance with guidance documentation in order to ensure secure usage. The following documentation is available to the consumer when the TOE is purchased.

All guidance material is available for download at www.juniper.com.

All common criteria guidance material is available at www.commoncriteriaportal.org.

The Information Security Manual (ISM) is available at www.dsd.gov.au.

2.11 Secure Usage

The evaluation of the TOE took into account certain assumptions about its operational environment. These assumptions must hold in order to ensure the security objectives of the TOE are met.

No assumptions were noted in the testing documentation or the resultant reports.

Chapter 3 – Evaluation

3.1 Overview

This chapter contains information about the procedures used in conducting the evaluation, the testing conducted as part of the evaluation and the certification result.

3.2 Evaluation Procedures

The criteria against which the Target of Evaluation (TOE) has been evaluated are contained in the NDPP (Ref 3), FWEP (Ref 4), Common Criteria for Information Technology Security Evaluation Version 3.1 Revision 3, Parts 2 and 3 (Ref 1 and 2). The methodology used is described in the Common Methodology for Information Technology Security Evaluation Version 3.1 Revision 3 (Ref 16). The evaluation was carried out in accordance with the operational procedures of the Australasian Information Security Evaluation Program (AISEP). In addition, the conditions outlined in the Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security were also upheld.

The evaluation was based on the default installation and configuration of the TOE with additional configuration taken from JUNOS secure configuration guide (Ref 8).

3.3 Testing

Testing is determined in the Assurance activities in the Protection Profiles.

3.4 Entropy Testing

The entropy design description, justification, operation and health tests are assessed and documented in a separate report (Ref 14).

3.5 Penetration Testing

The developer performed a vulnerability analysis of the TOE in order to identify any obvious vulnerability in the product and to show that the vulnerabilities were not exploitable in the intended environment of the TOE. This analysis included a search for possible vulnerability sources in publicly-available information.

The following factors have been taken into consideration during the penetration tests:

a) Time taken to identify and exploit (elapsed time);
b) Specialist technical expertise required (specialist expertise);
c) Knowledge of the TOE design and operation (knowledge of the TOE);
d) Window of opportunity; and
e) IT hardware/software or other equipment required for the exploitation.

The evaluators conducted testing on both JUNOS US/Canada Version 12.1 X44 D15.5-Domestic (Domestic Edition) and JUNOS 12.1 X44 D15.5 FIPS edition (FIPS Edition) for the SRX Series.

Chapter 4 – Certification

4.1 Overview

This chapter contains information about the result of the certification, an overview of the assurance provided by the level chosen, and recommendations made by the certifiers.

4.2 Assurance

This certification is focused on the evaluation of product compliance with a Protection Profile that covers the technology area of network devices. Agencies can have confidence that the scope of an evaluation against a DSD-approved Protection Profile covers the necessary security functionality expected of the evaluated product and known security threats will have been addressed.

The effectiveness and integrity of cryptographic functions are also within the scope of product evaluations performed in line with Protection Profiles.
PPs provide assurance by a full security target and an analysis of the SFR in that ST, guidance documentation and a basic description of the architecture of the TOE, to understand the security behaviour.

The analysis is supported by testing as outlined in the NDPP assurance activities, and a vulnerability analysis (based upon TOE design, security architecture description and guidance evidence provided) demonstrating resistance to penetration attackers with a basic attack potential. Compliance also provides assurance through evidence of secure delivery procedures.

4.3 Certification Result

After due consideration of the conduct of the evaluation as witnessed by the certifiers and of the Evaluation Technical Report (Ref 6) the Australasian Certification Authority certifies the evaluation of the Juniper Networks, Inc. JUNOS 12.1 X44 D15.5 for SRX Series Platforms product performed by the Australasian Information Security Evaluation Facility, BAE Systems Detica.

Detica has determined that Juniper Networks, Inc. JUNOS 12.1 X44 D15.5 for SRX Series Platforms upholds the claims made in the Security Target (Ref 9) and has met the requirements of NDPP and FWEP.

This certification is focused on the evaluation of product compliance with a Protection Profile that covers the technology area of network devices. Agencies can have confidence that the scope of an evaluation against a DSD-approved Protection Profile covers the necessary security functionality expected of the evaluated product and known security threats will have been addressed.

The effectiveness and integrity of cryptographic functions are also within the scope of product evaluations performed in line with Protection Profiles. The analysis is supported by testing as outlined in the NDPP assurance activities, and a vulnerability survey demonstrating resistance to penetration attackers with a basic attack potential.
Compliance also provides assurance through evidence of secure delivery procedures.

Certification is not a guarantee of freedom from security vulnerabilities.

4.3 Recommendations

Not all of the evaluated functionality present in the TOE may be suitable for Australian and New Zealand Government users. For further guidance, Australian Government users should refer to ISM (Ref 5) and New Zealand Government users should consult the GCSB.

In addition to ensuring that the assumptions concerning the operational environment are fulfilled and the guidance document is followed, the ACA also recommends that users and administrators:

a) Ensure that the TOE is operated in the evaluated configuration; and
b) Maintain the underlying environment in a secure manner so that the integrity of the TOE Security Function is preserved.

Annex A – References and Abbreviations

A.1 References

1. Common Criteria for Information Technology Security Evaluation Part 2: Security functional components July 2009, Version 3.1 Revision 3
2. Common Criteria for Information Technology Security Evaluation Part 3: Security assurance components July 2009, Version 3.1 Revision 3
3. US Government approved Protection Profile – Protection Profile for Network Devices (NDPP) version 1.1 June 8, 2012.
4. US Government approved Network Devices Protection Profile – Protection Profile Stateful Traffic Filter Firewall Extended Package (FWEP) Version 1.0 December 2011
5. 2013 Australian Government Information Security Manual (ISM), Defence Signals Directorate
6. Test Report for JUNOS 12.1 X44 D15.5 for SRX Platforms, Version 1.0, 29 August 2013, Document reference EFS-T031-TR
7. ASE Workbook version 1.0, 29 August 2013, Document reference EFS-T031-ASE-EWB
8. JUNOS Secure Configuration Guide Security Requirements for Network Devices Version 1.1, 08 June 2012
9. Juniper: Security Target – Juniper Networks, Inc. JUNOS 12.1 D15.5 X44 for SRX-Series Platforms version 2.1 August 26, 2013
10. AGD Workbook JUNOS 12.1 X44 D15.5 for SRX Series Platforms, version 1.0, 29 August 2013, Document Reference EFS-T031-AGD-EWB
11. AVA Workbook JUNOS 12.1 X44 D15.5 NDPP/FWEP Evaluation, Version 1.0, 29 August 2013, Document Reference EFS-T031-EWB-AVA
12. Arrangement on the Recognition of Common Criteria Certificates in the field of Information Technology Security, May 2000.
13. Common Criteria Secure Configuration Guide for SRX-series Security Devices Release 12.1 Published 24 July 2013
14. Seeding of the Kernel RBG in SRX Series Appliances Running Junos 12.1 version 1.3, 13 May 2013
15. NIST publication SP800-90A Recommendations for Random Number Generation Using Deterministic Random Bit Generation, January 2012.
16. Common Methodology for Information Technology Security Evaluation, Evaluation methodology, July 2009, Version 3.1, Revision 3.

A.2 Abbreviations

AISEF  Australasian Information Security Evaluation Facility
AISEP  Australasian Information Security Evaluation Program
ASD    Australian Signals Directorate
CA     Certification Authority
CC     Common Criteria
CEM    Common Evaluation Methodology
DSD    Defence Signals Directorate
EAL    Evaluation Assurance Level
ETR    Evaluation Technical Report
FTP    File Transfer Protocol
GCSB   Government Communications Security Bureau
IDM    IPS Device Manager
NTP    Network Time Protocol
NDPP   US Government approved Protection Profile for Network Devices
PP     Protection Profile
SFP    Security Function Policy
SFR    Security Functional Requirements
SNMP   Simple Network Management Protocol
ST     Security Target
TOE    Target of Evaluation
TSF    TOE Security Functions
TSP    TOE Security Policy