National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. Juniper Networks Security Appliances

Transcription

1 Natinal Infrmatin Assurance Partnership Cmmn Criteria Evaluatin and Validatin Scheme TM Validatin Reprt Juniper Netwrks Security Appliances Reprt Number: CCEVS-VR Dated: 28 June 2012 Versin: 1.0 Natinal Institute f Standards and Technlgy Natinal Security Agency Infrmatin Technlgy Labratry Infrmatin Assurance Directrate 100 Bureau Drive 9800 Savage Rad STE 6940 Gaithersburg, MD Frt Gerge G. Meade, MD

2 Juniper Netwrks Security Appliances ACKNOWLEDGEMENTS Validatin Team Jandria S. Alexander The Aerspace Crpratin Dr. Patrick W. Mallett The MITRE Crpratin Cmmn Criteria Testing Labratry SAIC Clumbia, MD ii

3 Juniper Netwrks Security Appliances Table f Cntents 1 Executive Summary Evaluatin Details Interpretatins Threats Organizatinal Security Plicies Identificatin Security Plicy Security audit Cryptgraphic supprt User data prtectin Identificatin and authenticatin Security management Prtectin f the TSF Assumptins Architectural Infrmatin Dcumentatin Prduct Testing Develper Testing Evaluatin Team Independent Testing Penetratin Testing Evaluated Cnfiguratin Results f the Evaluatin Validatr Cmments/Recmmendatins Annexes Security Target Bibligraphy...17 iii

4 Juniper Netwrks Security Appliances 1 Executive Summary The evaluatin f Juniper Netwrks Security Appliances was perfrmed by SAIC, in the United States and was cmpleted in June The evaluatin was carried ut in accrdance with the Cmmn Criteria Evaluatin and Validatin Scheme (CCEVS) prcess and scheme. The criteria against which the Juniper Netwrks Security Appliances TOE was judged are described in the Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin, Versin 3.1, Revisin 3, July The evaluatin methdlgy used by the evaluatin team t cnduct the evaluatin was available in the Cmmn Methdlgy fr Infrmatin Technlgy Security Evaluatin, Evaluatin Methdlgy, Versin 3.1, Revisin 3, July Science Applicatins Internatinal Crpratin (SAIC) determined that the prduct satisfies evaluatin assurance level EAL 2 augmented with ALC_FLR.2 as defined within the Cmmn Criteria (CC). The prduct, when cnfigured as specified in the installatin guides and user guides, satisfies all f the security functinal requirements stated in the Juniper Netwrks Security Appliances Security Target, Versin 0.8, April 6, This Validatin Reprt applies nly t the specific versin f the TOE as evaluated. In this case the TOE is Juniper Netwrks Security Appliances. The evaluatin has been cnducted in accrdance with the prvisins f the NIAP Cmmn Criteria Evaluatin and Validatin Scheme (CCEVS) and the cnclusins f the testing labratry in the evaluatin technical reprt are cnsistent with the evidence adduced. This Validatin Reprt is nt an endrsement f Juniper Netwrks Security Appliances by any agency f the US Gvernment and n warranty f the prduct is either expressed r implied. The validatin team mnitred the activities f the evaluatin team, examined evaluatin evidence, prvided guidance n technical issues and evaluatin prcesses, and reviewed the individual wrk units and versins f the ETR. Als, at sme discrete pints during the evaluatin, validatrs frmed a Validatin Oversight Review panel in rder t review the Security Target and ther evaluatin evidence materials alng with the crrespnding evaluatin findings in detail. The validatin team fund that the evaluatin shwed that the prduct satisfies all f the security functinal and assurance requirements stated in the Security Target (ST). Therefre the validatin team cncludes that the testing labratry s findings are accurate, the cnclusins justified, and the cnfrmance results are crrect. The cnclusins f the testing labratry in the evaluatin technical reprt are cnsistent with the evidence prduced. The technical infrmatin included in this reprt was btained frm the Evaluatin Technical Reprt Fr Juniper Netwrks Security Appliances Parts 1 and 2 and the Evaluatin Team Test Reprt Fr Juniper Netwrks Security Appliances prduced by SAIC. 1

5 1.1 Evaluatin Details VALIDATION REPORT Juniper Netwrks Security Appliances Evaluated Prduct: Spnsr: Develper: Evaluatin Facility: Juniper Netwrks Security Appliances Juniper Netwrks 1194 Nrth Mathilda Ave Sunnyvale, CA Juniper Netwrks 1194 Nrth Mathilda Ave Sunnyvale, CA Science Applicatins Internatinal Crpratin 6841 Benjamin Franklin Drive Clumbia, MD Kickff Date: May 2011 Cmpletin Date: June 2012 CC: Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin Part 1: Intrductin, Versin 3.1, Revisin 3, July 2009 Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin Part 2: Security Functinal Requirements, Versin 3.1 Revisin 3, July 2009 Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin Part 3: Security assurance cmpnents, Versin 3.1 Revisin 3, July 2009 Interpretatins: CEM: Evaluatin Class: Descriptin: Disclaimer: PP: Validatin Bdy: Nne Cmmn Methdlgy fr Infrmatin Technlgy Security Evaluatin, Evaluatin Methdlgy, Versin 3.1, Revisin 3, July 2009 EAL 2 augmented with ALC_FLR.2 The Target f Evaluatin (TOE) is Juniper Netwrks Security Appliances, a line f integrated security netwrk devices cmbining firewall, virtual private netwrking (VPN), and traffic management functins. The TOE cnsists f ne r mre f the fllwing security appliances running the specified ScreenOS firmware versin: The TOE is administered via a cmmand line interface (CLI). During nrmal peratin, the CLI is accessed remtely ver a Secure Shell (SSH) cnnectin. The infrmatin cntained in this Validatin Reprt is nt an endrsement f the Juniper Netwrks Security Appliances by any agency f the U.S. Gvernment and n warranty f Juniper Netwrks Security Appliances is either expressed r implied. U.S. Gvernment Prtectin Prfile fr Traffic-Filter Firewall in Basic Rbustness Envirnments, versin 1.1, July 25, 2007 Natinal Infrmatin Assurance Partnership CCEVS 2

6 Juniper Netwrks Security Appliances 1.2 Interpretatins Nt applicable. 1.3 Threats The fllwing threats, defined in the U.S. Gvernment Prtectin Prfile fr Traffic-Filter Firewall in Basic Rbustness Envirnments, are mitigated by the TOE. T.NOAUTH T.REPEAT T.REPLAY T.ASPOOF T.MEDIAT T.OLDINF T.PROCOM T.AUDACC T.SELPRO T.AUDFUL An unauthrized persn may attempt t bypass the security f the TOE s as t access and use security functins and/r nn-security functins prvided by the TOE. An unauthrized persn may repeatedly try t guess authenticatin data in rder t use this infrmatin t launch attacks n the TOE. An unauthrized persn may use valid identificatin and authenticatin data btained t access functins prvided by the TOE. An unauthrized persn may carry ut spfing in which infrmatin flw thrugh the TOE int a cnnected netwrk by using a spfed surce address. An unauthrized persn may send impermissible infrmatin thrugh the TOE which results in the explitatin f resurces n the internal netwrk. Because f a flaw in the TOE functining, an unauthrized persn may gather residual infrmatin frm a previus infrmatin flw r internal TOE data by mnitring the padding f the infrmatin flws frm the TOE. An unauthrized persn r unauthrized external IT entity may be able t view, mdify, and/r delete security related infrmatin that is sent between a remtely lcated authrized administratr and the TOE Persns may nt be accuntable fr the actins that they cnduct because the audit recrds are nt reviewed, thus allwing an attacker t escape detectin. An unauthrized persn may read, mdify, r destry security critical TOE cnfiguratin data. An unauthrized persn may cause audit recrds t be lst r prevent future recrds frm being recrded by taking actins t exhaust audit strage capacity, thus masking an attackers actins. 1.4 Organizatinal Security Plicies The fllwing rganizatinal plicies are fulfilled by the TOE. P.INTEGRITY The TOE shall supprt the IETF Internet Prtcl Security Encapsulating Security Paylad (IPSEC ESP) as specified in RFC Sensitive infrmatin transmitted t a peer TOE shall apply integrity mechanisms as specified in Use f HMAC-SHA-1-96 within ESP and AH (RFC 2404) 2 Identificatin The evaluated prduct is as fllws: 3

7 Juniper Netwrks Security Appliances Security Target: Juniper Netwrks Security Appliances Security Target, Versin 0.7, March 7, 2012 TOE Identificatin: The TOE cnsists f ne r mre f the fllwing security appliances running the specified ScreenOS firmware versin: Prduct Juniper Netwrks NetScreen ISG 1000 Juniper Netwrks NetScreen ISG 2000 Juniper Netwrks NetScreen 5200 Juniper Netwrks NetScreen 5400 Juniper Netwrks SSG5 Secure Services Juniper Netwrks SSG20 Secure Services Juniper Netwrks SSG140 Secure Services Juniper Netwrks SSG320M Secure Services Juniper Netwrks SSG350M Secure Services Juniper Netwrks SSG520M Secure Services Juniper Netwrks SSG550M Secure Services Part Numbers NS-ISG-1000, NS-ISG-1000-DC, NS-ISG-1000B, NS-ISG-1000B-DC NS-ISG-2000, NS-ISG-2000-DC, NS-ISG-2000B, NS-ISG-2000B-DC NS-5200, NS-5200-DC NS-5400, NS-5400-DC SSG-5-SB, SSG-5-SH SSG-20-SB, SSG-20-SH SSG-140-SB, SSG-140-SH SSG-320M-SH, SSG-320M-SH-N-TAA, SSG-320M-SH-DC-N-TAA SSG-350M-SH, SSG-350M-SH-N-TAA, SSG-350M-SH-DC-N-TAA SSG-520M-SH, SSG-520M-SH-N-TAA, SSG-520M-SH-DC-N-TAA SSG-550M-SH, SSG-550M-SH-N-TAA, SSG-550M-SH-DC-N-TAA Firmware Versin TOE Envirnment: The TOE is a self-cntained netwrk appliance. 3 Security Plicy The TOE enfrces the fllwing security plicies as described in the ST. Security audit 4

8 Juniper Netwrks Security Appliances Cryptgraphic supprt User data prtectin Identificatin and authenticatin Security management Prtectin f the TSF Nte: The ST shuld be cnsulted fr mre descriptin f these and ther security functins f the TOE. 3.1 Security audit Audit data is stred in memry and is separated int three types f lgs; events, traffic lgs, and self lgs. Events are system-level ntificatins and alarms which are generated by the system t indicate events such as cnfiguratin changes, netwrk attacks detected, r administratrs lgging in ur ut f the device. Traffic lgs are directly driven by plicies that allw traffic t g thrugh the device. Self lgs stre infrmatin n traffic that is drpped and traffic that is sent t the device. Bth audit events and traffic messages can be further defined depending n the severity f the message and/r event. Lgs are prtected and a searching/srting mechanism f these lgs is ffered t administratrs. 3.2 Cryptgraphic supprt The Juniper Netwrks Security Appliances are FIPS validated as multi-chip standalne mdules. All supprt the use f AES with SSH using key sizes greater than r equal t 128-bits. 3.3 User data prtectin The user data prtectin prvided by the Security Appliance is prvided thugh the cncept f znes. Security plicies are applied t the flw f infrmatin frm netwrk ndes in ne zne t netwrk ndes in ther znes. These plicies cntrl interzne and intrazne infrmatin flws. Traffic frm ne netwrk nde in a zne will nly be frwarded t a nde in anther zne if the cnnectin requests and the traffic satisfy the infrmatin flw plicies cnfigured in the security appliance. If data is received by an appliance that des nt cnfrm t thse plicies, it will be discarded and an audit recrd will be sent t the traffic lg. A zne is a lgical abstractin n which a security appliance prvides services that are typically cnfigurable by the administratr. A zne can be a segment f netwrk space t which security measures are applied (a security zne), a lgical segment t which a VPN tunnel interface is bund (a tunnel zne), r either a physical r lgical entity that perfrms a specific functin (a functin zne). See the Security Target fr mre infrmatin abut znes. 3.4 Identificatin and authenticatin The security appliances prvide an authenticatin mechanism fr administrative users thrugh an internal authenticatin database. Administrative lgin is supprted thrugh the lcally cnnected cnsle fr initial cnfiguratin, r remtely via an SSH prtected cmmunicatin channel. The 5

9 Juniper Netwrks Security Appliances TOE perates in a mde that has been certified t FIPS level 2 verall, and supprts AES encryptin fr the SSH prtected cmmunicatin channel. A knwn administratr user id and its crrespnding authenticatin data must be entered crrectly in rder fr the administratr t successfully lgn and thereafter gain access t administrative functins. Fr lcal authenticatin, all administratr user name and passwrd pairs are managed in a database internal t the security appliance. Excessive failed lgin attempts while initiating a remte administratin sessin can cause the sessin being created t be clsed. 3.5 Security management Every security appliance prvides a cmmand line administrative interface and supprts remte administratin thrugh an SSH cmmand line interface. SSH prvides fr the prtectin f remte administratin activity frm bth disclsure and mdificatin. Neither the web interface nr the Netwrk and Security Manager are part f the evaluated cnfiguratin. T execute the CLI, the administratr can establish a trusted SSH cnnectin t the security appliance. The authrized administratr must be successfully identified and authenticated befre they are permitted t perfrm any security management functins n the TOE. The Security Appliances als supprt distinct administrative rles: Rt Administratr, Audit Administratr, Cryptgraphic Administratr and Security Administratr. In additin t these administrative rles, an administratr may be given a read-write r read-nly attribute that affects that administratr s ability t change the device s cnfiguratin data. All f these rles are cnsidered t be authrized administratrs. Mre details abut these management peratins available t administratrs can be fund in Sectin 6.1.5, 'Security management'. 3.6 Prtectin f the TSF Each security appliance is a hardware and firmware device that prtects itself largely by ffering nly a minimal lgical interface t the netwrk and attached ndes. ScreenOS is a special purpse OS that prvides n general purpse prgramming capability. All netwrk traffic frm ne netwrk zne t anther r between tw netwrks within the same netwrk zne passes thrugh the TOE; hwever, n prtcl services are prvided fr user cmmunicatin with the security appliance itself. The TOE als utilizes a hardware clck t maintain and prvide reliable time stamps. 4 Assumptins The ST identifies the fllwing assumptins abut the use f the prduct: A.PHYSEC A.LOWEXP A.GENPUR A.PUBLIC The TOE is physically secure. The threat f malicius attacks aimed at discvering explitable vulnerabilities is cnsidered lw. There are n general-purpse cmputing capabilities (e.g., the ability t execute arbitrary cde r applicatins) and strage repsitry capabilities n the TOE. The TOE des nt hst public data. 6

10 A.NOEVIL A.SINGEN A.DIRECT A.NOREMO A.REMACC 4.1 Clarificatin f Scpe VALIDATION REPORT Juniper Netwrks Security Appliances Authrized administratrs are nn-hstile and fllw all administratr guidance; hwever, they are capable f errr. Infrmatin can nt flw amng the internal and external netwrks unless it passes thrugh the TOE. Human users within the physically secure bundary prtecting the TOE may attempt t access the TOE frm sme direct cnnectin (e.g., a cnsle prt) if the cnnectin is part f the TOE. Human users wh are nt authrized administratrs can nt access the TOE remtely frm the internal r external netwrks. Authrized administratrs may access the TOE remtely frm the internal and external netwrks. The Target f Evaluatin (TOE) is the Juniper Netwrks Security Appliances previusly identified. All mdels cmprising the TOE have been validated t FIPS Security Level 2. As a cnsequence f this validatin, and in rder t ensure the evaluated cnfiguratin f the TOE satisfies its security requirements, the fllwing clarificatins are nted: The TOE appliance shuld be cnfigured fr FIPS 140 mde t perate in the evaluated cnfiguratin External authenticatin servers are nt permitted in the evaluated cnfiguratin Use f the Web interface fr security management is nt permitted in the evaluated cnfiguratin SNMP is excluded frm the evaluated TOE. SNMP security features are nt cnsistent with thse identified in the ST ( The IPv6 capabilities f the prduct were nt subject t evaluatin t simplify the evaluatin and testing. The ST specifically indicates that ALG is nt supprted in a PAT cnfiguratin. The client prt translatin thrugh NAT will nt wrk. The NAT prcess n the firewall will always pick a high number prt fr surce prt translatin, which will be subsequently denied by the rsh server. This is an applicatin design issue and nt a result f the ALG implementatin Virtual Systems were excluded t simply the evaluatin. 5 Architectural Infrmatin Juniper Netwrks Security Appliances all share a very similar hardware architecture and packet flw. All run ScreenOS with cmmn cre features acrss all prducts. All security appliances perfrm the same security functins and exprt the same types f interfaces. A sample f the differences between these prducts is listed belw. 7

11 VALIDATION REPORT Juniper Netwrks Security Appliances The SSG 5 and SSG 20 use an Intel IXP625 ASIC; the SSG 140 uses the Intel IXP2325. The Intel IXP ASICs prvide acceleratin f AES, and SHA-1. The remaining cryptgraphic and firewall functinality is perfrmed in sftware. The 320M, 350M, 520M and 550M use the Cavium Nitrx Lite ASIC t accelerate AES, SHA-1 and mdular expnentiatin peratins. The remaining cryptgraphic and firewall functinality is perfrmed in sftware. The Juniper Netwrks NetScreen-5200, NetScreen-5400, NetScreen-ISG1000 and NetScreen-ISG2000 use ne r mre custm GigaScreen3 ASICs. The GigaScreen3 ASIC is capable f prviding mst f the firewall and cryptgraphic functinality, and uses the CPU as a c-prcessr fr handling management traffic and first packet inspectins (plicy lkups). The GigaScreen3 ASIC can prcess an incming packet, perfrm a sessin lkup, NAT, TCP/IP sequence checking, and can then send the packet back ut f the device withut ever being prcessed by the system CPU. The nly time the CPU is used is fr first packet inspectin, management traffic, and packet fragment reassembly fr inspectin. These platfrms use the Cavium Nitrx Lite ASIC fr acceleratin f mdular expnentiatin peratins. 5.1 Hardware The hardware is manufactured t Juniper s specificatins by sub-cntracted manufacturing facilities. Juniper s custm OS, ScreenOS, runs in firmware. The security appliances prvide n extended permanent strage like disk drives and n abstractins like files. Audit infrmatin is stred in memry. The main cmpnents f a security appliance are the prcessr, ASIC, memry, interfaces, and surrunding chassis and cmpnents. The differences between security appliances are the types f prcessr(s), traffic interfaces, management interfaces, number f pwer supplies, type f ASIC, and redundancy t ensure high availability. The supprted netwrk interfaces that carry netwrk traffic include supprt fr Gigabit r 10/100Mbps cpper-based cnnectins as well as Fibre channel cnnectins. All devices supprt 10/100Mbps ethernet cnnectivity, while sme als prvide a management interface thrugh an RJ-45 serial prt. 5.2 ScreenOS ScreenOS pwers the entire system. At its cre is a custm-designed, real time perating system built frm the utset t deliver security and perfrmance. ScreenOS prvides an integrated platfrm fr its functins, including: Stateful inspectin firewall Traffic management Site-t-Site VPN ScreenOS des nt supprt a general-purpse, cmputing envirnment. 5.3 Physical Bundaries The physical bundary f the security appliances is the physical appliance. The cnsle, which is part f the TOE peratinal envirnment, prvides the visual I/O fr the administrative interface. 8

12 Juniper Netwrks Security Appliances After the TOE is placed int the evaluated cnfiguratin, the administrative interface is prvided ver an SSH cnnectin using encryptin. The security appliance attaches t physical netwrks that have been separated int znes thrugh prt interfaces. Security appliances cme in several mdels. Each mdel differs in the perfrmance capabilities; hwever all prvide the same security functins. Each appliance enfrces a security plicy fr all cnnectin request and traffic flw between any tw netwrk znes. All hardware n which each security appliance perates is part f the TOE. Each security appliance has a custm perating system that is part f the TOE. The perating system, ScreenOS, runs cmpletely in firmware. There is ne assumptin pertaining t the crrect peratin f the TOE and that is fr the cnsle, which must be a device that can emulate a VT- 100 terminal. The cnsle is part f the TOE envirnment and is expected t crrectly display what is sent t it frm ScreenOS. Als within the TOE envirnment are ptinal servers that can prvide time keeping r syslg services. These servers cmmunicate with the TOE ver trusted channels using certificate-based authenticatin and encryptin. The physical bundaries f the security appliance include the interfaces t cmmunicate between an appliance and a netwrk nde assigned t a netwrk zne. All netwrk cmmunicatin flw ges frm the sender netwrk nde in ne zne, thrugh a security appliance, and frm a security appliance t the receiving nde in anther netwrk zne, if the security plicy allws the infrmatin flw. Please refer t the Security Target fr mre technical details abut the prduct and its assciated security claims and functins. 6 Dcumentatin 6.1 Prduct Guidance The guidance dcumentatin examined during the curse f the evaluatin and therefre delivered with the TOE (nte that the first is Cmmn Criteria specific and is nrmative while the thers are generally infrmative) is as fllws: ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 1: Overview ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 2: Fundamentals ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 3: Administratin ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 4: Attack Detectin ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 5: VPNs ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 8: Address Translatin ScreenOS CLI Reference Guide: IPv4 Cmmand Descriptins ScreenOS Message Lg Reference Guide Juniper Netwrks ScreenOS 6.3 Evaluated Cnfiguratin fr Cmmn Criteria, EAL4 9

13 VALIDATION REPORT Juniper Netwrks Security Appliances SSG 5 Hardware Installatin and Cnfiguratin Guide SSG 20 Hardware Installatin and Cnfiguratin Guide SSG 140 Hardware Installatin and Cnfiguratin Guide SSG 300M-series Hardware Installatin and Cnfiguratin Guide SSG 500M-series Hardware Installatin and Cnfiguratin Guide ISG 1000 Hardware Installatin and Cnfiguratin Guide ISG 2000 Hardware Installatin and Cnfiguratin Guide NetScreen-5000 Series Hardware Installatin and Cnfiguratin Guide Nte: Several sectins f the ScreenOS Cncepts and Example, ScreenOS Reference Guide are NOT included as part f the TOE dcumentatin. These sectins were excluded because this ST makes n claims regarding the functinality within these sectins. Operatin f the TOE with these features is nt part f this evaluatin. 6.2 Evaluatin Evidence The fllwing tables identify the additinal dcumentatin submitted as evaluatin evidence by the vendr. With the exceptin f the Security Target, these dcuments are prprietary and nt available t the general public. Juniper Netwrks Security Appliances Security Target, Versin 0.8, April 6, 2012 Functinal Specificatin, Juniper Netwrks Security Appliances, Versin 2.1, August 29, 2011 [FSP] Juniper Netwrks Security Appliances Security Architecture Dcument, Revisin 0.5, May 31, 2011 Tracings fr BRPP Evaluatin.xlsx [Tracings] Administratr Subsystem TOE Design Specificatin, Juniper Netwrks Security Appliances, Versin 2.1, August 29, 2011 [Admin] Audit Subsystem TOE Design Specificatin, Juniper Netwrks Security Appliances, Versin 2.1, August 29, 2011 [Audit] Authenticatin Subsystem TOE Design Specificatin, Juniper Netwrks Security Appliances, Versin 2.1, August 29, 2011 [Authenticatin] File System Subsystem TOE Design Specificatin Juniper Netwrks Security Appliances, Versin 2.0, May 31, 2011 Hardware Subsystem TOE Design Specificatin Juniper Netwrks Security Appliances, Versin 2.0, May 31, 2011 Initializatin Subsystem TOE Design Specificatin Specificatin, Juniper Netwrks Security Appliances, Versin 2.0, May 31, 2011 Kernel Services Subsystem TOE Design Specificatin, Juniper Netwrks Security Appliances, Versin 2.1, August 29, 2011 [Kernel Services] 10

14 Juniper Netwrks Security Appliances Memry Management Subsystem TOE Design Specificatin Juniper Netwrks Security Appliances, Versin 2.0, May 26, 2011 NSRP Subsystem TOE Design Specificatin Juniper Netwrks Security Appliances, Versin 2.0, May 31, 2011 Packet Flw Prcessing Subsystem TOE Design Specificatin, Juniper Netwrks Security Appliances, Versin 2.1, August 29, 2011 [Packet Flw Prcessing] Ruting Subsystem TOE Design Specificatin Juniper Netwrks Security Appliances, Versin 2.0, May 31, 2011 TCP/IP Stack Subsystem TOE Design Specificatin Juniper Netwrks Security Appliances, Versin 2.0, May 31, 2011 Traffic Management Subsystem TOE Design Specificatin Juniper Netwrks Security Appliances, Versin 2.0, May 31, 2011 VPN Subsystem TOE Design Specificatin, Juniper Netwrks Security Appliances, Versin 2.0, August 29, 2011 [VPN] Juniper Netwrks ScreenOS 6.3 Evaluated Cnfiguratin fr Cmmn Criteria, EAL4, Versin 1.0, March 8, 2012 [ECCC] Other prduct guidance available fr the TOE n the develper prduct website ( Juniper Netwrks ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 1: Overview, Release 6.3.0, Rev. 01 [RG1] Juniper Netwrks ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 2: Fundamentals, Release 6.3.0, Rev. 01 [RG2] Juniper Netwrks ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 3: Administratin, Release 6.3.0, Rev. 01 [RG3] Juniper Netwrks ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 4: Attack Detectin and Defense Mechanisms, Release 6.3.0, Rev. 01 [RG4] Juniper Netwrks ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 5: VPNs, Release 6.3.0, Rev. 01 [RG5] Juniper Netwrks ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 6: Vice-ver-Internet Prtcl, Release 6.3.0, Rev. 01 [RG6] Juniper Netwrks ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 7: Ruting, Release 6.3.0, Rev. 01 [RG7] Juniper Netwrks ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 8: Address Translatin, Release 6.3.0, Rev. 01 [RG8] Juniper Netwrks ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 9: User Authenticatin, Release 6.3.0, Rev. 01 [RG9] Juniper Netwrks ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 11: High Availability, Release 6.3.0, Rev. 01 [RG11] 11

15 VALIDATION REPORT Juniper Netwrks Security Appliances Juniper Netwrks ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 12: WAN, ADSL, Dial, and Wireless, Release 6.3.0, Rev. 01 [RG12] Juniper Netwrks ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 13: General Packet Radi Service, Release 6.3.0, Rev. 01 [RG13] Juniper Netwrks ScreenOS Cncepts and Example, ScreenOS Reference Guide, Vlume 14: Dual-Stack Architecture with IPv6, Release 6.3.0, Rev. 01 [RG14] Juniper Netwrks ScreenOS Reference Guide: IPv4 Cmmand Descriptins, Release 6.3.0, Rev. 01 [CD4] Juniper Netwrks ScreenOS Reference Guide: IPv6 Cmmand Descriptins, Release 6.3.0, Rev. 01 [CD6] Juniper Netwrks Secure Delivery Prcesses and Prcedures, Revisin D, December 1, 2009 [DEL] SSG 5 Hardware Installatin and Cnfiguratin Guide, Juniper Netwrks ( SSG 20 Hardware Installatin and Cnfiguratin Guide, Juniper Netwrks ( SSG 140 Hardware Installatin and Cnfiguratin Guide, Juniper Netwrks ( SSG 300M-series Hardware Installatin and Cnfiguratin Guide, Juniper Netwrks ( SSG 500M-series Hardware Installatin and Cnfiguratin Guide, Juniper Netwrks ( ISG 1000 Hardware Installatin and Cnfiguratin Guide, Juniper Netwrks ( ISG 2000 Hardware Installatin and Cnfiguratin Guide, Juniper Netwrks ( NetScreen-5000 Series Hardware Installatin and Cnfiguratin Guide, Juniper Netwrks ( ScreenOS Cnfiguratin Items, Revisin C, April 11, 2011 (JNPR_ScreenOS_62_CC_MRPP_Cnfiguratin_Items.xml) ScreenOS Maintenance Release QA Prcess, Versin 1.1, August 17, 2009 [Maintenance] 12

16 Juniper Netwrks Security Appliances Cnfiguratin Management Plan, Revisin D, December 4, 2009 [CMP] Secure Delivery Prcesses and Prcedures, Revisin E, March 8, 2012 [DEL] Juniper Netwrks ScreenOS 6.3 Cmmn Criteria Test Plan, Vlume 1 Intrductin & Overview, Dcument Number: SPEC-9242, Revisin: 2.0, Date: Jan 1, 2012 Juniper Netwrks ScreenOS 6.3 Cmmn Criteria Test Plan, Vlume 2 - General Test Cases, Dcument Number: SPEC-9243, Revisin: 2.0, Date: Jan 1, 2012 Juniper Netwrks ScreenOS 6.3 Cmmn Criteria Test Plan, Vlume 3 Mre General Tests, Dcument Number: SPEC-9244, Revisin: 2.0, Date: Jan 1, 2012 Juniper Netwrks ScreenOS 6.3 Cmmn Criteria Test Plan, Vlume 4 Transparent Mde VPN Tests, Dcument Number: SPEC-9245, Revisin: 2.0, Date: Jan 1, 2012 Juniper Netwrks ScreenOS 6.3 Cmmn Criteria Test Plan, Vlume 5 Rute Mde VPN Tests, Dcument Number: SPEC-9246, Revisin: 2.0, Date: Jan 1, 2012 Juniper Netwrks ScreenOS 6.3 Cmmn Criteria Test Plan, Vlume 7 Transparent Mde Firewall Tests, Dcument Number: SPEC-9248, Revisin: 2.0, Date: Jan 1, 2012 Test Results 7 Prduct Testing This sectin describes the testing effrts f the develper and the Evaluatin Team. It is derived frm infrmatin cntained in the Evaluatin Technical Reprt Fr Juniper Netwrks Security Appliances Part 1, 0.1, 3/7/2012. Evaluatin team testing was cnducted at the vendr s develpment site in Sunnyvale, CA during the week f February 27, Develper Testing The vendr s apprach t testing fr the Juniper Netwrks Security Appliances is based n testing the claimed security functins f the TOE as represented by the SFRs specified in the ST. The vendr has develped a test suite cmprising varius autmated tests designed t demnstrate that the TSF satisfies the SFRs specified in the ST. The vendr addressed test depth by mapping SFRs t specific subsystems and mdules and by simultaneusly mapping SFRs t specific test cases. The vendr s tests are fcused n demnstrating the satisfactin f specific SFRs, but the vendr als analyzed the functinalities addressed in the TOE design and als mapped test cases that address thse functinalities. The vendr ran the entire test suite n all TOE mdels n the test cnfiguratin described in the test dcumentatin and gave the evaluatin team the actual results. The evaluatin team verified the results demnstrated all vendr tests had passed. The evaluatin team nted the vendr s test suite is cmprehensive, including psitive and negative test cases and a significant number f vulnerability tests. 7.2 Evaluatin Team Independent Testing The evaluatin team executed a sample f the vendr test suite, per the evaluated cnfiguratin as described in the Juniper Netwrks Security Appliances Security Target. The tests were run n a 13

17 Juniper Netwrks Security Appliances selectin f the test cnfiguratins described in the vendr test dcumentatin, using the vendr s test infrastructure. The evaluatin team devised a test subset based n cverage f the security functins described in the ST. The test envirnment described abve was used with team generated test prcedures and team analysis t determine the expected results. The subset f vendr tests selected was spread ut ver all f the TOE mdels, which includes cverage fr five f the 18 test beds defined in the vendr s test suite. The evaluatrs selected the test cases s that there was at least 20% test cverage fr each functinal requirement. Hwever, since sme f the test cases are mapped t multiple requirements, the verall independent test cverage was ver 30%. This sample was successfully exercised substantiating the vendr s wn mre cmprehensive test results. The evaluatrs devised a series f independent tests crrespnding t the security functins as fllws: Audit Data Generatin Audit Review Audit Srting Cryptgraphic Operatin fr remte sessins Cryptgraphic Operatin fr VPN sessins NAT Mde firewall prtectin Interzne and Glbal Zne Plicy enfrcement Single-use Authenticatin Mechanisms Management f Security Functins Behavir fr User Security Attributes Management f Security Functins Behavir fr Cnfiguratin Backup Management f Security Functins Behavir fr SYSLOG Cnfiguratin Management f Security Functins Behavir fr Remte Administratin 7.3 Penetratin Testing The evaluatin team cnducted an pen surce search fr vulnerabilities in the TOE, identifying five vulnerabilities reprted against earlier versins f ScreenOS. The evaluatin team determined, thrugh analysis f vulnerability descriptins and cnsideratin f the methd f use f the TOE, n reprted vulnerabilities are relevant t the TOE in its evaluated cnfiguratin. In additin t the pen surce search, the evaluatin team cnsidered ther ptential vulnerabilities, based n a search f the evaluatin evidence. Sme f the ideas fr vulnerability tests identified by the evaluatin team were already cvered by vendr functinal tests r by the independent functinal tests devised by the evaluatin team. Others were determined, thrugh analysis, nt t present explitable vulnerabilities. Finally, the evaluatrs ran cmprehensive prts scans in rder t ensure that all pened prts were expected and their purpses understd. 14

18 Juniper Netwrks Security Appliances Given the cmplete set f test results frm test prcedures exercised by the develper and the sample f tests directly exercised by the evaluatrs, the testing requirements fr EAL 2 augmented with ALC_FLR.2 are fulfilled. 8 Evaluated Cnfiguratin As identified in the Juniper Netwrks Security Appliances Security Target, Versin 0.7, March 7, 2012 the evaluated cnfiguratin cnsists f the fllwing TOE cmpnents. Ultimately the guidance identified previusly describes specifically hw each f the identified cmpnents needs t be installed and used in rder t perate the evaluated prducts in their evaluated cnfiguratin. Prduct Juniper Netwrks NetScreen ISG 1000 Juniper Netwrks NetScreen ISG 2000 Juniper Netwrks NetScreen 5200 Juniper Netwrks NetScreen 5400 Juniper Netwrks SSG5 Secure Services Juniper Netwrks SSG20 Secure Services Juniper Netwrks SSG140 Secure Services Juniper Netwrks SSG320M Secure Services Juniper Netwrks SSG350M Secure Services Juniper Netwrks SSG520M Secure Services Juniper Netwrks SSG550M Secure Services Part Numbers NS-ISG-1000, NS-ISG-1000-DC, NS-ISG-1000B, NS-ISG-1000B-DC NS-ISG-2000, NS-ISG-2000-DC, NS-ISG-2000B, NS-ISG-2000B-DC NS-5200, NS-5200-DC NS-5400, NS-5400-DC SSG-5-SB, SSG-5-SH SSG-20-SB, SSG-20-SH SSG-140-SB, SSG-140-SH SSG-320M-SH, SSG-320M-SH-N-TAA, SSG-320M-SH-DC-N-TAA SSG-350M-SH, SSG-350M-SH-N-TAA, SSG-350M-SH-DC-N-TAA SSG-520M-SH, SSG-520M-SH-N-TAA, SSG-520M-SH-DC-N-TAA SSG-550M-SH, SSG-550M-SH-N-TAA, SSG-550M-SH-DC-N-TAA Firmware Versin 9 Results f the Evaluatin The evaluatin was cnducted based upn Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin, Versin 3.1, Revisin 3, July A verdict fr an assurance cmpnent is determined by the resulting verdicts assigned t the crrespnding evaluatr actin elements. The evaluatin team assigned a Pass, Fail, r Incnclusive verdict t each wrk unit f 15

19 Juniper Netwrks Security Appliances each assurance cmpnent. Fr Fail r Incnclusive wrk unit verdicts, the evaluatin team advised the develper f issues requiring reslutin r clarificatin within the evaluatin evidence. In this way, the evaluatin team assigned an verall Pass verdict t the assurance cmpnent nly when all f the wrk units fr that cmpnent had been assigned a Pass verdict. The validatin team agreed with the cnclusin f the evaluatin team, and recmmended t CCEVS management that an EAL 2 augmented with ALC_FLR.2 certificate rating be issued fr Juniper Netwrks Security Appliances. The details f the evaluatin are recrded in the Evaluatin Technical Reprt Fr Juniper Netwrks Security Appliances Parts 1 and 2 and the Evaluatin Team Test Reprt Fr Juniper Netwrks Security Appliances, which are cntrlled by the SAIC CCTL. The security assurance requirements are listed in the fllwing table. Requirement Class ADV: Develpment AGD: Guidance dcuments ALC: Life-cycle supprt ATE: Tests AVA: Vulnerability assessment TOE Security Assurance Requirements Requirement Cmpnent ADV_ARC.1: Security architecture descriptin ADV_FSP.2: Security-enfrcing functinal specificatin ADV_TDS.1: Basic design AGD_OPE.1: Operatinal user guidance AGD_PRE.1: Preparative prcedures ALC_CMC.2: Use f a CM system ALC_CMS.2: Parts f the TOE CM cverage ALC_DEL.1: Delivery prcedures ALC_FLR.2: Flaw reprting prcedures ATE_COV.1: Evidence f cverage ATE_FUN.1: Functinal testing ATE_IND.2: Independent testing - sample AVA_VAN.2: Vulnerability analysis 10 Validatr Cmments/Recmmendatins See Sectin 4.1 Clarificatin f Scpe. 11 Annexes Nt applicable. 12 Security Target The ST fr this prduct s evaluatin is Juniper Netwrks Security Appliances Security Target, Versin 0.8, April 6,

20 13 Bibligraphy VALIDATION REPORT Juniper Netwrks Security Appliances [1] Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin Part 1: Intrductin, Versin 3.1, Revisin 3, July [2] Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin Part 2: Security Functinal Requirements, Versin 3.1 Revisin 3, July [3] Cmmn Criteria fr Infrmatin Technlgy Security Evaluatin Part 3: Security assurance cmpnents, Versin 3.1 Revisin 3, July [4] Cmmn Methdlgy fr Infrmatin Technlgy Security Evaluatin, Evaluatin Methdlgy, Versin 3.1, Revisin 3, July [5] Juniper Netwrks Security Appliances Security Target, Versin 0.8, April 6, [6] Cmmn Criteria Evaluatin and Validatin Scheme - Guidance t CCEVS Apprved Cmmn Criteria Testing Labratries, Versin 2.0, 8 Sep [7] Evaluatin Technical Reprt Fr Juniper Netwrks Security Appliances Part 1, 0.1, 3/7/2012. [8] Evaluatin Technical Reprt Fr Juniper Netwrks Security Appliances Part 2, 0.2, 3/7/2012. [9] Evaluatin Team Test Reprt Fr Juniper Netwrks Security Appliances, versin 0.1 3/7/