Security Target. Version 3.1, February 5, 2015. Prepared for: Palo Alto Networks Inc., 4401 Great America Parkway, Santa Clara, CA 95054

Palo Alto Networks PA-200, PA-500, PA-7050, PA-2000 Series, PA-3000 Series, PA-4000 Series, and PA-5000 Series Next-Generation Firewall running PAN-OS Security Target

Version 3.1
February 5, 2015

Prepared for: Palo Alto Networks Inc., 4401 Great America Parkway, Santa Clara, CA 95054
Prepared by: Leidos (formerly SAIC) Common Criteria Testing Laboratory, 6841 Benjamin Franklin Drive, Columbia, MD 21046

Revision History

Date; Description; Author
August 2010; Initial version; SAIC
May 2011; Added PA-5000 platforms; Wes Higaki
December 2011; Changed product name and updated ST according to ETR; N. Campagna
January 2012; Updating ST according to ETR; N. Campagna
February 2012; Further ETR updates; N. Campagna
February 2012; EAL 4 Augmentation list and further ETR updates; Jake Bajic
April 2012; X9.31 RNG update and further ETR updates; Jake Bajic
May 2012; ETR updates; Jake Bajic
August 2012; ETR updates; Jake Bajic
September 2012; ETR updates; Jake Bajic
November 2012; ETR updates; Jake Bajic
November 2012; Accepted changes and removed comments, added algorithm certification numbers; Jake Bajic
February 2013; Test VOR updates; Jake Bajic
February 2013; Pre Final VOR updates; Jake Bajic
March 2013; Minor updates; Jake Bajic
April 2013; Final VOR updates; Jake Bajic
April; Minor updates after Final VOR presentation; Jake Bajic
February 2014; Assurance Continuity Updates; Jake Bajic
September 2014; Assurance Continuity Updates; Jake Bajic
February 2015; Assurance Continuity Updates, updated FIPS certificate number; Jake Bajic

Table of Contents

1. SECURITY TARGET INTRODUCTION
   SECURITY TARGET, TOE AND CC IDENTIFICATION
   CONFORMANCE CLAIMS
   CONVENTIONS, TERMINOLOGY AND ABBREVIATIONS
TOE DESCRIPTION
   TOE OVERVIEW
   TOE ARCHITECTURE
      Physical Boundaries
      Logical Boundaries
      Product Capabilities not supported in the TOE
   TOE DOCUMENTATION
SECURITY PROBLEM DEFINITION
   ASSUMPTIONS
   THREATS
   ORGANIZATIONAL SECURITY POLICIES
SECURITY OBJECTIVES
   SECURITY OBJECTIVES FOR THE TOE
   SECURITY OBJECTIVES FOR THE OPERATING ENVIRONMENT
IT SECURITY REQUIREMENTS
   EXTENDED COMPONENT DEFINITIONS
   TOE SECURITY FUNCTIONAL REQUIREMENTS
      Security Audit
      Cryptographic Support
      User Data Protection
      Identification and Authentication
      Security Management
      Protection of the TSF
      Resource Allocation
      TOE Access
      Trusted Path/Channels
   TOE SECURITY ASSURANCE REQUIREMENTS
      Development (ADV)
      Guidance Documents (AGD)
      Life-cycle Support (ALC)
      Tests (ATE)
      Vulnerability Assessment (AVA)
TOE SUMMARY SPECIFICATION
   TOE SECURITY FUNCTIONS
      Security Audit
      Cryptographic Support
      Identification and Authentication
      User Data Protection
      Security Management
      TSF Protection
      Resource Utilization
      TOE Access
      Trusted Path/Channels
PROTECTION PROFILE CLAIMS
8. RATIONALE
   SECURITY OBJECTIVES RATIONALE
   SECURITY FUNCTIONAL REQUIREMENTS RATIONALE
   SECURITY ASSURANCE REQUIREMENTS RATIONALE
   REQUIREMENT DEPENDENCY RATIONALE
   PP CLAIMS RATIONALE

LIST OF TABLES

Table 1: TOE Security Functional Requirements
Table 2: Audit Events
Table 3: Assurance Components
Table 4: Requirement Dependency Summary

1. Security Target Introduction

This section identifies the Security Target (ST) and Target of Evaluation (TOE) identification, ST conventions, ST conformance claims, and the ST organization. The TOE is the next-generation firewall running PAN-OS v6.0.3, with User Identification Agent, v , provided by Palo Alto Networks Inc.

The next-generation firewall includes the PA-200, PA-500, PA-7050, PA-2020, PA-2050, PA-3020, PA-3050, PA-4020, PA-4050, PA-4060, PA-5020, PA-5050, and PA-5060 appliances, which are used to manage enterprise network traffic flows using function specific processing for networking, security, and management. The next-generation firewalls identify which applications are flowing across the network, irrespective of port, protocol, or SSL encryption. The User Identification Agent (installed on a PC in the network) communicates with the domain controller to retrieve user-specific information. It allows the next-generation firewall to automatically collect user information and include it in policies and reporting.

The Security Target contains the following additional sections:

- TOE Description (Section 2): provides an overview of the TOE and describes the physical and logical boundaries of the TOE
- Security Problem Definition (Section 3): describes the assumptions, threats, and organizational security policies that define the security problem to be addressed by the TOE and its environment
- Security Objectives (Section 4): describes the objectives necessary to counter the defined threats and satisfy the assumptions and organizational security policies
- IT Security Requirements (Section 5): provides a set of security functional requirements to be met by the TOE. The IT security requirements also provide a set of security assurance requirements that are to be satisfied by the TOE
- TOE Summary Specification (Section 6): describes the security functions of the TOE and how they satisfy the security functional requirements
- Protection Profile Claims (Section 7): provides rationale that the TOE conforms to the PP(s) for which conformance has been claimed
- Rationale (Section 8): provides mappings and rationale for the security problem definition, security objectives, security requirements, and security functions to justify their completeness, consistency, and suitability.

1.1 Security Target, TOE and CC Identification

ST Title: Palo Alto Networks PA-200, PA-500, PA-7050, PA-2000 Series, PA-4000 Series, and PA-5000 Series Next-Generation Firewall running PAN-OS Security Target
ST Version: See ST title page
ST Date: See ST title page
TOE Identification: Palo Alto Networks next-generation firewall models PA-200, PA-500, PA-7050, PA-2020, PA-2050, PA-3020, PA-3050, PA-4020, PA-4050, PA-4060, PA-5020, PA-5050, and PA-5060 with PAN-OS v6.0.3 and the User Identification Agent v
TOE Developer: Palo Alto Networks Inc.
Evaluation Sponsor: Palo Alto Networks Inc.
CC Identification: Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2, September

1.2 Conformance Claims

This ST and the TOE it describes are conformant to the following CC specifications:

- Common Criteria for Information Technology Security Evaluation Part 2: Security Functional Components, September 2007, Version 3.1, Revision 2, CCMB
  Part 2 Extended
- Common Criteria for Information Technology Security Evaluation Part 3: Security Assurance Components, September 2007, Version 3.1, Revision 2; CCMB
  Part 3 Conformant

This ST and the TOE it describes meet all of the Security Functional Requirements (SFRs) of the following Protection Profile (PP):

- U.S. Government Traffic-Filter Firewall Protection Profile For Medium Robustness Environments, Version 1.1, July 25,

This ST and the TOE it describes are conformant to the following assurance package:

- EAL4 augmented with ALC_FLR.2, and ATE_DPT

Conventions, Terminology and Abbreviations

Conventions

Where requirements are drawn from the U.S. Government Traffic-Filter Firewall Protection Profile For Medium Robustness Environments, the requirements are copied from the Protection Profile and all operation conventions employed by the Protection Profile are removed, with the exception of the iteration convention. Otherwise, only operations performed in this Security Target are identified.

Where requirements are drawn from the Common Criteria (and are not found in the Protection Profile), the requirements are copied and the operations performed in this Security Target are identified.

Where applicable, the following conventions are used to identify operations:

- Iteration: Iterated requirements (components and elements) are identified with a number in parentheses following the base component identifier. For example, iterations of FCS_COP.1 are identified in a manner similar to FCS_COP.1(1) (for the component) and FCS_COP.1.1(1) (for the elements).
- Assignment: Assignments are identified in brackets and bold (e.g., [assigned value]).
- Selection: Selections are identified in brackets, bold, and italics (e.g., [selected value]). Assignments within selections are identified using the previous conventions, except that the assigned value would also be italicized and extra brackets would occur (e.g., [selected value [assigned value]]).
- Refinement: Refinements are identified using bold text (e.g., added text) for additions and strike-through text (e.g., deleted text) for deletions.

Terminology and Abbreviations

The following terms and abbreviations are used in this ST:

Security policy: Provides the firewall rule sets that specify whether to block or allow network connections.
Security profile: A security profile specifies protection rules to apply when processing network traffic. The profiles supported by the TOE include Antivirus, Anti-spyware, Vulnerability Protection, File Blocking, and Data Filtering. Security profiles are specified in security policies.

Security zone: A grouping of TOE interfaces. Each TOE interface must be assigned to a zone before it can process traffic.
SFP: Security Function Policy, a set of rules describing specific security behavior enforced by the TOE security functions and expressible as a set of security functional requirements.
SSL: Secure Sockets Layer, a cryptographic protocol that provides security for communications over networks.
Virtual system: Virtual systems allow the TOE administrator to customize administration, networking, and security policies for network traffic belonging to specific user groupings (such as departments or customers).
VLAN: Virtual Local Area Network
VPN: Virtual Private Network

In addition, refer to the U.S. Government Traffic-Filter Firewall Protection Profile For Medium Robustness Environments, Version 1.1, for a list of terminology that may be used within this ST.

2. TOE Description

The Target of Evaluation (TOE) is Palo Alto Networks next-generation firewall, which includes models PA-200, PA-500, PA-7050, PA-2020, PA-2050, PA-3020, PA-3050, PA-4020, PA-4050, PA-4060, PA-5020, PA-5050, and PA-5060, each equipped with PAN-OS v6.0.3, and the User Identification Agent, v The next-generation firewall is a firewall that provides policy-based application visibility and control to protect traffic flowing through the enterprise network.

2.1 TOE Overview

The next-generation firewalls are network firewall appliances used to manage enterprise network traffic flow using function specific processing for networking, security, and management. The next-generation firewalls let the administrator specify security policies based on an accurate identification of each application seeking access to the protected network. The next-generation firewall uses packet inspection and a library of applications to distinguish between applications that have the same protocol and port, and to identify potentially malicious applications that use non-standard ports. The next-generation firewall also supports the establishment of Virtual Private Network (VPN) connections to other next-generation firewalls or third party security devices.

A next-generation firewall is typically installed between an edge router or other device facing the Internet and a switch or router connecting to the internal network. The Ethernet interfaces on the firewall can be configured to support various networking environments, including: Layer 2 switching and VLAN environments; Layer 3 routing environments; transparent in-line deployments; and combinations of the three.

The next-generation firewalls provide granular control over the traffic allowed to access the protected network. They allow an administrator to define security policies for specific applications, rather than rely on a single policy for connections to a given port number. For each identified application, the administrator can specify a security policy to block or allow traffic based on the source and destination zones, source and destination addresses, or application services.

The next-generation firewall products provide the following security related features:

- Application-based policy enforcement: the product uses a traffic classification technology named App-ID to classify traffic by application content irrespective of port or protocol. Protocol and port can be used in conjunction with application identification to control what ports an application is allowed to run on. High risk applications can be blocked, as well as high-risk behavior such as file-sharing. SSL encrypted traffic can be decrypted and inspected.
- Threat prevention: the firewall includes threat prevention capabilities that can protect the network from viruses, worms, spyware, and other malicious traffic.
- Traffic visibility: the firewall includes the capability to generate extensive reports, logs, and notification mechanisms that provide detailed visibility into network application traffic and security events.
- Fail-safe operation: the firewall can be configured for fault-tolerant operations, where the firewall can be deployed in active/passive pairs so that if the active firewall fails for any reason, the passive firewall becomes active automatically with no loss of service.
- Management: each firewall can be managed through a Graphical User Interface (GUI) or a text-based command-line interface (CLI). Both interfaces provide an administrator with the ability to establish policy controls, provide the means to control what applications network users are allowed access to, and to control logging and reporting. These interfaces also provide dynamic visibility tools that enable views into the actual applications running on the network. The GUI can identify the applications with the most traffic and the highest security risks. When configured in a Common Criteria mode of operation, the GUI is secured using HTTP over TLSv1.0. When used in Common Criteria compliant deployments, the CLI may be used for maintenance, recovery and debugging purposes, which is outside the normal operation of the TOE.

Firewall Policy Enforcement

The App-ID classification technology uses four classification techniques to determine exactly what applications are traversing the network irrespective of port number. As traffic flows through the TOE, App-ID identifies traffic using the following classification engines.

- Application Protocol/Port: App-ID identifies the protocol (such as TCP or UDP) and the port number of the traffic. Protocol/Port information is primarily used for policy enforcement, such as allowing or blocking a specific application over a specific protocol or port number, but is sometimes used in classification, such as ICMP traffic where the protocol is the primary classification method used.
- Application Protocol Decoding: App-ID's protocol decoders determine if the application is using a protocol as a normal application transport (such as HTTP for web browsing applications), or if it is only using the apparent protocol to hide the real application protocol (for example, Yahoo! Instant Messenger might hide inside HTTP).
- Application Signatures: App-ID uses context-based signatures, which look for unique application properties and related transaction characteristics to correctly identify the application regardless of the protocol and port being used.
- Heuristics: App-ID requires multi-packet heuristics for identifying some encrypted applications like Skype and encrypted Bittorrent. This component of App-ID identifies patterns across multiple packets to identify these more complex applications.

The application-centric nature of App-ID means that it can not only identify and control traditional applications such as SMTP, FTP, and SNMP, but it can also accurately identify many more applications through the use of protocol decoders and application signatures. These applications are categorized in order to simplify the process of building a security policy that matches an organization's information security policy.

Threat Prevention

The next-generation firewall includes a real-time threat prevention engine that inspects the traffic traversing the network for a wide range of threats. The threat prevention engine scans for all types of threats with a uniform signature format, and can identify and block a wide range of threats across a broad set of applications in a single pass. The threats that can be detected by the threat prevention engine include: viruses; spyware (inbound file scanning, and connections to infected web sites); application vulnerability exploits; and phishing/malicious URLs.

App-ID and Threat Prevention Signature Updates

App-ID and threat prevention signatures (collectively known as content updates) may be updated periodically using the dynamic updates feature of the firewall. The TOE can be instructed to contact Palo Alto Networks update server to download new content updates as they are made available. The connection to the update server is secured with TLS v1.0 and is secured using FIPS-approved algorithms. For an additional layer of protection, Palo Alto Networks has chosen to sign (using RSA-2048) and encrypt (using AES-256) all content that is downloaded to the firewall.

Management

The next-generation firewall provides a Web Management interface and a Command-Line interface. The Web interface provides a GUI for management and control of TOE configuration and monitoring over HTTP or HTTPS from an Internet Explorer (IE, version 7 or later), Firefox (version 3.6 or later), Safari (version 5 or later), and Chrome (version 11 or later) browser. The CLI provides text-based configuration and monitoring over Telnet, Secure Shell (SSH), or the console port.

In Common Criteria mode, the firewall must be administered via HTTPS. HTTP-based management is excluded from the evaluated configuration. The CLI may be used for maintenance, recovery and debugging purposes, which is outside the normal operation of the TOE. Note that some additional management features are not permitted in the evaluated configuration (see section Product Capabilities not supported in the TOE for a detailed list of excluded features).

User Identification Agent

User Identification Agent (UIA) version: client software program installed on one or more PCs on the protected network. The UIA provides the firewall with the capability to automatically collect user-specific information that is used in security policy enforcement and reporting. The UIA is not related to Identification and Authentication.

Fault Tolerance

Fault-tolerant operation is provided when the TOE is deployed in active/passive pairs so that if the active firewall fails for any reason, the passive firewall becomes active automatically with no loss of service. A failover can also occur if selected Ethernet links fail or if one or more specified destinations cannot be reached by the active firewall. The active firewall continuously synchronizes its configuration and session information with the passive firewall over two dedicated high availability (HA) interfaces. If one HA interface fails, synchronization continues over the remaining interface.

Common Criteria Compliant Mode of Operation

The TOE is compliant with the capabilities outlined in this Security Target only when operated in Common Criteria mode. Common Criteria mode is a special operational mode in which the FIPS requirements for startup and conditional self-tests as well as algorithm selection are enforced. In this mode, only FIPS-approved and FIPS-allowed cryptographic algorithms are available. The TOE will also enable certain PP-related functionality when configured in this mode of operation. The PP-related functions include selective audit, expired private key zeroization, and scheduled or on-demand cryptographic and software integrity self-tests.

2.2 TOE Architecture

The firewall's architecture is divided into three subsystems: the control plane; the data plane; and the User Identification Agent. The control plane provides system management functionality while the data plane handles all data processing on the network; both reside on the firewall appliance. The User Identification Agent is installed on a separate PC on the network and communicates with the domain controller to retrieve user-specific information. It allows the next-generation firewall to automatically collect user information and include it in policies and reporting.

The following diagram depicts both the hardware and software architecture of the next-generation firewall.

Figure 1: TOE Architecture

The control plane includes a dual core CPU, with dedicated memory and a hard drive for local log, configuration, and software storage. The data plane includes three components (the network processor, the security processor, and the stream signature processor), each with its own dedicated memory and hardware processing.

In summary, the functionality provided by each component of the system is as follows:

Control Plane

The control plane provides all device management functionality, including:

- All management interfaces: CLI (direct console access used for maintenance, recovery and debugging purposes, which is outside the normal operation of the TOE), GUI interface, syslog logging, SNMP, and ICMP
- Configuration management of the device, such as controlling the changes made to the device configuration, as well as the compilation and pushing to the dataplane of a configuration change
- Logging infrastructure for traffic, threat, alarm, configuration, and system logs
- Reporting infrastructure for reports, monitoring tools, and graphical visibility tools (reporting is excluded from the evaluated configuration)
- Administration controls, including administrator authentication and audit trail information for administrators logging in, logging out, and configuration changes
- Interactions with the UIA to retrieve the user to IP address mapping information that is used for policy enforcement

Data Plane

The data plane provides all data processing and security detection and enforcement, including:

- All networking connectivity, packet forwarding, switching, routing, and network address translation
- Application identification, using the content of the applications, not just port or protocol
- SSL forward proxy, including decryption and re-encryption
- Policy lookups to determine what security policy to enforce and what actions to take, including scanning for threats, logging, and packet marking
- Application decoding, threat scanning for all types of threats and threat prevention
- Logging, with all logs sent to the control plane for processing and storage

The TOE's SSL decryption feature uses an SSL proxy to establish itself as a man-in-the-middle proxy, which decrypts and controls the traffic within the SSL tunnel that traverses the TOE. The SSL proxy acts as a forward proxy (internal client to an external server). The certificates used by the TOE during forward proxying include as much relevant data from the external server's original certificate as possible (i.e., validity dates, certificate purpose, common name, and subject information). For inbound connections (external client to internal server), the TOE can decrypt incoming traffic and control the traffic within the SSL tunnel. SSL decryption is configured as a rulebase in which match criteria include zone, IP address, and User-ID.

SSL proxy is configured by creating a Certificate Authority certificate (CA cert) on the firewall. When a client attempts to connect with a remote server, if a decryption policy is matched, the firewall will create a connection with the server and another connection with the client, inserting itself in the middle. The firewall will copy the subject information, validity information, and common name into a new certificate that is signed by the CA cert. If the firewall trusts the issuer of the server's certificate, it will sign the newly generated server cert with a trusted CA cert. If the firewall does not trust the issuer of the server's certificate, it will sign the newly generated server cert with an untrusted CA cert, thereby relaying the untrusted nature of the certificate to the client. A new public/private key pair is generated for each new SSL server to which the clients connect.

SSH decryption is checked using the SSH application signature; a policy lookup will occur on the decrypt rule to see if this session should be decrypted. If yes, the TOE will set up a man-in-the-middle to decrypt the session and decide if any port-forwarding request is sent in that session. As soon as any port forwarding is detected, the application becomes an SSH-tunnel, and based on the policy, the session might get denied.
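The forward-proxy certificate handling described above, modelled as an added example (not PAN-OS code and not part of the Security Target). It assumes Python with the `cryptography` package and ECDSA keys; all CA and host names are constructed, and issuer trust is reduced to a direct signature check against a list of CA certificates.

```python
import datetime as dt

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import ExtendedKeyUsageOID, NameOID


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def validity(cert):
    # The *_utc accessors exist in cryptography >= 42; older releases use the naive ones.
    if hasattr(cert, "not_valid_before_utc"):
        return cert.not_valid_before_utc, cert.not_valid_after_utc
    return cert.not_valid_before, cert.not_valid_after


def issue(cn, days, issuer=None, is_ca=False):
    """Issue a certificate for cn; self-signed when issuer is None. Returns (key, cert)."""
    key = ec.generate_private_key(ec.SECP256R1())
    signer_key, issuer_name = (issuer[0], issuer[1].subject) if issuer else (key, name(cn))
    start = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)
    builder = (
        x509.CertificateBuilder()
        .subject_name(name(cn))
        .issuer_name(issuer_name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(start + dt.timedelta(days=days))
        .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
    )
    if not is_ca:  # server certificates carry a "certificate purpose"
        eku = x509.ExtendedKeyUsage([ExtendedKeyUsageOID.SERVER_AUTH])
        builder = builder.add_extension(eku, critical=False)
    return key, builder.sign(signer_key, hashes.SHA256())


def signed_by(cert, ca_cert):
    """True if ca_cert's key produced cert's signature (ECDSA only in this model)."""
    if cert.issuer != ca_cert.subject:
        return False
    try:
        ca_cert.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                    ec.ECDSA(cert.signature_hash_algorithm))
        return True
    except InvalidSignature:
        return False


def reissue(origin, trusted_issuers, trust_ca, untrust_ca):
    """Forward-proxy step: copy subject, validity and purpose into a new certificate
    with a fresh key pair, signed by the trusted or the untrusted CA cert."""
    issuer_ok = any(signed_by(origin, ca) for ca in trusted_issuers)
    ca_key, ca_cert = trust_ca if issuer_ok else untrust_ca
    new_key = ec.generate_private_key(ec.SECP256R1())  # new key pair per server
    start, end = validity(origin)
    builder = (
        x509.CertificateBuilder()
        .subject_name(origin.subject)
        .issuer_name(ca_cert.subject)
        .public_key(new_key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(start)
        .not_valid_after(end)
    )
    try:
        eku = origin.extensions.get_extension_for_class(x509.ExtendedKeyUsage)
        builder = builder.add_extension(eku.value, critical=eku.critical)
    except x509.ExtensionNotFound:
        pass
    return new_key, builder.sign(ca_key, hashes.SHA256())


def demo():
    # All CAs and host names below are constructed for this example.
    public_ca = issue("Constructed Public CA", 3650, is_ca=True)
    unknown_ca = issue("Constructed Unknown CA", 3650, is_ca=True)
    trust_ca = issue("Constructed Firewall Trusted CA", 3650, is_ca=True)
    untrust_ca = issue("Constructed Firewall Untrusted CA", 3650, is_ca=True)
    firewall_trust_store = [public_ca[1]]  # issuers the firewall trusts
    client_trust_store = [trust_ca[1]]     # clients hold only the trusted CA cert

    results = {}
    for label, ca, days in (("known", public_ca, 90), ("unknown", unknown_ca, 30)):
        _, origin = issue(label + ".example", days, issuer=ca)
        _, proxied = reissue(origin, firewall_trust_store, trust_ca, untrust_ca)
        results[label] = {
            "issuer": proxied.issuer.rfc4514_string(),
            "subject_copied": proxied.subject == origin.subject,
            "validity_copied": validity(proxied) == validity(origin),
            "new_key_pair": proxied.public_key().public_numbers()
            != origin.public_key().public_numbers(),
            "client_accepts": any(signed_by(proxied, root) for root in client_trust_store),
        }
    return results


if __name__ == "__main__":
    for label, outcome in demo().items():
        print(label, outcome)
```

Because clients are given only the trusted CA cert, the certificate re-issued for the server with the unknown issuer fails client validation, which is how the untrusted status reaches the user.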

User Identification Agent

The user identification agent is a client software program installed on one or more PCs on the protected network to obtain user-specific information. The agent can be installed on any PC running Windows XP with SP2 (or higher than SP2), or Windows Vista, or Windows Server bit with SP2 (or higher than SP2), or Windows Server bit and 64bit. The agent communicates with a Microsoft Windows Domain Controller to obtain user information (such as user groups, users, and machines deployed in the domain) and makes the information available to the firewall, which uses it for policy enforcement and reporting. The UIA maintains mapping information received from the Domain Controller, which it synchronizes to the firewall table. The UIA only works with IPv4 addresses and does not work with IPv6 addresses.

Physical Boundaries

The TOE consists of the following components:

- Hardware appliance: includes the physical port connections on the outside of the appliance cabinet, an internal hardware cryptographic module used for the cryptographic operations provided by the TOE, and a time clock that provides the time stamp used for the audit records.
- PAN-OS version: the firmware component that runs the appliance. PAN-OS is built on top of a Linux kernel and runs along with Appweb (the web server that Palo Alto Networks uses), crond, syslogd, and various vendor-developed applications that implement PAN-OS capabilities. PAN-OS provides the logical interfaces for network traffic. PAN-OS runs on both the Control Plane and the Data Plane and provides all firewall functionalities provided by the TOE, including the threat prevention capabilities as well as the identification and authentication of users and the management functions. PAN-OS provides unique functionality on the two planes based on the applications that are executing. The Control Plane provides a GUI Web management interface to access and manage the TOE functions and data. The Data Plane provides the external interface between the TOE and the external network to monitor network traffic so that the TSF can enforce the TSF security policy.
- User Identification Agent (UIA) version: client software program installed on one or more PCs on the protected network. The UIA provides the firewall with the capability to automatically collect user-specific information that is used in security policy enforcement and reporting.

The physical boundary of the TOE comprises the firewall appliance (PA-200, PA-500, PA-7050, PA-2020, PA-2050, PA-3020, PA-3050, PA-4020, PA-4050, PA-4060, PA-5020, PA-5050, and PA-5060), together with the User Identification Agent (UIA) component. The nine models of the next-generation firewall differ in their performance capability, but they provide the same security functionality, with the exception of virtual systems, which are supported by default (without an additional license) on the PA-4020, PA-4050, PA-4060, PA-5020, PA-5050, PA-5060, and PA The PA-2000 Series can support virtual systems with the purchase of an additional license. The PA-500 cannot support virtual systems.

Virtual systems specify a collection of physical and logical firewall interfaces that should be isolated. Each virtual system contains its own security policy and its own set of logs that will be kept separate from all other virtual systems.

The firewall appliance attaches to a physical network and includes the following ports:

- PA-200: 8 RJ-45 10/100/1000 ports for network traffic (Ethernet ports); 1 RJ-45 port to access the device CLI or GUI through an Ethernet interface (management ports); and 1 RJ-45 port for connecting a serial console (management console port)
- PA-500: 8 RJ-45 10/100/1000 ports for network traffic (Ethernet ports); 1 RJ-45 port to access the device CLI or GUI through an Ethernet interface (management ports); and 1 RJ-45 port for connecting a serial console (management console port)
- PA-2020: 12 RJ-45 10/100/1000 ports for network traffic (Ethernet ports); 2 Small Form-Factor Pluggable (SFP) Gbps ports for network traffic, 1 RJ-45 port to access the device CLI or GUI through an Ethernet interface (management ports); and 1 RJ-45 port for connecting a serial console (management console port)

- PA-2050: 16 RJ-45 10/100/1000 ports for network traffic (Ethernet ports); 4 Small Form-Factor Pluggable (SFP) Gbps ports for network traffic, 1 RJ-45 port to access the device CLI or GUI through an Ethernet interface (management ports); and 1 RJ-45 port for connecting a serial console (management console port)
- PA-3020/PA-3050: 12 RJ-45 10/100/1000 ports for network traffic (Ethernet ports); 8 Small Form-Factor Pluggable (SFP) Gbps ports for network traffic, 1 RJ-45 port to access the device CLI or GUI through an Ethernet interface (management ports); 1 RJ-45 port for connecting a serial console (management console port); and 2 RJ-45 ports for high-availability (HA) control and synchronization
- PA-4020/4050: 16 RJ-45 10/100/1000 ports for network traffic (Ethernet ports); 8 Small Form-Factor Pluggable (GFP) Mbps ports for network traffic, 1 RJ-45 port to access the device CLI or GUI through an Ethernet interface (management ports); 1 DB-9 port for connecting a serial console (management console port); and 2 RJ-45 ports for high-availability (HA) control and synchronization
- PA-4060: 4 XFP 10 Gbps ports for management traffic; 4 Small Form-Factor Pluggable (SFP) Mbps ports for network traffic, 1 RJ-45 port to access the device CLI or GUI through an Ethernet interface (management ports); 1 DB-9 port for connecting a serial console (management console port); and 2 RJ-45 ports for high-availability (HA) control and synchronization
- PA-5020: 12 RJ-45 10/100/1000 ports for network traffic. 8 Small Form-Factor Pluggable (SFP) ports for network traffic. One RJ-45 port to access the device management interfaces through an Ethernet interface. One RJ-45 port for connecting a serial console. Two RJ-45 ports for high-availability (HA) control and synchronization.
- PA-5050: 12 RJ-45 10/100/1000 ports for network traffic. Eight Small Form-Factor Pluggable (SFP) ports for network traffic. Four SFP+ ports for network traffic. One RJ-45 port to access the device management interfaces through an Ethernet interface. One RJ-45 port for connecting a serial console. Two RJ-45 ports for high-availability (HA) control and synchronization.
- PA-5060: 12 RJ-45 10/100/1000 ports for network traffic. Eight Small Form-Factor Pluggable (SFP) ports for network traffic. Four SFP+ ports for network traffic. One RJ-45 port to access the device management interfaces through an Ethernet interface. One RJ-45 port for connecting a serial console. Two RJ-45 ports for high-availability (HA) control and synchronization.
- PA-7050: 12 gig copper ports for network traffic, eight Small Form-Factor Pluggable (SFP) ports for network traffic and four SFP+ ports for network traffic per blade (6 blades max). One RJ-45 port to access the device management interfaces through an Ethernet interface. One RJ-45 port for connecting a serial console. Two QSFP ports for high-availability (HA) control and synchronization.

In the evaluated configuration, the TOE can be managed by:

- A computer either directly connected or remotely connected to the Management port via an RJ-45 Ethernet cable. The Management port is an out-of-band management port that provides access to the GUI via HTTPS. The computer is part of the operational environment and required to have a web browser (for accessing the GUI).

Traffic logs, which record information about each traffic flow or problems with the network traffic, are logged locally by default. However, the TOE offers the capability to send the logs as SNMP traps, Syslog messages, or notifications. This capability relies on the operational environment to include the appropriate SNMP, syslog or SMTP servers. These servers are optional components, which have not been subject to testing in the evaluated configuration.

The operational environment includes a domain controller to be used with the User Identification Agent. The User Identification Agent itself is installed on one or more PCs in the operational environment, and is supported on Windows XP with SP2 (or higher than SP2), or Windows Vista, or Windows Server bit with SP2 (or higher than SP2), or Windows Server bit and 64bit. The operational environment also includes an SNMP client.

The port for connecting a serial console (DB-9 in PA-4000 series and RJ-45 for PA-500, PA-7050, PA-2000, PA-3000, and PA-5000 series) is not part of the TOE evaluated configuration, as it is enabled only for output in Common Criteria mode.

2.2.2 Logical Boundaries

The logical boundaries of the TOE are described in terms of the security functions provided by the next-generation firewall. These comprise: Security Audit; Cryptographic Support; User Data Protection; Identification and Authentication; Security Management; TSF Protection; Resource Utilization; TOE Access; and Trusted Path/Channels.

The CMVP has validated the cryptographic module and issued the following certificate: Certificate No PA-200, PA-500, PA-2000 Series, PA-3000, PA-4000 Series, PA-5000, and PA-7050 Series Firewalls by Palo Alto Networks. Please reference the NIST website, Validation Lists for Cryptographic Standards at

Security Audit

The TOE provides the capability to generate audit records of a number of security events including all user identification and authentication, configuration events, and information flow control events (i.e. decisions to allow and/or deny traffic flow). The management GUI is used to review the audit trail. The management GUI offers options to sort and search the audit records, and to include or exclude auditable events from the set of audited events. The TOE stores the audit trail locally. The TOE protects the audit trail by providing only restricted access to it; by not providing interfaces to modify the audit records. The TOE also provides a time-stamp for the audit records.

In addition, the TOE monitors various events occurring on the firewall (such as authentication failures and information flow policy failures) and will generate an alarm if the number of such events reaches a configured limit, indicating a potential security violation.

Cryptographic Support

The TOE provides FIPS approved key management capabilities and cryptographic algorithms implemented in a FIPS validated crypto-module to support the provision of: trusted paths to remote administrators accessing the TOE via HTTPS; trusted channels to authorized external IT entities; SSL decryption; SSH decryption; and protection of TSF data communicated between the firewall device and the User Identification Agent.

User Data Protection

The TOE enforces the Unauthenticated Information Flow SFP to control the type of information that is allowed to flow through the TOE and the Unauthenticated TOE Services SFP to control access to services offered by the TOE. The enforcement process for these SFPs involves the TOE performing application identification and policy lookups to determine what actions to take. The security policies can specify whether to block or allow a network session based on the application, the source and destination addresses, the application service (such as HTTP), users, the devices and virtual systems, and the source and destination security zones. Security zones are classified as the untrusted zone, where interfaces are connected to the Internet, and the trusted zone, where interfaces connect only to the internal network.

Virtual systems provide a way to customize administration, networking, and security policies for the network traffic belonging to specific departments or customers. Each virtual system specifies a collection of physical and logical interfaces, and security zones for which specific policies can be tailored. Administrator accounts can be defined that are limited to the administration of a specific virtual system.

In addition, each security policy can also specify one or more security profiles, including: antivirus profiles; antispyware profiles; vulnerability protection profiles; and file blocking profiles. The profiles can identify which applications are inspected for viruses, a combination of methods to combat spyware, the level of protection against known vulnerabilities, and which type of files can be uploaded or downloaded. The TOE compares the policy rules against the incoming traffic to determine what actions to take including: scan for threats; block or allow traffic; logging; and packet marking.

The TOE also implements an information flow control policy for its VPN capability, which uses IP Security (IPSec) and Internet Key Exchange (IKE) protocols to establish secure tunnels for VPN traffic. The VPN policy makes a routing decision based on the destination IP address. If traffic is routed through a VPN tunnel, it is encrypted as VPN traffic. It is not necessary to define special rules for this policy; routing and encryption decisions are determined only by the destination IP address.

Both when the TOE receives data from the network and when it transmits data to the network, it ensures that the buffers are not padded out with previously transmitted or otherwise residual information. The TSF relies on the domain controller in the IT environment, which is used with the User Identification Agent, to provide it with user specific information that is used in policies and reporting.

Identification and Authentication

The TOE ensures that all users accessing the TOE user interfaces are identified and authenticated. The TOE accomplishes this by supporting local user authentication using an internal database. The TOE maintains information that includes username, password, and role (set of privileges), which it uses to authenticate the human user and to associate that user with an authorized role. In addition, the TOE can be configured to lock a user out after a configurable number of unsuccessful authentication attempts.

Security Management

The TOE provides a number of management functions and restricts them to users with the appropriate privileges. The management functions include the capability to create new user accounts, configure the audit function including selection of the auditable events, configure the information flow control rules, and review the audit trail. The TOE provides Security Administrator, Audit Administrator, and Cryptographic Administrator and ensures the appropriate functions are restricted to these roles and there is no overlap between the roles, except that all administrators have read access to the audit trail. The TOE offers one interface to manage its functions and access its data: a GUI management interface. The GUI management interface can be accessed via direct connection to the device, or remotely over HTTPS.

TSF Protection

The TOE provides fault tolerance, when it is deployed in active/passive pairs. If the active firewall fails because a selected Ethernet link fails, or if one or more of the specified destinations cannot be reached by the active firewall, the passive firewall becomes active automatically with no loss of service. The active firewall continuously synchronizes its configuration and session information with the passive firewall over two dedicated high availability (HA) interfaces. If one HA interface fails, synchronization continues over the remaining interface.

The TOE is able to detect replay attacks and reject the data. This is true for traffic destined for the TOE itself as well as traffic passing through the TOE. In addition, the TOE provides a set of self-tests that demonstrate correct operation of the TSF, the cryptographic functions implemented in the TSF, and the key generation components implemented in the TSF. The TOE uses its cryptographic capabilities to secure communication between the User Identification Agent and the firewall.

Resource Utilization

The TOE is able to enforce transport-layer quotas for the number of SYN requests per second, the number of UDP packets per second that do not match an existing UDP session, and the number of ICMP packets per second.

TOE Access

The TOE provides the capabilities for both TOE- and user-initiated locking of interactive sessions and for TOE termination of an interactive session after a period of inactivity. The TOE will display an advisory and consent warning message regarding unauthorized use of the TOE before establishing a user session. The TOE can also deny establishment of an authorized user session based on location, day, and time.

Trusted Path/Channels

The TOE provides trusted paths to remote administrators accessing the TOE via HTTPS and trusted channels to authorized external IT entities.
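The transport-layer quotas described under Resource Utilization above, sketched as an added example (not code from the Security Target or from PAN-OS). The fixed one-second windows, the class and field names, the direction-independent UDP session key, the absence of session expiry and the constructed packet trace are all assumptions made for illustration.

```python
"""Per-second quotas for SYN requests, session-less UDP packets and ICMP packets."""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float            # arrival time in seconds
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False    # True for a TCP connection request (SYN without ACK)


@dataclass(frozen=True)
class Quotas:
    syn_per_sec: int
    udp_new_per_sec: int
    icmp_per_sec: int


def udp_session_key(pkt):
    """Direction-independent key, so a reply matches the session it belongs to."""
    return tuple(sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)]))


class QuotaEnforcer:
    """Assumes packets arrive in time order and sessions do not expire."""

    def __init__(self, quotas):
        self.limits = {
            "syn": quotas.syn_per_sec,
            "udp_new": quotas.udp_new_per_sec,
            "icmp": quotas.icmp_per_sec,
        }
        self.window = None          # index of the current one-second window
        self.used = Counter()       # packets admitted per class in this window
        self.dropped = Counter()    # packets dropped per class, whole run
        self.udp_sessions = set()

    def classify(self, pkt):
        """Return the quota class a packet counts against, or None."""
        if pkt.proto == "tcp":
            return "syn" if pkt.syn else None
        if pkt.proto == "icmp":
            return "icmp"
        if pkt.proto == "udp":
            known = udp_session_key(pkt) in self.udp_sessions
            return None if known else "udp_new"
        return None

    def process(self, pkt):
        second = int(pkt.ts)
        if second != self.window:   # new window: the per-second counters reset
            self.window = second
            self.used.clear()
        kind = self.classify(pkt)
        if kind is None:            # not subject to any of the three quotas
            return "allow"
        if self.used[kind] >= self.limits[kind]:
            self.dropped[kind] += 1
            return "drop"
        self.used[kind] += 1
        if kind == "udp_new":       # only an admitted packet creates a session
            self.udp_sessions.add(udp_session_key(pkt))
        return "allow"


# Constructed trace (documentation address ranges), not captured traffic.
SAMPLE_TRACE = [
    Packet(0.10, "tcp", "198.51.100.10", "192.0.2.80", 40001, 443, syn=True),
    Packet(0.20, "tcp", "198.51.100.11", "192.0.2.80", 40002, 443, syn=True),
    Packet(0.30, "tcp", "198.51.100.12", "192.0.2.80", 40003, 443, syn=True),
    Packet(0.35, "tcp", "198.51.100.10", "192.0.2.80", 40001, 443),
    Packet(0.40, "udp", "192.0.2.20", "198.51.100.53", 5353, 53),
    Packet(0.50, "udp", "198.51.100.53", "192.0.2.20", 53, 5353),
    Packet(0.60, "udp", "198.51.100.99", "192.0.2.20", 7000, 9),
    Packet(0.70, "icmp", "198.51.100.10", "192.0.2.80"),
    Packet(0.80, "icmp", "198.51.100.10", "192.0.2.80"),
    Packet(0.90, "icmp", "198.51.100.10", "192.0.2.80"),
    Packet(1.05, "tcp", "198.51.100.12", "192.0.2.80", 40003, 443, syn=True),
    Packet(1.10, "udp", "192.0.2.20", "198.51.100.53", 5353, 53),
    Packet(1.20, "udp", "198.51.100.99", "192.0.2.20", 7000, 9),
]


def run_sample():
    """Run the constructed trace with quotas of 2 SYN, 1 new UDP and 2 ICMP per second."""
    enforcer = QuotaEnforcer(Quotas(syn_per_sec=2, udp_new_per_sec=1, icmp_per_sec=2))
    verdicts = [enforcer.process(p) for p in SAMPLE_TRACE]
    return verdicts, dict(enforcer.dropped)


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_TRACE, run_sample()[0]):
        print(f"{pkt.ts:4.2f} {pkt.proto:4} {pkt.src:>15} -> {pkt.dst:<15} {verdict}")
```

In the trace, the UDP reply at 0.50 and the repeat query at 1.10 match an existing session and so never count against the UDP quota, while the third SYN and third ICMP packet in the first second are dropped.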

2.2.3 Product Capabilities not supported in the TOE

The next-generation firewall product provides an option for Central Management using the Panorama software. Panorama is a separate product sold separately. Panorama allows the next-generation firewall products to be managed from a centralized management server, allowing a single management console for managing multiple devices.

Other items excluded from the TOE:

- Command Line Interface (CLI) management via Telnet or SSH (SCP is also excluded). Command Line Interface (CLI) access via SSH is restricted to the Superuser role (system admin) for maintenance and debugging purposes, which is outside normal operation of the TOE.
- HTTP web-based management
- Console Port
- USB Ports
- Dynamic role administrator accounts. The Superuser dynamic role may only be used for initial configuration and must otherwise be excluded from administration of the TOE. The device administrator, device administrator (read-only), virtual system administrator, virtual system administrator (read-only), and superuser (read-only) administrator roles may not be used in the evaluated configuration.
- Custom admin roles. The device comes preconfigured with three custom admin roles. One for the Security Administrator, one for the Crypto Administrator, and one for the Audit Administrator. Additional custom admin roles must not be created and used to determine access levels for administrators.
- Tap Mode (Interface mode in which traffic may only be observed and not secured)
- Kerberos - For authentication of administrators
- Custom Applications and custom definition methods - Administrators may define custom applications in order to identify and control their own internally developed applications
- NTP - To set the system's time
- Captive Portal - Used to identify users when they do not authenticate to Active Directory
- GlobalProtect - VPN capability for remote users; this is a separately licensed feature
- HIP Profiles - Part of the GlobalProtect feature set used to verify the host's configuration prior to granting access
- SSL-VPN - VPN capability for remote users
- Terminal Services Agent - This is a separate software image used when terminal services are required along with user identification
- REST API - An API used to perform select configuration and administration tasks on the firewall; the REST API is available only to administrators with Superuser accounts and is therefore not permitted in Common Criteria mode
- User-ID XML API - An API used to provide user to IP mappings to the firewall
- Log Forwarding using FTP and TFTP
- RADIUS - For administrator authentication
- SSHv1 - Disabled in Common Criteria mode
- The authentication methods (e.g., CHAP/PAP) for PPPoE
- The eDirectory

- The tunnel monitoring
- SSLv1, SSLv2, SSLv3 - Disabled in Common Criteria mode
- DNS - Not required to enforce any SFRs; MRPP section 2.3 states "Remote administration is a required information flow to the TOE, authentication/certificate servers, Network Time Protocol (NTP) servers, as well as any other IT entities are optional."
- Software Update - The TOE system software must not be updated in order to maintain CC compliance
- Active/active HA pairs
- Botnet and country based policy enforcement
- URL Category in Match Criteria - The default setting for the URL Category for the Security Policy Rule is Any. The user should retain the default setting and should not select a URL Category from the pull down menu.
- WildFire - The file blocking profile action list includes a "forward" action, which will copy and forward files matching the policy to the WildFire cloud-based malware detection service. This is disallowed in the TOE. Wildfire is a separately licensed feature.
- SHA-2 VPN Support - The cryptographic hashing services using SHA-1 in support of the TOE's VPN capability can be manually selected.
- The internal User-ID Agent - The external, separately installed UIA is included and will be required to be used in the evaluated configuration as it was in the original evaluation.
- IPv6 Support for User-ID
- Palo Alto Networks URL Filtering Database (PAN-DB) - The use of Brightcloud is still supported and will be required for use in the TOE.
- IP Based Threat Exceptions
- Dynamic Block List
- WildFire Subscription Service
- Decryption Control - A new Decryption Profile has been introduced with several options to provide better control over SSL and SSH sessions. These additional Decryption Profile options have not been subject to evaluation.
- HA2 Keep-alive - When configuring HA, you can enable monitoring on the HA2 data link between HA peers. This feature is excluded and should not be enabled in the evaluated configuration.
- HA Path Monitoring Update - This feature is excluded and should not be enabled in the evaluated configuration. The default values should be applied.
- HA IPv6 Support - HA control and data link support and IPv6 HA path monitoring is available. This feature is excluded and should not be enabled in the evaluated configuration. The default values should be applied.
- Dataplane Health Monitoring - The PA-5000 Series and PA-3000 Series devices support an internal dataplane health monitor that will continually monitor all of the components of the dataplane. This feature is excluded and should be disabled in the evaluated configuration.
- Virtual Wire Subinterface - User can create virtual wire subinterfaces in order to classify traffic into different zones and virtual systems. This feature is excluded and should not be enabled in the evaluated configuration.
- Bad IP Option Protection - In zone protection profiles, user can now specify options to drop packets with non-conformant IP options. This feature is excluded and should not be enabled in the evaluated configuration.

- SLAAC - Stateless Address Autoconfiguration (SLAAC) is now supported on IPv6-configured interfaces. This feature is excluded and should not be enabled in the evaluated configuration.
- IPv6 over IPSec - This feature enables routing of IPv6 traffic over an IPSec tunnel established between IPv4 endpoints. This feature is excluded and should not be enabled in the evaluated configuration.
- NAT64 - NAT64 enables the firewall to translate source and destination IP headers between IPv6 and IPv4. This feature is excluded and should not be enabled in the evaluated configuration.
- Minimum Password Complexity - Allows you to define a set of password requirements that all local administrator accounts must adhere to, such as minimum length, minimum lower and upper case letters, requirement to include numbers or special characters, ability to block repeated characters and set password change periods. This feature is excluded and should not be enabled in the evaluated configuration.
- IPv6 Management Services - This feature is excluded in the TOE and the user should not configure them in the evaluated configuration.
- The OCSP responder is a means of predefining an additional field used during certificate generation. It does not need to be configured and is excluded in the TOE.
- The Shutdown Device feature, which allows sessions to be logged prior to a shutdown, is excluded in the TOE and the user should not use it in the evaluated configuration.
- Support for HSM is a new feature that is excluded in the TOE. Use of this feature requires a component in the operating environment that is not included in the evaluated configuration.
- The Option to Disable SIP ALG is a new feature that is excluded in the TOE. The users are instructed not to disable SIP ALG.
- TLS 1.2 Decryption is a new feature that is excluded in the TOE and has not been subject to evaluation.
- The User-ID Integration with Syslog is excluded in the TOE.
- The extended-capture option in the Threat Detection settings is excluded and the users are instructed not to configure extended-capture.
- URL Filtering Search Engine Cached Site Enhancement - This new feature enhancement is excluded in the TOE as it has not been covered in the scope of the evaluation.
- URL Filtering Translation Site Filtering Enhancement - This new feature enhancement is excluded in the TOE as it has not been covered in the scope of the evaluation.
- URL Safe Search Enforcement is a new feature that is excluded in the TOE. By default it is disabled.
- IKE PKI Certificate Authentication for IPsec Site to Site VPNs is a new feature that is excluded in the TOE.
- Content Delivery Network (CDN)/Update Server Verification - This new feature is excluded in the TOE. The users are instructed not to check the Verify Update Server Identity check box in the Services dialog.
- Support for Color-Coded Tags - This new feature is excluded in the TOE. The users are instructed not to configure tags via the Objects > Tags tab.
- The Virtual Machine Monitoring Agent is excluded in the TOE and the users are instructed not to configure VM information sources.
- Dynamic Address Groups are excluded in the TOE; the users are instructed not to configure them.
- URL Safe Search Enforcement is a new feature that is excluded in the TOE. By default it is disabled. The users are instructed not to enable this option.

2.3 TOE Documentation

Palo Alto Networks Inc. offers a series of documents that describe the installation of Palo Alto Networks next-generation firewalls as well as guidance for subsequent use and administration of the applicable security features. These documents include:

- Palo Alto Networks Web Interface Reference Guide, Release 6.0
- PAN-OS Command Line Interface Reference Guide, Release 6.0

The support service accounts are required for an additional service fee in order to obtain information about bug fixes included in the release notes.

3. Security Problem Definition

This section describes the threats to assets the TOE is intended to counter, the organizational security policies the TOE is required to enforce, and assumptions about the operational environment and method of use of the TOE. The assumptions, threats, and organizational security policies are reproduced from the U.S. Government Traffic-Filter Firewall Protection Profile For Medium Robustness Environments, Version 1.1, July 25, Exceptions are notated with an asterisk. Refer to Section 7, which provides the rationale for all changes, additions and modifications to the MRPP.

3.1 Assumptions

The following conditions are assumed to exist in the operational environment.

A.NO_GENERAL_PURPOSE: The Administrator ensures there are no general purpose computing or storage repository capabilities (e.g., compilers, editors, web servers, database servers or user applications) available on the TOE.
A.PHYSICAL: Physical security, commensurate with the value of the TOE and the data it contains, is assumed to be provided by the environment.
A.NO_TOE_BYPASS: Information cannot flow between external and internal networks located in different enclaves without passing through the TOE.
*A.UIA_ONLY: The PC used for the UIA component is dedicated to this function and is not used for any other purpose.

3.2 Threats

The following threats are to be countered by the TOE:

T.ADDRESS_MASQUERADE: A user on one interface may masquerade as a user on another interface to circumvent the TOE policy.
T.ADMIN_ERROR: An administrator may incorrectly install or configure the TOE, or install a corrupted TOE resulting in ineffective security mechanisms.
T.ADMIN_ROGUE: An administrator's intentions may become malicious resulting in user or TSF data being compromised.
T.AUDIT_COMPROMISE: A malicious user or process may view audit records, cause audit records to be lost or modified, or prevent future audit records from being recorded, thus masking a user's action.
T.CRYPTO_COMPROMISE: A malicious user or process may cause key, data or executable code associated with the cryptographic functionality to be inappropriately accessed (viewed, modified, or deleted), thus compromise the cryptographic mechanisms and the data protected by those mechanisms.
T.MASQUERADE: A user may masquerade as an authorized user or an authorized IT entity to gain access to data or TOE resources.
T.FLAWED_DESIGN: Unintentional or intentional errors in requirements specification or design of the TOE may occur, leading to flaws that may be exploited by a malicious user or program.


More information

SMART Active Directory Migrator 9.0.2. Requirements

SMART Active Directory Migrator 9.0.2. Requirements SMART Active Directry Migratr 9.0.2 January 2016 Table f Cntents... 3 SMART Active Directry Migratr Basic Installatin... 3 Wrkstatin and Member Server System... 5 Netwrking... 5 SSL Certificate... 6 Service

More information

LogMeIn Rescue Web SSO via SAML 2.0 Configuration Guide

LogMeIn Rescue Web SSO via SAML 2.0 Configuration Guide LgMeIn Rescue Web SSO via SAML 2.0 LgMeIn Rescue Web SSO via SAML 2.0 Cnfiguratin Guide 02-19-2014 Cpyright 2015 LgMeIn, Inc. 1 LgMeIn Rescue Web SSO via SAML 2.0 Cntents 1 Intrductin... 3 1.1 Dcument

More information

Release Notes. Dell SonicWALL Email Security 8.0 firmware is supported on the following appliances: Dell SonicWALL Email Security 200

Release Notes. Dell SonicWALL Email Security 8.0 firmware is supported on the following appliances: Dell SonicWALL Email Security 200 Email Security Dell SnicWALL Email Security 8.0 SnicOS Cntents System Cmpatibility... 1 Enhancements in Email Security 8.0... 3 Knwn Issues... 13 Reslved Issues... 13 Upgrading t Email Security 8.0...

More information

Traffic monitoring on ProCurve switches with sflow and InMon Traffic Sentinel

Traffic monitoring on ProCurve switches with sflow and InMon Traffic Sentinel An HP PrCurve Netwrking Applicatin Nte Traffic mnitring n PrCurve switches with sflw and InMn Traffic Sentinel Cntents 1. Intrductin... 3 2. Prerequisites... 3 3. Netwrk diagram... 3 4. sflw cnfiguratin

More information

TaskCentre v4.5 Send Message (SMTP) Tool White Paper

TaskCentre v4.5 Send Message (SMTP) Tool White Paper TaskCentre v4.5 Send Message (SMTP) Tl White Paper Dcument Number: PD500-03-17-1_0-WP Orbis Sftware Limited 2010 Table f Cntents COPYRIGHT 1 TRADEMARKS 1 INTRODUCTION 2 Overview 2 FEATURES 2 GLOBAL CONFIGURATION

More information

HOWTO: How to configure SSL VPN tunnel gateway (office) to gateway

HOWTO: How to configure SSL VPN tunnel gateway (office) to gateway HOWTO: Hw t cnfigure SSL VPN tunnel gateway (ffice) t gateway Hw-t guides fr cnfiguring VPNs with GateDefender Integra Panda Security wants t ensure yu get the mst ut f GateDefender Integra. Fr this reasn,

More information

The Relativity Appliance Installation Guide

The Relativity Appliance Installation Guide The Relativity Appliance Installatin Guide February 4, 2016 - Versin 9 & 9.1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -

More information

Configuring BMC AREA LDAP Using AD domain credentials for the BMC Windows User Tool

Configuring BMC AREA LDAP Using AD domain credentials for the BMC Windows User Tool Cnfiguring BMC AREA LDAP Using AD dmain credentials fr the BMC Windws User Tl Versin 1.0 Cnfiguring the BMC AREA LDAP Plugin fr Dmain Username and Passwrds Intrductin...3 LDAP Basics...4 What is LDAP and

More information

System Business Continuity Classification

System Business Continuity Classification Business Cntinuity Prcedures Business Impact Analysis (BIA) System Recvery Prcedures (SRP) System Business Cntinuity Classificatin Cre Infrastructure Criticality Levels Critical High Medium Lw Required

More information

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Versin: Mdified By: Date: Apprved By: Date: 1.0 Michael Hawkins Octber 29, 2013 Dan Bwden Nvember 2013 Rule 4-004J Payment Card Industry (PCI) Patch Management (prpsed) 01.1 Purpse The purpse f the Patch

More information

AVG AntiVirus Business Edition

AVG AntiVirus Business Edition AVG AntiVirus Business Editin User Manual Dcument revisin AVG.02 (30.9.2015) C pyright AVG Technlgies C Z, s.r.. All rights reserved. All ther trademarks are the prperty f their respective wners. Cntents

More information

Optimal Payments Extension. Supporting Documentation for the Extension Package. 20140225 v1.1

Optimal Payments Extension. Supporting Documentation for the Extension Package. 20140225 v1.1 Optimal Payments Extensin Supprting Dcumentatin fr the Extensin Package 20140225 v1.1 Revisin Histry v1.1 Updated Demac Media branding v1.0 Initial Dcument fr Distributin supprt@ptimalpayments.cm Page

More information

Implementing SQL Manage Quick Guide

Implementing SQL Manage Quick Guide Implementing SQL Manage Quick Guide The purpse f this dcument is t guide yu thrugh the quick prcess f implementing SQL Manage n SQL Server databases. SQL Manage is a ttal management slutin fr Micrsft SQL

More information

State of Wisconsin. File Server Service Service Offering Definition

State of Wisconsin. File Server Service Service Offering Definition State f Wiscnsin File Server Service Service Offering Definitin Dcument Revisin Histry Date Versin Creatr Ntes 2/16/2008 1.0 JD Urfer First pass 2/16/2008 2.0 Tm Runge Editing changes 2/19/2009 2.1 Tm

More information

Ensuring end-to-end protection of video integrity

Ensuring end-to-end protection of video integrity White paper Ensuring end-t-end prtectin f vide integrity Prepared by: Jhn Rasmussen, Senir Technical Prduct Manager, Crprate Business Unit, Milestne Systems Date: May 22, 2015 Milestne Systems Ensuring

More information

Configuring and Monitoring AS400 Servers. eg Enterprise v5.6

Configuring and Monitoring AS400 Servers. eg Enterprise v5.6 Cnfiguring and Mnitring AS400 Servers eg Enterprise v5.6 Restricted Rights Legend The infrmatin cntained in this dcument is cnfidential and subject t change withut ntice. N part f this dcument may be reprduced

More information

State of Wisconsin DET Dedicated Virtual Host Services Offering Definition

State of Wisconsin DET Dedicated Virtual Host Services Offering Definition State f Wiscnsin DET Dedicated Virtual Hst Services Offering Definitin Dcument Revisin Histry Date Versin Creatr Ntes 10/29/2010 1.0 Phil Staley Initial draft 11/3/2010 1.1 Phil Staley Ryan McKee Secnd

More information

Cloud Services MDM. Windows 8 User Guide

Cloud Services MDM. Windows 8 User Guide Clud Services MDM Windws 8 User Guide 10/24/2014 CONTENTS Overview... 2 Supprted Devices... 2 System Capabilities... 2 Enrllment and Activatin... 3 Prcess Overview... 3 Verify Prerequisites... 3 Dwnlad

More information

Datasheet. PV4E Management Software Features

Datasheet. PV4E Management Software Features PV4E Management Sftware Features PV4E is a field prven cmprehensive slutin fr real-time cntrl ver netwrk infrastructure and devices The new and refreshed Graphic User Interface (GUI) is nw even mre attractive,

More information

esafe SmartSuite Release Notes

esafe SmartSuite Release Notes Cntent Security esafe SmartSuite Release Ntes Versin: 8.5.25.0 Release Ntes Issue Date: May 20, 2010 Abut this release These release ntes prvide a list f the latest additins t esafe SmartSuite. esafe SmartSuite

More information

A96 CALA Policy on the use of Computers in Accredited Laboratories Revision 1.5 August 4, 2015

A96 CALA Policy on the use of Computers in Accredited Laboratories Revision 1.5 August 4, 2015 A96 CALA Plicy n the use f Cmputers in Accredited Labratries Revisin 1.5 August 4, 2015 A96 CALA Plicy n the use f Cmputers in Accredited Labratries TABLE OF CONTENTS TABLE OF CONTENTS... 1 CALA POLICY

More information

Integrating With incontact dbprovider & Screen Pops

Integrating With incontact dbprovider & Screen Pops Integrating With incntact dbprvider & Screen Pps incntact has tw primary pints f integratin. The first pint is between the incntact IVR (script) platfrm and the custmer s crprate database. The secnd pint

More information

Attunity RepliWeb SSL Guide

Attunity RepliWeb SSL Guide Attunity RepliWeb SSL Guide Sftware Versin 5.2 June 25, 2012 RepliWeb, Inc., 6441 Lyns Rad, Ccnut Creek, FL 33073 Tel: (954) 946-2274, Fax: (954) 337-6424 E-mail: inf@repliweb.cm, Supprt: http://supprt.repliweb.cm

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report Natinal Infrmatin Assurance Partnership Cmmn Criteria Evaluatin and Validatin Scheme Validatin Reprt Micrsft Windws 8, Micrsft Windws RT, Micrsft Windws Server 2012 IPsec VPN Client TM Reprt Number: CCEVS-VR-VID10529-2013

More information

FAQs for Webroot SecureAnywhere Identity Shield

FAQs for Webroot SecureAnywhere Identity Shield FAQs fr Webrt SecureAnywhere Identity Shield Table f Cntents General Questins...2 Why is the bank ffering Webrt SecureAnywhere Identity Shield?... 2 What des it prtect?... 2 Wh is Webrt?... 2 Is the Webrt

More information

CXA-206-1 Citrix XenApp 6.5 Basic Administration

CXA-206-1 Citrix XenApp 6.5 Basic Administration CXA-206-1 Citrix XenApp 6.5 Basic Administratin Citrix XenApp 6.5 Basic Administratin training curse prvides the fundatin necessary fr administratrs t effectively centralize and manage applicatins in the

More information

SPECIFICATION. Hospital Report Manager Connectivity Requirements. Electronic Medical Records DRAFT. OntarioMD Inc. Date: September 30, 2010

SPECIFICATION. Hospital Report Manager Connectivity Requirements. Electronic Medical Records DRAFT. OntarioMD Inc. Date: September 30, 2010 OntariMD Inc. Electrnic Medical Recrds SPECIFICATION Hspital Reprt Manager Cnnectivity Requirements DRAFT Date: September 30, 2010 Versin: 1.0 2007-2010 OntariMD Inc. All rights reserved HRM EMR Cnnectivity

More information

Evaluation Report. 29 May 2013. Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050 www.icsalabs.com

Evaluation Report. 29 May 2013. Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050 www.icsalabs.com Plycm RealPresence Access Directr 29 May 2013 Prepared by ICSA Labs 1000 Bent Creek Blvd., Suite 200 Mechanicsburg, PA 17050 www.icsalabs.cm Table f Cntents Executive Summary... 1 System Cmpnents... 3

More information

Customers FAQs for Webroot SecureAnywhere Identity Shield

Customers FAQs for Webroot SecureAnywhere Identity Shield Custmers FAQs fr Webrt SecureAnywhere Identity Shield Table f Cntents General Questins...2 Why is the bank ffering Webrt SecureAnywhere sftware?... 2 What des it prtect?... 2 Wh is Webrt?... 2 Is Webrt

More information

Pexip Infinity Secure Mode Deployment Guide

Pexip Infinity Secure Mode Deployment Guide Intrductin Pexip Infinity Secure Mde Deplyment Guide This guide cntains instructins fr deplying and using Pexip Infinity in a secure mde f peratin. Fr further infrmatin abut the deplyment instructins and

More information

Readme File. Purpose. What is Translation Manager 9.3.1? Hyperion Translation Manager Release 9.3.1 Readme

Readme File. Purpose. What is Translation Manager 9.3.1? Hyperion Translation Manager Release 9.3.1 Readme Hyperin Translatin Manager Release 9.3.1 Readme Readme File This file cntains the fllwing sectins: Purpse... 1 What is Translatin Manager 9.3.1?... 1 Cmpatible Sftware... 2 Supprted Internatinal Operating

More information

RDS Directory Synchronization. SSL Guide

RDS Directory Synchronization. SSL Guide RDS Directry Synchrnizatin SSL Guide Sftware Versin 3.1.1 Fr Windws, Linux and UNIX perating systems August 4, 2009 RepliWeb, Inc., 6441 Lyns Rad, Ccnut Creek, FL 33073 Tel: (954) 946-2274, Fax: (954)

More information

Password Reset for Remote Users

Password Reset for Remote Users 1 Passwrd Reset fr Remte Users Curin prvides a cmpnent fr the PasswrdCurier Passwrd Prvisining System that manages the lcal passwrd cache in cnjunctin with self-service passwrd reset activities. The slutin

More information

ABELMed Platform Setup Conventions

ABELMed Platform Setup Conventions ABELMed Platfrm Setup Cnventins 1 Intrductin 1.1 Purpse f this dcument The purpse f this dcument is t prvide prspective ABELMed licensees and their hardware vendrs with the infrmatin that they will require

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. Juniper Networks Security Appliances

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report. Juniper Networks Security Appliances Natinal Infrmatin Assurance Partnership Cmmn Criteria Evaluatin and Validatin Scheme TM Validatin Reprt Juniper Netwrks Security Appliances Reprt Number: CCEVS-VR-10452-2012 Dated: 28 June 2012 Versin:

More information

User Manual Brainloop Outlook Add-In. Version 3.4

User Manual Brainloop Outlook Add-In. Version 3.4 User Manual Brainlp Outlk Add-In Versin 3.4 Cntent 1. Summary... 3 2. Release Ntes... 3 2.1 Prerequisites... 3 2.2 Knwn Restrictins... 4 3. Installatin and Cnfiguratin... 4 3.1 The installatin prgram...

More information

Using Sentry-go Enterprise/ASPX for Sentry-go Quick & Plus! monitors

Using Sentry-go Enterprise/ASPX for Sentry-go Quick & Plus! monitors Using Sentry-g Enterprise/ASPX fr Sentry-g Quick & Plus! mnitrs 3Ds (UK) Limited, February, 2014 http://www.sentry-g.cm Be Practive, Nt Reactive! Intrductin Sentry-g Enterprise Reprting is a self-cntained

More information

Configuring SSL and TLS Decryption in ngeniusone

Configuring SSL and TLS Decryption in ngeniusone Cnfiguring SSL and TLS Decryptin in ngeniusone The cnfigure SSL Decryptin feature supprts real-time capture f ASI and ASR traffic flws as well as decding f Secure Scket Link (SSL) and Transprt Layer Security

More information

Avatier Identity Management Suite

Avatier Identity Management Suite Avatier Identity Management Suite AIMS Versin 9 System Requirements Versin 9 2603 Camin Ramn Suite 110 San Ramn, CA 94583 Phne: 800-609-8610 925-217-5170 FAX: 925-217-0853 Email: supprt@avatier.cm Page

More information

Licensing Windows Server 2012 R2 for use with virtualization technologies

Licensing Windows Server 2012 R2 for use with virtualization technologies Vlume Licensing brief Licensing Windws Server 2012 R2 fr use with virtualizatin technlgies (VMware ESX/ESXi, Micrsft System Center 2012 R2 Virtual Machine Manager, and Parallels Virtuzz) Table f Cntents

More information

CXA-300-1I: Advanced Administration for Citrix XenApp 5.0 for Windows Server 2008

CXA-300-1I: Advanced Administration for Citrix XenApp 5.0 for Windows Server 2008 CXA-300-1I: Advanced Administratin fr Citrix XenApp 5.0 fr Windws Server 2008 This curse prvides learners with the skills necessary t mnitr, maintain and trublesht netwrk envirnments running XenApp fr

More information

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013

Version: Modified By: Date: Approved By: Date: 1.0 Michael Hawkins October 29, 2013 Dan Bowden November 2013 Versin: Mdified By: Date: Apprved By: Date: 1.0 Michael Hawkins Octber 29, 2013 Dan Bwden Nvember 2013 Rule 4-004E Payment Card Industry (PCI) Netwrk Security (prpsed) 01.1 Purpse The purpse f this Netwrk

More information

Emulated Single-Sign-On in LISTSERV Rev: 15 Jan 2010

Emulated Single-Sign-On in LISTSERV Rev: 15 Jan 2010 Emulated Single-Sign-On in LISTSERV Rev: 15 Jan 2010 0. Nte that frm LISTSERV versin 15.5, LISTSERV supprts using an external LDAP directry (r Windws Active Directry) fr lgin authenticatin in additin t

More information

Endpoint Protection Solution Test Plan

Endpoint Protection Solution Test Plan Endpint Prtectin Slutin Test Plan This test plan is intended t lay ut high-level guidelines fr testing and cmparing varius endpint prtectin and investigatin slutins. It specifies test envirnments, cnnectivity

More information

Introduction to Mindjet MindManager Server

Introduction to Mindjet MindManager Server Intrductin t Mindjet MindManager Server Mindjet Crpratin Tll Free: 877-Mindjet 1160 Battery Street East San Francisc CA 94111 USA Phne: 415-229-4200 Fax: 415-229-4201 mindjet.cm 2013 Mindjet. All Rights

More information

Readme File. Purpose. Introduction to Data Integration Management. Oracle s Hyperion Data Integration Management Release 9.2.

Readme File. Purpose. Introduction to Data Integration Management. Oracle s Hyperion Data Integration Management Release 9.2. Oracle s Hyperin Data Integratin Management Release 9.2.1 Readme Readme File This file cntains the fllwing sectins: Purpse... 1 Intrductin t Data Integratin Management... 1 Data Integratin Management Adapters...

More information

Christchurch Polytechnic Institute of Technology Access Control Security Standard

Christchurch Polytechnic Institute of Technology Access Control Security Standard CPIT Crprate Services Divisin: ICT Christchurch Plytechnic Institute f Technlgy Access Cntrl Security Standard Crprate Plicies & Prcedures Sectin 1: General Administratin Dcument CPP121a Principles Infrmatin

More information

Zscaler Cloud Update NEW FEATURES

Zscaler Cloud Update NEW FEATURES Zscaler Clud Update FALL 2014 RELEASE UPDATE SUMMARY This release intrduces a new unified user interface that features redesigned Plicy and Administratin tabs integrated with the Dashbard and Analytics.

More information

Getting Started Guide

Getting Started Guide fr SQL Server www.lgbinder.cm Getting Started Guide Dcument versin 1 Cntents Installing LOGbinder fr SQL Server... 3 Step 1 Select Server and Check Requirements... 3 Select Server... 3 Sftware Requirements...

More information

HP Email Archiving software for Microsoft Exchange

HP Email Archiving software for Microsoft Exchange HP Email Archiving sftware fr Micrsft Exchange PST Imprt Tls Cmpnents and Deplyment Best Practices Table f Cntents Overview... 2 Prerequisites... 2 Cmpnents... 2 Archive Credentials... 2 PST Lader... 2

More information

GETTING STARTED With the Control Panel Table of Contents

GETTING STARTED With the Control Panel Table of Contents With the Cntrl Panel Table f Cntents Cntrl Panel Desktp... 2 Left Menu... 3 Infrmatin... 3 Plan Change... 3 Dmains... 3 Statistics... 4 Ttal Traffic... 4 Disk Quta... 4 Quick Access Desktp... 4 MAIN...

More information

Email Setup PPD IT How-to Guides June 2010

Email Setup PPD IT How-to Guides June 2010 Email Setup Cntents Email Infrmatin... 2 IMAP and POP3 settings... 2 Cnfiguring Micrsft Outlk 2007... 2 Archiving mail... 3 Cnfiguring AutArchive in Micrsft Outlk 2007... 3 Access frm ff site... 4 Cnfiguring

More information