Low Assurance Protection Profile for a VoIP Infrastructure



Similar documents
Low Assurance Security Target for a Cisco VoIP Telephony System

Low Assurance Protection Profile for a Software Based Personal Firewall for home Internet use

Low Assurance Protection Profile for a VPN gateway

Certification Report BSI-DSZ-CC for. Cisco VoIP Telephony Solution. Version 1.0. from. Cisco Systems, Inc.

Mobile Billing System Security Target

Firewall Protection Profile V

Security Target: Symantec Mail Security 8300 Series Appliances Version 5.0

EMC Documentum. EMC Documentum Content Server TM V5.3. and EMC Documentum Administrator TM V5.3. Security Target V2.0

Security Target for BorderWare Firewall Server 6.5

EAL4+ Security Target

OmniPCX Enterprise Common Criteria Security Target

Security Target SQL Server 2012 Team

Microsoft Forefront UAG 2010 Common Criteria Evaluation Security Target Microsoft Forefront Unified Access Gateway Team

Security Target for Cisco Secure PIX Firewall 515, 520, 525 Version 5.2(3)

IMPP. Identity Management Protection Profile BSI-PP-0024

Security Target. Astaro Security Gateway V8 Packet Filter Version Assurance Level EAL4+ Common Criteria v3.1

Enterasys Networks, Inc. Netsight/Network Access Control v Security Target

Network Intrusion Prevention System Protection Profile V1.1

Security Target. McAfee Enterprise Mobility Management 9.7. Document Version 0.9. July 5, 2012

Author: Roger French Version: 1.2 Date:

U.S. Government Protection Profile for Application-level Firewall In Basic Robustness Environments

Teradata Database Version 2 Release (V2R6.1.0) Security Target

EMC Corporation Data Domain Operating System Version Security Target. Evaluation Assurance Level (EAL): EAL2+ Document Version: 0.

Citrix Systems, Inc. NetScaler Platinum Edition Load Balancer Version 9.1 Security Target

IronMail Secure Gateway Software Version Security Target April 27, 2006 Document No. CipherTrust E2-IM4.0.0

Security Target. Security Target SQL Server 2008 Team. Author: Roger French Version: 1.04 Date:

Firewall Protection Profile

Security Target. McAfee Enterprise Mobility Management Document Version 1.16

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION

TRUSTED SECURITY FILTER SECURITY TARGET

McAfee Web Gateway Version EAL 2 + ALC_FLR.2 Security Target

Multi-Functional Printer (Digital Copier) 7222/7322/7228/7235 Series Security Target Version 10

DataPower XS40 XML Security Gateway and DataPower XI50 Integration Appliance Version 3.6. Security Target Version 0.75

Security Target. Securonix Security Intelligence Platform 4.0. Document Version January 9, 2015

C038 Certification Report

Natek Network Access Control (NAC)

Symantec Security Information Manager Version 4.8.1

Protection Profile for UK Dual-Interface Authentication Card

IBM WebSphere Message Broker Security Target

How To Evaluate A Security Target Of Evaluation (Toe)

JMCS Northern Light Video Conferencing System Security Target

How To Protect Your Computer From Being Hacked

SECURITY TARGET FOR FORTIANALYZER V4.0 MR3 CENTRALIZED REPORTING

RSA, The Security Division of EMC RSA Data Loss Prevention Suite v6.5. Security Target

Korean National Protection Profile for Voice over IP Firewall V1.0 Certification Report

Security Target for Cisco Remote Access VPN

Red Hat Enterprise Linux 3 (running on specified Dell and Hewlett-Packard hardware) Security Target

SolarWinds Log and Event Manager Software Security Target

U.S. Government Protection Profile for Database Management Systems

Security Target Microsoft SQL Server Team

BMC ProactiveNet Performance Management 9.5. Security Target

Secuware Virtual System (SVS)

Océ Technologies B.V. Oce Venlo DAC Security Target 3.0.doc

McAfee Web Gateway Version EAL 2 + ALC_FLR.2 Security Target

IBM Security Access Manager for Enterprise Single Sign-On Version 8.2 with IMS Server Interim Fix 4 and AccessAgent Fix Pack 22 Security Target

GuardianEdge Data Protection Framework with GuardianEdge Hard Disk Encryption and GuardianEdge Removable Storage Encryption 3.0.

Trustwave Secure Web Gateway Security Target

Check Point Endpoint Security Media Encryption Security Target

Commercial Database Management System Protection Profile (C.DBMS PP)

Security Target for Citrix Presentation Server 4.0 For Windows

Security Target. Symantec TM Network Access Control Version Document Version February 14, 2013

Operating System Protection Profile. Common Criteria Protection Profile BSI-CC-PP-0067 Version 2.0

Intrusion Detection System System Protection Profile

Security Target. NetIQ Access Manager 4.0. Document Version August 7, Security Target: NetIQ Access Manager 4.0

MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN

Common Criteria Security Target For 1E Power and Patch Management Pack

Exchange Server 2003 Common Criteria Evaluation Security Target Exchange Server 2003 Team

Top Layer Networks. Security Target V2.3

Security Target: Symantec Endpoint Protection Version 11.0

Blue Coat Systems, Inc. ProxySG v running on SG510, SG810, and SG8100. Security Target

Forefront Identity Manager (FIM) 2010

How To Manage Security In A Network Security System (Tsi)

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

Common Criteria for Information Technology Security Evaluation. Part 2: Security functional requirements. August Version 2.

Supporting Document Guidance. Security Architecture requirements (ADV_ARC) for smart cards and similar devices. April Version 2.

BSI-PP for. Protection Profile Secure Signature-Creation Device Type 1, Version developed by

HP StoreOnce Backup System Generation 3 Version Security Target

COMMON CRITERIA PROTECTION PROFILE. for SECURE COMMUNICATION MODULE FOR WATER TRACKING SYSTEM (SCM-WTS PP)

isas Security Target Lite EWSE23EN

RSA, The Security Division of EMC envision platform v4.0 SP 1. Security Target

Cisco IronPort S-Series Web Security Appliance Security Target

Protection Profile Digital Tachograph Vehicle Unit (VU PP) Version 1.0 BSI-CC-PP

Cisco Catalyst Switches (3560-X and 3750-X) Security Target

SenSage, Inc. SenSage Security Target. Evaluation Assurance Level: EAL2+ Document Version: 1.2

BMC Real End User Experience Monitoring and Analytics 2.5. Security Target

Common Criteria for Information Technology Security Evaluation. Part 2: Security functional components. September Version 3.

Check Point Endpoint Security Full Disk Encryption Security Target

EXTOL epassport Suite v2.5 Security Target v2.0. ECSB/MyCC/JL/002 Common Criteria EAL1 Certification

Samsung SCX-5637FR/SCX-5639FR Control Software V

Trust Technology Assessment Program. Validation Report

Common Criteria Protection Profile for Inspection Systems (IS) BSI-CC-PP Version 1.01 (15 th April 2010)

COMMON CRITERIA PROTECTION PROFILE. for NEW GENERATION CASH REGISTER FISCAL APPLICATON SOFTWARE (NGCRFAS PP) TSE-CCCS/PP-002

Protection Profile for Portable Storage Media (PSMPP) Common Criteria Protection Profile BSI-CC-PP Version 1.0

CA CA, Inc. Identity Manager 12.5 Identity Manager r12.1 Security Target

BSI-PP for. Smart Card Security User Group Smart Card Protection Profile (SCSUG-SCPP) Version 3.0. developed by

Protection Profile Secure Signature-Creation Device Type 3

Cisco 800, 1900, 2900, 3900 Series Integrated Service Routers (ISR) Security Target

How To Understand The Toe

RSA, The Security Division of EMC RSA Access Manager v6.1. Security Target

Transcription:

Low Assurance Protection Profile for a VoIP Infrastructure Version 1.1 Date Author(s) Dirk-Jan Out Certification ID Sponsor File name No of pages 12 TNO-ITSEF BV VoIP Low Assurance Protection Profile 1.1 with 2005 Bundesamt fur Sicherheit in der Informationstechnik (BSI)

PP-VoIP Infrastructure-1.0 (Distribution) 2 of 12 Document information Date of issue Author(s) Dirk-Jan Out Version number report 1.1 Certification ID Scheme BSI Sponsor TNO-ITSEF BV Delftechpark 1 Sponsor address 2628 XJ Delft The Netherlands PP Evaluation Lab SRC Graurheindorferstrasse 149a PP Evaluation Lab address D-53117 Bonn Germany Project leader Rob Hunter Target of Evaluation (TOE) VoIP Infrastructure TOE reference name VoIP Infrastructure CC-EAL number 1 Classification Report title Low Assurance Protection Profile for a VoIP Infrastructure Report reference name PP-VoIP Infrastructure-1.1 Document history Version Date Comment 0.1 16-Jul-04 Initial version 0.2 12 Aug 04 Processed comments from Cisco and BSI 0.3 27 Aug 04 Processed further comments from Cisco and BSI 1.0 3-Sep-04 Processed SRC evaluation comments 1.1 14-Mar-05 Processed BSI evaluation comments

PP-VoIP Infrastructure-1.0 (Distribution) 3 of 12 1. PP Introduction 1.1 PP Reference This is the Low Assurance Protection Profile for a VoIP Infrastructure,1.1, TNO-ITSEF BV, 1.2 TOE overview The TOE is a VoIP (Voice over IP) infrastructure, as it is used in a typical office environment. The goal of this VoIP infrastructure is to provide telephone and services over an already available IP network thereby obviating the need for a separate telephone infrastructure and allowing the integration between telephony services and other services (e.g. agenda services). IP telephony enables calls to be made between IP telephone devices and between an IP telephone device and a traditional telephone on a PSTN (Publicly Switched Telephone Network). A typical 1 IP-network with a typical VoIP infrastructure is depicted below: WAN Gateway PSTN Gateway IP-network Other office equipment TOE Call Control Agent(s) IP Phones Voicemail 1 Note that this is just a schematic view and not indicative of size: the IP-network may range from one to a few thousand phones, PCs, servers and other pieces of equipment. Additionally, the IP-network may itself consist of multiple connected IP networks or the IP-network may consist of a single telephone connected to a router connected to a WAN.

PP-VoIP Infrastructure-1.0 (Distribution) 4 of 12 This picture shows the following elements: An IP-network: a network connecting all the other IP elements A number of IP telephone devices: This refers to any device that supports placing calls in an IP network. IP Telephone devices are included as well as applications installed on user systems with speakers and microphones. IP Telephone devices may offer so-called IP-phone services such as user directory lookups and Internet access for stock quotes; A Call Control Agent: a central entity that provides call control and configuration management for IP telephony devices. This device provides the core functionality to provide call setup, and route calls throughout the network to other voice devices including voice gateways and voice-mail systems Voicemail system: provides IP-based voice-mail storage and services such as user directory lookup and call forwarding. PSTN gateway: A gateway between the IP-network and a PSTN providing access to legacy voice systems WAN gateway: A gateway between the IP-network and a IP-based WAN. Other office IT equipment (printers, servers, computers etc.) that are connected to the IP-network. The TOE consists of the Call Control Agent, the Voice Mail system and the IP Telephone devices 2. All other depicted elements are not part of the TOE. The TOE offers the following functionality: Making telephone calls from/to other telephones in the TOE Making telephone calls from/to other telephones not in the TOE Able to restrict calls to certain numbers and to change these restrictions Logging connection information of phone calls Storage and secure retrieval of voice mail The TOE requires a connection to an IP-based network 3 to function. It does not require further non-toe hardware/firmware/software. 2 Other configurations are allowed (e.g having the Voice Mail system integrated with the Call Control Agent). 3 See footnote 1 for an explanation of the term IP-Network in this PP.

PP-VoIP Infrastructure-1.0 (Distribution) 5 of 12 2. Conformance claims 2.1 Conformance claim This Protection Profile: claims conformance to CC version 2.4 release 256 and v2.4draft Interpretation 4 #1-#17 is CC Part 2 conformant and CC Part 3 conformant. does not claim conformance to any other PP. is EAL 1 conformant 2.2 Conformance claim rationale PP-related conformance claim rationale This PP does not claim conformance to another PP, so there is no rationale related to this. Package-related conformance claim rationale This PP is EAL1 conformant. The EAL1 package contains no uncompleted operations. As no SARs were added to EAL1, the SARs in this PP are consistent with EAL1. 2.3 Conformance statement Security targets or other PPs wishing to claim conformance to this PP can do so as strict-pp-conformance. Demonstrable-PP-conformance is not allowed for this PP. 4 V2.4 Draft Interpretation #n are interpretations that are made during the v2.4 Trial Period. They address problems with CC v2.4 as they occur.

PP-VoIP Infrastructure-1.0 (Distribution) 6 of 12 3. Definition of terms 3.1 Definition of subjects, information and operations This section is added to define the terms that are used in the Security Objectives of the Operational Environment and SFRs. 3.2 Subjects S.USER S.ADMIN S.PHONE S.IN_PHONE S.OUT_PHONE A human that uses S.IN_PHONE A human that administers the TOE S.IN_PHONE or S.OUT_PHONE A VoIP telephone that is part of the TOE Attribute: telephone_number A phone (VoIP or otherwise) that is not part of the TOE Attribute: telephone_number 3.3 Operations The operations that are performed by the TOE are: R.CONNECT R.GET_VMAIL R.DEL_VMAIL S.PHONE connecting to another S.PHONE S.USER retrieving voicemail from the TOE S.USER deleting voicemail from the TOE 3.4 Objects D.ALLOWLIST TSF data: a relation representing the allowed connections between devices

PP-VoIP Infrastructure-1.0 (Distribution) 7 of 12 4. Security Objectives for the Operational Environment The operational environment of the TOE shall conform to the following objectives: OE.PHONE_LOCATION The operational environment of the VoIP phones shall be a general office-type environment: physical access is restricted to office personnel, visitors and the like. OE.AGENT_LOCATION The operational environment of the Call Control Agent and the Voice Mail System shall be a general server room environment: physical access will be restricted to authorised administrative personnel. OE.NETWORK The Operational Environment shall contain an IPnetwork 5. OE.NW_FEATURES If required 6, the IP-Network shall ensure that: VoIP traffic will not be able to monopolise the IP- Network to the point that other network traffic is hindered; Other network traffic will not be able to monopolise the IP-Network to the point that VoIP traffic is hindered; VoIP traffic will not be able to connect to some (or all) office equipment 5 See footnote 1 for an explanation of the term IP-Network in this PP. 6 This objective is of an optional nature. It has been included to: 1) assist ST authors in formulating their security objectives for the operational environment 2) ensure that it is clear that if this functionality is required, it should be provided by the network and not by the TOE.

PP-VoIP Infrastructure-1.0 (Distribution) 8 of 12 5. Security Requirements 5.1 Extended components definition As this PP does not contain extended security requirements, there are no extended components. 5.2 SFRs Application Note: This PP only models telephony and voice mail. If a given VoIP solution allows other services than these two, it is the intention that this is modelled through the addition of other operations and ACC/ACF/MSA/MTD requirements. The SFRs are grouped for easy understanding: Restricting access to certain telephone numbers Storing and retrieving voicemail Managing telephones Identifying users Logging and auditing Self-protection

PP-VoIP Infrastructure-1.0 (Distribution) 9 of 12 5.2.1 Restricting access to certain telephone numbers Informal Explanation (informative) For each VoIP phone there is a list of forbidden numbers (e.g. 1-900 numbers, international numbers )which they cannot call. This list may be empty. A VoIP phone cannot call numbers on this list Only the admin may change this list FDP_ACC.1 Subset access control FDP_ACC.1.1 The TSF shall enforce the Connect_Policy 7 on [[S.PHONE, D.ALLOW_LIST, R.CONNECT]. FDP_ACF.1 Security attribute based access control 8 FDP_ACF.1.1 The TSF shall enforce the ConnectPolicy to objects based on the following: [S.PHONE/telephone_number, D.ALLOW_LIST] FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: S.IN_PHONE may R.CONNECT to S.PHONE if: [S.IN_PHONE/telephone_number, S.PHONE/telephone_number] is in D.ALLOW_LIST; Application Note: The word ALLOW_LIST does not mean that only white-list approaches are allowed. Both implementations based on Deny all except what is listed and Allow all except what is specifically listed are acceptable. FMT_MTD.1 Management of TSF data FMT_MTD.1.1 The TSF shall restrict the ability to modify the D.ALLOW_LIST to S.ADMIN. 7 The SFP Connect_Policy is defined by FDP_ACC.1, FDP_ACF.1 and FMT_MSA.1 and supported by all other SFRs. 8 The third and fourth element were completed with None and subsequently refined away.

PP-VoIP Infrastructure-1.0 (Distribution) 10 of 12 5.2.2 Voice mail Informal Explanation (informative) Users have to authenticate themselves to be able to retrieve and/or delete their voicemail Unless explicitly specified otherwise, they can do other actions without authenticating themselves FIA_UAU.1 Timing of authentication FIA_UAU.1.1 The TSF shall allow all actions except R.GET_VMAIL, R.DEL_VMAIL, [assignment: other actions] on behalf of S.USER to be performed before S.USER is authenticated. FIA_UAU.1.2 The TSF shall require S.USER to be successfully authenticated before allowing any other TSF-mediated actions on behalf of S.USER. 5.2.3 Managing telephones Informal Explanation (informative) Only the administrator can change the telephone number of a VoIP telephone The SFR is limited to S.IN_PHONE: the TOE can change only telephone numbers of telephones that are part of the TOE. FMT_MSA.1 Management of security attributes FMT_MSA.1.1 The TSF shall enforce the ConnectPolicy to restrict the ability to modify the security attributes S.IN_PHONE/ telephone_number to S.ADMIN. FIA_UAU.2 User authentication before any action FIA_UAU.12.12 The TSF shall require S.ADMIN to be successfully authenticated before allowing any other actions related to the other SFRs on behalf of S.ADMIN.

PP-VoIP Infrastructure-1.0 (Distribution) 11 of 12 5.2.4 Identifying users FMT_SMR.1 Security roles FMT_SMR.1.1 The TSF shall maintain the roles S.USER S.ADMIN FMT_SMR.1.2 The TSF shall be able to associate users with roles FIA_UID.2 User identification before any action FIA_UID.2.1 The TSF shall require each user to identify itself before allowing any other TSF-mediated actions on behalf of that user. Application Note: A possible method for identification may be the part of the TOE with which users interact. S.USER will interact with S.PHONE while S.ADMIN will interact with the Call Control Agent. 5.2.5 Logging and auditing FAU_GEN.1 Audit data generation FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events: a) Start-up and shutdown of the audit functions; b) All auditable events for the not specified level of audit; and c) [Registration of a new S.IN_PHONE, [assignment: details of calls made by S.IN_PHONE], modification of the configuration of S.IN_PHONE, failed authentication events, [assignment: other specifically defined auditable events]]. FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event; and b) For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [assignment: other audit relevant information] Application Note: This PP does not prescribe what is actually done with the generated audit data. The ST author should add FAU_SAR, FAU_SAA and/or FAU_ARP requirements where necessary to describe his specific solution.

PP-VoIP Infrastructure-1.0 (Distribution) 12 of 12 5.2.6 Self-protection Informal Explanation (informative) It is not possible to logically modify the TOE such that it no longer meets the other requirements FPT_SEP.1 TSF domain separation FPT_SEP.1.1 The TSF shall maintain a security domain for its own execution that protects it from interference and tampering by untrusted subjects. FPT_SEP.1.2 The TSF shall enforce separation between the security domains of subjects in the TSC. 5.3 SARs The SARs for this PP are the package EAL 1 with one refinement in AGD_USR.1.3: AGD_USR.1.3C The user guidance shall contain warnings about user-accessible functions and privileges that should be controlled in a secure processing environment. This shall include any and all means in which S.IN_PHONE can be used to eavesdrop on S.USER by e.g.: The microphone being on A call being turned into a conference call

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information