Korean National Protection Profile for Voice over IP Firewall V1.0 Certification Report



Similar documents
Certification Report - Firewall Protection Profile and Firewall Protection Profile Extended Package: NAT

Certification Report

SAMSUNG SDS FIDO Server Solution V1.1 Certification Report

Certification Report

Certification Report

Certification Report

Certification Report

Certification Report

Certification Report

How To Evaluate Watchguard And Fireware V11.5.1

Certification Report

Certification Report

Certification Report

Certification Report

Certification Report

Trust Technology Assessment Program. Validation Report

Cryptographic Modules, Security Level Enhanced. Endorsed by the Bundesamt für Sicherheit in der Informationstechnik

Certification Report

EPASSPORT WITH BASIC ACCESS CONTROL AND ACTIVE AUTHENTICATION

Certification Report

C015 Certification Report

Certification Report

Certification Report StoneGate FW/VPN 5.2.5

Certification Report

C033 Certification Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

Certification Report

Security Target. Astaro Security Gateway V8 Packet Filter Version Assurance Level EAL4+ Common Criteria v3.1

Certification Report

Common Criteria Security Target For XenApp 6.0 for Windows Server 2008 R2 Platinum Edition

MINISTERIO DE DEFENSA CENTRO NACIONAL DE INTELIGENCIA CENTRO CRIPTOLÓGICO NACIONAL ORGANISMO DE CERTIFICACIÓN

Citrix NetScaler Platinum Edition Load Balancer Version 10.5 running on MPX 9700-FIPS, MPX FIPS, MPX FIPS, MPX FIPS appliances

Oracle Business Intelligence Enterprise Edition (OBIEE) Version with Quick Fix running on Oracle Enterprise Linux 4 update 5 x86_64

Security Standards BS7799 and ISO17799

Certification Report

Protection Profile for Portable Storage Media (PSMPP) Common Criteria Protection Profile BSI-CC-PP Version 1.0

National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme

Network Device Collaborative Protection Profile (NDcPP) Extended Package Session Border Controller. July 24, 2015 Version 1

Certification Report

Supporting Document Mandatory Technical Document. Evaluation Activities for Stateful Traffic Filter Firewalls cpp. February Version 1.

National Information Assurance Partnership

Protection Profile for UK Dual-Interface Authentication Card

CERTIFICATION REPORT

Certification Report

Certification Report on REDOWL SecuOS V4.0 for RHEL4 of TSonNet Co., Ltd.

McAfee Web Gateway Version EAL 2 + ALC_FLR.2 Security Target

McAfee Web Gateway Version EAL 2 + ALC_FLR.2 Security Target

Smart Card Open Platform Protection Profile V2.1 Certification Report

TIBCO ActiveMatrix BusinessWorks TM. Release 5.8

Certification Report

Courtesy Translation

Firewall Protection Profile V

BSI-DSZ-CC-S for. Dream Chip Technologies GmbH Germany. Dream Chip Technologies GmbH

BSI-DSZ-CC-S for. GLOBALFOUNDRIES Singapore Pte. Ltd. GLOBALFOUNDRIES Singapore Pte. Ltd.

Korea IT Security Evaluation and Certification Scheme

CERTIFICATION REPORT No. CRP253

Oracle Identity and Access Management 10g Release running on Red Hat Enterprise Linux AS Release 4 Update 5

Citrix NetScaler Platinum Edition Load Balancer

Extended Package for Mobile Device Management Agents

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

C038 Certification Report

Securing VoIP Networks using graded Protection Levels

C013 Certification Report

Ingate Firewall/SIParator SIP Security for the Enterprise

Validation Report. McAfee, Inc.

Low Assurance Protection Profile for a VoIP Infrastructure

Firewall Protection Profile

Citrix Password Manager, Enterprise Edition Version 4.5

Common Criteria for Information Technology Security Evaluation Protection Profile. General-Purpose Operating System Protection Profile

Voltage Security, Inc. Palo Alto, CA

Certification Report

Low Assurance Security Target for a Cisco VoIP Telephony System

- Table of Contents -

U.S. Government Protection Profile for Application-level Firewall In Basic Robustness Environments

AppGate Security Server, Version Security Target. Document Version: 2.9 Date:

Certification Report

Protection Profile for the Security Module of a Smart Meter Gateway (Security Module PP)

Transcription:

KECS-CR-16-36 Korean National Protection Profile for Voice over IP Firewall V1.0 Certification Report Certification No.: KECS-PP-0717-2016 2016. 6. 10 IT Security Certification Center

History of Creation and Revision No. Date Revised Pages 00 2016.06.10 - Description Certification report for Korean National Protection Profile for Voice over IP Firewall V1.0 - First documentation Certification Report Page 2

This document is the certification report for Korean National Protection Profile for Voice over IP Firewall V1.0 of Korea Internet & Security Agency (KISA) and Korea Security Evaluation Laboratory (KSEL). The Certification Body IT Security Certification Center (ITSCC) The Evaluation Facility Korea System (KOSYAS) Certification Report Page 3

Table of Contents Certification Report... 1 1. Executive Summary... 5 2. Identification... 6 3. Security Policy... 7 4. Assumptions and Clarification of Scope... 8 5. Results of the Evaluation... 8 5.1 Protection Profile Evaluation (APE)... 9 5.2 Evaluation Result Summary... 9 6. Recommendations... 10 7. Acronyms and Glossary... 10 8. Bibliography... 11 Certification Report Page 4

1. Executive Summary This report describes the certification result drawn by the certification body on the results of the APE evaluation of Korean National Protection Profile for Voice over IP Firewall V1.0 ( PP hereinafter) [1] with reference to the Common Criteria for Information Technology Security Evaluation ( CC hereinafter) [2]. It describes the evaluation result and its soundness and conformity. The authors of the PP [1] are Korea Internet & Security Agency (KISA) and Korea Security Evaluation Laboratory (KSEL). The Target of Evaluation (TOE) in the PP [1] is the Voice over IP ( VoIP hereinafter) firewall that protects internal assets from attackers by monitoring VoIP traffic via VoIP network, and denying or allowing the traffic in accordance with predetermined rules. The TOE protects the VoIP network from various types of attacks related to the VoIP by providing followings: VoIP traffic control, which is flowing into the protected VoIP network; abnormal message detection and blocking; and VoIP spam and session initiation protocol (SIP) / real-time transport protocol (RTP) flooding attack detection and blocking. Also, the TOE shall provide a variety of security features: security audit, the administrator identification and authentication, security management, the TOE access session management, and the TSF protection function, etc.. In addition, the TOE shall provide cryptographic support functions including the cryptographic key generation and destruction, and cryptographic operation, and the trusted path/channel function to provide the secure communications between the TOE and the administrator who accesses for management to it. These TOE Security Functional Requirements (SFRs) are outlined in the PP [1]. The evaluation of the PP [1] has been carried out by Korea System (KOSYAS) and completed on May 30, 2016. This report grounds on the evaluation technical report (ETR) KOSYAS had submitted [6]. The evaluation of the PP [1] was performed in accordance with the APE (Protection Profile Evaluation) requirements in CC Part 3 and the Common Methodology for Information Technology Security Evaluation ( CEM hereinafter) [3]. The PP [1] does not claim conformance to any other Protection Profile. All Security Requirements (SARs) in the PP [1] are based only upon assurance component in CC Part 3, and the assurance package is EAL1 augmented by ATE_FUN.1. Therefore the PP [1] is CC Part 3 conformant. The Security Functional Requirements (SFRs) are based upon both functional components in CC Part 2 and newly defined components in the Extended component definition chapter of the PP [1]. Certification Report Page 5

Therefore the PP [1] is CC Part 2 extended. The PP [1] requires strict conformance. The operational environment of the VoIP firewall is as shown in [Figure 1]. [Figure 1] Operational environment of Voice over IP Firewall Certification Validity: The certificate is not an endorsement of the Protection Profile by ITSCC or by any other organization that recognizes or gives effect to this certificate, and no warranty of the Protection Profile by ITSCC or by any other organization recognizes or gives effect to the certificate, is either expressed or implied. 2. Identification [Table 1] summarizes identification information for scheme, developer, sponsor, evaluation facility, certification body, etc.. Certification Report Page 6

Scheme Korea Evaluation and Certification Guidelines for IT Security (August 8, 2013) Korea Evaluation and Certification Scheme for IT Security (November 1, 2012) Name and Version of the Certified Protection Profile Korean National Protection Profile for Voice over IP Firewall V1.0 Common Criteria Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4, CCMB-2012-09-001 ~ CCMB-2012-09-003, September 2012 Common Methodology Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4, CCMB-2012-09-004, September 2012 EAL EAL1+ (augmented by ATE_FUN.1) Developer Korea Internet & Security Agency (KISA) Korea Security Evaluation Laboratory (KSEL) Sponsor Korea Internet & Security Agency (KISA) Evaluation Facility Korea System (KOSYAS) Completion Date of Evaluation May 30, 2016 Certification No. KECS-PP-0717-2016 Certification Body IT Security Certification Center (ITSCC) [Table 1] Identification information 3. Security Policy The PP [1] has reduced content of a low assurance PP, thus the PP [1] does not have any explicit security problem definition (i.e., threats, organisational security policies, and/or assumptions) and security objectives for the TOE. The TOE defined in the PP [1] provides following security features in accordance with the SFRs: VoIP firewall policy, detects and blocks attacks such as denial of service, misuse of service, call hijacking, VoIP spam, etc. with respect to the VoIP. Also, it is required to address encrypted VoIP traffics. Identification and authentication of the authorized administrator, identifies Certification Report Page 7

uniquely and authenticates a user as the authorized administrator who accesses to the TOE for management. To support this, the authorized administrator manages password in accordance with the rules defined. Session control, controls and manages the TOE s sessions with the authorized administrator based on the attributes such as administrator s IP address, so that TSF data transmitted through the session is protected from disclosure and modification. Security management, provides secure means to manage the TSF and the TSF data only to the authorized administrator. Security audit, records and maintains information related to security relevant activities, and provides means to review audit records. Also, it is required to take actions in case of possible audit data loss. Self-protection, tests the correct operation of the underlying hardware and TSF and provides testing results to the authorized administrator. Data protection, protects the transmitted and stored data from unauthorized disclosure or modification. Secure cryptography, supports cryptographic key management and cryptographic operation for encrypted VoIP traffics and secure management access, etc.. 4. Assumptions and Clarification of Scope The PP [1] has reduced content of a low assurance PP, thus the PP [1] does not have any explicit assumptions. The TOE defined in the PP [1] is the appliance VoIP firewall. 5. Results of the Evaluation The PP [1] claims EAL1+ (ATE_FUN.1), thus has reduced content of a low assurance PP. However, the developer, the sponsor, the evaluator, and the certifier agreed to evaluate and certify the PP [1] based on the APE requirements for the PP with full contents to demonstrate the PP [1] is sound and internally consistent. The certified and published PP [1] has been reduced from the PP with full contents in accordance with the CC [2]. The evaluation facility provided the evaluation result in the ETR [6] which references a Certification Report Page 8

Work Package Report for APE requirements and Observation Reports. The evaluation result was based on the CC [2] and CEM [3]. As a result of the evaluation, the verdict PASS is assigned to all assurance components of APE. 5.1 Protection Profile Evaluation (APE) The PP Introduction correctly identifies the PP, and the PP reference and the TOE overview are consistent with each other. Therefore the verdict PASS is assigned to APE_INT.1. The Conformance Claim properly describes how the PP conforms to the CC and packages. Therefore the verdict PASS is assigned to APE_CCL.1. The Security Problem Definition from the PP with full contents clearly defines the security problem intended to be addressed by the TOE and its operational environment. Therefore the verdict PASS is assigned to APE_SPD.1. The Security Objectives from the PP with full contents adequately and completely address the security problem definition and the division of this problem between the TOE and its operational environment is clearly defined. Therefore the verdict PASS is assigned to APE_OBJ.2. The Extended Components Definition has been clearly and unambiguously defined, and it is necessary. Therefore the verdict PASS is assigned to APE_ECD.1. The Security Requirements is defined clearly and unambiguously, and it is internally consistent and the SFRs meet the security objectives of the TOE from the PP with full contents. Therefore the verdict PASS is assigned to APE_REQ.2. Thus, the PP is sound and internally consistent, and suitable to be used as the basis for writing and ST or another PP. The verdict PASS is assigned to the assurance class APE. 5.2 Evaluation Result Summary Class Component Evaluator Action Elements Evaluator Action Elements Verdict Component Class APE APE_INT.1 APE_INT.1.1E PASS PASS PASS Certification Report Page 9

Class Component Evaluator Action Elements Evaluator Action Elements Verdict Component Class APE_CCL.1 APE_CCL.1.1E PASS PASS APE_SPD.1 APE_SPD.1.1E PASS PASS APE_OBJ.2 APE_OBJ.2.1E PASS PASS APE_ECD.1 APE_ECD.1.1E PASS PASS APE_ECD.1.2E PASS APE_REQ.2 APE_REQ.2.1E PASS PASS [Table 2] Evaluation Result Summary 6. Recommendations The PP [1] defines the minimum security requirements for VoIP firewall, and requires an ST or another PP claiming this PP [1] to fulfill the CC requirements for strict conformance. Thus, if the TOE defined in the ST which claims conformance to the PP [1] implements additional security features, then it is strongly recommended the ST author to define additional security requirements in accordance with the TOE implementation. 7. Acronyms and Glossary CC EAL ETR IP PP RTP SAR SFR SIP Common Criteria Evaluation Level Evaluation Technical Report Internet Protocol Protection Profile Real-time Transport Protocol Security Requirement Security Functional Requirement Session Initiation Protocol Certification Report Page 10

ST TOE TSF VoIP Security Target Target of Evaluation TOE Security Functionality Voice over IP 8. Bibliography The certification body has used following documents to produce this report. [1] Korean National Protection Profile for Voice over IP Firewall V1.0 [2] Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4, CCMB-2012-09-001 ~ CCMB-2012-09-003, September 2012 - Part 1: Introduction and general model - Part 2: Security functional components - Part 3: Security assurance components [3] Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4, CCMB-2012-09-004, September 2012 [4] Korea Evaluation and Certification Guidelines for IT Security (August 8, 2013) [5] Korea Evaluation and Certification Scheme for IT Security (November 1, 2012) [6] KOSYAS-2015-29 Korean National Protection Profile for Voice over IP Firewall V1.0 Evaluation Technical Report V4.00, May 30, 2016 Certification Report Page 11

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information