DoD ANNEX TO THE COLLABORATIVE PROTECTION PROFILE (cpp) FOR STATEFUL TRAFFIC FILTER FIREWALLS V1.0. Version 1, Release 2.



Similar documents
DoD ANNEX FOR MOBILE DEVICE MANAGEMENT (MDM) PROTECTION PROFILE Version 1, Release February 2014

Supporting Document Mandatory Technical Document. Evaluation Activities for Stateful Traffic Filter Firewalls cpp. February Version 1.

ICSA Labs Network Protection Devices Test Specification Version 1.3

Network Device Collaborative Protection Profile (NDcPP) Extended Package Session Border Controller. July 24, 2015 Version 1

RED HAT ENTERPRISE LINUX 6 SECURITY TECHNICAL IMPLEMENTATION GUIDE (STIG) OVERVIEW. Version 1, Release July 2015

U.S. Government Protection Profile for Application-level Firewall In Basic Robustness Environments

ITL BULLETIN FOR JANUARY 2011

Firewall Protection Profile

UNCLASSIFIED. Trademark Information

Executive Summary and Purpose

SonicWALL PCI 1.1 Implementation Guide

CMS Operational Policy for Firewall Administration

Firewall Defaults, Public Server Rule, and Secondary WAN IP Address

Protocol Security Where?

IPv6 SECURITY. May The Government of the Hong Kong Special Administrative Region

Guide to Network Defense and Countermeasures Third Edition. Chapter 2 TCP/IP

Introduction to IP v6

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

IPv6 Fundamentals: A Straightforward Approach

CSCI 454/554 Computer and Network Security. Topic 8.1 IPsec

Security Technology: Firewalls and VPNs

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO TABLE OF CONTENTS

TECHNICAL NOTE 01/2006 ENGRESS AND INGRESS FILTERING

Security in IPv6. Basic Security Requirements and Techniques. Confidentiality. Integrity

TECHNICAL NOTE 01/02 PROTECTING YOUR COMPUTER NETWORK

Federal Computer Incident Response Center (FedCIRC) Defense Tactics for Distributed Denial of Service Attacks

Firewalls und IPv6 worauf Sie achten müssen!

SECURITY ADVISORY FROM PATTON ELECTRONICS

Vanguard Applications Ware IP and LAN Feature Protocols. Firewall

z/os V1R11 Communications Server system management and monitoring

NETWORK SECURITY (W/LAB) Course Syllabus

Security Technology White Paper

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Computer Networks. Introduc)on to Naming, Addressing, and Rou)ng. Week 09. College of Information Science and Engineering Ritsumeikan University

Network Device Protection Profile (NDPP) Extended Package (EP) for Intrusion Prevention Systems (IPS) 26 June 2014 Version 1.0

Department of Defense INSTRUCTION

Firewall. Vyatta System. REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall VYATTA, INC.

OLD VULNERABILITIES IN NEW PROTOCOLS? HEADACHES ABOUT IPV6 FRAGMENTS

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

How To Secure A Voice Over Internet Protocol (Voip) From A Cyber Attack

Chapter 4 Firewall Protection and Content Filtering

About Firewall Protection

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Installation and configuration guide

Firewall. Vyatta System. REFERENCE GUIDE IPv4 Firewall IPv6 Firewall Zone Based Firewall VYATTA, INC.

20-CS X Network Security Spring, An Introduction To. Network Security. Week 1. January 7

Firewall Defaults and Some Basic Rules

REPORT ON AUDIT OF LOCAL AREA NETWORK OF C-STAR LAB

Tomás P. de Miguel DIT-UPM. dit UPM

Firewall. User Manual

21.4 Network Address Translation (NAT) NAT concept

Plain English Guide To Common Criteria Requirements In The. Field Device Protection Profile Version 0.75

How To Secure An Rsa Authentication Agent

Virtual private network. Network security protocols VPN VPN. Instead of a dedicated data link Packets securely sent over a shared network Internet VPN

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

FISMA / NIST REVISION 3 COMPLIANCE

Firewalls. Chapter 3

FIREWALLS & CBAC. philip.heimer@hh.se

How To Evaluate Watchguard And Fireware V11.5.1

Securing IP Networks with Implementation of IPv6

Network Security. Chapter 3. Cornelius Diekmann. Version: October 21, Lehrstuhl für Netzarchitekturen und Netzdienste Institut für Informatik

Sitefinity Security and Best Practices

Certification Report

Security Considerations for Intrinsic Monitoring within IPv6 Networks: Work in Progress

Strategies to Protect Against Distributed Denial of Service (DD

State of New Mexico Statewide Architectural Configuration Requirements. Title: Network Security Standard S-STD Effective Date: April 7, 2005

Certification Report - Firewall Protection Profile and Firewall Protection Profile Extended Package: NAT

Creating a VPN with overlapping subnets

Firewall REFERENCE GUIDE. VYATTA, INC. Vyatta System. IPv4 Firewall IPv6 Firewall Zone-Based Firewall. Title

Implementing Secure Converged Wide Area Networks (ISCW)

Chapter 11 Cloud Application Development

MPLS Layer 3 and Layer 2 VPNs over an IP only Core. Rahul Aggarwal Juniper Networks. rahul@juniper.net

collaborative Protection Profile for Network Devices

INTERNET SECURITY: FIREWALLS AND BEYOND. Mehernosh H. Amroli

Internet Firewall CSIS Internet Firewall. Spring 2012 CSIS net13 1. Firewalls. Stateless Packet Filtering

Traffic monitoring with sflow and ProCurve Manager Plus

Wasting Money on the Tools? Automating the Most Critical Security Controls. Mason Brown Director, The SANS Institute

IPv6 Hardening Guide for Windows Servers

The server will respond to the client with a list of instances. One such attack was analyzed by an information security researcher in January 2015.

10 Configuring Packet Filtering and Routing Rules

Reference Guide for Security in Networks

Consensus Policy Resource Community. Lab Security Policy

OLD DOMINION UNIVERSITY Router-Switch Best Practices. (last updated : )

Government of Canada Managed Security Service (GCMSS) Annex A-1: Statement of Work - Firewall

Firewalls. Network Security. Firewalls Defined. Firewalls

This Technical Support Note shows the different options available in the Firewall menu of the ADTRAN OS Web GUI.

Guide to DDoS Attacks December 2014 Authored by: Lee Myers, SOC Analyst

NETWORK ACCESS CONTROL AND CLOUD SECURITY. Tran Song Dat Phuc SeoulTech 2015

Firewall Design Principles

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

IPv6 Security Best Practices. Eric Vyncke Distinguished System Engineer

Application Notes for Configuring a SonicWALL VPN with an Avaya IP Telephony Infrastructure - Issue 1.0

IPv6 Security. Scott Hogg, CCIE No Eric Vyncke. Cisco Press. Cisco Press 800 East 96th Street Indianapolis, IN USA

Security Target. Astaro Security Gateway V8 Packet Filter Version Assurance Level EAL4+ Common Criteria v3.1

Best Practices for PCI DSS V3.0 Network Security Compliance

BAE Systems PCI Essentail. PCI Requirements Coverage Summary Table

Transcription:

DoD ANNEX TO THE COLLABORATIVE PROTECTION PROFILE (cpp) FOR STATEFUL TRAFFIC FILTER FIREWALLS V1.0 Version 1, Release 2 24 April 2015 Developed by for the DoD

24 April 2015 Developed by for the DoD Trademark Information Names, products, and services referenced within this document may be the trade names, trademarks, or service marks of their respective owners. References to commercial vendors and their products or services are provided strictly as a convenience to our users, and do not constitute or imply endorsement by of any non-federal entity, event, product, service, or enterprise. ii

24 April 2015 Developed by for the DoD TABLE OF CONTENTS Page 1. INTRODUCTION...1 1.1 Background...1 1.2 Scope...1 1.3 Relationship to Security Technical Implementation Guides (STIGs)...1 1.4 Document Revisions...2 2. DOD-MANDATED SECURITY TARGET CONTENT...3 2.1 DoD-Mandated Selections and Assignments...3 2.2 DoD-Mandated Selection-Based, Optional, and Objective Functions...4 3. OTHER DOD MANDATES...6 3.1 Federal Information Processing Standard (FIPS) 140-2...6 3.2 Federal Information Processing Standard (FIPS) 201-2...6 3.3 Security State in Failure...6 3.4 DoD-Mandated Configuration...6 iii

24 April 2015 Developed by for the DoD LIST OF TABLES Page Table 2-1: cpp SFR Selections... 3 Table 2-2: cpp Selections and Assignments for Optional SFRs... 5 Table 3-1: Configuration Values... 6 iv

24 April 2015 Developed by for the DoD 1. INTRODUCTION 1.1 Background This Annex to the collaborative Protection Profile (cpp) for Stateful Traffic Filter Firewalls (Version 1.0, dated 27 February 2015) delineates collaborative Protection Profile content that must be included in the Security Target (ST) for the Target of Evaluation (TOE) to be fully compliant with DoD cybersecurity policies pertaining to information systems. This content includes DoD-mandated cpp selections and assignments, and cpp security functional requirements (SFRs) listed as objective in the cpp but which are mandated in DoD. Deficiencies of the TOE with respect to the DoD Annex will be reported as appropriate under the Risk Management Framework for DoD Information Technology (DoD Instruction 8510.01). DoD may determine that a TOE that does not conform to this Annex may pose an unacceptable risk to DoD. Accordingly, any vendor seeking authorization for use of its product within DoD should include the additional cpp specificity described in this Annex in its ST. The Firewall cpp, in conjunction with this Annex, addresses the DoD-required cybersecurity controls in National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53. Taken together, they supersede the DoD Firewall Security Requirements Guide. 1.2 Scope The additional information in this document is applicable to all DoD-administered systems and all systems connected to DoD networks. 1.3 Relationship to Security Technical Implementation Guides (STIGs) A successful Common Criteria evaluation certifies the capabilities of the TOE but does not assure its subsequent secure operation. To address security concerns with the ongoing operation of the TOE in the field, a product-specific STIG is prepared in conjunction with the Common Criteria evaluation. The STIG lists the configuration requirements for DoD implementations of the TOE and is published in extensible Configuration Checklist Description Format (XCCDF) to facilitate automation where feasible. This Annex contains the required DoD configuration of features implementing the security management (FMT) class of SFRs listed in the Firewall cpp. For each applicable FMT SFR, the STIG will discuss the vulnerability associated with non-compliance configuration and provide step-by-step, product-specific procedures for checking for compliant configurations and fixing non-compliant configurations. In most cases, the ST will not cover all security-relevant configurable parameters available in the TOE. However, the STIG will include these whenever they impact the security posture of DoD information systems and networks. Accordingly, the DoD Annex only addresses a subset of the controls expected to be included in a STIG. 1

06 March 2015 Developed by for the DoD 1.4 Document Revisions Comments or proposed revisions to this document should be sent via email to disa.stig_spt@mail.mil. 2

24 April 2015 Developed by for the DoD 2. DOD-MANDATED SECURITY TARGET CONTENT The following conventions are used to describe DoD-mandated ST content: If a cpp SFR is not listed, there is no DoD-mandated selection or assignment for that SFR. For cpp selections: ο The presence of the selection indicates this is a DoD-mandated selection. ο If a selection is not listed, then its inclusion or exclusion does not impact DoD compliance. ο Underlined text indicates a selection. ο Italicized and underlined text indicates an assignment within a selection. ο Strikethrough text indicates that the ST author must exclude the selection. For cpp assignments: ο The DoD-mandated assignments are listed after the assignment parameter. ο If an assignment value appears in strikethrough text, this indicates that the assignment must not include this value. ο Italicized text indicates an assignment. The Annex provides the minimum text necessary to disambiguate selections and assignments. Readers will need to view both the Firewall cpp and the DoD Annex simultaneously to place the Annex information in context. 2.1 DoD-Mandated Selections and Assignments DoD mandates the following cpp SFR selections and assignments for SFRs in Section 5 of the cpp: SFR FMT_MTD.1.1 FAU_STG_EXT.1.3 FFW_RUL_EXT.1.2 FFW_RUL_EXT.1.6 Table 2-1: cpp SFR Selections Selections, Assignments, and Application Notes Application note: This includes audit data and any tools used to generate reports using audit data. overwrite previous audit records according to the following rule: rule for overwriting previous audit records = overwrite oldest records first Application note: The term full is defined as 75 percent of capacity in the context of a DoD implementation. IPv6 Extension header type [assignment: Next Header, Hdr Ext Len, Header Specific Data, Option Type, Opt Data Len, Option Data, Routing Type] Application note to a): an invalid fragment includes any improper use of fragment offsets, such as what might be used in a ping of death attack. h) other default rules enforced by the TOE = 3

06 March 2015 Developed by for the DoD SFR Selections, Assignments, and Application Notes - block both inbound and outbound IPv6 Site Local Unicast addresses (FEC0::/10) - block IPv6 Jumbo Payload datagrams (Option Type 194). - drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with option type values intended for Destination Options - block RFC 6598 "Carrier Grade NAT" IP address block of 100.64.0.0/10 - drop all inbound IPv6 packets for which the layer 4 protocol and ports (undetermined transport) cannot be located. - drop all inbound IPv6 packets with a Type 0 Routing header - drop all inbound IPv6 packets with a Type 1 or Types 3 through 255 Routing Header. - drop all inbound IPv6 packets containing undefined header extensions/protocol values. - drop fragmented IPv6 packets when any fragment overlaps another. drop all inbound IPv6 packets containing more than one Fragmentation Header within an IP header chain. - drop all inbound and outbound IPv6 packets containing a Hop-by-Hop header with option type values intended for Destination Options. - block IPv6 multicast addresses (FF00::/8) as a source address. 2.2 DoD-Mandated Selection-Based, Optional, and Objective Functions The following Security Functional Requirements (and associated selections and assignments) listed as objective in the cpp are mandated for the DoD: FAU_STG.1.1 FAU_STG.1.2 FAU_STG_EXT.3.1 FMT_MOF.1.1(1)/Audit FMT_MOF.1.1(2)/Audit FMT_MOF.1.1(1)/AdminAct FMT_MOF.1.1(2)/AdminAct FMT_MOF.1.1/LocSpace FMT_MTD.1.1/AdminAct FPT_FLS.1.1/LocSpace FCS_IPSEC_EXT.1.3 FMT_MOF.1.1(2)/TrustedUpdate FIA_PMG_EXT.1.1 FIA_X509_EXT.2.1 FIA_X509_EXT.2.2 FPT_TST_EXT.1.1 FPT_TUD_EXT.1.2 FPT_TUD_EXT.2.2 4

24 April 2015 Developed by for the DoD Application note: All should statements in the application notes to the SFRs listed above are required in DoD. Table 2-2: cpp Selections and Assignments for Optional SFRs SFR Selections, Assignments, and Application Notes FCS_IPSEC_EXT.1.3 tunnel mode FMT_MOF.1.1(2)/ automatic checking for updates, automatic update TrustedUpdate Application note: whatever options are supported under FPT_TUD_EXT.1.2 must be limited to the security administrator. FIA_PMG_EXT.1.1!, @, #, $, %, ^, &, *, (, ) FIA_X509_EXT.2.1 code signing for system software updates, code signing for integrity verification FIA_X509_EXT.2.2 allow the administrator to choose whether to accept the certificate in these cases FPT_TST_EXT.1.1 During initial start-up (on power on), periodically during normal operation, at the request of the authorized user, at the conditions [assignment: conditions under which self-tests should occur] to demonstrate the correct operation of the TSF: [assignment: list of self-tests run by the TSF]. FPT_TUD_EXT.1.2 support automatic updates FPT_TUD_EXT.2.2 allow the administrator to choose whether to accept the certificate in these cases 5

06 March 2015 Developed by for the DoD 3. OTHER DOD MANDATES 3.1 Federal Information Processing Standard (FIPS) 140-2 Cryptographic modules supporting any SFR in the Cryptographic Support (FCS) class must be FIPS140-2 validated. While information concerning FIPS 140-2 validation should not be included in the ST, failure to obtain validation could preclude use of the TOE within DoD. 3.2 Federal Information Processing Standard (FIPS) 201-2 The firewall implementation is expected to interface with FIPS 201-2 compliant credentials (to include derived credentials as described in NIST Special Publication 800-157). The TOE may connect to a peripheral device (e.g., a smart card reader) in order to interface with PIV credentials, or natively store derived credentials (whose protections are evaluated in the Protection Profile). 3.3 Security State in Failure Device is assumed to maintain security state or cease to forward traffic if or when it fails. 3.4 DoD-Mandated Configuration The table below lists configuration values for product features implementing the cpp Specification of Management Functions (FMT_SMF). The ST is not expected to include this configuration information but it will be included in the product-specific STIG associated with the evaluated IT product. Non-binary configuration values are shown in italics. Furthermore, the firewall implementation must not have unnecessary services and functions enabled. Only those functions and services that are necessary to support operations (mission requirements) must be enabled. This is consistent with A.LIMITED_FUNCTIONALITY (cpp Section 3.6.2). For example, if the device enables an insecure version of SNMP by default, it must be disabled. Similarly, the firewall implementation must not enable the service or feature that automatically contacts a third party to report diagnostic or other information. Table 3-1: Configuration Values FMT_SMF_1.1 DoD Selections and Values Function Access banner For firewalls accommodating advisory warning messages of 1300 characters: You are accessing a U.S. Government (USG) Information System (IS) that is provided for USG-authorized use only. By using this IS (which includes any device attached to this IS), you consent to the following conditions: 6

24 April 2015 Developed by for the DoD FMT_SMF_1.1 Function DoD Selections and Values -The USG routinely intercepts and monitors communications on this IS for purposes including, but not limited to, penetration testing, COMSEC monitoring, network operations and defense, personnel misconduct (PM), law enforcement (LE), and counterintelligence (CI) investigations. -At any time, the USG may inspect and seize data stored on this IS. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -Communications using, or data stored on, this IS are not private, are subject to routine monitoring, interception, and search, and may be disclosed or used for any USG-authorized purpose. -This IS includes security measures (e.g., authentication and access controls) to protect USG interests--not for your personal benefit or privacy. -Notwithstanding the above, using this IS does not constitute consent to PM, LE or CI investigative searching or monitoring of the content of privileged communications, or work product, related to personal representation or services by attorneys, psychotherapists, or clergy, and their assistants. Such communications and work product are private and confidential. See User Agreement for details. For firewalls with severe character limitations: I've read & consent to terms in IS user agreem't. Session inactivity time Firewall rules Application note: To the extent permitted, the system should be configured to prevent further activity on the information system unless and until the user executes a positive action to manifest agreement to the advisory message. Security Administrator-configurable time interval of session inactivity = 15 minutes. (implementing FTA_SSL.3.1 Refinement) The firewall implementation must apply ingress filters entering the network to the external interface and egress filters leaving the network to the internal interface. The firewall implementation must manage excess bandwidth to limit the effects of packet flooding types of Denial of Service (DoS) attacks (rate limiting of traffic matching a rule). Specific rules: - block any packet with a source or destination of the IPv4 local host loopback address (127.0.0.0/8). - block any packet with a source or destination of the IPv6 local host loopback address (::1/128). - block any packet from the unspecified source address (::/128). 7

06 March 2015 Developed by for the DoD FMT_SMF_1.1 Function Audit behavior DoD Selections and Values - block IPv6 6to4 addresses for inbound and outbound traffic. (2002::/16) - block IPv6 6bone address space on the ingress and egress filters (3FEE::/16). - block inbound IP packets using an RFC 1918 address space (10.0.0.0/8, 172.16.0.0/12, and 192.168.0.0/16) - block inbound and outbound IPv6 Unique Local Unicast addresses (FC00::/7) (i.e., all hexadecimal addresses that begin with FC or FD). - block all inbound traceroutes. - block ICMPv6 type 134 (router advertisements) - block inbound packets where the destination is an IP address assigned to the management or loopback addresses of the enclave protection devices unless the packet has a source address assigned to the management network or network infrastructure. - block or limit IP packets destined to the control plane of the device itself. - block outbound IP packets that contain an illegitimate address in the source address field - block all ICMP responses on the external interface. - prohibit or restrict the use of functions, ports, protocols, and/or services, as defined in the PPSM CAL and vulnerability assessments. - information flow control policies set forth by the CYBERCOM J3 and the CC/S/A/FA J6. Application note: The firewall implementation must only allow incoming communications from authorized sources routed to authorized destinations. The firewall implementation must be configured in accordance with the security configuration settings based on DoD security configuration or implementation guidance, including NSA configuration guides, Communications Tasking Orders (CTOs), and Directive-Type Memorandums (DTMs). Firewall rules in these documents and those specified or implied in the PPSM CAL, vulnerability assessments, and CYBERCOM J3 and the CC/S/A/FA J6 information control policies are expected to be defined in a manner consistent with FFW_RUL_EXT.1.2. Therefore, no additional TOE security functionality beyond the cpp is suggested by these statements. - Transfer audit logs to an external IT entity on a real time basis. - Reveal error messages only to the Information System Security Officer (ISSO), Information System Security Manager (ISSM), or System Administrator (SA). Application note: The ISSO, ISSM, and SA are personnel roles within DoD. If the TOE cannot support this requirement directly, it is acceptable to implement by assigning read permissions to the ISSO, ISSM, and SA roles on the external IT entity used to support FAU_STG_EXT.1.1. 8

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information