UK IT SECURITY EVALUATION AND CERTIFICATION SCHEME




122-B

CERTIFICATION REPORT No. P166

CHECK POINT VPN-1/FireWall-1 Next Generation (NG)

Issue 2.0
July 2003

Crown Copyright 2003
Reproduction is authorised provided the report is copied in its entirety

UK IT Security Evaluation and Certification Scheme Certification Body, PO Box 144 Cheltenham, Glos GL52 5UF United Kingdom

E3 Check Point VPN-1/FireWall-1 Next Generation (NG)

RECOGNITION AGREEMENT OF INFORMATION TECHNOLOGY SECURITY EVALUATION CERTIFICATES

The Certification Body of the UK IT Security Evaluation and Certification Scheme is a member of the above Agreement Group and as such:

- indicates that it is the issuer's claim that this certificate is a conformant certificate as defined in this Agreement; and
- therefore gives grounds for confidence, though it cannot in itself guarantee, that the certificate is a conformant certificate and that it will in practice be recognised by the other Members of the Agreement Group.

The judgements contained in the certificate and Certification Report are those of the Qualified Certification Body which issued it and of the Evaluation Facility which carried out the evaluation. There is no implication of acceptance by other Members of the Agreement Group of liability in respect of those judgements or for loss sustained as a result of reliance placed upon those judgements by a third party.

Members of the Agreement Group currently are Finland, France, Germany, Greece, Italy, Netherlands, Norway, Spain, Sweden, Switzerland and UK.

Trademarks: All product or company names are used for identification purposes only and may be trademarks of their respective owners.

CERTIFICATION STATEMENT

Check Point Software Technologies Limited's VPN-1/FireWall-1 Next Generation (NG) is a software-based firewall application which provides controlled access between physically connected networks by permitting or denying the flow of packets. It also provides IP address translation, IP address hiding and the logging of all attempts to communicate between physically connected networks. In addition, it can operate as a virtual private network which is used to establish a secure communications channel over an unsecured network using 2 installations of the VPN-1/FireWall-1 firewall. The VPN facility is also used to establish a secure communications channel between a VPN-1/FireWall-1 and a VPN-1 SecureClient allowing remote access and secure connectivity for remote and mobile users.

Check Point VPN-1/FireWall-1 Next Generation (NG) with has been evaluated under the terms of the UK IT Security Evaluation and Certification Scheme and has met the requirements of ITSEC Assurance Level E3 when running on the platforms as specified in Annex B and in a trusted configuration as defined in the Security Target and summarised in Annex A.

Originator: CESG Certifier
Approval and Authorisation: CESG Technical Manager of the Certification Body
Date authorised: 16 July 2003


TABLE OF CONTENTS

CERTIFICATION STATEMENT
TABLE OF CONTENTS
ABBREVIATIONS
REFERENCES
I. INTRODUCTION
   Intended Audience
   Identification of Target of Evaluation
   Evaluation
   General Points
II. EVALUATION FINDINGS
   Introduction
   Correctness - Construction
   Correctness - Operation
   Effectiveness - Construction
   Effectiveness - Operation
   Specific Functionality
III. CONCLUSIONS
   Certification Result
   Recommendations
ANNEX A: SUMMARY OF THE SECURITY TARGET
ANNEX B: EVALUATED CONFIGURATION


ABBREVIATIONS

AES     Advanced Encryption Standard
CESG    Communications-Electronics Security Group
CLEF    Commercial Evaluation Facility
CMT     Cryptographic Module Testing
CMV     Cryptographic Module Verification
CVP     Content Vectoring Protocol
DES     Data Encryption Standard
ETR     Evaluation Technical Report
FIPS    Federal Information Processing Standards
FP      Feature Pack
FTP     File Transfer Protocol
GUI     Graphical User Interface
IKE     Internet Key Exchange
IP      Internet Protocol
ITSEC   Information Technology Security Evaluation Criteria
ITSEM   Information Technology Security Evaluation Manual
LAN     Local Area Network
LDAP    Lightweight Directory Access Protocol
MIME    Multipurpose Internet Mail Extensions
NG      Next Generation
NIC     Network Interface Card
NIST    National Institute of Standards and Technology
NVLAP   National Voluntary Laboratory Accreditation Program
SEF     Security Enforcing Function
SIC     Secure Internal Communications
SMTP    Simple Mail Transfer Protocol
SoM     Strength of Mechanisms
TOE     Target of Evaluation
UKSP    United Kingdom Scheme Publication
VPN     Virtual Private Network


REFERENCES

a. Description of the Scheme, UK IT Security Evaluation and Certification Scheme, UKSP 01, Issue 4.0, February 2000.

b. The Appointment of Commercial Evaluation Facilities, UK IT Security Evaluation and Certification Scheme, UKSP 02, Issue 3.0, 3 February 1997.

c. ITSEC E3 Certification Security Target, VPN-1/FireWall-1 Next Generation (FP1), Version 2.1.12, 18 June 2003.

d. Harmonised Information Technology Security Evaluation Criteria, Commission of the European Communities, CD-71-91-502-EN-C, Version 1.2, June 1991.

e. Information Technology Security Evaluation Manual, Commission of the European Communities, Version 1.0, 10 September 1993.

f. Manual of Computer Security Evaluation, Part I, Evaluation Procedures, UK IT Security Evaluation and Certification Scheme, UKSP 05, Issue 3.0, October 1994.

g. Manual of Computer Security Evaluation, Part III, Evaluation Techniques and Tools, UK IT Security Evaluation and Certification Scheme, UKSP 05, Issue 2.0, 30 July 1997.

h. ITSEC Joint Interpretation Library (ITSEC JIL), Joint Interpretation Working Group, Version 2.0, November 1998.

i. Task LFD/T316 Evaluation Technical Report, Electronic Data Systems Limited, P14784/EVAL/R-02/01, Issue 1.0, March 2002.

j. Task LFD/T316 Evaluation Technical Report: Intrusion Platform Addendum, Electronic Data Systems Limited, P18164/EVAL/R-02/02, Issue 1.0, January 2003.

k. LFD/T316 - Intrusion Checksum Verification Work, Electronic Data Systems Limited, P18164/EVAL/A-02/20, 20 June 2003.

l. VPN-1/FireWall-1 Product Architecture, Next Generation, Formal Edition version 1.4 for ITSEC E3 evaluation, February 2002.

m. VPN-1/FireWall-1 Next Generation Detailed Design - for ITSEC E3 Evaluation, Version 1.5, 9 April 2002.

n. ITSEC E3 Secure Delivery - VPN-1/FireWall-1 NG ITSEC E3 Evaluation, Version 1.0, 19 November 2001.

o. Check Point VPN-1/FireWall-1 NG FP1 System Generation/Installation Guide for ITSEC E3, Version 1.2, 3 March 2002.

p. Check Point VPN-1/FireWall-1 Next Generation (NG) ITSEC E3 Release Notes, November 2001 (last update - 25 April, 2002).

q. Check Point Getting Started Guide, NG FP1, Part No. 700360, November 2001.

r. Check Point Desktop Security, NG, Part No. 700361, November 2001.

s. Check Point FireWall-1 Guide, NG FP1, Part No. 700349, November 2001.

t. Check Point Management Guide, NG FP1, Part No. 700348, November 2001.

u. Check Point Reference Guide, NG, Part No. 700351, November 2001.

v. Check Point User Management, NG, Part No. 700268, June 2001.

w. Check Point Virtual Private Networks, NG, Part No. 700350, November 2001.

x. ITSEC E3 Certification - Intrusion Inc. PDS Pilot with Check Point VPN-1/FireWall-1 Next Generation Release 2.4(7), System Generation/Installation Guide, Intrusion Inc., Version 1.4, 18 June 2003.

y. Intrusion PDS Pilot v2.4 User Guide, Intrusion Inc., 700-0615-101, Rev. D, June 2003.

z. VPN-1/FireWall-1 Next Generation Suitability Analysis, P14784/01/R-01/1, Issue 1.A, February 2002.

aa. VPN-1/FireWall-1 NG Binding Analysis, P14784/01/R-01/5, Issue 1.A, January 2002.

bb. VPN-1/FireWall-1 NG Strength of Mechanisms Analysis, P14784/01/R-01/2, Issue 1.A, February 2002.

cc. Developers Guide, Part III, Advice to Developers, UK IT Security Evaluation and Certification Scheme, UKSP 04, Issue 1.0, July 1996.

dd. CERT Vulnerability Note VU#412115, Network device drivers reuse old frame buffer data to pad packets, Cert Coordination Centre, http://www.kb.cert.org/vuls/id/412115.

ee. EtherLeak: Ethernet frame padding information leakage, @stake, http://www.atstake.com/research/advisories/2003/atstate_etherleak_report.pdf.


I. INTRODUCTION

Intended Audience

1. This Certification Report states the outcome of the IT security evaluation of Check Point VPN-1/FireWall-1 Next Generation (NG) and is intended to assist potential users when judging the suitability of the product for their particular requirements. The Developer was Check Point Software Technologies Ltd. The evaluation sponsors were as specified below in paragraph 11.

Identification of Target of Evaluation

2. The version of the product evaluated was: Check Point VPN-1/FireWall-1 Next Generation (NG). The Developer was Check Point Software Technologies Limited.

3. The product operates in 2 modes:

   a. as a firewall which uses Stateful Inspection Technology to inspect all packets passing between networks connected to the product, promptly blocking all unwanted communication attempts (it supports the complete IP family of protocols); and

   b. as a Virtual Private Network (VPN) which is used to establish a secure communications channel over an unsecured network (eg the Internet) using 2 Check Point Firewalls.

   The product's firewall functionality and the invocation of the product's VPN functionality are the subject of this evaluation. This functionality, as described in the Security Target [Reference c], is also described in this report as the Target of Evaluation (TOE). The product's cryptographic functionality is outside the scope of this evaluation. (See paragraphs 13, 14 below for details of FIPS testing of the product.)

4. By installing the TOE on a gateway, it can be used as a firewall to supervise all traffic passing between connected networks. It uses Stateful Inspection Technology to inspect packets and ensure that only communications from permitted hosts, accessing services permitted for those hosts, are allowed to pass. A network behind the gateway may thus be protected against attack or unauthorised access originating beyond the gateway.

5. The TOE has four main components:

   a. a Graphical User Interface (GUI);

   b. a Management Server;

   c. one or more Firewall modules; and

   d. one or more SecureClients.

6. The product can also operate as a VPN which is used to establish a secure communications channel over an unsecured network (eg the Internet) using 2 installations of the VPN-1/FireWall-1 firewall. The VPN facility is also used to establish a secure communications channel between a VPN-1/FireWall-1 firewall and a remote VPN-1 SecureClient allowing remote access and secure connectivity for remote and mobile users.

7. The product is designed to operate in a distributed configuration, providing centralised management of multiple firewall enforcement points (gateways), as well as centralised management of remote VPN clients.

8. Details of the evaluated version of the TOE and of trusted configurations of the product are contained in the Security Target [c] and summarised in Annexes A and B to this report.

Evaluation

9. The evaluation was carried out in accordance with the requirements of the UK IT Security Evaluation and Certification Scheme as described in UKSP 01 and UKSP 02 [a, b]. The Scheme has established a Certification Body which is jointly managed by the Communications-Electronics Security Group (CESG) and the Department of Trade and Industry on behalf of Her Majesty's Government.

10. The purpose of the evaluation was to provide assurance about the effectiveness of the TOE in meeting its Security Target [c], which prospective users are advised to read. (A copy of the Security Target may be obtained from the Developer). The criteria against which the TOE was judged are described in the IT Security Evaluation Criteria (ITSEC) [d]. This describes how the degree of assurance is expressed in terms of the levels E0 to E6 where E0 represents no assurance. The methodology used is described in the IT Security Evaluation Manual (ITSEM) [e], UKSP 05 [f, g] and the ITSEC Joint Interpretation Library [h].

11. The Certification Body monitored the evaluation which was carried out by the EDS Commercial Evaluation Facility (CLEF). This evaluation was conducted in 2 stages. Initially, the evaluation was conducted with the TOE running on the SUN Solaris 8 and Windows NT4 SP6a operating systems. That evaluation (sponsored by the Developer) was completed in March 2002 when the CLEF submitted an Evaluation Technical Report (ETR) [i] to the Certification Body which, in turn, produced issue 1.0 of this Certification Report. Subsequently, the TOE was evaluated on the Intrusion PDS Pilot 2.4(7) operating system. This evaluation (sponsored by Intrusion Inc.), which did not affect any of the findings of the earlier evaluation, was completed in January 2003 when the CLEF submitted another ETR [j] to the Certification Body. In June 2003 the CLEF submitted an additional report [k] describing their work to verify the secure delivery of the Check Point files on the Intrusion Inc. PDS Pilot platform. The Certification Body then produced this report.

12. The Target Assurance Level for the product, as required by the Security Target [c], was E3.

13. The Cryptographic mechanisms (MD5, AES, SHA, RSA, IKE, Diffie Hellman, DES and Triple DES) are implemented within the product. These mechanisms are used to implement the Secure Internal Communications (SIC) and VPN and are outside the scope of the evaluation. These mechanisms are publicly known and as such it is the policy of the national authority for cryptographic mechanisms, CESG, not to comment on their appropriateness or strength.

14. The product has been tested by a NIST NVLAP-accredited Cryptographic Module Testing (CMT) laboratory under the Cryptographic Module Verification (CMV) programme and validated by NIST (Certificate number 234) as complying with the requirements of FIPS 140-1 level 2. The Validation Report states that the TOE contains the FIPS-approved algorithms DES (Cert #142), Triple-DES (Cert #80) and SHA-1 (Cert #69) with RSA (PKCS #1 vendor affirmed) and HMAC-SHA-1 (Cert #69, vendor affirmed). Some mechanisms within the product are non-FIPS-approved.

15. The minimum Strength of Mechanisms (SoM) for the search for vulnerabilities conducted by the Evaluators was Medium.

General Points

16. Prospective users of the TOE are reminded that the security functionality evaluated is that claimed in the Security Target [c]. This functionality may not necessarily meet all the threats that a user has identified in a particular operating environment. The assumed threats, intended method of use and environment are as stated in the Security Target. The TOE should only be used on the platforms as specified in Annex B and in a trusted configuration as defined in the Security Target [c] and summarised in Annex A. It is the responsibility of purchasers to ensure that Check Point VPN-1/FireWall-1, NG FP1 meets their requirements.

17. Certification is not a guarantee of freedom from security vulnerabilities; there remains a small probability (smaller with higher assurance levels) that exploitable vulnerabilities may be discovered after a certificate has been awarded. This Certification Report reflects the Certification Body's view at the time of penetration testing (6 December 2002). Users (both prospective and existing) should check regularly for themselves whether any security vulnerabilities have been discovered since this report was issued and, if appropriate, should check with the Vendor to see if any patches exist for the product and whether such patches have been evaluated and certified. In addition, users (both prospective and existing) should note the content of CERT Vulnerability Note VU#412115 [dd] which identifies the fact that many network device drivers reuse old frame buffer data to pad IP data packets. Users and potential users should review the risks identified in [ee] in the context of their particular environment and should consider the use only of network cards for which the vulnerability does not exist or for which a suitable patch has been provided. See http://www.kb.cert.org/vuls/id/412115 for vendor-specific information regarding the vulnerability status and patch availability of device drivers.

18. The issue of a Certification Report is not an endorsement of a product.


II. EVALUATION FINDINGS

Introduction

19. The evaluation of Check Point VPN-1/FireWall-1, NG FP1 followed the generic Evaluation Work Programme described in the ITSEM [e] with work packages structured around the evaluator actions described in the ITSEC [d]. The results of this work were reported in the ETRs [i, j] and additional report [k] under the ITSEC headings. This Certification Report summarises the assurance results in relation to the security functionality claimed in the Security Target [c].

Correctness - Construction

20. This aspect of the evaluation examined both the development process (ie the Security Target, the Architectural and Detailed Designs, the Implementation) and the environment in which it took place. The results were as follows:

   a. The Security Target [c] described the Security Enforcing Functions (SEFs) provided by the TOE, and contained a product rationale identifying its method of use and intended environment; it also described how the product's functionality was appropriate for that method of use and was adequate to counter the assumed threats.

   b. The Architectural Design [l] described the general structure of the TOE, together with any external interfaces and supporting hardware or firmware; it also described how the SEFs of the TOE are provided and how the TOE is separated into security enforcing and other components.

   c. The Detailed Design [m] specified all basic components, identified all security mechanisms, described all SEFs and other security relevant functions, mapped SEFs to mechanisms and components, documented interfaces adequately and enabled the relationships between levels of specification to be identified.

   d. The correctness of the implementation was satisfactory, ie all security enforcing and security relevant functions offered in the Detailed Design were identifiable in the source code and test documentation and the associated tests were repeatable.

   e. Repeating an agreed sample of the Developer's functional tests and running additional evaluator tests produced no differences in the test results. The Evaluators were satisfied that their findings could be applied to the platforms identified in Annex B.

   f. The configuration control, programming standards and security aspects of the Developer's working environment were satisfactory.

21. The Evaluators concluded that the TOE met the requirements for ITSEC E3 in respect of its Security Target, Architectural and Detailed Designs, Implementation and Development Environment.

Correctness - Operation

22. The Evaluators checked and confirmed that:

   a. there were no SEFs directly relevant to the end users;

   b. the operations documentation [r - w] adequately described the SEFs relevant to administrators and how to operate the TOE in a secure manner;

   c. the delivery and configuration documentation [n - q] for the TOE when installed on SUN Solaris 8 or Windows NT4 SP6a operating systems described the delivery arrangements from the development environment to the customer and the required system generation aspects;

   d. the delivery and configuration documentation [n - q, x, y] for the TOE when installed on Intrusion PDS Pilot 2.4(7) operating system described the delivery arrangements from the development environment to the customer and the required system generation aspects;

   e. the startup and operations documentation [n - w] for the TOE when installed on SUN Solaris 8 or Windows NT4 SP6a operating systems adequately described the procedures for secure startup and operation and, where relevant, for the deactivation or modification of SEFs;

   f. the startup and operations documentation [n - y] for the TOE when installed on Intrusion PDS Pilot 2.4(7) operating system adequately described the procedures for secure startup and operation and, where relevant, for the deactivation or modification of SEFs; and

   g. the information supplied described how these procedures maintain the security of the TOE.

23. For installation on SUN Solaris 8 and Windows NT4 SP6a operating systems, the TOE should be obtained directly from Check Point as described in [n].

24. Intrusion Platforms are delivered with the Check Point Management Server and Firewall modules pre-loaded on the hard disk of the Intrusion platform as files: CPshrd-50-00.i386.rpm and CPfw1-50-00.i386.rpm. In addition, the Check Point CD-ROM is shipped with the Intrusion platforms.

25. To ensure the integrity of the Check Point Management Server and Firewall modules before performing the installation procedures [x] on the Intrusion platform administrators should compute the MD5 hash sum of each of these files. The computed sums should be as follows:

   file                     MD5 hash sum
   CPshrd-50-00.i386.rpm    c2bef39bedbc794fb8605911b4d0518c
   CPfw1-50-00.i386.rpm     cdf0ed371437fb2a2112c2b56fc0ae42

26. The Evaluators concluded that the Operations Documentation and the Operational Environment met the requirements for ITSEC E3.

Effectiveness - Construction

27. This aspect of the evaluation dealt with:

   a. the suitability of the TOE's SEFs to counter the threats identified in the Security Target [c];

   b. the ability of the SEFs and mechanisms to bind together in a way that is mutually supportive and provides an integrated and effective whole;

   c. the ability of the TOE's security mechanisms to withstand direct attack; and

   d. the question of whether known security vulnerabilities in the construction of the TOE could, in practice, compromise its security.

28. The Evaluators were satisfied that:

   a. the Suitability Analysis [z] confirmed that all the threats listed in the Security Target [c] were adequately countered by one or more of the stated SEFs and mechanisms;

   b. the Binding Analysis [aa] demonstrated that it was not possible for any SEF or mechanism to conflict with or contradict the intent of any other SEF or mechanism;

   c. the procedural measures in the Developer's Security Target [c] and in the operations documentation [r - y] were sufficient to prevent all known construction vulnerabilities from being exploited;

   d. the independent vulnerability analysis and penetration testing did not reveal any exploitable vulnerabilities in the TOE that were not satisfactorily corrected or neutralised; and

   e. the SoM Analysis [bb] listed all the security enforcing mechanisms within the TOE and identified the IPSec, SSL, RSA, IKE encryption schemes and the MD5, AES, SHA, DES and Triple DES algorithms as the only critical mechanisms within the TOE. The correctness of the implementation of these mechanisms has been addressed in paragraphs 13 and 14 above. The effectiveness of these mechanisms is outside the scope of the evaluation.

29. The TOE was tested in the software configuration and on hardware platforms identified in Annex B. However, the Evaluators accepted the Developer's argument in [l] that the TOE does not rely on the software platforms to provide any of its security enforcing functionality. (Note that the underlying operating system and the underlying hardware platform are required to function correctly in order to support the method of use assumptions [c] that contribute to the secure operation of the TOE.) The Evaluators, therefore, endorsed the claim in the Security Target [c: 2.1.2 a] that, subject to the considerations of the Check Point Getting Started Guide [q] and the Check Point System Generation/Installation Guide [o], the TOE executes on any computer system from the family of workstations and servers which supports the SUN Solaris 8, Windows NT4 SP6a and PDS Pilot v 2.4(7) operating systems.

30. The Evaluators concluded that the TOE met the requirements for ITSEC E3 in respect of Suitability, Binding, SoM and Construction Vulnerability.

Effectiveness - Operation

31. This work involved:

   a. checking that the TOE can be used in a secure manner and assessing whether known vulnerabilities in its operation could, in practice, compromise its security; and

   b. checking the List of Known Vulnerabilities in the operation of the TOE, as supplied by the Developer, and assessing the impact of these vulnerabilities and the measures proposed to counter their effects.

32. The evaluation confirmed that:

   a. the TOE could not be configured or used in a manner which was insecure but which an administrator or end-user would reasonably believe to be secure;

   b. the countermeasures proposed by the Developer in the List of Known Vulnerabilities in Operational Use were entirely satisfactory; and

   c. the independent vulnerability analysis and penetration testing on the platforms identified in Annex B did not reveal any exploitable vulnerabilities in the operation of the TOE.

33. The Evaluators concluded that the TOE met the requirements for ITSEC E3 in respect of Ease of Use and Operational Vulnerability.

Specific Functionality

34. The Evaluators concluded that all the functionality claimed in the Security Target [c] had been met. This included functionality claims under the following headings:

   Access Control
   Audit
   Remote Supervision
   Secure Internal Communication
   Data Exchange
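The integrity check that paragraphs 24 and 25 require before installation on the Intrusion platform (and that paragraph 37 repeats as a recommendation) can be scripted as follows. This is an added example, not part of the report or of the Check Point or Intrusion documentation; the function names, the "name hash" manifest layout and the directory argument are assumptions, and the self-check runs on constructed files rather than the real packages.

```shell
#!/bin/sh
# Added example (not from the report): compare the pre-loaded Check Point
# packages with the MD5 sums published in paragraph 25 before installing.
# Function names and the "name hash" manifest layout are assumptions.

# File names and MD5 hash sums exactly as published in paragraph 25.
PUBLISHED_MANIFEST='CPshrd-50-00.i386.rpm c2bef39bedbc794fb8605911b4d0518c
CPfw1-50-00.i386.rpm cdf0ed371437fb2a2112c2b56fc0ae42'

# md5_hex FILE: print the lowercase hex MD5 of FILE.
# Reads via stdin so an unusual file name cannot alter the output format.
md5_hex() {
    if command -v md5sum >/dev/null 2>&1; then
        md5sum < "$1" | cut -d' ' -f1
    else
        openssl dgst -md5 -r < "$1" | cut -d' ' -f1
    fi
}

# verify_delivery DIR MANIFEST
# Checks every "name hash" line of MANIFEST against DIR/name, prints one
# status line per file, and returns 0 only if every file is present and its
# computed MD5 equals the expected value.
verify_delivery() {
    vd_dir=$1
    vd_failures=0
    while read -r vd_name vd_expected; do
        [ -n "$vd_name" ] || continue          # skip blank manifest lines
        # Normalise case so an upper-case expected value still compares equal.
        vd_expected=$(printf '%s' "$vd_expected" | tr 'A-F' 'a-f')
        if [ ! -f "$vd_dir/$vd_name" ]; then
            echo "MISSING   $vd_name"
            vd_failures=$((vd_failures + 1))
            continue
        fi
        vd_actual=$(md5_hex "$vd_dir/$vd_name")
        if [ "$vd_actual" = "$vd_expected" ]; then
            echo "OK        $vd_name"
        else
            echo "MISMATCH  $vd_name computed=$vd_actual expected=$vd_expected"
            vd_failures=$((vd_failures + 1))
        fi
    done <<EOF
$2
EOF
    [ "$vd_failures" -eq 0 ]
}

# self_check: exercise verify_delivery on constructed files. An empty file
# has the well-known MD5 d41d8cd98f00b204e9800998ecf8427e.
self_check() {
    sc_dir=$(mktemp -d) || return 2
    : > "$sc_dir/sample-a.rpm"                    # constructed: empty file
    printf 'tampered' > "$sc_dir/sample-b.rpm"    # constructed: altered file
    sc_empty=d41d8cd98f00b204e9800998ecf8427e
    sc_rc=0
    # The intact file must pass.
    verify_delivery "$sc_dir" "sample-a.rpm $sc_empty" >/dev/null || sc_rc=1
    # An altered file and an absent file must both be reported as failures.
    verify_delivery "$sc_dir" "sample-b.rpm $sc_empty" >/dev/null && sc_rc=1
    verify_delivery "$sc_dir" "sample-c.rpm $sc_empty" >/dev/null && sc_rc=1
    rm -rf "$sc_dir"
    return "$sc_rc"
}

# With a directory argument, check the real delivery against the published
# values; with no argument, run the self-check on constructed files.
if [ "$#" -ge 1 ]; then
    verify_delivery "$1" "$PUBLISHED_MANIFEST" || exit 1
else
    self_check || exit 1
fi
```

Run it with the directory holding the pre-loaded files as its single argument and do not proceed with installation unless both files report OK. MD5 is no longer collision-resistant, so the script reproduces the check the report specifies and nothing stronger.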

III. CONCLUSIONS

Certification Result

35. After due consideration of the ETRs [i, j] and additional report [k], produced by the Evaluators, and of the conduct of the evaluation, as witnessed by the Certifier, the Certification Body has determined that Check Point VPN-1/FireWall-1 Next Generation (NG) with Feature Pack 1 (FP1) meets the requirements of ITSEC Assurance Level E3 when running on the platforms as specified in Annex B and in a trusted configuration as defined in the Security Target [c] and summarised in Annex A.

Recommendations

36. The product should only be used in accordance with the intended environment and method of use described in the Security Target [c: 2.3, 2.4]. Particular care should be taken that the product is delivered and installed in accordance with the specific documentation relating to an ITSEC E3-compliant installation, and is configured and used in accordance with the operations documentation, as follows:

a. for installations on SUN Solaris 8 and Windows NT4 SP6a, the product should be delivered and installed in accordance with references [n - q] and configured and used in accordance with references [r - w] (note that references [n - p] can be found on website http://www.checkpoint.com/techsupport/documentation/certdocs); and

b. for installations on Intrusion PDS Pilot, the product should be delivered and installed in accordance with references [n - q, x, y] and configured and used in accordance with references [r - y] (note that references [x] and [y] can be found on web site http://www.intrusion.com/itsec/default.asp).

37. To ensure the integrity of the Check Point Management Server and Firewall modules as delivered on the Intrusion platform, administrators should ensure that the MD5 checksums of the modules are those given in paragraph 25 above.

38. The Security Target [c: 2.1.2 a] states that the product does not rely on the underlying operating system to provide any of the security enforcing/relevant capability. Purchasers of the TOE should note, however, that the underlying operating system and the underlying hardware platform are required to function correctly in order to support the method of use assumptions that contribute to the secure operation of the TOE.

39. Purchasers should note that the Check Point accelerator software has not been evaluated and, therefore, is not part of the evaluated configuration. Administrators should ensure that no accelerator cards are installed on any hardware platforms. In particular, they should ensure that (as noted in [x: 2.2]) the VPN-1 Accelerator Card II is not to be physically installed in the Intrusion hardware platform.

40. Purchasers should note that the administrators of the TOE are assumed to be trusted individuals who are appropriately vetted and trained. The TOE does not counter threats from careless, negligent or hostile administrators. It is recommended that appropriate measures, including regular, independent audits of the firewall configuration, be taken to counter these threats.

41. Firewall flow policies are complex and they need to be tailored to fit specific requirements. Purchasers of the TOE should ensure that administrators are competent to determine the firewall flow policies to be implemented or have access to people who are competent to determine such policies.

42. Administrators should be aware that the TOE does not counter the threat that a firewall module could be bypassed by connecting the internal network directly to an external network. It is recommended that the TOE is placed in a physically secure environment to which only authorised personnel have access and that internal users are prevented from connecting their workstations or servers to the external network by any link (eg a modem) that does not pass through a firewall module that is part of a trusted configuration of VPN-1/FireWall-1 NG FP1.

43. Administrators should be aware that a firewall does not prevent malicious users on the internal network colluding with hostile attackers on the external network if the user is authorised to access and send the information to external hosts.

44. Administrators should note that any traffic on the internal network not routed through a firewall module falls outside the administrator's control. Thus the TOE will not counter threats to the security of the internal network from authorised users of the internal network.

45. Administrators are recommended to inspect the TOE's audit trails on a regular basis and, also, to inspect, on a regular basis, the installed Firewall Security Policies and Desktop Security Policies to ensure that they remain correct.

46. Administrators should take particular care to ensure that IP forwarding is enabled in the TOE's computer system only when VPN-1/FireWall-1 is running and is disabled when VPN-1/FireWall-1 is not running, otherwise IP packets may be forwarded by the underlying operating system while the firewall is not running. Administrators should note that the commands for configuring IP forwarding are different for each operating system. Guidance on configuring IP forwarding is provided in the Check Point User Manuals, in particular in [u].

47. Potential purchasers of the TOE should be aware that the TOE does not claim to resist all denial-of-service attacks. Whilst the TOE does contain functionality to counter attacks using fragmented or overlapping IP packets, SYN flooding attacks are outside the scope of this evaluation because the SYNDefender functionality was not included in this evaluation.

48. Potential purchasers should note that the VPN-1/FireWall-1, in common with similar TOEs, does not counter the threat of Session Hi-jacking (ie an external attacker taking over an authenticated session initiated by another external host) unless using VPN-1 SecureClient for remote access to the protected network. This threat should be considered when defining the internal network security policy.

49. To reduce the potential impact of Session Hi-jacking, it is recommended that the internal network security policy states what executable software is authorised to be received through the firewall from the external network. Corresponding operational procedures to quarantine such software may also be required.

50. To detect whether Session Hi-jacking has affected the firewall, it is recommended that a backup of the firewall in its initial operational configuration is retained and used for comparison at periodic intervals. Operational procedures should state when this comparison is to be made.

51. Potential purchasers should be aware that the TOE does not detect viruses. It is recommended that executable programs attached to incoming mail messages should be virus-checked. Automatic explosion or execution of MIME-encoded attachments within SMTP messages should also be disabled.

52. Administrators should note that whilst VPN-1/FireWall-1 NG FP1 can coexist within the same network as VPN-1/FireWall-1 Version 4.1 provided each are configured, and their security policies defined, according to their evaluated configurations, the backward compatibility of VPN-1/FireWall-1 NG FP1 to manage VPN-1/FireWall-1 Version 4.1 is not within the scope of this evaluation and certification. It follows, therefore, that VPN-1/FireWall-1 Version 4.1 cannot be part of an evaluated configuration of VPN-1/FireWall-1 NG FP1.

53. Potential users of the product should understand the specific scope of the certification by reading this report in conjunction with the Security Target [c]. Only the relevant evaluated product configuration, as identified in paragraph 36 above, should be installed.
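The periodic comparison recommended in paragraph 50 can be automated by fingerprinting every file in the retained backup and in the live configuration and reporting what was removed, added or modified. The Python below is an added example, not part of the certification report or of any Check Point tooling; the directory layout and file names are constructed for illustration.

```python
import hashlib
import os
import tempfile
from pathlib import Path


def _sha256(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root):
    """Return {relative path: fingerprint} for every file and symlink under root."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):  # symlinked dirs are not followed
        for name in dirnames + filenames:
            full = Path(dirpath) / name
            rel = full.relative_to(root).as_posix()
            if full.is_symlink():
                # A retargeted link is a configuration change even if no file changed.
                manifest[rel] = "symlink:" + os.readlink(full)
            elif full.is_file():
                manifest[rel] = "sha256:" + _sha256(full)
    return manifest


def compare(baseline, current):
    """Classify differences between the backup manifest and the live one."""
    b, c = set(baseline), set(current)
    return {
        "removed": sorted(b - c),
        "added": sorted(c - b),
        "modified": sorted(p for p in b & c if baseline[p] != current[p]),
    }


def demo():
    """Constructed data: temp directories stand in for the backup and the live config."""
    with tempfile.TemporaryDirectory() as tmp:
        backup, live = Path(tmp, "backup"), Path(tmp, "live")
        for base in (backup, live):
            # Hypothetical file names, not the product's real configuration files.
            (base / "policy").mkdir(parents=True)
            (base / "policy" / "rules.txt").write_text("allow smtp to mailhost\ndrop all\n")
            (base / "objects.txt").write_text("mailhost 192.0.2.10\n")
        # Simulated drift on the live copy: one edit, one new file, one deletion.
        (live / "policy" / "rules.txt").write_text("allow smtp to mailhost\nallow all\n")
        (live / "extra.bin").write_bytes(b"\x00unexpected")
        (live / "objects.txt").unlink()
        return compare(build_manifest(backup), build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

The comparison is only as trustworthy as the backup, so the retained copy should be stored where the firewall host itself cannot write to it.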


ANNEX A: SUMMARY OF THE SECURITY TARGET

Introduction

1. The Security Target is given in [c]. The Product Rationale is summarised below.

Product Rationale

Intended Method of Use

2. Section 2.1.2 of the Security Target [c] defines a trusted configuration of the product as one that:

a. executes on any computer system from the family of workstations and servers which supports one of the following operating systems (subject to the considerations of the Check Point Getting Started Guide [q] and the Check Point System Generation/Installation Guide [o]):

  i. SUN Solaris 8
  ii. Windows NT4 SP6a
  iii. PDS Pilot v2.4(7)

The PDS Pilot 2.4 OS is a customised version of the Linux OS, prepared for use with the Intrusion Inc. PDS appliance hardware, and which is pre-configured to address the environmental assumptions associated with the operating platform. This platform supports all the components of the product except the GUI and SecureClient, see c) below. The product does not rely on the underlying operating system to provide any security enforcing functions but it does rely on the correct operation of the underlying operating system to support the security enforcing functions and, therefore, the secure operation of the TOE.

b. executes on a computer system which supports up to 128 port connections (note that the VPN-1/FireWall-1 uses the concept of managed ports and does not use the traditional firewall terms of internal and external network).

c. consists of:

  i. a Management Server which resides on a protected LAN;
  ii. a Graphical User Interface which resides on a separate workstation running Microsoft Windows NT which is part of the protected LAN the Management Server is part of;
  iii. a VPN-1 SecureClient which resides on a remote machine outside of the protected LAN but is part of the corporate network. The VPN-1 SecureClient must reside on a machine running Windows NT;
  iv. a number of FireWall Modules which may or may not reside on the protected LAN the Management Server is part of; and
  v. a Policy Server installed on a VPN-1/FireWall-1 machine which resides on the protected LAN that the Management Server is part of.

d. is configured, controlled and monitored using the GUI which communicates with the Management Server; the Management Server then configures the Firewall Modules and via the Policy Server downloads the Desktop Policy to the Secure Client(s).

e. has been delivered and installed in accordance with the specific documentation relating to an ITSEC E3-compliant installation and is configured and used in accordance with the operations documentation. See paragraph 36 above for details of installation and operations documentation.

3. The product operates in 2 modes:

a. as a firewall which uses Stateful Inspection Technology to inspect all packets passing between networks connected to the product, promptly blocking all unwanted communication attempts (it supports the complete IP family of protocols); and

b. as a VPN which is used to establish a secure communications channel over an unsecured network (eg the Internet) using 2 Check Point Firewalls.

Assumed Threats

4. The assumed threats are described in section 2.5 of the Security Target [c].

Security Features

5. The security features are given in section 2.1.4 of the Security Target [c].

Target Assurance Level

6. The Target Assurance Level for the product, as defined in the Security Target [c], was E3 as defined in ITSEC [d].

Claimed Minimum Strength of Mechanisms

7. All the critical mechanisms in VPN-1/FireWall-1 are publicly known cryptographic algorithms and therefore a SoM claim is not appropriate, in accordance with Chapter 4 of [cc].

ANNEX B: EVALUATED CONFIGURATION

Hardware

1. Subject to the considerations of the Check Point Getting Started Guide [q] and the Check Point System Generation/Installation Guide [o], the TOE executes on any computer system from the family of workstations and servers which supports one of the following operating systems:

a. SUN Solaris 8
b. Windows NT4 SP6a
c. PDS Pilot v2.4(7)

Hardware test configuration - SUN Solaris 8 and Windows NT SP6a

2. The Evaluators conducted penetration testing of Check Point VPN-1/FireWall-1 on the SUN Solaris and Windows NT4 SP6a operating systems using the following platforms:

a. Two generic Intel machines, each with dual Pentium III processors, 512Mb RAM, 18Gb hard disk, CD ROM drive, floppy drive and 9 NICs. These machines were each pre-installed with Windows NT4.0 with SP6a.

b. One Sun Ultra 10 with 128 Mb RAM, hard disk, CD ROM drive, floppy drive and 8 NICs. This machine was pre-installed with Sun Solaris 8.

c. One Dell Latitude laptop with Pentium processor, 128mb RAM, hard disk, CD ROM drive, floppy drive and 1 NIC. This machine was pre-installed with Windows NT4.0 with SP6a.

TOE test configuration - SUN Solaris 8 and Windows NT SP6a

3. The platforms identified in the preceding paragraph were configured as follows:

a. The TOE GUI and Management Server were installed on one generic Intel machine.

b. The TOE Firewall modules were installed on one generic Intel machine and on the Sun machine, and configured in a VPN.

c. The TOE SecureClient was installed on the Dell laptop and configured in a VPN with a Firewall machine.

Hardware test configuration - PDS Pilot v2.4(7)

4. The Evaluators conducted penetration testing of Check Point VPN-1/FireWall-1 on the PDS Pilot v2.4(7) operating system using the following platforms:

a. Two Intrusion PDS 5315 machines pre-installed and configured with the Pilot 2.4(7) operating system and the TOE.

b. One Dell Latitude laptop PC, with Pentium III processor, preinstalled with Windows NT4 SP6a.

c. One Toshiba Satellite Pro 4200 laptop PC, with Pentium II processor. This machine was pre-installed with Windows NT4 SP6a.

5. In addition, the Evaluators used a laptop PC as necessary to check the installation and configuration of the Intrusion machines.

TOE test configuration - PDS Pilot v2.4(7)

6. The platforms identified in the preceding paragraph were configured as follows:

a. The TOE GUI was installed on the Dell laptop.

b. The TOE Management Server was installed on one Intrusion PDS 5315 machine.

c. The TOE Firewall was installed on one Intrusion PDS 5315 machine.

d. The TOE SecureClient was installed on the Toshiba laptop and configured in a VPN with the Firewall machine.

Firmware

7. Firmware is present on all hardware platforms and in the network interface hardware. It does not provide any of the SEFs and does not, directly, support the SEFs and is not, therefore, security enforcing. However, the firmware is required to operate correctly in order to support the correct operation of the SEFs.

Software

8. The TOE consists of Check Point VPN-1/FireWall-1, NG FP1 with the following features and facilities of VPN-1/FireWall-1:

- Network security provided by Firewall and remote Desktop (SecureClient) components
- Remote Management capability, including separate GUI management client
- Secure internal communications (note that only the invocation of the SIC was in scope of the evaluation - the cryptographic mechanisms used to provide SIC were not addressed during the evaluation (see paragraph 13 of this report))
- VPN facility (note that only the invocation of the VPN facility was in scope of the evaluation - the cryptographic mechanisms used to provide VPN facility were not addressed during the evaluation (see paragraph 13 of this report))
- Security Server functionality (note: the actual services for which the Security Server is used to arbitrate requests were outside the scope of the evaluation)
- LDAP client interface
- CVP interface
- End-user authentication (to interface level only - the actual authentication mechanism was outside the scope of the evaluation)
- Content analysis (to interface level only)
- Auditing

9. Note that with regard to the above functionality, the following were outside the scope of the evaluation:

- LDAP Server
- Authentication agent
- Content Verification Server
- Service Servers eg FTP, SMTP

10. Also, any product functionality that does not correspond with the TOE security functions defined in the security target [c] is outside the scope of the evaluation.
