Table Of Contents
Security Target for Cisco Firewall Services Module (FWSM) Version 1.0
Security Target Introduction
Security Target Identification
Security Target Overview
CC Conformance
Related Documents
Cryptography
Conventions
TOE Description
Overview
TOE Description
Physical Boundaries
Logical Scope and Boundaries
PP Conformance
Assurance Requirements
TOE Security Environment
Assumptions
Threats to Security of the TOE
Threats to Security of the Environment
Organizational Security Policies
Security Objectives
Security Objectives for the TOE
Security Objectives for the Environment
IT Security Requirements
TOE Security Functional Requirements
Security Audit
Cryptographic Operation
User Data Protection
Identification and Authentication
Security Management
Protection of the TSF
TOE Environment Security Functional Requirements
TOE Security Assurance Requirements
Configuration Management
Delivery and Operation
Development
Guidance Documents
Life Cycle Support
Tests
Vulnerability Assessment
TOE Summary Specification
TOE Security Functions
Security Management Function
Audit Function
Information Flow Control Function
Identification and Authentication Function
Protection Function
Clock Function
Assurance Measures
Protection Profile Claims
Environment Rationale
Objectives Rationale
Security Functional Requirements Rationale
Security Assurance Requirements Rationale
Rationale
Security Objectives Rationale
Rationale for Security Objectives for the Environment
TOE Security Functional Requirements (SFR) Rationale
TOE Environment Security Functions Rationale
Security Assurance Requirements (SAR) Rationale
Rationale for Not Satisfying All Dependencies
TOE Summary Specification Rationale
Mutually Supportive IT Security Functions
List of Acronyms
Obtaining Documentation, Obtaining Support, and Security Guidelines
Security Target for Cisco Firewall Services Module (FWSM) Version 1.0
April 2007
This document includes the following sections:
• Security Target Introduction
• TOE Description
• TOE Security Environment
• Security Objectives
• IT Security Requirements
• TOE Summary Specification
• Protection Profile Claims
• Rationale
• List of Acronyms
• Obtaining Documentation, Obtaining Support, and Security Guidelines
Security Target Introduction
This section includes the following topics:
• Security Target Identification
• Security Target Overview
• CC Conformance
• Related Documents
• Cryptography
• Conventions
Security Target Identification
TOE Identification: Cisco Systems Firewall Services Module (FWSM) Version 3.1 (3.17) for Cisco Catalyst® 6500 switches and Cisco 7600 Series routers.
ST Identification: Security Target for Cisco Firewall Services Module (FWSM), Version 1.0, March 30, 2007.
Assurance Level: Evaluation Assurance Level (EAL) 4 augmented with Common Criteria (CC) component ALC_FLR.1.
ST Author: Cisco Systems, 170 West Tasman Drive, San Jose, CA 95124-1706.
Keywords: Firewall, Packet Filtering, Application-level.
CC Identification: Common Criteria for Information Technology Security Evaluation, Version 2.2, January 2004, plus applicable CCIMB and US National interpretations up to March 25, 2004. Where specific changes result from application of an interpretation or precedent, this is noted in the security target document.
Security Target Overview
The Cisco FWSM is a stateful packet filtering firewall. A stateful packet filtering firewall controls the flow of Internet Protocol (IP) traffic by matching information contained in the headers of connection-oriented or connectionless IP packets with a set of rules specified by the firewall's authorized administrator. This header information includes source and destination host (IP) addresses, source and destination port numbers, and the transport service application protocol (TSAP) held within the data field of the IP packet. Depending upon the rule and the results of the match, the firewall either passes or drops the packet. The stateful firewall remembers the state of the connection from information gleaned from prior packets flowing on the connection and uses it to regulate current packets. The packet will be denied if the security policy is violated.
In addition to IP header information, the Cisco FWSM mediates information flows on the basis of other information, such as the direction (incoming or outgoing) of the packet on any given firewall network interface. For connection-oriented transport services, the firewall either permits connections and subsequent packets for the connection or denies the connection and subsequent packets associated with the connection.
CC Conformance
The TOE is Part 2 conformant, Part 3 conformant, and meets the requirements of EAL4 augmented with the CC component ALC_FLR.1.
Related Documents
[ALFWPP-MR] "U.S. Department of Defense Application-level Firewall Protection Profile for Medium Robustness Environments," Version 1.0, June 28, 2000.
[FIPS 197] "FIPS 197 Specification for the Advanced Encryption Standard (AES)," November 26, 2001.
[FIPS 46-3] "FIPS 46-3 Data Encryption Standard (DES)," October 25, 1999 (TDEA only).
[RFC 4251] "The Secure Shell (SSH) Protocol Architecture," January 2006.
Cryptography
The cryptography used in this product has not been FIPS certified, nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor.
Conventions
The following conventions have been applied in this document:
• All requirements in this ST document are reproduced relative to the requirements defined in [ALFWPP-MR].
• Security Functional Requirements - Part 2 of the CC defines the approved set of operations that may be applied to functional requirements: assignment, selection, refinement, and iteration.
– The refinement operation is used to add detail to a requirement, and thus further restricts a requirement. Refinement of security requirements is denoted by boldface text. For an example, see FMT_SMR.1 in this security target document.
– The selection operation is used to select one or more options provided by the CC in stating a requirement. Selections are denoted by italicized text. For an example, see FDP_RIP.1 in this security target document.
– The assignment operation is used to assign a specific value to an unspecified parameter, such as the length of a password. Assignment is indicated by showing the value in square brackets, [assignment_value]. For an example, see FIA_AFL.1 in this security target document.
– The iteration operation is used when a component is repeated with varying operations. Iteration is denoted by showing the iteration number in parentheses following the component identifier, (iteration_number). For an example, see FMT_MSA in this security target document.
Underlining is used to identify operations completed in the security target document, to distinguish them from those completed in [ALFWPP-MR].
Other sections of the ST document use boldface and italics to highlight text of special interest, such as captions.
TOE Description
This section includes the following topics:
• Overview
• TOE Description
• PP Conformance
• Assurance Requirements
Overview
This section presents an overview of the Cisco Firewall Services Module (FWSM) version 3.1(3.17) to assist potential users in determining whether it meets their needs.
The Cisco FWSM is a high-speed, integrated firewall module for Cisco Catalyst® 6500 switches and Cisco 7600 Series routers, and allows for high speed firewall data rates: 5 Gbps throughput, 100,000 CPS, and 1 M concurrent connections. Up to four FWSMs can be installed in a single chassis, providing scalability up to 20 Gbps per chassis.
The FWSM leverages Cisco PIX technology and runs the Cisco PIX Operating System (OS), a real-time, hardened, embedded system. At the heart of the system, a protection scheme based on the Adaptive Security Algorithm (ASA) offers stateful connection-oriented firewalling. Using ASA, the FWSM creates a connection table entry for a session flow, based on the source and destination addresses, randomized TCP sequence numbers, port numbers, and additional TCP flags. The FWSM controls all inbound and outbound traffic by applying the security policy to these connection table entries.
The TOE provides a single point of defense, as well as controlled and audited access to services between networks by permitting or denying the flow of information traversing the firewall.
TOE Description
Figure 1 shows the FWSM in the context of a switch or router and an example of Internet connections. This section includes the following topics:
• Physical Boundaries
• Logical Scope and Boundaries
Physical Boundaries
The TOE configuration consists of a Cisco FWSM that controls the flow of IP traffic between logical network interfaces over a single physical network connection. Up to four FWSMs may be inserted into the chassis of Cisco Catalyst® 6500 switches and Cisco 7600 Series routers. When installed inside a Cisco Catalyst 6500 Series Switch or Cisco 7600 Internet Router, the FWSM allows any port on the device to operate as a firewall port, and integrates firewall security inside the network infrastructure.
The FWSM relies on certain limited security features of the host switch or router and the associated supervisor module, and these are included within the scope of the TOE.
Figure 1 TOE Context
The TOE includes a Windows 2000 or Windows XP server for the purpose of storing the audit data generated by the TOE. The certified versions of these operating systems, as listed in Table 1, must be used. This server may be combined with the network console, if desired.
A console may be connected to the FWSM via a physical serial port on the Supervisor, and a virtual traffic path that is used to reach a Telnet prompt on the FWSM from the Supervisor.
The TOE environment includes a commercially available, single-use TACACS+ or RADIUS authentication server for the administration of authentication of remote sessions.
Both the console itself and the authentication server are outside the scope of the TOE.
The physical scope of the TOE includes the hardware and software elements identified in Table 1, and shown in Figure 1.
Table 1 TOE Component Identification
Category | Component | Identification
Hardware | FWSM | FWSM Part No. WS-SVC-FWM-1-K9
Hardware | Supervisor | Sup720 or Sup2
Hardware | Switch or Router | 7600 series chassis (7603, 7606, 7609, or 7613) with Supervisor Engine 720; Catalyst 6500 series (6503, 6506, 6509-NEB, 6509, 6513) with Cisco Catalyst 6500 Series Supervisor Engine 2 with Multilayer Switch Feature Card 2 (MSFC2) or Cisco Catalyst 6500 Series Supervisor Engine 720
Hardware | Audit Server | PC
Software | FWSM | Cisco FWSM Firewall image, Version 3.1(3.17)
Software | Supervisor | Cisco IOS Software Release 12.2(18)SXF5
Software | Audit Server | Windows 2000 Professional Service Pack 3 and Q326886 hotfix or Windows XP Professional Service Pack 2 (including hotfixes 896423, 899587, 899588, 896422, 890859, 873333, 885250, 888302, 885835, and 907865) or Service Pack 2 (for audit server); PIX Firewall Syslog Server (PFSS) 5.1(3)
Users can only physically connect to the FWSM module console through the supervisor module on the switch. Users must also enter a username and password in order to authenticate to the FWSM module. The FWSM username and password are separate from the supervisor enable password.
The external interfaces to the TOE for network traffic are the network interface cards used in the Cisco Catalyst® 6500 switches and Cisco 7600 Series routers. These external interfaces are listed in the following tables.
7600 Modules
Packet Over SONET/SDH (POS)
OSM-1OC48-POS-xx+ | Enhanced one-port OC-48/STM-16 SONET/SDH 4 GE OSM: SM-SR, SM-IR, or SM-LR
OSM-2OC12-POS-xx+ | Enhanced two-port OC-12/STM-4 SONET/SDH 4 GE OSM: MM or SI
OSM-4OC12-POS-SI+ | Enhanced four-port OC-12/STM-4 SONET/SDH OSM, SM-IR with 4 Gigabit Ethernet
OSM-4OC3-POS-SI+ | Enhanced four-port OC-3/STM-1 SONET/SDH OSM, SI with 4 GE
OSM-8OC3-POS-xx+ | Enhanced eight-port OC-3/STM-1 SONET/SDH OSM: SI with 4 GE, or SL with 4 GE
Ethernet
OSM-2+4GE-WAN+ | Enhanced four-port Gigabit Ethernet OSM
Asynchronous Transfer Mode (ATM)
OSM-2OC12-ATM-xx+ | Enhanced two-port OC-12 ATM, 4GE OSM: IR or MM
Channelized
OSM-1CHOC12/T3-SI | One-Port OC-12 to T3 with 4 Gigabit Ethernet Single Mode Intermediate Reach (LC)
OSM-1CHOC12/T1-SI | One-Port Channelized OC-12/STM-4 to DS-0 Optical Services Module, Single Mode Intermediate Reach (LC)
OSM-12CT3/T1 | Twelve-Port Channelized T3 to DS-0 Optical Services Module
Dynamic Packet Transport (DPT)
OSM-2OC48/1DPT-xx | Two-port OC-48c/STM-16 SONET/SDH configurable to be one-port OC-48c/STM-16 DPT 4GE OSM: SM-SR1, SM-IR2, or SM-SL3
Catalyst 6500 Modules
WS-X6748-SFP | 48-port High Performance Mixed Media Gigabit Ethernet interface module. Requires SFP. CEF720.
WS-X6724-SFP | 24-port High Performance Mixed Media Gigabit Ethernet interface module. Requires SFP. CEF720.
WS-F6700-DFC3BXL | Distributed Forwarding Card-3BXL Upgrade for WS-X67xx line cards using WS-SUP720-3BXL.
WS-F6700-DFC3B | Distributed Forwarding Card-3B Upgrade for WS-X67xx line cards using WS-SUP720-3B.
WS-F6700-DFC3A | Distributed Forwarding Card-3A Upgrade for WS-X67xx line cards using WS-SUP720.
WS-X6816-GBIC | 16-port dCEF256 Gigabit Ethernet interface module for the Cisco Catalyst 6500 Series switches with dual fabric channel interfaces and distributed forwarding; requires GBICs and distributed forwarding card.
WS-F6K-DFC3A | Distributed forwarding card-3A for 65xx; 6816 modules used with SUP720.
WS-F6K-DFC | Distributed forwarding card for 65xx; 6816 modules used with SUP2.
10/100/1000
WS-X6748-GE-TX | Cisco Catalyst 6500 Series 48-Port 10/100/1000 RJ-45 Cisco Express Forwarding 720 Interface Module; field-upgradeable to support distributed forwarding with the addition of the distributed forwarding daughter card (part number WS-F6700-DFC3A=)
WS-X6548-GE-TX | Cisco Catalyst 6500 Series 48-Port 10/100/1000 RJ-45 Cisco Express Forwarding 256 Interface Module; field-upgradeable to support Cisco Prestandard PoE daughter card (part number WS-F6K-VPWR-GE=) or 802.3af PoE daughter card (part number WS-F6K-GE48-AF=)
WS-X6548-GE-45AF | Cisco Catalyst 6500 Series 48-Port 10/100/1000 RJ-45 Cisco Express Forwarding 256 Interface Module with 802.3af PoE daughter card (that is, includes daughter card [part number WS-F6K-GE48-AF=])
WS-X6548V-GE-TX | Cisco Catalyst 6500 Series 48-Port 10/100/1000 RJ-45 Cisco Express Forwarding 256 Interface Module with Cisco Prestandard PoE daughter card (that is, includes daughter card [part number WS-F6K-VPWR-GE=])
WS-X6516-GE-TX | Cisco Catalyst 6500 Series 16-Port 10/100/1000 RJ-45 Cisco Express Forwarding 256 Interface Module; field-upgradeable to support distributed forwarding with the addition of the distributed forwarding daughter card (part number WS-F6K-DFC= or DFC3)
WS-X6148A-GE-TX | Cisco Catalyst 6500 Series 48-Port 10/100/1000 RJ-45 Classic Interface Module; field-upgradeable to support 802.3af PoE daughter card (part number WS-F6K-GE48-AF=)
WS-X6148-GE-TX | Cisco Catalyst 6500 Series 48-Port 10/100/1000 RJ-45 Classic Interface Module; field-upgradeable to support Cisco Prestandard PoE Daughter Card (part number WS-F6K-VPWR-GE=) or 802.3af PoE daughter card (part number WS-F6K-GE48-AF=)
WS-X6148A-GE-45AF | Cisco Catalyst 6500 Series 48-Port 10/100/1000 RJ-45 Classic Interface Module with 802.3af PoE daughter card (that is, includes daughter card [part number WS-F6K-GE48-AF=])
WS-X6148-GE-45AF | Cisco Catalyst 6500 Series 48-Port 10/100/1000 RJ-45 Classic Interface Module with 802.3af PoE daughter card (that is, includes daughter card [part number WS-F6K-GE48-AF=])
WS-X6148V-GE-TX | Cisco Catalyst 6500 Series 48-Port 10/100/1000 RJ-45 Classic Interface Module with Cisco Prestandard PoE daughter card (that is, includes daughter card [part number WS-F6K-VPWR-GE=])
10/100
WS-X6548-RJ-45 | Cisco Catalyst 6500 Series 48-Port Cisco Express Forwarding 256 10/100 RJ-45 Interface Module; field-upgradeable to support distributed forwarding with the addition of the distributed forwarding daughter card (part number WS-F6K-DFC= or DFC3)
WS-X6548-RJ-21 | Cisco Catalyst 6500 Series 48-Port Cisco Express Forwarding 256 10/100 RJ-21 Interface Module; field-upgradeable to support distributed forwarding with the addition of the distributed forwarding daughter card (part number WS-F6K-DFC= or DFC3)
WS-X6348-RJ45 | Cisco Catalyst 6500 Series 48-Port 10/100 RJ-45 Classic Interface Module; field-upgradeable to support Cisco Prestandard PoE daughter card (part number WS-F6K-VPWR=)
WS-X6348-RJ45V | Cisco Catalyst 6500 Series 48-Port 10/100 RJ-45 Classic Interface Module with Cisco Prestandard PoE daughter card (that is, includes daughter card [part number WS-F6K-VPWR=])
WS-X6348-RJ21V | Cisco Catalyst 6500 Series 48-Port 10/100 RJ-21 Classic Interface Module with Cisco Prestandard PoE daughter card (that is, includes daughter card [part number WS-F6K-VPWR=])
WS-X6148X2-RJ-45 | Cisco Catalyst 6500 Series 96-Port 10/100 RJ-45 Classic Interface Module; field-upgradeable to support 802.3af PoE daughter card (part number WS-F6K-FE48X2-AF=)
WS-X6148X2-45AF | Cisco Catalyst 6500 Series 96-Port 10/100 RJ-45 Classic Interface Module with 802.3af PoE daughter card (that is, includes daughter card [part number WS-F6K-FE48X2-AF=])
WS-X6196-RJ-21 | Cisco Catalyst 6500 Series 48-Port 10/100 RJ-21 Classic Interface Module; field-upgradeable to support 802.3af PoE daughter card (part number WS-F6K-FE48X2-AF=)
WS-X6196-21AF | Cisco Catalyst 6500 Series 96-Port 10/100 RJ-21 Classic Interface Module with 802.3af PoE daughter card (that is, includes daughter card [part number WS-F6K-FE48X2-AF=])
WS-X6148A-RJ-45 | Cisco Catalyst 6500 Series 48-Port 10/100 RJ-45 Classic Interface Module; field-upgradeable to support 802.3af PoE daughter card (part number WS-F6K-GE48-AF=)
WS-X6148-RJ-45 | Cisco Catalyst 6500 Series 48-Port 10/100 RJ-45 Classic Interface Module; upgradeable to support Cisco Prestandard PoE daughter card (part number WS-F6K-VPWR=) or IEEE 802.3af PoE daughter card (part number WS-X6148-45AF-UG=)
WS-X6148A-45AF | Cisco Catalyst 6500 Series 48-Port 10/100 RJ-45 Classic Interface Module with IEEE 802.3af PoE daughter card
WS-X6148-45AF | Cisco Catalyst 6500 Series 48-Port 10/100 RJ-45 Classic Interface Module with IEEE 802.3af PoE daughter card
WS-X6148-RJ45V | Cisco Catalyst 6500 Series 48-Port 10/100 RJ-45 Classic Interface Module with Cisco Prestandard PoE daughter card (that is, includes daughter card [part number WS-F6K-VPWR=])
WS-X6148-RJ-21 | Cisco Catalyst 6500 Series 48-Port 10/100 RJ-21 Classic Interface Module; upgradeable to support Cisco Prestandard PoE daughter card (part number WS-F6K-VPWR=) or IEEE 802.3af PoE daughter card (part number WS-X6148-21AF-UG=)
WS-X6148-21AF | Cisco Catalyst 6500 Series 48-Port 10/100 RJ-21 Classic Interface Module with IEEE 802.3af PoE daughter card
WS-X6148-RJ21V | Cisco Catalyst 6500 Series 48-Port 10/100 RJ-21 Classic Interface Module with Cisco Prestandard PoE daughter card (that is, includes daughter card [part number WS-F6K-VPWR=])
Cisco Catalyst 6500 Series Power Over Ethernet Daughter Cards
WS-F6K-GE48-AF= | Cisco Catalyst 6500 Series 802.3af PoE daughter card for 10/100/1000 modules (part numbers WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6548-GE-TX, and WS-X6548V-GE-TX)
WS-F6K-FE48X2-AF= | Cisco Catalyst 6500 Series 802.3af PoE daughter card for the WS-X6148X2-RJ-45 module
WS-X6148-45AF-UG= | Cisco Catalyst 6500 Series 802.3af PoE Advanced Upgrade (for part number WS-X6148-RJ45 or WS-X6148-RJ45V)
WS-X6148-21AF-UG= | Cisco Catalyst 6500 Series 802.3af PoE Advanced Upgrade (for part number WS-X6148-RJ21 or WS-X6148-RJ21V)
WS-F6K-VPWR= | Cisco Catalyst 6500 Series Cisco Prestandard PoE daughter card for 10/100 modules (for WS-X6148-RJxx and WS-X6348-xx)
WS-F6K-VPWR-GE= | Cisco Catalyst 6500 Series Cisco Prestandard PoE daughter card for 10/100/1000 modules (part numbers WS-X6148-GE-TX and WS-X6548-GE-TX)
Cisco Catalyst 6500 Series 10/100 and 100/1000 Distributed Forwarding Cards
WS-F6K-DFC | Cisco Catalyst 6500 Series DFC3A for Cisco Catalyst 6500 Series; Cisco Catalyst 6816 modules used with Supervisor Engine 2
WS-F6K-DFC3A | Cisco Catalyst 6500 Series DFC3A for Cisco Catalyst 6500; Cisco Catalyst 6816 modules used with Supervisor Engine 720
WS-F6K-DFC3B | Cisco Catalyst 6500 Series DFC3B for Cisco Catalyst 6500; Cisco Catalyst 6816 modules used with Supervisor Engine 720
WS-F6K-DFC3BXL | Cisco Catalyst 6500 Series DFC3BXL for Cisco Catalyst 6500; Cisco Catalyst 6816 modules used with Supervisor Engine 720
MEM-DFC-256MB | 256 MB DRAM option for DFC
MEM-DFC-512MB | 512 MB DRAM option for DFC
WS-F6700-DFC3A | Cisco Catalyst 6500 Series DFC3A for Cisco Catalyst 6700 Series modules
WS-F6700-DFC3B | Cisco Catalyst 6500 Series DFC3B for Cisco Catalyst 6700 Series modules
WS-F6700-DFC3BXL | Cisco Catalyst 6500 Series DFC3BXL for Cisco Catalyst 6700 Series modules
The FWSM module does not contain a hardware clock, and therefore must receive time from the switch. The module receives time generated from the switch upon boot-up or when changed by the supervisor administrator, and then maintains the time locally using a software clock. The audit server includes its own hardware clock.
Logical Scope and Boundaries
The scope of the TOE includes the following security functions:
• Information Flow Control between firewall interfaces
• Security Management to enable, disable, or modify the behavior of the TOE
• Audit
• Identification and Authentication of administrators
• Provision of a Secure Environment, with residual information protection and assured invocation of security functions
• Provision of accurate Date and Time information
Information Flow Control
The TOE controls the flow of Internet Protocol (IP) traffic (datagrams) between logical network interfaces by matching information contained in the headers of connection-oriented or connectionless IP packets according to a set of rules specified by the firewall's authorized administrator. This header information includes source and destination host (IP) addresses, source and destination port numbers, and the transport service application protocol (TSAP) held within the data field of the IP packet. Depending upon the rule and the results of the match, the firewall either passes or drops the packet. In addition to IP header information, the TOE mediates information flows on the basis of other information, such as the direction (incoming or outgoing) of the packet on any given firewall logical network interface. For connection-oriented transport services, the firewall either permits connections and subsequent packets for the connection or denies the connection and subsequent packets associated with the connection.
The types of traffic through or to the TOE that can be filtered are Ethernet, ARP, CTIQBE, DNS, Echo, Finger, H.323, IP, ICMP, TCP, UDP, FTP, GTP, HTTP, ILS, MGCP, POP3, RSH, RTSP, Skinny, SIP, ESMTP, SunRPC, Telnet, TFTP and XDMCP. Application inspection is also provided within the TOE for the following protocols and applications: CTIQBE, DNS, H.323, ICMP, FTP, GTP, HTTP, ILS, MGCP, RSH, RTSP, Skinny, SIP, SMTP/ESMTP, SunRPC, TFTP, and XDMCP.
The Cisco FWSM (the TOE) provides interconnections between networks. With the Cisco FWSM, it is possible to identify each logical network interface as either internal or external. If an interface is identified as external, then the network to which it attaches is classed as being outside of the firewall. If an interface is identified as internal, then the network to which it attaches is classed as being inside (or behind) the firewall. All networks inside (or behind) the firewall can be protected by the Cisco FWSM from those outside of the firewall, and similarly traffic from inside to outside can be regulated. The Cisco FWSM firewall can also provide protection between networks connecting to the different internal network logical interfaces of the TOE.
The TOE allows for Network Address Translation (NAT). NAT is used to map IP addresses from an inside logical interface to an outside logical interface. Using this feature, an IP address on an inside interface is mapped to a range of global IP addresses that can be addressed from the outside. The feature can also be used in the opposite direction to map addresses from the outside interface to the inside interface. Port numbers can also be mapped in this way, and this function is often referred to as Port Address Translation (PAT).
The firewall can run in one of the following modes:
• Routed - The FWSM is considered to be a router hop in the network.
• Transparent - The FWSM acts like a "bump in the wire," and is not a router hop. The FWSM connects the same network on its inside and outside ports, but each port must be on a different VLAN. In this mode, no dynamic routing protocols or NAT are required.
In multiple-context mode, up to 100 separate security contexts can be created (depending on the software license). A security context is a virtual firewall that has its own security policy and interfaces. Each context can support 256 VLANs in routed mode. Transparent mode supports only two logical interfaces per context. Multiple contexts are similar to having multiple standalone firewalls. All security contexts can be run in routed mode or in transparent mode.
To avoid bypass of the TOE security policy, all traffic between each network attached to the TOE must flow through the Cisco FWSM.
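The filtering behaviour described in this subsection, modelled as an added Python example (not Cisco code and not part of the ST): rules keyed on ingress interface and header fields, a connection table that admits both directions of a permitted TCP connection, and deny by default. The check that drops packets arriving on an external interface with an internal source address is an assumed mitigation for the T.ASPOOF threat listed later in this document; interface names, rules and addresses are constructed.

```python
"""Toy model of the stateful packet filter the ST describes: per-interface
rules on header fields, a connection table for TCP flows, deny by default.
Added example, not Cisco code; names and sample addresses are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    iface: str           # logical interface the packet arrived on
    proto: str           # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False    # TCP SYN (new connection attempt)


@dataclass(frozen=True)
class Rule:
    iface: str                   # ingress interface the rule applies to
    action: str                  # "permit" or "deny"
    proto: str                   # "tcp", "udp", "icmp" or "ip" (any)
    src: str = ANY               # CIDR
    dst: str = ANY               # CIDR
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.iface == self.iface
                and self.proto in ("ip", pkt.proto)
                and ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == pkt.dport))


class StatefulFilter:
    def __init__(self, rules, interfaces, internal_nets):
        self.rules = list(rules)            # ordered; first match wins
        self.interfaces = dict(interfaces)  # iface -> "internal"/"external"
        # Address space behind the internal interfaces, used for the
        # anti-spoofing check (an assumed mitigation for T.ASPOOF).
        self.internal_nets = [ip_network(n) for n in internal_nets]
        self.connections = set()            # permitted TCP 5-tuples
        self.audit = []                     # (decision, reason, packet)

    @staticmethod
    def _key(pkt):
        return (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)

    @staticmethod
    def _reverse_key(pkt):
        return (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def _decide(self, pkt, decision, reason):
        self.audit.append((decision, reason, pkt))
        return decision

    def filter(self, pkt: Packet) -> str:
        # Anti-spoofing: a packet entering on an external interface must
        # not claim a source address that belongs to an internal network.
        if self.interfaces[pkt.iface] == "external" and any(
                ip_address(pkt.src) in n for n in self.internal_nets):
            return self._decide(pkt, "deny", "spoofed internal source")
        if pkt.proto == "tcp":
            # Stateful part: either direction of an already permitted
            # connection passes without re-evaluating the rule set.
            if (self._key(pkt) in self.connections
                    or self._reverse_key(pkt) in self.connections):
                return self._decide(pkt, "permit", "established connection")
            if not pkt.syn:
                # Mid-stream segment with no connection entry: dropped.
                return self._decide(pkt, "deny", "no connection entry")
        # New TCP connections and connectionless traffic: first matching rule.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "permit" and pkt.proto == "tcp":
                    self.connections.add(self._key(pkt))
                return self._decide(pkt, rule.action, "rule match")
        return self._decide(pkt, "deny", "no matching rule")


def demo() -> list:
    """Sample flows on a two-interface firewall; returns the decisions."""
    fw = StatefulFilter(
        rules=[Rule("inside", "permit", "tcp", src="10.0.0.0/8", dport=80),
               Rule("inside", "permit", "udp", src="10.0.0.0/8", dport=53)],
        interfaces={"inside": "internal", "outside": "external"},
        internal_nets=["10.0.0.0/8"])
    pkts = [
        Packet("inside", "tcp", "10.0.0.5", "203.0.113.7", 40000, 80, syn=True),
        Packet("outside", "tcp", "203.0.113.7", "10.0.0.5", 80, 40000),  # reply
        Packet("outside", "tcp", "203.0.113.7", "10.0.0.5", 4444, 22, syn=True),
        Packet("outside", "tcp", "203.0.113.9", "10.0.0.5", 80, 40001),  # no state
        Packet("outside", "udp", "10.0.0.9", "10.0.0.5", 53, 53),        # spoofed
        Packet("inside", "udp", "10.0.0.5", "198.51.100.1", 5353, 53),
    ]
    return [fw.filter(p) for p in pkts]
```

The `audit` list records every decision with its reason, which is the information an audit server such as the PFSS described later would need to receive.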
Security Management
The TOE can be managed by authorized administrators via a physically secure local connection. The TOE can also be managed remotely from a connected network, through use of an encrypted link using SSH [RFC 4251] with [FIPS 46-3] or [FIPS 197]. These two types of communication are shown in Figure 2.1. For remote communication, commands are passed to the FWSM via the NIC of the switch or router and the Supervisor.
Audit
The FWSM also interacts with a Windows 2000 or Windows XP server running the PIX Firewall Syslog Server (PFSS) for the purpose of storage and analysis of the audit data generated by the TOE. PFSS (for firewall logs) and Windows Event Viewer (for the audit server log) are the tools that are included as part of the TOE. Use of other tools is not addressed by the evaluation. Windows access controls will ensure that the integrity of the audit logs is not compromised by use of these tools. The FWSM, through the export of audit data, supports the capability to perform audit analysis. The audit server is on a separate trusted network and is accessible only by trusted administrators.
Identification and Authentication
The TOE supports the authentication of authorized administrators by means of user ID and password, and supports the use of third-party, single-use authentication servers in the environment.
Secure Environment
A multitasking environment is provided for the firewall, within which each process is managed separately in memory. Memory is flushed before reallocation.
After initial installation of the FWSM module in the switch, the supervisor module must be used to assign VLANs to the FWSM module. This must be performed correctly in order for the TOE to function correctly.
The TOE will ensure that all traffic is routed via the firewall, so that the firewall is not bypassed.
The Windows operating system for the audit server also provides protection to support the audit recording and retrieval operations of the TOE, allocating and protecting memory locations for each process.
Date and Time
The FWSM module does not contain a hardware clock, and therefore must receive time from the underlying hardware of the host switch. The supervisor engine is relied upon to provide a reliable time source to the FWSM.
Exclusions from the Scope of the TOE
Software and hardware features outside the scope of the defined TOE Security Functions (TSF), and thus not evaluated, are:
• Routing Information Protocol (RIP)
• Simple Network Management Protocol (SNMP)
• Dynamic Host Configuration Protocol (DHCP) Server
• Virtual Private Networks
The external Authentication, Authorization and Accounting (AAA) server used to provide single-use authentication is outside the scope of the TOE, although use made by the TOE of this server is within scope.
CCEVS Precedents
The TOE definition in this ST document makes use of the following precedent under the CCEVS: PD-0113.
PP Conformance
The TOE Security Functional Requirements are specified to be consistent with the U.S. Department of Defense Application-level Firewall Protection Profile for Medium Robustness Environments, Version 1.0, June 28, 2000 [ALFWPP-MR], but conformance to this PP is not claimed, and this aspect is not evaluated.
Assurance Requirements
The TOE is designed to meet the EAL4 assurance requirements augmented with ALC_FLR.1.
TOE Security Environment
This section includes the following topics:
• Assumptions
• Threats to Security of the TOE
• Threats to Security of the Environment
• Organizational Security Policies
Assumptions
The assumptions for the TOE security environment are the same as those for the [ALFWPP-MR]. Table 2 lists the assumptions for the TOE security environment.
Table 2 Assumptions
No. | Assumption Name | Description
1 | A.PHYSEC | The TOE is physically secure.
2 | A.MODEXP | The threat of malicious attacks aimed at discovering exploitable vulnerabilities is considered moderate.
3 | A.GENPUR | There are no general-purpose computing capabilities (for example, the ability to execute arbitrary code or applications) and storage repository capabilities on the TOE.
4 | A.PUBLIC | The TOE does not host public data.
5 | A.NOEVIL | Authorized administrators are non-hostile and follow all administrator guidance; however, they are capable of error.
6 | A.SINGEN | Information can not flow among the internal and external networks unless it passes through the TOE.
7 | A.DIRECT | Human users within the physically secure boundary protecting the TOE may attempt to access the TOE from some direct connection (for example, a console port) if the connection is part of the TOE.
8 | A.NOREMO | Human users who are not authorized administrators can not access the TOE remotely from the internal or external networks.
9 | A.REMACC | Authorized administrators may access the TOE remotely from the internal and external networks.
Threats to Security of the TOE
Table 3 defines security threats for the TOE. The asset under attack is the information that transits the TOE in accordance with the security policy, as represented by the TOE rule set. In general, the threat agent includes, but is not limited to: 1) people with TOE access who are expected to possess "low" expertise, resources and motivation, or 2) failure of the TOE.
Table 3 Threats for the TOE
No. | Threat Name | Threat Description
1 | T.NOAUTH | An unauthorized person may attempt to bypass the security of the TOE so as to access and use security functions and/or non-security functions provided by the TOE.
2 | T.REPEAT | An unauthorized person may repeatedly try to guess authentication data in order to use this information to launch attacks on the TOE.
3 | T.REPLAY | An unauthorized person may use valid identification and authentication data obtained to access functions provided by the TOE.
4 | T.ASPOOF | An unauthorized person on an external network may attempt to bypass the information flow control policy by disguising authentication data (for example, spoofing the source address) and masquerading as a legitimate user or entity on an internal network.
5 | T.MEDIAT | An unauthorized person may send impermissible information through the TOE which results in the exploitation of resources on the internal network.
6 | T.OLDINF | Because of a flaw in the TOE functioning, an unauthorized person may gather residual information from a previous information flow or internal TOE data by monitoring the padding of the information flows from the TOE.
7 | T.PROCOM | An unauthorized person or unauthorized external IT entity may be able to view, modify, and/or delete security related information that is sent between a remotely located authorized administrator and the TOE.
8 | T.AUDACC | Persons may not be accountable for the actions that they conduct because the audit records are not reviewed, thus allowing an attacker to escape detection.
9 | T.SELPRO | An unauthorized person may read, modify, or destroy security critical TOE configuration data.
10 | T.AUDFUL | An unauthorized person may cause audit records to be lost or prevent future records from being recorded by taking actions to exhaust audit storage capacity, thus masking an attacker's actions.
11 | T.MODEXP | A skilled attacker with low attack potential may attempt to bypass the TSF to gain access to the TOE or the assets it protects.
Threats to Security of the Environment
This subsection defines the threats to the IT environment, which are listed in Table 4. The asset under attack is the information transiting the TOE. In general, the threat agent includes, but is not limited to: 1) people with TOE access who are expected to possess "average" expertise, few resources and moderate motivation, or 2) failure of the TOE.
Table 4 Threats to Security for the IT Environment
No. | Threat Name | Threat Description
1 | T.TUSAGE | The TOE may be inadvertently configured, used and administered in an insecure manner by either authorized or unauthorized persons.
Organizational Security Policies
Table 5 Organizational Security Policies
No. | Policy Name | Policy Description
1 | P.CRYPTO | Triple DES encryption (as specified in FIPS 46-3 [3]) or AES encryption (as specified in FIPS 197) must be used to protect remote administration functions.
Security Objectives
This section includes the following topics:
•
Security Objectives for the TOE
•
Security Objectives for the Environment
Security Objectives for the TOE
Table 6 Security Objectives for the TOE
No. | Objective Name | Objective Description
1 | O.IDAUTH | The TOE must uniquely identify and authenticate the claimed identity of all users, before granting a user access to TOE functions.
2 | O.SINUSE | The TOE must prevent the reuse of authentication data for users attempting to authenticate to the TOE from a connected network.
3 | O.MEDIAT | The TOE must mediate the flow of all information between clients and servers located on internal and external networks governed by the TOE, disallowing passage of non-conformant protocols and ensuring that residual information from a previous information flow is not transmitted in any way.
4 | O.SECSTA | Upon initial start-up of the TOE or recovery from an interruption in TOE service, the TOE must not compromise its resources or those of any connected network.
5 | O.ENCRYP | The TOE must protect the confidentiality of its dialogue with an authorized administrator through encryption, if the TOE allows administration to occur remotely from a connected network.
6 | O.SELPRO | The TOE must protect itself against attempts by unauthorized users to bypass, deactivate, or tamper with TOE security functions.
7 | O.AUDREC | The TOE must provide a means to record a readable audit trail of security-related events, with accurate dates and times, and a means to search and sort the audit trail based on relevant attributes.
8 | O.ACCOUN | The TOE must provide user accountability for information flows through the TOE and for authorized administrator use of security functions related to audit.
9 | O.SECFUN | The TOE must provide functionality that enables an authorized administrator to use the TOE security functions, and must ensure that only authorized administrators are able to access such functionality.
10 | O.LIMEXT | The TOE must provide the means for an authorized administrator to control and limit access to TOE security functions by an authorized external IT entity.
11 | O.EAL | The TOE must be structurally tested and shown to be resistant to obvious vulnerabilities.
Security Objectives for the Environment
Table 7 Security Objectives for the Environment
No. | Objective Name | Objective Description
1 | OE.IDAUTH | The claimed identity of a remote user must be uniquely identified and authenticated before granting the user access to TOE functions or, for certain specified services, to a connected network.
Note The objectives IDAUTH and SINUSE are present for both the TOE and the IT environment. This reflects the use of an authentication server in the environment to generate authentication credentials, in which single-use authentication is applied for remote users.
2 | OE.SINUSE | The reuse of authentication data must be prevented for users attempting to authenticate to the TOE from a connected network.
3 | OE.PHYSEC | The TOE and its operating environment are physically secure.
4 | OE.MODEXP | The threat of malicious attacks aimed at discovering exploitable vulnerabilities is considered moderate.
5 | OE.GENPUR | There are no general-purpose computing capabilities (for example, the ability to execute arbitrary code or applications) and storage repository capabilities on the TOE.
6 | OE.PUBLIC | The TOE and the authentication server do not host public data.
7 | OE.NOEVIL | Authorized administrators are non-hostile and follow all administrator guidance; however, they are capable of error.
8 | OE.SINGEN | Information cannot flow among the internal and external networks unless it passes through the TOE.
9 | OE.DIRECT | Human users within the physically secure boundary protecting the TOE may attempt to access the TOE from some direct connection (for example, a console port) if the connection is part of the TOE.
10 | OE.NOREMO | Human users who are not authorized administrators cannot access the TOE remotely from the internal or external networks.
11 | OE.REMACC | Authorized administrators may access the TOE remotely from the internal and external networks.
12 | OE.GUIDAN | The TOE must be delivered, installed, administered, and operated in a manner that maintains security.
13 | OE.ADMTRA | Authorized administrators are trained as to establishment and maintenance of security policies and practices.
IT Security Requirements
This section includes the following topics:
•
TOE Security Functional Requirements
•
TOE Environment Security Functional Requirements
•
TOE Security Assurance Requirements
TOE Security Functional Requirements
All security functional requirements have been drawn from Part 2 of the CC. Each requirement is reproduced in full in this ST so that the operations performed on it (selections, assignments and refinements) are visible. For the conventions used to mark those operations, see Conventions.
This section includes the following topics:
•
Security Audit
•
Cryptographic Operation
•
User Data Protection
•
Identification and Authentication
•
Security Management
•
Protection of the TSF
Table 8 TOE Security Functional Components
Security Functional Requirements Class | Security Functional Requirements Components
Security Audit (FAU) | Audit data generation (FAU_GEN.1); Audit review (FAU_SAR.1); Selectable audit review (FAU_SAR.3); Protected audit trail storage (FAU_STG.1); Prevention of audit data loss (FAU_STG.4)
Cryptographic Operation (FCS) | Cryptographic operation (FCS_COP.1)
User Data Protection (FDP) | Subset information flow control 1 (FDP_IFC.1); Subset information flow control 2 (FDP_IFC.1); Simple security attributes 1 (FDP_IFF.1); Simple security attributes 2 (FDP_IFF.1); Subset residual information protection (FDP_RIP.1)
Identification and Authentication (FIA) | Authentication failure handling (FIA_AFL.1); User attribute definition 1 (FIA_ATD.1); Multiple authentication mechanisms 1 (FIA_UAU.5); User identification before any action (FIA_UID.2)
Security Management (FMT) | Management of security functions behavior 1 (FMT_MOF.1); Management of security functions behavior 2 (FMT_MOF.1); Management of security attributes 1 (FMT_MSA.1); Management of security attributes 2 (FMT_MSA.1); Management of security attributes 3 (FMT_MSA.1); Management of security attributes 4 (FMT_MSA.1); Static attribute initialization (FMT_MSA.3); Management of TSF data 1 (FMT_MTD.1); Management of TSF data 2 (FMT_MTD.1); Management of limits on TSF data (FMT_MTD.2); Specification of management functions (FMT_SMF.1); Security roles (FMT_SMR.1)
Protection of the TSF (FPT) | Non-bypassability of the TSP (FPT_RVM.1); TSF domain separation (FPT_SEP.1); Reliable time stamps (FPT_STM.1)
Security Audit
FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following auditable events:
a. Startup and shutdown of the audit functions
b. All auditable events for the not specified level of audit
c. [The events in Table 9].
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a. Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the event
b. For each audit event type, based on the auditable event definitions of the functional components included in the PP/ST, [information specified in column three of Table 9].
Dependencies: FPT_STM.1 Reliable time stamps
Table 9 Auditable Events
Functional Component | Auditable Event | Additional Audit Record Contents
FCS_COP.1 | Success and failure, and the type of cryptographic operation. | The identity of the external IT entity attempting to perform the cryptographic operation.
FDP_IFF.1 | All decisions on requests for information flow. | The presumed addresses of the source and destination subject.
FIA_AFL.1 | The reaching of the threshold for unsuccessful authentication attempts and the subsequent restoration by the authorized administrator of the user's capability to authenticate. | The identity of the offending user and the authorized administrator.
FIA_UAU.5 | The final decision on authentication. | The user identity and the success or failure of the authentication.
FIA_UID.2 | All use of the user identification mechanism. | The user identities provided to the TOE.
FMT_MOF.1 | Use of the functions listed in this requirement pertaining to audit. | The identity of the authorized administrator performing the operation.
FMT_SMR.1 | Modifications to the group of users that are part of the authorized administrator role. | The identity of the authorized administrator performing the modification and the user identity being associated with the authorized administrator role.
FMT_SMR.1 | Unsuccessful attempts to authenticate the authorized administrator. | The user identity and the role.
FPT_STM.1 | Changes to the time. | The identity of the authorized administrator performing the operation.
Application Note: The boldface text in the table is an addition to the CC Part 2 requirement.
FAU_SAR.1 Audit review
Hierarchical to: No other components.
FAU_SAR.1.1 The TSF shall provide [an authorized audit administrator] with the capability to read [all audit trail data] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.
Dependencies: FAU_GEN.1 Audit data generation

FAU_SAR.3 Selectable audit review
Hierarchical to: No other components.
FAU_SAR.3.1 The TSF shall provide the ability to perform searches and sorting of audit data based on [:
a. User identity
b. Presumed subject address
c. Ranges of dates
d. Ranges of times
e. Ranges of addresses]
Dependencies: FAU_SAR.1 Audit review

FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
FAU_STG.1.1 The TSF shall protect the stored audit records from unauthorized deletion.
FAU_STG.1.2 The TSF shall be able to prevent modifications to the audit records.
Dependencies: FAU_GEN.1 Audit data generation

FAU_STG.4 Prevention of audit data loss
Hierarchical to: FAU_STG.3
FAU_STG.4.1 The TSF shall prevent auditable events, except those taken by the authorized administrator, and [shall limit the number of audit records lost] if the audit trail is full.
Dependencies: FAU_GEN.1 Audit data generation
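The following is an added illustration, not code from the Security Target or from the FWSM: a minimal audit trail that records the fields FAU_GEN.1.2 requires, applies one reading of the FAU_STG.4 selection made above (ordinary auditable events are prevented when the trail is full, administrator actions are still recorded and the number of records lost stays counted and bounded), and supports the FAU_SAR.3 searches and sorts on user identity, presumed subject address, ranges of dates, ranges of times and ranges of addresses. The record layout, the capacity, the name `demo` and the sample events are all constructed for this example; the FAU_STG.4 interpretation is an assumption and is not a description of the FWSM's own behaviour.

```python
# Added example, not part of the Security Target or of FWSM. Record layout,
# capacity, FAU_STG.4 interpretation and sample events are constructed here.
from dataclasses import dataclass
from datetime import date, datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime            # date and time of the event (FAU_GEN.1.2 a)
    event: str                     # type of event
    user: str                      # subject identity ("-" when not a human user)
    outcome: str                   # "success" or "failure"
    presumed_addr: Optional[str]   # presumed source address, if the event has one


class AuditTrail:
    def __init__(self, capacity: int):
        self.capacity = capacity
        self._records: list[AuditRecord] = []
        self.lost = 0   # records displaced while the trail was full

    def record(self, rec: AuditRecord, by_administrator: bool = False) -> str:
        """Return "recorded" or "prevented".

        Reading of FAU_STG.4.1 assumed here: when the trail is full an ordinary
        auditable event is prevented (nothing happens unrecorded); an authorized
        administrator's action is still allowed and its record displaces the
        oldest record, which is counted in `lost`. Loss is thus limited to one
        record per administrator action taken while full, and the count is visible.
        """
        if len(self._records) < self.capacity:
            self._records.append(rec)
            return "recorded"
        if not by_administrator:
            return "prevented"
        self._records.pop(0)
        self._records.append(rec)
        self.lost += 1
        return "recorded"

    def search(self, *, user: Optional[str] = None, addr: Optional[str] = None,
               date_from: Optional[date] = None, date_to: Optional[date] = None,
               time_from: Optional[time] = None, time_to: Optional[time] = None,
               addr_range: Optional[str] = None) -> list[AuditRecord]:
        """FAU_SAR.3 searches: user, presumed address, date range, time-of-day
        range (on any date) and address range (CIDR). Unset criteria match all."""
        net = ip_network(addr_range) if addr_range else None
        hits = []
        for r in self._records:
            if user is not None and r.user != user:
                continue
            if addr is not None and r.presumed_addr != addr:
                continue
            if date_from is not None and r.timestamp.date() < date_from:
                continue
            if date_to is not None and r.timestamp.date() > date_to:
                continue
            if time_from is not None and r.timestamp.time() < time_from:
                continue
            if time_to is not None and r.timestamp.time() > time_to:
                continue
            if net is not None and (r.presumed_addr is None
                                    or ip_address(r.presumed_addr) not in net):
                continue
            hits.append(r)
        return hits

    @staticmethod
    def sort(records: list[AuditRecord], key: str, reverse: bool = False) -> list[AuditRecord]:
        """FAU_SAR.3 sorting on the same attributes."""
        keys = {
            "user": lambda r: r.user,
            "address": lambda r: (r.presumed_addr is None, r.presumed_addr or ""),
            "date": lambda r: r.timestamp.date(),
            "time": lambda r: r.timestamp.time(),
        }
        return sorted(records, key=keys[key], reverse=reverse)


# Constructed sample events (not real FWSM output): one denied flow, three
# failed logins by "alice" from one address, one permitted flow.
SAMPLE_EVENTS = [
    (datetime(2007, 4, 2, 9, 15, 0), "information flow decision: deny", "-", "failure", "10.1.1.7"),
    (datetime(2007, 4, 2, 9, 16, 30), "authentication", "alice", "failure", "192.0.2.10"),
    (datetime(2007, 4, 2, 9, 17, 5), "authentication", "alice", "failure", "192.0.2.10"),
    (datetime(2007, 4, 2, 9, 17, 40), "authentication", "alice", "failure", "192.0.2.10"),
    (datetime(2007, 4, 3, 14, 0, 0), "information flow decision: permit", "-", "success", "10.1.2.20"),
]


def demo() -> dict:
    trail = AuditTrail(capacity=len(SAMPLE_EVENTS))
    for ts, ev, user, outcome, addr in SAMPLE_EVENTS:
        trail.record(AuditRecord(ts, ev, user, outcome, addr))
    # Trail is now full: a further ordinary event is prevented, while an
    # administrator's time change (auditable under FPT_STM.1) is still recorded.
    blocked = trail.record(AuditRecord(datetime(2007, 4, 3, 15, 0, 0),
                                       "information flow decision: permit", "-", "success", "10.1.2.21"))
    admin = trail.record(AuditRecord(datetime(2007, 4, 3, 16, 0, 0), "time change", "admin", "success", None),
                         by_administrator=True)
    alice = trail.search(user="alice")
    return {
        "blocked": blocked,
        "admin": admin,
        "lost": trail.lost,
        "alice_failures": len(alice),
        "from_192_0_2": len(trail.search(addr_range="192.0.2.0/24")),
        "on_or_after_apr3": len(trail.search(date_from=date(2007, 4, 3))),
        "window_0917_0918": len(trail.search(time_from=time(9, 17), time_to=time(9, 18))),
        "alice_latest_first": [r.timestamp.time().isoformat()
                               for r in AuditTrail.sort(alice, "time", reverse=True)],
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Searching by address range and sorting the hits by time is how an audit administrator turns the three `alice` failures into evidence for T.REPEAT; the `lost` counter is what lets the reviewer notice that the FAU_STG.4 path has been exercised rather than silently losing records (T.AUDFUL).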
Cryptographic Operation
FCS_COP.1 Cryptographic operation
Hierarchical to: No other components.
FCS_COP.1.1 The TSF shall perform [encryption of remote authorized firewall and supervisor administrator sessions] in accordance with a specified cryptographic algorithm [: Triple Data Encryption Standard (DES) as specified in FIPS PUB 46-3 and implementing any mode of operation specified in FIPS PUB 46-3 with Keying Option 1 (K1, K2, and K3 are independent keys) or Advanced Encryption Standard (AES) as specified in FIPS PUB 197] and cryptographic key sizes [that are 192 binary digits in length] that meet the following [: FIPS PUB 46-3 with Keying Option 1 (for Triple DES) or FIPS PUB 197 (for AES)].
Note AES is the FIPS-approved symmetric algorithm of choice.
Dependencies: [FDP_ITC.1 Import of user data without security attributes or FCS_CKM.1 Cryptographic key generation]; FCS_CKM.4 Cryptographic key destruction; FMT_MSA.2 Secure security attributes
Application Note: This requirement is applicable only if the TOE includes the capability for the authorized firewall or supervisor administrator to perform security functions remotely from a connected network.
User Data Protection
FDP_IFC.1 (1) Subset information flow control
Hierarchical to: No other components.
FDP_IFC.1.1(1) The TSF shall enforce the [UNAUTHENTICATED SFP] on [:
a. Subjects - Unauthenticated external IT entities that send and receive information through the TOE to one another
b. Information - Traffic sent through the TOE from one subject to another
c. Operation - Pass information].
Dependencies: FDP_IFF.1 Simple security attributes

FDP_IFC.1 (2) Subset information flow control
Hierarchical to: No other components.
FDP_IFC.1.1(2) The TSF shall enforce the [AUTHENTICATED SFP] on [:
a. Subjects - A human user or external IT entity that sends and receives FTP and Telnet information through the TOE to one another, only after the human user initiating the information flow has authenticated at the TOE per FIA_UAU.5
b. Information - FTP and Telnet traffic sent through the TOE from one subject to another
c. Operation - Initiate service and pass information].
Dependencies: FDP_IFF.1 Simple security attributes
FDP_IFF.1 (1) Simple security attributes
Hierarchical to: No other components.
FDP_IFF.1.1(1) The TSF shall enforce the [UNAUTHENTICATED SFP] based on the following types of subject and information security attributes: [
a. Subject security attributes:
– Presumed address
– No other subject security attributes
b. Information security attributes:
– Presumed address of source subject
– Presumed address of destination subject
– Transport layer protocol
– TOE interface on which traffic arrives and departs
– Service
– No other information security attributes].
FDP_IFF.1.2(1) The TSF shall permit an information flow between a controlled subject and another controlled subject via a controlled operation if the following rules hold: [
a. Subjects on an internal network can cause information to flow through the TOE to another connected network if:
– All the information security attribute values are unambiguously permitted by the information flow security policy rules, where such rules may be composed from all possible combinations of the values of the information flow security attributes, created by the authorized firewall administrator.
– The presumed address of the source subject, in the information, translates to an internal network address.
– The presumed address of the destination subject, in the information, translates to an address on the other connected network.
b. Subjects on an external network can cause information to flow through the TOE to another connected network if:
– All the information security attribute values are unambiguously permitted by the information flow security policy rules, where such rules may be composed from all possible combinations of the values of the information flow security attributes, created by the authorized firewall administrator.
– The presumed address of the source subject, in the information, translates to an external network address.
– The presumed address of the destination subject, in the information, translates to an address on the other connected network].
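The following is an added illustration, not code from the Security Target or from the FWSM: a decision function for the UNAUTHENTICATED SFP exactly as FDP_IFF.1.1(1) and FDP_IFF.1.2(1) state it. It applies the two conditions every flow must satisfy, that the presumed source address belongs to the network on whose interface the traffic arrived (this is the address-consistency check that defeats the spoofed flows of T.ASPOOF and that FDP_IFF.1.6(1) later restates as explicit denials) and that the full tuple of information security attributes is unambiguously permitted by administrator-created rules. The rule format, the interface names `inside` and `outside`, the address plan, the names `decide`, `demo` and `RULES`, and the sample flows are constructed assumptions; the reading of "unambiguously permitted" as deny-unless-every-matching-rule-permits is this example's interpretation of the ST wording, not the FWSM's actual first-match access-list semantics.

```python
# Added example, not part of the Security Target or of FWSM. Rule format,
# interface names, address plan and sample flows are constructed assumptions;
# "unambiguously permitted" is modelled as deny unless every matching rule permits.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INTERNAL_NETS = [ip_network("10.0.0.0/8")]   # assumed internal address space
INTERNAL_IF, EXTERNAL_IF = "inside", "outside"


@dataclass(frozen=True)
class Flow:
    """Information security attributes of FDP_IFF.1.1(1)."""
    src: str          # presumed address of source subject
    dst: str          # presumed address of destination subject
    proto: str        # transport layer protocol
    in_if: str        # TOE interface on which traffic arrives
    out_if: str       # TOE interface on which traffic departs
    service: int      # service (destination port)


@dataclass(frozen=True)
class Rule:
    """Administrator-created rule; None matches any value of that attribute."""
    src: Optional[str]
    dst: Optional[str]
    proto: Optional[str]
    in_if: Optional[str]
    out_if: Optional[str]
    service: Optional[int]
    action: str       # "permit" or "deny"


def is_internal(addr: str) -> bool:
    return any(ip_address(addr) in net for net in INTERNAL_NETS)


def rule_matches(rule: Rule, flow: Flow) -> bool:
    return all((
        rule.src is None or ip_address(flow.src) in ip_network(rule.src),
        rule.dst is None or ip_address(flow.dst) in ip_network(rule.dst),
        rule.proto is None or rule.proto == flow.proto,
        rule.in_if is None or rule.in_if == flow.in_if,
        rule.out_if is None or rule.out_if == flow.out_if,
        rule.service is None or rule.service == flow.service,
    ))


def decide(flow: Flow, rules: list[Rule]) -> tuple[str, str]:
    """Return ("permit" or "deny", reason) for one unauthenticated flow."""
    src_internal, dst_internal = is_internal(flow.src), is_internal(flow.dst)
    # FDP_IFF.1.2(1) a/b: the presumed source address must translate to the
    # network the traffic arrived from, and the destination to the other one.
    # A packet on the external interface claiming an internal source fails here.
    if flow.in_if == INTERNAL_IF and not (src_internal and not dst_internal):
        return "deny", "addresses inconsistent with arrival on the internal interface"
    if flow.in_if == EXTERNAL_IF and not (dst_internal and not src_internal):
        return "deny", "addresses inconsistent with arrival on the external interface"
    # Every attribute value must be unambiguously permitted: no matching rule
    # means deny, and a matching deny makes any matching permit ambiguous.
    matched = [r for r in rules if rule_matches(r, flow)]
    if not matched:
        return "deny", "no rule permits this combination of attribute values"
    if any(r.action == "deny" for r in matched):
        return "deny", "ambiguous: a matching rule denies this combination"
    return "permit", "unambiguously permitted by the rule set"


# Constructed rule set: inside may use HTTPS and DNS, except a lab subnet that
# gets no DNS; outside may reach only the mail relay on SMTP.
RULES = [
    Rule("10.0.0.0/8", None, "tcp", INTERNAL_IF, EXTERNAL_IF, 443, "permit"),
    Rule("10.0.0.0/8", None, "udp", INTERNAL_IF, EXTERNAL_IF, 53, "permit"),
    Rule("10.1.9.0/24", None, "udp", INTERNAL_IF, EXTERNAL_IF, 53, "deny"),
    Rule(None, "10.1.1.25/32", "tcp", EXTERNAL_IF, INTERNAL_IF, 25, "permit"),
]


def demo() -> dict:
    flows = {
        "web_out": Flow("10.1.1.5", "198.51.100.7", "tcp", "inside", "outside", 443),
        "spoofed_inside_src": Flow("10.1.1.5", "10.1.1.25", "tcp", "outside", "inside", 25),
        "ssh_in": Flow("198.51.100.7", "10.1.1.5", "tcp", "outside", "inside", 22),
        "lab_dns": Flow("10.1.9.4", "198.51.100.53", "udp", "inside", "outside", 53),
        "mail_in": Flow("198.51.100.7", "10.1.1.25", "tcp", "outside", "inside", 25),
    }
    return {name: decide(f, RULES)[0] for name, f in flows.items()}


if __name__ == "__main__":
    for name, f in demo().items():
        print(f"{name}: {f}")
```

The `spoofed_inside_src` flow is the T.ASPOOF case: it would match the mail-relay permit rule on every attribute, but it is rejected before rule matching because an internal source address cannot legitimately arrive on the external interface. The `lab_dns` flow shows why the ST insists on "unambiguously" permitted: two rules match with opposite actions, and the conservative reading is to deny.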
FDP_IFF.1.3(1) The TSF shall enforce the [none].
FDP_IFF.1.4(1) The TSF shall provide the following [none].
FDP_IFF.1.5(1) The TSF shall explicitly label an information flow based on the following rules: [none].
FDP_IFF.1.6(1) The TSF shall explicitly deny an information flow based on the following rules: [
a. The TOE shall reject requests for access or services in which the information arrives on an external TOE interface and the presumed address of the source subject is an external IT entity on an internal network.
b. The TOE shall reject requests for access or services in which the information arrives on an internal TOE interface and the presumed address of the source subject is an external IT entity on the external network.
c. The TOE shall reject requests for access or services in which the information arrives on either an internal or external TOE interface and the presumed address of the source subject is an external IT entity on a broadcast network.
d. The TOE shall reject requests for access or services, in which the information arriv