TopLayerNetworks_IPS5500E
Uploaded by
andrewcottier123TopLayerNetworks_IPS5500E
Uploaded by
andrewcottier123Top Layer Networks IPS 5500 E Security Target
Version 1.1
April 10, 2009
Prepared For:
Top Layer Networks
2400 Computer Drive
Westborough, MA 01581
Prepared By:
CygnaCom Solutions
Security Evaluations Laboratory
7925 Jones Branch Drive, Suite 5200
Mclean, VA 22031
2007 Top Layer Networks. All Rights Reserved. I
Top Layer Networks Security Target April 10, 2009
Table of Contents
1 INTRODUCTION.............................................................................................................................................. 1
1.1 IDENTIFICATION .......................................................................................................................................... 1
1.2 CC CONFORMANCE CLAIM ......................................................................................................................... 1
1.3 OVERVIEW .................................................................................................................................................. 1
1.4 ORGANIZATION ........................................................................................................................................... 2
1.5 DOCUMENT CONVENTIONS ......................................................................................................................... 2
1.6 DOCUMENT TERMINOLOGY ......................................................................................................................... 3
1.6.1 ST Specific Terminology ........................................................................................................................ 3
1.6.2 Acronyms ............................................................................................................................................... 5
2 TOE DESCRIPTION ........................................................................................................................................ 7
2.1 TOE OVERVIEW .......................................................................................................................................... 7
2.1.1 Categories of Deployment ..................................................................................................................... 8
2.2 ARCHITECTURE DESCRIPTION ................................................................................................................... 12
2.3 PHYSICAL BOUNDARIES ............................................................................................................................ 14
2.3.1 Physical Interfaces .............................................................................................................................. 15
2.3.2 Evaluated Configuration ..................................................................................................................... 19
2.3.3 Security Functionality in the IT Environment ...................................................................................... 20
2.3.4 Management Interfaces ....................................................................................................................... 21
2.4 LOGICAL BOUNDARIES.............................................................................................................................. 21
2.4.1 Security Audit ...................................................................................................................................... 22
2.4.2 User Data Protection ........................................................................................................................... 22
2.4.3 Identification and Authentication ........................................................................................................ 22
2.4.4 Security Management .......................................................................................................................... 22
2.4.5 Protection of TOE Security Functions ................................................................................................. 22
2.4.6 Trusted Path/Channels ........................................................................................................................ 23
2.5 FUNCTIONALITY NOT INCLUDED IN THE TOE SCOPE ................................................................................ 23
3 TOE SECURITY ENVIRONMENT .............................................................................................................. 24
3.1 ASSUMPTIONS ........................................................................................................................................... 24
3.1.1 Usage Assumptions .............................................................................................................................. 24
3.1.2 Personnel Assumptions ........................................................................................................................ 24
3.1.3 Physical Environment Assumptions ..................................................................................................... 24
3.2 THREATS ................................................................................................................................................... 24
3.2.1 Threats Addressed by the TOE ............................................................................................................ 25
3.3 ORGANISATIONAL SECURITY POLICIES ..................................................................................................... 25
4 SECURITY OBJECTIVES ............................................................................................................................. 26
4.1 SECURITY OBJECTIVES FOR THE TOE ...................................................................................................... 26
4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT ...................................................................................... 27
5 IT SECURITY REQUIREMENTS ................................................................................................................ 29
5.1 TOE SECURITY FUNCTIONAL REQUIREMENTS .......................................................................................... 30
5.1.1 Security Audit (FAU) ........................................................................................................................... 30
5.1.1.1 FAU_GEN.1 Audit data generation ........................................................................................................... 30
5.1.1.2 FAU_GEN.2 User identity association ...................................................................................................... 31
5.1.1.3 FAU_SAA.1 Potential violation analysis ................................................................................................... 31
5.1.1.4 FAU_ARP.1 Security alarms ..................................................................................................................... 32
5.1.1.5 FAU_SAR.1 Audit review ......................................................................................................................... 32
5.1.1.6 FAU_SAR.3 Selectable audit review ......................................................................................................... 33
5.1.1.7 FAU_SEL.1 Selective audit ....................................................................................................................... 33
5.1.1.8 FAU_STG.1 Protected audit trail storage .................................................................................................. 33
2007 Top Layer Networks. All Rights Reserved. i
Top Layer Networks Security Target April 10, 2009
5.1.2 User Data Protection (FDP) ............................................................................................................... 34
5.1.2.1 FDP_IFC.1 (1) Subset information flow control (1) .................................................................................. 34
5.1.2.2 FDP_IFF.1 (1) Simple security attributes (1) ............................................................................................. 34
5.1.2.3 FDP_IFC.1 (2) Subset information flow control (2) .................................................................................. 37
5.1.2.4 FDP_IFF.1 (2) Simple security attributes (2) ............................................................................................. 37
5.1.3 Identification and Authentication (FIA)............................................................................................... 42
5.1.3.1 FIA_AFL.1 Authentication failure handling .............................................................................................. 42
5.1.3.2 FIA_ATD.1 User attribute definition ......................................................................................................... 42
5.1.3.3 FIA_UAU.1 Timing of Authentication ...................................................................................................... 42
5.1.3.4 FIA_UAU.7 Protected authentication feedback ......................................................................................... 42
5.1.3.5 FIA_UID.2 User identification before any action ...................................................................................... 43
5.1.4 Security Management (FMT) ............................................................................................................... 43
5.1.4.1 FMT_MOF.1 Management of security functions behaviour ...................................................................... 43
5.1.4.2 FMT_MSA.1 Management of security attributes....................................................................................... 44
5.1.4.3 FMT_MSA.3 Static attribute initialisation ................................................................................................. 44
5.1.4.4 FMT_MTD.1 Management of TSF data .................................................................................................... 44
5.1.4.5 FMT_SMF.1 Specification of Management Functions .............................................................................. 46
5.1.4.6 FMT_SMR.1 Security roles ....................................................................................................................... 47
5.1.5 Protection of TSF (FPT) ...................................................................................................................... 47
5.1.5.1 FPT_TST.1 TSF self-testing ...................................................................................................................... 47
5.1.5.2 FPT_FLS.1 Failure with preservation of secure state ................................................................................ 47
5.1.6 Trusted Path/Channels (FTP) .............................................................................................................. 48
5.1.6.1 FTP_TRP.1 Trusted Path ........................................................................................................................... 48
5.2 EXPLICITLY STATED TOE SECURITY FUNCTIONAL REQUIREMENTS ......................................................... 48
5.2.1 Protection of TSF (FPT) ...................................................................................................................... 48
5.2.1.1 FPT_STM_EXP.1 Reliable time stamps .................................................................................................... 48
5.2.1.2 FPT_RVM_EXP.1 Partial Non-bypassability of the TSP .......................................................................... 48
5.2.1.3 FPT_SEP_EXP.1 Partial TSF domain separation ...................................................................................... 49
5.3 SECURITY REQUIREMENTS FOR THE IT ENVIRONMENT ............................................................................. 49
5.3.1 Class FAU: Security audit ................................................................................................................... 49
FAU_STG_ENV.1 Protected Audit Trail Storage .......................................................................................................... 49
5.3.2 Class FIA: Identification and Authentication ...................................................................................... 50
5.3.2.1 FIA_UAU_ENV.1 User Authentication before Action.............................................................................. 50
5.3.2.2 FIA_UID_ENV.1 User Identification before any Action ........................................................................... 50
5.3.3 Class FPT: Protection of the TOE Security Functions ........................................................................ 50
5.3.3.1 FPT_RVM_ENV.1 Non-bypassibility of the IT Environment ................................................................... 50
5.3.3.2 FPT_SEP_ENV.1 Domain Separation in IT Environment ........................................................................ 50
5.3.3.3 FPT_STM_ENV.1 Reliable Time Stamps ................................................................................................. 50
5.4 TOE STRENGTH OF FUNCTION CLAIM....................................................................................................... 50
5.5 TOE SECURITY ASSURANCE REQUIREMENTS ........................................................................................... 50
6 TOE SUMMARY SPECIFICATION ............................................................................................................ 52
6.1 TOE SECURITY FUNCTIONS ...................................................................................................................... 52
6.1.1 Security Audit ...................................................................................................................................... 53
6.1.1.1 SA-1 Audit Data Generation (FAU_GEN.1) ............................................................................................ 55
6.1.1.2 SA-2 User Identity Association (FAU_GEN.2) ........................................................................................ 55
6.1.1.3 SA-3 Potential violation analysis (FAU_SAA.1) ....................................................................................... 55
6.1.1.4 SA-4 Security alarms (FAU_ARP.1) ........................................................................................................ 55
6.1.1.5 SA-5 Audit review (FAU_SAR.1) ............................................................................................................. 55
6.1.1.6 SA-6 Selectable Audit Review (FAU_SAR.3)........................................................................................... 55
6.1.1.7 SA-7 Selective Audit (FAU_SEL.1) .......................................................................................................... 56
6.1.1.8 SA-8 Protected Audit Trail Storage (FAU_STG.1) ................................................................................... 56
6.1.2 User Data Protection ........................................................................................................................... 56
6.1.2.1 IFC-1 Rate Based Control (FDP_IFC.1 (1), FDP_IFF.1 (1)) ..................................................................... 58
6.1.2.2 IFC-2 Intrusion Prevention (FDP_IFC.1 (2), FDP_IFF.1 (2)) ................................................................. 59
6.1.3 Identification and Authentication ........................................................................................................ 60
6.1.3.1 IA-1 Authentication failure handling (FIA_AFL.1) .................................................................................. 60
6.1.3.2 IA-2 User attribute definition (FIA_ATD.1) .............................................................................................. 60
6.1.3.3 IA-3 Timing of Authentication (FIA_UAU.1) ........................................................................................... 60
6.1.3.4 IA-4 Protected authentication feedback (FIA_UAU.7) .............................................................................. 60
2007 Top Layer Networks. All Rights Reserved. ii
Top Layer Networks Security Target April 10, 2009
6.1.3.5 IA-5 User identification before any action (FIA_UID.2) ........................................................................... 60
6.1.4 Security Management .......................................................................................................................... 61
6.1.4.1 SM-1 Management of security functions (FMT_MOF.1) .......................................................................... 62
6.1.4.2 SM-2 Static attribute initialisation (FMT_MSA.3) .................................................................................... 62
6.1.4.3 SM-3 Management of security attributes (FMT_MSA.1) .......................................................................... 62
6.1.4.4 SM-4 Specification of Management Functions (FMT_SMF.1) ................................................................. 63
6.1.4.5 SM-5 Management of TSF Data (FMT_MTD.1) ....................................................................................... 63
6.1.4.6 SM-6 Security Roles (FMT_SMR.1) ........................................................................................................ 63
6.1.5 Protection of TOE Security functions .................................................................................................. 63
6.1.5.1 SP-1 TSF Self-testing (FPT_TST.1) .......................................................................................................... 63
6.1.5.2 SP-2 Failure with preservation of Secure State (FPT_FLS.1) .................................................................... 64
6.1.5.3 SP-3 Partial Non-bypassability of the TSF (FPT_RVM_EXP.1) ............................................................... 64
6.1.5.4 SP-4 TSF Domain Separation (FPT_SEP_EXP.1)..................................................................................... 64
6.1.5.5 SP-5 Reliable Time Stamps (FPT_STM_EXP.1)....................................................................................... 65
6.1.6 Trusted Path/Channels ........................................................................................................................ 65
6.1.6.1 TC-1 Trusted Path (FTP_TRP.1) ............................................................................................................... 65
6.2 SECURITY ASSURANCE MEASURES & RATIONALE .................................................................................... 65
6.3 APPROPRIATE STRENGTH OF FUNCTION CLAIM ........................................................................................ 68
7 PROTECTION PROFILE CLAIMS ............................................................................................................. 69
8 RATIONALE ................................................................................................................................................... 70
8.1 SECURITY OBJECTIVES RATIONALE .......................................................................................................... 70
8.1.1 Rationale For Threat Coverage ........................................................................................................... 70
8.1.2 Rationale For Organizational Policy Coverage .................................................................................. 73
8.1.3 Rationale For Assumption Coverage ................................................................................................... 73
8.2 SECURITY REQUIREMENTS RATIONALE .................................................................................................... 74
8.2.1 Security Functional Requirements for the TOE ................................................................................... 74
8.2.2 Security Functional Requirements for the IT Environment ................................................................. 77
8.2.3 Explicitly Stated Requirements Rationale ............................................................................................ 78
8.2.4 Rationale for TOE Security Assurance Requirements ......................................................................... 78
8.2.5 Rationale For IT Security Requirement Dependencies ........................................................................ 78
8.3 TOE SUMMARY SPECIFICATION RATIONALE ............................................................................................ 79
8.3.1 Rationale for TOE Security Functions................................................................................................. 79
8.4 RATIONALE FOR STRENGTH OF FUNCTION CLAIM .................................................................................... 81
8.5 PROTECTION PROFILE CLAIMS RATIONALE ............................................................................................... 81
9 REFERENCES ................................................................................................................................................. 82
2007 Top Layer Networks. All Rights Reserved. iii
Top Layer Networks Security Target April 10, 2009
List of Tables
Table 1-1: ST Organization and Description .................................................................................. 2
Table 2-1 Hardware Models ......................................................................................................... 15
Table 2-2 Port Types ..................................................................................................................... 16
Table 2-3 Port Information ........................................................................................................... 16
Table 2-4 Port Roles ..................................................................................................................... 18
Table 5-1: Security Functional Requirements for the TOE .......................................................... 29
Table 5-2: Auditable Events ......................................................................................................... 30
Table 5-3: Management of security functions behaviour ............................................................. 43
Table 5-4 Management of TSF Data ............................................................................................ 44
Table 5-5: Security Functional Requirements for the IT Environment ........................................ 49
Table 5-6 - Assurance Requirements: EAL4 ................................................................................ 50
Table 6-1: TSF Description .......................................................................................................... 52
Table 6-2 - Assurance Measures & Rationale: EAL4 .................................................................. 65
Table 8-1 -All Threats to Security Countered............................................................................... 70
Table 8-2 - All Objectives for the TOE Met by Functional Requirements for the TOE .............. 74
Table 8-3 - All Objectives for the IT Environment Met by SFRs for IT Environment ................ 77
Table 8-4 – SFR Dependencies..................................................................................................... 78
Table 8-5 – TOE Security Function to SFR Mapping .................................................................. 79
Table 9-1 References .................................................................................................................... 82
List of Figures
Figure 2-1 IPS Unit‘s Security........................................................................................................ 8
Figure 2-2 Network Perimeter Protection ....................................................................................... 8
Figure 2-3 Protection for a Hosting Center..................................................................................... 9
Figure 2-4 Protect Critical Online Assets ..................................................................................... 10
Figure 2-5 High Volume Single Inline with Peer ......................................................................... 11
Figure 2-6 Two Unit Protection Cluster ....................................................................................... 12
2007 Top Layer Networks. All Rights Reserved. iv
Top Layer Networks Security Target April 10, 2009
Figure 2-7 TOE Multi- Stage Architecture ................................................................................... 14
Figure 2-8 Evaluated Configuration ............................................................................................. 19
Figure 2-9 Evaluated Configuration with High Availability Feature ........................................... 20
Figure 6-1 IPS Unit Security Checks ............................................................................................ 56
Figure 6-2 Rate Based Security .................................................................................................... 57
Figure 6-3 FW +IPS Security ....................................................................................................... 58
2007 Top Layer Networks. All Rights Reserved. v
Top Layer Networks Security Target April 10, 2009
1 Introduction
This section identifies the Security Target, Target of Evaluation (TOE), conformance claims, ST
organization, document conventions, and terminology. It also includes an overview of the
evaluated product.
1.1 Identification
TOE Identification: Top Layer Networks IPS 5500 E Version 5.21 software running on an IPS
5500 E series hardware platform.
The IPS 5500 series product line includes the following hardware models:
- IPS 5500-150E,
- IPS 5500-500E and
- IPS 5500-1000E
ST Identification: Top Layer Networks IPS 5500 E Security Target
ST Version: 1.1
ST Publish Date: April 10, 2009
ST Authors: CygnaCom Solutions
PP Identification: None
1.2 CC Conformance Claim
The TOE is Common Criteria (CC) Version 2.31 Part 2 extended.
The TOE is Common Criteria (CC) Version 2.3 Part 3 conformant and meets the requirements of
Evaluation Assurance Level (EAL) 4.
There are no applicable International (CCIMB) interpretations for CC Version 2.3 as of
12/21/2008.
This TOE is not conformant to any Protection Profiles (PPs).
1.3 Overview
The Top Layer IPS 5500 E is a single-appliance security gateway Intrusion Protection System.
The IPS Unit provides network-level and application-level protection to a network from good,
bad and suspicious traffic. It is a hardware-based, multi-processor system that has an onboard
application level stateful firewall that works in conjunction with the Intrusion Prevention
subsystems to provide security. The IPS 5500 provides a 3-Dimensional approach to secure
networks of interest to:
- Stop Resource Abuse
1
Common Criteria (CC) for Information Technology Security Evaluation – August 2005, Version 2.3, CCMB-
2005-08-001.
2007 Top Layer Networks. All Rights Reserved. 1
Top Layer Networks Security Target April 10, 2009
- Prohibit Access to Unauthorized Clients
- Stop Malicious Content
The IPS Unit supports a number of management interfaces to manage it both locally and using a
remote system. It provides logging of various security events.
1.4 Organization
Table 1-1: ST Organization and Description
Section Title Description
1 Introduction Provides an overview of the Security Target.
2 TOE Description Defines the hardware and software that make up the TOE,
and the physical and logical boundaries of the TOE.
3 TOE Security Contains the threats, assumptions and organizational
Environment security policies that affect the TOE.
4 Security Objectives Contains the security objectives the TOE is attempting to
meet.
5 IT Security Requirements Contains the functional and assurance requirements for
this TOE.
6 TOE Summary A description of the security functions and assurances that
Specification this TOE provides.
7 PP Claims Protection Profile Conformance Claims
8 Rationale Contains pointers to the rationales contained throughout
the document.
1.5 Document Conventions
The notation, formatting, and conventions used in this security target (ST) are consistent with
version 2.3 of the Common Criteria for Information Technology Security Evaluation. All of the
components in this ST are taken directly from Part 2 of the CC except the ones noted with
―_EXP‖ in the component name. Font style and clarifying information conventions were
developed to aid the reader.
The CC permits four functional component operations: assignment, iteration, refinement, and
selection to be performed on functional requirements. These operations are defined in Common
Criteria, Part 1 as:
Iteration: allows a component to be used more than once with varying operations;
Assignment: allows the specification of parameters;
Selection: allows the specification of one or more items from a list; and
Refinement: allows the addition of details.
2007 Top Layer Networks. All Rights Reserved. 2
Top Layer Networks Security Target April 10, 2009
This ST indicates which text is affected by each of these operations in the following manner:
Iterations are identified with a number in brackets "(#)" right after the short name.
Assignments and Selections specified by the ST author are in [italicized bold text].
Refinements to the CC text are specified bold and underlined text.
Explicitly Stated TOE Security Functional Requirements are specified with a ―_EXP‖ added
to the component name.
IT Environment Requirements are specified with a ―_ENV‖ added to the component name.
Application notes provide additional information for the reader, but do not specify
requirements. Application notes are denoted by Application Note: italicized text.
CCIMB Interpretations have been reviewed. The original CC text modified by the interpretation
is neither denoted nor explained.
1.6 Document Terminology
Please refer to CC Part 1 Section 2.3 for definitions of commonly used CC terms.
1.6.1 ST Specific Terminology
External IT entity -- Any IT product or system, untrusted or trusted, outside of the
TOE, that interacts with the TOE.
Identity -- A representation (e.g. a string) uniquely identifying an authorized user,
which can either be the full or abbreviated name of that user or a pseudonym.
Authentication data -- Information used to verify the claimed identity of a user.
Authorized Administrator - An administrator who has been identified and authenticated
by the TOE and has been granted the authority to manage the TOE. These users are
expected to use this authority only in the manner prescribed by the guidance given to
them.
Service - A service is a policy element that identifies a protocol or set of protocols to the
IPS Unit, for example, HTTP, DNS, or FTP.
Rules - The IPS Unit contains hundreds of rules that it uses to check whether a given
flow of traffic is acceptable or not. A rule may be based on packet checks (for example,
Illegal ICMP Header) or protocol checks (for example, HTTP Unknown Method Name).
Actions - An action is a response by the IPS Unit when traffic triggers a security rule.
The IPS Unit can take one of the following actions when traffic triggers a rule:
Allow — The IPS Unit passes the traffic.
Drop — The IPS Unit discards the traffic.
Reject — The IPS Unit discards the traffic and sends TCP reset to the connection source.
Client (Client Group) -An IT entity (group of IT Entities) that is the source of an
information flow.
Server (Server Group) – An IT entity (group of IT Entities) to which an information
flow is destined.
2007 Top Layer Networks. All Rights Reserved. 3
Top Layer Networks Security Target April 10, 2009
Host Groups (Client and Servers) - A host group is a named set of IP address ranges. A
host group can define a group of clients or a group of servers. A given host group may act
as both clients and servers.
Connection Limits — Limits the number of simultaneous connections allowed for a
group of clients or a group of servers, and for individual members of the group.
Request Limits — Limits the number of requests a client within a host group can make
per minute for specified services.
SYN Flood Limits — Provides limits for the number of incomplete SYN requests for
servers and for various categories of clients (trusted, suspicious, malicious, etc.).
IP Address--Internet Protocol Address, a 32-bit numeric identifier for a computer or a
device on the network. The TOE does not support IPv6 packets.
Segments – A pair of physical ports that handle internal and external network traffic
(mission ports) is called a Segment. When configured to do so, the IPS Unit forwards all
packets received on either of the ports in the pair to the other port in the pair, subject to
the defined security policy filtering
Threat - Capabilities, intentions and attack methods of adversaries, or any circumstance
or event, with the potential to violate the TOE security policy.
Threat Agent - Any human user or Information Technology (IT) product or system,
which may attempt to violate the TSP and perform an unauthorized operation with the
TOE.
TOE Security Function (TSF) Data - Information used by the TSF in making TOE
security policy (TSP) decisions. TSF data may be influenced by users if allowed by the
TSP. Security attributes, authentication data and information flow control policy‘s subject
and object security attributes are examples of TSF data.
Audit Data - The logs generated based on the actions of the TOE itself. This includes the
authentication of users accessing the TOE, actions taken directly on the TOE, and actions
of the TOE itself. Audit data is a type of TSF data.
User - Any entity (human user or external IT entity) outside the TOE that interacts with
the TOE.
User Data - Data created by external IT entities that does not affect the operation of the
TSP. User data is separate from the TSF data. The information flows created by Clients
and Servers is an example of user Data.
VPN-Virtual Private Network, a network constructed using public wires to connect
nodes. For example, there are a number of systems that enable the administrator to create
networks using the Internet as the medium for transporting data; these systems use
encryption and other security mechanisms to ensure that only authorized users can access
the network and that the data cannot be intercepted
Vulnerability - A weakness that can be exploited to violate the TOE security policy.
Protocol Validation - Examining the payload of application datagrams and application
streams for specific network protocols (DNS, FTP, HTTP, MSNET, SIP, SSH and
Telnet) to ensure that the traffic conforms to the rules for a given protocol as well as the
IPS Unit‘s rules for reasonable usage. The protocol validation rules are specific to the
Top Layer IPS. These rules enable configuration of protocol specific parameters for
application protocols to stop attackers who abuse weaknesses in a protocol‘s defined
structure.
2007 Top Layer Networks. All Rights Reserved. 4
Top Layer Networks Security Target April 10, 2009
Content Inspection - Checks for deliberate inclusion of malicious data or other
malicious payloads into traffic that is otherwise well formed.
Attack Signatures - An attack signature is a defined arrangement of information that can
be used to identify an attacker's attempt to exploit a known vulnerability.
Firewall Rules — Rules to provide classic firewall blocking for traffic, based on IP
addresses, Layer 4 ports and segments (port pairs).
IPS Rules — Rules to provide the following types of checks:
Protocol validation
Attack Signatures
Acceptable use of network application
Rate Based Rules — Rules to protect your resources from overuse by legitimate users,
as well as abusive denial-of-service attackers.
Bypass- The IPS Unit provides a software-based bypass feature between Mission port-
pairs. There are three modes of bypass control.
- Never Bypass - The IPS Unit inspects all traffic, mitigates problem traffic, and
records all information. All traffic flows through the IPS Unit‘s functions.
- Always Bypass - The IPS Unit inspects all traffic and records traffic statistics, but
does not mitigate. All traffic always passes through the IPS Unit.
- Bypass During System Reset - The IPS Unit starts out performing as in Never
Bypass mode, checking and mitigating all traffic, but performs as Always Bypass
mode (passes all traffic) if there is a software failure and the IPS Unit needs to reboot.
1.6.2 Acronyms
The acronyms used within this Security Target:
Table 1-2 Acronyms
Acronym Definition
ACM Configuration Management
ADO Delivery and Operation
ADV Development
AGD Guidance Documents
ALC Life cycle support
ASIC Application-Specific Integrated Circuit
ATE Tests
AVA Vulnerability assessment
CC Common Criteria [for IT Security Evaluation]
CIFS Common Internet File System
DNS Domain Name System
EAL Evaluation Assurance Level
FAU Security Audit
FDP User Data Protection
FIA Identification and Authentication
FMT Security Management
FPT Protection of the TSF
FTP Trusted Path/Channels
2007 Top Layer Networks. All Rights Reserved. 5
Top Layer Networks Security Target April 10, 2009
Acronym Definition
GUI Graphical User Interface
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol over SSL
ICMP Internet Control Message Protocol
ID Identifier
IP Internet Protocol
IPS Intrusion Protection System
IT Information Technology
LAN Local Area Network
MAC Media Access Control
MSNET Microsoft NETworks
NIC Network Interface Card
OS Operating System
SF Security Function
SIP Session Initiation Protocol
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SFP Security Function Policy
SSH Secure Shell
SSL Secure Socket Layer
ST Security Target
TCP Transmission Control Protocol
TOE Target of Evaluation
TSC TSF Scope of Control
TSF TOE Security Functions
TSFI TOE Security Functions Interface
TSP TOE Security Policy
TSS TOE Summary Specification
UDP User Datagram Protocol
VPN Virtual Private Network
2007 Top Layer Networks. All Rights Reserved. 6
Top Layer Networks Security Target April 10, 2009
2 TOE Description
2.1 TOE Overview
The TOE is an IPS 5500 E Hardware appliance with Version 5.21 software. The IPS Unit is
managed using a Graphical User Interface (GUI), which is a Java Web Start™ application that
runs as a stand-alone application on the Management Station. The Java Web Start application is
also included in the TOE. The TOE acts as an inline single-appliance security gateway providing
three-dimensional protection to stop resource abuse prohibit access to unauthorized clients and
stop malicious content from entering the protected network. Top Layer‘s s ASIC technology and
algorithms integrate stateful analysis techniques with deep packet inspection chip set and DoS
(Denial of Service) attack protection to provide protection from Internet-based and internal
threats. The difference between the TOE and a typical IDS is that the TOE (IPS Unit) is
deployed inline and not in an offline or a passive mode.
The TOE may be configured to:
- Handle IP fragments, TCP header and Payload.
- Implement firewall rules.
- Perform protocol analysis.
- Perform deep packet inspections.
- Handle network and security management.
- Process events, logging, and reports.
The primary design goal of the TOE is reliable protection of the customer‘s critical on-line
assets. The IPS aspect of the TOE security policy may be configured based on the following
three types of rules. The rules guide the following types of security checks:
Firewall Rules — Provide classic firewall blocking for traffic, based on IP addresses,
Layer 4 ports, and segments (port pairs).
IPS Rules — Provide the following types of checks:
• Protocol validation
• Attack Signatures
• Acceptable use of network application
Rate Based Rules — Protect resources from overuse by legitimate users, as well as
abusive denial-of-service attackers. Provide limits for:
• Client requests
• Connections for both clients and servers
• SYN Flood controls
• Application rate limiting
2007 Top Layer Networks. All Rights Reserved. 7
Top Layer Networks Security Target April 10, 2009
Figure 2-1 IPS Unit’s Security
2.1.1 Categories of Deployment
The figures in this section provide general guidelines to a prospective customer for placing an
IPS Unit in their networks.
To install and deploy the TOE in a secure evaluated configuration please see section 2.3.2
Evaluated Configuration. Also, please see section 2.3.3 Security Functionality in the IT
Environment for a description of the security functionality provided by the IT Environment.
The IPS Unit can be deployed in the following ways in a prospective customer‘s network:
Network Perimeter Protection
Increases protection against targeted DDoS attacks and application level threats. Protects the
network from cyber-threats that may traverse the VPN link.
Figure 2-2 Network Perimeter Protection
2007 Top Layer Networks. All Rights Reserved. 8
Top Layer Networks Security Target April 10, 2009
Hosting Center Protection
Protects assets from network and application level threats regardless of whether they originate
from inside or outside. The IPS unit when deployed this way could be used to protect servers in a
dedicated manner.
Figure 2-3 Protection for a Hosting Center
Critical Online Assets Protection
Protects network segments from threats and provides containment of infected segments. When
IPS units are deployed between internal network segments, they can be configured with network
segment specific policies, which provide better performance. This configuration can also keep
infected segments separate from uninfected segments.
2007 Top Layer Networks. All Rights Reserved. 9
Top Layer Networks Security Target April 10, 2009
Figure 2-4 Protect Critical Online Assets
High Volume Configuration Single Inline with Peer
Provides additional, shared processing for high volume environments. In the Single Inline with
Peer configuration, only one IPS Unit passes network traffic, but the second IPS Unit assists in
detection processing and flow setup operations, increasing the traffic load that the IPS Units can
handle and almost doubling the number of connections that can be created and analyzed.
2007 Top Layer Networks. All Rights Reserved. 10
Top Layer Networks Security Target April 10, 2009
Figure 2-5 High Volume Single Inline with Peer
ProtectionCluster Configuration
Provides active redundancy to the current configuration. ProtectionCluster refers to a network
configuration option that provides higher bandwidth and redundancy. This configuration
connects multiple IPS Units together using a special pair of GbE links. These links, called R1
and R2, provide higher bandwidth for flow rebalancing in redundant configurations. A
ProtectionCluster configuration also enables the IPS Units to share the intense processing
required for deep and stateful protocol analysis necessary to detect attempted exploits
of application-level vulnerabilities in both server and client groups. In this configuration, both
sides of the configuration receive and pass the network traffic, unless there is a failure. This
solution provides a redundant solution that offers maximum protection of the network resources.
This solution, using a combination of IPS Units, protects up to two full duplex Gigabit input
ports: stopping the "bad" traffic, while permitting the ―good‖ traffic to pass to its destination.
2007 Top Layer Networks. All Rights Reserved. 11
Top Layer Networks Security Target April 10, 2009
Figure 2-6 Two Unit Protection Cluster
2.2 Architecture Description
The TOE architecture offers network-level and application-level protection along with the
flexibility to integrate application-specific protection mechanisms. Top Layer‘s
ASIC technology provides the high-performance base required for protecting against
internet based and internal threats. The TOE provides stateful analysis firewall technology to
provide network level protection, identifying undesired access, illegal packets, illegal headers,
and various network attacks. Top Layer‘s denial-of-service protection algorithms are used by the
TOE to protect against flood-based attacks, such as ICMP, UDP, and TCP SYN Floods.
The TOE uses a packet inspection chip set to provide application-level protection against
exploits of critical vulnerabilities, including worms and application-level attacks.
The TOE is composed of the following logical subsystems:
- IP/ARP Bad Packet Filters
2007 Top Layer Networks. All Rights Reserved. 12
Top Layer Networks Security Target April 10, 2009
- L2 Filters
- DDos Filters
- Resource Limit Filters
- Stateful Analysis
- Firewall Filters
- Protocol Validation
- Content Inspection
Each subsystem performs a set of specific checks.
These specific checks, or rules, and their associated actions, make up the subsystem‘s security
policy. The IPS unit organizes the subsystems in a particular order so that traffic that is filtered
by an earlier subsystem is never seen by the later subsystems. The various subsystems work
together to provide the three-dimensional security protection
The figure below depicts the TOE as a device with multiple stages of security filtering performed
by the subsystems mentioned above.
2007 Top Layer Networks. All Rights Reserved. 13
Top Layer Networks Security Target April 10, 2009
Figure 2-7 TOE Multi- Stage Architecture
2.3 Physical Boundaries
The physical boundary of the TOE is the IPS 5500 E Hardware appliance (150 E, 500 E or 1000
E) loaded with the IPS Software Version 5.21.
2007 Top Layer Networks. All Rights Reserved. 14
Top Layer Networks Security Target April 10, 2009
2.3.1 Physical Interfaces
The TOE has the following physical interfaces:
- Console port using a 9-pin D-sub connector
- 10BASE-T/100BASE-TX copper LAN ports,
- 1000BASE-T Copper ports
- 1000BASE-SX fiber optic HA
Please see the table below for more details on the hardware models:
Table 2-1 Hardware Models
Ports NIC Chipsets Used
Model CPU Memory Power Supply
150 E, The TOE utilizes Total Number of There is no 10/100 A combination 1 or 2
500E and multiple CPU's. NIC Ports: 12 hard drive of a Top Layer
in the TOE. proprietary
1000E - 5 Top Layer Total Number of It does ASIC MAC chip
proprietary ASIC chips Serial Ports: 1 utilize a 256 and Marvell
running at 100 MHz Meg transceiver chip
Total number of
- 1 AMD 520 chip HA Ports: 2 compact (Marvell part
running at 100 MHz flash card. number
88E3082-BAR)
- 2 Freescale
PowerPC chips 1000 (Port A combination
running at 825 MHz Numbers 9 of a Top Layer
to 12) proprietary
ASIC MAC chip
and HP IC
SerDes Gigabit
chip (HP part
number HDMP-
1646A)
1000 (R1 A combination
and R2) of a Top Layer
proprietary
ASIC MAC chip
and Marvell IC
Gigabit quad
Phy SerDes
chip (Marvell
part number
88E1043-D2-
BCA-C000)
Each hardware model has 12 physical ports numbered 1 to 12 and two high availability ports
numbered R1 and R2. Most of the ports on the IPS Unit can have several possible roles. A port
can only be configured for one role at any given time and some ports have fixed roles.
2007 Top Layer Networks. All Rights Reserved. 15
Top Layer Networks Security Target April 10, 2009
In addition to port roles, the IPS unit supports the concept of Mission, Management, and
Maintenance ports to further classify ports based on their role type.
Mission ports are ports that handle internal and external network traffic. Two matched ports, one
with the role Internal and another port with the role External, are known as a Mission port-pair.
Management ports on the IPS unit are ports used to manage the IPS unit itself. By default, Port 8
on the IPS Unit is always configured to be a Management access port. All configured
Management ports are bridged together and flooding occurs between these ports. An internal
bridge logically connects Management ports. Packets received on Management ports are bridged
to other Management ports. Packets received on Mission ports can be bridged to other Mission
ports, but will never be forwarded to any Management port or to the management entity (e.g.
management station).
Maintenance ports are ports on the IPS unit that are used to manage events and mirror traffic on
the IPS unit. These ports can have the role of Capture, Mirror, or Discard. Traffic on
maintenance ports is handled using the Management Bridge.
The IPS Unit uses these roles and port types to determine how traffic passes through the IPS
Unit. The table below presents details of Roles, Port Types and traffic isolation.
Table 2-2 Port Types
Role Port Type Traffic Isolation Handled by
Internal or External Mission Port Mission Bridge
Management Management Port Management Bridge
Capture, Mirror, Discard Maintenance Management Bridge
High Availability HA Port Not Applicable
The table below presents details of each port speed, possible roles, and the default role for each
Port on the hardware models. Please note that the Port # in the first column in the table below
represents the physical port number and not the number of ports.
Table 2-3 Port Information
Default Role
Port Possible IPS 5500-150
Speed
# Roles IPS 5500-500
IPS 5500-1000
1 10/100 External, External
Mirror,
Unused
2 10/100 Internal, Internal
Mirror,
Unused
3 10/100 External, Capture
Mirror,
Capture,
2007 Top Layer Networks. All Rights Reserved. 16
Top Layer Networks Security Target April 10, 2009
Default Role
Port Possible IPS 5500-150
Speed
# Roles IPS 5500-500
IPS 5500-1000
Unused
4 10/100 Internal, Discard
Mirror,
Capture,
Discard,
Unused
5 10/100 Management, Unused
Mirror,
Capture,
Discard,
Unused
6 10/100 Management, Unused
Mirror,
Capture,
Discard,
Unused
7 10/100 Management, Unused
Capture,
Discard,
Unused
8 10/100 Management Management
9 1000 External External
Unused
10 1000 Internal Internal
Unused
11 1000 External, Unused
Capture,
Unused
12 1000 Internal, Unused
Capture,
Unused
R1 1000 HA HA
R2 1000 HA HA
2007 Top Layer Networks. All Rights Reserved. 17
Top Layer Networks Security Target April 10, 2009
The following table explains the port roles. Please note that the # of Ports in the second column
represents the number of ports, not the physical port number.
Table 2-4 Port Roles
Port Role # of Ports that Operating Description
can have this Speed
Role
Management 1,2,3,or 4 10/100 Use a port with the port role Management to manage
the IPS Unit and as an output port for reporting traffic
(using standard Syslog and SNMP traps).
Mirror 0,1,2,3,4,5, 10/100 Identify one or more Mirror ports to create a mirror
or 6 (copy) group. The IPS Unit copies all packets from
specific traffic applications to the ports in the mirror
group. It uses the Round Robin algorithm to balance
traffic among the Mirror ports.
All ports in the mirror group must be set to the same
speed.
No packets are received on a port with this role.
Discard 0 or 1 10/100 Use a port with the role Discard to send the dropped
packets that caused events to a collecting system in
the environment. Configure which packets go through
the Discard port to the collecting system in the
environment by configuring Policies
Capture 0 or 1 10/100/1000 Use a port with the role Capture as a single, mirroring
output port. One of the Mission ports can be chosen
to have all of its received and transmitted packets
mirrored to this port.
External 1,2,3, or 4 10/100/1000 Use a port with the role External to connect to the
(Outside) external network. The External port does not allow
management access. The External port receives
packets and forwards them (subject to policy checks)
to its paired Internal port (known as Port-pair
forwarding mode),
Internal 1,2,3, or 4 10/100/1000 Use a port with the role Internal to connect to the
(Inside) internal network. The Internal port does not allow
management access. The Internal port receives
packets and, either forwards them (subject to policy
checks) to its paired External port (known as Port-pair
forwarding mode), or bridges them according to their
destination MAC addresses.
High 0,1, or 2 1000 Use a port with the role High Availability (HA) as a
Availability Gigabit port that is directly connected to a redundant
IPS Unit. The HA port is used to balance traffic
between redundant IPS Units.
Unused Not 10/100/1000 A port with the role Unused is a port that is not
Applicable configured. The Unused port does not accept traffic
nor send any traffic. The IPS Unit will not recognize a
link to this port.
2007 Top Layer Networks. All Rights Reserved. 18
Top Layer Networks Security Target April 10, 2009
2.3.2 Evaluated Configuration
Figure 2-8 Evaluated Configuration below depicts the TOE in the evaluated configuration.
Figure 2-8 Evaluated Configuration
The IPS Unit is managed using a Graphical User Interface (GUI), which is a Java Web Start™
application that runs as a stand-alone application on the Management Station. The Java Web
Start application is also included in the TOE.
In addition to the evaluated configuration shown above where a single IPS unit is used between
networks, an additional configuration which includes two IPS units was used to test the
Protection Cluster capability. This configuration ensures that if the IPS unit fails or is taken off-
line, the second IPS unit takes the entire load, ensuring continued network operation.
Figure below depicts the TOE in the evaluated configuration with two IPS units.
2007 Top Layer Networks. All Rights Reserved. 19
Top Layer Networks Security Target April 10, 2009
Figure 2-9 Evaluated Configuration with High Availability Feature
Note: Customers who install only one IPS box (i.e., operating in the ―single IPS box‖ mode of
operation as shown in Figure 2-8 Evaluated Configuration) are also in the evaluated
configuration.
2.3.3 Security Functionality in the IT Environment
The TOE depends on the IT Environment for the following security functions:
- Web browser – Used to access TOE administrative interfaces and displays alerts, reports,
statistics, diagnostics and security logs
- SMTP, SNMP, Syslog servers – Used to receive audit events generated by the TOE
- NTP server – Used to set TOE hardware clock
The external IT entities send and receive network traffic through the TOE. Packet Capture
Systems receive packets from Capture, Discard and Mirror Ports.
2007 Top Layer Networks. All Rights Reserved. 20
Top Layer Networks Security Target April 10, 2009
2.3.4 Management Interfaces
The TOE supports a number of management interfaces:
Serial Console — The CONSOLE port on the front of the IPS Unit provides access to a limited
Command Line Interface that can be used to perform basic setup.
Command Line Interface over Telnet —An extended CLI can be accessed using a Telnet
session. The CLI provides access to nearly all the IPS Unit‘s configuration and management
commands.
Graphical User Interface Access using HTTP and HTTPS — The Graphical User Interface
(GUI) runs as a Java Web Start™ program over the World Wide Web. The GUI provides
interface windows for configuring and managing the IPS Unit and provides access to context
sensitive online help. The Java Web Start™ application, which communicates with the TOE to
manage the TOE, is also included in the TOE. The application is loaded from the IPS 5500 E
onto the client host and allows the administrator to affect the IPS 5500 E configuration and load
audit information off the IPS 5500 E.
SNMP — The IPS Unit‘s Simple Network Management Protocol interface provides read-only
access to many of the IPS Unit‘s settings.
IPS Controller — The IPS Controller is a separate product from Top Layer that allows for
central management of multiple IPS Units.
All of the management interfaces described above, except the serial console, can be used to
manage the TOE through a network interface port with management role.
In the evaluated configuration, management of the TOE, apart from the basic setup using the
serial console, is done using the Graphical User Interface (GUI), which connects to the TOE over
HTTPS.
2.4 Logical Boundaries
The security functions provided by the TOE include:
- Security audit
- User Data Protection
- Identification and authentication
- Security management
- Protection of TOE Security Functions
- Trusted Path /Channels
2007 Top Layer Networks. All Rights Reserved. 21
Top Layer Networks Security Target April 10, 2009
2.4.1 Security Audit
During the process of receiving and transmitting traffic, the TOE performs many checks and
operations. Some of these operations, system events, and user-related management interface
tasks produce event messages. The IPS Unit contains a message managing system that makes
these messages available to the user based on the message controls established. These messages
are collected as audit records in Alert logs and Event Log files. The TOE may also be configured
to send messages to remote Syslog and SNMP servers. Only human users with authorized
administrator or monitor privileges have the capability to view the audit data stored on the TOE.
See the corresponding section in the TSS for more detailed information.
2.4.2 User Data Protection
The TOE performs user data protection through the rate based security policy, the firewall
filtering security policy, and the intrusion prevention security policy. The TOE identifies external
IT entities and remote administrator systems by their presumed IP addresses. Only legitimate
external IT entities and authorized administrator systems are granted access to pass information
through the TOE or to the TOE.
See the corresponding section in the TSS for more detailed information.
2.4.3 Identification and Authentication
The TOE provides a password based authentication mechanism to users with the administrator
and monitor role. The TOE communicates with the remote web browser of the administrator
using the HTTPS protocol in order to encrypt the user id, password authentication data, and all
configuration information to maintain secrecy from an attacker. IT Entities are identified by their
presumed IP addresses. Access to security functions and data is prohibited until a user is
identified and authenticated.
See the corresponding section in the TSS for more detailed information.
2.4.4 Security Management
The TOE maintains administrator and monitor user management roles.
The TOE allows only authorized users with appropriate privileges to administer and manage the
TOE. An administrative user can connect through an encrypted web interface using SSL for
secrecy. Only authorized administrators may modify the TSF data related to the TSF, security
attributes, and authentication data.
See the corresponding section in the TSS for more detailed information.
2.4.5 Protection of TOE Security Functions
The TOE transfers all the packets passing through the TOE only after processing the traffic
based on the traffic attributes.
The TOE restricts management access to its interfaces by requiring users to log into the TOE
using its GUI. HTTPS is used to protect the connection between the web browser in the IT
2007 Top Layer Networks. All Rights Reserved. 22
Top Layer Networks Security Target April 10, 2009
Environment and the appliance. The TOE relies on Top Layer appliance hardware to ensure the
TSP is enforced and to provide for domain separation. The TOE hardware appliance includes its
own hardware clock, which provides reliable time stamps for use in audit and collected data
records.
See the corresponding section in the TSS for more detailed information
2.4.6 Trusted Path/Channels
The TOE, in conjunction with the IT environment, protects the TSF data from unauthorized
disclosure or modification of TSF data when it is being transmitted between the IPS Unit and the
management GUI on the remote management station.
See the corresponding section in the TSS for more detailed information.
2.5 Functionality Not Included in the TOE Scope
The following features do not contribute to meeting any of the Security Functional Requirements
(SFRs) and are not included in the TOE scope:
- VLAN Support
- Management of the IPS with an IPS Controller, Command Line Interface over Telnet
and SNMP (Get function)
- Usage of the TOE with other Top Layer supporting products (Network Security
Analyzer, IPS Controller, TopResponse Software)
- Note: The functionality/protocol used by the TopResponse product to automatically
update signatures is included in the scope of the evaluation. The TSFI for this
functionality is included in the scope of the evaluation, documented in the FSP and is
verified during testing. Hence the capability of the TOE to download latest set of
“TopLayer Protection Packs” is included in the Scope of the evaluation.
- Usage of Graphs, Reports and Statistics
2007 Top Layer Networks. All Rights Reserved. 23
Top Layer Networks Security Target April 10, 2009
3 TOE Security Environment
The TOE is intended to be used in environments in which sensitive information is processed.
This section contains assumptions regarding the security environment and the intended usage of
the TOE and threats to the TOE and the IT environment.
3.1 Assumptions
The assumptions are ordered into three categories: usage assumptions, personnel assumptions
and physical environment assumptions.
3.1.1 Usage Assumptions
A.CONNECT The TOE will separate the network on which it is installed and operates into
external, internal and management networks. Information cannot flow between
the external and internal networks without passing through the TOE.
A.BACKUP Administrators will back up the audit files, configuration files and monitor disk
usage to ensure audit information is not lost.
3.1.2 Personnel Assumptions
A.NOEVIL There will be one or more competent individuals assigned to manage the TOE and
the security of the information it contains. The authorized administrators are not
careless, willfully negligent, or hostile, and will follow and abide by the
instructions provided by the TOE documentation.
A.AUTH It is assumed that administrators will protect their authentication data.
3.1.3 Physical Environment Assumptions
A.PHYSICAL The TOE hardware and software critical to security policy enforcement will be
protected from unauthorized physical modification and the processing resources
of the TOE will be located within controlled access facilities, which will prevent
unauthorized physical access.
3.2 Threats
The TOE addresses the threats identified in this section. The threat agents are authorized
persons/processes, unauthorized persons/processes, or external IT entities not authorized to use
the TOE itself. The threats identified assume that the threat agent is a person with a low attack
potential who possesses an average expertise, few resources, and low to moderate motivation.
The assumed level of expertise of the attacker is unsophisticated, with access to only standard
equipment and public information about the product.
2007 Top Layer Networks. All Rights Reserved. 24
Top Layer Networks Security Target April 10, 2009
3.2.1 Threats Addressed by the TOE
The TOE addresses the threats discussed below.
T.NOAUTH An unauthorized person may attempt to bypass the security of the TOE so as to
access and use security functions and/or non-security functions provided by the
TOE.
T.MANAGE An unauthorized person or unauthorized external IT entity may be able to view,
modify, and/or delete TSF data on the TOE
T.PROCOM An unauthorized person or unauthorized external IT entity may be able to view,
modify, and/or delete security related information that is sent between a remotely
located authorized administrator and the TOE.
T.REPEAT An unauthorized person may repeatedly try to guess authentication data in order
to use this information to launch attacks on the TOE.
T.AUDIT Unauthorized attempts by users and external IT entities to access network
resources through the TOE, TOE data or TOE security functions may go
undetected because the actions they conduct are not audited or audit records are
not reviewed, thus allowing an attacker to escape detection.
T.RATEBASED
An External IT Entity may exhaust service resources of the TOE or systems by
passing information flows thorough the TOE.
T.ADDRESSSPOOF
An External IT Entity may illegitimately gain access to networks through the
TOE by spoofing source IP address.
T.UNDESIREDACCESS
An External IT Entity may send impermissible information through the TOE,
which results in the exploitation of resources.
T.CONTENTBASED
An External IT Entity may attack or tamper resources by sending information
flows through the TOE, which contain malicious data or malicious inclusion of
payloads that is otherwise well formed
3.3 Organisational Security Policies
There are no organizational security policies defined for this TOE.
2007 Top Layer Networks. All Rights Reserved. 25
Top Layer Networks Security Target April 10, 2009
4 Security Objectives
This chapter describes the security objectives for the TOE and the TOE‘s operating environment.
The security objectives are divided between TOE Security Objectives (i.e., security objectives
addressed directly by the TOE) and Security Objectives for the Operating Environment (i.e.,
security objectives addressed by the IT domain or by non-technical or procedural means).
4.1 Security Objectives For The TOE
This section defines the IT security objectives that are to be addressed by the TOE.
O.IDAUTH The TOE must uniquely identify and authenticate the claimed identity of all
administrative users, before granting an administrative user access to TOE
functions.
O.SELFPROTECTION
The TOE must protect itself against attempts by unauthorized users to bypass,
deactivate, or tamper with TOE security functions.
O.MANAGE
The TOE must protect stored TSF data from unauthorized disclosure,
modification, or deletion.
O.ADMINISTRATION
The TOE must provide all the functions necessary to support the authorized users
in their management of the security of the TOE. The TOE must provide the
capability to allow or disallow remote administration of the TOE.
O.AUDIT The TOE must provide a means to record, store and review security relevant
events in audit records to trace the responsibility of all actions regarding security.
O.ALERT The TOE must provide a record of the attacks detected and blocked by the TOE.
O.AUDITPROTECT
The TOE must provide the capability to protect audit information residing on the
TOE.
O.UNDESIREDACCESS
The TOE must control unauthorized information flow between internal and
external networks based on security policies.
O.RATEBASED
The TOE must limit resource usage to an acceptable level (stop legitimate clients
from overusing resources and stop DDoS and other network flooding attacks).
The TOE must be able to serve as a rate based controller and police both
malicious users who attempt to flood the network with DoS and DDoS attacks,
and authorized users who may overuse resources.
O.CONTENTBASED
2007 Top Layer Networks. All Rights Reserved. 26
Top Layer Networks Security Target April 10, 2009
The TOE must filter the content in the information flows through the TOE to
prevent malicious intruders from exploiting system vulnerabilities or network
based protocol weaknesses, as well as more direct attacks through e-mail based
worms and viruses.
O.TIME The TOE must provide a reliable clock to maintain the system time.
O.TRANSMISSION
The TOE must provide a HTTPS session for communication between the User
Management GUI on the Management Station and the TOE.
Application Note: A Management Station is a workstation on the management network that the
TOE administrator uses to access the TOE using an HTTPS enabled web browser. There can
be one or more Management stations.
4.2 Security Objectives For The Environment
The following are the IT security objectives that are to be addressed by Environment
OE.AUDIT The IT environment must provide a long term audit and alert store for the TOE.
OE.PROTECT
The IT environment must protect itself against attempts by unauthorized users to
bypass, de-activate, or tamper with its security functions.
OE.TIME The IT environment must be configured with an NTP server that is able to provide
reliable time to the TOE.
The following are the non technical IT security objectives that are to be addressed by the
Environment. The non-IT security objectives for the environment listed below are to be satisfied
without imposing technical requirements on the TOE. Thus, they will be satisfied through
application of procedural or administrative measures.
ON.CONNECT
Those responsible for the TOE must ensure that the TOE is installed and operated
on a network and separates the network into external, internal and management
networks. Information cannot flow between the networks without passing through
the TOE.
ON.BACKUP Those responsible for the TOE must ensure that the audit files, configuration files
are backed up and disk usage is monitored to ensure audit information is not lost.
ON.NOEVIL Those responsible for the TOE must ensure that there will be one or more
competent individuals assigned to manage the TOE and the security of the
information it contains and the authorized administrators are not careless,
willfully negligent, or hostile, and will follow and abide by the instructions
provided by the TOE documentation.
ON.AUTH Those responsible for the TOE must ensure that they protect their authentication
data.
2007 Top Layer Networks. All Rights Reserved. 27
Top Layer Networks Security Target April 10, 2009
ON.PHYSICAL Those responsible for the TOE must ensure that the TOE hardware and software
critical to security policy enforcement will be protected from unauthorized
physical modification and the processing resources of the TOE will be located
within controlled access facilities, which will prevent unauthorized physical
access.
2007 Top Layer Networks. All Rights Reserved. 28
Top Layer Networks Security Target April 10, 2009
5 IT Security Requirements
The security requirements that are levied on the TOE are specified in this section of the ST. This
ST does not define any security functional requirements to be levied on the IT environment. The
security requirements levied on the TOE are defined in Sections 5.1 - 5.2.
Table 5-1: Security Functional Requirements for the TOE
Item SFR ID SFR Title
1 FAU_GEN.1 Audit data generation
2 FAU_GEN.2 User identity association
3 FAU_SAA.1 Potential violation analysis
4 FAU_ARP.1 Security alarms
5 FAU_SAR.1 Audit review
6 FAU_SAR.3 Selectable Audit Review
7 FAU_SEL.1 Selective Audit
8 FAU_STG.1 Protected Audit Trail Storage
9 FDP_IFC.1(1) Subset information flow control (1)
10 FDP_IFF.1(1) Simple security attributes (1)
11 FDP_IFC.1(2) Subset information flow control (2)
12 FDP_IFF.1(2) Simple security attributes (2)
13 FIA_AFL.1 Authentication failure handling
14 FIA_ATD.1 User attribute definition
15 FIA_UAU.1 Timing of Authentication
16 FIA_UAU.7 Protected authentication feedback
17 FIA_UID.2 User identification before any action
18 FMT_MOF.1 Management of security functions behaviour
19 FMT_MSA.3 Static attribute initialisation
20 FMT_MSA.1 Management of security attributes
21 FMT_SMF.1 Specification of Management Functions
22 FMT_MTD.1 Management of TSF data
23 FMT_SMR.1 Security roles
24 FPT_TST.1 TSF Self-Testing
25 FPT_FLS.1 Failure with preservation of secure state
26 FPT_RVM_EXP.1 Partial Non-bypassability of the TSP
27 FPT_SEP_EXP.1 Partial TSF domain separation
28 FPT_STM_EXP.1 Reliable time stamps
29 FTP_TRP.1 Trusted Path
2007 Top Layer Networks. All Rights Reserved. 29
Top Layer Networks Security Target April 10, 2009
5.1 TOE Security Functional Requirements
The SFRs defined in this section are taken from Part 2 of the CC.
5.1.1 Security Audit (FAU)
5.1.1.1 FAU_GEN.1 Audit data generation
Hierarchical to: No other components
FAU_GEN.1.1 The TSF shall be able to generate an audit record of the following
auditable events:
a) Start-up and shut-down of the audit functions;
b) All auditable events for the [not specified] level of audit; and
c) [ Auditable events in Table below ]
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity, and the outcome (success or
failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional
components included in the PP/ST, [information specified in table below ]
Dependencies: FPT_STM.1 Reliable time stamps
Table 5-2: Auditable Events
Functional Auditable Events Additional Information
Component ID
FAU_ARP.1 Actions taken due to imminent security
Type of Alarm Generated.
violations.
FAU_SAA.1 Enabling and disabling of any of the analysis Authorized administrator User
mechanism Identity
FAU_SEL.1 All modifications to the audit configuration that Authorized administrator User
occur while the audit collection function is Identity
operating.
FDP_IFF.1(1) Decision to permit requested information flows Information of the Packet,
FDP_IFF.1(2) severity the Rule Name of the
Rule that Triggered the
decision
FIA_AFL.1 Reaching the threshold of unsuccessful User Name presented to the
authentication attempts and the action taken TOE during Identification and
Authentication
2007 Top Layer Networks. All Rights Reserved. 30
Top Layer Networks Security Target April 10, 2009
Functional Auditable Events Additional Information
Component ID
FIA_UAU.1 Successful and Unsuccessful authentication User Name presented to the
attempt TOE during Identification and
Authentication
FIA_UID.2 Successful and Unsuccessful user identification User Name presented to the
TOE during Identification and
Authentication
FMT_SMF.1 Use of the security management functions User name of the authorized
administrator making the
change.
FMT_SMR.1 Modifications to the group of administrator that User name of the authorized
are part of a role administrator making the
change.
FPT_STM_EXP.1 Changes to the time
FMT_MSA.1 All modifications to security attributes Modified security attribute
values
FMT_MSA.3 Modifications to the basic setup of allowing Modified security attribute
rules or restriction rules All modifications to the values
default value of security attributes
FMT_MTD.1 All modifications to the TSF data Modified TSF data – values
before modification and after
modification
FPT_TRP.1 Failures of the trusted path functions.
5.1.1.2 FAU_GEN.2 User identity association
Hierarchical to: No other components
FAU_GEN.2.1 The TSF shall be able to associate each auditable event with the identity of the
user that caused the event.
Dependencies: FAU_GEN.1 Audit data generation
FIA_UID.1 Timing of identification
Application Note: When the user is a human user (administrator or monitor), the user identity is
associated with the event. When the event is associated with an IT entity the presumed source
IP address of the IT entity is associated with the event.
5.1.1.3 FAU_SAA.1 Potential violation analysis
Hierarchical to: No other components
FAU_SAA.1.1 The TSF shall be able to apply a set of rules in monitoring the audited events and
2007 Top Layer Networks. All Rights Reserved. 31
Top Layer Networks Security Target April 10, 2009
based upon these rules indicate a potential violation of the TSP.
FAU_SAA.1.2 The TSF shall enforce the following rules for monitoring audited events:
a) Accumulation or combination of [
All Hardware and Software failures detected by the TSF
IPS Unit operational events crossing Event Thresholds
Other rules for the events defined in FAU_GEN.1, added by an authorized
administrator
] known to indicate a potential security violation
b) [none]
Dependencies: FAU_GEN.1 Audit data generation
5.1.1.4 FAU_ARP.1 Security alarms
Hierarchical to: No other components.
FAU_ARP.1.1 The TSF shall take [
one or more of the following actions:
generate SNMP Traps
Send Message via the IPS Console Port to an authorized administrator
Generate and Log Audit Records
Send Message to Syslog server
Block the attack
]
upon detection of a potential security violation.
Dependencies: FAU_SAA.1 Potential violation analysis
5.1.1.5 FAU_SAR.1 Audit review
Hierarchical to: No other component
FAU_SAR.1.1 The TSF shall provide [Administrator and Monitor] with the capability to read
[all audit data] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to
interpret the information.
Dependencies: FAU_GEN.1 Audit data generation
Application Note: Only Audit data that resides on the TOE can be reviewed by Administrators
and Monitors. Audit data collected by Syslog servers and SNMP servers can not be reviewed
2007 Top Layer Networks. All Rights Reserved. 32
Top Layer Networks Security Target April 10, 2009
using the local audit review GUI.
5.1.1.6 FAU_SAR.3 Selectable audit review
Hierarchical to: No other components
FAU_SAR.3.1 The TSF shall provide the ability to perform searching and sorting of audit data
based on [
All possible combinations of the following fields:
Severity
IP address of the IT identity
Protocol
Rule Name
Date and Time
Physical port that received this traffic
Type of event
Dependencies: FAU_SAR.1 Audit review
5.1.1.7 FAU_SEL.1 Selective audit
Hierarchical to: No other components
FAU_SEL.1.1 The TSF shall be able to include or exclude auditable events from the set
of audited events based on the following attributes:
a) [
Message Type i.e. Event type
]
b) [
The Rule that Triggered the Message
Severity
]
Dependencies: FAU_GEN.1 Audit data generation
FMT_MTD.1 Management of TSF data
5.1.1.8 FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components
2007 Top Layer Networks. All Rights Reserved. 33
Top Layer Networks Security Target April 10, 2009
FAU_STG.1.1 The TSF shall protect the stored records from unauthorized deletion.
FAU_STG.1.2 The TSF shall be able to [ prevent ] unauthorized modifications to the audit
records in the audit trail.
Dependencies: FAU_GEN.1 Audit data generation
Application Note: Audit data resides on the TOE hardware appliance and can only be accessed
using the management GUI. The TOE does not allow unauthorized modifications to the audit
data residing on it through any of its management GUIs. The management GUI does not
provide an option for administrators and monitors to delete audit data. The TOE automatically
deletes old audit data when audit storage is exhausted.
5.1.2 User Data Protection (FDP)
5.1.2.1 FDP_IFC.1 (1) Subset information flow control (1)
Hierarchical to: FDP_IFC.1
FDP_IFC.1.1 The TSF shall enforce the [ Rate Based Security Policy ] on:
[
a) Subject:
Source Subjects: External IT Entities requesting Server TCP connections and
UDP flows through the TOE (Clients)
Destination Subjects: External IT Entities accepting TCP Client connections
and UDP flows through the TOE (Servers)
b) Information:
TCP Service Connections and UDP Service flows information on
the TOE between source subjects and destination subjects
c) Operation:
Establish a TCP connection through the TOE
Establish a UDP flow through the TOE
]
Dependencies: FDP_IFF.1 Simple security attributes
5.1.2.2 FDP_IFF.1 (1) Simple security attributes (1)
Hierarchical to: No other components.
FDP_IFF.1.1 The TSF shall enforce the [ Rate Based Security Policy ] based on the types of
subject and information security attributes: [
2007 Top Layer Networks. All Rights Reserved. 34
Top Layer Networks Security Target April 10, 2009
a) Subject security attributes:
Source Subjects: Presumed IP address of the Client
Destination Subject: Presumed IP address of the Server
b) Information security attributes:
Client ( IP address)
Client Group ( IP address range of a group of Clients)
Server (IP address)
Server Group ( IP address range of Server Group)
Service requested by each Client
Connection Limiting Attributes
- Total simultaneous TCP connections for each Client
- Total simultaneous TCP connections from each client Group
- Total simultaneous TCP connections to each Server
- Total Simultaneous TCP connections to each Server Group
Request Limiting Attributes
- Total Number of TCP connection requests or UDP flow requests
made by each client in any one minute period for each service
- Total Number of TCP connection requests or UDP flow requests
made by each client in any one minute period for all services
SYN Flood Limiting Attributes
- Total Number of incomplete SYN requests outstanding from each
client and client group
- Total Number of incomplete SYN requests outstanding for each
server and server group
Request Limit
Connection Limit
SYN flood Limit
]
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject
and another controlled subject via a controlled operation if the following rules hold:
2007 Top Layer Networks. All Rights Reserved. 35
Top Layer Networks Security Target April 10, 2009
[
All the three rules (a), (b) and (c) must be satisfied:
a) A TCP or UDP Service Information flow from a Client to a Server is allowed if
- Total Number of TCP connection requests or UDP flow requests
made by the client in any one minute period for that specific service
and
- Total Number of TCP connection requests and UDP flow requests
made by the client in any one minute period for all the services
are with in the Request Limit values.
b) A TCP Service Information flow from a Client to a Server is allowed if
- the number of simultaneous TCP connections for that client,
- the number of simultaneous TCP connections for the client in the
client group,
- the number of simultaneous TCP connections for the Server and
- The number of simultaneous TCP connections for the Server Group
of the Server
are with in the Connection Limit values.
c) A TCP Service Information flow from a Client to a Server is allowed if
o Number of incomplete SYN requests outstanding from the client
and
o Number of incomplete SYN requests outstanding to the Server
group
are with in the SYN Flood Limit values.
]
FDP_IFF.1.3 The TSF shall enforce the
[
None
].
FDP_IFF.1.4 The TSF shall provide the following
[
Capability to:
Copy the associated traffic of an information flow to the Discard port.
2007 Top Layer Networks. All Rights Reserved. 36
Top Layer Networks Security Target April 10, 2009
].
FDP_IFF.1.5 The TSF shall explicitly authorize an information flow based on the
following rules:
[ unidirectional information flow where the source is the TOE ].
FDP_IFF.1.6 The TSF shall explicitly deny an information flow based on the following rules:
[
None
]
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialisation
5.1.2.3 FDP_IFC.1 (2) Subset information flow control (2)
Hierarchical to: No other components
FDP_IFC.1.1 The TSF shall enforce the [ Firewall + IPS Security Policy ] on:
[
a) Subject:
Source Subjects: TOE interface on which information is received Destination
Subjects: TOE interface to which information is destined;
a) Information :
Network packets sent through the TOE from the subject
to another
b) Operation :
Pass information
]
Dependencies: FDP_IFF.1 Simple security attributes
5.1.2.4 FDP_IFF.1 (2) Simple security attributes (2)
Hierarchical to: No other components
FDP_IFF.1.1 The TSF shall enforce the [ Firewall + IPS Security Policy ] based on the
following types of subject and information security attributes:
2007 Top Layer Networks. All Rights Reserved. 37
Top Layer Networks Security Target April 10, 2009
[
a) Subject security attributes:
Source Subjects: set of source subject IP addresses;
Destination Subject: set of destination subject IP addresses;
b) Information security attributes:
FW Traffic Treatment Attributes:
Presumed IP address of the Source
Presumed IP address of the Destination
Service
IPS Traffic Treatment Attributes:
Datalink Layer (MAC) Protocol Header
Network Layer Protocol Header
Transport Layer Protocol Header
Application Protocol Header
Application Payload
]
FDP_IFF.1.2 The TSF shall permit an information flow between a controlled subject and
another controlled subject via a controlled operation if the following rules hold:
[
a) The Firewall Traffic Treatment information security attribute values are
unambiguously permitted by the information flow rules configured by the
administrator
b) The IPS Traffic Treatment information security attribute values are
unambiguously permitted by the information flow rules configured by the
administrator .
The rules are based on the following types of IPS traffic treatment checks:
Network Protocol Checks:
IP:
- IP option value
ICMP:
- Max Ping Length, Max ICMP Length, ICMP Rate
2007 Top Layer Networks. All Rights Reserved. 38
Top Layer Networks Security Target April 10, 2009
TCP:
- All non-SYN packets must be part of an established connection
Application Protocol Checks:
DNS:
- DNS Protocol Settings
FTP:
- FTP authentication settings
- FTP command setting
- FTP Path Settings
HTTP:
- HTTP Start Line Length
- HTTP Request Settings
- HTTP Method Settings
- HTTP URI Settings
- HTTP Header Length settings
- HTTP Host Filter name
-
MSNET (RPC and CIFS)
- CIFS Settings ( Protocol Version, Length of Account name)
- RPC Services (UUID, Stub length)
SSH
- SSH Protocol Version
- Client Message Length
- SSH Plain text message length
SMTP
- SMTP Command
- Attachment
Telnet
- Environment Variables
- Telnet Options
- Telnet User Account name
Attack Signatures:
- ASCII printable character strings
- Sequence of binary bytes
Packet Base Checks:
Mangled/Defective traffic based on:
IP/ARP Packet and Layer 2 (MAC) Header Checks
2007 Top Layer Networks. All Rights Reserved. 39
Top Layer Networks Security Target April 10, 2009
FDP_IFF.1.3 The TSF shall enforce the
[
Following rules:
a) prior to applying the information policy rule set, the TOE
statefully inspects, reorders and assembles packets for proper
analysis
]
Application Note: The IPS Unit records critical information about each packet in a flow record
stored in its Flow Table, an internal memory structure. Recording this information enables the
IPS Unit to statefully inspect each packet and to reorder packets for proper analysis. At the start
of each transaction, the IPS Unit creates or "sets up" the appropriate Flow Table entries. The
IPS Unit checks these entries when it receives subsequent packets of that transaction.
FDP_IFF.1.4 The TSF shall provide the following
[
Capability to:
Copy the associated traffic of an information flow to the Discard port.
Block IP Fragments
Block TCP Mid-flows
Reject an information flow by sending a TCP reset packet
Copy the associated traffic of an information flow to the ports in the mirror group.
Bypass the application of the information policy rule set during System Reset of
the TOE (Bypass During System Reset Mode)
Application notes:
IP Fragments:
When an incoming network packet is too large for the network equipment to handle, the
following may occur:
The packet can be fragmented and sent on to its destination within the network.
An ICMP error indication (MTU Exceeded) can be returned to the source and the source
can then send the information as smaller packets.
Because fragments are often used as sources of attacks, it is preferable to block fragments for
all applications. Instead of allowing fragments (since most networks support Path Max
Transmission Unit Discovery [MTU discovery]), send the packet back to the source for
repackaging. If an application must use fragments, it can be configured as an exception.
2007 Top Layer Networks. All Rights Reserved. 40
Top Layer Networks Security Target April 10, 2009
Mid-flows:
Many types of attacks use common scanning techniques, which create incomplete TCP
connections to locate vulnerabilities. Examples of such attacks include the FIN ACK Sweep,
Xmas Tree, and Null scans. The IPS Unit watches for proper TCP connection setup and tear-
down processes and when it identifies incomplete TCP connections, it categorizes this traffic as
mid-session (midflow) traffic. When configured, , the IPS Unit drops midflows, and, therefore,
prevents attacks that use incomplete TCP connections. If the IPS Unit is configured to drop
traffic when it does not detect a proper session setup, in most cases, the dropped traffic simply
causes the clients to retry the connection, often without any noticeable effect on end users.
Top Layer strongly recommends that the customer implement a security policy to drop TCP mid-
session traffic. Failing to do so can allow attacks to circumvent the mitigation features of the IPS
Unit.
Mirror Flow:
The mirror group uses the Round Robin algorithm to balance traffic among the Mirror ports.
Bypass during Reset:
The IPS Unit starts out performing in Never Bypass mode, checking and mitigating all
traffic, but performs in Always Bypass mode (passes all traffic) if there is a software failure
and the IPS Unit needs to reboot. Once the IPS Unit resumes normal operation, it returns to full
mitigation behavior. Bypass during System Reset mode is useful once the customer has
completed testing the IPS Unit and wants to mitigate traffic, but also wants to pass unchecked
traffic during a software failure rather than block unchecked traffic.
FDP_IFF.1.5 The TSF shall explicitly authorize an information flow based on the following rules:
[ unidirectional information flow where the source is the TOE ]
FDP_IFF.1.6 The TSF shall explicitly deny an information flow based on the following
Rules:
[
The rules described in FDP_IFF.1.2 do not exist.
]
Dependencies: FDP_IFC.1 Subset information flow control
FMT_MSA.3 Static attribute initialisation
2007 Top Layer Networks. All Rights Reserved. 41
Top Layer Networks Security Target April 10, 2009
5.1.3 Identification and Authentication (FIA)
5.1.3.1 FIA_AFL.1 Authentication failure handling
Hierarchical to: No other components
FIA_AFL.1.1 The TSF shall detect when [ an authorized administrator configurable positive
integer within the range 1 to 999 ] unsuccessful authentication attempts occur related to [
administrator authentication attempts ].
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met
or surpassed, the TSF shall [ prevent authentication until an action is taken by the
authorized administrator to unlock the user account . The TSF shall not allow the last or
only user account to be completely locked out ].
Application Note: The TOE does not allow the last or only administrator account to be
completely locked out. This prevents the TOE from becoming completely unmanageable.
5.1.3.2 FIA_ATD.1 User attribute definition
Hierarchical to: No other components
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to
individual authorized administrators:
[
User Name
User’s current Status (active, inactive, or locked)
Level of User Privileges
User password
Expiration time allowed for the user’s password
Group
]
Dependencies: No dependencies
5.1.3.3 FIA_UAU.1 Timing of Authentication
Hierarchical to: No other components.
FIA_UAU.1.1 The TSF shall allow [Receipt of information flows from external IT entities for
TSP enforcement] on behalf of the user to be performed before the user is authenticated.
FIA_UAU.1.2 The TSF shall require each user to be successfully authenticated before allowing
any other TSF-mediated actions on behalf of that user.
Dependencies: FIA_UID.1 Timing of identification
5.1.3.4 FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components
2007 Top Layer Networks. All Rights Reserved. 42
Top Layer Networks Security Target April 10, 2009
FIA_UAU.7.1 The TSF shall provide only [ user ID, “*” for each password character
provided, success or deny message ] to the administrator while the authentication is in
progress.
5.1.3.5 FIA_UID.2 User identification before any action
Hierarchical to: FIA_UID.1 Timing of identification
FIA_UID.2.1 The TSF shall require each user to identify itself before allowing any other TSF-
mediated actions on behalf of the user.
Dependencies: No dependencies
Application Note: All users, whether authenticated or not, will always be identified. External IT
Entities will be identified by an IP address. Authorized administrators will be identified by “User
Name”.
5.1.4 Security Management (FMT)
5.1.4.1 FMT_MOF.1 Management of security functions behaviour
Hierarchical to: No other components
FMT_MOF.1.1 The TSF shall restrict the ability to [ behaviour specified in table below ] the
functions [specified in table below ] to [ specified in table below ].
Table 5-3: Management of security functions behaviour
Behaviour Functions Users
Auditing,
determine the behaviour of, Administrator
disable, enable, modify the Identification and
behaviour of Authentication
Reboot
Enable Administrator
Auditing
determine the behaviour of Monitor
Identification and
Authentication
Dependencies:FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
2007 Top Layer Networks. All Rights Reserved. 43
Top Layer Networks Security Target April 10, 2009
5.1.4.2 FMT_MSA.1 Management of security attributes
Hierarchical to: No other components
FMT_MSA.1.1 The TSF shall enforce the [ Rate Based Security Policy , Firewall + IPS
Security Policy] to restrict the ability to [ manipulate ] the security attributes [ listed in
FDP_IFF.1.1(1) and FDP_IFF.1.1(2) ] to [ administrator ].
Dependencies: [FDP_ACC.1 Subset access control or
FDP_IFC.1 Subset information flow control]
FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
Application Note: The term “manipulate” is used to indicate that the security attributes in
FDP_IFF.1.1(1) and FDP_IFF.1.1(2) may be used to create additional “attributes” that can be used
in specifying information flow policy rules.
The administrators do not manage or change the packet attributes.
5.1.4.3 FMT_MSA.3 Static attribute initialisation
Hierarchical to: No other components.
FMT_MSA.3.1 The TSF shall enforce the [Rate Based Security Policy , Firewall + IPS
Security Policy ] to provide restrictive default values for security attributes that are used to
enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [administrator ] to specify alternative initial values to
override the default values when an object or information is created.
Dependencies:FMT_MSA.1 Management of security attributes
FMT_SMR.1 Security roles
5.1.4.4 FMT_MTD.1 Management of TSF data
Hierarchical to: No other components
FMT_MTD.1.1 The TSF shall restrict the ability to [ see operations specified in Table below ]
the [ TSF Data as specified in Table below] to [the authorized user as specified in the
Table below ].
Table 5-4 Management of TSF Data
2007 Top Layer Networks. All Rights Reserved. 44
Top Layer Networks Security Target April 10, 2009
Administrator/
Security Function Operation TSF data
Monitor
Security Audit View and Configure Security Logs and Administrator
Report settings
View Security Logs and Monitor
Report settings
Identification and Create, Modify and Users with User Administrator
Authentication Delete attributes defined in
FIA_ATD.1
View Users with User Monitor
attributes defined in
FIA_ATD.1 except
password
View, Modify Global User account Administrator
Security Settings:
Password Length,
Allowed Characters,
Expiration time
frame, History
Depth, Number of
allowed
unsuccessful login
attempts
View Global User account Monitor
Security Settings
View, Unlock Locked accounts Administrator
View Locked accounts Monitor
Security Configure HTTP Service, Administrator
Management HTTPS Service,
SNMP,
Telnet Service,
IPS Controller
View HTTP Service, Monitor
HTTPS Service,
SNMP,
Telnet Service,
IPS Controller
View and Configure Rate Based Security Administrator
Policy
View Rate Based Security Monitor
Policy
View and Configure FW + IPS Security Administrator
Policy
View FW + IPS Security Monitor
Policy
View, Configure Port Settings Administrator
View Port Settings Monitor
View, Configure Time Settings Administrator
Time Zone Settings
2007 Top Layer Networks. All Rights Reserved. 45
Top Layer Networks Security Target April 10, 2009
Administrator/
Security Function Operation TSF data
Monitor
View Monitor
Time Settings
Time Zone Settings
View System Information Administrator,
Port Statistics Monitor
MAC Address Table
ARP Table
Current Application
Connections
View Blocked and Administrator,
Detected Attacks Monitor
View Dropped Packet
Statistics
Reset SYN Flood and Administrator
Connection Counters
Reset to Factory Configuration Files Administrator
Defaults
Activate, upload and Configuration Files Administrator
download
Update IPS Units Software Administrator
View, Modify Port configuration, Administrator
including bypass
setting, port pairs,
speeds.
View Port configuration, Monitor
including bypass
setting, port pairs,
speeds.
Dependencies:FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
Application Note: Any logged on user will have at a minimum the Monitor Role privileges and
can perform all the Monitor functions.
5.1.4.5 FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components
FMT_SMF.1.1 The TSF shall be capable of performing the following security
management functions: [
a) Management of security function behaviour
Items specified in FMT_MOF.1
b) Management of security attributes
Items specified in FMT_MSA.1, FMT_MSA.3
2007 Top Layer Networks. All Rights Reserved. 46
Top Layer Networks Security Target April 10, 2009
c) Management of TSF data
Items specified in FMT_MTD.1
d) Management of security roles
Items specified in FMT_SMR.1
]
Dependencies: No Dependencies
5.1.4.6 FMT_SMR.1 Security roles
Hierarchical to: No other components
FMT_SMR.1.1 The TSF shall maintain the roles
[
Administrator
Monitor
]
FMT_SMR.1.2 The TSF shall be able to associate users with roles.
Dependencies: FIA_UID.1 Timing of identification
5.1.5 Protection of TSF (FPT)
5.1.5.1 FPT_TST.1 TSF self-testing
Hierarchical to: No other components
FPT_TST.1.1 The TSF shall run a suite of tests [during each start-up] to demonstrate the
correct operation of [the TSF].
Dependencies: No dependencies
5.1.5.2 FPT_FLS.1 Failure with preservation of secure state
Hierarchical to: No other components
FPT_FLS.1.1 The TSF shall preserve a secure state when the following types of
failures occur: [
Power Failure
]
Dependencies: ADV_SPM.1 Informal TOE security policy model
Application Note:
Secure State for this product is defined as the state when the TOE (IPS Unit) inspects all traffic,
mitigates problem traffic, and records all information. All traffic flows through the IPS Unit’s
2007 Top Layer Networks. All Rights Reserved. 47
Top Layer Networks Security Target April 10, 2009
functions. If power fails, the IPS Unit acts as an open wire and does not forward any traffic. This
provides the most protection and ensures that, in case of failure, unchecked traffic will not pass.
This state is also known as “Fail Close” in firewall terminology (closes the door to all traffic).
The IPS Unit can support dual power supplies and will continue to function when its primary
power supply fails. However, the IPS Unit does not pass traffic if there is a failure of all power
to the unit, or other hardware-based failure.
5.1.6 Trusted Path/Channels (FTP)
5.1.6.1 FTP_TRP.1 Trusted Path
FTP_TRP.1.1 The TSF shall provide a communication path between itself and [remote] human
users on management network that is logically distinct from other communication paths and
provides assured identification of its end points and protection of the communicated data from
modification or disclosure.
FTP_TRP.1.2 The TSF shall permit [remote human users on management network ] to
initiate communication via the trusted path.
FTP_TRP.1.3 The TSF shall require the use of the trusted path for [initial human users on
management network authentication, [subsequent management of TOE]].
Dependencies: No dependencies
5.2 Explicitly Stated TOE Security Functional Requirements
5.2.1 Protection of TSF (FPT)
5.2.1.1 FPT_STM_EXP.1 Reliable time stamps
Hierarchical to: No other components
FPT_STM_EXP.1.1 The TSF with the support of an NTP Server in the IT environment shall be
able to provide reliable time stamps for its own use.
Dependencies: No dependencies
5.2.1.2 FPT_RVM_EXP.1 Partial Non-bypassability of the TSP
Hierarchical to: No other components
FPT_RVM_EXP.1.1 The IPS Unit appliance portion of the TSF shall ensure that the TSP
enforcement functions are invoked and succeed before each function within the IPS Unit
appliance portion’s scope is allowed to proceed.
FPT_RVM_EXP.1.2 The software portion of the TSF executing in the GUI on the Management
Station, when invoked by the underlying OS, shall ensure that TSP enforcement functions are
invoked and succeed before each function within the TSF software portion’s scope of control is
allowed to proceed.
2007 Top Layer Networks. All Rights Reserved. 48
Top Layer Networks Security Target April 10, 2009
Dependencies: No dependencies
5.2.1.3 FPT_SEP_EXP.1 Partial TSF domain separation
Hierarchical to: No other components
FPT_SEP_EXP.1.1 The IPS Unit appliance portion of the TSF shall maintain a security domain
for its own execution that protects it from interference and tampering by untrusted subjects.
FPT_SEP_EXP.1.2 The software portion of the TSF executing in the GUI on the Management
Station shall maintain a security domain that protects it from interference and tampering by
untrusted subjects initiating actions through its own TSFI.
FPT_SEP_EXP.1.3 The TSF shall enforce separation between the security domains of subjects
in the TSC.
Dependencies: No dependencies
5.3 Security Requirements for the IT Environment
Table below lists the Security Functional Requirements provided by the IT Environment. The
SFRs defined in this section are taken from Part 2 of the CC.
.
Table 5-5: Security Functional Requirements for the IT Environment
Component Component Name
1 1FAU_STG_ENV.1 Partial protected audit trail storage
2 FIA_UAU_ENV.1 User Authentication before any action
3 FIA_UID_ENV.1 User identification before any action
4 FPT_RVM_ENV.1 Partial non-bypassability of the TSP
5 FPT_SEP_ENV.1 Partial TSF domain separation
6 FPT_STM_ENV.1 Partial reliable time stamps
5.3.1 Class FAU: Security audit
FAU_STG_ENV.1 Protected Audit Trail Storage
FAU_STG_ENV.1.1 The remote log servers in the IT Environment shall protect the stored audit
records from unauthorized deletion.
FAU_STG_ENV.1.2 The remote log servers in the IT Environment shall be able to prevent
unauthorized modifications to stored audit records.
2007 Top Layer Networks. All Rights Reserved. 49
Top Layer Networks Security Target April 10, 2009
5.3.2 Class FIA: Identification and Authentication
5.3.2.1 FIA_UAU_ENV.1 User Authentication before Action
FIA_UAU_ENV.1.1 The IT Environment shall require each user to be successfully authenticated
before allowing any other IT Environment-mediated actions
5.3.2.2 FIA_UID_ENV.1 User Identification before any Action
FIA_UID_ENV.1.1 The IT Environment shall require each user to be successfully identified
before allowing any other IT Environment-mediated actions
5.3.3 Class FPT: Protection of the TOE Security Functions
5.3.3.1 FPT_RVM_ENV.1 Non-bypassibility of the IT Environment
FPT_RVM_ENV.1.1 The security functions of the IT environment shall ensure that IT
environment security policy enforcement functions are invoked and succeed before each function
within the scope of control of the IT environment is allowed to proceed.
5.3.3.2 FPT_SEP_ENV.1 Domain Separation in IT Environment
FPT_SEP_ENV.1.1 The security functions of the IT environment shall maintain a security
domain for its own execution that protects it from interference and tampering by untrusted
subjects in the scope and control of the IT environment.
FPT_SEP_ENV.1.2 The security functions of the IT environment shall enforce separation
between the security domains of subjects in the scope of control of the IT environment.
5.3.3.3 FPT_STM_ENV.1 Reliable Time Stamps
FPT_STM_ENV.1.1 The NTP server in the IT Environment shall be able to provide reliable time
stamps for the TOE‘s use.
5.4 TOE Strength of Function Claim
The TOE minimum strength of function is SOF-medium for the Identification and
Authentication security function. This is consistent with the SOF claim for FIA_UAU.1..
5.5 TOE Security Assurance Requirements
The assurance security requirements for this Security Target are taken from Part 3 of the CC.
These assurance requirements compose an Evaluation Assurance Level 4 as defined by the CC.
The assurance components are summarized in the following table.
Table 5-6 - Assurance Requirements: EAL4
2007 Top Layer Networks. All Rights Reserved. 50
Top Layer Networks Security Target April 10, 2009
Assurance Class Assurance Components
ACM: Configuration ACM_AUT.1 Partial CM automation
management
ACM_CAP.4 Generation support and acceptance procedures
ACM_SCP.2 Problem tracking CM coverage
ADO: Delivery and ADO_DEL.2 Detection of modification
operation
ADO_IGS.1 Installation, generation, and start-up procedures
ADV: Development ADV_FSP.2 Fully defined external interfaces
ADV_HLD.2 Security enforcing high-level design
ADV_IMP.1 Subset of the implementation of the TSF
ADV_LLD.1 Descriptive low-level design
ADV_RCR.1 Informal correspondence demonstration
ADV_SPM.1 Informal TOE security policy model
AGD: Guidance documents AGD_ADM.1 Administrator guidance
AGD_USR.1 User guidance
ALC: Life cycle support ALC_DVS.1 Identification of security measures
ALC_LCD.1 Developer defined life-cycle model
ALC_TAT.1 Well-defined development tools
ATE: Tests ATE_COV.2 Analysis of coverage
ATE_DPT.1 Testing: high-level design
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing - sample
AVA: Vulnerability AVA_MSU.2 Validation of analysis
assessment
AVA_SOF.1 Strength of TOE security function evaluation
AVA_VLA.2 Independent Vulnerability Analysis
2007 Top Layer Networks. All Rights Reserved. 51
Top Layer Networks Security Target April 10, 2009
6 TOE Summary Specification
6.1 TOE Security Functions
This section provides a high-level description of the security functions and assurance measures
provided by the TOE to meet the requirements specified in Section 5.
The following table identifies the TOE Security Functions and the Security Functional
Requirements to which they must conform.
Table 6-1: TSF Description
Sub- Sub-function
TSF function description SFR
Security Audit AU-1 Audit data generation FAU_GEN.1
AU-2 User identity association FAU_GEN.2
AU-3 Potential violation FAU_SAA.1
analysis
AU-4 Security alarms FAU_ARP.1
AU-5 Audit review FAU_SAR.1
AU-6 Selectable Audit Review FAU_SAR.3
AU-7 Selective Audit FAU_SEL.1
AU-8 Protected Audit Trail FAU_STG.1
Storage
User Data IFC-1 Rate Based Control FDP_IFC.1(1)
Protection
FDP_IFF.1(1)
IFC-2 Intrusion Prevention FDP_IFC.1(2)
FDP_IFF.1(2)
Identification IA-1 Authentication failure FIA_AFL.1
and handling
Authentication
IA-2 User attribute definition FIA_ATD.1
IA-3 Timing of Authentication FIA_UAU.1
IA-4 Protected authentication
FIA_UAU.7
feedback
IA-5 User identification before FIA_UID.2
any action
Security SM-1 Management of security FMT_MOF.1
Management functions behaviour
SM-2 Static attribute FMT_MSA.3
initialisation
2007 Top Layer Networks. All Rights Reserved. 52
Top Layer Networks Security Target April 10, 2009
Sub- Sub-function
TSF function description SFR
SM-3 Management of security FMT_MSA.1
attributes
SM-4 Specification of FMT_SMF.1
Management Functions
SM-5 Management of TSF FMT_MTD.1
Data
SM-6 Security Roles FMT_SMR.1
Protection of SP-1 TSF Self-Test FPT_TST.1
TSF SP-2 Failure with preservation FPT_FLS.1
of secure state
SP-3 Non-bypassability of the
TSP FPT_RVM_EXP.1
SP-4 TSF domain separation FPT_SEP_EXP.1
SP-5 Reliable time stamps FPT_STM_EXP.1
Trusted Path TC-1 Trusted Path FTP_TRP.1
6.1.1 Security Audit
Enabling Auditing
By default, detailed Alert, System, and Security Event auditing is enabled. Major Administrative
Events, such as logon and logoff, are enabled for auditing by default however detailed
Administrative Events relating to configuration changes are turned off by default. To enable full
Administrative Event auditing go to the IPS GUI and navigate to Configure System-
>Advanced System Configuration -> Audit Logging. In the Audit Logging Dialog Box, check
the Enable audit logging and Send audit data to syslog server(s) check boxes. Then press the
Ok button.
Alert, System, and Security Event auditing can be enabled and disabled by configuring the Event
Logging System. This process is documented in the IPS 5500 and IPS 5500E Configuration and
Management under the Understand Event Logging chapter. The administrator should use this
information to set the level of auditing that is required.
General Event Log Auditing
Administrative Events, System Events, and Alert Events are all audited using the System Log
Viewer. The viewer reads appropriate log file, Audit, Event, or Alert respectively, and allows
the log to be sorted or searched in an easy to use manner.
Because the IPS is a security appliance, all logs are rotated when they are 2 Megabytes in size.
The IPS, therefore, should not be used for long-term storage of audit records. Six versions of
2007 Top Layer Networks. All Rights Reserved. 53
Top Layer Networks Security Target April 10, 2009
each log, however, are kept on the IPS allowing for some degree of history and storage of audit
information locally. These three versions of a log file are identified as the Latest File,
<logtype>.LOG and <logtype>1.LO1, etc., where <logtype> is AUDIT, EVENT, and ALERT
for Administrative Events, System Events, and Alert Events respectively.
For all logs, the Detail section of the log message can be searched using the System Log Viewer
Search feature, which is present on the View Log File screen. This feature allows an
administrator to drill down into a selective view.
Auditing Administrative Events
Administrative Events can be audited by using the System Log Viewer to view, sort, or search
the Audit logs. Using the IPS GUI, navigate to Monitor System ->System Log Viewer. In the
View Log File dialog box, select the Log Type of Audit Log and then select the version of the
Audit log to be viewed.
All Audit logs can be sorted by Day, Time, Event ID, Device, Action, User, Table, or Details.
The Event ID is a Top Layer assigned Event ID associated with the Administrative
Event.
The User is the user that performed the action logged.
The Action is ADD, DELETE, POWER_ON, or UPDATE.
The Table is the MDB database table that was modified by the user.
The Details contain details about the actual modification that took place.
Auditing System Events
System Events can be audited by using the System Log Viewer to view, sort, or search the Event
logs. Using the IPS GUI, navigate to Monitor System ->System Log Viewer. In the View Log
File dialog box, select the Log Type of Event Log and then select the version of the Event log to
be viewed.
All Event logs can be sorted by ID, Day, Time, ID2, Device, or Details.
The ID is a Top Layer assigned Event ID associated with the System Event.
The ID2 is a Top Layer assigned Event ID associated with the System Event with a tln-
<rule-number> format.
The Details contain details about the actual system event that took place.
Auditing Alert Events
Alert Events can be audited by using the System Log Viewer to view, sort, or search the Alert
logs. Using the IPS GUI, navigate to Monitor System ->System Log Viewer. In the View Log
File dialog box, select the Log Type of Alert Log and then select the version of the Alert log to
be viewed.
All Alert logs can be sorted by ID, Day, Time, ID2, Device, or Details.
The ID is a Top Layer assigned Event ID associated with the Alert Event.
The ID2 is a Top Layer assigned Event ID associated with the Alert Event with a tln-
<rule-number> format.
The Details contain details about the actual alert that took place.
2007 Top Layer Networks. All Rights Reserved. 54
Top Layer Networks Security Target April 10, 2009
Auditing Security Events
Auditing of Security Events is described in detail in the IPS 5500 and IPS 5500E Configuration
and Management document under the Security Event Viewer chapter.
6.1.1.1 SA-1 Audit Data Generation (FAU_GEN.1)
Audit records are generated within the TOE by the TSF for the events listed in FAU_GEN.1.
Audit records contain a timestamp, the information of the entity triggering the event (e.g.
username, IP address of subject), and a summary of the event as well as the additional
information listed in Table listed in Section 5.1.1.1.
6.1.1.2 SA-2 User Identity Association (FAU_GEN.2)
For audit events resulting from actions of identified users, the TOE is able to associate each
auditable event with the identity of the user that caused the event. For audit events resulting from
information flows from external IT entities, the TOE is able to associate each auditable event
with the presumed IP address of the IT entity.
6.1.1.3 SA-3 Potential violation analysis (FAU_SAA.1)
The TOE maintains an internal representation of rules to monitor accumulated auditable events,
which determine potential violation of the TSP. For certain IPS Unit operational events,
thresholds can be set to determine when the IPS Unit should generate an event message. When
the IPS Unit crosses a set threshold, it indicates a potential security violation. An example of
event threshold would be very high TCP connection setup rate (35000 connections per sec). The
auditable events are listed in FAU_SAA.1.2 in section 5.1.1.3.
6.1.1.4 SA-4 Security alarms (FAU_ARP.1)
The administrator can configure various methods of generating alarms to indicate potential
security violations. An administrator can configure the TOE to take one or more actions as
specified in the SFR FAU_ARP.1 in section 5.1.1.4.
6.1.1.5 SA-5 Audit review (FAU_SAR.1)
From the administrative interface available through the GUI, an authorized administrator or
monitor can read all the audit data generated by the collection of events monitored by the TOE
components. All audit records are displayed in a manner suitable for the administrator or
monitor. Only Audit data that resides on the TOE can be reviewed by Administrators and
Monitors. Audit data collected by Syslog servers and SNMP servers can not be reviewed using
the local audit review GUI.
6.1.1.6 SA-6 Selectable Audit Review (FAU_SAR.3)
The TSF is able to perform searches and sorting of stored audit data based on various criteria
with logical relations so that they can be reviewed by an authorized administrator. Searching and
2007 Top Layer Networks. All Rights Reserved. 55
Top Layer Networks Security Target April 10, 2009
sorting of Audit data can be based on Severity, IP address of the IT identity, Protocol, Rule
Name, Date and Time, Physical port that received this traffic and Type of event.
6.1.1.7 SA-7 Selective Audit (FAU_SEL.1)
The TSF provides a capability for authorized administrators to include or exclude the generation
of auditable events related to event audit data of a selected type from the events screen of the
administrative interface.
6.1.1.8 SA-8 Protected Audit Trail Storage (FAU_STG.1)
The TSF protects the stored audit records on the TOE from unauthorized deletion and
modifications via the TSFI. The TSF retains log files on the local system. Log files are restricted
by size. When the maximum allowed size of a log file is reached, the log file is rotated and the
next log file is created by overwriting a previous log file. The TOE provides options for
administrators to configure Syslog servers to store log messages.
6.1.2 User Data Protection
The Rate based, Firewall and IPS rules are the logical constructions that guide the IPS Unit‘s
security decisions as it examines traffic flows. An IPS Unit security check is a logical definition
that says: if a given traffic flow meets the following conditions, treat it in this manner.
The figure below shows how all of the subsystem rules together make up the overall security
check that the IPS Unit follows when deciding how to handle the network traffic.
Figure 6-1 IPS Unit Security Checks
The IPS Unit contains hundreds of rules that it uses to check whether a given flow of traffic is
acceptable or not. A rule may be based on packet checks (for example, Illegal ICMP Header) or
protocol checks (for example, HTTP Unknown Method Name). The IPS Unit contains rules for
the following categories:
- Packet-based rules (global rules apply to all traffic, to check for IP/ARP bad packets and
L2 MAC filters)
- Firewall rules
- Intrusion protection system rules (IPS Rules)
- Rate based rules
2007 Top Layer Networks. All Rights Reserved. 56
Top Layer Networks Security Target April 10, 2009
Rules also have "treatments" associated with them that tell the IPS Unit what should happen
when a rule is triggered. Treatments include the action the IPS Unit should apply to the
traffic that triggers the rule (allow, drop, reject), and the type of logging that should be
performed. An administrator can modify the treatments for individual rules in these two sets. For
IPS rules, there are multiple copies of the IPS rules, called "rule sets," and new copies can be
created. An administrator can configure the treatment for the same rule differently in different
rule sets.
Rate Based Rules
Rate based security rules protect the resources from overuse by legitimate users, as well as
abusive denial-of-service attackers.
The rules provide limits for:
- Client requests:
Defines the maximum number of requests that any client within the host group
can make for specific services and all services during a one-minute period.
- Connections for both clients and servers:
Connection Limiting provides a way to limit the number of open connections
allowed at one time between Clients and Servers.
- SYN Flood controls:
Defines the number of incomplete TCP connections from Client to Servers.
Figure 6-2 Rate Based Security
FW Rule and IPS Rules
Provide classic firewall blocking for traffic, based on IP addresses, Layer 4 ports,
and segments (port pairs);
Provide the following types of checks:
2007 Top Layer Networks. All Rights Reserved. 57
Top Layer Networks Security Target April 10, 2009
- Protocol validation
- Attack Signatures
- Acceptable use of network application
The figure below shows how the subsystem policies together make up the overall FW + IPS
security policy that the IPS Unit follows when deciding how to handle the network traffic.
Figure 6-3 FW +IPS Security
Please also see the figure in section 2.2.
The IPS Unit‘s Security system is partitioned into logical subsystems to perform various security
checks. Each subsystem performs a set of specific checks. These specific checks, or rules, and
their associated actions, make up the subsystem‘s security policy. The IPS Unit organizes the
subsystems in a particular order so that traffic that is filtered by an earlier subsystem is never
seen by the later subsystems.
6.1.2.1 IFC-1 Rate Based Control (FDP_IFC.1 (1), FDP_IFF.1 (1))
DDos Filters Subsystem:
Analyzes traffic patterns and removes malicious traffic attempting to deliberately overwhelm the
resources of the TOE or internal networks (denial-of-service attacks), or to use computers in the
internal network to attack other companies (distributed denial-of-service attacks). The TSF SYN
Flood algorithms track the dynamic behavior of millions of individual IP addresses, classify
those sources according to their threat level, and manage the addresses to stop or prevent denial-
of-service attacks.
Resource Limit Filters Subsystem:
Protects resources from overuse by legitimate users as well as abusive denial-of-service
attackers. Provides limits for:
- Client requests for specific services, Client requests for all services
- Connections for clients and servers (both specific clients and servers, and all clients or
servers in a group)
2007 Top Layer Networks. All Rights Reserved. 58
Top Layer Networks Security Target April 10, 2009
- SYN flood controls
6.1.2.2 IFC-2 Intrusion Prevention (FDP_IFC.1 (2), FDP_IFF.1 (2))
IP/ARP Bad Packet Filters Subsystem:
Examines the IP headers of IP traffic and the payload of ARP packets. These checks look for
badly mangled packets that the IPS Unit cannot reliably parse or even categorize by host group
or application protocol. This reduces the load on other network appliances.
L2 Filters Subsystem:
Focuses on the MAC headers of network packets. Some of the checks look for malformed or
abused fields in the MAC headers.
Stateful Analysis Subsystem:
Stores and analyzes information about each traffic connection. A flow (TCP or UDP) is the
transfer of related packets over a TCP or UDP connection between a Client (source) and a Server
(destination). Both TCP and UDP flows, at a minimum, use source address, destination address,
protocol, source port and destination port as flow identifiers.
The IPS Unit records information about each packet in a flow record stored in its Flow Table
(connection table), an internal memory structure. Recording this information enables the IPS
Unit to statefully inspect each packet and to reorder packets for proper analysis. At the start of
each transaction, the IPS Unit creates or "sets up" the appropriate Flow Table entries. The IPS
Unit checks these entries when it receives subsequent packets of that transaction. This subsystem
provides this information to other subsystems of the IPS Unit.
Firewall Filters Subsystem:
Provides classic firewall blocking for traffic, based on IP addresses, Layer 4 ports, and circuits
(inside port versus outside port). The firewall‘s capabilities break down into the following
subcategories:
- Blocks clients from internal or external circuits.
- Performs spoof checking (that is, enforce allowed ingress circuits per IP address range).
- Enforces client access to services.
- Blocks packets from IP addresses deemed "malicious" by the SYN Flood mitigation
subsystem.
Protocol Validation Subsystem:
Examines the payload of application datagrams and application streams for specific network
protocols to ensure that the traffic conforms to the rules for a given protocol as well as the IPS
Unit‘s rules for reasonable usage. Stops attackers who abuse weaknesses in a protocol‘s defined
structure in order to attempt to pass malicious traffic. The protocols and checks are identified in
FDP_IFF.1 (2).
2007 Top Layer Networks. All Rights Reserved. 59
Top Layer Networks Security Target April 10, 2009
Content Inspection subsystem:
Checks for deliberate inclusion of malicious data or other malicious payloads into traffic that is
otherwise well formed. The Content Inspection subsystem inspects the transport layer header,
application layer header and application layer payloads. This feature provides the ability to
search the payloads of network protocols that are not natively parsed and decoded by the IPS
Unit. The patterns that are supported by the IPS Unit can be either case sensitive or insensitive
ASCII printable character strings or they can be a sequence of binary bytes. The IPS Unit's rules
that correspond to these content patterns are also referred to as ―signatures‖.
6.1.3 Identification and Authentication
6.1.3.1 IA-1 Authentication failure handling (FIA_AFL.1)
The TOE warns the user when, during the authentication process, the defined number of
unsuccessful authentication failures has been met. The TSF will prevent the user from
authentication until an action is taken by an authorized administrator to unlock the user account.
The TOE does not allow the last or only administrator account to be completely locked out. This
is to prevent the TOE from becoming completely unmanageable
6.1.3.2 IA-2 User attribute definition (FIA_ATD.1)
The TSF maintains the following user security attributes for administrators:
User Name
User‘s current Status (active, inactive, or locked)
Level of User Privileges
User password
Expiration time allowed for the user‘s password
Group
6.1.3.3 IA-3 Timing of Authentication (FIA_UAU.1)
The TSF requires an administrator to be successfully authenticated with a password before being
allowed any other management actions. An External IT entity may pass information flows
through the TOE without any authentication.
6.1.3.4 IA-4 Protected authentication feedback (FIA_UAU.7)
The TSF displays only the user ID, a ―*‖for each password character entered, and a success or
deny message to the administrator or monitor while the authentication is in progress.
6.1.3.5 IA-5 User identification before any action (FIA_UID.2)
The TSF requires each user to self identify before being allowed to perform any other actions.
All users, whether authenticated or not, will always be identified. External IT Entities will be
identified by an IP address. Authorized administrators are identified by ―User Name‖.
2007 Top Layer Networks. All Rights Reserved. 60
Top Layer Networks Security Target April 10, 2009
6.1.4 Security Management
The TSF provides several forms of management security:
Secure Architecture — The IPS Unit‘s architecture separates management traffic (traffic
entering the IPS Unit‘s on one of the management ports) from mission traffic (traffic entering the
IPS Unit‘s external and internal ports). The IPS Unit can bridge management traffic from one
management port to another management port, but does not forward management traffic to any
other IPS Unit mission port, nor does it forward non-management traffic to any management
port.
User Account Administration — Creates and manages user accounts, providing different sets
of privileges to individual users and groups of users.
User Authentication — Establishes a user‘s identity and privilege level.
Management Service Access Control — Provides overriding controls for each form of
management access.
The IPS Unit provides several management services. For added security, the following services
can be enabled and disabled:
HTTP or HTTPS – The IPS Unit provides persistent management sessions using HTTP (port
80) or HTTPS (port 443) allowing full management access through the firewall. The Graphical
User Interface is not dependant on a Web browser. Instead, it uses the Java Web Start technology
to provide a self-updating application that operates over the Web. The GUI is a Java WebStart
application, downloaded from the IPS 5500 E as a set of jar files and cached by the Java
WebStart application on the client host machine. After that, the GUI runs in a Java sandbox on
the client host. Before accessing any of the IPS 5500 E functionality, the GUI must be
authenticated by the IPS 5500 E. There is no authentication information in the IPS 5500 E GUI
code and the authentication relies on authentication over HTTP(S).
Telnet Session - Disabled in the evaluated configuration and
Serial Console - The CONSOLE port on the front of the IPS Unit provides access to a limited
Command Line Interface that can be used to perform basic setup. The serial console port
supports an authentication feature, which provides an extra layer of protection for IPS
deployments where the IPS Unit is deployed in an environment without physical security. In
the evaluated configuration, the authentication of the CLI is enabled and, only authorized
users are allowed to access the CLI.
IPS Controller - The IPS Controller is used to manage multiple IPS Units and runs on a separate
device. (Not included in the evaluated configuration)
Using the Management Port Control window, an authorized administrator can allow, deny, or
restrict access to each management form. The Telnet Session and HTTP are disabled in the
evaluated configuration.
The IPS Unit creates a management session whenever a successfully authenticated user connects
to the IPS Unit. The session continues until the user ends the session or there is a network
disruption that causes the session to time out. Any given user can have multiple simultaneous
management sessions over any management service. The CONSOLE port supports only one
management session.
2007 Top Layer Networks. All Rights Reserved. 61
Top Layer Networks Security Target April 10, 2009
The TSF maintains and reports all relevant information for each management session, which
includes:
User name
Session privileges
Login time (start of session)
Management access method (HTTP, HTTPS, Telnet, Console, etc.)
IP address of user
MAC address of user
Unique session ID
Logout time (end of session)
In addition to the Management session information, the TSF uses the following user account
information to grant or deny access to a particular security function:
User‘s current status (active or inactive)
Level of user privileges
• Administrator — Can perform all IPS Unit configuration tasks and view all
IPS Unit operations, statistics, and reports.
• Monitor — Can view all IPS Unit operations, statistics, and reports. Cannot
configure the IPS Unit, nor add or edit any user profiles.
User password
Expiration time allowed for the user‘s password.
The IPS Unit authenticates a user through a login name and password.
6.1.4.1 SM-1 Management of security functions (FMT_MOF.1)
The TOE's primary security management interface is the WebUI, which is a Java web
application loaded from the TOE onto the Management Station via an SSL channel. TOE
Administrators and Monitors interact with the applet, sending commands to the TSF.
The security management functions that can be modified are specified in 5.1.4.1 FMT_MOF.1
Management of security functions behaviour.
6.1.4.2 SM-2 Static attribute initialisation (FMT_MSA.3)
The TSF allows only authorized administrators to modify the initial value of the security
attributes of the subjects, objects and information of Rate based information flow policy and FW
+ IP information flow policy.
6.1.4.3 SM-3 Management of security attributes (FMT_MSA.1)
The TSF provides administrators the capability to manipulate the security attributes of subjects,
objects and information of Rate based information flow policy and FW + IP information flow
policy. The term ―manipulate‖ is used to indicate that the security attributes in FDP_IFF.1.1 (1)
and FDP_IFF.1.1(2) may be used to create additional ―attributes‖ that can be used in specifying
information flow policy rules. FMT_MSA.1 restricts such capabilities to the Security
Administrator. An example of this would be to group a set of service identifiers that are to have
the same rule applied, rather than having to specify a separate rule for each service identifier.
However, an administrator cannot change or manage the attributes associated with a packet.
2007 Top Layer Networks. All Rights Reserved. 62
Top Layer Networks Security Target April 10, 2009
6.1.4.4 SM-4 Specification of Management Functions (FMT_SMF.1)
The TSF is capable of performing the following security management functions:
a) Items specified in FMT_MOF.1
b) Management of security attributes
Items specified in FMT_MSA.1, FMT_MSA.3
c) Management of TSF data
Items specified in FMT_MTD.1
d) Management of security roles
Items specified in FMT_SMR.1
6.1.4.5 SM-5 Management of TSF Data (FMT_MTD.1)
The TSF restricts the ability to manage TSF data based on the Level of user privileges.
There are two User Level Privileges.
• Administrator — Can perform all IPS Unit configuration tasks and view all IPS Unit
operations, statistics, and reports.
• Monitor — Can view all IPS Unit operations, statistics, and reports. Cannot configure
the IPS Unit, nor add or edit any user profiles
The TSF restricts the ability to perform operations as specified in section 5.1.4.4 by restricting
the ability to operate on TSF data to the Authorized Administrator and Monitor
6.1.4.6 SM-6 Security Roles (FMT_SMR.1)
The TSF maintains two roles :
• Administrator — Can perform all IPS Unit configuration tasks and view all IPS Unit
operations, statistics, and reports.
• Monitor — Can view all IPS Unit operations, statistics, and reports. Cannot configure
the IPS Unit, nor add or edit any user profiles
For maintenance purposes, a user with ‗admin‘ (Administrator Role) privileges can authenticate
through the Serial Console with user name and password. There exists a default ‗admin‘ and
‗password‘, which must be changed after the basic setup.
6.1.5 Protection of TOE Security functions
6.1.5.1 SP-1 TSF Self-testing (FPT_TST.1)
The TSF can run a suite of tests during initial start-up to demonstrate the correct operation of the
TSF. The TSF can not start up if the expected results from the assumptions do not match the
actual result.
The TOE tests operation of the following list of components to ensure correct operation of the
TSF during initial start-up:
2007 Top Layer Networks. All Rights Reserved. 63
Top Layer Networks Security Target April 10, 2009
- Sandisk/code load valid (required for basic operations)
- The SC subsystem FLASH and SDRAM (required for audit functions)
- The FPGAs (required for all security functions of the TSF and basic
operations)
- Memory tests (required for basic operations)
- Processor tests (required for basic operations)
- Processor connectivity test (required for basic operations)
- Basic OS tests (required for basic operations)
6.1.5.2 SP-2 Failure with preservation of Secure State (FPT_FLS.1)
The Secure State for this product is defined as the state when the TOE (IPS Unit) inspects all
traffic, mitigates problem traffic, and records all information. All traffic flows through the IPS
Unit‘s functions. If power fails, the IPS Unit acts as an open wire and does not forward any
traffic. This provides the most protection and ensures that in case of failure, unchecked traffic
will not pass. This state is also known as ―Fail Close‖ in firewall terminology (closes the door to
all traffic). The IPS Unit can support dual power supplies and will continue to function when its
primary power supply fails. However, the IPS Unit does not pass traffic if there is a failure of all
power to the unit, or other hardware-based failures.
6.1.5.3 SP-3 Partial Non-bypassability of the TSF (FPT_RVM_EXP.1)
The TOE resides as a network perimeter device thus physically separating the external networks
from the protected networks. All network traffic flows from and to the internal networks flows
through the TOE only after inspection of the traffic based on the information flow control
policies. The TOE hardware and software ensure that all packets are forwarded to, and processed
through the filtering functions of the information flow control policies and that the filtering
functions are not bypassable
External users are not permitted to access the TOE management functions through the user GUI
without successful identification and authentication. The TOE enables the administrator to
restrict the access to TOE by enabling or disabling the HTTP, HTTPS, SNMP and Telnet
Session. The http and telnet management interfaces are disabled in the evaluated configuration.
The Serial Port Console interface is only accessible through a serial cable with DB-9 connectors
to the CONSOLE port on management PC. The TOE is assumed to be hosted in a secure facility.
All remote communications to the TOE are protected over secure HTTPS connections.
The GUI software on the Management Station is a software only TOE component. It relies upon
the protection mechanisms of the underlying operating system platform to protect itself against
untrusted subjects bypassing the security mechanisms offered by the GUI. The GUI is designed
to ensure that TSF policies are enforced when accessed through its own interfaces.
6.1.5.4 SP-4 TSF Domain Separation (FPT_SEP_EXP.1)
The TOE resides as a network perimeter device thus physically separating the external networks
from the protected networks. IPS Unit determines the list of ports to which the packet may be
forwarded. The IPS Unit never forwards a packet to the port on which the packet arrived.
2007 Top Layer Networks. All Rights Reserved. 64
Top Layer Networks Security Target April 10, 2009
The TSF creates a management session whenever a successfully authenticated user connects to
the IPS Unit. The session continues until the user ends the session or the session times out. The
IPS Unit enforces the concept of isolated management traffic. It does this by separating traffic
using two logical bridges, the Mission Bridge and the Management Bridge. Each bridge is a
logical device within the IPS Unit that enables traffic to flow between its source and destination.
The IPS Unit can bridge management traffic from one management port to another management
port, but does not forward management traffic to any other IPS Unit port, nor does it forward
non-management traffic to any management port. Separate bridges also help avoid the problem
of the IPS Unit itself being attacked by external entities. Packets received on Management ports
are bridged to other Management ports or terminated to the Management entity (if destined to the
management entity‘s IP address). Packets received on Mission ports can be bridged to another
Mission port, but will never be forwarded to any Management port or to the management entity.
The GUI software on the Management Station is a software only TOE component. It relies upon
the protection mechanisms of the underlying operating system platform to protect itself against
untrusted subjects tampering with TSF code or data through OS interfaces. The GUI is designed
to ensure that TSF policies are enforced when accessed through its own interfaces.
6.1.5.5 SP-5 Reliable Time Stamps (FPT_STM_EXP.1)
The TSF supports reliable time stamps for the use of the TSF. The TOE acquires the time from
an NTP server and maintains it for the use of TSF functions executing on the IPS Unit.
6.1.6 Trusted Path/Channels
6.1.6.1 TC-1 Trusted Path (FTP_TRP.1)
The TSF uses the HTTPS protocol to build a trusted path when communicating between the IPS
Unit and management GUI on the management station. A browser on the Management Station in
the IT environment initiates the SSL connection to the IPS Unit to establish a secure session. The
cipher suite used is RSA-RC4-SHA1. The RSA key is defined by the IPS Unit certificate and the
RC4 key is 128 bits.
The secure session is used for management communications.
6.2 Security Assurance Measures & Rationale
The assurance documents listed below were developed to meet the developer action and content
and presentation of evidence elements for each assurance required defined in the CC.
Table 6-2 - Assurance Measures & Rationale: EAL4
Assurance Assurance Measures Assurance Rationale
Requirement
2007 Top Layer Networks. All Rights Reserved. 65
Top Layer Networks Security Target April 10, 2009
Assurance Assurance Measures Assurance Rationale
Requirement
ACM_AUT.1 [ACM] The CM plan defines the automated tools used in
the CM system to ensure that only authorized
changes are made to the TOE implementation
representation and to generate the TOE. The CM
plan also describes how these tools are used in the
CM system
ACM_CAP.4 [ACM] The configuration management documents defines
the configuration items(CIs), provides measures for
ensuring that all changes to CIs are authorized and
contains the necessary information to demonstrate
that a CM system is used and that there is a unique
reference for the TOE. A CM plan describes how
the CM system is used and how it supports the
TOE generation. An acceptance plan includes
procedures to accept changes to the CIs. Evidence
that the CM system is operating in accordance with
the CM plan and that all configuration items are
under CM control is also provided.
ACM_SCP.2 [ACM] The CI list provided includes the implementation
representation, security flaws, and CC evaluation
evidence.
ADO_DEL.2 [ADO] The delivery document describes the steps
performed to deliver the TOE. It describes the
process used to create distribution copies of the
TOE software and the steps taken to ensure
consistent, dependable delivery of the TOE to the
customer, procedures for detecting modification or
discrepancies between the master copy and the
version received by the customer are described,
along with procedures for detecting attempts to
masquerade as the vendor (developer) when
communicating with the customer.
ADO_IGS.1 [ADO] The installation documents describe the steps
necessary for secure installation, generation and
start-up of the TOE.
ADV_FSP.2 [FSP] The informal functional specification (FSP)
document identifies the external interfaces that
completely represent the TSF and describes the
purpose and method of use of all external TSF
interfaces. It also describes details of all effects,
exceptions, and error messages for each of the
external TSF interfaces, as well as a rationale that
the TSF is completely represented by the FSP.
2007 Top Layer Networks. All Rights Reserved. 66
Top Layer Networks Security Target April 10, 2009
Assurance Assurance Measures Assurance Rationale
Requirement
ADV_HLD.2 [HLD] The security enforcing high-level design (HLD)
describes the complete TSF in terms of subsystems,
separating the TOE into TSP-enforcing and other
subsystems. The security functions for each
subsystem are described. The purpose and method
of use for all subsystem interfaces are described
and the externally visible interfaces are identified.
ADV_IMP.1 [IMP] A selected subset of the TSF implementation
representation is provided at a level such that the
TSF can be generated without further design
decisions.
ADV_LLD.1 [LLD] The descriptive low-level design describes the
complete TSF in terms of modules, separating the
TOE into TSP-enforcing and other subsystems. The
security functions for each subsystem are
described. The purpose and method of use for all
module interfaces are described and the externally
visible interfaces are identified
ADV_RCR.1 [RCR] The informal correspondence analysis
demonstrates that the security functionality as
described in the FSP and ST is correct and
complete. Likewise for the functionality described
in the FSP and HLD, in the HLD and LLD, and in
the LLD and implementation representation.
ADV_SPM.1 [SPM] The informal TOE security policy model describes
the rules and characteristics of all policies in the
TSP, including a rationale demonstrating its
consistency and correctness with the FSP.
AGD_ADM.1 [AGD] The administrator guidance documents provide
complete administrative guidance for the TOE,
including all security features and configuration
items.
AGD_USR.1 N/A The TOE is transparent to the entities sending data
through the TOE and as such, there is no User
Guide. Therefore, this SAR is implicitly satisfied.
ALC_DVS.1 [DVS] The identification of security measures document
describes the physical, procedural, personnel, and
other security measures used to protect the
confidentiality and integrity of the TOE design and
implementation. Evidence that these measures are
used will also be provided.
ALC_LCD.1 [LCD] The developer defined life-cycle model describes
the model used to provide control over the
development and maintenance of the TOE.
2007 Top Layer Networks. All Rights Reserved. 67
Top Layer Networks Security Target April 10, 2009
Assurance Assurance Measures Assurance Rationale
Requirement
ALC_TAT.1 [TAT] The well-defined development tools document will
define the development tools used to implement the
TOE, as well as all statements and options used to
develop the TOE
ATE_COV.2 [COV] The test coverage analysis document provides a
mapping of the test cases performed against the
TSF, demonstrating that the correspondence
between the TSF described in the FSP and the tests
is complete.
ATE_DPT.1 [DPT] The depth of testing document demonstrates that
the tests are sufficient to demonstrate that the TSF
operates in accordance with the HLD.
ATE_FUN.1 [FUN] The functional testing document includes the test
plans, test procedures, and associated test cases of
the TOE functional testing effort.
ATE_IND.2 [IND] The TOE hardware, software, guidance, and testing
documentation were made available to the CC
testing laboratory for independent testing.
AVA_MSU.2 [MSU] The misuse analysis document demonstrates that
the guidance documentation is complete.
AVA_SOF.1 [SOF] The TOE does not include any probabilistic or
permutational mechanisms, so this SAR is
vacuously satisfied (not applicable).
AVA_VLA.2 [VLA] The vulnerability analysis document identifies and
describes the process used to discover
vulnerabilities, the results of the vulnerability
analysis, and the mitigation of each identified
vulnerability. It also justifies that the TOE is
resistant to obvious penetration attacks.
6.3 Appropriate Strength of Function Claim
The TOE minimum strength of function is SOF-medium for the Identification and
Authentication security function. This is consistent with the claim of SOF-medium for the
FIA_UAU.1. The evaluated TOE is intended to operate in commercial and basic robustness
environments processing unclassified information. This security function is in turn consistent
with the security objectives described in section 4.
2007 Top Layer Networks. All Rights Reserved. 68
Top Layer Networks Security Target April 10, 2009
7 Protection Profile Claims
This Security Target does not claim conformance to any Protection Profiles.
2007 Top Layer Networks. All Rights Reserved. 69
Top Layer Networks Security Target April 10, 2009
8 Rationale
This Security Target does not claim conformance to any Protection Profiles.
8.1 Security Objectives Rationale
The following sections provide the security objectives rationale.
8.1.1 Rationale For Threat Coverage
This section provides a justification that for each threat, the security objectives counter the threat.
Table 8-1 -All Threats to Security Countered
Item Threat Security Objective(s) Rationale
Addressing Threat
1 O.IDAUTH This threat is mitigated by
T.NOAUTH
O.SELFPROTECTION O.IDAUTH, which provides for
O.MANAGE unique identification and
OE.PROTECT authentication of administrative
users. Also,
O.SELFPROTECTION defends
against attempts by unauthorized
users to bypass, deactivate, or
tamper with TOE security
functions.
O. MANAGE protects stored TSF
data from unauthorized
disclosure, modification, or
deletion.
OE.PROTECT defends against
attempts by unauthorized users to
bypass, deactivate or tamper with
the IT environment security
functions, thus preventing
modification TSF code and data
that resides in the IT
environment.
2007 Top Layer Networks. All Rights Reserved. 70
Top Layer Networks Security Target April 10, 2009
Item Threat Security Objective(s) Rationale
Addressing Threat
2 O.MANAGE This threat is mitigated by
T.MANAGE
O.ADMINISTRATION O.MANAGE, which requires that
O.SELFPROTECTION The TOE must protect stored TSF
data from unauthorized
disclosure, modification, or
deletion. O.ADMINISTRATION
provides all the functions
necessary to support the
authorized users in their
management of the security of the
TOE. O.SELFPROTECTION
defends against attempts by
unauthorized users to bypass,
deactivate, or tamper with TOE
security functions.
3 O.TRANSMISSION This threat is mitigated by
T.PROCOM
O.TRANSMISSION, which
requires that the TSF must
provide a HTTPS session for
communication between the User
Management GUI on the
Management Station and the
TOE, thus protecting the
communication between the GUI
and the TSF.
4 O.IDAUTH
T.REPEAT This threat is mitigated by
O.IDAUTH. The TOE must
prevent the administrative user
from authentication after an
administrator configured number
of unsuccessful authentication
attempts.
2007 Top Layer Networks. All Rights Reserved. 71
Top Layer Networks Security Target April 10, 2009
Item Threat Security Objective(s) Rationale
Addressing Threat
5 O.AUDIT This threat is mitigated by
T.AUDIT
O.ADMINISTRATION O.AUDIT which requires that the
O.ALERT TOE must provide a means to
O.TIME record, store and review security
O.AUDITPROTECT relevant events in audit records to
OE.TIME trace the responsibility of all
OE.AUDIT actions regarding security.
O.ALERT provides the alerting
required to warn administrators.
O.AUDITPROTECT requires
that the TOE must protect the
audit records stored internally on
the TOE.
O. ADMINISTRATION defends
against attempts by unauthorized
users to access and use security
functions.
OE.AUDIT requires that IT
environment must provide a long
term audit and alert store for the
TOE. O.TIME AND OE.TIME
ensure that Reliable time stamps
are applied to audit records and
allow the reconstruction of a
sequence of events at a later date.
6 T.RATEBASED O.RATEBASED This threat is mitigated by
O.RATEBASED, which requires
that the TOE must limit resource
usage to an acceptable level (stop
legitimate clients from overusing
resources and stop DDoS and
other network flooding attacks).
The TOE must also be able to
serve as a rate based controller
and police both malicious users
who attempt to flood your
network with DoS and DDoS
attacks, and authorized users who
may overuse resources.
2007 Top Layer Networks. All Rights Reserved. 72
Top Layer Networks Security Target April 10, 2009
Item Threat Security Objective(s) Rationale
Addressing Threat
7 O.UNDESIREDACCESS This threat is mitigated by
T.ADDRESSSPOOF
O.UNDESIREDACCESS, which
requires that the TOE must
control unauthorized information
flow from the external network to
the internal network based on
security policies. This objective
also prevents information flows
of from spoofed IP addresses
arriving at physical ports, which
do not match the address range,
associated with the ports.
8 O.UNDESIREDACCESS This threat is mitigated by
T.UNDESIREDACCE
SS O.UNDESIREDACCESS, which
requires that the TOE must
control unauthorized information
flow from the external network to
the internal network based on
security policies.
9 T.CONTENTBASED O.CONTENTBASED This threat is mitigated by
O.CONTENTBASED which
requires that the TOE must filter
the content in the information
flows through the TOE to prevent
malicious intruders from
exploiting system vulnerabilities
or network based protocol
weaknesses, as well as more
direct attacks through e-mail
based worms and viruses
8.1.2 Rationale For Organizational Policy Coverage
This ST has no Organizational Security Policies.
8.1.3 Rationale For Assumption Coverage
The non-IT security objectives for the environment are, in part, a re-statement of the security
assumptions and the rationale is self explanatory.
2007 Top Layer Networks. All Rights Reserved. 73
Top Layer Networks Security Target April 10, 2009
8.2 Security Requirements Rationale
8.2.1 Security Functional Requirements for the TOE
The table below shows that all of the security objectives for the TOE are satisfied by at least one
security functional requirement (SFR).
Table 8-2 - All Objectives for the TOE Met by Functional Requirements for the
TOE
Item Objective ID SFR(s) Rationale
1 FIA_UID.2, FIA_UAU.1, All users are successfully identified
O.IDAUTH
FIA_UAU.7, FIA_ATD.1, before allowing any other TSF-
mediated actions on behalf of that
FIA_AFL.1
user (FIA_UID.2)
FPT_RVM_EXP.1
All authorized users are successfully
authenticated before allowing any
management actions on behalf of that
user.(FIA_UAU.1)
The feedback during the
authentication is protected
(FIA_UAU.7)
User attributes required for
authentication are stored by the TOE
(FIA_ATD.1)
When the defined number of
unsuccessful authentication attempts
has been met or surpassed, the TOE
locks the user account until it is
unlocked by an administrator
(FIA_AFL.1)
This objective is also met by the
FPT_RVM_EXP.1 requirement,
which provides for non-bypassability
of the TOE
2007 Top Layer Networks. All Rights Reserved. 74
Top Layer Networks Security Target April 10, 2009
Item Objective ID SFR(s) Rationale
2 FPT_RVM_EXP.1, This objective is also met by the
O.SELFPROTECTION
FPT_SEP_EXP.1, FPT_RVM_EXP.1 and
FPT_TST.1, FPT_SEP_EXP.1 requirements,
FPT_FLS.1 which provides for domain
separation and non-bypassability of
the TOE.
FPT_TST.1 ensures the correct
operation of the TOE based on the
Self-Tests during initial startup to
ensure the correct operation of the
TSF.
FPT_FLS.1 ensures that the TOE
preserves a secure state when there is a
power failure.
3 FMT_MOF.1, This objective is met by supporting
O.MANAGE
FMT_MSA.3, multiple management roles
FMT_MSA.1, (FMT_SMR.1), and ensuring that the
FMT_SMF.1, TOE security attributes may only be
FMT_MTD.1, modified by an appropriate
FMT_SMR.1 administrator/monitor (FMT_MSA.1,
FMT_SMF.1). The TOE initializes
all security attributes enforcing the
SFP to default values
(FMT_MSA.3), and allows for the
appropriate management of functions
for each role (FMT_MOF.1), and
TSF data within each function
(FMT_MTD.1).
4 FIA_UID.2, FIA_UAU.1, All users are successfully identified
O.ADMINISTRATION
FMT_MTD.1, and authenticated before allowing
FMT_SMF.1, any other TSF-mediated actions on
behalf of that user (FIA_UID.2). An
authorized administrator must
successfully be authenticated before
performing any management
activities.(FIA_UAU.1)
TSF Data is managed by authorized
users ( FMT_MTD.1 and
FMT_SMF.1 ).
2007 Top Layer Networks. All Rights Reserved. 75
Top Layer Networks Security Target April 10, 2009
Item Objective ID SFR(s) Rationale
5 FAU_GEN.1, An audit record can be generated for
O.AUDIT
FAU_GEN.2, security-relevant events and a user is
FAU_SAR.1, FAU_SAR.3 associated with the audit events
FAU_SAA.1, (FAU_GEN.1 and FAU_GEN.2).
FAU_ARP.1, FAU_SEL.1, The TOE is able to protect audit
FAU_STG.1 records stored internally
(FAU_STG.1). The TOE is capable
of providing searching and sorting
capabilities of the audit records
(FAU_SAR.1) and selection
capabilities for auditing to include or
exclude auditable events from the set
of audited events (FAU_SAR.3). The
TOE is capable of analyzing the audit
records based on combination of
rules (FAU_SAA.1) and generating
alerts based on the analysis
(FAU_ARP.1).
6 FAU_SAA.1, FAU_ARP.1 The TOE is capable of analyzing the
O.ALERT
audit records based on combination
of rules (FAU_SAA.1) and
generating alerts based on the
analysis (FAU_ARP.1).
7 FAU_STG.1 The TOE is able to protect audit
O.AUDITPROTECT
records stored internally
(FAU_STG.1).
8 O.UNDESIREDACCESS FDP_IFF.1(2), The TOE mediates the flow of all
FDP_IFC.1(2) information between clients and
FPT_FLS.1 servers located on internal and
external networks governed by the
TOE and provides the firewall
functionality (FDP_IFF.1(2) and
FDP_IFF.1(2)).
FPT_FLS.1 ensures that the TOE
preserves a secure state when there is a
power failure.
2007 Top Layer Networks. All Rights Reserved. 76
Top Layer Networks Security Target April 10, 2009
Item Objective ID SFR(s) Rationale
9 FDP_IFF.1(1), The TOE enforces a Rate Based
O.RATEBASED
FDP_IFC.1(1) Security Policy based on request
limits, connection limits and SYN
flood limit parameters to ensure that
the TOE or any of the IT resources
on the internal network are not
overused. This also ensures that they
are not susceptible to DOS attacks
(FDP_IFF.1(1), FDP_IFC.1(1)).
10 FDP_IFF.1(2), The TOE enforces a Packet Filter +
O.CONTENTBASED
FAU_IFC.1(2) IPS Policy based on the information
flow characteristics, packet header
and payload information to ensure
that the TOE detects and prevents
any intrusion. The TOE checks for
both protocol anomaly and signature
matching attacks and prevents them.
(FDP_IFF.1(2), FDP_IFC.1(2)).
11 FPT_STM_EXP.1 This objective is met by
O.TIME
FPT_STM_EXP.1, which requires
that the TSF acquire time from an
NTP Server in the IT environment
and maintain the time reliably for its
own use.
12 FTP_TRP.1 FTP_TRP.1 requires cryptographic
O.TRANSMISSION
based communications protocols
between the Management station in
the IT environment and the TOE.
8.2.2 Security Functional Requirements for the IT Environment
The table below shows that all of the security objectives for the IT Environment are satisfied.
Table 8-3 - All Objectives for the IT Environment Met by SFRs for IT Environment
Item Objective ID SFR(s) Rationale
1 FAU_STG_ENV.1 This objective is met by FAU_STG_ENV.1,
OE.AUDIT
which specifies that the operating
environment be provided with a log
repository.
2007 Top Layer Networks. All Rights Reserved. 77
Top Layer Networks Security Target April 10, 2009
Item Objective ID SFR(s) Rationale
2 FPT_SEP_ENV.1, This objective is met by
OE.PROTECT
FPT_RVM_ENV.1, FPT_RVM_ENV.1, which provides for
FIA_UID_ENV.1, non-bypassability of security functions, and
FIA_UAU_ENV.1 FPT_SEP_ENV.1, which specifies
protection of the TSF code and data.
FIA_UAU_ENV.1 and FIA_UID_ENV.1
require that the IT environment does
identification and authentication of users
before accessing TSF data.
3 FPT_STM_ENV.1 This objective is met by FPT_STM_ENV.1,
OE.TIME
which requires that the IT environment to
supply time stamps to the TOE.
8.2.3 Explicitly Stated Requirements Rationale
FPT_STM_EXP.1 is explicitly stated because the functionality is provided partially by the TOE
and partially by the IT environment. The TOE obtains the time from an NTP server in the IT
environment.
FPT_RVM_EXP.1 and FPT_SEP_EXP.1 are explicitly stated because the functionality is
provided partially by the TOE and partially by the IT environment. The TOE component running
on the Management Station ( Java Web Start Application) is software only and cannot protect
itself or enforce non-bypassability without the support of the underlying platform
8.2.4 Rationale for TOE Security Assurance Requirements
EAL4 was chosen to provide a moderate level of independently assured security. The chosen
assurance level is consistent with the threat environment. Specifically, that the threat of
malicious attacks is low and the product will have undergone a search for flaws. Please see
section 6.2.
8.2.5 Rationale For IT Security Requirement Dependencies
This section includes a table of all the security functional requirements, their dependencies, and a
rationale for any dependencies that are not satisfied.
Table 8-4 – SFR Dependencies
Item SFR ID Dependencies Reference
1 FAU_GEN.1 FPT_STM_EXP.1 28
2 FAU_GEN.2 FAU_GEN.1, FIA_UID.2 1, 17
3 FAU_SAA.1 FAU_GEN.1 1
4 FAU_ARP.1 FAU_SAA.1 3
5 FAU_SAR.1 FAU_GEN.1 1
2007 Top Layer Networks. All Rights Reserved. 78
Top Layer Networks Security Target April 10, 2009
Item SFR ID Dependencies Reference
6 FAU_SAR.3 FAU_SAR.1 5
7 FAU_SEL.1 FAU_GEN.1, FMT_MTD.1 1 , 22
8 FAU_STG.1 FAU_GEN.1 1
9 FDP_IFC.1(1) FDP_IFF.1(1) 10
10 FDP_IFF.1(1) FDP_IFC.1(1), FMT_MSA.3 9, 19
11 FDP_IFC.1(2) FDP_IFF.1(2) 12
12 FDP_IFF.1(2) FDP_IFC.1(2), FMT_MSA.3 11, 19
13 FIA_AFL.1 FIA_UAU.1 15
14 FIA_ATD.1 None
15 FIA_UAU.1 FIA_UID.1 17
16 FIA_UAU.7 FIA_UAU.1 15
17 FIA_UID.1 None
18 FMT_MOF.1 FMT_SMR.1, FMT_SMF.1 21 , 23
19 FMT_MSA.3 FMT_MSA.1, FMT_SMR.1 20 , 23
20 FMT_MSA.1 FDP_IFC.1(1), 9, 11 , 21, 23
FDP_IFC.1(2),FMT_SMF.1,
FMT_SMR.1
21 FMT_SMF.1 None
22 FMT_MTD.1 FMT_SMF.1, FMT_SMR.1 21 , 23
23 FMT_SMR.1 FIA_UID.1 17
24 FPT_TST.1 None
25 FPT_FLS.1 ADV_SPM.1
26 FPT_RVM_EXP.1 None
27 FPT_SEP_EXP.1 None
28 FPT_STM_EXP.1 None
29 FTP_TRP.1 None
8.3 TOE Summary Specification Rationale
8.3.1 Rationale for TOE Security Functions
This section provides a table demonstrating the tracing of TOE security functions back to aspects
of the security functional requirements (SFRs).
A justification that the security functions are suitable to cover the SFRs can be found in Section
6.1.
Table 8-5 – TOE Security Function to SFR Mapping
Sub- Sub-function
SFR TSF function description
2007 Top Layer Networks. All Rights Reserved. 79
Top Layer Networks Security Target April 10, 2009
Sub- Sub-function
SFR TSF function description
FAU_GEN.1 Security Audit AU-1 Audit data
generation
FAU_GEN.2 AU-2 User identity
association
FAU_SAA.1 AU-3 Potential
violation analysis
FAU_ARP.1 AU-4 Security alarms
FAU_SAR.1 AU-5 Audit review
FAU_SAR.3 AU-6 Selectable Audit
Review
FAU_SEL.1 AU-7 Selective Audit
FAU_STG.1 AU-8 Protected Audit
Trail Storage
FDP_IFC.1(1) User Data IFC-1 Rate Based
Protection information flow
control
FDP_IFF.1(1)
FDP_IFC.1(2) IFC-2 Intrusion
FDP_IFF.1(2) Prevention
FIA_AFL.1 Identification IA-1 Authentication
and failure handling
Authentication
FIA_ATD.1 IA-2 User attribute
definition
FIA_UAU.1 IA-3 Timing of
Authentication
FIA_UAU.7 IA-4 Protected
authentication
feedback
FIA_UID.2 IA-5 User
identification
before any action
FMT_MOF.1 Security SM-1 Management of
FMT_MSA.3 Management security
functions
behaviour
FMT_MSA.1 SM-2 Static attribute
initialization
FMT_SMF.1 SM-3 Management of
security
attributes
FMT_MTD.1 SM-4 Specification of
Management
Functions
2007 Top Layer Networks. All Rights Reserved. 80
Top Layer Networks Security Target April 10, 2009
Sub- Sub-function
SFR TSF function description
SM-5 Management of
TSF Data
FMT_SMR.1 SM-6 Security roles
FPT_TST.1 Protection of SP-1 TSF self testing
FPT_FLS.1 TSF SP-2 Failure with
preservation of
secure state
FPT_RVM_EXP. SP-3 Partial Non-
1 bypassability of
the TSP
FPT_SEP_EXP.1 SP-4 Partial TSF
domain
separation
FPT_STM_EXP.1 SP-5 Reliable time
stamps
FTP_TRP.1 Trusted TC-1 Trusted Path
Path/Channels
8.4 Rationale For Strength of Function Claim
The TOE minimum strength of function is SOF-medium for the Identification and authentication
security function and is consistent with the claim of SOF-medium for the FIA_UAU.1 SFR that
maps to that security function. The evaluated TOE is intended to operate in commercial and
medium robustness environments processing unclassified information. This security function is
in turn consistent with the security objectives described in section 4.
8.5 Protection Profile Claims Rationale
This Security Target does not claim conformance to any Protection Profiles.
2007 Top Layer Networks. All Rights Reserved. 81
Top Layer Networks Security Target April 10, 2009
9 References
This section contains descriptions of documents pertaining to this ST and or subject TOE.
Table 9-1 References
Document Title ID
Common Criteria for Information Technology Security Evaluation, CCMB-2005-08-002, [CC]
Version 2.3, August 2005.
IPS 5500 E-Series: Functional Specification For Common Criteria EAL4 Evaluation Version [FSP]
1.2
IPS 5500 E-Series:High Level Design Low Level Design For Common Criteria EAL4 [HLD]
Evaluation Version 1.6
IPS 5500 E-Series:High Level Design Low Level Design For Common Criteria EAL4 [LLD]
Evaluation Version 1.6
Source Code Implementation [IMP]
IPS 5500 E-Series:High Level Design Low Level Design For Common Criteria EAL4 [RCR]
Evaluation Version 1.6
Top Layer Networks IPS 5500 E Security Target, Version 1.1 [SPM]
IPS 5500 E Configuration and Management Guide Part number 990-0188-09 [AGD]
IPS Hardware Installation Guide Part Number 990-0183-07
IPS 5500 E-Series: Configuration Management For Common Criteria EAL4 Evaluation Version [ACM]
0.8
IPS 5500 E-Series: Delivery and Modification Detection For Common Criteria EAL4 [ADO]
Evaluation Version 0.7
IPS 5500 E-Series: Development Security Procedures For Common Criteria EAL4 Evaluation [DVS]
Version 0.6
IPS 5500 E-Series: Developer Life Cycle Model For Common Criteria EAL4 Evaluation [LCD]
Version 0.6
IPS 5500 E-Series: Development Tools For Common Criteria EAL4 Evaluation Version 0.2 [TAT]
IPS 5500 E-Series: Test Coverage (ATE_COV.2) And Depth of Coverage (ATE_DPT.1) For [COV]
Common Criteria EAL4 Evaluation Version 0.7
IPS 5500 E-Series: Test Coverage (ATE_COV.2) And Depth of Coverage (ATE_DPT.1) For [DPT]
Common Criteria EAL4 Evaluation Version 0.7
IPS 5500 E-Series: Test Plan For Common Criteria EAL4 Evaluation Version 1.0 [FUN]
IPS 5500 E-Series: Common Criteria Analysis Guidance For Common Criteria EAL4 [MSU]
Evaluation Version 0.4
IPS 5500 E-Series: Strength of Function For Common Criteria EAL4 Evaluation Version 0.2 [SOF]
IPS 5500 E-Series: Vulnerability Analysis For Common Criteria EAL4 Evaluation Version 0.5 [VLA]
2007 Top Layer Networks. All Rights Reserved. 82
You might also like
- IT ICS Security Architecture Assessment - QuestionnaireNo ratings yetIT ICS Security Architecture Assessment - Questionnaire24 pages
- Fireeye HX Series Appliances: Fireeye, Inc. Common Criteria Security Target Document Version: 1.0No ratings yetFireeye HX Series Appliances: Fireeye, Inc. Common Criteria Security Target Document Version: 1.035 pages
- Securewave Sanctuary Device Control V3.2 Security Target: 15 March 2007No ratings yetSecurewave Sanctuary Device Control V3.2 Security Target: 15 March 200749 pages
- Foundry Networks IronShield (BigIron, NetIron, and FastIron) Switches and Routers Security TargetNo ratings yetFoundry Networks IronShield (BigIron, NetIron, and FastIron) Switches and Routers Security Target41 pages
- Fuji Xerox Apeosport-Ii C4300/C3300/C2200 Series Security Kit For Asia Pacific Security TargetNo ratings yetFuji Xerox Apeosport-Ii C4300/C3300/C2200 Series Security Kit For Asia Pacific Security Target57 pages
- Fortinet FortiGate - EAL4 - ST - V1.5.pdf (320893) - TMPNo ratings yetFortinet FortiGate - EAL4 - ST - V1.5.pdf (320893) - TMP82 pages
- Huawei Imanager U2000 Version 1 Release 6 Security Target v1.6No ratings yetHuawei Imanager U2000 Version 1 Release 6 Security Target v1.639 pages
- Hindoh MF2000 MF3000 MF4000 N610 N410 Series Security Target Lite V1.0No ratings yetHindoh MF2000 MF3000 MF4000 N610 N410 Series Security Target Lite V1.075 pages
- CA Siteminder Web Access Manager R12 SP1-CR3 Security TargetNo ratings yetCA Siteminder Web Access Manager R12 SP1-CR3 Security Target133 pages
- Netnumen™ U31: Network Element ManagementNo ratings yetNetnumen™ U31: Network Element Management43 pages
- Lancope StealthWatch Version 5.6.1 Security TargetNo ratings yetLancope StealthWatch Version 5.6.1 Security Target50 pages
- ECI LightSOFT-EMS-NPT-NPT Security Target v1.3No ratings yetECI LightSOFT-EMS-NPT-NPT Security Target v1.338 pages
- Assurance Activity Report for Ciena 6500 Packet Optical Platform Version 15.6No ratings yetAssurance Activity Report for Ciena 6500 Packet Optical Platform Version 15.6301 pages
- Ricoh Aficio MP c4501 Users Manual 121113No ratings yetRicoh Aficio MP c4501 Users Manual 12111394 pages
- Keysight Network Packet Broker v5.3.0 CC Guide 1.0No ratings yetKeysight Network Packet Broker v5.3.0 CC Guide 1.020 pages
- ECI LightSoft-EMS-APT-NPT Security Targetv1.8No ratings yetECI LightSoft-EMS-APT-NPT Security Targetv1.836 pages
- AhnLab TrusGuard V2.2 Security Target V1.8No ratings yetAhnLab TrusGuard V2.2 Security Target V1.8165 pages
- CAN Bus for Beginners: A Practical Guide to Automotive NetworkingFrom EverandCAN Bus for Beginners: A Practical Guide to Automotive NetworkingNo ratings yet
- Cybersecurity for Executives: A Guide to Protecting Your BusinessFrom EverandCybersecurity for Executives: A Guide to Protecting Your BusinessNo ratings yet
- Konica Minolta Bizhub 450i/360i/300i With FK514No ratings yetKonica Minolta Bizhub 450i/360i/300i With FK51471 pages
- ZTE Access Systems Series ZXA10 C300 C300M C350M v1 0 PDFNo ratings yetZTE Access Systems Series ZXA10 C300 C300M C350M v1 0 PDF26 pages
- Webmethods Fabric 6.5 Eal2 Common Criteria Evaluation Security Target V1.0 12 December 2005No ratings yetWebmethods Fabric 6.5 Eal2 Common Criteria Evaluation Security Target V1.0 12 December 200569 pages
- ZTE Access Systems Series ZXA10 C300 C300M C350M v1.0 PDFNo ratings yetZTE Access Systems Series ZXA10 C300 C300M C350M v1.0 PDF26 pages
- Issued On: June 24, 2013 Created By: KONICA MINOLTA, INCNo ratings yetIssued On: June 24, 2013 Created By: KONICA MINOLTA, INC54 pages
- ECI LightSOFT-STMS-Apollo Security Target v1.3No ratings yetECI LightSOFT-STMS-Apollo Security Target v1.338 pages
- Security Target: Author: Roger French 1.2 Date: 2009-01-23No ratings yetSecurity Target: Author: Roger French 1.2 Date: 2009-01-2356 pages
- 384-4-474 AhnLab EPP Security Target_1.2No ratings yet384-4-474 AhnLab EPP Security Target_1.235 pages
- CompTIA ActualTests N10-006 v2016-06-08 by Navi 289qNo ratings yetCompTIA ActualTests N10-006 v2016-06-08 by Navi 289q145 pages
- 9.advanced CheckPoint Interview Questions and Answers 2017No ratings yet9.advanced CheckPoint Interview Questions and Answers 20174 pages
- Starz University: College of Science and TechnologyNo ratings yetStarz University: College of Science and Technology11 pages
- Enterprise_Firewall_7.4_Administrator_Study_Guide-Online-4-52No ratings yetEnterprise_Firewall_7.4_Administrator_Study_Guide-Online-4-5249 pages
- Analysing EDR Logs With SIEM IntegrationNo ratings yetAnalysing EDR Logs With SIEM Integration45 pages
- 90281-IPv4 Firewall Rule Configuration On Cisco SA540 Security ApplianceNo ratings yet90281-IPv4 Firewall Rule Configuration On Cisco SA540 Security Appliance6 pages
- Estimating Log Generation White Paper PDFNo ratings yetEstimating Log Generation White Paper PDF6 pages
- SECPDS - 013 - EN 1804 NETSCOUT Arbor Edge Defense - 0 PDFNo ratings yetSECPDS - 013 - EN 1804 NETSCOUT Arbor Edge Defense - 0 PDF4 pages
- Routing Segmentation - SD-WAN Orchestrator DocsNo ratings yetRouting Segmentation - SD-WAN Orchestrator Docs1 page
