8. Supplemental Information
8.1. Conventions
8.1.3. Other Notations
Footnotes7 are used to provide further clarification for a statement, without breaking the flow of the text.
8.1.4. Highlighting Conventions
The conventions for SFRs described above in section 8.1.2 are expressed in chapter 6 by using combinations of bolded, italicized, and underlined text as specified in Table 8-1 below.
Table 8-1- SFR Highlighting Conventions
Convention Purpose Operation
Boldface Boldface text denotes completed component assignments.
7
Chapter 8. Supplemental Information 1/22/2014
Copyright 2013-14, Check Point Software Technologies Ltd. All Rights Reserved.
Convention Purpose Operation
Example:
6.2.5.9 Security roles (FMT_SMR.1)
FCS_SMR.1.1 The TSF shall maintain the roles Administrator, Remote User, VPN Gateway.
(completed) Assignment
Underline Underlined text denotes completed component selections (out of a set of selection options provided in the original CC requirement).
Example:
6.2.7.2 Trusted path (FTP_TRP.1)
FTP_TRP.1.1 The TSF shall provide a communication path between itself and local users that is logically distinct from other communication paths and provides as- sured identification of its end points and protection of the communicated data from modification or disclosure.
(completed) Selection
Boldface Underline
Underlined boldface text highlights component refinements.
Example:
FDP_ITC.2.2 The TSF shall use the media authorization security
attributes associated with the imported user data. Refinement Slash
(iteration)
A slash following the component name and a textual iteration modifier inform the reader that the requirement component will be used multiple times.
Examples:
6.2.2.4 Cryptographic key access (FCS_CKM.3) / Disk
FCS_CKM.3.1 The TSF shall perform password-based key wrapping of full disk encryption keys...
6.2.2.5 Cryptographic key access (FCS_CKM.3) / Smart Card
FCS_CKM.3.1 The TSF shall perform smart card-based key wrapping of full disk encryption keys...
8.2.
Terminology
In the Common Criteria, many terms are defined in Section 4 of CC Part 1. The following sections are a refined subset of those definitions, listed here to aid the user of this ST. The glossary is augmented with terms that are specific to the Check Point Endpoint Security product.
8.2.1. Glossary
Administrator An entity that has complete trust with respect to all policies implemented by the TSF.
Assets Entities that the owner of the TOE presumably places value upon.
Chapter 8. Supplemental Information 1/22/2014
Copyright 2013-14, Check Point Software Technologies Ltd. All Rights Reserved.
Authentication data Information used to verify the claimed identity of a user.
Authorisation Permission, granted by an entity authorised to do so, to perform functions and access data.
Authorised user A user who may, in accordance with the SFRs, perform an operation.
Compromise Violation of a security policy.
Confidentiality A security policy pertaining to disclosure of data.
External entity Any entity (human or IT) outside the TOE that interacts (or may interact) with the TOE.
Identity A representation (e.g. a string) uniquely identifying an authorised user, which can either be the full or abbreviated name of that user or a pseudonym.
Integrity A security policy pertaining to the corruption of data and TSF mechanisms.
Interface A means of interaction with a component or module.
Malware Software developed and distributed for malicious purposes.
Network Two or more machines interconnected for communications.
Object A passive entity in the TOE, that contains or receives information, and upon which subjects perform operations.
Operation A specific type of action performed by a subject on an object.
Operational Environment The environment in which the TOE is operated.
Packet A block of data sent over the network transmitting the identities of the sending and receiving stations, error-control information, and message.
Role a predefined set of rules establishing the allowed interactions between a user and the TOE.
Security attribute A property of subjects, users (including external IT products), objects, information, sessions and/or resources that is used in de- fining the SFRs and whose values are used in enforcing the SFRs.
Security objective A statement of intent to counter identified threats and/or satisfy identified organisation security policies and/or assumptions.
Spyware Malware intended to leak information from the TOE.
Subject An active entity in the TOE that performs operations on objects.
Threat The potential adverse action of a threat agent on an asset.
Threat Agent Entities that can adversely act on assets.
Target of evaluation A set of software, firmware and/or hardware possibly accompanied by guidance.
TOE security functionality A set consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the SFRs.
Chapter 8. Supplemental Information 1/22/2014
Copyright 2013-14, Check Point Software Technologies Ltd. All Rights Reserved.
Trusted channel A means by which a TSF and a remote trusted IT product can communicate with necessary confidence.
Trusted IT product An IT product other than the TOE which has its security functional requirements administratively coordinated with the TOE and which is assumed to enforce its security functional requirements correctly (e. g. by being separately evaluated).
Trusted path A means by which a user and a TSF can communicate with necessary confidence.
TSF data Data created by and for the TOE, that might affect the operation of the TOE.
User See external entity.
Vulnerability A weakness in the TOE that can be used to violate the SFRs in some environment.
Chapter 8. Supplemental Information 1/22/2014
Copyright 2013-14, Check Point Software Technologies Ltd. All Rights Reserved. 8.2.2. Abbreviations
Abbreviation Description
AES Advanced Encryption Standard
API Application Programming Interface
CA Certificate Authority
CC Common Criteria
CD Compact Disk
DES Data Encryption Standard
DEK Device Encryption Key
DH Diffie-Hellman
DLP Data Leak Prevention
ESP Encrypted Security Payload
EAL Evaluation Assurance Level
EPM Encryption Policy Manager
FDE Full Disk Encryption
FIPS Federal Information Processing Standards
FIPS PUB FIPS Publications
GUI Graphical User Interface
HFA Hot Fix Accumulator
HMAC Hashed Message Authentication Code
HTTP Hypertext Transfer Protocol
IKE Internet Key Exchange
IP Internet Protocol
IPSec Internet Protocol Security
IT Information Technology
KEK Key Encryption Key
LAN Local Area Network
MAC Message Authentication Code
ME Media Encryption
NAC Network Access Control
NIC Network Interface Card
Chapter 8. Supplemental Information 1/22/2014
Copyright 2013-14, Check Point Software Technologies Ltd. All Rights Reserved.
Abbreviation Description
PBE Pre-Boot Environment
PP Protection Profile
RFC Request for Comment
RSA Rivest, Shamir and Adleman
SFR Security Functional Requirement
SFP Security Function Policy
SHA-1 Secure Hash Algorithm 1
SSL Secure Sockets Layer
ST Security Target
TCP Transmission Control Protocol
TLS Transport Layer Security
TOE Target of Evaluation
TSF TOE Security Functionality
TSS TOE Summary Specification
UDP User Datagram Protocol
USB Universal Serial Bus
Chapter 8. Supplemental Information 1/22/2014
Copyright 2013-14, Check Point Software Technologies Ltd. All Rights Reserved.
8.3.
References
The following external documents are referenced in this Security Target. Identifier Document
[SP#770] Check Point, Security Policy Check Point Crypto Core version 1.3, Document Version 1.9, June 23, 2008, FIPS 140-2 Security Policy #770
[SP#784] Check Point, Reflex Magnetics Cryptographic Library v.1.0 Security Policy, Version 1.44, May 15, 2007, FIPS 140-2 Security Policy #784
[PKCS#1] RFC 3447 – Public Key Cryptography Standards (PKCS) #1: RSA Cryptography Specifications Version 2.1, February 2003
[PKCS#5] RSA Laboratories, PKCS #5 v2.1: Password-Based Cryptography Standard, October 5, 2006
[FIPS46-3] NIST FIPS PUB 46-3, Specifications for the Data Encryption Standard (DES), October 25, 1999
[FIPS140-2] NIST FIPS PUB 140–2, Security Requirements for Cryptographic Modules, December 3, 2002
[FIPS180-2] NIST FIPS PUB 180-2, Secure Hash Standard, August 1, 2002
[FIPS197] NIST FIPS PUB 197, Specification for the Advanced Encryption Standard (AES), November 26, 2001
[FIPS198] NIST FIPS PUB 198, Keyed-Hash Message Authentication Code (HMAC), March 6, 2002
[RFC 1321] RFC 1321 – The MD5 Message-Digest Algorithm, April 1992
[RFC2104] RFC 2104 – HMAC: Keyed-Hashing for Message Authentication, February 1997 [RFC2246] RFC 2246 – The TLS Protocol Version 1.0, January 1999
[RFC2401] RFC 2401 – Security Architecture for the Internet Protocol, November 1998 [RFC2404] RFC 2404 – The Use of HMAC-SHA-1-96 within ESP and AH, November 1998 [RFC2406] RFC 2406 – Encapsulating Security Payload (ESP), November 1998
[RFC2409] RFC 2409 - The Internet Key Exchange (IKE), November 1998
[X9.31] American Bankers Association, Digital Signatures Using Reversible Public Key Cryptography for the Financial Services Industry (rDSA), ANSI X9.31-1998
Appendix A - Supported Antivirus Solutions 1/22/2014
Copyright 2013-14, Check Point Software Technologies Ltd. All Rights Reserved.
Appendix A - Supported Antivirus Solutions
The vendor has tested TOE invocation of the following third party anti-virus software: McAfee VirusScan and Kaspersky Antivirus. Invocation of other anti-virus products was not covered by this evaluation; Check Point’s support website provides solution id sk68080 that provides a current list of AntiVirus products the vendor claims this product supports. New releases of those products are supported through the Flaw Remediation process. Due to the dynamic nature of AV products TOE users should contact Check Point Support for integration of new AV versions into the TOE.