6. TOE SUMMARY SPECIFICATION

6.1 TOE SECURITY FUNCTIONS

6.1.5 Security management

The factory default configuration of the TOE has a single administrative account ('root') with all privileges on the device. To place the TOE in the evaluated configuration, the administrator uses this root account to configure three accounts, corresponding to the Security, Cryptographic and Audit administrative roles. The TOE also recognizes non-administrative users who may require authentication prior to permitting their traffic to traverse the firewall. The only other form of entity recognized by the TOE is an external IT entity. An external IT entity may be either authorized or not authorized. Authorized IT entities are those external IT entities for which the TOE has been configured to utilize the external functionality (e.g., an external NTP server can be an authorized IT entity).

When each new account is created, an attribute must be assigned to that account indicating the role associated with that account. An attribute exists for each of the Security, Cryptographic and Audit administrative roles. Once the three accounts have been created, there is no overlap between the privileges available to them, except the ability to review the audit trail and invoke self-tests.

Administrators in any of these roles can log in to the TOE either locally or remotely. Because of the FIPS 140-2 level 3 cryptographic ports and interfaces requirements, local administration is permitted only for the purpose of placing the TOE into the evaluated configuration. Use of the serial console for administration is not included in the evaluated configuration; the console is only allowed for the receipt of alarms, given that it is directly connected via a dedicated connection and that this connection is physically protected against tampering, as is the TOE itself. Use of the web interface is not included in the evaluated configuration. Remote administration utilizes an SSH-protected communication pathway to present a command line interface.

The security administrator is allowed to perform the following:

1) specify the interval at which the TSF self tests periodically run

2) enable, disable, determine and modify the set of rules that indicates potential violations (FAU_SAA)

3) enable, disable, determine and modify the set of audited events (FAU_SEL)

4) perform searches and sorting of audit data (FAU_SAR)

5) manipulate the security attributes referenced in the TRANSPARENT MODE VPN SFP, ROUTE MODE VPN SFP, TRANSPARENT MODE FIREWALL SFP, ROUTE MODE FIREWALL SFP and UNAUTHENTICATED TOE SERVICES SFP policies

6) query, modify, delete, clear all TSF data, except cryptographic security data and audit data

7) enable or disable the audible alarm mechanism on alarm messages (FAU_ARP)

8) acknowledge alarm messages (FAU_ARP)

9) enable, disable the ICMP functions

10) determine and modify the administrator-specified network identifier or set of identifiers that are used for the monitoring of resource utilization quotas (FRU_RSA)

11) determine and modify the administrator-specified period of time that is used for the monitoring of resource utilization quotas (FRU_RSA)

12) specify alternative initial values to override the default values for the TRANSPARENT and ROUTE MODE VPN SFPs

13) specify alternative initial values to override the default values for the TRANSPARENT and ROUTE MODE FIREWALL SFPs

14) specify alternative initial values to override the default values for the UNAUTHENTICATED TOE SERVICES SFP and

15) set the time and date used to form the time stamps.

The cryptographic administrator is allowed to perform the following:

• enable or disable the cryptographic and key generation self-tests;

• perform searches and sorting of audit data;

• modify cryptographic security data;

• acknowledge alarm messages (FAU_ARP);

• execute TSF self tests.

The audit administrator is allowed to perform the following:

• perform searches and sorting of audit data;

• acknowledge alarm messages (FAU_ARP);

• delete audit log entries;

• execute TSF self tests.

The Security management function is designed to satisfy the following security functional requirements:

• FMT_MOF.1(1): The security administrator can specify the interval at which the TSF self-tests run.

• FMT_MOF.1(2): The cryptographic administrator can enable or disable the cryptographic and key generation self-tests.

• FMT_MOF.1(3): All administrators are allowed to perform searches and sorting of audit data.

• FMT_MOF.1(4): The security administrator can enable, disable, determine and modify the set of rules that indicates potential violations and the set of audited events.

• FMT_MOF.1(5): The security administrator can enable or disable the audible alarm mechanism on alarm messages.

• FMT_MOF.1(6): The security administrator can enable and disable the ICMP functions.

• FMT_MOF.1(7): The security administrator determines and modifies the administrator-specified network identifier or set of identifiers that are used for the monitoring of resource utilization quotas. The security administrator determines and modifies the administrator-specified period of time that is used for the monitoring of resource utilization quotas. Also, the security administrator configures the quotas for controlled connection-oriented resource allocation (FRU_RSA.1(2)).

• FMT_MSA.1: The security administrator manipulates the security attributes referenced in the TRANSPARENT MODE VPN SFP, ROUTE MODE VPN SFP, TRANSPARENT MODE FIREWALL SFP, ROUTE MODE FIREWALL SFP and UNAUTHENTICATED TOE SERVICES SFP policies.

• FMT_MSA.3(1): By default, a security appliance denies all traffic in all directions.

• FMT_MSA.3(2): By default, the UNAUTHENTICATED TOE SERVICES SFP denies all services. If the security administrator enables a service, it will remain enabled across a device reset.

• FMT_MTD.1(1): Only administrators that are given accounts are permitted to log in (either locally or remotely) to the TOE.

• FMT_MTD.1(2): The cryptographic administrator is allowed to modify cryptographic data within the TOE.

• FMT_MTD.1(3): Only the security administrator can use the 'set time' command to modify the time used by the TOE. An authorized NTP server can also affect the time used by the TOE.

• FMT_MTD.1(4): Only the Security Administrator is allowed to query, modify, delete and create the VPN Policy rules. The command line interface functions used by the security administrator are the 'set vpn' and 'get vpn' commands.

• FMT_MTD.2(1): The TSF restricts the specification of the limits for quotas on transport-layer connections, i.e. TCP SYN flood protection, to the Security Administrator. The TSF drops traffic exceeding the limits, logging that it does so.

• FMT_MTD.2(2): The TSF restricts the specification of the limits for quotas on controlled connection-oriented resources to the Security Administrator. The SA may configure the TSF to either deny and log the traffic, or allow and log. The default behavior is to deny and log.

• FMT_REV.1: All configuration changes made to the TOE become effective immediately after the command has succeeded. This occurs even though the configuration change itself may not yet have been saved to permanent storage. This includes revocation of an administrative role, changes to the information flow policy ruleset, disabling a service to unauthenticated users and changes to security associations.

• FMT_SMF.1: The TSF provides all of the management operations specified by the FMT_SMF.1 requirement as shown in the lists above.

• FMT_SMR.2: The TSF defines the roles Cryptographic, Audit and Security Administrator with duties as described above. Users in these roles may log in to the TOE remotely. As mentioned above, administration via the local console is not permitted by the FIPS 140-2 level 3 cryptographic ports and interfaces requirements. However, the local console may be used for monitoring alarms.