F5 BIG-IP 12.1.3.4 for LTM+APM Security Target

Total pages: 16

File type: PDF, size: 1020 KB

Release Date: January 15, 2019
Version: 1.3

Prepared By: Saffire Systems, PO Box 40295, Indianapolis, IN 46240
Prepared For: F5 Networks, Inc., 401 Elliott Avenue West, Seattle, WA 98119

© 2018 F5 Networks. All Rights Reserved.

F5 BIG-IP APM 12.1.3.4 APM ST, January 15, 2019

Table of Contents

1 Introduction
  1.1 Security Target Identification
  1.2 TOE Identification
  1.3 Document Terminology
    1.3.1 ST Specific Terminology
    1.3.2 Acronyms
  1.4 TOE Type
  1.5 TOE Overview
  1.6 TOE Description
    1.6.1 Introduction
    1.6.2 Architecture Description
    1.6.3 Physical Boundaries
      1.6.3.1 Physical Boundaries
      1.6.3.2 Guidance Documentation
    1.6.4 Logical Boundaries
      1.6.4.1 Security Audit
      1.6.4.2 Cryptographic Support
      1.6.4.3 Identification and Authentication
      1.6.4.4 Security Management
      1.6.4.5 Protection of the TSF
      1.6.4.6 TOE Access
      1.6.4.7 Trusted Path/Channels
2 Conformance Claims
  2.1 CC Conformance Claims
  2.2 PP and Package Claims
  2.3 Conformance Rationale
3 Security Problem Definition
  3.1 Threat Environment
  3.2 Threats
  3.3 Organisational Security Policies
  3.4 Assumptions
4 Security Objectives
  4.1 Security Objectives for the Environment
5 Extended Components Definition
6 Security Requirements
  6.1 Conventions
  6.2 Security Functional Requirements
    6.2.1 Security Audit (FAU)
      6.2.1.1 FAU_GEN.1 Audit Data Generation
      6.2.1.2 FAU_GEN.2 User Identity Association
      6.2.1.3 FAU_STG.1 Protected Audit Trail Storage
      6.2.1.4 FAU_STG_EXT.1 Protected Audit Event Storage
      6.2.1.5 FAU_STG_EXT.3 Display Warning for Local Storage Space
    6.2.2 Cryptographic Operations (FCS)
      6.2.2.1 FCS_CKM.1 Cryptographic Key Generation
      6.2.2.2 FCS_CKM.2 Cryptographic Key Establishment
      6.2.2.3 FCS_CKM.4 Cryptographic Key Destruction
      6.2.2.4 FCS_COP.1(1) Cryptographic Operation (AES Data Encryption/Decryption)
      6.2.2.5 FCS_COP.1(2) Cryptographic Operation (Signature Generation and Verification)
      6.2.2.6 FCS_COP.1(3) Cryptographic Operation (Hash Operation)
      6.2.2.7 FCS_COP.1(4) Cryptographic Operation (Keyed Hash Algorithm)
      6.2.2.8 FCS_HTTPS_EXT.1 HTTPS Protocol
      6.2.2.9 FCS_RBG_EXT.1 Random Bit Generation
      6.2.2.10 FCS_SSHS_EXT.1 SSH Server Protocol
      6.2.2.11 FCS_TLSC_EXT.2[1] TLS Client Protocol with Authentication (TLS 1.1)
      6.2.2.12 FCS_TLSC_EXT.2[2] TLS Client Protocol with Authentication (TLS 1.2)
      6.2.2.13 FCS_TLSS_EXT.1[1] TLS Server Protocol (Data Plane Server - TLS 1.1)
      6.2.2.14 FCS_TLSS_EXT.1[2] TLS Server Protocol (Data Plane Server - TLS 1.2)
      6.2.2.15 FCS_TLSS_EXT.1[3] TLS Server Protocol (Control Plane Server - TLS 1.1)
      6.2.2.16 FCS_TLSS_EXT.1[4] TLS Server Protocol (Control Plane Server - TLS 1.2)
    6.2.3 Identification and Authentication (FIA)