F5 BIG-IP 12.1.3.4 for LTM+APM Security Target


Release Date: January 15, 2019
Version: 1.3

Prepared By: Saffire Systems, PO Box 40295, Indianapolis, IN 46240
Prepared For: F5 Networks, Inc., 401 Elliott Avenue West, Seattle, WA 98119

© 2018 F5 Networks. All Rights Reserved.

F5 BIG-IP APM 12.1.3.4 APM ST January 15, 2019

Table of Contents

1 INTRODUCTION
  1.1 SECURITY TARGET IDENTIFICATION
  1.2 TOE IDENTIFICATION
  1.3 DOCUMENT TERMINOLOGY
    1.3.1 ST Specific Terminology
    1.3.2 Acronyms
  1.4 TOE TYPE
  1.5 TOE OVERVIEW
  1.6 TOE DESCRIPTION
    1.6.1 Introduction
    1.6.2 Architecture Description
    1.6.3 Physical Boundaries
      1.6.3.1 Physical boundaries
      1.6.3.2 Guidance Documentation
    1.6.4 Logical Boundaries
      1.6.4.1 Security Audit
      1.6.4.2 Cryptographic Support
      1.6.4.3 Identification and Authentication
      1.6.4.4 Security Management
      1.6.4.5 Protection of the TSF
      1.6.4.6 TOE access
      1.6.4.7 Trusted Path/Channels
2 CONFORMANCE CLAIMS
  2.1 CC CONFORMANCE CLAIMS
  2.2 PP AND PACKAGE CLAIMS
  2.3 CONFORMANCE RATIONALE
3 SECURITY PROBLEM DEFINITION
  3.1 THREAT ENVIRONMENT
  3.2 THREATS
  3.3 ORGANISATIONAL SECURITY POLICIES
  3.4 ASSUMPTIONS
4 SECURITY OBJECTIVES
  4.1 SECURITY OBJECTIVES FOR THE ENVIRONMENT
5 EXTENDED COMPONENTS DEFINITION
6 SECURITY REQUIREMENTS
  6.1 CONVENTIONS
  6.2 SECURITY FUNCTIONAL REQUIREMENTS
    6.2.1 Security Audit (FAU)
      6.2.1.1 FAU_GEN.1 Audit Data Generation
      6.2.1.2 FAU_GEN.2 User Identity Association
      6.2.1.3 FAU_STG.1 Protected Audit Trail Storage
      6.2.1.4 FAU_STG_EXT.1 Protected Audit Event Storage
      6.2.1.5 FAU_STG_EXT.3 Display Warning for Local Storage Space
    6.2.2 Cryptographic Operations (FCS)
      6.2.2.1 FCS_CKM.1 Cryptographic Key Generation
      6.2.2.2 FCS_CKM.2 Cryptographic Key Establishment
      6.2.2.3 FCS_CKM.4 Cryptographic Key Destruction
      6.2.2.4 FCS_COP.1(1) Cryptographic operation (AES Data Encryption/Decryption)
      6.2.2.5 FCS_COP.1(2) Cryptographic operation (Signature Generation and Verification)
      6.2.2.6 FCS_COP.1(3) Cryptographic operation (Hash Operation)
      6.2.2.7 FCS_COP.1(4) Cryptographic operation (Keyed Hash Algorithm)
      6.2.2.8 FCS_HTTPS_EXT.1 HTTPS Protocol
      6.2.2.9 FCS_RBG_EXT.1 Random Bit Generation
      6.2.2.10 FCS_SSHS_EXT.1 SSH Server Protocol
      6.2.2.11 FCS_TLSC_EXT.2[1] TLS Client Protocol with authentication (TLS 1.1)
      6.2.2.12 FCS_TLSC_EXT.2[2] TLS Client Protocol with authentication (TLS 1.2)
      6.2.2.13 FCS_TLSS_EXT.1[1] TLS Server Protocol (Data Plane Server - TLS 1.1)
      6.2.2.14 FCS_TLSS_EXT.1[2] TLS Server Protocol (Data Plane Server - TLS 1.2)
      6.2.2.15 FCS_TLSS_EXT.1[3] TLS Server Protocol (Control Plane Server - TLS 1.1)
      6.2.2.16 FCS_TLSS_EXT.1[4] TLS Server Protocol (Control Plane Server - TLS 1.2)
    6.2.3 Identification and Authentication (FIA)

© 2018, 2019 F5 Networks. All Rights Reserved.
