Check Point VSX Security Target Version 1.1 May 20, 2012 Prepared for: 5 Ha’Solelim St. Tel Aviv, Israel 67897 Prepared by: Metatron Security Services Ltd. 66 Yosef St., Modiin, Israel 71724 All marks, trademarks, and logos mentioned in this material are the property of their respective owners. ©2012 Check Point Software Technologies Ltd. All Rights Reserved. Classification: [Unrestricted]—For everyone Check Point VSX Security Target Version 1.1 2 Prologue 5/20/2012 Document Version Control Log Version Date Author Description 0.1 June 11, 2009 Nir Naaman Initial CCv3.1 version. 0.7 October 15, 2009 Nir Naaman Post-iVOR validator-requested updates. 0.95 November 9, 2011 Nir Naaman Updated TOE software version to VSX R67.10.20 in combination with Provider-1 R71 with R7x hotfix. Added supported VSX appliances. 1.0 February 15, 2012 Nir Naaman Updated list of supported Open Servers. Referenced updated evaluated configuration guidance. 1.1 May 20, 2012 Nir Naaman Referenced final evaluated configuration guidance. ©2012 Check Point Software Technologies Ltd. All Rights Reserved. 2 Classification: [Unrestricted]—For everyone Check Point VSX Security Target Version 1.1 3 Prologue 5/20/2012 Table of Contents 1. ST Introduction ........................................................................................................................... 9 1.1. ST Reference .................................................................................................................. 9 1.2. TOE Reference ............................................................................................................... 9 1.3. Document Organization ............................................................................................... 10 1.4. TOE Overview ............................................................................................................. 11 1.4.1. Usage and Major Security Features of the TOE ....................................................... 11 1.4.2. TOE Type.................................................................................................................. 12 1.4.3. Non-TOE Hardware/Software/Firmware Required by the TOE .............................. 13 1.5. TOE Description .......................................................................................................... 14 1.5.1. Physical Scope of the TOE ....................................................................................... 15 1.5.2. TOE Guidance .......................................................................................................... 20 1.5.3. Logical Scope of the TOE......................................................................................... 21 1.5.4. Check Point Services ................................................................................................ 37 1.5.5. Example Deployment Strategies ............................................................................... 39 2. Conformance Claims ................................................................................................................ 42 2.1. CC Conformance .......................................................................................................... 42 2.2. Assurance Package Conformance ................................................................................ 42 2.3. PP Conformance ........................................................................................................... 42 2.4. Conformance Rationale ................................................................................................ 42 2.4.1. Introduction ............................................................................................................... 42 2.4.2. Consistency of the Security Problem Definition ...................................................... 42 2.4.3. Security Objectives Conformance ............................................................................ 43 2.4.4. Security Functional Requirements Conformance ..................................................... 46 2.4.5. Security Assurance Requirements Conformance...................................................... 51 3. Security Problem Definition ..................................................................................................... 52 3.1. Threats .......................................................................................................................... 52 3.1.1. Firewall-related Threats ............................................................................................ 52 3.1.2. IDS-related Threats ................................................................................................... 53 3.1.3. Virtualization-related Threats ................................................................................... 54 ©2012 Check Point Software Technologies Ltd. All Rights Reserved. 3 Classification: [Unrestricted]—For everyone Check Point VSX Security Target Version 1.1 4 Prologue 5/20/2012 3.1.4. VPN-related Threats ................................................................................................. 54 3.1.5. Fault-related Threats ................................................................................................. 54 3.2. Assumptions ................................................................................................................. 54 3.3. Organizational Security Policies .................................................................................. 55 3.3.1. Virtualization OSPs .................................................................................................. 55 3.3.2. IDS System PP OSPs ................................................................................................ 55 4. Security Objectives ................................................................................................................... 56 4.1. Security Objectives for the TOE .................................................................................. 56 4.1.1. Firewall PP Objectives .............................................................................................. 56 4.1.2. IDS PP Objectives..................................................................................................... 57 4.1.3. Virtualization Objectives .......................................................................................... 57 4.1.4. VPN Objectives ........................................................................................................ 58 4.1.5. Fault Tolerance Objectives ....................................................................................... 58 4.2. Security Objectives for the Operational Environment ................................................. 58 4.2.1. Security Objectives for the Environment Upholding Assumptions .......................... 58 4.2.2. Authentication Security Objectives for the IT Environment .................................... 59 4.2.3. VPN Security Objectives for the IT Environment .................................................... 59 4.2.4. VLAN Security Objectives for the IT Environment ................................................. 59 4.3. Security Objectives Rationale ...................................................................................... 61 4.3.1. Security Objectives Countering Threats ................................................................... 61 4.3.2. Security Objectives Upholding OSPs ....................................................................... 67 4.3.3. Security Objectives Upholding Assumptions ........................................................... 69 5. Extended Components Definition ............................................................................................. 70 5.1. Class IDS: Intrusion Detection ..................................................................................... 70 5.1.1. IDS data analysis (IDS_ANL) .................................................................................. 71 5.1.2. IDS reaction (IDS_RCT) .......................................................................................... 71 5.1.3. IDS data review (IDS_RDR) .................................................................................... 72 5.1.4. IDS data collection (IDS_SDC) ................................................................................ 73 5.1.5. IDS data storage (IDS_STG) .................................................................................... 74 6. Security Requirements .............................................................................................................. 76 6.1. Definitions .................................................................................................................... 76 6.1.1. Objects and Information ........................................................................................... 76 ©2012 Check Point Software Technologies Ltd. All Rights Reserved. 4 Classification: [Unrestricted]—For everyone Check Point VSX Security Target Version 1.1 5 Prologue 5/20/2012 6.1.2. Subjects ..................................................................................................................... 76 6.1.3. Users ......................................................................................................................... 77 6.1.4. Security Function Policies ........................................................................................ 78 6.2. Security Functional Requirements