haltdos mitigation platform - common criteria · 17/09/2018 · april 10, 2017 1.0 anshul saxena...

Security Target: HaltDos Mitigation Platform version 1.1 (Haltdos.com Private Limited)

of 91

HaltDosMitigationPlatform

Version1.1

SecurityTarget

Version1.4

September17,2018

PreparedFor

Haltdos.comPrivateLimitedE–52,Sector-3,

NOIDA,UP,India–201301Ph:0120-4545911Fax:0120-4243669

www.haltdos.com


of 91

RevisionHistory

Date Version Author DescriptionApril10,2017 1.0 AnshulSaxena FirstDraftJan03,2017 1.1 AnshulSaxena SecondDraftasper

recommendationsApril25,2018 1.2 AnshulSaxena Thirddraftasper

recommendationJune22,2018 1.3 AnshulSaxena Fourthdraftasper

recommendationSeptember17,2018 1.4 AnshulSaxena Finaldraft


of 91

TableofContents1SecurityTargetIntroduction 9

1.1SecurityTargetReference 9

1.2TOEReference 9

1.3TOEOverview 9

1.3.1TOEType 10

1.3.2TOEBuildNumber 10

1.3.2.1IdentificationMethod: 10

1.3.2.2PlatformVersioning: 11

1.4TOEDescription 11

1.4.1Acronyms 11

1.4.2Description 12

1.4.2.1TOEDependencies 14

1.4.3UserDescription 15

1.4.4UserInterfaces 16

1.4.4.1WebbasedUserInterface(GUI) 16

1.4.4.2CommandLineInterface(CLI) 17

1.4.5TOEDataDescription 18

1.4.6ProductGuidance 18

1.4.7BusinessViewoftheTOE 18

1.4.8PhysicalScopeoftheTOE 19

1.4.8.1IncludedintheTOE: 20

1.4.8.2ExcludedfromtheTOE: 20

1.4.9LogicalScopeoftheTOE 20

1.4.10EnvironmentoftheTOE 22

1.4.11DeliveryMethod 22

2ConformanceClaims 23

2.1CommonCriteriaConformance 23

2.2ProtectionProfileClaim 23

2.3PackageClaim 23

3SecurityProblemDefinition 24

3.1Threats 24

3.2Assumptions 24

3.3OrganizationalSecurityPolicies 25

4SecurityObjectives 26

4.1SecurityObjectivesfortheTOE 26

4.2SecurityObjectivesfortheOperationalEnvironment 26


of 91

4.3SecurityObjectivesRationale 27

5ExtendedComponentsDefinition 32

5.1DDoS_DEF_EXT.1DDoSDefence 32

5.1.1Class:DDoS:DistributedDenialofService 32

5.1.2Family:DDoSDefence(DDoS_DEF) 32

5.1.2.1FamilyBehaviour 32

5.1.2.2Componentlevelling 32

5.1.2.3Management 32

5.1.2.4Audit 33

5.1.3Definition 33

5.1.4Rationale 33

5.2DDoS_NOT_EXT.1Explicit:SecurityNotifications 34

5.2.1Class:DDoS:DistributedDenialofService 34

5.2.2Family:SecurityNotifications(DDoS_NOT) 34




5.2.2.4Audit 34

5.2.3Definition 34

5.2.4Rationale 36

5.3FIA_UAU_EXT.2Userauthenticationbeforeanyaction 36

5.3.1ClassFIA:Identificationandauthentication 36

5.3.2Family:Userauthentication(FIA_UAU) 36




5.3.2.4Audit 36

5.3.3Definition 37

5.3.4Rationale 37

6SecurityRequirements 38

6.1SecurityFunctionalRequirementsfortheTOE 38

6.1.1ClassFAU:SecurityAudit 40

6.1.1.1FAU_GEN.1AuditDataGeneration 40

6.1.1.2FAU_GEN.2UserIdentityAssociation 41

6.1.1.3FAU_SAR.1AuditReview 41

6.1.1.4FAU_SAR.3SelectableAuditReview 42

6.1.1.5FAU_STG.1Protectedaudittrailstorage 42


of 91

6.1.2ClassFIA:Identificationandauthentication 42

6.1.2.1FIA_ATD.1UserAttributeDefinition 42

6.1.2.2FIA_SOS.1VerificationofSecrets 43

6.1.2.3FIA_UAU.5MultipleAuthenticationMechanisms 43

6.1.2.4FIA_UAU_EXT.2UserAuthenticationBeforeanyAction 44

6.1.2.5FIA_UID.1TimingofIdentification 44

6.1.2.6FIA_UID.2UserIdentificationBeforeanyAction 44

6.1.3ClassFMT:SecurityManagement 45

6.1.3.1FMT_MTD.1ManagementofTSFdata 45

6.1.3.2FMT_SMF.1SpecificationofManagementFunctions 46

6.1.3.3FMT_SMR.1SecurityRoles 47

6.1.3.4FMT_MSA.1ManagementofSecurityAttributes 47

6.1.3.5FMT_MSA.3StaticAttributeInitialization 47

6.1.4ClassFPT:ProtectionofTSF 48

6.1.4.1FPT_FLS.1FailurewithPreservationofSecureState 48

6.1.4.2FPT_STM.1ReliableTimeStamps 48

6.1.5ClassDDoS:DistributedDenialofService 48

6.1.5.1DDoS_DEF_EXT.1DDoSDefence 48

6.1.5.2DDoS_NOT_EXT.1Explicit:SecurityNotifications 49

6.1.6ClassFTP:TrustedPath/Channels 50

6.1.6.1FTP_ITC.1Inter-TSFTrustedChannel 50

6.1.6.2FTP_TRP.1TrustedPath 50

6.1.7ClassFDP:UserDataProtection 50

6.1.7.1FDP_IFC.1SubsetInformationFlowControl 50

6.1.7.2FDP_IFF.1SimpleSecurityAttributes 51

6.1.7.3FDP_ITC.1ImportofUserDatawithoutSecurityAttributes 52

6.1.7.4FDP_ITT.1BasicInternetTransferProtection 52

6.1.8ClassFCS:CryptographicSupport 52

6.1.8.1FCS_COP.1CryptographicOperation(a) 52

6.1.8.2FCS_COP.1CryptographicOperation(b) 53

6.1.8.3FCS_COP.1CryptographicOperation(c) 53

6.2SecurityAssuranceRequirementsfortheTOE 53

6.2.1ADV_ARC.1SecurityArchitectureDescription 54

6.2.2ADV_FSP.2Security-enforcingfunctionalspecification 55

6.2.3ADV_TDS.1Basicdesign 55

6.2.4AGD_OPE.1Operationaluserguidance 56

6.2.5AGD_PRE.1Preparativeprocedures 57


of 91

6.2.6ALC_CMC.3Authorisationcontrols 57

6.2.7ALC_CMS.3ImplementationrepresentationCMcoverage 58

6.2.8ALC_DEL.1Deliveryprocedures 58

6.2.10ALC_DVS.1Identificationofsecuritymeasures 59

6.2.11ALC_LCD.1Developerdefinedlife-cyclemodel 59

6.2.12ASE_CCL.1Conformanceclaims 59

6.2.13ASE_ECD.1Extendedcomponentsdefinition 60

6.2.14ASE_INT.1STintroduction 61

6.2.15ASE_OBJ.2Securityobjectives 62

6.2.16ASE_REQ.2Derivedsecurityrequirements 62

6.2.17ASE_SPD.1Securityproblemdefinition 63

6.2.18ASE_TSS.1TOEsummaryspecification 64

6.2.19ATE_COV.1Evidenceofcoverage 64

6.2.20ATE_FUN.1Functionaltesting 64

6.2.21ATE_IND.2Independenttesting-sample 65

6.2.22AVA_VAN.2Vulnerabilityanalysis 65

6.3SecurityRequirementsRationale 65

6.3.1AssuranceRationale 65

6.3.2DependenciesSatisfactionRationale 66

6.3.3FunctionalRequirementsvsObjectivesSatisfactionRationale 67

7TOESummarySpecification 72

7.1SecurityAudit 73

7.1.1SA-1:AuditGeneration 73

7.1.2SA-2:AuditReview 73

7.1.3SA-3:AuditProtection 73

7.2ProtectionofTSF 74

7.2.1FPT-1:Failurewithpreservationofsecurestate 74

7.2.2FPT-2:ReliableTimeStamps 74

7.3IdentificationandAuthentication 75

7.3.1IA-1:UserAttributes 75

7.3.2IA-2:UserI&A 75

WARNING:Defaultusernameandpassword 76

7.4SecurityManagement 76

7.4.1SM-1:ManagementofTSFData 76

7.4.2SM-2:SpecificationofManagementFunctions 76

7.4.3SM-3:SecurityRoles 77

7.5TrustedCommunications 78


of 91

7.5.1TC-1:TrustedChannelforAuthentication 78

7.5.2TC-2:TrustedChannelforIPReputation,TorIP&SoftwareUpdates 78

7.5.3TC-3:TrustedPathforCLIAccess 78

7.5.4TC-4:TrustedPathforhdDeviceUI 78

7.6ResourceUtilization(DDoSProtection) 78

7.6.1DDoS-1:DDoSDetect 78

7.6.2DDoS-2AdditionalFilterControl 80

7.6.3DDoS-3Notification 83

8GlossaryofTerms 85


of 91

ListofTablesandFiguresTABLE1-1:PRODUCTSPECIFICACRONYMS................................................................................................................................................12TABLE1-2:CCSPECIFICACRONYMS............................................................................................................................................................12FIGURE1-1:OFF-LINEMODEDEPLOYMENT...............................................................................................................................................13FIGURE1-2:IN-LINEMODEDEPLOYMENT..................................................................................................................................................14TABLE1-3:HALTDOSAPPLIANCECOMMONFEATURES...........................................................................................................................14FIGURE1-3:BACKPANELOFTHEHALTDOSAPPLIANCEWITH1GCOPPERINTERFACES....................................................................15FIGURE1-4:PROTECTIONINTERFACES........................................................................................................................................................15TABLE1-4:PREDEFINEDUSERAUTHORITY...............................................................................................................................................16TABLE1-5:MENUBAROFHDDEVICEUI.....................................................................................................................................................17FIGURE1-5:OPTIONSFORCONNECTINGTOTHECLI................................................................................................................................17TABLE1-6:CONNECTIONOPTIONS...............................................................................................................................................................17TABLE1-7:TOEUSERGUIDANCEDOCUMENTS........................................................................................................................................18FIGURE1-6:TOEPHYSICALBOUNDARY.....................................................................................................................................................19FIGURE1-7:TOEENVIRONMENT.................................................................................................................................................................19TABLE3-1:TOETHREATS.............................................................................................................................................................................24TABLE3-2:ASSUMPTIONS..............................................................................................................................................................................25TABLE4-1:TOESECURITYOBJECTIVES......................................................................................................................................................26TABLE4-2:SECURITYOBJECTIVESFORTHEOPERATIONALENVIRONMENT.........................................................................................27TABLE4-3:MAPPINGOFTOESECURITYOBJECTIVESTOTHREATS/POLICIES....................................................................................27TABLE4-4:MAPPINGOFSECURITYOBJECTIVESFORTHEOPERATIONALENVIRONMENTTOTHREATS/POLICIES/ASSUMPTIONS

..................................................................................................................................................................................................................27TABLE4-5:ALLTHREATSTOSECURITYCOUNTERED...............................................................................................................................29TABLE4-6:ALLASSUMPTIONSUPHELD......................................................................................................................................................31TABLE5-1:EXTENDEDCOMPONENTS..........................................................................................................................................................32TABLE6-1:FUNCTIONALCOMPONENTS......................................................................................................................................................39TABLE6-2:FUNCTIONALCOMPONENTS......................................................................................................................................................40TABLE6-3:AUDITRECORDINFORMATION.................................................................................................................................................41TABLE6-4:TOEPASSWORDPOLICYRULES..............................................................................................................................................43TABLE6-5:MANAGEMENTOFTSFDATA...................................................................................................................................................46TABLE6-6:SECURITYNOTIFICATIONS.........................................................................................................................................................49TABLE6-7:EAL2ASSURANCECOMPONENTS............................................................................................................................................54TABLE6-8:TOEDEPENDENCIESSATISFIED..............................................................................................................................................67TABLE6-9:MAPPINGOFTOESFRSTOTOESECURITYOBJECTIVES....................................................................................................68TABLE6-10:ALLTOEOBJECTIVESMETBYSECURITYFUNCTIONALREQUIREMENTS.......................................................................71TABLE7-1:SECURITYFUNCTIONALREQUIREMENTSMAPPEDTOSECURITYFUNCTIONS..................................................................72TABLE7-2:AUDITSEARCHFIELDS...............................................................................................................................................................73TABLE7-4:AUTHENTICATIONSCENARIOEXAMPLES................................................................................................................................75TABLE7-6:ALERTTYPES...............................................................................................................................................................................84


of 91

1SecurityTargetIntroduction

1.1SecurityTargetReference

STTitle:

HaltDosMitigationPlatform

STVersion:

v1.4

STAuthor:

Haltdos.comPrivateLimited

STDate: September17,2018

1.2TOEReferenceTOE Identification: HaltDos Mitigation Platform version 1.1 comprising of hdInspector version 1.0,hdDeviceUIversion2.0,hdDetectionServiceversion1.0andhdCLIversion2.0.Refersection1.4.8.2forthelistofdependencies(hardware/software/firmware)neededbytheTOEbutexcludedfromevaluation.TOEVendor:Haltdos.comPrivateLimited

1.3TOEOverview The Target of Evaluation (TOE) is HaltDos Mitigation Platform version 1.1. It is a software solutioncomprisingofhdInspectorversion1.0,hdDeviceUIversion2.0,hdDetectionServiceversion1.0andhdCLIversion2.0.TheTOEcanbe installedonasingle, stand-aloneappliancetoprotect InternetProtocol (IP)networksfromthreatsagainstDistributedDenialofService(DDoS)attacks.TheTOEprovidesLayer3toLayer7DDoSdetectionandmitigation(filtering)capabilitythatminimizeapplicationdowntimeintheeventofaDDoSattack.TheapplianceinstalledwiththeTOEisusuallydeployedatingresspointsofanenterprise(beforeoraftertheingressrouter)todetect,block,andreportonvariouscategoriesofDDoSattacks.TheTOEcontinuouslymonitorsallincomingandoutgoingtrafficandcanautomaticallydetectandmitigatevarioustypesofDDoSattackstargetingonlineservices.FollowingisthelistofsecurityfeaturesoftheTOE:

• Auditdatageneration• Useridentityassociation• Auditreview• Selectableauditreview• Protectedaudittrailstorage• Userattributedefinition• Verificationofsecrets• Multipleauthenticationmechanism


of 91

• Userauthenticationbeforeanyaction• Useridentificationbeforeanyaction• ManagementofTSFdata• Specificationofmanagementfunctions• Securityroles• FailurewithPreservationofSecureState• ReliableTimeStamps• DDoSDefence• SecurityNotifications• Inter-TSFtrustedChannel• TrustedPath/Channel

Furtherdetailsaboutthesecurityrequirementsarementionedinsection6.Allthefeaturesmentionedaboveareunderevaluation.ThisSecurityTarget(ST)definestheInformationTechnology(IT)securityrequirementsfortheTOE.TheTOEisbeingevaluatedatassurancelevelEAL2+.Refer section 1.4.8.1 for the lists of the software components that describe the TOE and are underevaluation. Also refer to section 1.4.8.2 for the list of dependencies (hardware/software/firmware)neededbytheTOEbutareexcludedfromtheevaluation.

1.3.1TOEType

TheTOEisaDistributedDenialofService(DDoS)detectionandmitigationplatform.

1.3.2TOEBuildNumber

TheTOEhasthefollowingidentificationdetails:• BuildNumber:1.0-2.0-1.0-2.0• BuildDate:2018-04-20• VersionNumber:1.1

1.3.2.1 Identification Method: TheTOEusesthefollowingmechanismtouniquelyidentifyeachplatformversionreleaseanditsassociatedcomponents:

• ComponentVersioning:Each component (hdInspector, hdUI, hdCLI, hdDetectionService) has a version of its own.Wheneveracomponent ischangedandreadyforrelease, itsversion is incrementedby1.Forexample,ifhdCLIhasacurrentversionofv1.0,thenextversionreleasedwillbev2.0.

• BuildNumbering:Buildnumberhasthefollowingformat:<hdInspectorVersion>-<hdUIVersion>-<hdDetectionServiceVersion>-<hdCLIVersion>


of 91

1.3.2.2 Platform Versioning: TheTOEcanbeidentifiedbytheuniquereferenceprovidedastheplatformversion.VersionsoftheTOE(HaltDosMitigationPlatform)isclassifiedintothefollowingreleases:

• Major Releases: These are themajor updates of the platform provided by the developmentteam.Versionsv1.0,v2.0,v3.0andsoonareassignedtothemajorreleases.

• Minorreleases:Thesearetheminorupdateswithinamajorreleaseprovidedbythedevelopmentteam. Versionsv1.1,v1.2,v1.3andsoonareassignedtotheminorreleases,overall9minorreleasesareprovidedrangingfrom1to9i.e.v1.1tov1.9

• Developmentreleases:Thesearethedevelopmentupdateswithinaminorreleaseprovidedbythe development team. Versions v1.1101, v1.1102, v1.1103 and so on are assigned to thedevelopmentreleases.

1.4TOEDescription

1.4.1Acronyms

Table1-1andTable1-2defineproductspecificandCCspecificacronymsrespectively.

Acronym DefinitionAAA Authentication,Authorization,&AccountingAPI ApplicationProgrammingInterfaceCDN ContentDeliveryNetworkCIDR ClasslessInter-DomainRoutingCLI CommandLineInterfaceCSV CommaSeparatedValueDDoS DistributedDenialofServiceDNS DomainNameServerFCAP FlowCapturefingerprintexpressionlanguageFQDN FullyQualifiedDomainNameGUI GraphicalUserInterfaceHTTP HypertextTransferProtocolHTTPS HypertextTransferProtocolSecureICMP InternetControlMessageProtocolISP InternetServiceProviderLAN LocalAreaNetworkMSSP ManagedSecurityServiceProviderNIC NetworkInterfaceCardNTP NetworkTimeProtocolPPS PacketsPerSecondRDN RegisteredDomainNameRADIUS RemoteAuthenticationDial-inUserServiceforAuthentication,Authorizationand

AuditingSIP StandardInitiationProtocolSMTP SimpleMailTransportProtocol


of 91

SNMP SimpleNetworkManagementProtocolSSH SecureShellSSL SecureSocketLayerTCP/IP TransmissionControlProtocol/InternetProtocolTLS TransportSecurityLayerUDP UserDatagramProtocolUI UserInterfaceURL UniformResourceLocatorVoIP VoiceoverInternetProtocolVPN VirtualPrivateNetworkWAN WideAreaNetwork

TABLE0-1:PRODUCTSPECIFICACRONYMSAcronym DefinitionCC CommonCriteria[forITSecurityEvaluation]EAL EvaluationAssuranceLevelIT InformationTechnologyOSP OrganizationalSecurityPolicyPP ProtectionProfileSAR SecurityAssuranceRequirementSFP SecurityFunctionPolicySFR SecurityFunctionalRequirementST SecurityTargetTOE TargetofEvaluationTSC TSFScopeofControlTSF TOESecurityFunctionsTSFI TOESecurityFunctionsInterfaceTSP TOESecurityPolicy

TABLE1-2:CCSPECIFICACRONYMS

1.4.2Description

TheTargetofEvaluation(TOE)isHaltDosMitigationPlatformversion1.1comprisesofhdInspectorversion1.0,hdDeviceUIversion2.0,hdDetectionServiceversion1.0andhdCLIversion2.0.TheTOEsecuresdatacentrefromnetworkandapplicationlayer,distributeddenialofservice(DDoS)attacks.TheTOEcanbeinstalledonasingle,stand-aloneappliancethatcanbedeployedinanenterpriseITnetworktodetect,block,andreportonvariouscategoriesofDistributedDenialofService(DDoS)attacks.ItisrecommendedthattheappliancerunningtheTOEbehardwarebypasscapable.Thisensuresthattheenvironmentfactorssuchaspowerfailures,hardwarefailures,orsoftwarefailuresaffectingtheproperfunctioningoftheTOEwillresultinbypassingallnetworktrafficalbeitunmitigated.


of 91

TheTOEisflexibletoruninmultipleoperationalmodes.Thefollowingoperationalmodesofdeploymentaresupported:

• In-lineMode§ Active:Withfilteringenabled(Activemode)§ Bypass:Withfilteringdisabled(Bypassmode)

• Off-lineModethroughspanportornetworktap,withfilteringdisabledInoff-linemode,theTOEmonitorstrafficfromaspanportornetworktap,whichcollectivelyarereferredtoasmonitorports.TherouterorswitchsendsthetrafficalongitsoriginalpathandalsomirrorstotheappliancerunningtheTOE.TheTOEanalysesthemirrortrafficanddetectspossibleDDoSattacks,andbutdoesnotperformanyDDoSmitigation.Only the traffic coming from external network (usually the internet) should be sent to the appliancerunningtheTOEontheEXT#interface.Thetrafficcomingfromprotectednetwork(usuallytheinternaltraffic)canoptionallybesenttotheINT#interfaces.TheTOEinoff-linemodeneverforwardstrafficfromEXT#portstoINT#portsorvice-versa.

Off-linemodeismostcommonlyusedintrialimplementations.Forexample,beforedeployingTheTOEinin-linemodeandallowingittoaffecttheenterprisenetworktraffic,itcanbedeployedinoff-linemodeforfinetuningaspertheenterpriseITnetwork.

FIGURE1-1:OFF-LINEMODEDEPLOYMENT

Inin-linemodedeployment,theappliancerunningtheTOEactsasaphysicalcablebetweentheexternalnetwork (usually the internet) and the protected network (usually internal network). In in-linedeploymentallofthetrafficbetweenexternalandprotectednetworkflowsthroughtheTOE.

During deployment an ethernet cable from the external network (an upstream router or the serviceprovider's equipment) is connected to an EXT# interface of the appliance running the TOE. Thecorresponding INT# interfaceon the sameappliance is connected to the equipment in theprotectednetwork(usuallyafirewallorarouteroraswitch).


of 91

WheninActivemode,theTOEanalysesthetraffic,detectsDDoSattacks(ifany),andappliesappropriatemitigations(trafficfiltering)beforeforwarding.WheninBypassmode,theTOEanalysesthetrafficbutonlydetectsDDoSattacks(ifany).Nomitigations(trafficfiltering)isperformedinBypassmode.

Bypassmodeofoperationgeneratesinformationthatcanbeusedtoset/customizetheTOEsettingsforaccurate attack detection and mitigation. When policy is ready for operational implementation inproductionenvironment,theadministratorcanchangetheprotectionmodeto“Active”.

FIGURE1-2:IN-LINEMODEDEPLOYMENT

1.4.2.1TOEDependencies

TheTOEisasoftwaresolutioncomprisingofvarioussoftwarecomponents(refersection1.2)thatcanbeinstalledonasinglestand-aloneappliance.TheTOErequiresalinuxoperatingsystemwithUbuntu16.04LTSastheofficiallysupportedoperatingsystem.MySQLv5.7databaseisusedasadatastorebytheTOEand Intel DPDK framework is used for receiving and sending packets. All the dependencies are opensourcesoftwareand(exceptforthelinuxoperatingsystem)alldependenciesaremanaged,maintainedandcompiledbythedeveloper.ThetablebelowpresentscommonenvironmentalconsiderationsfortheappliancerunningtheTOE:

PowerOptions 550W(1+1)RedundanthotplugPSUAC:100to127VAC,50to60Hz,6Amax200to240VAC,50to60Hz,3AmaxDC:-48to-60VDC,13AMax

Environment Temperature,operating:60ºto95ºF(0ºto35ºC)Humidity,operating:8%to90%Humidity,non-operating:95%,non-condensingattemperaturesof73ºto104ºF(23ºto40ºC)

PhysicalDimensions Chassis:1U/2UrackheightHeight:0.28cmWidth:48.2cm

MonitoringCompatibility Optional integrationwithmanagement consolessupportingSNMPv2orSNMPV3

TABLE1-3:HALTDOSAPPLIANCECOMMONFEATURES


of 91

FIGURE1-3:BACKPANELOFTHEHALTDOSAPPLIANCEWITH1GCOPPERINTERFACES

1 PowerSupply(ACmodule). 2 Serialport(optional)3 USB0andUSB1(1onthetop,0onthebottom) 4 USB2andUSB3(3onthetop,2onthebottom)5 Managementport,MGT(GbENIC1connector) 6 IPMIport(GbENIC1connector)

7 VGAporttoconnectmonitor. 8 Protectionports(1Gcopperisshown)1G.Theprotectionportsareconfiguredasportpairs.Eachpairconsistsofanexternal(EXT)portandaninternal(INT)port.

*MinimumconfigurationneededtoruntheTOE.Thefollowingdiagramsshowhowtheprotectionportsarenumberedforeachoftheavailableinterfaces:

FIGURE1-4:PROTECTIONINTERFACES

Thenetworkpathtobeprotectedisconnectedtoanytwolike-numberedinterfaces.The“EXT#”interfacealways connects to the external network, and the “INT#” interface always connects to the protectednetwork,asshowninFigure1-2:In-linemodeDeployment.

1.4.3UserDescription

UserauthoritiesprovidethemeanstoorganizetheTOEusersintodifferentlevelsofpermittedsystemaccess.Whenauseraccountiscreated,itmustbeassignedtoauserauthority.Theuseraccountinheritsthe access levels that are assigned to that authority. The TOE contains the followingpredefineduserauthorities.


of 91

Authority AccessADMINISTRATOR Userswiththisauthorityhavefullreadandwriteaccess

onallpagesoftheWebGUI.NETWORK_ANALYST Userswiththisauthorityhavefullreadandwriteaccessonall

networkrelatedaspectsintheWebGUI.VISITOR Userswiththisauthorityhaveread-onlyaccesstomost

oftheWebGUIpagesandcaneditandupdatetheirownuseraccountsettings.Usersinthisgroupcannotchangeanyconfigurationsettings.

SECURITY_ANALYST UserswiththisauthorityhavefullreadandwriteaccessonallsecurityrelatedaspectsandhavereadonlyaccesstootherpagesinWebGUI.

SYSTEMADMINISTRATOR TheseareLinuxOSusersontheTOEappliancethathaveadministratorprivileges.TheseuserscanlogontotheapplianceviaSSHtorunsystemcommandsandaccesstheCLItomaintainandconfiguretheTOE.SomeoftheCLIcommandsmakeAPIcallstoWebGUI.Forsuchcommand,thisusermustalsobeADMINISTRATORonWebGUI

TABLE1-4:PREDEFINEDUSERAUTHORITY

Thisgroupingofusersintoauthoritiesthatrestricts/permitsTSFfunctionalityforanyuserisreferredinCommonCriteriaas“roles”.

1.4.4UserInterfaces

1.4.4.1WebbasedUserInterface(GUI) ThemainadministrativeinterfaceaftertheTOEhasbeeninstalledisawebbasedGUIthatisaccessedbyconnectingtotheIPaddressoftheMGTinterfaceoftheTOE.ThisisprovidedbyhdDeviceUIsoftwarethat iswritten in Javaand is capableof showingnetwork statistics via graphsanddashboards, trafficmonitoring,attackalarmnotifications,attacksummaries,realtimeandhistorictrafficdetails,audittrailandconfigurationmanagement.hdDeviceUIusesHTTPSprotocolforsecuresessionsovertheMGTinterface.ThisinterfaceisnotavailablethroughtheINT#orEXT#interfaces.ThefirsttimeGUIisaccessed,theusermustaccepttheSSLcertificatetocompletethesecureconnection.TheGUImenubarindicateswhichmenuisactiveandprovidestheabilitytonavigatetheGUImenusandpages. The menus that are available depend on the user authority to which the authorized user isassigned.Themenubarisdividedintothefollowingmenus:

Menu DescriptionHome DisplaysthekeypointsoftrafficmonitoredbytheTOEEvents DisplaystheinformationabouttherecenteventsthatoccurredintheTOEDashboard DisplaysinformationaboutthetrafficthattheTOEmonitorsandmitigates.


of 91

Action Providesabilitytoview,configureandmanagesecuritysettingsoftheTOE.Alarms Providesabilitytoview,setalarmsfortrafficpassingthroughtheTOE.WebAnalytics ProvidestheabilitytoviewandconfigurerulesforWebAnalyticsdonebytheTOE.Report ProvidesthefunctionstoviewreportandstatisticsofthetrafficthattheTOE

monitors.Settings ProvidesthefunctionstoconfigureandmaintainsystemsettingsoftheTOEappliance.

TABLE1-5:MENUBAROFHDDEVICEUI 1.4.4.2CommandLineInterface(CLI)ThecommandlineinterfaceisprovidedthroughhdCLI.Itallowsauthenticatedusertoentercommandsontheterminal.Typically,theCLIisusedforinstallingandupgradingthesoftwareandcompletingtheinitialconfiguration.However,someadvancedfunctionscanonlybeconfiguredbyusingtheCLI.TheHaltDosCLIcanbeaccessedeitherdirectlyorremotely.ThefollowingfigureshowstheoptionsandportsthatcanbeusedtoconnecttotheapplianceinordertoaccesstheCLI.

FIGURE1-5:OPTIONSFORCONNECTINGTOTHECLI Thefollowingtabledescribestheconnectionsinthefigure:

Item Connection1 Serialportforconsoleaccessonserver2 USBportwithkeyboardandVGAconnectorwithmonitor(directconnection)3 ManagementportMGTwithSSH

TABLE1-6:CONNECTIONOPTIONSTheCLIfunctionalityislimitedto:

• Installingandreinstallingthesolution• RetrievingandUpdatingconfiguration• BackupandRestoration• Settinghardwarebypasssettings• Downloadingupdates• Generatingreports


of 91

1.4.5TOEDataDescription

TSFDataincludesinformationusedbytheTSFinmakingdecisions.Itincludesthesystemsparameterssetbyadministratorstoconfigurethesecurityof theTOEsecurityattributes,authenticationdataandtrafficcontrolattributes.ExamplesofTSFDataincludeadministrativerolesandauditloggingparameters.

UserDataincludestheDatacreatedbyexternalandinternalITentitiesthatdoesnotaffecttheoperationoftheTOE.UserDataisseparatefromtheTSFdata.TheinformationflowscreatedbyClientsandServersareexamplesofUserData.

1.4.6ProductGuidance

ThefollowingproductguidancedocumentsareprovidedwiththeTOE:ReferenceTitle IDHaltDosUserGuide [ADMIN]HaltDosReleaseNotes [RELEASE]

TABLE1-7:TOEUSERGUIDANCEDOCUMENTS

1.4.7BusinessViewoftheTOE

TheTOEisahighthroughput,highperformancesoftware-basedDDoSdetectionandmitigationplatformthatcanrunofqualifyinghardwareandcanstayupdatedwithevolvingtechnologyandthreatsthroughsoftwareupdateswithoutrequiringanyhardwarereplacements.Withitsmulti-layeredandmulti-vectorapproach,itcandefendagainstawiderangeofDDoSattackswithinsecondstoensurehighuptimeofprotectedonlineservicessuchaswebsiteandwebservices.

Ithasfollowingfeatures:

• Providesmulti-layeredsecurity(Layer3toLayer7)• Alwaysonprotectionwithrealtimemetricsandanalytics• Alertsonattack,attacksignature,customermisbehaviourandaudittrails


of 91

1.4.8PhysicalScopeoftheTOE

ThephysicalboundaryoftheTOEistheentireappliancerunningtheTOE.TheTOEwillbeevaluatedinthe“in-linemode”deploymentscenario.

FIGURE1-6:TOEPHYSICALBOUNDARY

FIGURE1-7:TOEENVIRONMENT


of 91

1.4.8.1IncludedintheTOE:

Thescopeoftheevaluationincludesthefollowingproductcomponentsand/orfunctionality(markedinyellowinFigure1-7):

TOEanditsuserinterfaces:

• HaltDosWebInterface(hdDeviceUI)• HaltDosCommandLineInterface(hdCLI)• HaltDosDetectionService(hdDetectionService)• HaltDosInspector(hdInspector)

TOEconfigurationconditionsforevaluation:

• In-lineMode• Defaultpasswordsmustbechangedduringinstallation.• UseofCLIsarescopedtothosefunctionsdescribedinSection1.4.4.2

1.4.8.2ExcludedfromtheTOE: ThefollowingassetsareincludedintheITEnvironmentandarenotpartoftheTOE:

• OptionalNTPServer(highlyrecommendedforenterprisetimesyncing)• OptionalSMTPServer(fornotifications)• OptionalRADIUSServer(forAAA)• OperatingSystem(Ubuntu16.04LTS)• Database(MySQLv5.7.17)• WebServer(ApacheTomcatv8.0)• IntelDPDKplatformv17.02• ApplianceonwhichtheTOEruns• Webbrowser(anditshostplatform)isnotincludedintheTOEboundary• ThenetworkassetscommunicatingonthenetworkprovingdataflowthroughtheTOE

Thefollowingfunctionalityisnotincludedinthescopeoftheevaluation:

• HaltDosProgrammableAPI

1.4.9LogicalScopeoftheTOE

TOEprovidesthefollowingsecurityfunctionality:

• SecurityAudit:TheTOE’sauditingcapabilitiesincluderecordinginformationaboutsystemprocessingandaccesstotheTOE.Subjectidentity(userloginname)andoutcomearerecordedforeacheventaudited.TheauditrecordsgeneratedbytheTOEareprotectedbytheTOE.TheaudittrailiscomprisedoftheTOEchangelogandthesyslog.Theauditrecordscanbeoffloadedforlongtermstorage.


of 91

• IdentificationandAuthentication:Eachusermustbesuccessfullyidentifiedandauthenticatedwithausernameandpasswordbythe TSF. The TOE provides a password-based authentication mechanism to administrators.Accesstosecurityfunctionsanddataisprohibiteduntilauserisidentifiedandauthenticated.

• SecurityManagement:TheTOEallowsonlyauthorizeduserswithappropriateprivilegestoadministerandmanagetheTOE.OnlyauthorizedadministratorswithappropriateprivilegesmaymodifytheTSFdatarelatedto the TSF, security attributes, and authentication data. The TOE maintains 4 default roles(authorities):Administrator(Read,Write,&Executeall),Visitor(read-onlyaccessfromWebUI),Network analyst (Read,Write and Execute only network configurations) and Security Analyst(Read,WriteandExecuteonlysecurityconfigurations).ThereisalsoasystemadministratorwhoistheLinuxOSadministratoruser.OnlysystemadministratorcanoperatetheCLI.

• ResourceUtilization(DDoSProtection):TheTOEsitsattheperimeterofthenetwork,referredtoastheedge,toprotectInternetProtocol(IP)networksagainstDDoSattacksbysuccessfully identifyingandfilteringDDoSattacks,whileforwardinglegitimatetraffictothenetworkwithoutimpactingservice.TheTOEcanfunctioninin-lineactive (monitoringandfiltering), in-lineBypass (monitoringwithout filtering)oroff-linemodes. TheTOEprovides capabilities to filter trafficbymultiplemeans. Thesemeans includefilteringonWhitelist, Blacklist, Rate Limits,malformedHTTP, andTCPSYNRate configurationspecificationstonameafew.VisualalertsforWebGUIusersandalarmscanbeconfiguredtowarntherecipientofaneventoractionthathastakenplace.Theformatscantaketheformofanemailorsyslogmessage.

• ProtectionofTSF:TheTOEtransfersallpacketspassingthroughtheTOEonlyafterprocessingthetrafficbasedontrafficattributes.IfahardwarefailureoccursandtheTOEdoesnotrepairitself,theTOEforcesthe appliance to go into a hardware bypassmode. This shunts the “EXT#” and “INT#” ports,maintaining all traffic flow through the equipment. Thus, the DDoS filtering functionmay beunavailable,buttheflowoftrafficwillnotbeimpeded.ThecommunicationbetweentheremotemanagerandtheTOEareprotectedfromdisclosureandmodification.TheTOEprovidesreliabletimestampsonitsownorwiththesupportofanNTPServerintheITenvironment.TheTSFisprotected because the hardware, theOS and the application the logical access to the TOE iscontrolledbytheidentificationandauthenticationfunctionalityprovidedbytheTOE.

• TrustedChannel/Path:The TOE requires the establishment of HTTPS (SSL/TLS) connection from the remoteadministrator’sbrowser.TheTOEalsorequirestheestablishmentofSSHconnectioninordertoaccess the TOE remotely to use theCLI. The TOE communicateswith external authenticationmechanismsviatrustedchannel.TheTOEprovidesacommunicationchannelbetweenitselfandthe external authentication mechanisms that is logically distinct from other communicationchannelsandprovidesassuredidentificationofitsendpointsandprotectionofthechanneldatafrommodificationordisclosure.


of 91

1.4.10EnvironmentoftheTOE

TOEisrunningonthetopoftheUbuntu16.04operatingsystem.Ithasfourcomponents–• hdDeviceUIisrunningontomcatserver.• hdDetectionServiceisrunningontomcatserver.• hdInspectorisrunningonIntelDPDKtointercepttrafficbetween#INTand#EXT.• hdCLItoaccesssystemfromremotesystemovertrustedpath(SSH).

ToaccessTOE,thefollowinginterfacesareexposed:

• INT#:NetworkinterfaceconnectingtheTOEwithinternalnetwork • EXT#:NetworkinterfaceconnectingWAN/RoutertotheTOE • MGT#:Networkinterfacethatisconfiguredforaccesstoorganization’ssecurityadministrator/

analyst. FollowingarethecomponentsoftheTOEenvironment:

• OptionalNTPServer(highlyrecommendedforenterprisetimesyncing)• OptionalSMTPServer(fornotifications)• OptionalRADIUSServer(forAAA)• OperatingSystem(Ubuntu16.04LTS)• Database(MySQLv5.7.17)• WebServer(ApacheTomcatv8.0)• IntelDPDKplatformv17.02• ApplianceonwhichtheTOEruns• Webbrowser(anditshostplatform)isnotincludedintheTOEboundary• ThenetworkassetscommunicatingonthenetworkprovingdataflowthroughtheTOE

1.4.11DeliveryMethod

Beforethecomponentsarescheduledfordelivery,theappliancealongwiththeplatformgoesthroughverification and acceptance testing at the developer premise. Once verification is completed, thehardwareisresetwithabareminimumsoftwareinstallationincluding:

• Ubuntu16.04operatingsystem• TOEinstallationscript

Theapplianceisthepackedinashippingboxandoncetheshipmentisdone,thefollowingaresharedwiththeenduserovertheregisteredemail:

• Shipmentdetails• PurchaseOrder• DeliveryChallan(containingtheserialno.andmodelno.)ofhardware• TheTOElicense• HardwareManualandUserGuidancedocuments

The delivered appliance can be identified by the unique identifier serial number assigned by thedevelopers.Followingistheformatusedforgeneratingtheserialnumber:Format:hd-<haltdos-model>-numberExample:hd-swift-01


of 91

2ConformanceClaims 2.1CommonCriteriaConformance

TheTOEisPart2extended,Part3conformant,andmeetstherequirementsofEvaluationAssuranceLevel(EAL)2+byaddingALC_CMC.3andALC_CMS.3fromtheCommonCriteriaVersion3.1R5.

ThisdocumentconformstotheCommonCriteria(CC)forInformationTechnology(IT)SecurityEvaluation,Version3.1,Revision5,datedApril2017.

2.2ProtectionProfileClaim

ThisSTdoesnotclaimconformancetoanyexistingProtectionProfile.

2.3PackageClaim

ThisSTclaimsconformancetotheassurancerequirementspackage:EvaluationAssuranceLevel(EAL)2+.

● hdInspectorclaimsconformancetotheassurancerequirementspackage:EvaluationAssuranceLevel(EAL)2.

● hdDeviceUIclaimsconformancetotheassurancerequirementspackage:EvaluationAssuranceLevel(EAL)2.

● hdDetectionService claims conformance to the assurance requirements package: EvaluationAssuranceLevel(EAL)2.

● hdCLIclaimsconformancetotheassurancerequirementspackage:EvaluationAssuranceLevel(EAL)2.

TheEvaluationAssuranceLevelisaugmentedtoEAL2+byaddingALC_CMC.3andALC_CMS.3fromtheCommonCriteriaVersion3.1R5.


of 91

3SecurityProblemDefinition 3.1ThreatsTheTOEmustcounterthethreatstosecuritylistedinTable3-1.Theassumedlevelofexpertiseoftheattacker isunsophisticated,withaccesstoonlystandardequipmentandpublic informationabouttheproduct.

Item ThreatID ThreatDescription1 T.AUDIT Unauthorized attempts by users and external IT entities to access network

resources through the TOE, TOE data or TOE security functions may goundetectedbecausetheactionstheyconductarenotauditedorauditrecordsarenotreviewed,thusallowinganattackertoescapedetection.

2 T.DDoSATTACK An External IT Entity or group of External IT Entities may exhaust serviceresourcesoftheTOEorInternalITEntitiesbypassinginformationflowsthroughtheTOEbyDDoSattacksthusmakingtheresourcesunavailabletoitsintendedusers.

3 T.FAILURE AHardware,Softwareand/orPowerfailureoftheTOEmayinterrupttheflowoftrafficbetweennetworksthusmakingthemunavailable.

4 T.MANAGE AnunauthorizedpersonorunauthorizedITentitymaybeabletoview,modify,and/ordeleteTSFdataontheTOE

5 T.NOAUTH AnunauthorizedpersonmayattempttobypassthesecurityoftheTOEsoastoaccessandusesecurityfunctionsand/ornon-securityfunctionsprovidedbytheTOE.

6 T.PROCOM AnunauthorizedpersonorunauthorizedITentitymaybeabletoview,modify,and/or delete security related information that is sent between a remotelylocatedauthorizedadministratorandtheTOE.

TABLE3-1:TOETHREATS

3.2Assumptions TheassumptionsregardingthesecurityenvironmentandtheintendedusageoftheTOEarelistedinTable3-2.

Item AssumptionID AssumptionDescription1 A.BACKUP Administratorswillbackuptheauditfiles,configurationfilesandmonitordisk

usagetoensureauditinformationisnotlost.2 A.CONNECT TheTOEwillseparatethenetworkonwhichitisinstalledandoperatesinto

externalandinternalnetworks.InformationcannotflowbetweentheexternalandinternalnetworkswithoutpassingthroughtheTOEunlesstheTOEissetintobypassmode

3 A.NOEVIL TherewillbeoneormorecompetentindividualsassignedtomanagetheTOEandthesecurityoftheinformationitcontains.Theauthorizedadministratorsarenotcareless,wilfullynegligent,orhostile,andwillfollowandabidebytheinstructionsprovidedbytheTOEdocumentation.


of 91

4 A.PHYSICAL TheTOEhardwareandsoftwarecriticaltosecuritypolicyenforcementwillbeprotected from unauthorized physical modification and the processingresourcesoftheTOEwillbelocatedwithincontrolledaccessfacilities,whichwillpreventunauthorizedphysicalaccess.

TABLE3-2:ASSUMPTIONS

3.3OrganizationalSecurityPolicies

TherearenoOrganizationalSecurityPoliciesdefinedfortheTOE.


of 91

4SecurityObjectives 4.1SecurityObjectivesfortheTOE ThesecurityobjectivesfortheTOEarelistedinTable4-1.

Item ObjectiveID Description1 O.AUDIT The TOE must provide a means to record, store and review security

relevanteventsinauditrecordstotracetheresponsibilityofallactionsregardingsecurity.

2 O.DDoSALERT TheTOEwill provide the capability to alert administratorswhenDDoSattacks are detected and other customizable events, conditions, andsystemerrors.

3 O.DDoSMITIGATE The TOE must limit resource usage to an acceptable level (stoplegitimate/illegitimate clients fromoverusing resources and stopDDoSattacks).TheTOEmustbeabletoserveasaratebasedcontrollerandpolicebothmalicioususerswhoattempttofloodthenetworkwithDDoSattacks,andauthorizeduserswhomayoveruseresources.

4 O.FAILSAFE ThefailureoftheTOEmustnotinterrupttheflowoftrafficthroughtheTOEbetweennetworks.

5 O.IDAUTH TheTOEmustuniquelyidentifyandauthenticatetheclaimedidentityofalladministrativeusers,beforegrantinganadministrativeuseraccesstoTOEfunctions.

6 O.MANAGE TheTOEwillprovideallthefunctionsandfacilitiesnecessarytosupporttheadministratorsintheirmanagementofthesecurityoftheTOE,andrestrictthesefunctionsandfacilitiesfromunauthorizeduse.

7 O.PROCOM TheTOEwill providea secure session for communicationbetween theTOEandtheremoteadministrator’sbrowsertryingtoaccesstheWebGUIorremoteaccesstotheCLITABLE4-1:TOESECURITYOBJECTIVES

4.2SecurityObjectivesfortheOperationalEnvironmentThesecurityobjectivesfortheOperationalEnvironmentarelistedinTable4-2.

Item EnvironmentObjective

Description

1 OE.AUDIT TheITenvironmentmustprovidealongtermauditandalertstorefortheTOE.2 OE.BACKUP ThoseresponsiblefortheTOEmustensurethattheauditfiles,configuration

filesarebackedupanddiskusageismonitoredtoensureauditinformationisnotlost.

3 OE.CONNECT Those responsible for the TOE must ensure that the TOE is installed andoperatedonanetworkandseparatesthenetworkintoexternal,internalandmanagement networks. Information cannot flow between the networkswithoutpassingthroughtheTOEunlesstheTOEissetintohardwarebypass


of 91

4 OE.NOEVIL Those responsible for theTOEmustensure that therewillbeoneormorecompetent individualsassigned tomanage theTOEand the securityof theinformation it contains and the authorizedadministrators arenot careless,wilfully negligent, or hostile, and will follow and abide by the instructionsprovidedbytheTOEdocumentation.

5 OE.PHYSICAL Those responsible for the TOE must ensure that the TOE hardware andsoftware critical to security policy enforcement will be protected fromunauthorizedmodificationand theprocessing resourcesof theTOEwill belocatedwithin controlled access facilities, whichwill prevent unauthorizedphysicalaccess.

TABLE4-2:SECURITYOBJECTIVESFORTHEOPERATIONALENVIRONMENT

4.3SecurityObjectivesRationaleItem TOEObjective Threat1 O.AUDIT T.AUDIT2 O.DDoSALERT T.MANAGE3 O.DDoSMITIGATE T.DDoSATTACK4 O.FAILSAFE T.FAILURE5 O.IDAUTH T.NOAUTH6 O.MANAGE T.MANAGE7 O.PROCOM T.PROCOM

TABLE4-3:MAPPINGOFTOESECURITYOBJECTIVESTOTHREATS/POLICIES Item EnvironmentObjective Threat/Policy/Assumption8 OE.AUDIT T.AUDIT9 OE.BACKUP A.BACKUP10 OE.CONNECT A.CONNECT11 OE.NOEVIL A.NOEVIL12 OE.PHYSICAL A.PHYSICALTABLE4-4:MAPPINGOFSECURITYOBJECTIVESFORTHEOPERATIONALENVIRONMENTTOTHREATS/POLICIES/ASSUMPTIONS


of 91

Table4-5showsthatalltheidentifiedThreatstosecurityarecounteredbySecurityObjectives.RationaleisprovidedforeachThreatinthetable.

Item ThreatID Objective Rationale

1

O.AUDIT

TheTOEmustprovideameanstorecord,storeandreviewsecurityrelevant events in audit recordsto trace the responsibility of allactionsregardingsecurity.

ThisthreatismitigatedbyO.AUDITwhich requires that theTOE must provide a means torecord, storeandreviewsecurityrelevanteventsinauditrecordstotrace the responsibility of allactions regarding security thusproviding administrators theabilitytoinvestigateincidents.

OE.AUDIT

TheITenvironmentmustprovidealongtermauditfortheTOE.

OE.AUDIT requires that ITenvironmentmustprovidealongtermauditstorefortheTOEthusproviding administrators with alonger history to investigateincidentswith.

2

T.DDoSATTACK

An External IT Entity or groupofExternal IT Entities may exhaustservice resources of the TOE orInternal IT Entities by passinginformation flows through theTOEbyDDoSattacksthusmakingthe resources unavailable to itsintendedusers.

O.DDoSMITIGATE

The TOE must limit resourceusage to an acceptable level(stop legitimate/illegitimateclientsfromoverusingresourcesandstopDDoSattacks).TheTOEmust be able to serve as a ratebasedcontrollerandpolicebothmalicious userswho attempt toflood the network with DDoSattacks, and authorized userswhomayoveruseresources.

This threat is mitigated byO.DDoSMITIGATE,whichrequires that the TOEmust limitresource usage to an acceptablelevel(stopclientsfromoverusingresourcesandstopDDoSattacks).The TOE must also be able toserve as a rate based controllerand police both malicious userswhoattempttofloodthenetworkwith DOS andDDoS attacks, andauthorized users who mayoveruseresources.

3

T.FAILURE

A Hardware, Software and/orPower failure of the TOE mayinterrupt the flow of trafficbetween networks thus makingthemunavailable.

O.FAILSAFE

The failure of the TOEmust notinterrupt the flow of trafficthrough the TOE betweennetworks.

ThisthreatismitigatedbyO.FAILSAFE which ensures thattheflowoftrafficthroughtheTOEis not interrupted during TOEfailurecreatingaDDoSscenario.


of 91

4

T.MANAGE

An unauthorized person orunauthorized IT entity may beable to view, modify, and/ordeleteTSFdataontheTOE

O.MANAGE

The TOE will provide all thefunctionsandfacilitiesnecessarytosupport theadministrators intheir management of thesecurityof theTOE,and restrictthese functions and facilitiesfromunauthorizeduse.

ThisthreatismitigatedbyO.MANAGE, which requires thatTheTOEmustprotectstoredTSFdata from unauthorizeddisclosure, modification, ordeletion. The TOE provides rolebased access control tomanagementfunctions.

O.DDoSALERT

ThisthreatismitigatedbyO.DDoSALERTwhichprovidesthealertingrequiredtowarn

The TOE will provide thecapability toalertadministratorswhenDDoSattacksaredetectedand other customizable events,conditions,andsystemerrors.

administrators about events thathappened or are happening thatmayrequirefurthermanagementintervention.

5

T.NOAUTH

An unauthorized person mayattempttobypassthesecurityofthe TOE so as to access and usesecurity functions and/or non-securityfunctionsprovidedbytheTOE.

O.IDAUTH

The TOE must uniquely identifyand authenticate the claimedidentity of all administrativeusers, before granting anadministrativeuseraccesstoTOEfunctions.

This threat is mitigated byO.IDAUTH, which provides forunique identification andauthentication of administrativeusers.

6

T.PROCOM

An unauthorized person orunauthorized IT entity may beable to view, modify, and/ordelete security relatedinformationthat issentbetweena remotely located authorizedadministratorandtheTOE.

O.PROCOM

The TOE will provide a securesession for communicationbetweentheTOEandtheremoteadministrator’sbrowsertryingtoaccess theGUIor remoteaccesstotheCLI.

ThisthreatismitigatedbyO.PROCOM which requires thatthe TSF must provide a securesession for communicationbetweentheTOEandtheremoteadministrator’s web browsertrying to access theWebGUI orremotelyaccessingtheCLI.

TABLE4-5:ALLTHREATSTOSECURITYCOUNTERED


of 91

Table4-6 shows that the securityobjectives for theoperationalenvironmentupholdall assumptions.RationaleisprovidedforeachAssumptioninthetable.

Item AssumptionID Objective Rationale1 A.BACKUP

Administrators will back up theauditfiles,configurationfilesandmonitor disk usage to ensureauditinformationisnotlost.

OE.BACKUPThose responsible for the TOEmustensure that the audit files,configuration files are backed upand disk usage is monitored toensure audit information is notlost.

This objective provides for thebackup of the TOE audit andconfiguration files byadministrators to ensure dataloss minimization due tohardwareorsoftwareerrors.

2 A.CONNECTThe TOE will separate thenetwork on which it is installedand operates into external andinternal networks. Informationcannot flow between theexternal and internal networkswithoutpassingthroughtheTOE.

OE.CONNECTThose responsible for the TOEmust ensure that the TOE isinstalled and operated on anetwork and separates thenetworkintoexternal,internalandmanagement networks.Informationcannot flowbetweenthe networks without passingthroughtheTOE.

This objective provides forplacingtheTOEatthenetworkperimeter and ensuring thatinformation flow cannot flowbetween internal and externalnetworks without TOEinspectionunlesstheTOEissetintohardwarebypassmode

3 A.NOEVILThere will be one or morecompetent individuals assignedto manage the TOE and thesecurity of the information itcontains. The authorizedadministrators are not careless,wilfullynegligent,orhostile,andwill follow and abide by theinstructionsprovidedbytheTOEdocumentation.

OE.NOEVILThose responsible for the TOEmustensurethattherewillbeoneor more competent individualsassigned tomanage the TOE andthe security of the information itcontains and the authorizedadministrators are not careless,wilfully negligent, or hostile, andwill follow and abide by theinstructions provided by the TOEdocumentation.

This objective provides forcompetent and non-hostilepersonnel to administer theTOE.ThisobjectiveensurestheTOE is delivered, installed,managed, and operated bycompetentindividuals.

4 A.PHYSICALTheTOEhardwareandsoftwarecritical to security policyenforcementwillbeprotected from unauthorizedmodification and the processingresources of the TOE will belocatedwithin controlled accessfacilities, which will preventunauthorizedphysicalaccess.

OE.PHYSICALThose responsible for the TOEmust ensure that the TOEhardware and software critical tosecuritypolicyenforcementwillbeprotected from unauthorizedmodification and the processingresources of the TOE will belocatedwithincontrolledaccess

Thisobjectiveprovides for theprotection of the TOE fromuntrusted software and users.Thisobjectiveprovides for thephysicalprotectionof theTOEsoftware.


of 91

facilities, which will preventunauthorizedphysicalaccess.

TABLE4-6:ALLASSUMPTIONSUPHELD


of 91

5ExtendedComponentsDefinition

AllofthecomponentsdefinedbelowhavebeenmodelledoncomponentsfromPart2oftheCCVersion3.1.Theextendedcomponentsaredenotedbyadding“_EXT”inthecomponentname.

Item SFRID SFRTitle1 DDoS_DEF_EXT.1 DDoSDefence2 DDoS_NOT_EXT.1 SecurityNotifications3 FIA_UAU_EXT.2 UserAuthenticationbeforeanyaction

TABLE5-1:EXTENDEDCOMPONENTS

5.1DDoS_DEF_EXT.1DDoSDefence

5.1.1Class:DDoS:DistributedDenialofService

Thisclasswasexplicitlycreated.Thefamiliesinthisclassspecifythefunctionalrequirementsthatpertainto the security featuresofaDDoSdetectionandmitigationproduct.While thisSFRwasmodelledonexistingFRUrequirementsintheCCPart2,theserequirementsneededfurthermodificationtomeetthespecificneedsofDDoSdetectionandmitigationimplementationratherthanintrusiondetection.

5.1.2Family:DDoSDefence(DDoS_DEF)

5.1.2.1FamilyBehaviour ThisfamilyprovidesrequirementsfortheTSFenforcementofdetectionandmitigationofDDoSattacks.TherequirementsofthisfamilyensurethattheTOEwillprotectnetworksagainstDDoSattacks.

5.1.2.2Componentlevelling

DDoS_DEF_EXT.1DDoSdefenceprovidesamechanismtomitigateDDoSattacks.Componentdefinitionandrationaleareprovidedinsection5.1.3and5.1.4.

5.1.2.3Management ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

• ManagementofTSFdata.


of 91

5.1.2.4Audit ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

• Minimal:DetectionandActionstakenduetodetectedpotentialattacks.

5.1.3Definition

DDoS_DEF_EXT.1DDoSDefence

• Hierarchicalto:Noothercomponents• Dependencies:Noothercomponents

DDoS_DEF_EXT.1.1TheTSFshallbeabletodetectthefollowingtypesofDDoSattacks

• SYNFlood• TCPFlood• HTTPFlood• ICMPFlood• UDPFlood• DNSQueryFlood• DNSAmplificationFlood• TCPConnectionFlood

DDoS_DEF_EXT.1.2TheTSFshallbeabletomitigatethedetectedDDoSattacks

DDoS_DEF_EXT.1.3TheTSFshallbeprovidethefollowingadditionalinformationflowcontrolcapabilities

• GeoIPbasedfiltering• CustomRules

5.1.4Rationale

DDoS_DEF_EXT.1hadtobeexplicitlystatedbecausetheCCPart2doesnothaveanyDDoSmitigationrelatedSFRsthatcandescribethefunctionsoftheTOE.DDoS_DEFismodelledasaFamilyofthestandardclass FRU (ResourceUtilization) as it is the only class that dealswith availability and prioritization ofresources.


of 91

5.2DDoS_NOT_EXT.1Explicit:SecurityNotifications 5.2.1Class:DDoS:DistributedDenialofServiceThisclasswasexplicitlycreated.Thefamiliesinthisclassspecifythefunctionalrequirementsthatpertainto the security featuresofaDDoSdetectionandmitigationproduct.While thisSFRwasmodelledonexisting IDS requirements that have been used in validated Protection Profiles, these requirementsneededfurthermodificationtomeetthespecificneedsofDDoSdetectionandmitigationimplementationratherthanintrusiondetection.5.2.2Family:SecurityNotifications(DDoS_NOT)5.2.2.1FamilyBehaviourThisfamilydefinesthenotificationsgeneratedbytheTSFasaresultoftriggereventsthathappenwhilethe TSF is detecting and mitigating DDoS attacks. This family also defines the destination(s) of thenotificationsthataregenerated.Thescannerswouldgenerallycollectstaticconfiguration informationandsendthatontoananalyticalcomponentwhichwouldcausethenotificationstobegenerated.5.2.2.2Componentlevelling

DDoS_NOT_EXT.1SecuritynotificationprovidesamechanismfordetectingDDoSAttacksandNotifytheusersaccordingly.Componentdefinitionandrationaleareprovidedinsection5.2.3and5.2.4.5.2.2.3Management

ThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

• Configurationofthenotificationdestinationbyanadministrator

5.2.2.4Audit

ThefollowingactionsshouldbeauditableifFAU_GENsecurityauditdatagenerationisincludedinthePP/ST:

• Basic:timenotificationgenerated,sourceanddestinationofnotification,notificationtype

5.2.3Definition

DDoS_NOT_EXT.1Explicit:SecurityNotifications

Hierarchicalto:NoothercomponentsDependencies:DDoS_DEF_EXT.1 DDoSDefence


of 91

DDoS_NOT_EXT.1.1TheTSFshallsendavisualnotificationwheneventsoccurduringtheassessment. TheeventsgeneratedfromTOEcomponentscontainsthefollowinginformation:

• CreatedDate:Thetimestampatwhichtheeventwascreated• CreatedBy:usernameforusergeneratedeventsorsystemforsystemgeneratedevents• Status:statusoftheevent(ENDED/ONGOING/NULL)• Category:categoryoftheevent• Sub-category:refinementofcategoryoftheevent.• Direction:trafficflowforwhichtheeventwascreated(INBOUND/OUTBOUND/NULL).• Message:messagetobedisplayedtotheuser.

Visualnotificationsareavailableat:

• WebGUI:hdDeviceUI• Emailaddressesoftheregisteredusers

ListofEvents(Categories):

• Attackevents• Alarmevents• Systemevents

DDoS_NOT_EXT.1.2TheTSFshallsendanotificationwheneventsoccurduringtheassessmentprocess.Followingarethenotificationtypes.

• WebbasedUInotification:listofeventsdisplayedinhdDeviceUI.• Emailnotification:emailsenttotheregisteredusersoneventgeneration.

Listofnotificationrecipients:

• AllregisteredusersonhdDeviceUI

Listofevents/alertcategories:

• System• Configuration• Attack• Alarm• User• Report• Operational• DiskUsage

Furtherdescriptionofthealertcategoriescanbereferredfromsection6.1.5.2.


of 91

5.2.4Rationale

DDoS_NOT_EXT.1 ismodelled on IDS_RCT.1Analyser react (EXP) as defined in IDS SystemProtectionProfile Version 1.7 July 25, 2007. This SFR wasmodified to apply to the various events that can begeneratedbyanydetectionandmitigationtypesystemratherthanonlythedetectionofanintrusion.ThisSFRusestheterm“notification”ratherthan“alert”becausethereisnoguaranteethattherecipientwillacknowledgeorreadtheeventinformationinatimelymanner.Forexample,iftheTOEsendsthisinformationviaemail(SMTPServerornativemessagingwithintheproduct)thereisnoguaranteethattherecipientwillacknowledgeorreadtheeventinformationinatimelymanner.NoristheTOEexpectedtohandleincomingresponsessuchasanacknowledgedreceiptorread.

5.3FIA_UAU_EXT.2Userauthenticationbeforeanyaction

5.3.1ClassFIA:Identificationandauthentication

SeeSection12oftheCommonCriteriaforInformationTechnologySecurityEvaluationPart2:SecurityfunctionalcomponentsApril2017Version3.1Revision5.

5.3.2Family:Userauthentication(FIA_UAU)

5.3.2.1FamilyBehaviourThisfamilydefinesthetypesofuserauthenticationmechanismssupportedbytheTSF.Thisfamilyalsodefinestherequiredattributesonwhichtheuserauthenticationmechanismsmustbebased.5.3.2.2Componentlevelling

FIA_UAU_EXT.2Thepassword-basedauthenticationmechanismprovidesadministrativeusersa locallybasedauthenticationmechanism.Componentdefinitionandrationaleareprovidedinsection5.3.3and5.3.4.Refertosection6.1.2forlistofuserattributes,managementofdataandpasswordpolicy.5.3.2.3ManagementThefollowingactionscouldbeconsideredforthemanagementfunctionsinFMT:

- Managementoftheauthenticationdatabyanadministrator- Managementoftheauthenticationdatabytheuserassociatedwiththisdata

5.3.2.4Audit ThefollowingactionsshouldbeauditableifFAU_GENSecurityauditdatagenerationisincludedinthePP/ST:

• Minimal:Unsuccessfuluseoftheauthenticationmechanism• Basic:Alluseoftheauthenticationmechanism


of 91

5.3.3Definition

FIA_UAU_EXT.2UserauthenticationbeforeanyactionHierarchicalto:FIA_UAU.1TimingofauthenticationDependencies:FIA_UID.1TimingofidentificationFIA_UAU_EXT.2.1Hierarchicalto:FIA_UAU_EXT.2UserauthenticationbeforeanyactionTheTSFshallrequireeachusertobesuccessfullyauthenticatedeitherbytheTSForbyanauthenticationservice in the Operational Environment invoked by the TSF before allowing any other TSF-mediatedactionsonbehalfofthatuser.

5.3.4Rationale

FIA_UAU_EXT.2ismodelledcloselyonthestandardcomponentFIA_UAU.2:Userauthenticationbeforeany action. FIA_UAU_EXT.2 needed to be defined as an extended component because the standardcomponentwasbroadenedbyaddingthetext“eitherbytheTSForbyanauthenticationserviceintheOperationalEnvironmentinvokedbytheTSF”.


of 91

6SecurityRequirementsThissectionprovidesthesecurityfunctionalandassurancerequirementsfortheTOE.6.1SecurityFunctionalRequirementsfortheTOE FormattingConventions

Thenotation,formatting,andconventionsusedinthissecuritytarget(ST)areconsistentwithversion3.1oftheCommonCriteriaforInformationTechnologySecurityEvaluation.

TheCCpermitsfourfunctionalcomponentoperations:assignment,iteration,refinement,andselectiontobeperformedonfunctionalrequirements.Theseoperationsaredefinedas:

• Iteration:allowsacomponenttobeusedmorethanoncewithvaryingoperations• Assignment:allowsthespecificationofparameters• Selection:allowsthespecificationofoneormoreitemsfromalist• Refinement:allowstheadditionofdetails

ThisSTindicateswhichtextisaffectedbyeachoftheseoperationsinthefollowingmanner:

• AssignmentsandSelectionsspecifiedbytheSTauthorarein[italicizedboldtext]. • Refinementsareidentifiedwith"Refinement:"rightaftertheshortname.AdditionstotheCC

textarespecifiedinitalicizedboldandunderlinedtext. • Iterationsareidentifiedwithadashnumber"-#".Thesefollowtheshortfamilynameandallow

componentstobeusedmorethanoncewithvaryingoperations.“*”referstoalliterationsofacomponent.

• Applicationnotesprovideadditionalinformationforthereader,butdonotspecifyrequirements.Applicationnotesaredenotedbyitalicizedtext.

• ExtendedcomponentsdefinedinSection5havebeendenotedwiththesuffix“_EXT”followingthefamilyname.


of 91

ThefunctionalsecurityrequirementsfortheTOEconsistofthefollowingcomponentstakendirectlyfromPart2oftheCCandtheextendedcomponentsdefinedinSection5andsummarizedinTable6-1below.

SecurityAuditFAU_GEN.1 AuditdatagenerationFAU_GEN.2 UseridentityassociationFAU_SAR.1 AuditreviewFAU_SAR.3 SelectableauditreviewFAU_STG.1 Protectedaudittrailstorage

IdentificationandAuthenticationFIA_ATD.1 UserattributedefinitionFIA_SOS.1 VerificationofSecretsFIA_UAU.5 MultipleauthenticationmechanismFIA_UAU_EXT.2 UserauthenticationbeforeanyactionFIA_UID.2 Useridentificationbeforeanyaction

SecurityManagementFMT_MTD.1 ManagementofTSFdataFMT_SMF.1 SpecificationofmanagementfunctionsFMT_SMR.1 SecurityrolesFMT_MSA.1 ManagementofSecurityAttributesFMT_MSA.3 StaticAttributeInitialization

SecurityFPT_FLS.1 FailurewithPreservationofSecureStateFPT_STM.1 ReliableTimeStamps

DistributedDenialofServiceDDoS_DEF_EXT.1 DDoSDefenceDDoS_NOT_EXT.1 SecurityNotifications

TrustedPath/ChannelsFTP_ITC.1 Inter-TSFtrustedChannelFTP_TRP.1 TrustedPath/Channel

UserDataProtectionFDP_IFC.1 SubsetInformationFlowControlFDP_IFF.1 SimpleSecurityAttributesFDP_ITC.1 ImportofUserDatawithoutSecurityAttributesFDP_ITT.1 TransferofUserData

CryptographicSupportFCS_COP.1a CryptographicoperationFCS_COP.1b CryptographicoperationFCS_COP.1c Cryptographicoperation

TABLE6-1:FUNCTIONALCOMPONENTS


of 91

6.1.1ClassFAU:SecurityAudit

6.1.1.1FAU_GEN.1AuditDataGeneration Hierarchicalto:Noothercomponents.Dependencies:FPT_STM.1 Reliabletimestamps

FAU_GEN.1.1

TheTSFshallbeabletogenerateanauditrecordofthefollowingauditableevents:

• Start-upandshutdownoftheauditfunctions;• Allauditableeventsforthe[notspecified]levelofaudit;and • [thefollowingauditableevents:eventslistedincolumn3ofTable6-2]

SFRID SFRTitleFAU_GEN.1 NoneFAU_GEN.2 NoneFAU_SAR.1 NoneFAU_SAR.3 NoneFAU_STG.1 Diskusageisgettingfull.FIA_ATD.1 NoneFIA_SOS.1 NoneFIA_UAU.5 NoneFIA_UAU_EXT.2 UserloginandlogoutFIA_UID.2 Userloginandlogout

FMT_MTD.1 ConfigurationorupdatestoanyoftheTOESettings

FMT_SMF.1 AllActionsdefinedinFMT_MTD.1FMT_SMR.1 NoneFPT_FLS.1 FailurewithPreservationofSecureStateFPT_STM.1 NoneDDoS_NOT_EXT.1 SecurityNotificationsFTP_ITC.1 NoneFTP_TRP.1 None

TABLE6-2:FUNCTIONALCOMPONENTS*ApplicationNote:TheTOErecordsDDoSeventsinaseparatelogfile,BlockedHostLog,whichisnotpartoftheaudittrailandisavailabletoviewviaadifferentfunctionintheWebGUI.


of 91

FAU_GEN.1.2

TheTSFshallrecordwithineachauditrecordatleastthefollowinginformation:

• Date and time of the event, type of event, subject identity (if applicable), and the outcome(successorfailure)oftheevent

• Foreachauditeventtype,basedontheauditableeventdefinitionsofthefunctionalcomponentsincludedinthePP/ST:[theadditionalinformationidentifiedinTable6-3].

Information DescriptionUsername Theuserwhomadethechange,or“system”ifitisasystem-generated

change.Sub-System The sub-system that made the change. CLI, hdDeviceUI,

hdDetectionService,hdInspector

LogPrioritylevels There are four priority levels for logs-DEBUG, WARN, ERROR ANDINFO.

Description A description of the change. For example, if a protection group iscreated,thedescriptiondisplaysthesettingsthatareconfigured.TABLE6-3:AUDITRECORDINFORMATION

ApplicationNote:The“…outcome(successorfailure)oftheevent”willonlybeincludedifapplicable.

6.1.1.2FAU_GEN.2UserIdentityAssociation Hierarchicalto:Noothercomponents.Dependencies:FAU_GEN.1 AuditDataGenerationFIA_UID.1 Timingofidentification

FAU_GEN.2.1

Forauditeventsresultingfromactionsofidentifiedusers,theTSFshallbeabletoassociateeachauditableeventwiththeidentityoftheuserthatcausedtheevent.6.1.1.3FAU_SAR.1AuditReview Hierarchicalto:Noothercomponents.Dependencies:FAU_GEN.1 AuditDataGeneration

FAU_SAR.1.1

TheTSFshallprovide[Administrators]withthecapabilitytoread[followingauditdata]fromtheauditrecords:

• CLIlogs• Sysloglogs• Haltdoslogs


of 91

• Accesslogs• websitelogs• DetectionServicelogs

FAU_SAR.1.2

TheTSFshallprovidetheauditrecordsinamannersuitablefortheusertointerprettheinformation.

6.1.1.4FAU_SAR.3SelectableAuditReview Hierarchicalto:Noothercomponents.Dependencies:FAU_SAR.1 AuditReview

FAU_SAR.3.1

TheTSFshallprovidetheabilitytoapply[searching]ofauditdatabasedon:

Allpossiblecombinationsofthefollowingfields:

• Username• Timestamp• Sub-system

6.1.1.5FAU_STG.1Protectedaudittrailstorage Hierarchicalto:Noothercomponents.Dependencies:FAU_GEN.1 AuditDataGeneration

FAU_STG.1.1

TheTSFshallprotectthestoredrecordsfromunauthorizeddeletion.

FAU_STG.1.2

TheTSFshallbeableto[prevent]unauthorizedmodificationstotheauditrecordsintheaudittrail.

6.1.2ClassFIA:Identificationandauthentication

6.1.2.1FIA_ATD.1UserAttributeDefinition Hierarchicalto:Noothercomponents.Dependencies:Nodependencies.


of 91

FIA_ATD.1.1

TheTSFshallmaintainthefollowinglistofsecurityattributesbelongingtoindividualusers:

• Username• Email• Password• AccessRights(role)

6.1.2.2FIA_SOS.1VerificationofSecrets Hierarchicalto:Noothercomponents.Dependencies:Nodependencies.FIA_SOS.1.1TheTSFshallprovideamechanismtoverifythatsecretsmeet[theparametersoftheTOEPasswordPolicy(SeeTable6-4)].PasswordCriteriamustbeatleast8characterslongmustbenomorethan72characterslongcanincludespecialcharacters,spaces,andquotationmarkscannotbealldigitsmustconsistofatleastonedigitmustconsistofatleastoneuppercaseandonelowercaselettercannotbeonlylettersfollowedbyonlydigits(forexample,abcd123)cannotbeonlydigitsfollowedbyonlyletters(forexample,123abcd)cannotconsistofalternatingletter-digitcombinations(forexample,1a3A4c1ora2B4c1d)

TABLE6-4:TOEPASSWORDPOLICYRULES6.1.2.3FIA_UAU.5MultipleAuthenticationMechanismsHierarchicalto:Noothercomponents.Dependencies:Nodependencies.FIA_UAU.5.1

The TSF shall provide [Local Password Authentication and ability to invoke external authenticationmechanismwhenconfigured]tosupportuserauthentication.

FIA_UAU.5.2

TheTSFshallauthenticateanyuser'sclaimedidentityaccordingtothe[Followingrules]:

• TOE invoke authentication mechanism in the following precedence order: RADIUS, LOCAL. IfauthenticationfromRADIUSsucceeds=LoginSuccess.IfauthenticationfromRADIUSfails,LOCALauthentication is invoked. If local authentication succeeds = Login Success. If the localauthenticationfails=LoginFailure.


of 91

• If RADIUS server is not configured or down, LOCAL authentication is attempted. If LOCALauthenticationfails:Loginfailure.

ApplicationNote:TheTOEonlyclaimscompatibilitywithRADIUSservers.

6.1.2.4FIA_UAU_EXT.2UserAuthenticationBeforeanyActionHierarchicalto:FIA_UAU.1 Timingofauthentication

Dependencies:FIA_UID.1 Timingofidentification

FIA_UAU_EXT.2.1

TSFshall requireeachuser tobesuccessfullyauthenticatedeitherby theTSForbyanauthenticationservice in the Operational Environment invoked by the TSF before allowing any other TSF-mediatedactionsonbehalfofthatuser.6.1.2.5FIA_UID.1TimingofIdentificationHierarchicalto:Noothercomponents.Dependencies:Nodependencies.FIA_UID.1.1TheTSFshallallowlistofTSF-mediatedactionsonbehalfoftheusertobeperformedbeforetheuserisidentified.FollowingisthelistofTSF-mediatedactions:

• ForgotPassword:usercanrequestforresettingtheirpasswords.Anemailvalidationlinkwillbesenttotheregisteredemailaddressed.

• Iamafirsttimeuser:usercanrequestforcreatingtheirpasswords.Anemailvalidationlinkwillbesenttotheregisteredemailaddressed.

FIA_UID.1.2TheTSFshallrequireeachusertobesuccessfullyidentifiedbeforeallowinganyotherTSF-mediatedactionsonbehalfofthatuser.6.1.2.6FIA_UID.2UserIdentificationBeforeanyActionHierarchicalto:FIA_UID.1 Timingofidentification

Dependencies:Nodependencies.


of 91

FIA_UID.2.1

The TSF shall require each user to be successfully identified before allowing any other TSFmediatedactionsonbehalfofthatuser.

6.1.3ClassFMT:SecurityManagement

6.1.3.1FMT_MTD.1ManagementofTSFdataHierarchicalto:Noothercomponents.Dependencies:FMT_SMR.1 SecurityrolesFMT_SMF.1 SpecificationofManagementFunctions

FMT_MTD.1.1TheTSFshallrestricttheabilityto[changedefault,query,modify,delete,and[otheroperationsasspecifiedinTable6-5]the[TSFDataasspecifiedinTable6-5]to[theroleasspecifiedinTable6-5].Operations TSFDataorobject RoleLogintoCLI(Access) hdCLI SystemAdministrator**LogintoWebGUI(Access) hdDeviceUI Administrator,SecurityAnalyst,

NetworkAnalyst,VisitorCapture thenetworkpacketsinrealtime Administrator,SecurityAnalyst,

NetworkAnalystChange theglobalprotectionlevel Administrator,SecurityAnalystConfigure,Run,Restore thebackupandrestoredata SystemAdministratorEdit theuseraccountsattributes Administrator,SecurityAnalyst*

,NetworkAnalyst*,Visitor*Edit theIPinterfaceconfigurationsettings SystemAdministratorEdit thelocaluserandauthentication AdministratorEdit theauthorizationconfiguration

settingsSystemAdministrator,Administrator

Edit theaccountingAAAconfigurationsettings

SystemAdministrator

Edit theDNSconfigurationsettings AdministratorEdit theHTTPconfigurationsettings AdministratorEditandView thelogging,configurationsettings AdministratorView theserverlog SystemAdministratorEdit theNTPconfigurationsettings SystemAdministratorEdit theSSHconfigurationsettings SystemAdministratorEdit thesystemattributes SystemAdministratorEditandApply theIPaccessrules(Policy) SystemAdministrator,

AdministratorExplore historicalblockedhostslog SystemAdministrator


of 91

Installanduninstall softwarepackages Administrator,SystemAdministrator

Edit theTOEsystemfiles SystemAdministratorManage theGeneralConfigurationSettings AdministratorManage theIn-lineActiveStateSetting AdministratorManage thenotificationconfigurationsettings Administrator,SecurityAnalyst,

NetworkAnalystManage thesystemeventsconfiguration

settingsAdministrator,SecurityAnalyst,NetworkAnalyst

Manage theSSHkeys SystemAdministratorManage thesystemdisks SystemAdministratorView theTOEsystemfiles SystemAdministratorRestore Restoredevicestatefrombackup SystemAdministratorSet thesystemclock SystemAdministratorShow therunningorsavedconfiguration

settingsAdministrator,SecurityAnalyst,NetworkAnalyst

Shutdown theTOEsystem SystemAdministratorStartandStop theTOEservices SystemAdministratorView Accessrightsconfigurationsettings Administrator

TABLE6-5:MANAGEMENTOFTSFDATA*VISITORcanonlyeditownaccountattributesforupdatingpasswordorusernameattributes.AVISITORcannotchangehisownauthorityassignmentorhisregisteredemailid.

*SECURITYANALYSTcanonlyeditownaccountattributesforupdatingpasswordorusernameattributes.ASECURITYANALYSTcannotchangehisownauthorityassignmentorhisregisteredemailid.

*NETWORKANALYSTcanonlyeditownaccountattributesforupdatingpasswordorusernameattributes.ANETWORKANALYSTcannotchangehisownauthorityassignmentorhisregisteredemailid.

**SYSTEMADMINISTRATORisLINUXOSuserswithrootprivilegesontheTOEappliance.TheseuserscanlogontotheapplianceviaSSHtorunsystemcommandsandaccesstheCLItomaintainandconfiguretheTOE.SomeCLIcommandmakesAPIcallstoGUI.

6.1.3.2FMT_SMF.1SpecificationofManagementFunctionsHierarchicalto:Noothercomponents.Dependencies:Nodependencies. FMT_SMF.1.1

TheTSFshallbecapableofperformingthefollowingsecuritymanagementfunctions:

• OperationsasspecifiedinTable6-5ontheTSFDataasspecifiedinTable6-5(SeeFMT_MTD.1)


of 91

6.1.3.3FMT_SMR.1SecurityRolesHierarchicalto:Noothercomponents.Dependencies:FIA_UID.1 TimingofIdentification

FMT_SMR.1.1

TheTSFshallmaintaintheroles[ADMINISTRATOR,SECURITYANALYST,NETWORKANALYST,VISITORANDSYSTEMADMINISTRATOR].

FMT_SMR.1.2

TheTSFshallbeabletoassociateuserswithroles.

6.1.3.4FMT_MSA.1ManagementofSecurityAttributesHierarchicalto:Noothercomponents.Dependencies:FDP_IFC.1 SubsetofInformationFlowControlFMT_SMR.1 SecurityRolesFMT_SMF.1 SpecificationofManagement

FMT_MSA.1.1

TheTSFshallenforcethe[PacketFilterSFP]torestricttheabilityto[modify,[nootheroperations]]thesecurityattributes[networktrafficfilterrulesandconfigurationdata]to[theroleadministrator].

6.1.3.5FMT_MSA.3StaticAttributeInitializationHierarchicalto:Noothercomponents.Dependencies:FMT_MSA.1 ManagementofSecurityAttributesFMT_SMR.1 SecurityRoles

FMT_MSA.3.1

TheTSFshallenforcethe[PacketFilterSFP]toprovide[restrictive]defaultvaluesforsecurityattributesthatareusedtoenforcetheSFP.

FMT_MSA.3.2

TheTSFshallallowthe[noroles]tospecifyalternativeinitialvaluestooverridethedefaultvalueswhenanobjectorinformationiscreated.


of 91

6.1.4ClassFPT:ProtectionofTSF

6.1.4.1FPT_FLS.1FailurewithPreservationofSecureStateHierarchicalto:Noothercomponents.Dependencies:Nodependencies.

FPT_FLS.1.1

TheTSFshallpreserveasecurestatewhenthefollowingtypesoffailuresoccur:

• PowerFailure• HardwareFailure• SoftwareFailure

6.1.4.2FPT_STM.1ReliableTimeStampsHierarchicalto:Noothercomponents.Dependencies:Nodependencies.

FPT_STM.1.1TheTSFshallbeabletoprovidereliabletimestampsforitsownuse.

6.1.5ClassDDoS:DistributedDenialofService

6.1.5.1DDoS_DEF_EXT.1DDoSDefenceHierarchicalto:Noothercomponents.Dependencies:Nodependencies. DDoS_DEF_EXT.1.1

TheTSFshallbeabletodetectthefollowingtypesofDDoSattacks

• Botnet• GenericBandwidth• SlowHTTP• MalformedHTTP

DDoS_DEF_EXT.1.2

TheTSFshallbeabletomitigatethedetectedDDoSattacks.


of 91

DDoS_DEF_EXT.1.3

TheTSFshallprovidethefollowingadditionalinformationflowcontrolcapabilities

Capabilityto:

• Configure TOE to function in inline active (with filtering), off-line (onlymonitoring) or in-linebypassmodes

• ConfigurableDetectionLevel(low,medium,high).

Note: See Section 8 for terminology and more details on inline active (with filtering), off-line (onlymonitoring)orin-linebypassmodesWhitelist,Blacklist,ServiceDefinitionsandTCPSYNRateConfigetc.

ForadditionaldetailsondescriptionofDDoSattacktypesandmitigationmechanisms,seeSection7.6.

6.1.5.2DDoS_NOT_EXT.1Explicit:SecurityNotifications Hierarchicalto:Noothercomponents.Dependencies:DDoS_DEF_EXT.1 DDoSDefence

DDoS_NOT_EXT.1.1

TheTSFshallsendavisualnotificationto[hdDeviceUI]when[theevents)listedinTable6-6]occursduringtheassessmentprocess.DDoS_NOT_EXT.1.2TheTSFshallsenda[emailandlogmessage]notificationto[theassignedeventnotificationrecipient’sEmailId,configuredSNMPmanager,configuredsyslogserver]when[theAlerttype(s)listedinTable6-6]occursduringtheassessmentprocess.AlertType Causes UIEvent Log Email

System Systemsettingsarechanged Yes Yes No

Configuration Someonechangesthesecuritysettings. Yes Yes No

Attack DDoSattackdetected Yes Yes Yes

Alarm Userdefinedrulesgettriggered Yes Yes Yes

User Userpermissions,roleoradditionorremovalofusers

Yes Yes No

Report Systemreportisgenerated Yes Yes Yes

Operational Licenseexpiryorsystemfailurenotifications

Yes Yes Yes

DiskUsage Diskusagerunninghigh Yes Yes Yes

TABLE6-6:SECURITYNOTIFICATIONS


of 91

6.1.6ClassFTP:TrustedPath/Channels

6.1.6.1FTP_ITC.1Inter-TSFTrustedChannel Hierarchicalto:Noothercomponents.Dependencies:Nodependencies.

FTP_ITC.1.1

TheTSF shallprovidea communicationchannelbetween itself andanother trusted ITproduct that islogicallydistinctfromothercommunicationchannelsandprovidesassuredidentificationofitsendpointsandprotectionofthechanneldatafrommodificationordisclosure.

FTP_ITC.1.2

TheTSFshallpermit[theTSF]toinitiatecommunicationviathetrustedchannel.

FTP_ITC.1.3

TheTSFshallinitiatecommunicationviathetrustedchannelfor[authenticationdecisionhandling].

6.1.6.2FTP_TRP.1TrustedPath Hierarchicalto:Noothercomponents.Dependencies:Nodependencies.

FTP_TRP.1.1

TheTSFshallprovideacommunicationpathbetweenitselfand[remote]usersthatislogicallydistinctfromothercommunicationpathsandprovidesassuredidentificationofitsendpointsandprotectionofthecommunicateddatafrom[modificationanddisclosure].

FTP_TRP.1.2

TheTSFshallpermit[remoteusers]toinitiatecommunicationviathetrustedpath.

FTP_TRP.1.3TheTSFshallrequiretheuseofthetrustedpathfor[initialuserauthentication,[andallremoteuseractions]].

6.1.7ClassFDP:UserDataProtection

6.1.7.1FDP_IFC.1SubsetInformationFlowControl Hierarchicalto:Noothercomponents.Dependencies:FDP_IFF.1 SimpleSecurityAttributes


of 91

FDP_IFC.1.1

TheTSFshallenforcethe[PacketFilterSFP]on[Subjects:users(externalentities)thatsendand/orreceiveinformationthroughtheTOEtooneanother;Information:datasentfromonesubjectthroughtheTOEtooneanother;Operation:passthedata].ApplicationNote:ThePacketFilterSFPisgiveninFDP_IFF.ThesubjectdefinitioninFDP_IFC.1.1belongstoaformerCCversion.Thusthesubjectsareidenticaltotheusersdefinedintheexternalentitiesdefinitioninchap.3.3.

6.1.7.2FDP_IFF.1SimpleSecurityAttributes Hierarchicalto:Noothercomponents.Dependencies:FDP_IFC.1 SubsetInformationFlowControlFMT_MSA.3 StaticAttributeInitialization

FDP_IFF.1.1

TheTSFshallenforce the [PacketFilterSFP]basedon the following typesof subjectand informationsecurityattributes:[Subjects:users(externalentities)thatsendand/orreceiveinformationthroughtheTOEtooneanother;Subjectsecurityattributes:none;Information:datasentfromonesubjectthroughtheTOEtooneanother;Informationsecurityattributes:sourceaddressofsubject,destinationaddressofsubject,transportlayerprotocol,interfaceonwhichthetrafficarrivesanddeparts,port,time]. FDP_IFF.1.2

TheTSFshallpermitaninformationflowbetweenacontrolledsubjectandcontrolledinformationviaacontrolledoperationifthefollowingruleshold:[SubjectsonanetworkconnectedtotheTOEcancauseinformationtoflowthroughtheTOEtoasubjectonanotherconnectednetworkonlyifalltheinformationsecurityattributevaluesarepermittedbyallinformationpolicyrules].FDP_IFF.1.3

TheTSFshallenforcethe[reassemblyoffragmentedIPdatagramsbeforeinspection]. FDP_IFF.1.4

TheTSFshallexplicitlyauthoriseaninformationflowbasedonthefollowingrules:[none].FDP_IFF.1.5

TheTSFshallexplicitlydenyaninformationflowbasedonthefollowingrules:• TheTOEshallrejectrequestsofaccessorserviceswheretheinformationarrivesonanetwork

interfaceandthesourceaddressoftherequestingsubjectisfoundmaliciousaccordingtoconfiguredpolicyrulesontheTOE.

ApplicationNote:ThesubjectdefinitioninFDP_IFF.1.1belongstoaformerCCversion.Thusthesubjectsareidenticaltotheusersdefinedintheexternalentitiesdefinitioninchap.3.3.


of 91

6.1.7.3FDP_ITC.1ImportofUserDatawithoutSecurityAttributes Hierarchicalto:Noothercomponents.Dependencies:FDP_IFC.1 SubsetInformationFlowControlFMT_MSA.3 StaticAttributeInitialization

FDP_ITC.1.1

TheTSFshallenforcethe[UserDataSFP]whenimporting[GeoIPdatabase,TORIPfeeds,IPReputationandSoftwareUpdates]fromoutsideoftheTOE.FDP_ITC.1.2

TheTSFshallignoreanysecurityattributesassociatedwiththeuserdatawhenimportedfromoutsidetheTOE.FDP_ITC.1.3

TheTSFshallenforcethefollowingruleswhenimportinguserdatacontrolledundertheSFPfromoutsidetheTOE:[none].6.1.7.4FDP_ITT.1BasicInternetTransferProtection Hierarchicalto:Noothercomponents.Dependencies:FDP_IFC.1 SubsetInformationFlowControl

FDP_ITT.1.1

TheTSFshallenforcethe[UserDataSFP]topreventthemodificationofuserdatawhenitistransmittedbetweenphysically-separatedpartsoftheTOE.

6.1.8ClassFCS:CryptographicSupport

6.1.8.1FCS_COP.1CryptographicOperation(a) Hierarchicalto:Noothercomponents.Dependencies:FDP_ITC.1 ImportofUserDatawithoutSecurityAttributes

FCS_COP.1.1a

TheTSFshallperformsymmetricencryptionanddecryptioninaccordancewithaspecifiedcryptographicalgorithmAESandcryptographickeysizes256bitsthatmeetthefollowing:FIPS197.


of 91

6.1.8.2FCS_COP.1CryptographicOperation(b) Hierarchicalto:Noothercomponents.Dependencies:FDP_ITC.1 ImportofUserDatawithoutSecurityAttributes

FCS_COP.1.1b

TheTSFshallperformasymmetricencryptionanddecryptioninaccordancewithaspecifiedcryptographicalgorithmRSAandcryptographickeysizesupto2048bitsthatmeetthefollowing:PKCS#1v2.1.6.1.8.3FCS_COP.1CryptographicOperation(c) Hierarchicalto:Noothercomponents.Dependencies:FDP_ITC.1 ImportofUserDatawithoutSecurityAttributes

FCS_COP.1.1c

TheTSFshallperformcryptographichashinginaccordancewithaspecifiedcryptographicalgorithmSHA1andcryptographickeysizesnotapplicablethatmeetthefollowing:FIPS180-36.2SecurityAssuranceRequirementsfortheTOE TheSecurityAssuranceRequirementsfortheTOEaretheassurancecomponentsofEvaluationAssuranceLevel2+ taken fromPart3of theCommonCriteria. Noneof theassurance componentsare refined,ALC_CMC.3andALC_CMS.3areaddedinsteadofALC_CMC.2andALC_CMS.2foraugmentingEAL2.TheassurancecomponentsarelistedinTable6-7.

AssuranceClass Assurancecomponents

ADV:Development

ADV_ARC.1Securityarchitecturedescription

ADV_FSP.2Security-enforcingfunctionalspecificationADV_TDS.1Basicdesign

AGD:Guidancedocuments AGD_OPE.1OperationaluserguidanceAGD_PRE.1Preparativeprocedures

ALC:Life-cyclesupport

ALC_CMC.3AuthorisationcontrolsALC_CMS.3ImplementationrepresentationCMcoverageALC_DEL.1DeliveryproceduresALC_DVS.1IdentificationofsecuritymeasuresALC_LCD.1Developerdefinedlife-cyclemodel

ASE:SecurityTarget ASE_CCL.1Conformanceclaims


of 91

evaluation ASE_ECD.1ExtendedcomponentsdefinitionASE_INT.1STintroductionASE_OBJ.2SecurityobjectivesASE_REQ.2DerivedsecurityrequirementsASE_SPD.1SecurityproblemdefinitionASE_TSS.1TOEsummaryspecification

ATE:Tests

ATE_COV.1EvidenceofcoverageATE_FUN.1FunctionaltestingATE_IND.2Independenttesting-sample

AVA:VulnerabilityassessmentAVA_VAN.2Vulnerabilityanalysis

TABLE6-7:EAL2ASSURANCECOMPONENTSFurtherinformationontheseassurancecomponentscanbefoundintheCommonCriteriaforInformationTechnologySecurityEvaluation(CCITSE)Part3.

6.2.1ADV_ARC.1SecurityArchitectureDescription

Developeractionelements:ADV_ARC.1.1DThedevelopershalldesignand implement theTOEsothat thesecurity featuresof theTSFcannotbebypassed.ADV_ARC.1.2DThedevelopershalldesignandimplementtheTSFsothatitisabletoprotectitselffromtamperingbyuntrustedactiveentities.ADV_ARC.1.3DThedevelopershallprovideasecurityarchitecturedescriptionoftheTSF.Contentandpresentationelements:ADV_ARC.1.1CThesecurityarchitecturedescriptionshallbeatalevelofdetailcommensuratewiththedescriptionoftheSFR-enforcingabstractiondescribedintheTOEdesigndocument.ADV_ARC.1.2CThe security architecture description shall describe the security domain maintained by the TSFconsistentlywiththeSFRs.ADV_ARC.1.3CThesecurityarchitecturedescriptionshalldescribehowtheTSFinitializationprocessissecure.ADV_ARC.1.4CThesecurityarchitecturedescriptionshalldemonstratethattheTSFprotectsitselffromtampering.ADV_ARC.1.5CThesecurityarchitecturedescriptionshalldemonstratethattheTSFpreventsbypassoftheSFR-enforcingfunctionality.


of 91

6.2.2ADV_FSP.2Security-enforcingfunctionalspecification

Developeractionelements:ADV_FSP.2.1DThedevelopershallprovideafunctionalspecification.ADV_FSP.2.2DThedevelopershallprovideatracingfromthefunctionalspecificationtotheSFRs.Contentandpresentationelements:ADV_FSP.2.1CThefunctionalspecificationshallcompletelyrepresenttheTSF.ADV_FSP.2.2CThefunctionalspecificationshalldescribethepurposeandmethodofuseforallTSFI.ADV_FSP.2.3CThefunctionalspecificationshallidentifyanddescribeallparametersassociatedwitheachTSFI.ADV_FSP.2.4CFor each SFR-enforcing TSFI, the functional specification shall describe the SFR-enforcing actionsassociatedwiththeTSFI.ADV_FSP.2.5CForeachSFR-enforcingTSFI, the functional specificationshalldescribedirecterrormessages resultingfromprocessingassociatedwiththeSFR-enforcingactions.ADV_FSP.2.6CThetracingshalldemonstratethattheSFRstracetoTSFIsinthefunctionalspecification.

6.2.3ADV_TDS.1Basicdesign

Developeractionelements:ADV_TDS.1.1DThedevelopershallprovidethedesignoftheTOE.ADV_TDS.1.2DThedevelopershallprovideamappingfromtheTSFIofthefunctionalspecificationtothelowestlevelofdecompositionavailableintheTOEdesign.Contentandpresentationelements:ADV_TDS.1.1CThedesignshalldescribethestructureoftheTOEintermsofsubsystems.ADV_TDS.1.2CThedesignshallidentifyallsubsystemsoftheTSF.


of 91

ADV_TDS.1.3CThedesignshalldescribethebehaviourofeachSFR-supportingorSFR-non-interferingTSFsubsysteminsufficientdetailtodeterminethatitisnotSFR-enforcing.ADV_TDS.1.4CThedesignshallsummarizetheSFR-enforcingbehaviouroftheSFR-enforcingsubsystems.ADV_TDS.1.5CThedesignshallprovideadescriptionoftheinteractionsamongSFR-enforcingsubsystemsoftheTSF,andbetweentheSFR-enforcingsubsystemsoftheTSFandothersubsystemsoftheTSF.ADV_TDS.1.6CThemappingshalldemonstratethatallTSFIstracetothebehaviourdescribedintheTOEdesignthattheyinvoke.

6.2.4AGD_OPE.1Operationaluserguidance

Developeractionelements:AGD_OPE.1.1DThedevelopershallprovideoperationaluserguidance.Contentandpresentationelements:AGD_OPE.1.1CThe operational user guidance shall describe, for each user role, the user-accessible functions andprivilegesthatshouldbecontrolledinasecureprocessingenvironment,includingappropriatewarnings.AGD_OPE.1.2CThe operational user guidance shall describe, for each user role, how to use the available interfacesprovidedbytheTOEinasecuremanner.AGD_OPE.1.3CTheoperationaluserguidanceshalldescribe,foreachuserrole,theavailablefunctionsandinterfaces,inparticularallsecurityparametersunderthecontroloftheuser,indicatingsecurevaluesasappropriate.AGD_OPE.1.4CTheoperationaluser guidance shall, for eachuser role, clearlypresenteach typeof security-relevanteventrelativetotheuser-accessiblefunctionsthatneedtobeperformed,includingchangingthesecuritycharacteristicsofentitiesunderthecontroloftheTSF.AGD_OPE.1.5CThe operational user guidance shall identify all possible modes of operation of the TOE (includingoperation following failureoroperationalerror), their consequencesand implications formaintainingsecureoperation.AGD_OPE.1.6CTheoperationaluserguidanceshall,foreachuserrole,describethesecuritymeasurestobefollowedinordertofulfilthesecurityobjectivesfortheoperationalenvironmentasdescribedintheST.


of 91

AGD_OPE.1.7CTheoperationaluserguidanceshallbeclearandreasonable.

6.2.5AGD_PRE.1Preparativeprocedures

Developeractionelements:AGD_PRE.1.1DThedevelopershallprovidetheTOEincludingitspreparativeprocedures.Contentandpresentationelements:AGD_PRE.1.1CThepreparativeproceduresshalldescribeallthestepsnecessaryforsecureacceptanceofthedeliveredTOEinaccordancewiththedeveloper'sdeliveryprocedures.AGD_PRE.1.2CThepreparativeproceduresshalldescribeallthestepsnecessaryforsecureinstallationoftheTOEandforthesecurepreparationoftheoperationalenvironmentinaccordancewiththesecurityobjectivesfortheoperationalenvironmentasdescribedintheST. 6.2.6ALC_CMC.3Authorisationcontrols

Developeractionelements:ALC_CMC.3.1DThedevelopershallprovidetheTOEandareferencefortheTOE.ALC_CMC.3.2DThedevelopershallprovidetheCMdocumentation.ALC_CMC.3.3DThedevelopershalluseaCMsystem.Contentandpresentationelements:ALC_CMC.3.1CTheTOEshallbelabelledwithitsuniquereference.ALC_CMC.3.2CTheCMdocumentationshalldescribethemethodusedtouniquelyidentifytheconfigurationitems.ALC_CMC.3.3CTheCMsystemshalluniquelyidentifyallconfigurationitems.ALC_CMC.3.4CTheCMsystemshallprovidemeasuressuchthatonlyauthorisedchangesaremadetotheconfigurationitems.


of 91

ALC_CMC.3.5CTheCMdocumentationshallincludeaCMplan.ALC_CMC.3.6CTheCMplanshalldescribehowtheCMsystemisusedforthedevelopmentoftheTOE.ALC_CMC.3.7CTheevidenceshalldemonstratethatallconfigurationitemsarebeingmaintainedundertheCMsystem.ALC_CMC.3.8CTheevidenceshalldemonstratethattheCMsystemisbeingoperatedinaccordancewiththeCMplan.

6.2.7ALC_CMS.3ImplementationrepresentationCMcoverage

Developeractionelements:ALC_CMS.3.1DThedevelopershallprovideaconfigurationlistfortheTOE.Contentandpresentationelements:ALC_CMS.3.1CTheconfigurationlistshallincludethefollowing:theTOEitself;theevaluationevidencerequiredbytheSARs;thepartsthatcomprisetheTOE;andtheimplementationrepresentation.ALC_CMS.3.2CTheconfigurationlistshalluniquelyidentifytheconfigurationitems.ALC_CMS.3.3CForeachTSFrelevantconfigurationitem,theconfigurationlistshallindicatethedeveloperoftheitem.

6.2.8ALC_DEL.1Deliveryprocedures

Developeractionelements:ALC_DEL.1.1DThe developer shall document and provide procedures for delivery of the TOE or parts of it to theconsumer.ALC_DEL.1.2DThedevelopershallusethedeliveryprocedures.Contentandpresentationelements:ALC_DEL.1.1CThedeliverydocumentationshalldescribeallproceduresthatarenecessarytomaintainsecuritywhendistributingversionsoftheTOEtotheconsumer.


of 91

6.2.10ALC_DVS.1Identificationofsecuritymeasures

Developeractionelements:ALC_DVS.1.1DThedevelopershallproduceandprovidedevelopmentsecuritydocumentation.Contentandpresentationelements:ALC_DVS.1.1CThedevelopmentsecuritydocumentationshalldescribeallthephysical,procedural,personnel,andothersecuritymeasuresthatarenecessarytoprotecttheconfidentialityandintegrityoftheTOEdesignandimplementationinitsdevelopmentenvironment.6.2.11ALC_LCD.1Developerdefinedlife-cyclemodel

Developeractionelements:ALC_LCD.1.1DThedevelopershallestablishalife-cyclemodeltobeusedinthedevelopmentandmaintenanceoftheTOE.ALC_LCD.1.2DThedevelopershallprovidelife-cycledefinitiondocumentation.Contentandpresentationelements:ALC_LCD.1.1CThelife-cycledefinitiondocumentationshalldescribethemodelusedtodevelopandmaintaintheTOE.ALC_LCD.1.2CThelife-cyclemodelshallprovideforthenecessarycontroloverthedevelopmentandmaintenanceoftheTOE.

6.2.12ASE_CCL.1Conformanceclaims

Developeractionelements:ASE_CCL.1.1DThedevelopershallprovideaconformanceclaim.ASE_CCL.1.2DThedevelopershallprovideaconformanceclaimrationale.Contentandpresentationelements:ASE_CCL.1.1CTheconformanceclaimshallcontainaCCconformanceclaimthatidentifiestheversionoftheCCtowhichtheSTandtheTOEclaimconformance.


of 91

ASE_CCL.1.2CTheCCconformanceclaimshalldescribe theconformanceof theST toCCPart2aseitherCCPart2conformantorCCPart2extended.ASE_CCL.1.3CTheCC conformance claim shall describe the conformanceof the ST toCCPart 3 as eitherCCPart 3conformantorCCPart3extended.ASE_CCL.1.4CTheCCconformanceclaimshallbeconsistentwiththeextendedcomponentsdefinition.ASE_CCL.1.5CTheconformanceclaimshallidentifyallPPsandsecurityrequirementpackagestowhichtheSTclaimsconformance.ASE_CCL.1.6CThe conformance claim shall describe any conformance of the ST to a package as either package-conformantorpackage-augmented.ASE_CCL.1.7CTheconformanceclaimrationaleshalldemonstratethattheTOEtypeisconsistentwiththeTOEtypeinthePPsforwhichconformanceisbeingclaimed.ASE_CCL.1.8CTheconformanceclaimrationaleshalldemonstratethatthestatementofthesecurityproblemdefinitionisconsistentwiththestatementofthesecurityproblemdefinitioninthePPsforwhichconformanceisbeingclaimed.ASE_CCL.1.9CTheconformanceclaimrationaleshalldemonstratethatthestatementofsecurityobjectivesisconsistentwiththestatementofsecurityobjectivesinthePPsforwhichconformanceisbeingclaimed.ASE_CCL.1.10CThe conformance claim rationale shall demonstrate that the statement of security requirements isconsistent with the statement of security requirements in the PPs for which conformance is beingclaimed.

6.2.13ASE_ECD.1Extendedcomponentsdefinition

Developeractionelements:ASE_ECD.1.1DThedevelopershallprovideastatementofsecurityrequirements.ASE_ECD.1.2DThedevelopershallprovideanextendedcomponentsdefinition.


of 91

Contentandpresentationelements:ASE_ECD.1.1CThestatementofsecurityrequirementsshallidentifyallextendedsecurityrequirements.ASE_ECD.1.2CTheextendedcomponentsdefinition shalldefineanextendedcomponent foreachextended securityrequirement.ASE_ECD.1.3CThe extended components definition shall describe how each extended component is related to theexistingCCcomponents,families,andclasses.ASE_ECD.1.4CThe extended components definition shall use the existing CC components, families, classes, andmethodologyasamodelforpresentation.ASE_ECD.1.5CTheextendedcomponentsshallconsistofmeasurableandobjectiveelementssuchthatconformanceornon-conformancetotheseelementscanbedemonstrated.

6.2.14ASE_INT.1STintroduction

Developeractionelements:ASE_INT.1.1DThedevelopershallprovideanSTintroduction.Contentandpresentationelements:ASE_INT.1.1CTheSTintroductionshallcontainanSTreference,aTOEreference,aTOEoverviewandaTOEdescription.ASE_INT.1.2CTheSTreferenceshalluniquelyidentifytheST.ASE_INT.1.3CTheTOEreferenceshallidentifytheTOE.ASE_INT.1.4CTheTOEoverviewshallsummarizetheusageandmajorsecurityfeaturesoftheTOE.ASE_INT.1.5CTheTOEoverviewshallidentifytheTOEtype.ASE_INT.1.6CTheTOEoverviewshallidentifyhardware/software/firmwarerequiredbytheTOE.


of 91

ASE_INT.1.7CTheTOEdescriptionshalldescribethephysicalscopeoftheTOE.ASE_INT.1.8CTheTOEdescriptionshalldescribethelogicalscopeoftheTOE.

6.2.15ASE_OBJ.2Securityobjectives

Developeractionelements:ASE_OBJ.2.1DThedevelopershallprovideastatementofsecurityobjectives.ASE_OBJ.2.2DThedevelopershallprovideasecurityobjectivesrationale.Contentandpresentationelements:ASE_OBJ.2.1CThestatementofsecurityobjectivesshalldescribethesecurityobjectivesfortheTOEandthesecurityobjectivesfortheoperationalenvironment.ASE_OBJ.2.2CThesecurityobjectivesrationaleshalltraceeachsecurityobjectivefortheTOEbacktothreatscounteredbythatsecurityobjectiveandOSPsenforcedbythatsecurityobjective.ASE_OBJ.2.3CThesecurityobjectivesrationaleshalltraceeachsecurityobjectivefortheoperationalenvironmentbacktothreatscounteredbythatsecurityobjective,OSPsenforcedbythatsecurityobjective,andassumptionsupheldbythatsecurityobjective.ASE_OBJ.2.4CThesecurityobjectivesrationaleshalldemonstratethatthesecurityobjectivescounterallthreats.ASE_OBJ.2.5CThesecurityobjectivesrationaleshalldemonstratethatthesecurityobjectivesenforceallOSPs.ASE_OBJ.2.6CThe security objectives rationale shall demonstrate that the security objectives for the operationalenvironmentupholdallassumptions.

6.2.16ASE_REQ.2Derivedsecurityrequirements

Developeractionelements:ASE_REQ.2.1DThedevelopershallprovideastatementofsecurityrequirements.


of 91

ASE_REQ.2.2DThedevelopershallprovideasecurityrequirementsrationale.Contentandpresentationelements:ASE_REQ.2.1CThestatementofsecurityrequirementsshalldescribetheSFRsandtheSARs.ASE_REQ.2.2CAllsubjects,objects,operations,securityattributes,externalentitiesandothertermsthatareusedintheSFRsandtheSARsshallbedefined.ASE_REQ.2.3CThestatementofsecurityrequirementsshallidentifyalloperationsonthesecurityrequirements.ASE_REQ.2.4CAlloperationsshallbeperformedcorrectly.ASE_REQ.2.5CEach dependency of the security requirements shall either be satisfied, or the security requirementsrationaleshalljustifythedependencynotbeingsatisfied.ASE_REQ.2.6CThesecurityrequirementsrationaleshalltraceeachSFRbacktothesecurityobjectivesfortheTOE.ASE_REQ.2.7CThesecurityrequirementsrationaleshalldemonstratethattheSFRsmeetallsecurityobjectivesfortheTOE.ASE_REQ.2.8CThesecurityrequirementsrationaleshallexplainwhytheSARswerechosen.ASE_REQ.2.9CThestatementofsecurityrequirementsshallbeinternallyconsistent.

6.2.17ASE_SPD.1Securityproblemdefinition

Developeractionelements:ASE_SPD.1.1DThedevelopershallprovideasecurityproblemdefinition.Contentandpresentationelements:ASE_SPD.1.1CThesecurityproblemdefinitionshalldescribethethreats.ASE_SPD.1.2CAllthreatsshallbedescribedintermsofathreatagent,anasset,andanadverseaction.


of 91

ASE_SPD.1.3CThesecurityproblemdefinitionshalldescribetheOSPs.ASE_SPD.1.4CThesecurityproblemdefinitionshalldescribetheassumptionsabouttheoperationalenvironmentoftheTOE.

6.2.18ASE_TSS.1TOEsummaryspecification

Developeractionelements:ASE_TSS.1.1DThedevelopershallprovideaTOEsummaryspecification.Contentandpresentationelements:ASE_TSS.1.1CTheTOEsummaryspecificationshalldescribehowtheTOEmeetseachSFR.

6.2.19ATE_COV.1Evidenceofcoverage

Developeractionelements:ATE_COV.1.1DThedevelopershallprovideevidenceofthetestcoverage.Contentandpresentationelements:ATE_COV.1.1CThe evidence of the test coverage shall show the correspondence between the tests in the testdocumentationandtheTSFIsinthefunctionalspecification.

6.2.20ATE_FUN.1Functionaltesting

Developeractionelements:ATE_FUN.1.1DThedevelopershalltesttheTSFanddocumenttheresults.ATE_FUN.1.2DThedevelopershallprovidetestdocumentation.Contentandpresentationelements:ATE_FUN.1.1CThetestdocumentationshallconsistoftestplans,expectedtestresultsandactualtestresults.


of 91

ATE_FUN.1.2CThetestplansshall identifytheteststobeperformedanddescribethescenariosforperformingeachtest.Thesescenariosshallincludeanyorderingdependenciesontheresultsofothertests.ATE_FUN.1.3CTheexpectedtestresultsshallshowtheanticipatedoutputsfromasuccessfulexecutionofthetests.ATE_FUN.1.4CTheactualtestresultsshallbeconsistentwiththeexpectedtestresults.

6.2.21ATE_IND.2Independenttesting-sample

Developeractionelements:ATE_IND.2.1DThedevelopershallprovidetheTOEfortesting.Contentandpresentationelements:ATE_IND.2.1CTheTOEshallbesuitablefortesting.ATE_IND.2.2CThedevelopershallprovideanequivalentsetofresourcestothosethatwereused inthedeveloper'sfunctionaltestingoftheTSF.

6.2.22AVA_VAN.2Vulnerabilityanalysis

Developeractionelements:AVA_VAN.2.1DThedevelopershallprovidetheTOEfortesting.Contentandpresentationelements:AVA_VAN.2.1CTheTOEshallbesuitablefortesting.6.3SecurityRequirementsRationale

6.3.1AssuranceRationale

EAL 2+ was chosen to provide a low to moderate level of assurance that is consistent with goodcommercialpractices.Assuch,minimaladditionaltasksareplaceduponthevendorassumingthevendorfollowsreasonablesoftwareengineeringpracticesandcanprovidesupporttotheevaluationfordesignand testing efforts. The chosen assurance level is appropriate with the threats defined for theenvironment.While theTOEmaymonitorahostileenvironment, it isexpectedtobe inanon-hostile


of 91

positionandprotectedbyotherproductsdesignedtoaddressthreatsthatcorrespondwiththeintendedenvironment.

HaltdoshaschosentoaugmentEAL2byaddingtheassurancecomponentALC_CMC.3andALC_CMS.3,toassurethatallthecomponentsoftheTOEareunderasecureandreliableprocessfortherefinementandmodification, this provides an assurance that the functionalworking of the components are notcompromisedduringdeployment/updating.

6.3.2DependenciesSatisfactionRationale

Table 6-8 shows the dependencies between the functional requirements including the extendedcomponentsdefinedinSection5.

SFRID SFRTitle DependenciesSecurityAudit

FAU_GEN.1 Auditdatageneration FPT_STM.1FAU_GEN.2 Useridentityassociation FAU_GEN.1

FIA_UID.1FAU_SAR.1 Auditreview FAU_GEN.1FAU_SAR.3 Selectableauditreview FAU_GEN.1FAU_STG.1 Protectedaudittrailstorage FAU_SAR.1

IdentificationandAuthenticationFIA_ATD.1 Userattributedefinition NoneFIA_SOS.1 VerificationofSecrets NoneFIA_UAU.5 Multipleauthenticationmechanism NoneFIA_UAU_EXT.2 Userauthenticationbeforeanyaction FIA_UID.1FIA_UID.2 Useridentificationbeforeanyaction None

SecurityManagementFMT_MTD.1 ManagementofTSFdata FMT_SMF.1

FMT_SMR.1FMT_SMF.1 Specificationofmanagementfunctions NoneFMT_SMR.1 Securityroles FIA_UID.1FMT_MSA.1 ManagementofSecurityAttributes FDP_IFC.1

FMT_SMF.1FMT_SMR.1

FMT_MSA.3 StaticAttributeInitialization FMT_MSA.1FMT_SMR.1

SecurityFPT_FLS.1 FailurewithPreservationofSecureState NoneFPT_STM.1 ReliableTimeStamps None

DistributedDenialofServiceDDoS_DEF_EXT.1 DDoSDefence NoneDDoS_NOT_EXT.1 SecurityNotifications DDoS_DEF_EXT.1

TrustedPath/ChannelsFTP_ITC.1 Inter-TSFtrustedChannel None


of 91

FTP_TRP.1 TrustedPath/Channel NoneUserDataProtection

FDP_IFC.1 SubsetInformationFlowControl FDP_IFF.1FDP_IFF.1 SimpleSecurityAttributes FDP_IFC.1

FMT_MSA.3FDP_ITC.1 ImportofUserDatawithoutSecurityAttributes FDP_IFC.1

FMT_MSA.3FDP_ITT.1 TransferofUserData FDP_IFC.1

CryptographicSupportFCS_COP.1a Cryptographicoperation FDP_ITC.1FCS_COP.1b Cryptographicoperation FDP_ITC.1FCS_COP.1c Cryptographicoperation FDP_ITC.1

TABLE6-8:TOEDEPENDENCIESSATISFIED 6.3.3FunctionalRequirementsvsObjectivesSatisfactionRationale

Table6-9traceseachSFRbacktothesecurityobjectivesfortheTOEdemonstratingthatALLSFRsmaptoALLsecurityobjectivesfortheTOE.

SFRID SFRTitle ObjectivesSecurityAudit

FAU_GEN.1 Auditdatageneration O.AUDITFAU_GEN.2 Useridentityassociation O.AUDITFAU_SAR.1 Auditreview O.AUDITFAU_SAR.3 Selectableauditreview O.AUDITFAU_STG.1 Protectedaudittrailstorage O.AUDIT

IdentificationandAuthenticationFIA_ATD.1 Userattributedefinition O.IDAUTHFIA_SOS.1 VerificationofSecrets O.IDAUTHFIA_UAU.5 Multipleauthenticationmechanism O.IDAUTHFIA_UAU_EXT.2 Userauthenticationbeforeanyaction O.IDAUTHFIA_UID.2 Useridentificationbeforeanyaction O.IDAUTH

SecurityManagementFMT_MTD.1 ManagementofTSFdata O.MANAGEFMT_SMF.1 Specificationofmanagementfunctions O.MANAGEFMT_SMR.1 Securityroles O.MANAGEFMT_MSA.1 ManagementofSecurityAttributes O.MANAGEFMT_MSA.3 StaticAttributeInitialization O.DDoSMITIGATE

SecurityFPT_FLS.1 FailurewithPreservationofSecureState O.FAILSAFEFPT_STM.1 ReliableTimeStamps O.AUDIT

DistributedDenialofServiceDDoS_DEF_EXT.1 DDoSDefence O.DDoSMITIGATEDDoS_NOT_EXT.1 SecurityNotifications O.DDoSALERT


of 91

TrustedPath/ChannelsFTP_ITC.1 Inter-TSFtrustedChannel O.PROCOM

O.IDAUTHFTP_TRP.1 TrustedPath/Channel O.PROCOM

O.MANAGEUserDataProtection

FDP_IFC.1 SubsetInformationFlowControl O.DDoSMITIGATEFDP_IFF.1 SimpleSecurityAttributes O.DDoSMITIGATEFDP_ITC.1 ImportofUserDatawithoutSecurityAttributes O.MANAGEFDP_ITT.1 TransferofUserData O.AUDIT

CryptographicSupportFCS_COP.1a Cryptographicoperation O.PROCOMFCS_COP.1b Cryptographicoperation O.PROCOMFCS_COP.1c Cryptographicoperation O.PROCOM

O.MANAGETABLE6-9:MAPPINGOFTOESFRSTOTOESECURITYOBJECTIVES

TheTable6-10providestherationaleforhoweachobjectiveissatisfiedbytheTOE.

ObjectiveID SFRID/Title Rationale

O.AUDIT

The TOE must provide a means torecord, store and review securityrelevanteventsinauditrecordstotracethe responsibility of all actionsregardingsecurity.

FAU_GEN.1Auditrecordsaregeneratedforsecurity-relevantevents.

FAU_GEN.2Theuser/sourceisassociatedwiththeauditeventsisrecorded.

FAU_SAR.1TheTOEprovidestheabilitytoreviewandmanagetheaudittrailofthesystem.

FAU_SAR.3

TheTOEiscapableofprovidingsearchingcapabilitiesoftheauditrecords.TheTOEiscapableofprovidingselectioncapabilitiesforauditingtoincludeorexcludeauditableeventsfromthesetofauditedevents.

FAU_STG.1TheTOEisabletoprotectauditrecordsstoredinternally.

FPT_STM.1

TheTOEprovidesthetimestamprequiredfortheauditrecord.TheTOEsupportsthesettingofthetimemanuallyorconfiguringanexternalNTPserver.

FDP_ITT.1

TheTOEvalidatesunauthorizedmodificationofuserdatasuchasGeoIP,TORIP,IPReputationfeedsandsoftwareupdateswhenitisdownloadedfromexternalenvironment.


of 91

O.DDoSALERT

TheTOEwillprovidethecapabilitytoalertadministratorswhenDDoSattacksaredetectedandothercustomizableevents,conditions,andsystemerrors.

DDoS_NOT_EXT.1

TheTOEiscapableofgeneratingnotificationsbased upon administratively defined set ofevents, conditions, or system errors. Thenotificationscanbesentviaemailor loggingmessage.

O.DDoSMITIGATE

TheTOEmustlimitresourceusagetoanacceptablelevel(stoplegitimate/illegitimateclientsfromoverusingresourcesandstopDDoSattacks).TheTOEmustbeabletoserveasaratebasedcontrollerandpolicebothmalicioususerswhoattempttofloodthenetworkwithDDoSattacks,andauthorizeduserswhomayoveruseresources.

DDoS_DEF_EXT.1

The TOE protects Internet Protocol (IP)networksagainstDDoSattacksbysuccessfullyidentifying and mitigating attacks viamechanisms such as filtering, Whitelists,Blacklists,TCPSYNratemonitoring,etc.

FDP_IFC.1

TheTOEprotectsthenetworkbyfilteringoutmalicious DDoS attack packets therebyensuringavailabilityofnetwork resources tolegitimateusers.

FDP_IFF.1

The TOE protects the network from filteringout known malicious IP addresses, andpackets thatmatch configuredpolicy on theTOE.

FMT_MSA.3

TheTOEallowslegitimateuserswithsufficientprivilegestoupdatesecuritypolicyontheTOEto adjust the type of traffic to be allowed /disallowedinandoutofthenetwork.

O.FAILSAFE

The failure of the TOE must notinterrupttheflowoftrafficthroughtheTOEbetweennetworks.

FPT_FLS.1

FPT_FLS.1ensuresthattheTOEpreservesasecurestatewhenthereisahardware,softwareorpowerfailure.

O.IDAUTH

The TOE must uniquely identify andauthenticatetheclaimedidentityofalladministrativeusers,beforegrantinganadministrative user access to TOEfunctions.

FIA_ATD.1UserattributesrequiredforidentificationandauthenticationarestoredbytheTOE.

FIA_UAU.5

Providesforlocalauthenticationandtheinvocationofanexternalauthenticationmechanism(onlyclaimingtheabilitytointerfacewithRADIUSservers).

FIA_UAU_EXT.2All authorized users are successfullyauthenticated before allowing anymanagementactionsonbehalfofthatuser.

FIA_UID.2All users are successfully identified beforeallowing any other TSF-mediated actions onbehalfofthatuser.

FIA_SOS.1Provides the enforced password policy fornativepasswordauthentication.


of 91

FTP_ITC.1

Provides trusted communications to theexternalauthenticationmechanismsthatcanoptionally be used to identify andauthenticatetherequestinguser.

O.MANAGE

The TOE will provide all the functionsand facilities necessary to support theadministratorsintheirmanagementofthe security of the TOE, and restrictthese functions and facilities fromunauthorizeduse.

FMT_MTD.1The TOE allows for the appropriatemanagement TSF data within each Securityfunction.

FMT_SMF.1Ensures that the TOE security Function datamayonlybemodifiedbyanauthorizeduser.

FMT_SMR.1

This objective is met by supporting multiplemanagement roles (ADMINISTRATOR,VISITOR, SECURITY ANALYST, NETWORKANALYSTandSYSTEMADMINISTRATOR).

FMT_MSA.1

The TOE provides a set of default securitypolicy which can be configured only byauthorizedusersof theTOEwithsufficientprivileges.

FTP_TRP.1Provides for the trusted path required forremotemanagementoftheTOE.

FDP_ITC.1

TheTOEperiodicallydownloadsupdates(GeoIP, TOR IP, IP Reputation feeds & softwareupdates)fromtrusteddeveloperrepositoryatupdate.haltdos.com. This periodic updateallows the TOE to be up to date with latestmalicious IPs and enables continuousprotectionagainstknownattacksources.

FCS_COP.1c

TheTOEvalidatesperiodicupdates(TORIP,IPReputation feeds & software updates) byvalidating its hash value to detectunauthorizedmodificationduringtransit.

O.PROCOM

The TOEwill provide a secure sessionfor communication between the TOEand the remote administrator’sbrowser trying to access thehdDeviceUIorremoteaccesstotheCLI.

FTP_ITC.1

TheTOErequirestheestablishmentofanSSL/TLSconnectionfromtheTOEusers’browserwhenconnectingtohdUIoverHTTPS.

FTP_TRP.1

TheTOErequirestheestablishmentofanSSHconnectioninordertoaccesstheTOEremotelytousetheCLI.

FCS_COP.1a

TheTOErequirestheestablishmentofanSSL/TLSconnectionfromtheTOEusers’browserwhenconnectingtohdUIover


of 91

HTTPS.HTTPSusesasymmetric&symmetricencryptionforcreatingSSLtunnel.

FCS_COP.1b

TheTOErequirestheestablishmentofanSSL/TLSconnectionfromtheTOEusers’browserwhenconnectingtohdUIoverHTTPS.HTTPSusesasymmetric&symmetricencryptionforcreatingSSLtunnel.

FCS_COP.1c

TheTOEvalidatesperiodicupdates(GeoIP,TORIPandIPReputationfeeds)byvalidatingitshashvaluetodetectunauthorizedmodificationduringtransit.

TABLE6-10:ALLTOEOBJECTIVESMETBYSECURITYFUNCTIONALREQUIREMENTS


of 91

7TOESummarySpecification

Section 7 describes the specific Security Functions of the TOE that meet the criteria of the securityfeaturesthataredescribedinSection1.4.9LogicalScopeoftheTOE.

ThefollowingsubsectionsdescribehowtheTOEmeetseachSFRlistedinSection6.

SecurityClass SFRs SecurityFunctionsSecurityaudit FAU_GEN.1

SA-1FAU_GEN.2FAU_SAR.1

SA-2FAU_SAR.3FAU_STG.1 SA-3

ProtectionofTSF

FPT_FLS.1 FPT-1FPT_STM.1 FPT-2

Identificationandauthentication

FIA_ATD.1 IA-1FIA_SOS.1

IA-2

FIA_UAU.5FIA_UAU_EXT.2

FIA_UID.2SecurityManagement

FMT_MTD.1SM-1FMT_MSA.3

FMT_MSA.1FMT_SMF.1 SM-2FMT_SMR.1 SM-3

TrustedCommunication FTP_ITC.1TC-1

FCS_COP.1aFCS_COP.1c

TC-2FDP_ITC.1FDP_ITT.1FCS_COP.1a TC-3FTP_TRP.1

TC-4FCS_COP.1aFCS_COP.1b

ResourceUtilization(DDoSProtection)

DDoS_DEF_EXT.1DDoS-1DDoS-2FDP_IFC.1

FDP_IFF.1 DDoS_NOT_EXT.1 DDoS-3

TABLE7-1:SECURITYFUNCTIONALREQUIREMENTSMAPPEDTOSECURITYFUNCTIONS


of 91

7.1SecurityAudit

7.1.1SA-1:AuditGeneration

TheTOE’saudit trailequates to theTOEaudit logsandsyslog (2different fileswithoverlap)which isstoredontheappliance.

AuditrecordsaregeneratedwithintheTOEbytheTSFfortheeventslistedinFAU_GEN.1.Auditrecordscontainatimestamp,theinformationoftheentitytriggeringtheevent(usernameorsystem),theevent(e.g. Configuration changes,CLI commandusage,Deploymentmode changes), anda summaryof theeventaswellastheadditionalinformationlistedinTable6-2andTablelistedinSectionTable6-3.

7.1.2SA-2:AuditReview

AnauthorizedSYSTEMADMINISTRATORusercanreadallthelogs(auditdata)generated.TheWebGUIADMINISTRATOR user can also view events on the event page with the ability to search on variousinformationisprovided.

FollowingisthelistoffiltersthatcanbeappliedontheWebGUI(hdDeviceUI)forviewingtheeventsontheeventspage(inWebGUIeventscannotbefilteredbasedonsub-systemsdefinedinsection6.1.1.1):

Information DescriptionUsername Theuserwhomadethechange,or“system”ifitisasystem-generatedchange.

CreatedAfter ThedateafterwhichthechangehashappenedCreatedbefore Thedatebeforewhichchangewasmade

Eventtype Typeoftheevent

Searchbox Allowsusertosearchondatafromanycolumnonthepageexceptthedate.

TABLE7-2:AUDITSEARCHFIELDSTheTOEdisplayssearchresultsinchronologicalorderwiththemostrecenteventdisplayedfirst.Auditlogsintheapplianceareavailablein/var/log/haltdos/folder.Thesub-systemsdefinedinsection6.1.1.1generate their respective logswith the assigned name and timestamp in the folder /var/log/haltdos.TheselogscanbeviewedandfilteredbyusingstandardUNIXcommandssuchasgrep/tail/less.

Sub-System CommandhdCLI less/var/log/haltdos/website.<yyyy-MM-dd>.log

hdDeviceUI less/var/log/haltdos/website.<yyyy-MM-dd>.loghdDetectionService less/var/log/haltdos/detection.<yyyy-MM-dd>.log

hdInspector less/var/log/haltdos/haltdos.log

TABLE7-3:SUB-SYSTEMLOGS 7.1.3SA-3:AuditProtection

TheTSFprotectsthestoredauditrecordsontheTOEfromunauthorizeddeletionandmodificationsviatheTSFIs.TheAuditdataresidesontheTOEPlatformandcanonlybeaccessedusingtheWebGUIorif


of 91

theuserisaSYSTEMADMINISTRATORontheTOEappliance.TheWebGUIdoesnotprovideanoptionforuserstodeleteormodifythechangeLog(akaauditlog)butallowsuserstosearchandviewlogsonly.TheTOEdoesautomaticallydeleteoldestauditdatalogfile(syslogandchangelog)whenthemaximumnumberofrotatedsyslogfilestoberetainedismet(i.e.maxlimitissetto5thenon6throllovertheoldestrotatedfileisdeleted.ThemaxlimitisconfigurableviaWebGUItoamaxlimitof6months.ItishighlyrecommendedthattheTOEbeconfiguredtouseanexternalftpservertocontinuallyoffloadtheauditfor long termstorage.TheTOEsupports themanualexportingof the syslog files via theCLI / serviceloggingremote<IPaddress>.

TheTOEalsosupportsthemanualexportingofthesyslogfilesviaremoteaccess.TheTOEdoesnotallowforthemodificationordeletionofanyoftheTOE’sauditdata(ChangeLogorsyslog)viatheCLIcommandsortheWebGUI.

7.2ProtectionofTSF

7.2.1FPT-1:Failurewithpreservationofsecurestate

SecureStateforthisproductisdefinedasthestatewhentheTOEPlatformprovidesuninterruptedaccessto resources on the Internal Network to intended users. The failure of the TOEmust not make theresourcesunavailable.

Theflowofnetworktrafficisnotinterferedwith,monitored,orfiltered,duringthebootcycleastheTOEisinbypassmode.TheTOEmustinitializesuccessfullyinorderfortheTOEtobeplacedoutofbypassmodeforoperationaluse.

TheappliancerunningtheTOEmustbebypasscapable.Ifpowerfailures,hardwarefailures,orsoftwareissuesaffecttheTOEduringoperationaluse,theTOEisplacedinbypassmodeandthenetworktrafficispassedthroughtheapplianceunaffectedthuspreventingresourcesbeingmadeunavailable.

Inthecaseofapowersupplyfailure,theredundantpowerarchitecture(ifconfigured)willtakeoverandmaintainsafeoperation. Incaseofcompletepowersupplyfailure,theTOEpassestrafficwithoutanymonitoringorfilteringinanuninterruptedmanner.

7.2.2FPT-2:ReliableTimeStamps

AnadministratorcansetorresettheclockinappliancerunningtheTOEbyremotelyaccessingitusingSSH.

AnadministratorcanoptionallyconfiguretheappliancerunningtheTOEtouseanNTPserverusingtheSSH.TheTOEcanprovideitsowntimestampthroughasystemcalltothesupportingoperatingsystemwhichispartoftheappliance.ItishighlyrecommendedthattheenterprisenetworkbeingprotectedhaveitstimesynchronizedwithaNTPserver.TheTOEsupportstheuseofanNTPservertoupdatethesystem’stimeclock.


of 91

7.3IdentificationandAuthentication

7.3.1IA-1:UserAttributes

TheTSFmaintainsthefollowingsecurityattributesforeachindividualTOEuserforusewithlocalpasswordauthenticationonly:

• Username• Password• Authority• Email

7.3.2IA-2:UserI&A

TheTSFrequireseachusertoself-identifybeforebeingallowedtoperformanyotheractions.TheTSFrequiresanadministrator tobe successfullyauthenticatedwithapasswordbeforebeingallowedanyothermanagementactions.AuthenticationishandledvialocalpasswordprotectionortheTOEinvokesan external authentication mechanism (RADIUS) for the authentication decision. The TOE tries eachmethodaccordingtothefollowingprecedenceorder:RADIUS(ifconfigured),LOCAL.Belowisatableofscenariostohelpinunderstandingtheauthenticationenforcementdescribedabove.

Thetopleftcornersetsthescenario.TheMethodStatusisindicatingwhetheranyexternalauthenticationmechanismsareAvailable(operationalandnetworkreachable)orareNOTavailable(notreachableonnetwork).Theprecedenceordersetshowstheorderinwhichauthenticationmethodmaybecalled.TheFinalOutcome/MethodrowshowsthefinaldecisiontheTOEwouldenforceandwhichauthenticationserverwasthefinaldecisionmaker.

MethodStatus:AvailablePrecedenceOrderSet:R,L Scenario1 Scenario2 Scenario3

1 RADIUS Success Stops Failure Next Failure Next2 LOCAL Success Stops Failure Stops

OverallOutcome/Method Success RADIUS Success LOCAL Failure LOCAL

MethodStatus:NOTAvailablePrecedenceOrderSet:R,L Scenario1 Scenario2

Scenario3

1 RADIUSNetworkError

NetworkError N/A

2 LOCAL Success Stops Failure Stops

OverallOutcome/Method Success LOCAL Failure LOCAL

TABLE7-4:AUTHENTICATIONSCENARIOEXAMPLES


of 91

TOEPasswordPolicyLocal passwords have a software enforced password policy. The password policy is within the usermanual.Therequirementsare:

• mustbeatleast8characterslong• mustbenomorethan72characterslong• canincludespecialcharacters,spaces,andquotationmarks• cannotbealldigits• mustconsistofatleastoneuppercaseandonelowercaseletter• Mustconsistofatleastonedigit• cannotbeonlylettersfollowedbyonlydigits(forexample,abcd123)• cannotbeonlydigitsfollowedbyonlyletters(forexample,123abcd)• cannot consist of alternating letter-digit combinations (for example, 1a3A4c1 or a2B4c1d)

Additionallyinformation:

WARNING:DefaultusernameandpasswordForaccessingtheCLIfortheveryfirsttime,onemustusethedefaultusernameandpassword.Thedefaultusernameishaltdos.ThedefaultpasswordisH@ltd0s#1.Itisimperativeforsecuritypurposesthatthispasswordbechangedafterthefirst-timeloggingintothesystem.

7.4SecurityManagement 7.4.1SM-1:ManagementofTSFData

TheallowedoperationsonTSFDataandtheadministrativerolesrequiredtoexecutethemaredefinedinTable6-5:ManagementofTSFData(SeeSection6.1.3.1FMT_MTD.1ManagementofTSFdata).

7.4.2SM-2:SpecificationofManagementFunctions

The TOE is capable of performing the security management functions as defined in Table 6-5:ManagementofTSFDataofSection6.1.3.1FMT_MTD.1ManagementofTSFdata.ThefunctionsdefinedforFMT_SMFareexactlythesameasthefunctionsdefinedintheFMT_MTDrequirement.

Allmanagementfunctionsandaccessrightsarelimitedbyrole-basedmanagementasdefinedinSection7.4.3SM-3:SecurityRolesbelow.

WhenaccessingthemanagementfunctionsviatheWebGUI:

Asuccessfullyauthenticatedusercannavigatemenusandpagesbyusingtypicalnavigationalcontrols.TheWebGUImenubarindicateswhichmenuisactiveorinactiveandonlyallowstheusertoaccessthosemenusbasedontheprivilegesinheritedfromtheuser’sassignedgroup.

The menu bar is divided into the following menus: Home, Events, Dashboard, Action, Alarms, WebAnalyticsandSettings(detailsofwhichweregivenintheintroductionsection).AnADMINISTRATORhas


of 91

accesstoallthewebmenus.AVISITORonlyhasaccesstotheAdministrationmenufunctionsthatallowtheusertochangehis/herownpasswordandemailaddress.Auserwithoutloggingwon’thaveaccesstoanyofthemenusandispushedbacktotheloginpage.ThefunctionsdefinedintheFMT_MTD.1Table6-5aredividedamongstthe7webmenus(predominantlyintheAdministration)andareeithersubmenus(providefurtherdivision)orpagesthatdisplaytheactualdatasuchaslistofusersorapageofaparticularuser’sattributes.

Additionally,therearesomeadministrativefunctionsthatcanonlybehandledbyusingCLIs.Typically,theCLIisusedforinstallingandupgradingthesoftwareandcompletingtheinitialconfiguration.However,thereareadditionaladvancedfunctionsthatcanonlybeconfiguredusingtheCLI.

7.4.3SM-3:SecurityRoles

TheTOEsupportsthefollowing4userauthorities(roles):

• ADMINISTRATOR:UsersinthisgrouphavefullreadandwriteaccessonallpagesoftheWebGUI.OnehavingADMINISTRATORrightscanaddotherusers.

• VISITOR:Usersinthisgrouphaveread-onlyaccesstomostoftheWebGUIpagesandcaneditandupdatetheirownuseraccountsettings.Usersinthisgroupcannotchangeanysettings.

• NETWORKANALYST:UsersinthisgrouphavereadandwriteaccesstoallthenetworksettingsoftheTOE.TheyhavereadandwriteaccesstoAlarmsettings,Dashboards,andWebsiteanalytics.

• SECURITYANALYST:UsersinthisgrouphavereadandwriteaccesstoallthesecuritysettingsoftheTOE.TheyhavereadandwriteaccesstoAlarmsettings,DashboardsandActionsettings.

• SYSTEMADMINISTRATOR: this is a Linux root user for appliance running the TOE. This user cannot login to the hdDeviceUI since the user is not registered with hdDeviceUI in the database.

The TOE runs on LinuxOS platform and therefore also supports LinuxOS users. LinuxOS userswithadministrative privileges have access to run CLI commands to manage and configure the TOE. ThisdocumentrefersadministrativeLinuxOSusersasSYSTEMADMINISTRATOR

See Section 6.1.3.1 FMT_MTD.1 Management of TSF data table for details on the specific functionavailabletoeachrole.


of 91

7.5TrustedCommunications

7.5.1TC-1:TrustedChannelforAuthentication

CommunicationbetweentheTOEandRADIUSServerrequirethattheentiredatapayloadofthepacketisencrypted, leavingonly thestandardRADIUSheader inclear textandencrypts theuser’spasswordbetweentheTOEandRADIUSServer.

7.5.2TC-2:TrustedChannelforIPReputation,TorIP&SoftwareUpdates

DuringanIPReputationandTorIPUpdates,HaltDosWebServiceusesHTTPS(Port443)todownloadthelatest IPReputationandTor IP lists threat feedbycommunicationwithHaltDosUpdateRepositoryatupdates.haltdos.com.Thehashofeachdownloadedfileisvalidatedtoensurethatthefileshavenotbeenmodifiedduringtransit.Bydefault,thisupdaterunautomaticallyevery24hours.

7.5.3TC-3:TrustedPathforCLIAccess

TheTOEalsorequirestheestablishmentofanSSHconnectioninordertoaccesstheTOEremotelytouse theCLI. The remoteplatformconnects to theTOEusing the standard SSH-2protocol throughOpenSSHversion7.2whichprovidesconfidentialityandintegrityofdataoveraninsecurenetwork.Theremoteuser’shostplatformmustthereforebeonanetworkwhereitcanaccessTCPPort22,oracustomconfiguredportsuchas8022.ThecryptociphersuitessupportedbyOpenSSHaredefaultcryptosuitesintheOpenSSHutilityandcanbecustomizedasnecessary.

7.5.4TC-4:TrustedPathforhdDeviceUI

The TOE also requires the establishment of a HTTPS connection in order to access the TOE frommanagementinterfaceonawebbrowser.hdDeviceUIrunsontheTomcatserverwhichlistensonTCPport8443.Communicationbetweentheuser (browser)andtheTOEhappensoverencryptedpathoverSSLprotocol.

7.6ResourceUtilization(DDoSProtection)

7.6.1DDoS-1:DDoSDetect

BOTNETattacksADDoSbotnet isa largesetofcompromisedcomputersthatarecontrolledremotelybyaserver.ThecontrollingserverisknownasaCnC(command-and-control)server.Usually,thecomputersinabotnet,whichareknownasbots,becomecompromisedwithouttheirusers’knowledge.Thebotsareinfectedwithmalware thatenables themtogenerateahigh-volumetrafficattack that targetsavictimserver.VictimserverscanincludeWeb,DNS,andSMTPservers.The bots can use a variety of protocols, including HTTP, IRC, and other proprietary protocols, tocommunicatewiththeCnCserverandotherbots.Forexample,abotcansendinformationaboutitself,receiveattackcommandsfromtheCnCserver,orshare"hello"messagesbetweenitselfandotherbots.


of 91

Dependingonthebotnetfamily,themessagesthemselvescanbeinplaintextorencoded.Thebotnetfamilyalsodeterminesthetypeofattacksthataresupported.Theseattackscanincludeoneormoreofthefollowingtypesoffloods:HTTP,UDP,TCP,andICMP.WhenthebotsreceivecommandsfromtheCnCserver,suchastheattackmethodandtargetIPaddresses,theycollectivelyengageinDDoSattacksagainstthespecifiedtargets.Somebotnetsareavailableforhire,wherebyanindividualcanpurchasetheservicesofabotnetforaspecific period. The service allows the individual to chooseoneormore target servers for the entirebotnettoattack.Avoluntarybotnetisoneinwhichusersallowtheircomputerstobecomepartofthebotnetwiththeintentionofattackingavictimserver.Whenacomputerbecomesamemberof thebotnet, itacceptscommandsfromtheCnCserver;forexample,theattackmethodandtargetIPaddress.Thebotjoinstherestofthebotnettofloodthevictimserverwithtraffic.Some of the tools that attackers use contains a featurewhereby users can allow their computers tobecomepartofabotnet.Topreventbotnetattacks,theTOEperformsthefollowingtests:

• BasicBotnetPreventionfiltering:Whenenabled,theTOEchecksthepacketheadersforincompletefields,knownasmalformedpackets.IncaseofHTTPtraffic,theHTTPheaderscanalsobeincomplete.TheTOEblockspacketsthat are malformed (not conforming to RFC) packets. For certain types of malformed orincompletepackets,theTOEtemporarilyblocksthesourcehostiftheconfiguredthresholdsarebreached.

• BotnetSignaturesfiltering

Whenenabled,theTOEusestheIPreputationandTORIPFeedtodetectDDoSbotnetattacks,voluntarybotnetattacksandattacksfrommalicious IPaddresses. It isessentialtokeeptheIPreputationandTORIPfeedsupdatedinordertomitigateanddetectemergingDDoSattacks.TheTOEalsoimplementfeatureoftrafficshaping.TheTOEanalysesallthetrafficassignthemsuspicion score based on their various fields like source port, destination port and other andbasedonthesuspicionscorerelevantactionsaretaken.

• PreventSlowRequestAttacksfilteringDuring a slowHTTP attack, the attackermakes several connections and, on each connection,sendsapartialrequestfordatatothevictimserver.Inresponse,theserverallocatesresourcessuchasmemorytoeachconnectionandwaitsforsubsequentrequeststoarrive.Theattackersendsaverysmallportionoftherequestataratealmostequalto,but lessthan,theserver’stimeoutsetting.Therefore,theserverstaysbusyprocessingthesmallrequestsbutittakesalongtimetotimeout.Eventually,theserverstartstodenylegitimateconnectionrequestsfromotherclients.


of 91

Forexample,iftheserver’stimeoutperiodis300seconds,theattackersends5bytesofa500byterequestevery299seconds(justbeforetheservertimesout).Theattackoccupiestheserver'sresourcesonthatconnectionfor29,900seconds(299*500/5).Whenenabled,theTOEchecksforHTTPrequeststhatcontainlessthanconfigurableTCPpayloadfields(inbytes).TheTOEblocksthoserequeststhatbreachthislimitandtemporarilyblocksthesourcehostofanyrequeststhatmatchthesecriteriabecausetheyarelikelytobepartofaslowHTTPattack.The Prevention of Slow Request Attacks is enhanced when it works in conjunction with theaggressiveagingsettingswhichtracksestablishedTCPconnectionsandblocksthetrafficwhenaconnectionremainsidlefortoolong.TrafficisalsoblockedwhenthebitrateforasinglerequestdropsbelowaconfiguredminimumwithminimumTCPpayloadsetting.

• GenericBandwidthFloodAttacks

HTTP flood is a continuous submission of the same HTTP request or a set of HTTP requestmessagestoavictimWebserver’sresources.Typically,theattackersendstherequestsatahighrateandforcestheWebservertorespondtoeachrequest.Asaresult,theWebserverremainsbusyanddeniesservicetolegitimaterequests.

Floodscanoriginatefrommalwareorfromanattacktoolthatusesunderlyingoperatingsystemfacilities toconnect to thevictim,createHTTPrequests,andperformtheattack.Someattackmethodscanprovideflexibilityincreatingatrafficpattern(forexample,randomizedpayloads),whileotherscanprovidebetterperformanceintermsofspeed.Themethodthattheattackerusestoconstructtherequestsdeterminesthenatureoftheattack,whichinturnaffectshowtheDDoStrafficismitigated.

Manyoftheprotectionsettingshelptopreventthistypeofattack.Examplesofthesesettingsareasfollows:• TheICMPFloodDetectionsettingsdetectICMP(ping)floodattacks.• TheRate-basedBlockingsettingsprotectagainstfloodsbyenforcingtrafficthresholds.• The Connection Proxy settings and the TCP SYN Flood Detection settings detect certain

connectionfloodattacks.

7.6.2DDoS-2AdditionalFilterControl

The TOE monitors the network traffic and mitigates attacks by using the configurational settingsconfiguredbyuseranddetectionprofiles.Detection profile helps user to configure different sensitivity levels for different protocols and theirrespectivetriggershelpingtheTOEtoidentifyvariousfloodattacks.The TOE canbeput into 3differentmodes In-line active(with filtering), In-linebypass(In-linewithoutfiltering)andoff-line.TheIn-lineactivemodeisastatewithinthein-linedeploymentmode,inwhichTheTOEmonitorstraffic,detectsandmitigatesDDoSattacks.TheIn-linebypassmodeisastatewithinthein-linedeploymentmode,inwhichtheTOEmonitorstrafficanddetectsDDoSattackbutdoesnotmitigate


of 91

(filter) them. The off-line mode is a deployment mode, in which the TOE analyses traffic withoutforwardingitandonlydetectsDDoSattacks.Keypointsforthetrafficfiltering:

a) TheTOEsupportALLprotocolonEthernet-theyeithergetforwardedordropped.b) ProductinspectsforDDoSinthefollowing:TCP,UDP,ICMPandDNS.c) PacketsinspectedmustbeIPv4.d) ARParealwaysforwarded.e) Allothertrafficcanbedroppedorforwardedbasedonconfiguration.f) ThereisnofilteringfromtheLANtotheWANnetworktraffic.

Thefollowingtabledescribesthefiltertypes,settings,andDDoSclassificationthatthefiltersupports.SettingsList Setting:Description

BlacklistCountries

Countrybox:TypethenameorselectoneormultipleCountrieswhoseIPistobeblacklist.IntheBlacklistedCountriesselectionlist,thecountriesarelistedalphabetically.

Blacklist IntheBlacklistedPrefixbox,anadministratorcantypeaIPprefixormultiplesourceIPprefixes.AllthetrafficwiththissourceIPorDestinationIPwillbedropped.AllowedPrefixesare8–32Ex.-192.168.1.0/24

Whitelist IntheWhitelistHostsbox,anadministratorcantypeanIPprefixormultiplesourceIPprefixes.AllthetrafficwiththissourceIPorDestinationIPwillbebypassesdirectlytoserverwithoutpassingthroughrestofthemitigationsevenifitwasblacklisted.AllowedPrefixare24–32Ex.-192.168.1.3/25

OnlineIPReputationFeed

NOACTION:-DisableCheckingforMaliciousIPs.ADDSUSPICION:-AddSuspiciontotrafficwhosesourceIPispresentintheIPReputationfeed.DROP:-DropthetrafficwhosesourceIPispresentintheIPReputationfeed.

BlacklistTorsIP EnabledandDisabledbuttons:Clickoneofthesebuttonstoenableordisablethiscategory.IfEnabledallthetrafficwhosesourceIPispresentinthetorIPfeedwillbedropped.

MinimumTCPPayloadLength

PayloadLengthbox:TypetheminimumTCPpayloadlengthtobeallowed.Todisablethissetting,putvalueas0.ConsecutiveThresholdbox:-IftheMinimumpayloadlengthisbreachedconsecutivetimesforthespecifiedthresholdthenthesourcewillbetemporarilysuspended.

MinimumHTTPincompleteheaderlength

Minimumincompleteheaderlengthbox:SettheminimumincompletehttpheaderlengthoftheincomingTCPPacket,belowwhichtheconnectionwillbedropped.Todisablethissetting,enterthevalue0.


of 91

NXdomainpersource

Thresholdbox:SetthemaximumnumberofNXDomainDNSqueriespersourceIPtobeallowed.Todisablethissetting,putvalueas0.Durationbox:-Iftheabovethresholdisbreachedforasourcewithinthespecifieddurationthenthesourcewillbetemporarilysuspended

DNSQueryLockDown

EnabledandDisabledbuttons:Clickoneofthesebuttonstoenableordisablethiscategory.IfEnabledonlyvalidquerieswillbeallowedandrestwillbedropped.

Maxconcurrentconnections

Valuebox:SetsthemaximumconcurrentTCPconnections,protectedapplicationserverscanhandle.

Concurrentconnectionspersource

Valuebox:LimitsthemaximumnumberofsimultaneousTCPconnectionsanysourceIPcanestablishwithprotectedapplicationserverswhennotunderattack.Set0todisablemitigation.

Concurrentconnectionspersource(underattack)

Valuebox:LimitsthemaximumnumberofsimultaneousTCPconnectionsanysourceIPcanestablishwithprotectedapplicationserverswhenunderattack.Set0todisablemitigation.

AggressiveAging EnabledandDisabledbuttons:Clickoneofthesebuttonstoenableordisablethiscategory.IfEnabledstaleconnectionsolderthanConnectionExpiryDurationwillbeterminated.

Connectionexpiryduration

Valuebox:TimeafterwhichtheTCPconnectionwillbeconsideredstaleandwillbescheduledfordeletion.DisableAggressiveAgingtodisablethismitigation.

Connectionproxy

EnabledandDisabledbuttons:Clickoneofthesebuttonstoenableordisablethiscategory.IfEnabledprovidesprotectionagainstTCPFloodattackssuchasTCPSYNFlood,etc.

Connectionproxytriggerthreshold

Valuebox:IfConnectionProxyisenabled,specifythenumberofactiveconnectionsafterwhichtheproxywillbeenabledforallsubsequentconnectionrequests.DisableConnectionProxytodisablethismitigationorsetitsvalueas0.

HTTPrequestspersource

Valuebox:SetthenumberofHTTPrequestspersecondpersourcetobeallowed.Ifanysourceexceedsthisthreshold,thenthatsourceistemporarilysuspended.Set0todisablemitigation.

Progressivechallengethreshold

Valuebox:SetthenumberofHTTPrequestspersecondpersourcetobeallowedbeforetheprogressivechallengeissent.Ifthechallengeisnotsuccessfulthensourceissuspended.Set0todisablemitigation.

HTTPfloodprotection

EnabledandDisabledbuttons:Clickoneofthesebuttonstoenableordisablethiscategory.IfEnableditturnsonprotectionagainstHTTPFloods.

HTTPrequestlimitbyURL

ValueBox:EnterthenumberofHTTPrequestsperparticularURLtobeallowedpersecond.AHTTPrequestisanytypeofrequestsuchasGET,POST,HEAD,orOPTIONS.Todisablethissetting,disableHTTPFloodProtection

DefaultHTTPrequestspersecond

Method:SelectamethodoutofGET,POST,PUT,DELETE,orHEADforwhichyouwanttoenableHTTPFloodProtectionHost:EntertheHTTPHostforwhichyouwanttoenableHTTPFloodProtection


of 91

URL:EnterthespecificURLtoenabletheHTTPFloodProtectionforit

Threshold:EnterthethresholdwhichifbreachedbyasourceforthespecifiedURL,HostandMethodwillbetemporarilysuspended.

TrafficShapingOverallLimits

MaximumInboundbpsbox(inmbps):Typethemaximumamountofinboundtraffic(inmbps)toallowMaximumOutboundbpsbox(inmbps):Typethemaximumamountofoutboundtraffic(inmbps)toallow

TrafficShapingTCPLimits

MaximumTCPInboundbpsbox(inmbps):TypethemaximumamountofinboundTCPtraffic(inmbps)toallowSet0todisablethismitigationMaximumTCPOutboundbpsbox(inmbps):TypethemaximumamountofoutboundTCPtraffic(inmbps)toallowSet0todisablethismitigation

TrafficShapingUDPLimits

MaximumUDPInboundbpsbox(inmbps):TypethemaximumamountofinboundUDPtraffic(inmbps)toallowSet0todisablethismitigationMaximumUDPOutboundbpsbox(inmbps):TypethemaximumamountofoutboundUDPtraffic(inmbps)toallowSet0todisablethismitigation

TrafficShapingICMPLimits

MaximumICMPInboundbpsbox(inmbps):TypethemaximumamountofinboundICMPtraffic(inmbps)toallowSet0todisablethismitigationMaximumICMPOutboundbpsbox(inmbps):TypethemaximumamountofoutboundICMPtraffic(inmbps)toallowSet0todisablethismitigation

TrafficShapingDNSLimits

MaximumDNSInboundbpsbox(inmbps):TypethemaximumamountofinboundDNStraffic(inmbps)toallowSet0todisablethismitigationMaximumDNSOutboundbpsbox(inmbps):TypethemaximumamountofoutboundDNStraffic(inmbps)toallowSet0todisablethismitigation

TABLE7-5:AVAILABLEPROTECTIONSETTINGSFOREACHSTANDARDSERVERTYPE

7.6.3DDoS-3Notification

WhentheTOEdetectsevents,attacks,changeinconfiguration,addingauseroreditingauseraccess,triggerofalarmsinthesystem,itcreatesalertstoinformtheuser.TheTOEcanbeconfiguredtosendnotificationmessagestospecificdestinationstocommunicatecertainalerts.Thealerttypespecifiestheeventcategorythatcantriggeraspecificnotification.Anadministratorcanassociateeachnotificationdestinationwithoneormoreofthesealerttypes.


of 91

AlertType Causes

SystemHardwareorsystemcomponenteventsandothereventsthataffectthesystem’shealth.Forexample,changeinconfiguration,addinganewuser,generationofreport,editingauseraccess

Attack AlertsaregeneratediftheTOEdetectsanyattack

Alarm Alertsaregeneratedifusercreatedalarmsaretriggered

TABLE7-6:ALERTTYPESTheTOEsupportsfollowingtypesofnotifications:

• Email:TheTOEsendsemailnotificationstotheuserswiththeauthorizedaccessdecidedbytheadministrator.Thenotificationsappeartocomefromthesenderaddressthatisspecified.

• NotificationAlerts:UseralsogetanotificationalertinitsprofilepageinWEBGUITheTOEalsovisuallydisplaysthealerteventon2differentlocationsintheWebGUI.ThefirstvisualalertisontheEventspage.TheEventspagedisplaysalltheeventsallowingusertofilteramongthoseeventsaccordingtoitsneed.


of 91

8GlossaryofTerms

aAAA (Authentication, Authorization, & Accounting) — An acronym that describes the process ofauthorizingaccesstoasystem,authenticatingtheidentityofusers,andloggingtheirbehaviours.activemode— A state within the in-line deploymentmode, in which the TOEmitigates attacks inadditiontomonitoringtrafficanddetectingattacks.address—Acodedrepresentationthatuniquelyidentifiesaparticularnetworkidentity.alert—Amessage informing theuser that certainevents, conditions, or errors in the systemhaveoccurred.anomaly—Aneventorconditioninthenetworkthatisidentifiedasanabnormalitywhencomparedtoapredefinedillegaltrafficpattern.API (Application Programming Interface) — A well-defined set of function calls providing high-levelcontrolsforunderlyingservices.ASCII (American Standard Code for Information Interchange)—A coded representation for standardalphabetic,numeric,andpunctuationcharacters,alsoreferredtoas“plaintext”.authentication—Anidentityverificationprocess.

bblacklist—Alistofhostsanddestinationsblock—Topreventtrafficfrompassingtothenetwork,ortopreventahostfromsendingtraffic.bot—AprogramthatrunsrunautomatedtasksovertheInternet.botnet—Asetofcompromisedcomputers(bots)thatrespondtoacontrollingservertogenerateattacktrafficagainstavictimserver.bps—Bitspersecond.bypassmode—AstateinwhichtheTOEjustdetectsandanalysethetrafficandnotmitigateit.

cCA(CertificateAuthority)—Athirdpartythatissuesdigitalcertificatesforusebyotherparties.CAsarecharacteristicofmanypublickeyinfrastructure(PKI)schemes.CDN(ContentDeliveryNetwork)—AcollectionofWebserversthatcontainduplicatedcontentandaredistributedacrossmultiplelocationstodelivercontenttousersbasedonproximity.CIDR(ClasslessInter-DomainRouting)—MethodforclassifyingandgroupingInternetaddresses.CLI(commandlineinterface)—Auserinterfacethatusesacommandline,suchasaterminalorconsole(asopposedtoagraphicaluserinterface).client—Thecomponentofclient/servercomputingthatusesaserviceofferedbyaserver.cloud—AmetaphorfortheInternet.CSV(comma-separatedvalues)file—Afilethatstoresspreadsheetordatabaseinformationinplaintext,withonerecordoneachline,andeachfieldwithintherecordseparatedbyacomma.customeredge—Thelocationatthecustomerpremisesoftherouterthatconnectstotheprovideredgeofoneormoreserviceprovidernetworks.customeredgerouter—Arouterwithinacustomer'snetworkthatisconnectedtoanISP'scustomerpeeringedge.


of 91

dDarkIP—RegionsoftheIPaddressspacethatarereservedorknowntobeunused.data center — A centralized facility that houses computer systems and associatedcomponents,suchastelecommunicationsandstoragesystems,andisusedforprocessingortransmittingdata.DDoS(DistributedDenialofService)—Aninterruptionofnetworkavailabilitytypicallycausedbymany,distributedmalicioussources.Deploymentmode—IndicateshowtheTOEisinstalledinthenetwork:in-lineoroff-linethroughaspanportornetworktap(monitor).DNS(DomainNameSystem)—AsystemthattranslatesnumericIPaddressesintomeaningful,humanconsumablenamesandvice-versa.DNSserver—AserverthatusestheDomainNameSystem(DNS)totranslateorresolvehuman-readabledomainnamesandhostnamesintothemachine-readableIPaddresses.DoS(DenialofService)—Aninterruptionofnetworkavailabilitytypicallycausedbymalicioussources.eedge—Theouterperimeterofanetwork.encryption—Theprocessbywhichplaintextisscrambledinsuchawayastohideitscontent.Ethernet—Aseriesoftechnologiesusedforcommunicationonlocalareanetworks.exploit— Tools intended to take advantage of security holes or inherent flaws in the design of networkapplications,devices,orinfrastructures.

ffailover—Aconfigurationoftwodevicessothatifonedevicefails,theseconddevicetakesoverthedutiesofthefirst,ensuringcontinuedservice.FCAP—Afingerprintexpressionlanguagethatdescribesandmatchestrafficinformation.FibreChannel—Gigabit-speednetworktechnologyprimarilyusedforstoragenetworking.fingerprint—Apatternorprofileoftrafficthatsuggestsorrepresentsanattack.Alsoknownasasignature.firewall— A securitymeasures thatmonitors and controls the types of packets allowed in and out of anetwork,basedonasetofconfiguredrulesandfilters.FQDN(FullyQualifiedDomainName)—Acompletedomainname,includingboththeregistereddomainnameandanyprecedingnodeinformation.FTP(FileTransferProtocol)—ATCP/IPprotocolfortransferringfilesacrossanetwork.gGb—Gigabit.GB—Gigabyte.Gbps—Gigabitspersecond.globalprotectionlevel—Determineswhichprotectionsettingsareinusefortheentiresystem.GMT(GreenwichMeanTime)—AworldtimestandardthatisdeprecatedandreplacedbyUTC.GRE(GenericRoutingEncapsulation)—Aprotocolthatisusedtotransportpacketsfromonenetworkthroughanothernetwork.


of 91

GREtunnel — A logical interface whose endpoints are the tunnel source address and tunnel destinationaddress.

hhandshake — The process or action that establishes communication between two telecommunicationsdevices.header—Thedata thatappearsat thebeginningofapacket toprovide informationabout the fileor thetransmission.heartbeat—Aperiodicsignalgeneratedbyhardwareorsoftwaretoindicatethatitisstillrunning.host—Anetworkedcomputer(clientorserver);incontrasttoarouterorswitch.HTTP(HyperTextTransferProtocol)—AprotocolusedtotransferorconveyinformationontheWorldWideWeb.ItsoriginalpurposewastoprovideawaytopublishandretrieveHTMLpages.HTTPS (HyperText Transfer Protocol over SSL)— The combination of a normal HTTP interaction over anencryptedSecureSocketsLayer(SSL)orTransportLayerSecurity(TLS)transportmechanism.

iICMP(InternetControlMessageProtocol)—AnIPprotocolthatdeliverserrorandcontrolmessagesbetweenTCP/IPenablednetworkdevices,forexample,pingpackets.IMAP(InternetMessageAccessProtocol)—AnapplicationlayerInternetprotocolthatallowsalocalclienttoaccessemailonaremoteserver.(AlsoknownasInternetMailAccessProtocol,InteractiveMailAccessProtocol,andInterimMailAccessProtocol.)interface—Aninterconnectionbetweenrouters,switches,orhosts.IP(InternetProtocol)—AconnectionlessnetworklayerprotocolusedforpacketdeliverybetweenhostsanddevicesonaTCP/IPnetwork.IPaddress—AuniqueidentifierforahostordeviceonaTCP/IPnetwork.IPS (Intrusion Prevention System)— A computer security device that exercises access control to protectcomputersfromexploitation.ISP(InternetServiceProvider)—AbusinessororganizationthatprovidestoconsumersaccesstotheInternetandrelatedservices.

lLAN(LocalAreaNetwork)—Atypicallysmallnetworkthatisconfinedtoasmallgeographicspace.

kKbps—Kilobitspersecond.

mmalformed—ReferstorequestsorpacketsthatdonotconformtotheRFCstandardsforInternetprotocol.SuchrequestsorpacketsareoftenusedinDDoSattacks.Mbps—Megabitspersecond.MBps—Megabytespersecond.


of 91

MIB (Management Information Base)— A database used by the SNMP protocol to manage devices in anetwork.mitigation—Theprocessofusingrecommendationstoapplypoliciestothenetworktoreducetheeffectsofanattack.monitormode—AdeploymentmodeinwhichtheTOEisdeployedout-of-linethroughaspanportornetworktap.theTOEmonitorstrafficanddetectsattacksbutdoesnotmitigatetheattacks.MSSP(ManagedSecurityServiceProvider)—AnInternetserviceprovider(ISP)thatprovidesanorganizationwithnetworksecuritymanagement,multicast—ProtocolsthataddressmultipleIPaddresseswithasinglepacket(asopposedtounicastandbroadcastprotocols).

nnetmask—Adottedquadnotationnumberthatroutersusetodeterminewhichpartoftheaddressisthenetworkaddressandwhichpartisthehostaddress.networktap—Ahardwaredevicethatsendsacopyofnetworktraffictoanotherattacheddeviceforpassivemonitoring.NIC (Network Interface Card)—A hardware component thatmaintains a network interface connection.notification—Anemailmessage, SNMP trap,or syslogmessage that is sent to specifieddestinations tocommunicatecertainalerts.NXDomain—AresponsethatresultswhenDNSisunabletoresolveadomainname.NTP (Network Time Protocol)— A protocol that synchronizes clock times in a network ofcomputers.

ooff-linemode—Astatewithinthein-linedeploymentmode,inwhichtheTOEanalysestrafficanddetectsattackswithoutperformingmitigations. In-linemode—Adeploymentmode inwhichtheTOEactsasaphysicalconnectionbetweentwoendpoints.AllofthetrafficthattraversesthenetworkflowsthroughtheTOE.out-of-band—Communicationsignalsthatoccuroutsideofthechannelsthatarenormallyusedfordata.

ppacket—Aunitofdatatransmittedacrossthenetworkthatincludescontrolinformationalongwithactualcontent.password—Asecretcodeusedtogainaccesstoacomputersystem.payload—ThedatainapacketthatfollowstheTCPandUDPheaderdata.PCAP(packetcapture)file—Afilethatconsistsofdatapacketsthathavebeensentoveranetwork.pps—Packetspersecond.ping—AnICMPrequesttodetermineifahostisresponsive.policy—Thesetofrulesthatnetworkoperatorsdeterminetobeacceptableorunacceptablefortheirnetwork.POP(PostOfficeProtocol)—ATCP/IPemailprotocolforretrievingmessagesfromaremoteserver.PoP(PointofPresence)—Aphysicalconnectionbetweentelecommunicationsnetworks.port—A field inTCPandUDPpacketheaders thatcorresponds toanapplication level service (forexampleTCPport80correspondstoHTTP).prefix—Theinitialpartofanetworkaddress,whichisusedinaddressdelegationandrouting.protectioncategory—Agroupofrelatedprotectionsettingsthatdetectaspecifictypeofattacktraffic.


of 91

protectiongroup—Acollectionofoneormoreprotectedhoststhatareassociatedwithaspecifictypeofserver.protectionlevel—Definesthestrengthofprotectionagainstanetworkattackandtheassociatedintrusivenessandriskofblockinglegitimatetraffic.Theprotectionlevelcanbesetgloballyorforspecificprotectiongroups.protectionmode—Astatewithinthein-linedeploymentmode,inwhichthemitigationsareeitherin-liveactiveoroff-line.protocol—Awell-definedlanguageusedbynetworkingentitiestocommunicatewithoneanother.

rradius—RemoteAuthenticationDial-InUserServiceisaclient/serverprotocolandsoftwarethatenablesremoteaccessserverstocommunicatewithacentralservertoauthenticatedial-inusersandauthorizetheiraccesstotherequestedsystemorservice.ratelimit—Thenumberofrequests,packets,bits,orothermeasurementofdatathatahostisallowedtosendwithinaspecifiedamountoftime.RDN(RegisteredDomainName)—Adomainnameasregistered,withoutanyprecedingnodeinformationrealtime—Whensystemsrespondordataissuppliedaseventshappen.redundancy—Theduplicationofdevices, services,orconnectionsso that, in theeventofa failure, theduplicate item can perform thework of the item that failed. refinement— The process of continuallygatheringinformationaboutanomalousactivitythatisobservedonanetwork.regularexpression—Astandardsetofrulesformatchingaspecifiedpatternintext.Oftenabbreviatedasregexorregexp.report—Aninformationalpagethatpresentsdataaboutatraffictypeorevent.route—Apaththatapackettakesthroughanetwork.router—Adevicethatconnectsonenetworktoanother.Packetsareforwardedfromoneroutertoanotheruntiltheyreachtheirultimatedestination.ssecretkey—Asecretthatissharedonlybetweenasenderandreceiverofdata.servertype—AclassofserversthattheTOEprotectsandthatisassociatedwithoneormoreprotectiongroups.SIP(StandardInitiationProtocol)—AnIPnetworkprotocolthatisusedforVoIP(VoiceOverIP)telephony.signature—Apatternorprofileoftrafficthatsuggestsorrepresentsanattack.Alsoknownasafingerprint.SMTP(SimpleMailTransferProtocol)—ThedefactostandardprotocolforemailtransmissionsacrosstheInternet.SNMP (Simple NetworkManagement Protocol)— A standard protocol that allows routers and othernetworkdevicestoexportinformationabouttheirroutingtablesandotherstateinformation.spanport—Adesignatedportonanetworkswitchontowhichtrafficfromotherportsismirrored.spoofing—Asituationinwhichonepersonorprogramsuccessfullymasqueradesasanotherbyfalsifyingdata(usuallyanIPaddress)andtherebygainsanillegitimateadvantage.SSH(SecureShell)—Acommandlineinterfaceandprotocolforsecurelyaccessingaremotecomputer.SSHisalsoknownasSecureSocketShell.SSL(SecureSocketsLayer)—AprotocolforsecurecommunicationsontheInternetforsuchthingsasWebbrowsing,email,instantmessaging,andotherdatatransfers.SSLcertificate—AfilethatisinstalledonasecureWebservertoidentifyaWebsiteandverifythattheWebsiteissecureandreliable.syslog—Afilethatrecordscertaineventsoralloftheeventsthatoccurinaparticularsystem.Also,aserviceforloggingdata.


of 91

ttarget—Avictimhostornetworkofamaliciousdenialofservice(DoS)attack.TCP(TransmissionControlProtocol)—Aconnection-based,transportprotocolthatprovidesreliabledeliveryofpacketsacrosstheInternet.TCP/IP—AsuiteofprotocolsthatcontrolsthedeliveryofmessagesacrosstheInternet.throughput—Thedatatransferrateofanetworkordevice.TLS(TransportLayerSecurity)—AnencryptionprotocolforthesecuretransmissionofdataovertheInternet.TLSisbasedon,andhassucceeded,SSL.uUDP(UserDatagramProtocol)—Anunreliable,connectionless,communicationprotocol.unblock— To remove a source or destination from the temporarily blocked list without adding it to thewhitelist.UNC(UniversalNamingConvention)—AstandardwhichoriginatedfromUNIXforidentifyingservers,printers,andotherresourcesinanetwork.URI (UniformResource Identifier)—A protocol, login, host, port, path, etc. in a standard format used toreferenceanetworkresource,(forexamplehttp://haltdos.com).URL(UniformResourceLocator)—UsuallyasynonymforURI.UTC (UniversalTimeCoordinated)—Thetimezoneatzerodegrees’ longitude,whichreplacesGMTastheworldtimestandard.vVLAN(VirtualLocalAreaNetwork)—Hostsconnectedinaninfrastructurethatsimulatesalocalareanetwork,whenthehostsareremotelylocated,ortosegmentaphysicallocalnetworkintosmaller,virtualpieces.VoIP (Voice over Internet Protocol)— Routing voice communications (such as phone calls) through an IPnetwork.volumetricattack—AtypeofDDoSattackthatisgenerallyhighbandwidthandthatoriginatesfromalargenumberofgeographicallydistributedbots.VPN(VirtualPrivateNetwork)—Aprivatecommunicationsnetworkthatisoftenusedwithinacompany,orbyseveralcompaniesororganizations,tocommunicateconfidentiallyoverapublicnetworkusingencryptedtunnels.vulnerability—Asecurityweaknessthatcouldpotentiallybeexploited.wWAN (WideAreaNetwork)—Acomputernetworkthatcoversabroadarea.(AlsoWirelessAreaNetwork,meaningawirelessnetwork.)WebUI(UserInterface)—AWeb-basedinterfaceforusinganHaltDosNetworksproduct.whitelist—Alistofhostswhosetrafficispassedwithoutfurtherinspection.Toaddahosttothewhitelist.

widget—Agraphicalelementinauserinterfacethatdisplaysinformationaboutanapplicationandallowstheusertointeractwiththeapplication.


of 91

xXML(eXtensibleMarkupLanguage)—AmetalanguagewritteninStandardGeneralizedMarkupLanguage(SGML)thatallowsonetodesignamarkuplanguageforeasyinterchangeofdocumentsontheWorldWideWeb.

haltdos mitigation platform - common criteria · 17/09/2018 · april 10, 2017 1.0 anshul saxena...

Documents