NIAP: Compliant Product
Compliant Product - SonicWall SonicOS Enhanced V6.5.2 with VPN and IPS on TZ, SOHOW, NSA, and SM Appliances

Certificate Date:  2019.03.11

Validation Report Number:  CCEVS-VR-VID10914-2019

Product Type:  Firewall; Virtual Private Network; Wireless Monitoring

Conformance Claim:  Protection Profile Compliant

PP Identifier:  collaborative Protection Profile for Stateful Traffic Filter Firewalls Version 2.0 + Errata 20180314; Extended Package for Intrusion Prevention Systems Version 2.11; Extended Package for VPN Gateways Version 2.1

CC Testing Lab:  Acumen Security




Product Description

The TOE is a software and hardware TOE. It is a combination of a particular NSA, SOHO, SM, or TZ hardware appliance and the SonicOS v6.5.2 software. The following table lists all the instances of the TOE that operate in the evaluated configuration. All listed TOE instances offer the same core functionality but vary in number of processors, physical size, and supported connections.

 

Appliance Series    Appliance Model
TZ                  TZ 300, TZ 300W, TZ 400, TZ 400W, TZ 500, TZ 500W, TZ 600
SOHO                SOHOW
NSa                 NSa 2650, NSA 3600, NSa 3650, NSA 4600, NSa 4650, NSA 5600, NSa 5650, NSA 6600, NSa 6650, NSa 9250, NSa 9450, NSa 9650
SM                  SM 9200, SM 9400, SM 9600, SM 9800

 

In the evaluated configuration, the devices are placed in Network Device Protection Profile (NDPP) mode. NDPP mode is a configuration setting.

The SonicWall appliances are designed to filter traffic based on a set of rules created by a system administrator. The audit server provides a platform for sorting and viewing the log files that are produced by the appliance.


Evaluated Configuration


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the SonicWall SonicOS Enhanced V6.5.2 with VPN and IPS on TZ, SOHOW, NSA, and SM Appliances was evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4. Acumen Security determined that the evaluation is a Network Device Collaborative Protection Profile (NDcPP)/Stateful Traffic Filter Firewall Collaborative Protection Profile (FWcPP) Extended Package VPN Gateway v2.1 [VPNEP] and Network Device Collaborative Protection Profile (NDcPP)/Stateful Traffic Filter Firewall Collaborative Protection Profile (FWcPP) Extended Package for Intrusion Prevention Systems v2.11 [IPSEP]. The product, when delivered and configured as identified in the Operational User Guidance and Preparative Procedures, satisfies all the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review. The evaluation was completed in March 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

The logical boundary of the TOE includes those security functions implemented exclusively by the TOE. The TOE provides the security functionality required by [FWcPP], [VPNEP] and [IPSEP].

Security Audit

The TOE generates audit records for administrative activity, security related configuration changes, cryptographic key changes and startup and shutdown of the audit functions. The audit events are associated with the administrator who performs them, if applicable. The audit records are transmitted over an IPsec VPN tunnel to an external audit server in the IT environment for storage.

 

Cryptographic Support

The TOE provides cryptographic functions (key generation, key establishment, key destruction, cryptographic operation) to secure remote administrative sessions over Hypertext Transfer Protocol Secure (HTTPS)/Transport Layer Security (TLS), and to support Internet Protocol Security (IPsec) to provide VPN functionality and to protect the connection to the audit server.

 

Identification and Authentication

The TOE provides a password-based logon mechanism. This mechanism enforces minimum strength requirements and ensures that passwords are obscured when entered. The TOE also validates and authenticates X.509 certificates for all certificate use.

 

Security Management

The TOE provides management capabilities via a Web-based GUI, accessed over HTTPS. Management functions allow the administrators to configure and update the system, manage users and configure the Virtual Private Network (VPN) and Intrusion Prevention System (IPS) functionality.

 

Protection of the TSF

The TOE prevents the reading of plaintext passwords and keys. The TOE provides a reliable timestamp for its own use. To protect the integrity of its security functions, the TOE implements a suite of self-tests at startup and shuts down if a critical failure occurs. The TOE verifies the software image when it is loaded. The TOE ensures that updates to the TOE software can be verified using a digital signature.

 

TOE Access

The TOE monitors local and remote administrative sessions for inactivity and either locks or terminates the session when a threshold time-period is reached. An advisory notice is displayed at the start of each session. The TOE also terminates VPN sessions for inactivity and can deny establishment of a session based on day, time or location. VPN clients are assigned private IP addresses.

 

Trusted Path/Channels

The TSF provides IPsec VPN tunnels for trusted communication between itself and an audit server. The TOE implements HTTPS for protection of communications between itself and the Management Console.

 

Intrusion Prevention

The TOE performs analysis of IP-based network traffic and detects violations of administratively-defined IPS policies. The TOE inspects each packet header and payload for anomalies and known signature-based attacks and determines whether to allow traffic to traverse the TOE.

 

Stateful Traffic Filtering

The TOE restricts the flow of network traffic between protected networks and other attached networks based on addresses and ports of the network nodes originating (source) and/or receiving (destination) applicable network traffic, as well as on established connection information.

 

Packet Filtering

The TOE performs packet filtering on network packets.


Vendor Information

SonicWall Inc
Usha Sanagala
4089626248
usanagala@sonicwall.com

http://www.sonicwall.com/