Compliant Product - Check Point Software Technologies Ltd. Security Gateway Appliances R80.30
Certificate Date: 2019.11.25
Validation Report Number: CCEVS-VR-VID10990-2019
Product Type: Firewall; Virtual Private Network
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Stateful Traffic Filter Firewalls Version 2.0 + Errata 20180314; collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314; Extended Package for VPN Gateways Version 2.1
CC Testing Lab: Gossamer Security Solutions
The Target of Evaluation (TOE) is Check Point Software Security Gateway Appliances running software version R80.30. The product family is a set of VPN Gateway and packet filtering firewall appliances, a management appliance, and management software. The product provides controlled connectivity between two or more network environments. It mediates information flows between clients and servers located on internal and external networks governed by the firewalls.
The TOE is Check Point software Security Gateway Appliances running software version R80.30. The TOE includes the following components:
All platforms are x86-based hardware. These platforms can be installed as a Security Gateway or as a Standalone (i.e., a combination of a Security Management Server and a Security Gateway on a single hardware platform), and all run the Check Point version R80.30 software.
• Check Point 3100, 3200
The following Check Point security appliance models are included in the evaluated configuration for the Security Management Server, running the R80.30 software. These platforms are just for Security Management Server functions.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the Check Point Software Technologies LTD. Security Gateway Appliances R80.30 Common Criteria Supplement, Version 1.0, September 5, 2019 and the Check Point Software Technologies LTD. R80.30 Installation Guide, Version 1.1, September 5, 2019 documents, satisfies all of the security functional requirements stated in the Check Point Security Gateway Appliances (FWcPP20E/VPNGWEP21) Security Target, Version 1.1, 11/22/2019. The project underwent CCEVS Validator review. The evaluation was completed in November 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The logical boundaries of the TOE are realized in the security functions that it implements. Each of these security functions is summarized below.
The TOE generates audit logs and can store them internally or send them to an external audit server. The connection between the TOE and the remote audit server is protected with IPsec. The TOE has a disk cleanup procedure that removes old audit logs to make space for new ones. When disk space falls below a predefined threshold (that is, when the cleanup procedure cannot keep up with audit collection), the TOE stops collecting audit records.
The TOE is a distributed solution consisting of Security Gateway Appliances and Security Management Server. The Security Management Server can manage one or more Security Gateway Appliances.
The TOE uses the Check Point Cryptographic Library version 1.0 that has received Cryptographic Algorithm Validation Program (CAVP) certificates for all cryptographic functions claimed in this ST. Cryptographic services include key management, random bit generation, encryption/decryption, digital signature and secure hashing.
User data protection:
The TOE ensures that residual information is protected from potential reuse in accessible objects such as network packets.
Stateful Traffic Filtering Firewall:
The TOE supports many protocols for packet filtering, including ICMPv4, ICMPv6, IPv4, IPv6, TCP and UDP. The firewall rules implement the SPD rules (permit, deny, bypass). Each rule can be configured to log the status of packets pertaining to the rule. All codes under each protocol are implemented. The TOE supports FTP for stateful filtering.
Routed packets are forwarded to a TOE interface with the interface’s MAC address as the layer-2 destination address. The TOE routes the packets using the presumed destination address in the IP header, in accordance with route tables maintained by the TOE.
IP packets are processed by the Check Point Security Gateway Appliances software, which associates them with application-level connections, using the IP packet header fields: source and destination IP address and port, as well as IP protocol. Fragmented packets are reassembled before they are processed.
The TOE mediates the information flows according to an administrator-defined policy. Some of the traffic may be either silently dropped or rejected (with notification to the presumed source).
The TOE's firewall and VPN capabilities are controlled by defining an ordered set of rules in the Security Rule Base. The Rule Base specifies what communication will be allowed to pass and what will be blocked. It specifies the source and destination of the communication, what services can be used, at what times, whether to log the connection and the logging level.
Identification and authentication:
The TOE implements a password-based authentication mechanism for authenticating users and requires identification and authentication before allowing access. Only the banner may be presented before authentication is complete. The TOE supports passwords of varying length and allows an administrator to specify a minimum password length between 8 and 100 characters long. The password composition can contain all special characters as required by FIA_PMG_EXT.1.1.
Internally, the TOE keeps track of failed login attempts, and if the configured number of attempts is met, the administrator is locked out either for a period of time or until the primary administrator unlocks the account. The local CLI remains available when the remote account is locked out.
The TOE’s IPsec implementation supports Pre-Shared Keys (PSKs) and X.509 certificates (both RSA and ECDSA) for IKE authentication.
The TOE allows both local and remote administration for management of the TOE’s security functions. The TOE creates and maintains roles for configured administrators. An administrator can log in locally to the TOE using a serial connection. The local login operates in a Command Line Interface (CLI). There is one remote administration interface that can be used once the TOE is in its evaluated configuration. The remote administration interface is executed through a Graphical User Interface program named SmartConsole using a connection protected by IPsec.
See Stateful Traffic Filtering Firewall above.
Protection of the TSF:
The TOE includes capabilities to protect itself from unwanted modification as well as protecting its persistent data.
The TOE does not store passwords in plaintext; they are obfuscated. The TOE does not support any command line capability to view any cryptographic keys generated or used by the TOE.
The TOE only allows updates after their signature is successfully verified. The TOE update mechanism uses ECDSA with SHA-512 and P-521 to verify the signature of the update package.
The TOE’s FIPS executables and libraries are signed using ECDSA with SHA-512 and P-521.
During power-up, the integrity of all executables is verified. If an integrity test fails in the cryptographic module, the system will enter a kernel panic and will fail to boot up. If an integrity test fails due to a non-matching hash, a log is written. Also during power-up, algorithms are tested in the kernel and in user space. If any of these tests fail, the TOE is not operational for users.
The TOE protects all communications among its distributed parts with IPsec.
The TOE provides a timestamp for use with audit records, timing elements of cryptographic functions, and inactivity timeouts.
The TOE is able to terminate interactive sessions if the session is inactive for an administrator-configured period of time. The TOE also allows a session to be disconnected via a logout command. An administrator can configure a login banner to be displayed before authentication is completed.
The TOE protects all communications with outside entities using IPsec communications only. The TOE employs IPsec when it sends audit data to an audit server, when communicating with an NTP server, and when allowing remote administration connections. Any protocol that is part of the distributed TOE must be protected in an IPsec connection.
Check Point Software Technologies Ltd.