Compliant Product - WatchGuard Fireware OS v12.6.2 on Firebox NGFWs
Certificate Date: 2020.10.01
Validation Report Number: CCEVS-VR-VID11051-2020
Product Type: Firewall
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.1
collaborative Protection Profile Module for Stateful Traffic Filter Firewalls v1.3
PP-Module for Virtual Private Network (VPN) Gateways, Version 1.0
CC Testing Lab: Gossamer Security Solutions
The TOE is a suite of hardware devices that provide all-in-one network and content security solutions. These devices (known as Firebox Security Appliances) are equipped with a WatchGuard proprietary operating system (OS) called Fireware v12.6.2. Most platform variants of the TOE run different images; however, some families of the TOE run on the same image.
Firebox appliances (running the Fireware OS) separate the organization’s internal networks from external network connections to decrease the risk of an external attack. They protect the internal, private networks from unauthorized users on the Internet. Traffic that enters and leaves the protected networks is examined by the Firebox appliances. They use access policies to identify and filter different types of information and can also control which policies or ports the protected computers can use on the Internet (outbound access).
The TOE is composed of both hardware and firmware comprising the following models, all running firmware version 12.6.2:
· Firewalls: T35, T40, T20, T80, T55, T70, M270, M370, M470, M570, M670, M4600, and M5600
· Expansion Modules: WG8592 (8x1G), WG8593 (8x1G), WG8594 (4x10G), and WG8023 (2x40G)
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the Firebox Common Criteria Deployment Guide, Version 1.0, 10 August 2020 document, satisfies all of the security functional requirements stated in the WatchGuard Fireware OS v12.6.2 on Firebox NGFWs (NDcPP21/STFFW13/VPNGWM10) Security Target, Version 0.4, 01 October 2020. The project underwent CCEVS Validator review. The evaluation was completed in October 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11051-2020) prepared by CCEVS.
The logical boundaries of the WatchGuard Fireware OS 12.6.2 on Firebox NGFWs are realized in the security functions that it implements. Each of these security functions is summarized below.
The TOE generates audit logs, can store them internally, and can be configured to send them to an external audit server. The connection between the TOE and the remote audit server is protected with IPsec. The TOE has a disk cleanup procedure that removes old audit logs to make space for new ones. When disk space falls below a predefined threshold, the TOE deletes the oldest set of records so it can continue collecting audit records.
The TOE depends on CAVP certified cryptographic algorithms as a part of the WatchGuard Crypto module. Additionally, certain platforms rely on CAVP certified cryptographic algorithms used for hardware acceleration. The TOE protects the confidentiality and integrity of all information as it passes between the TOE and the remote management workstation (via TLS) and also when it passes between the TOE and the local management workstation (via a private, direct serial connection). The TOE achieves this by using validated cryptographic algorithms to perform encryption and the decryption of data according to the TLS protocol. Additionally, all communications with external IT entities are similarly protected using the IPsec protocol.
The TOE ensures that residual information is protected from potential reuse in accessible objects such as network packets.
Stateful Traffic Filtering Firewall
The TOE supports many protocols for packet filtering including icmpv4, icmpv6, ipv4, ipv6, tcp and udp. The firewall rules implement the SPD rules (permit, deny, bypass). Each rule can be configured to log status of packets pertaining to the rule. All codes under each protocol are implemented. The TOE supports FTP for stateful filtering.
Routed packets are forwarded to a TOE interface with the interface’s MAC address as the layer-2 destination address. The TOE routes the packets using the presumed destination address in the IP header, in accordance with route tables maintained by the TOE.
IP packets are processed by WatchGuard’s Fireware OS software, which associates them with application-level connections, using the IP packet header fields: source and destination IP address and port, as well as IP protocol. Fragmented packets are reassembled before they are processed.
The TOE mediates the information flows according to an administrator-defined policy. Some of the traffic may be either silently dropped or rejected (with notification to the presumed source).
The TOE's firewall and VPN capabilities are controlled by defining an ordered set of rules in the Security Rule Base. The Rule Base specifies what communication will be allowed to pass and what will be blocked. It specifies the source and destination of the communication, what services can be used, at what times, and whether to log the connection.
Identification and authentication
The TOE authenticates all administrative users. The TOE requires that users associated with these accounts be identified and authenticated before being permitted access to the TOE and TOE security functions. Users may authenticate using either local password authentication or remote password authentication.
The TOE provides local management capabilities via a local serial connection and remote management capabilities via Web-Based GUI (TLS/HTTPS). Management functions allow the administrators to configure users, roles, and security policy attributes.
Please see Stateful Traffic Filtering Firewall for a description of the TOE’s packet filtering mechanism.
Protection of the TSF
The TOE does not store passwords in plaintext; they are obfuscated. The TOE does not support any command line capability to view any cryptographic keys generated or used by the TOE.
The TOE provides a timestamp for use with audit records, timing elements of cryptographic functions, and inactivity timeouts. The operating system clock inside the TOE can be used to provide time information, or the TOE can be configured to rely on up to three NTP servers for its time.
The TOE only allows updates after their signature is successfully verified. The TOE update mechanism uses ECDSA with SHA-512 and P-521 to verify the signature of the update package.
The TOE’s FIPS executables are signed using ECDSA with SHA-512 and P-521. For all other executables a hash is computed during system installation and configuration and during updates.
During power-up, the integrity of all executables is verified. If an integrity test fails in the cryptographic module, the system displays an error message and pauses boot, requiring a power cycle to restart the device. Also during power-up, algorithms are tested in the kernel and user-space. If any of these tests fail, the TOE is not operational for users.
The TOE protects all communications outside of the TOE with an approved connection method. Administrative configuration is protected by HTTPS/TLS while NTP and Audit Server communications are protected by IPsec.
The TOE can be configured to display a message of the day banner when an administrator establishes an interactive session and subsequently will enforce an administrator-defined inactivity timeout value after which the inactive session (local or remote) will be terminated.
The TOE protects all communications outside of the physical boundary of the TOE. The TOE utilizes HTTPS/TLS for administrative configuration, while using IPsec to protect communications with Syslog and NTP servers.
WatchGuard Technologies, Inc.