The logical boundaries of the TOE are realized in the security functions that it implements. Each of these security functions is summarized below.

Security audit:

The TOE generates audit records for all security-relevant events. For each audited events, the TOE records the date and time, the type of event, the subject identity, and the outcome of the event. The resulting records are stored locally and can be sent securely to a designated audit server for archiving. Security Administrators, using the appropriate CLI commands, can also view audit records locally. The TOE provides a reliable timestamp relying on the appliance’s built-in clock or using an NTP server.

Cryptographic support:

The TOE performs the following cryptographic functionality:

·       Encryption, decryption, hashing, keyed-hash message authentication, random number generation, signature generation and verification utilizing a dedicated cryptographic library

·       Cryptographic functionality is utilized to implement secure channels

o   SSHv2

o   TLS v1.2

·       Entropy is collected and used to support seeding with full entropy

·       Critical Security Parameters (CSPs) internally stored and cleared when no longer in use

·       X509 Certificate authentication integrated with TLS protocol.

The TOE uses a dedicated cryptographic module to manage CSPs and implements deletion procedures to mitigate the possibility of disclosure or modification of CSPs. Additionally, the TOE provides commands to on-demand clear CSPs (e.g. host RSA keys), that can be invoked by a Security Administrator with appropriate permissions.

Identification and authentication:

The TOE supports Role-Based Access Control (RBAC) managed by an Authentication, Authorization, and Accounting (AAA) module that stores and manages permissions of all users and their roles. The TOE requires users to provide their assigned unique username and password before any administrative access to the system is granted. Each authorized user is associated with an assigned role and role-specific permissions that determine their access to TOE features. The AAA module stores the assigned role of each user along with all other information required for that user to access the TOE.

The TOE supports X509v3 certificate validation during negotiation of TLS protected syslog. Certificates are validated as part of the authentication process when they are presented to the TOE and when they are loaded into the TOE.

Security management:

The TOE allows remote administration using an SSHv2 session, and local administration using a console. Both remote and local administration are conducted over a Command Line Interface (CLI) terminal that facilitates access to all of the management functions used to administer the TOE.

There are two types of administrative users within the system: Security Administrator and User. All of the management functions are restricted to Security Administrators, including managing user accounts and roles, rebooting and applying software updates, administering the system configuration, and reviewing audit records. The term “Security Administrator” is used to refer to any administrative user with the appropriate role to perform the relevant functions

Protection of the TSF:

The TOE implements a number of measures to protect the integrity of its security features.

·       The TOE protects CSPs, including stored passwords and cryptographic keys, so they are not directly viewable or accessible in plaintext.

·    The TOE ensures that reliable time information is available for both log accountability and synchronization with the operating environment.

·       The TOE performs self-tests to detect internal failures and protect itself from malicious updates.

TOE access:

The TOE will display a customizable banner when an administrator initiates an interactive local or remote session. The TOE also enforces an administrator-defined inactivity timeout after which any inactive session is automatically terminated. Once a session (local or remote) has been terminated, the TOE requires the user to re-authenticate.

Trusted path/channels:

The TOE protects remote sessions by establishing a trusted path secured using SSH between itself and the administrator. The TOE prevents disclosure or modification of audit records by establishing a trusted channel using TLS between itself and the audit server. Mutual authentication using client-side x.509v3 certificates is supported by the TOE’s TLS client for syslog over TLS.