{"product_id":10408,"v_id":10408,"product_name":"F5 Networks BIG-IP Local Traffic Manager Release 10.2.2 Build 763.3 Hotfix 2 with the Advanced Client Authentication and Protocol Security Modules running on Model 11050, 8900, or 6900 redundant pair hardware platform","certification_status":"Not Certified","certification_date":"2013-04-21T00:04:00Z","tech_type":"Router","vendor_id":{"name":"F5 Networks, Inc.","website":"http://www.f5.com"},"vendor_poc":"Dan Gilbert","vendor_phone":"206-272-6497","vendor_email":"D.Gilbert@F5.com","assigned_lab":{"cctl_name":"UL Verification Services"},"product_description":"

The BIG-IP device is a port-based, multilayer switch with multiple ports and a host system for advanced processing.  The system reduces the need for routers and IP routing by managing traffic at the data-link layer (Layer 2).  The multilayer capability of the BIG-IP system provides the ability for the system to process traffic at OSI layers 2 and above.  The BIG-IP system performs basic Layer 4 load balancing and is fully capable of managing traffic at Layer 7.  The system performs IP routing at Layer 3 when needed, and manages TCP and application traffic at Layers 4 and 7.  The BIG-IP (TOE) also includes the Advanced Client Authentication and Protocol Security Modules which are included in appliance software and are enabled through licensing for the CC Evaluated configuration.

\r\n

The BIG-IP device provides the ability to monitor the devices for which it manages traffic and to provide audit trails relating to the use of network resources.  BIG-IP information flow control rules ensure that critical connections using IP protocols reach the correct destination server.  The BIG-IP appliance supports HTTP, SMTP, and FTP routing and analysis and can be configured to perform analysis on all other Ethernet/IP based protocols using the iRules scripting feature. Using packet filtering and profile based routing provided by the Protocol Security Module (PSM), the TOE protects backend servers from unsolicited traffic and potentially malicious traffic flows.  The PSM also performs security related checks and validations for HTTP, SMTP, and FTP traffic.

\r\n

The BIG-IP device provides SSL offloading, server and client authentication, protocol sanitization, and customized traffic handling through the use of iRules™ scripts. BIG-IP also provides DoS mitigating features that manage TCP connections using maximum thresholds, throttling of traffic based on memory usage, and use of SYN cookies to guard against resource exhaustion attacks.

\r\n

Note: The cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation.  All cryptography has only been asserted as tested by the vendor.

","evaluation_configuration":"

Hardware:

\r\n

Model: 6900
SKU: F5-BIG-LTM-6900-8G-R
PN: 200-0300-01

\r\n

Model: 8900
SKU: F5-BIG-LTM-8900-R
PN: 200-0308-01

\r\n

Model: 11050
SKU: F5-BIG-LTM-11050-R
PN: 200-0299-00

\r\n

Software:

\r\n
    \r\n
  1. BIG-IP® Local Traffic Manager Release 10.2.2 Build 763.3 with Hotfix-BIGIP-10.2.2-911.0-HF2.
    2. \r\n
\r\n

Licenses:

\r\n
    \r\n
  1. Protocol Security Module (PSM) (F5-ADD-BIG-PSM)
    2. \r\n
  2. Advanced Client Authentication (ACA) module (F5-ADD-BIG-ACA)
    3. \r\n
  3. BIG-IP ADD-ON: Appliance Mode License (restricts the CLI to tmsh only; no bash access and no ability to login as root) (F5-ADD-BIG-MODE)
    4. \r\n
\r\n

Security Relevant Exclusions

\r\n

This section identifies any security relevant items that are specifically excluded from the TOE. Administrators of BIG-IP Common Criteria configurations must not include or use these modules and features, and must disregard all mention of use or configuration in the guidance documents.

\r\n
    \r\n
  1. Application templates. Configurations are restricted to manual approaches (procedurally enforced)
    2. \r\n
  2. The following modules, as they are separately licensed and not included in the CC Evaluated Configuration:
      \r\n
    1.                                             i.            BIG-IP Global Traffic Manager.
      2. \r\n
    2.                                           ii.            BIG-IP Link Controller.
      3. \r\n
    3.                                         iii.            BIG-IP Application Security Manager.
      4. \r\n
    4.                                         iv.            BIG-IP WebAccelerator System.
      5. \r\n
    5.                                           v.            BIG-IP WAN Optimization Module.
      6. \r\n
    6.                                         vi.            BIG-IP Access Policy Manager.
      7. \r\n
    7.                                       vii.            BIG-IP Message Security Module.
      8. \r\n
    3. \r\n
  3. Application Security Policy Editor role. This role is not included in a BIG-IP configuration except as part of the Application Security Module.
    4. \r\n
  4. Always-On Management (AOM). SSH access to AOM is disabled unless configured, and the Common Criteria evaluated configuration does not configure SSH for AOM.  Serial console access to AOM is procedurally excluded from the Common Criteria Evaluated Configuration.
    5. \r\n
  5. bash shell. This is disabled by Appliance mode.
    6. \r\n
  6. Bigpipe Utility Command Line Interface (CLI) and Bigpipe Shell (bpsh). These are deprecated in this release and procedurally excluded. Note that:
      \r\n
    1.                                             i.            Users must not be created with the capability to access the bigpipe shell, either through the GUI or tmsh.
      2. \r\n
    2.                                           ii.            The bigpipe shell must not be accessed through the tmsh “run /util bigpipe shell“ command.
      3. \r\n
    3.                                         iii.            The bigpipe utility commands must not be accessed through the “run /util bigpipe ” command.
      4. \r\n
    7. \r\n
  7. SNMP for Remote Management of BIG-IP. This is disabled via configuration script; therefore references to SNMP in the environment do not apply. However, email notification of alerts relies on modifying the alertd configuration file, which uses the snmptrap statement format to define the alert. References to snmptrap in that context do apply.
    8. \r\n
  8. FIPS hardware, including hardware-based SSL offloading.
    9. \r\n
  9. iSessions (relates to data center to data center deployment models). This requires the BIG-IP® WAN Optimization Module, which is not included in TOE.
    10. \r\n
  10. Editing the configuration files specified in the TMOS Management Guide. The GUI or tmsh must be used for all system configurations.
    11. \r\n
  11. IMI and VTY shells.
    12. \r\n
  12. Configuration of the TOE via the appliance LCD display. This is disabled except during initial configuration.
    13. \r\n
  13. Serial port.
    14. \r\n
  14. Kerberos server. This is not enabled unless configured, and the Common Criteria evaluated configuration does not configure Kerberos. Note that the default Kerberos profile says that it is enabled, but without fully configuring the profile and attaching it to a virtual server, Kerberos itself is not configured and not usable. Thus, by default, Kerberos itself is not enabled.
    15. \r\n
  15. iControl interface. This is procedurally excluded since all of the function it provides is also provided with the GUI and tmsh interfaces.
    16. \r\n
  16. Use of CRLs and CRLDPs. As CRLs can quickly become outdated, their use and that of CRLDPs is excluded from the TOE. Therefore, an OCSP server is required in the Operational Environment for certificate revocation checks.
    17. \r\n
  17. The following profiles (based on the list in the Configuration Guide for BIG-IP Local Traffic Manager, Chapter 5 (Understanding Profiles), section “Profile Types”):
      \r\n
    1.                                             i.            Services profiles: RTSP, Diameter, and iSession.
      2. \r\n
    2.                                           ii.            Persistence profiles: Microsoft Remote Desktop.
      3. \r\n
    3.                                         iii.            Protocol profiles: SCTP.
      4. \r\n
    4.                                         iv.            SSL profiles: (No SSL profiles are excluded)
      5. \r\n
    5.                                           v.            Authentication profiles: Kerberos Delegation.
      6. \r\n
    6.                                         vi.            Other profiles: NTLM and Stream.
      7. \r\n
    18. \r\n
  18. Protocol sanitization for protocols other than HTTP, FTP, and SMTP.
    19. \r\n
  19. Ciphers other than those specified in Appendix A of the Security Target. Note that the CCMODE script described in Section 3.9 changes the cryptographic defaults as they are described in guidance documents and supersedes those documents. The CCMODE script enforces the algorithm restrictions and the symmetric key length restrictions; however, the administrator must procedurally enforce the RSA key lengths in X.509 certificates used to authenticate to the TOE.
    20. \r\n
  20. Cryptographic-related protocols other than SSHv2, SSLv3, and TLSv1.0.
    21. \r\n
  21. Any features requiring root access to configure. This is because access to root is disabled via Appliance Mode. This includes, for example, remote encrypted logging since Appliance Mode precludes the ability to configure the SSH tunnel required for that function.
    22. \r\n
  22. The gencert utility. This is excluded since it is only accessible through excluded shells. Key and certificate generation should be accomplished through the GUI instead.
    23. \r\n
  23. CORBA, which is not used in BIGIP.
    24. \r\n
  24. TACACS+. This is excluded as a remote authentication server.
    25. \r\n
  25. Network boot.
    26. \r\n
  26. Software updates to the Common Criteria evaluated configuration.
    27. \r\n
  27. Batch mode tmsh transactions.
    28. \r\n
\r\n

Non-Security Relevant Exclusions

\r\n

This section identifies aspects of the TOE that were not evaluated as part of the Common Criteria Evaluation. With the exception of those items listed as “separately licensed and not included with the TOE”, items in this category include those features which may provide significant functional capability within the TOE and may be used by customers but are not security relevant.

\r\n

Those items listed as “separately licensed and not included with the TOE” may have security-relevant aspects and should not be used with a Common Criteria evaluated configuration without careful review.

\r\n
    \r\n
  1. WebAccelerator™ Module (WAM) - separately licensed and not included with the TOE.
    2. \r\n
  2. Link Controller (LC) - separately licensed and not included with the TOE.
    3. \r\n
  3. Global Traffic Manager (GTM) - separately licensed and not included with the TOE.
    4. \r\n
  4. Application Policy Module (APM) - separately licensed and not included with the TOE.
    5. \r\n
  5. Enterprise Manager – separately licensed and not included with the TOE.
    6. \r\n
  6. F5 Management Pack – separately licensed and not included with the TOE.
    7. \r\n
  7. Advanced Routing – separately licensed and not included with the TOE.
    8. \r\n
  8. Optimization of network and application traffic; load balancing.
    9. \r\n
  9. HTTP compression.
    10. \r\n
  10. Caching.
    11. \r\n
  11. Aggregation of client requests.
    12. \r\n
  12. Routing around slower or degraded routes.
    13. \r\n
  13. Selective data compression.
    14. \r\n
  14. Windows NT LAN Manager authentication protocol (NTLM). The BIG-IP passes this protocol through, but does not itself perform NTLM authentication.
    15. \r\n
  15. Network resource monitoring.
    16. \r\n
  16. Trunk (link aggregation).
    17. \r\n
  17. Spanning Tree Protocols
    18. \r\n
  18. Network Tunnels
    19. \r\n
  19. Bigtop utility – this utility provides statistical monitoring only.
    20. \r\n
  20. SNAT – “Source NAT”. BIG-IP implements SNAT as mapping a source client IP address to a translation address defined on the BIG-IP system.
    21. \r\n
  21. Booting from different volumes. The BIG-IP may be configured with multiple volumes but only booting from the slot containing the Common Criteria-evaluated configuration is recommended.
    22. \r\n
\r\n

Environment Dependencies

\r\n

The BIG-IP requires an NTP server and an OCSP server in the operational environment.  F5 recommends the use of a mail server, syslog server, and an authentication server (LDAP or RADIUS) in the operational environment.  If a syslog server is used, the environment must provide physical protections for the management network, because the TOE does not encrypt audit logs.

\r\n

The operational environment must also provide the backend HTTP, FTP, and/or SMTP servers. BIG-IP creates virtual servers that support these protocols and forward data to the backend content servers, but BIG-IP does not host content itself.

\r\n

The operational environment must provide physical protection for the TOE and the TOE administrators must be appropriately trained and trustworthy.

","security_evaluation_summary":"

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme.  The evaluation demonstrated that BIG-IP Local Traffic Manager appliance meets the security requirements contained in the Security Target.  The criteria against which BIG-IP was assessed are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 3 and National and International Interpretations effective 18 June 2010.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 3. InfoGard Laboratories determined that the F5 Networks BIG-IP appliance provides the security assurance required by Evaluation Assurance Level 2 (EAL2) and ALC_FLR.2.

\r\n

The TOE, configured as specified in the installation guide, satisfies all of the security functional requirements stated in the Security Target.  Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by InfoGard. The evaluation was completed in March of 2013.

","environmental_strengths":"

The BIG-IP Local Traffic Manager is a commercial network appliance designed to protect backend content servers while providing resource optimizing features.  The BIG-IP provides the ability to sanitize HTTP, FTP, and SNMP protocols and detect and block a number of known attack types. The BIG-IP also provides the ability to encrypt client and server communications. Note: The cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation.  All cryptography has only been asserted as tested by the vendor.

\r\n

The BIG-IP requires administrative users to be authenticated, enforces password complexity rules (only for locally-defined non-administrators), and locks out accounts if it appears a brute force attack is being performed.

\r\n

The BIG-IP audits both user and administrator actions for detailed review or statistical analysis of usage patterns.

","features":[]}