The NetScreen Target of Evaluation (TOE) consists of the following:
\r\nHenceforth, the above components are referred to as the NetScreen appliance.
\r\nThe NetScreen appliance is an integrated security network devices designed and manufactured by NetScreen Technologies, Incorporated, 805 11th Ave, Building 3, Sunnyvale, CA 94089 U.S.A, herein called simply NetScreen.
\r\nThe NetScreen appliance is an integrated security network appliance that operates as the central security hub in a network configuration. The NetScreen appliance controls traffic flow through the network and integrates stateful packet inspection firewall and traffic management features. The NetScreen appliance does include functions and capabilities that were not evaluated (e.g. VPN (encryption) capability, external Administrator Authentication, Remote Management of the device, etc.). A complete listing of the functions that are outside of the scope of evaluation are contained in the Validation Report (CCEVS-VR-03-0042).
\r\nThe 5200 model consists of hardware and firmware, running ScreenOS 4.0.2r7.0 in firmware, a proprietary operating system. The differences have no effect on the security functions claimed in the Security Target.
\r\nThe TOE generates audit records corresponding to traffic flow, administrator actions, identification and authentication. The TOE provides interfaces that allow the administrator to review the audit records, including the ability to search and sort upon the audit records. Additionally, the TOE provides the ability to protect the audit records and limit the loss of records due to storage exhaustion.
\r\nThe TOE enforces an Information Flow policy upon all packets attempting to traverse the NetScreen appliance. The policy is configurable by the administrator and is based on the presumed source IP address, destination IP address, protocol, source and destination interface, and service. The TOE has a packet buffer for temporary storage of packet information. All of the temporary storage is accounted for in that the size of the temporary storage relative to every packet is known ensuring that the TOE does not reuse any previous packet information.
\r\nAdministrators are the only users of the TOE and are forced to identify and authenticate themselves by the TOE before they are allowed to invoke any administrator commands. Note that the TOE includes the console port. However, the actual console used is not part of the TOE but is part of the environment. The Security Target includes an assumption that a VT-100 terminal or any device that can emulate a VT-100 terminal is required for use as a locally connected console.
\r\nSecurity Management is provided through the Administrator Interface. This interface allows an administrator (when properly identified and authenticated) to configure the NetScreen device. Therefore, the security management functions are not available to non-administrative users.
\r\nThe security functions of the TOE are protected by the administrative interface being a separate interface that is not connected to the network and, therefore, not susceptible to many of the general threats on the network such as sniffing packets or attempts to log into a public administrative interface. The administrative commands are limited to the console port, in the evaluation configuration, and the console port does not pass network traffic. Additionally, the TOE includes a system clock that can only be set and modified by the administrator, providing reliable timestamps for audit information. .
","evaluation_configuration":null,"security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the NetScreen appliances meet the security requirements contained in the “NetScreen Appliance Security Target: EAL4 Augmented”. The criteria against which the NetScreen appliance was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.1 and National and International Interpretations effective on November 20, 2002. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Science Application International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the NetScreen appliances TOE is EAL4 augmented. The TOE, configured as specified in the installation guide, satisfies all of the security functional requirements stated in the Security Target. Two validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in October 2003. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report for NetScreen Appliance 5200 prepared by CCEVS. The following features were not evaluated: Virtual Private Networking (VPN), External Administrator Authentication (use of an external authentication server (e.g. Radius server)), Remote Management of the device, NTP (use of an external server to synchronize the time), the Malicious-URL screen commands (used to block specific URLs), Active-Active mode of NSRP (supports redundancy between traffic), schedule specific policies (used to restrict a traffic flow policy to a specific time range), and timer (used to automatically execute management functions). These features are not necessary to meet the security functional claims specified in the Security Target.
\r\n
The NetScreen appliance is a commercial network product that provides identification and authentication, information flow control, and audit. NetScreen appliances provide a level of protection that is appropriate for IT environments that require that information flows be controlled and restricted among network nodes where the NetScreen appliance components can be appropriately protected from physical attacks.
","features":[]}