{"product_id":6015,"v_id":6015,"product_name":"Cisco Firewall Services Module (FWSM) Version 3.1 (3.17) for Cisco Catalyst 6500 Switches and Cisco 7600 Series Routers","certification_status":"Not Certified","certification_date":"2007-03-05T00:03:00Z","tech_type":"Firewall","vendor_id":{"name":"Cisco Systems, Inc.","website":"https://www.cisco.com"},"vendor_poc":null,"vendor_phone":"+1 410 309 4862","vendor_email":"certteam@cisco.com","assigned_lab":{"cctl_name":"Arca CCTL"},"product_description":"<p>Cisco Systems Firewall Services Module (FWSM) offers a range of security and networking services, including application-layer firewall services as well as stateful packet filtering firewall services.  The Cisco FWSM is a high-speed, integrated firewall module for Cisco Catalyst&reg; 6500 switches and Cisco 7600 Series routers. The Cisco router models included within the scope of this evaluation are the 7603, 7606, 7609, and 7613.  The Cisco Catalyst switch models included within the scope of this evaluation are 6503, 6506, 6509-NEB, 6509, and 6513. Also included within the scope of the evaluation were the Sup720, Sup2 supervisor cards and the PIX Firewall Syslog Server (PFSS) version 5.1(4). From hereon these platforms will be referred to as the Target of Evaluation (TOE).</p>\r\n<p>The TOE provides a single point of defense as well as controlled and audited access to services between networks by permitting or denying the flow of information traversing the contexts on the appliance.  
Inspection engines provide application-layer firewall services for:</p>\r\n<ul type=\"disc\" style=\"margin-top: 0pt;\">\r\n    <li>Core services: HTTP, FTP, ESMTP, DNS, ICMP, TCP, UDP</li>\r\n    <li>Voice over IP (VoIP) / Unified Communication services: SIP, SCCP, H.323, RTSP, TAPI/JTAP, GTP</li>\r\n    <li>Application/operating system services: LDAP/ILS, SunRPC, XDMCP, TFTP</li>\r\n</ul>\r\n<p>The TOE supports multiple contexts (or virtual firewalls) executing simultaneously on the firewall module.  Each firewall context (virtual firewall) is treated as a separate independent device with its own security policy, network interfaces, administrators and configuration file.</p>\r\n<p>Each firewall module can operate as a single context or provide multiple contexts. Each firewall context executes in one of two firewall modes, routed or transparent.  Either of these two modes can be used in single context or multiple context environments. In routed mode the TOE is a router hop in the network. It can mediate network access, perform NAT, and use OSPF between external and internal networks. Routed mode supports many interfaces, and each interface is on a different subnet. Routed mode interfaces can also be shared between contexts.  In transparent mode, the TOE provides layer 2 transparent bridging. The TOE connects the same subnet on its inside and outside interfaces. No dynamic routing protocols or NAT are used. However, like routed mode, transparent mode also requires access lists to allow any traffic through the context as defined in administrator-created access-lists, and application-layer inspection engines can also be applied to this traffic. 
Transparent mode only supports two interfaces, an inside interface and an outside interface, and supports a single IP for remote management as well as virtual console access via the admin context.</p>\r\n<p>The TOE can be managed by SSH for secure remote management or via a physically secure local console connection.</p>","evaluation_configuration":null,"security_evaluation_summary":"<p>The evaluation was carried out in accordance with the Arca Common Criteria Test Laboratory processes and procedures that are compliant with the Common Criteria Evaluation and Validation Scheme (CCEVS). The evaluation demonstrated that the Security Management, Audit, Information Flow Control, Identification &amp; Authentication, Protection, and Clock functions of the TOE met the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2 Part II and Part III. The evaluation team conducted the evaluation using the Common Methodology for Information Technology Security Evaluation, Version 2.2.</p>\r\n<p>Arca determined the product to be CC version 2.2 Part 2 and Part 3 conformant, including all Information Technology Security Evaluation Final Interpretations from January 2004 through March 27, 2004, and concluded that the Common Criteria requirements for Evaluation Assurance Level (EAL) 4 have been met with the addition of ALC_FLR.1.  In addition, the evaluation team confirmed that the TOE uses CCEVS precedent PD-0113, to satisfy SFR FAU_STG.1, and PD-0115 and 0026 to maintain consistency with the U.S. Department of Defense Application-level Firewall Protection Profile for Medium Robustness Environments, Version 1.0, June 28, 2000 [FWPP]. 
The product, configured as outlined in the Secure Installation Guidance, satisfies all of the security functional requirements stated in the Security Target and all of the requirements in the [FWPP] with the exception of AVA_VLA.3. A validator, on behalf of the CCEVS Validation Body, monitored the evaluation carried out by Arca. The evaluation was completed in March 2007. Results of the evaluation can be found in the Validation Report prepared by the National Information Assurance Partnership (NIAP) CCEVS.</p>","environmental_strengths":"<p>Cisco Firewall Services Modules (FWSM) are deployed at the edges of untrusted networks (such as the Internet), in order to provide controlled communications between two networks that are physically separated. The Cisco Firewall Services Modules (FWSM) evaluation at EAL4 augmented by ALC_FLR.1 indicates that the product is suitable to ensure a moderate level of security for protecting information in DoD Mission-Critical Categories. The TOE claims a minimum strength of function of SOF-medium for the TOE security functional requirements and the TOE as a whole. Appropriate physical protection of the Firewall Services Modules (FWSM) and the external audit server is required.</p>","features":[]}