Compliant Product - Check Point Software Technologies Ltd. Security Gateway and Maestro Hyperscale Appliances R81.00
Certificate Date: 2022.03.21
Validation Report Number: CCEVS-VR-VID11235-2022
Product Type: Firewall; Virtual Private Network
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
collaborative Protection Profile Module for Stateful Traffic Filter Firewalls v1.4 + Errata 20200625
PP-Module for Virtual Private Network (VPN) Gateways Version 1.1
CC Testing Lab: Gossamer Security Solutions
The Target of Evaluation (TOE) is Check Point Software Security Gateway and Maestro Hyperscale Appliances running software version R81.00. The product family is a set of VPN Gateway and packet filtering firewall appliances, a management appliance, and management software. The product provides controlled connectivity between two or more network environments. It mediates information flows between clients and servers located on internal and external networks governed by the firewalls.
The TOE is a distributed system with support for a security management server, allowing remote administration over a protected IPsec connection. The TOE includes the following distributed components:
All products are running Check Point version R81.00 software. All platforms are x86-based hardware. These platforms can be installed as a Security Gateway or a Standalone (i.e., a combination of a Security Management Server and a Security Gateway on a single hardware platform).
• Check Point 3600, 3800
• Check Point 6200, 6400, 6600, 6700, 6900
• Check Point 7000
• Check Point 154**, 156**
• Check Point 16000, 16200, 16600
• Check Point 26000, 28000, 28600
The following Check Point “Smart-1” Security Management Servers are included in the evaluated configuration, running the same R81.00 software. The platform and virtualized platform below run the same software but provide Security Management Server functionality and do not operate as a Security Gateway.
• Smart-1 525
• ESXi 7.0 (HPE D360 G10)
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the Check Point Software Technologies LTD. Security Gateway Appliances R81.00 Common Criteria Supplement, Version 1.0, March 16, 2022 document, satisfies all of the security functional requirements stated in the Check Point Software Technologies Ltd. Security Gateway and Maestro Hyperscale Appliances R81.00 Security Target, Version 0.5, March 16, 2022. The project underwent CCEVS Validator review. The evaluation was completed in March 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11235-2022) prepared by CCEVS.
The logical boundaries of the Security Gateway and Maestro Hyperscale Appliances are realized in the security functions that it implements. Each of these security functions is summarized below.
The TOE generates audit logs and has the capability to store them internally or to send them to an external audit server. The connection between the TOE and the remote audit server is protected with IPsec. The TOE has a disk cleanup procedure where it removes old audit logs to allow space for new ones. When disk space falls below a predefined threshold (the cleanup procedure cannot keep up with the audit collection), the TOE stops collecting audit records.
The TOE is a distributed solution consisting of Security Gateway and Maestro Hyperscale Appliances as well as a Security Management Server. The Security Management Server can manage one or more Security Gateways and Maestro Hyperscale Appliances.
The TOE uses the Check Point Cryptographic Library version 1.1 that has received Cryptographic Algorithm Validation Program (CAVP) certificates for all cryptographic functions claimed in the ST. Cryptographic services include key management, random bit generation, encryption/decryption, digital signature, and secure hashing.
User data protection:
The TOE ensures that residual information is protected from potential reuse in accessible objects such as network packets.
Stateful Traffic Filtering Firewall:
The TOE supports many protocols for packet filtering, including ICMPv4, ICMPv6, IPv4, IPv6, TCP and UDP. The firewall rules implement the SPD rules (permit, deny, bypass). Each rule can be configured to log the status of packets pertaining to the rule. All codes under each protocol are implemented. The TOE supports FTP for stateful filtering.
Routed packets are forwarded to a TOE interface with the interface’s MAC address as the layer-2 destination address. The TOE routes the packets using the presumed destination address in the IP header, in accordance with route tables maintained by the TOE.
IP packets are processed by the Check Point R81.00 software, which associates them with application-level connections, using the IP packet header fields: source and destination IP address and port, as well as IP protocol. Fragmented packets are reassembled before they are processed.
The TOE mediates the information flows according to an administrator-defined policy. Some of the traffic may be either silently dropped or rejected (with notification to the presumed source).
The TOE's firewall and VPN capabilities are controlled by defining an ordered set of rules in the Security Rule Base. The Rule Base specifies what communication will be allowed to pass and what will be blocked. It specifies the source and destination of the communication, what services can be used, at what times, whether to log the connection and the logging level.
Identification and authentication:
The TOE implements a password-based authentication mechanism for authenticating users and requires identification and authentication before allowing access. Only the banner may be presented before authentication is complete. The TOE supports passwords of varying length and allows an administrator to specify a minimum password length between 8 and 100 characters long. The password composition can contain all special characters as required by FIA_PMG_EXT.1.1.
Internally, the TOE keeps track of failed login attempts, and if the configured number of attempts is met, the administrator is locked out either for a period of time or until the primary administrator unlocks the account. The local Command Line Interface (CLI) remains available when the remote account is locked out.
The TOE’s IPsec implementation supports Pre-Shared Keys (PSKs) and X.509 certificates (both RSA and ECDSA) for IKE authentication.
The TOE allows both local and remote administration for management of the TOE’s security functions. The TOE creates and maintains roles for configured administrators. An administrator can log in locally to the TOE using a serial connection. The local login operates in a CLI. There is one remote administration interface that can be used once the TOE is in its evaluated configuration. The remote administration interface is executed through a Graphical User Interface (GUI) program named SmartConsole using a connection protected by IPsec.
Please see the Stateful Traffic Filtering Firewall section for a description of the TOE’s packet filtering mechanism.
Protection of the TSF:
The TOE includes capabilities to protect itself from unwanted modification as well as protecting its persistent data.
The TOE does not store passwords in plaintext; they are obfuscated. The TOE does not support any command line capability to view any cryptographic keys generated or used by the TOE.
The TOE only allows updates after their signature is successfully verified. The TOE update mechanism uses ECDSA with SHA-512 and P-521 to verify the signature of the update package.
The TOE’s FIPS executables are signed using ECDSA with SHA-512 and P-521. For all other executables a hash is computed during system installation and configuration and during updates.
During power-up, the integrity of all executables is verified. If an integrity test fails in the cryptographic module, the system will enter a kernel panic and will fail to boot. If an integrity test fails due to a non-matching hash, a log is written. Also, during power-up, algorithms are tested in the kernel and user-space. If any of these tests fail, the TOE is not operational for users.
The TOE protects all communications among its distributed components with IPsec.
The TOE provides a timestamp for use with audit records, timing elements of cryptographic functions, and inactivity timeouts.
The TOE terminates interactive sessions if the session is inactive for an administrator-configured period of time. The TOE also allows a session to be disconnected via a logout command. An administrator can configure a login banner to be displayed before authentication is completed.
The TOE protects all communications with outside entities using IPsec communications only. The TOE employs IPsec when it sends audit data to an audit server, and when allowing remote administration connections. Any protocol that is part of the distributed TOE must be protected in an IPsec connection.
Check Point Software Technologies Ltd.