Compliant Product - Palo Alto Networks PA-500, PA-2000 Series, PA-4000 Series, and PA-5000 Series Next-Generation Firewall with PAN-OS 4.0.12-h2 and User Identification Agent v3.1.2
Certificate Date: 11 April 2013
Validation Report Number: CCEVS-VR-VID10392-2013
Product Type: Firewall
Conformance Claim: EAL4 Augmented with ALC_FLR.2,ATE_DPT.3
PP Identifiers: None
CC Testing Lab: Leidos (formerly SAIC) Common Criteria Testing Laboratory
The Target of Evaluation (TOE) is Palo Alto Networks PA-500, PA-2000 Series, PA-4000 Series and PA-5000 Series Next-Generation Firewall devices comprising:
- The model appliances PA-500, PA-2020, PA-2050, PA-4020, PA-4050, PA-4060, PA-5020, PA-5050, and PA-5060 running PAN-OS v4.0.12-h2.
- The TOE also includes the User Identification Agent client version 3.1.2.
The TOE is a firewall that provides policy-based application visibility and control to protect traffic flowing through the enterprise network. The TOE is used to manage enterprise network traffic flows using function specific processing for networking, security, and management. The next-generation firewalls identify which applications are flowing across the network irrespective of port, protocol, or SSL encryption. Administrators can specify security policies based on an accurate identification of each application seeking access to the protected network. The firewalls use packet inspection and a library of applications to distinguish between applications that have the same protocol and port, and to identify potentially malicious applications that use non-standard ports. The purpose of the User Identification Agent component is to provide the firewall with the capability to automatically collect user-specific information that it uses in security policies and reporting.
Although there is no formal compliance claim, the ST and the TOE it describes do demonstrably meet all of the Security Functional Requirements (SFRs) of the following Protection Profile (PP):
U.S. Government Traffic-Filter Firewall Protection Profile for Medium Robustness Environments, Version 1.1, July 25, 2007
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. The criteria against which the Palo Alto Networks PA-500, PA-2000 Series, PA-4000 Series and PA-5000 Series Next-Generation Firewall TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 2. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1, Revision 2. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL4 assurance requirements package, augmented with ALC_FLR.2 (Flaw reporting procedures) and ATE_DPT.3 (Testing modular design). The product satisfies all of the security functional requirements stated in the Palo Alto Networks PA-500, PA-2000 Series, PA-4000 Series and PA-5000 Series Next-Generation Firewall running PAN-OS 4.0.12-h2 Security Target, when configured as specified in the evaluated guidance documentation.
A validation team on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in April 2013. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10392-2013), prepared by CCEVS.
The Palo Alto Networks PA-500, PA-2000 Series, PA-4000 Series and PA-5000 Series Next-Generation Firewall running PAN-OS 4.0.12-h2 TOE claims conformance to EAL4 augmented with ALC_FLR.2 and ATE_DPT.3. This target was chosen to ensure that the TOE provides a moderate to high level of independently assured security where testing has been conducted against the TOE’s modular design description and flaw remediation procedures ensure that flaws are identified and corrected.
Palo Alto Networks Firewalls support the following security functions:
The TOE provides the capability to generate audit records of a number of security events including all user identification and authentication, configuration events, and information flow control events (i.e. decisions to allow and/or deny traffic flow). The management GUI is used to review the audit trail. The management GUI offers options to sort and search the audit records, and to include or exclude auditable events from the set of audited events. The TOE stores the audit trail locally. The TOE protects the audit trail by providing only restricted access to it; by not providing interfaces to modify the audit records. The TOE also provides a time-stamp for the audit records. In addition, the TOE monitors various events occurring on the firewall (such as authentication failures and information flow policy failures) and will generate an alarm if the number of such events reaches a configured limit, indicating a potential security violation.
Identification and Authentication
The TOE ensures that all users accessing the TOE user interfaces are identified and authenticated. The TOE accomplishes this by supporting local user authentication using an internal database. The TOE maintains information that includes username, password, and role (set of privileges), which it uses to authenticate the human user and to associate that user with an authorized role. In addition, the TOE can be configured to lock a user out after a configurable number of unsuccessful authentication attempts.
The TOE provides FIPS approved key management capabilities and cryptographic algorithms implemented in a FIPS 140-2 validated crypto-module (Certificate #1877) to support the provision of: trusted paths to remote administrators accessing the TOE via HTTPS; trusted channels to authorized external IT entities; SSL decryption; SSH decryption; and protection of TSF data communicated between the firewall device and the User Identification Agent.
User Data Protection
The TOE enforces the Unauthenticated Information Flow SFP to control the type of information that is allowed to flow through the TOE and the Unauthenticated TOE Services SFP to control access to services offered by the TOE. The enforcement process for these SFPs involves the TOE performing application identification and policy lookups to determine what actions to take. The security policies can specify whether to block or allow a network session based on the application, the source and destination addresses, the application service (such as HTTP), users, the devices and virtual systems, and the source and destination security zones. Security zones are classified as the ‘untrusted’ zone, where interfaces are connected to the Internet, and the ‘trusted’ zone, where interfaces connect only to the internal network. Virtual systems provide a way to customize administration, networking, and security policies for the network traffic belonging to specific departments or customers. Each virtual system specifies a collection of physical and logical interfaces, and security zones for which specific policies can be tailored. Administrator accounts can be defined that are limited to the administration of a specific virtual system.
In addition, each security policy can also specify one or more security profiles, including: antivirus profiles; antispyware profiles; vulnerability protection profiles; and file blocking profiles. The profiles can identify which applications are inspected for viruses, a combination of methods to combat spyware, the level of protection against known vulnerabilities, and which type of files can be uploaded or downloaded. The TOE compares the policy rules against the incoming traffic to determine what actions to take including: scan for threats; block or allow traffic; logging; and packet marking.
The TOE also implements an information flow control policy for its VPN capability, which uses IP Security (IPSec) and Internet Key Exchange (IKE) protocols to establish secure tunnels for VPN traffic. The VPN policy makes a routing decision based on the destination IP address. If traffic is routed through a VPN tunnel, it is encrypted as VPN traffic. It is not necessary to define special rules for this policy—routing and encryption decisions are determined only by the destination IP address.
Both when the TOE receives data from the network and when it transmits data to the network, it ensures that the buffers are not padded out with previously transmitted or otherwise residual information.
The TSF relies on the domain controller in the IT environment, which is used with the User Identification Agent, to provide it with user specific information that is used in security policies and reporting.
The TOE provides a number of management functions and restricts them to users with the appropriate privileges. The management functions include the capability to create new user accounts, configure the audit function including selection of the auditable events, configure the information flow control rules, and review the audit trail. The TOE provides Security Administrator, Audit Administrator, and Cryptographic Administrator and ensures the appropriate functions are restricted to these roles and there is no overlap between the roles, except that all administrators have read access to the audit trail.
The TOE offers one interface to manage its functions and access its data: a GUI management interface. The GUI management interface can be accessed via direct connection to the device, or remotely over HTTPS.
Protection of the TSF
The TOE provides fault tolerance, when it is deployed in active/passive pairs. If the active firewall fails because a selected Ethernet link fails, or if one or more of the specified destinations cannot be reached by the active firewall, the passive firewall becomes active automatically with no loss of service. The active firewall continuously synchronizes its configuration and session information with the passive firewall over two dedicated high availability (HA) interfaces. If one HA interface fails, synchronization continues over the remaining interface.
The TOE is able to detect replay attacks and reject the data. This is true for traffic destined for the TOE itself as well as traffic passing through the TOE.
In addition, the TOE provides a set of self-tests that demonstrate correct operation of the TSF, the cryptographic functions implemented in the TSF, and the key generation components implemented in the TSF.
The TOE uses its cryptographic capabilities to secure communication between the User Identification Agent and the firewall.
The TOE is able to enforce transport-layer quotas for the number of SYN requests per second, the number of UDP packets per second that do not match an existing UDP session, and the number of ICMP packets per second.
The TOE provides the capabilities for both TOE- and user-initiated locking of interactive sessions and for TOE termination of an interactive session after a period of inactivity. The TOE will display an advisory and consent warning message regarding unauthorized use of the TOE before establishing a user session. The TOE can also deny establishment of an authorized user session based on location, day, and time.
The TOE provides trusted paths to remote administrators accessing the TOE via HTTPS and trusted channels to authorized external IT entities.