Product Name: WatchGuard LiveSecurity
System with Firebox II 4.1
Product Type: Firewall
Date: August 29, 2000
Conformance Claim: EAL 2
PP Identifier: none
Security Target: 
Validation Report:
|
Key Words: firewall, packet-filtering, stateful,
IP
Vendor: WatchGuard Technologies
POC:
Phone:
Fax:
Email:
Web:
CC Testing Lab: Computer Sciences Corporation
|
PRODUCT DESCRIPTION
The WatchGuard LiveSecurity System consists of a suite of management
and security software tools coupled with a plug-and-play
network appliance called the WatchGuard Firebox II. The WatchGuard
LiveSecurity System with Firebox II, herein referred to as
WatchGuard, uses dynamic packet filtering rules to allow
the authorized administrator to add and remove rules depending
on network activity. WatchGuard uses a hybrid technology
of dynamic packet filtering and transparent proxies to control
and monitor the flow of IP packets through the firewall.
The transparent proxies used with WatchGuard provide added
security and filtering options for SMTP connections. WatchGuard
consists of four major components:
- LiveSecurity Broadcast Network - a subscription service
that sends software updates from the external network directly
to the Control Center platform. (This component is not
part of the evaluated TOE configuration).
- Control Center - software executing on a Windows NT
platform that configures and monitors the Firebox II. The
Control Center also contains the tools to perform logging
and notification of firewall events.
- Event Processor - software executing on a Windows NT
platform responsible for logging firewall audit events
and notifying the authorized administrator when a triggering
event is detected.
- Firebox II - a hardware firewall device that runs the
transparent proxies and the dynamic packet filter to control
the flow of IP information. The Firebox II is designed
to be a "network appliance" which is an easy
to use, low maintenance component that plugs into a network.
The WatchGuard provides the following security features:
- Security Audit: The Control Center provides the authorized
administrator with the ability to specify which traffic-filter
and application-filter log events to detect on the Firebox
II. These events are time-stamped and sent to the Event
Processor to be recorded within the audit log. The Control
Center is used by the authorized administrator to review
audit data generated by the Firebox II. The Control Center
provides the authorized administrator with the ability
to search the audit log by keywords and field types and
sort the audit log in chronological order.
- User Data Protection: The Firebox II provides SMTP application
level protection. The Firebox II ensures that information
contained in packets is no longer accessible once the packet
has been processed. The Firebox II enforces the information
flow Security Policy for all flows through the TOE.
- Privacy: NAT hides the internal network addresses from
hosts on an external network. WatchGuard supports two types
of NAT: Dynamic NAT and Static NAT.
- Authentication and Identification: The Control Center
provides role identification. This permits separation of
review operations from review/modify operations. The Control
Center and Firebox II establish an encrypted channel to
securely exchange control and status information. The Windows
NT login interface is used to provide authentication and
identification for authorized administrators accessing
the Management Station.
- Security Management: The Control Center provides the
authorized administrator with the ability to manage the
information flow Security Policy enforced by the Firebox
II, and audit events generated by the Firebox II. It also
permits the authorized administrator to examine information
flow rules, configuration parameters, and the audit log.
- Protection of Security Functions: Interfaces between
the external and internal networks are provided by the
Firebox II. It assures that information flow from the external
and internal networks cannot flow to or from the Management
Station.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance to the Trust
Technology Assessment Program (TTAP) process and scheme.
The purpose of the evaluation was to demonstrate that the
WatchGuard LiveSecurity System with Firebox II 4.1 meets
the security requirements contained in the Security Target.
The criteria against which the WatchGuard LiveSecurity
System with Firebox II 4.1 was judged are described in
the Common Criteria for Information Technology Security
Evaluation, Version 2.1. The evaluation methodology used
by the evaluation team to conduct the evaluation is the
Common Methodology for Information Technology Security
Evaluation, Version 1.0. Computer Sciences Corporation
has determined that the evaluation assurance level (EAL)
for the product, as specified in the Security Target, is
EAL 2 and the product configured as described in the WatchGuard
Technologies WatchGuard LiveSecurity System with Firebox
II 4.1, Delivery, Installation, Generation, and Startup
Guide satisfies all the security functional requirements
stated in the Security Target. Two certifiers on behalf
of the TTAP Oversight Board monitored the evaluation carried
out by Computer Sciences Corporation. The evaluation was
completed in August 2000. Results of the evaluation can
be found in the Evaluation Technical Report WatchGuard
Technologies WatchGuard LiveSecurity System with Firebox
II 4.1 TOE Evaluation prepared by Computer Sciences Corporation.
ENVIRONMENTAL STRENGTHS
It is assumed that the WatchGuard LiveSecurity System with
Firebox II 4.1 is located within a controlled access facility
that mitigates unauthorized, physical access and the firewall
is only used for firewall functionality. The WatchGuard
administrator is the only person allowed access to the
WatchGuard LiveSecurity System with Firebox II 4.1; there
are no non-administrative accounts on the management station.
The administrator is assumed to be trustworthy and trained
on security policies and practices of the environment for
which the WatchGuard LiveSecurity System with Firebox II
4.1 is intended to protect. The WatchGuard LiveSecurity
System with Firebox II 4.1 is intended to be used either
in environments in which, at most, sensitive but unclassified
information is processed, or the sensitivity level of the
information in both the internal and external networks
is equivalent (i.e., the firewall is not intended to separate
information of different classification levels).
|
![[X]](/assets/images/button_close.gif){kind=small}
