Recommendations on the operating environment

DEFINITION

The Common Criteria evaluate (on an Evaluation Assurance Level or EAL scale of 1 to 7) a product’s capacity to provide the security functions for which it was designed, as well as the quality of its life cycle (development, production, delivery, putting into service, updates).

Introduction

The installation of a Firewall often comes within the scope of setting up a global security policy. To ensure optimal protection of your assets, resources or information, it is not simply a matter of installing a Firewall between your network and the Internet. This is because the majority of attacks come from the inside (accidents, disgruntled employees, a dismissed employee who has retained internal access, etc.). And one would also agree that installing a steel security door defeats its purpose when the walls are made of paper.

Backed by the Common Criteria, Stormshield Network advises taking into consideration the recommendations of use for the Administration Suite and Firewall product set out below. These recommendations define the usage requirements that must be observed for your Firewall to operate within the context of the Common Criteria certification.

Security watch

Please regularly check the Stormshield security advisories published on https://advisories.stormshield.eu.

Always update your firewall when an update fixes a security flaw. Updates are available here: https://mystormshield.eu.

Physical security measures

Stormshield Network Firewall-VPN appliances must be installed and stored in compliance with the state of the art regarding sensitive security devices: secured access to the premises, shielded cables with twisted pairs, labeled cables, etc.

Organizational security measures

The default password of the “admin” user (super administrator) must be changed the very first time the product is used. The wizard will prompt the user to change his password during the initial installation, in the Administration of the appliance window. In the web administration interface, this password can be changed in the Administrator module (System menu), under the Administrator account tab.

The definition of this password must observe the best practices described in the following section, under User password management.

A particular administrative role – that of the super-administrator – has the following characteristics:

  • Only the super-administrator is permitted to connect via the local console on NETASQ firewall-VPN appliances, and only when installing the Firewall or for maintenance operations, not as part of routine use of the equipment.
  • He is in charge of defining the profiles of other administrators.
  • All access to the premises where the appliances are stored has to be under his supervision, regardless of whether the access is due to an intervention on the appliance or on other equipment. He is responsible for all interventions carried out on the appliances.

User and administrator passwords have to be chosen so that cracking them takes as long as possible. This can be ensured by implementing a policy governing their creation and verification.

Example

Combination of letters and numbers, minimum length, addition of special characters, words not found in ordinary dictionaries, etc.

Administrators are familiar with these best practices through their duties and are responsible for raising users’ awareness of them (cf. the next section: User Awareness).

For equipment in “trusted” networks that must be protected, the traffic control policy to be implemented should be defined so that it is:

  • Complete: the standard scenarios of how equipment is used have all been considered when defining the rules and their authorized limits have been defined.
  • Strict: only the necessary uses of the equipment are authorized.
  • Correct: rules do not contradict each other.
  • Unambiguous: the wording of the rules provides a competent administrator with all the relevant elements for direct configuration of the appliance.

Human resources

Administrators are non-hostile, competent persons with the necessary means for accomplishing their tasks. They have been trained to carry out the operations for which they are responsible. In particular, their skills and organization imply that:

  • Different administrators having the same rights will not perform administrative actions which conflict.
  • Logs are used and alarms are processed within the appropriate time frames.

Example

Conflicting modifications to the traffic control policy.

IT security environment

Stormshield Network firewall-VPN appliances must be installed in accordance with the current network interconnection policy and are the only passageways between the different networks on which the traffic control policy has to be applied. They are sized according to the capacities of the adjacent devices, or those devices limit the number of packets per second to slightly below the maximum processing capacity of each firewall-VPN appliance installed in the network architecture.

Besides applying security functions, NETASQ firewall-VPN appliances do not provide any network service other than routing and address translation.

Example

no DHCP, DNS, PKI, application proxies, etc.*

Stormshield Network appliances are not configured to forward IPX, Netbios, AppleTalk, PPPoE or IPv6 information flows.

Firewall-VPN appliances do not depend on external “online” services (DNS, DHCP, RADIUS, etc.) to apply the information flow control policy.

Remote administration workstations are secured and kept up to date on all known vulnerabilities affecting operating systems and hosted applications. They are installed in protected premises and are exclusively dedicated to the administration of firewall-VPN appliances and the storage of backups.

Network devices that the firewall uses to establish VPN tunnels are subject to constraints relating to physical access, protection and control of their configuration. These constraints are equivalent to those faced by the TOE’s firewall-VPN appliances.

Workstations on which the VPN clients of authorized users are launched are subject to restrictions regarding physical access control, protection and control over their configuration, equivalent to the restrictions placed on workstations in trusted networks. They are secured and kept up to date on all known vulnerabilities affecting operating systems and hosted applications.

* These services are available on firewalls but are not part of the scope of evaluation of the common criteria.

Evaluated configurations and usage

The evaluated usage of the environment must have the following characteristics:

  • Certificates and CRLs are distributed manually (importing).
  • The evaluated usage mode excludes the TOE relying on services other than PKI, DNS and DHCP servers and proxies. The optional modules provided by Stormshield Network to manage these services are disabled by default and must stay that way. Specifically, these are:
      • the internal public key infrastructure (PKI),
      • the user authentication module,
      • the SSL VPN module (Portal and Tunnel),
      • the antivirus engine (ClamAV or Kaspersky),
      • the Active Update module,
      • the dynamic routing module (BIRD dynamic routing service),
      • the DNS cache (DNS/Proxy cache),
      • the SSH, DHCP, MPD and SNMPD servers (SSH server, DHCP server and SNMP agent),
      • the DHCP client (DHCP server),
      • the NTP daemon (NTP client),
      • the DHCP relay,
      • the cloud backup service.
  • Even though it is supported, the IPv6 feature is disabled by default and must remain so for the duration of the evaluation.
  • IPSec administrators and users are managed by the internal LDAP directory. The evaluated usage excludes external LDAP clients outside the firewall-VPN appliance’s network connecting to this directory.
  • Audit logs – depending on the model – are either stored locally or sent via Syslog.
  • The ability provided by the filter policy to associate each filter rule with an application inspection (HTTP, SMTP, POP3 and FTP proxies) and a schedule falls outside the scope of this evaluation and must not be used.
  • The option of associating a “decrypt” action (SSL proxy) with a filter rule in the filter policy falls outside the scope of this evaluation and must not be used.

Cryptographic algorithms needed for compliance with the RGS (General Security Guidelines defined by ANSSI, the French Network and Information Security Agency) and used for the evaluation

  Algorithm         Key size (bits)
  Diffie-Hellman    2048, 3072, 4096

  Algorithm         Key size (bits)
  RSA               2048, 4096

  Algorithm         Fingerprint size (bits)
  HMAC-SHA1         160
  HMAC-SHA2         256, 384, 512
  SHA2              256, 384, 512

  Algorithm         Key size (bits)
  AES               128, 192, 256
  Triple DES        168
  Blowfish          128 to 256
  CAST              128

The Perfect Forward Secrecy (PFS) option performs a new Diffie-Hellman key exchange during IKE Phase 2. This ensures that, if a key is stolen, neither the next nor the previous keys can be deduced from it, so the whole IPSec exchange cannot be decrypted: only the segment of the communication protected by the compromised key is exposed. You are strongly advised to leave PFS enabled in order to comply with the RGS, which is the scenario that has been chosen for the evaluation.
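The following simulation, added here as an illustration and not part of the Stormshield documentation, models the point made above: without PFS every Phase 2 key is derived from the Phase 1 secret, so one compromise of that secret exposes every IPSec SA, whereas with PFS each Phase 2 mixes in a fresh Diffie-Hellman secret that never crosses the wire. The group parameters, the key-derivation function and the transcript format are simplified stand-ins for IKE, not the real protocol.

```python
import hashlib
import secrets

# Constructed toy group for the demo only (p = 2^127 - 1, g = 3); real IKE uses the 2048/3072/4096-bit groups above.
P = (1 << 127) - 1
G = 3

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1
    return priv, pow(G, priv, P)

def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)

def derive(*parts):
    """Toy KDF standing in for IKE's PRF-based key derivation."""
    return hashlib.sha256("|".join(str(p) for p in parts).encode()).hexdigest()

def ike_session(n_child_sas, pfs):
    """Simulate one IKE SA followed by n_child_sas Phase 2 negotiations. Returns the
    Phase 1 secret, the child (IPSec SA) keys, and the public transcript seen on the wire."""
    a, _ = dh_keypair()
    b, gb = dh_keypair()
    skeyid = derive(dh_shared(a, gb))            # Phase 1 secret, identical on both sides
    child_keys, transcript = [], []
    for _ in range(n_child_sas):
        ni, nr = secrets.token_hex(8), secrets.token_hex(8)
        if pfs:                                  # fresh DH exchange inside Phase 2
            c, gc = dh_keypair()
            d, gd = dh_keypair()
            child_keys.append(derive(skeyid, dh_shared(c, gd), ni, nr))
            transcript.append((ni, nr, gc, gd))  # c and d themselves never cross the wire
        else:                                    # key material comes from Phase 1 only
            child_keys.append(derive(skeyid, ni, nr))
            transcript.append((ni, nr, None, None))
    return skeyid, child_keys, transcript

def recover_child_keys(leaked_skeyid, transcript):
    """Keys derivable from the Phase 1 secret plus the transcript; None where the fresh DH secret blocks it."""
    return [derive(leaked_skeyid, ni, nr) if gc is None else None
            for ni, nr, gc, _gd in transcript]

def pfs_demo(n_child_sas=3):
    """Count how many child keys a Phase 1 compromise exposes, with and without PFS."""
    exposed = {}
    for pfs in (False, True):
        skeyid, keys, transcript = ike_session(n_child_sas, pfs)
        recovered = recover_child_keys(skeyid, transcript)
        exposed[pfs] = sum(k == r for k, r in zip(keys, recovered))
    return exposed   # {False: n_child_sas, True: 0}
```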

The security of the connection to the authentication portal and the administration interface has been strengthened, as per the recommendations of the ANSSI (French Network and Information Security Agency). These connections must use specific versions of the SSL/TLS protocol: SSLv3 has been disabled in favour of TLS versions, and the use of AES cipher suites with Diffie-Hellman key exchange is imposed. As Internet Explorer versions 6, 7 and 8 do not support this configuration, you are advised to use a more recent version of this browser. This configuration must not be disabled, in order to stay within the scope of the evaluation.