Maintenance Addendum Nortel Switched Firewall version 4.0.3 with Check Point VPN-1/FireWall-1 R55 (September 2005)

Canadian Common Criteria Scheme (CCCS)

Maintenance Report

Nortel Switched Firewall version 4.0.3 with Check Point VPN-1/FireWall-1 R55

 

Issued by:

Communications Security Establishment

Certification Body

Canadian Common Criteria Evaluation and Certification Scheme

© 2005 Government of Canada, Communications Security Establishment

Document number 383-7-6-MR
Version 1.1
Date 13 September 2005

1 Introduction

On 12 September 2005, Electronic Warfare Associates-Canada (EWA-Canada) submitted an Impact Analysis Report to the CCS Certification Body on behalf of Nortel, the developer of the Nortel Switched Firewall version 4.0.3 with Check Point VPN-1/FireWall-1 R55 product. The Impact Analysis Report is intended to satisfy requirements outlined in version 1.0 of the Common Criteria document CCIMB-2004-02-009: Assurance Continuity: CCRA Requirements. In accordance with those requirements, the Impact Analysis Report (IAR) describes the changes made to Nortel Switched Firewall version 4.0.3 with Check Point VPN-1/FireWall-1 R55 (the maintained Target of Evaluation), the evidence updated as a result of the changes and the security impact of the changes.

2 Description of changes

The product name has changed from the Nortel Networks Alteon Switched Firewall to the Nortel Switched Firewall. The changes listed in the IAR include the changes made from version 2.0.3 of the Nortel Switched Firewall to version 4.0.3, as well as those made from FP3 HFA 315 in the Check Point VPN-1/FireWall-1 to R55.

The following characterizes the changes implemented in the Nortel Switched Firewall version 4.0.3 with Check Point VPN-1/FireWall-1 R55. For each change, it was verified that there were no required changes to the security functional requirements in the ST, and thorough functional and regression testing was conducted by the developer to ensure that the assurance in the Target of Evaluation (TOE) was maintained. The changes in Nortel Switched Firewall version 4.0.3 with Check Point VPN-1/FireWall-1 R55 comprise software changes that:

  • restore the expected functionality of the product (bug fixes);
  • support up to R55 of the Check Point VPN-1/FireWall-1;
  • add functionality to portions of the product not included in the scope of the original evaluation;
  • accommodate performance increases in new hardware models:
      ASF    SFD    SFA
      6414   5014   6400
      6614   5014   6600
      6416   5016   6400
      6616   5016   6600

Some of the product changes are explicitly excluded from the original certified configuration of the TOE, including the use of added CLI commands that give an administrator access to a graphical user interface during initial setup, and remote login to the product.

3 Affected developer evidence

Modifications to the product necessitated changes to a subset of the developer evidence that was previously submitted for the TOE. The set of affected developer evidence was identified in the IAR, and revised versions of all affected developer evidence were submitted.

Modifications to the security target were made to reflect the new product name and version, as well as to include the expanded list of underlying hardware.

4 Conclusions

All changes to the TOE were feature changes and isolated corrections to the product. Through functional and regression testing of the Nortel Switched Firewall version 4.0.3 with Check Point VPN-1/FireWall-1 R55, assurance gained in the original TOE certification was maintained. As all of the changes to the TOE have been classified as minor, it is the conclusion of the CB that the maintained TOE is appropriate for assurance continuity and reevaluation is not required.

5 References

Assurance Continuity: CCRA Requirements, CCIMB-2004-02-009, version 1.0, February 2004

Technical Oversight for Assurance Continuity of a certified TOE, version 1.0, 18 June 2004

Certification Report for EAL4 Evaluation of Nortel Alteon Switched Firewall (Version 2.0.3 with Hotfix 315/NG_FP3_HFA_315)