AAR Test Summary. FireEye CM, FX, EX, and NX Series Appliances

FireEye CM, FX, EX, and NX Series Appliances Series Security Target, version 1.0
Protection Profile for Network Devices (NDPP), version 1.1, dated: 6/8/2012
Security Requirements for Network Devices Errata #3, dated: 1/13/2013

Version 3.0, 8/18/2015

Evaluated by: Office Park Dr. Montgomery Village, MD
Prepared for: National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme

Contents

1 TOE Overview
  CM Series Appliances: CM 4400, CM 7400, CM
  FX Series Appliances: FX 5400, FX
  EX Series Appliances: EX 3400, EX 5400, EX 8400, EX
  NX Series Appliances: NX 900, NX 1400, NX 2400, NX 4400, NX 4420, NX 7400, NX 7420, NX 7500, NX 10000, NX9450, NX
  Security Features
  Supported non-TOE Hardware/Software/Firmware
Test Identification
Testing Subset
Test Equivalency Justification
Recommendations/Conclusion
TSS and Guidance Activities
  FAU_GEN.1 Guidance
  FAU_GEN.1 Guidance
  FAU_GEN
  FAU_STG_EXT.1.1 TSS
  FAU_STG_EXT.1.1 Guidance
  FAU_STG_EXT.1.1 TSS 1 (not audit server)
  FAU_STG_EXT.1.1 Guidance 1 (not audit server)
  FCS_CKM.1.1 TSS
  FCS_CKM_EXT.4.1 TSS
  FCS_RBG_EXT.1.1 Guidance 1 (SP A DRBG)
  FDP_RIP.2.1 TSS
  FIA_PMG_EXT.1.1 Guidance
  FIA_UIA_EXT.1 TSS
  FIA_UIA_EXT.1 Guidance
  FMT_MTD.1 Guidance
  FMT_MTD.1 TSS
  FMT_SMF
  FMT_SMR.2 Guidance
  FPT_SKP_EXT.1 TSS
  FPT_APW_EXT.1 TSS
  FPT_APW_EXT.1 TSS
  FPT_ITT.1 TSS
  FPT_ITT.1 TSS
  FPT_ITT.1 Guidance
  FPT_STM.1 TSS
  FPT_STM.1 Guidance
  FPT_STM.1 Guidance
  FPT_TUD_EXT.1 TSS
  FPT_TUD_EXT.1 TSS
  FPT_TST_EXT.1.1 TSS
  FPT_TST_EXT.1.1 TSS
  FPT_TST_EXT.1.1 Guidance
  FTA_TAB.1 TSS
  FTP_ITC.1 TSS
  FTP_ITC.1 TSS
  FTP_ITC.1 Guidance
  FTP_TRP.1 TSS
  FTP_TRP.1 TSS
  FTP_TRP.1 Guidance
  FCS_TLS_EXT.1 TSS
  FCS_TLS_EXT.1 Guidance
  FCS_SSH_EXT.1.2 TSS
  FCS_SSH_EXT.1.3 TSS
  FCS_SSH_EXT.1.4 TSS
  FCS_SSH_EXT.1.4 Guidance
  FCS_SSH_EXT.1.6 TSS
  FCS_SSH_EXT.1.6 Guidance
  FCS_SSH_EXT.1.7 Guidance
  FCS_SSH_EXT.1.7 TSS
Test Infrastructure
  7.1 Test Bed #
    Physical Component Overview TESTBED #
    Testbed Diagram TESTBED #
    Testbed Addressing TESTBED #
    Component Configuration Diagram TESTBED #
  Test bed #
    Physical Component Overview TESTBED #
    Testbed Diagram TESTBED #
    Testbed Addressing TESTBED #
    Component Configuration Diagram TESTBED #
Audit Testing Summary
  FAU_GEN.1 Test
  FAU_STG_EXT.1 Test 1 (not audit server)
Cryptographic Support Testing Summary
  FCS_CKM.1.1 Test
  FCS_COP.1.1 (1) Test
  FCS_COP.1.1 (2) Test
  FCS_COP.1.1 (3) Test
  FCS_COP.1.1 (4) Test
  FCS_RBG_EXT.1.1 Test
  FCS_RBG_EXT.1.1 Test 2 (SP A DRBG)
Identification and Authentication Testing Summary
  FIA_PMG_EXT.1 Test
  FIA_UIA_EXT.1 Test #
  FIA_UIA_EXT.1 Test #
  FIA_UIA_EXT.1 Test #
  FIA_UAU.7 Test #
Protection of the TSF Testing Summary
  FPT_STM.1 Test #
  FPT_STM.1 Test #
  FPT_TUD_EXT.1 Test #
  FPT_TUD_EXT.1 Test #
8.5 TOE Access Testing Summary
  FTA_SSL_EXT.1 Test #
  FTA_SSL.3 Test #
  FTA_SSL.4 Test #
  FTA_SSL.4 Test #
  FTA_TAB.1 Test #
Trusted Path/Channels Testing Summary
  FTP_ITC.1 Test #
  FTP_ITC.1 Test #
  FTP_TRP.1 Test #
  FTP_TRP.1 Test #
TLS Testing Summary
  FCS_TLS_EXT.1 Test #
  FCS_TLS_EXT.1 Test #2a
  FCS_TLS_EXT.1 Test #2b
  FCS_TLS_EXT.1 Test #2c
  FCS_TLS_EXT.1 Test #2d
SSH Testing Summary
  FCS_SSH_EXT.1.2 Test #
  FCS_SSH_EXT.1.2 Test #
  FCS_SSH_EXT.1.3 Test #
  FCS_SSH_EXT.1.4 Test #
  FCS_SSH_EXT.1.6 Test #
  FCS_SSH_EXT.1.7 Test #
Conclusion

1 TOE Overview

The TOE consists of several families of appliances working together to form the network protection solution. Collectively, the product families provide email, file, and network security with a centralized management platform. Each family performs a specific role in the overall network protection, as described below.

1.1 CM Series Appliances: CM 4400, CM 7400, CM 9400

The FireEye CM series is a group of management platforms that consolidates the administration, reporting, and data sharing of the FireEye NX, EX, and FX series in one easy-to-deploy, network-based platform. Within the FireEye deployment, the FireEye CM enables real-time sharing of the auto-generated threat intelligence to identify and block advanced attacks targeting the organization. It also enables centralized configuration, management, and reporting of FireEye platforms.

1.2 FX Series Appliances: FX 5400, FX 8400

The FireEye FX series is a group of threat prevention platforms that protect content against attacks originating in a wide range of file types. Web mail, online file transfer tools, the cloud, and portable file storage devices can introduce malware that can spread to file shares and content repositories. The FireEye FX platform analyzes network file shares and enterprise content management stores to detect and quarantine malware brought in by employees and others that bypass next-generation firewalls, IPS, AV, and gateways.

1.3 EX Series Appliances: EX 3400, EX 5400, EX 8400, EX 8420

The FireEye EX series secures against advanced attacks. As part of the FireEye Threat Prevention Platform, the FireEye EX uses signature-less technology to analyze every attachment and successfully quarantine spear-phishing emails used in advanced targeted attacks.

1.4 NX Series Appliances: NX 900, NX 1400, NX 2400, NX 4400, NX 4420, NX 7400, NX 7420, NX 7500, NX 10000, NX 9450, NX

The FireEye Network Threat Prevention Platform identifies and blocks zero-day Web exploits, droppers (binaries), and multi-protocol callbacks to help organizations scale their advanced threat defenses across a range of deployments, from the multi-gigabit headquarters down to remote, branch, and mobile offices. FireEye Network with Intrusion Prevention System (IPS) technology further optimizes spend, substantially reduces false positives, and enables compliance while driving security across known and unknown threats.

1.5 Security Features

The TOE is comprised of several security features. Each of the security features identified above consists of several security functionalities, as identified below.

- Security Audit
- Cryptography Support
- User Data Protection
- Identification & Authentication
- Security Management
- Protection of the TSF
- Trusted Path/Channel
- TOE Access

These features are consistent with the security functionality described in the NDPP.

1.6 Supported non-TOE Hardware/Software/Firmware

The TOE also supports (sometimes optionally) secure connectivity with several other IT environment devices, including:

| Component | Required | Usage/Purpose Description for TOE performance |
|---|---|---|
| Management Workstation with Web Browser/SSH Client | Yes | This includes any IT Environment Management workstation with a Web Browser and an SSH client installed that is used by the TOE administrator to support TOE administration through HTTPS and SSH protected channels. Any SSH client that supports SSHv2 may be used. Any web browser that supports TLS 1.0 or greater may be used. |
| NTP Server | No | The TOE supports communications with an NTP server to synchronize date and time. |
| Syslog server | No | The syslog audit server is used for remote storage of audit records that have been generated by and transmitted from the TOE. |
| LDAP AAA Server | No | This includes any IT environment LDAP AAA server that provides authentication services to TOE administrators. |

Table 1 IT Environment

2 Test Identification

| Test Case ID | Description of test case |
|---|---|
| FAU_GEN.1 Test 1 | This test case demonstrated the TOE's ability to generate audit records based on specific events being triggered. |
| FAU_GEN.1 Guidance 1 | Guidance evaluation activity. |
| FAU_GEN.1 Guidance 2 | Guidance evaluation activity. |
| FAU_STG_EXT.1.1 TSS 1 | TSS evaluation activity. |
| FAU_STG_EXT.1.1 Guidance 1 | Guidance evaluation activity. |
| FAU_STG_EXT.1 Test 1 (not audit server) | This test case showed that the connection between the TOE and the remote audit server could be encrypted. |
| FAU_STG_EXT.1.1 TSS 1 (not audit server) | TSS evaluation activity. |
| FAU_STG_EXT.1.1 Guidance 1 (not audit server) | Guidance evaluation activity. |
| FCS_CKM_EXT.4.1 TSS 1 | TSS evaluation activity. |
| FCS_COP.1.1 (1) Test 1 | This test case verified the correct implementation of the cryptographic algorithm by testing against the NIST Validation System. |
| FCS_COP.1.1 (2) Test 1 | This test case verified the correct implementation of the cryptographic algorithm by testing against the NIST Validation System. |
| FCS_COP.1.1 (3) Test 1 | This test case verified the correct implementation of the cryptographic algorithm by testing against the NIST Validation System. |
| FCS_COP.1.1 (4) Test 1 | This test case verified the correct implementation of the cryptographic algorithm by testing against the NIST Validation System. |
| FCS_RBG_EXT.1.1 Test 1 | This test case verified the correct implementation of the cryptographic algorithm by testing against the NIST Validation System. |
| FCS_RBG_EXT.1.1 Test 2 (SP A DRBG) | This test case verified the correct implementation of the cryptographic algorithm by testing against the NIST Validation System. |
| FCS_RBG_EXT.1.1 Guidance 1 (SP A DRBG) | Guidance evaluation activity. |
| FDP_RIP.2.1 TSS 1 | TSS evaluation activity. |
| FIA_PMG_EXT.1.1 Guidance 1 | Guidance evaluation activity. |
| FIA_PMG_EXT.1 Test 1 | This test case verified the password capabilities of the TOE by attempting various good and bad password combinations and verifying the TOE handled them correctly. |
| FIA_UIA_EXT.1 TSS 1 | TSS evaluation activity. |
| FIA_UIA_EXT.1 Guidance 1 | Guidance evaluation activity. |
| FIA_UIA_EXT.1 Test #1 | This test case verified that for both remote and local login presenting the correct credentials resulted in access to the TOE and presenting incorrect credentials resulted in denied access. |
| FIA_UIA_EXT.1 Test #2 | This test case demonstrated that there is no remote functionality available to the administrator prior to logging into the TOE. |
| FIA_UIA_EXT.1 Test #3 | This test case demonstrated that there is no local functionality available to the administrator prior to logging into the TOE. |
| FIA_UAU.7 Test #1 | This test case demonstrated that during both local and remote logon the tester is not presented any feedback of the password entered. |
| FMT_MTD.1 Guidance 1 | Guidance evaluation activity. |
| FMT_MTD.1 TSS 1 | TSS evaluation activity. |
| FMT_SMR.2 Guidance 1 | Guidance evaluation activity. |
| FPT_SKP_EXT.1 TSS 1 | TSS evaluation activity. |
| FPT_APW_EXT.1 TSS 1 | TSS evaluation activity. |
| FPT_APW_EXT.1 TSS 2 | TSS evaluation activity. |
| FPT_ITT.1 TSS 1 | TSS evaluation activity. |
| FPT_ITT.1 TSS 2 | TSS evaluation activity. |
| FPT_ITT.1 Guidance 1 | Guidance evaluation activity. |
| FPT_ITT.1 Test 1 | This test case demonstrated secure connectivity between TOE components. |
| FPT_ITT.1 Test 2 | This test case demonstrated secure connectivity between TOE components. |
| FPT_STM.1 TSS 1 | TSS evaluation activity. |
| FPT_STM.1 Guidance 1 | Guidance evaluation activity. |
| FPT_STM.1 Guidance 2 | Guidance evaluation activity. |
| FPT_STM.1 Test #1 | This test demonstrated that the TOE administrator could update the TOE time. |
| FPT_STM.1 Test #2 | This test case demonstrated that the TOE could be configured to use a remote Time server. |
| FPT_TUD_EXT.1 TSS 1 | TSS evaluation activity. |
| FPT_TUD_EXT.1 TSS 2 | TSS evaluation activity. |
| FPT_TUD_EXT.1 Test #1 | This test case demonstrated that the TOE could be updated when presented with a valid upgrade image. |
| FPT_TUD_EXT.1 Test #2 | This test case demonstrated that the TOE could detect and reject invalid software updates. |
| FPT_TST_EXT.1.1 TSS 1 | TSS evaluation activity. |
| FPT_TST_EXT.1.1 TSS 2 | TSS evaluation activity. |
| FPT_TST_EXT.1.1 Guidance 1 | Guidance evaluation activity. |
| FTA_SSL_EXT.1 Test #1 | This test case demonstrated that when a local administrative session timeout is set the TOE administrator is logged off after that time period has been crossed. |
| FTA_SSL.3 Test #1 | This test case demonstrated that when a remote administrative session timeout is set the TOE administrator is logged off after that time period has been crossed. |
| FTA_SSL.4 Test #1 | This test case demonstrated that the local TOE administrator could log off of the TOE. |
| FTA_SSL.4 Test #2 | This test case demonstrated that the remote TOE administrator could log off of the TOE. |
| FTA_TAB.1 TSS 1 | TSS evaluation activity. |
| FTA_TAB.1 Test #1 | This test case demonstrated that the TOE supports a configurable banner for both local CLI and remote CLI administration. |
| FTP_ITC.1 TSS 1 | TSS evaluation activity. |
| FTP_ITC.1 TSS 2 | TSS evaluation activity. |
| FTP_ITC.1 Guidance 1 | Guidance evaluation activity. |
| FTP_ITC.1 Test #1 | This test case showed that the TOE could perform secure communications with remote syslog servers, time servers, and AAA servers over IPsec. |
| FTP_ITC.1 Test #2 | This test case demonstrated that when the TOE connection is physically disconnected from the remote IT entity and reconnected the communications do not resume in plaintext. |
| FTP_TRP.1 TSS 1 | TSS evaluation activity. |
| FTP_TRP.1 TSS 2 | TSS evaluation activity. |
| FTP_TRP.1 Guidance 1 | Guidance evaluation activity. |
| FTP_TRP.1 Test #1 | This test case demonstrated that remote administration of the TOE takes place over encrypted communications (an SSH connection). |
| FTP_TRP.1 Test #2 | This test case demonstrated that the TOE denies insecure remote administration attempts (telnet/http). |
| FCS_TLS_EXT.1.1 TSS 1 | TSS evaluation activity. |
| FCS_TLS_EXT.1.1 Guidance 1 | Guidance evaluation activity. |
| FCS_TLS_EXT.1.1 Test #1 | This test case demonstrated the TOE's ability to use secure ciphersuites. |
| FCS_TLS_EXT.1.1 Test #2 | This test case demonstrated the TOE's correct implementation of the TLS stack. |
| FCS_SSH_EXT.1.2 TSS 1 | TSS evaluation activity. |
| FCS_SSH_EXT.1.2 Test #1 | This test case demonstrated the TOE's ability to use asymmetric authentication for SSH session authentication. |
| FCS_SSH_EXT.1.2 Test #2 | This test case demonstrated the TOE's ability to use password authentication for SSH session authentication. |
| FCS_SSH_EXT.1.3 TSS 1 | TSS evaluation activity. |
| FCS_SSH_EXT.1.3 Test #1 | This test case demonstrated the TOE's ability to reject SSH packets larger than the allowed packet size. |
| FCS_SSH_EXT.1.4 TSS 1 | TSS evaluation activity. |
| FCS_SSH_EXT.1.4 Guidance 1 | Guidance evaluation activity. |
| FCS_SSH_EXT.1.4 Test #1 | This test case demonstrated the TOE's ability to use secure encryption algorithms for SSH sessions. |
| FCS_SSH_EXT.1.6 TSS 1 | TSS evaluation activity. |
| FCS_SSH_EXT.1.6 Guidance 1 | Guidance evaluation activity. |
| FCS_SSH_EXT.1.6 Test #1 | This test demonstrated the TOE's ability to use secure MACing algorithms for session integrity. |
| FCS_SSH_EXT.1.7 Guidance 1 | Guidance evaluation activity. |
| FCS_SSH_EXT.1.7 TSS 1 | TSS evaluation activity. |
| FCS_SSH_EXT.1.7 Test #1 | This test case demonstrated the TOE's ability to use Diffie-Hellman Group 14 for SSH sessions. This test case also demonstrated the TOE's ability to reject Diffie-Hellman Group 1 during SSH session establishment. |

Table 2 Testing Summary

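3 Testing Subset

The following table identifies the chosen subset of TOE hardware models to be tested.

| Appliance Series | TOE Model | Chosen for Testing |
|---|---|---|
| CM Series Appliances | CM 4400 | No |
| CM Series Appliances | CM 7400 | Yes |
| CM Series Appliances | CM 9400 | No |
| FX Series Appliances | FX 5400 | Yes |
| FX Series Appliances | FX 8400 | No |
| EX Series Appliances | EX 3400 | No |
| EX Series Appliances | EX 5400 | Yes |
| EX Series Appliances | EX 8400 | No |
| EX Series Appliances | EX 8420 | No |
| NX Series Appliances | NX 900 | No |
| NX Series Appliances | NX 1400 | No |
| NX Series Appliances | NX 2400 | Yes |
| NX Series Appliances | NX 4400 | No |
| NX Series Appliances | NX 4420 | No |
| NX Series Appliances | NX 7400 | Yes |
| NX Series Appliances | NX 7420 | No |
| NX Series Appliances | NX 7500 | Yes |
| NX Series Appliances | NX | No |
| NX Series Appliances | NX 9450 | No |
| NX Series Appliances | NX | No |

Table 3 Testing Subset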

4 Test Equivalency Justification

The following equivalency analysis provides a per category analysis of key areas of differentiation for each hardware model to determine the minimum subset to be used in testing. The areas examined will use the areas and analysis description provided in the supporting documentation for the NDPP.

Platform/Hardware Differences

The TOE boundary is inclusive of all hardware required by the TOE. The hardware platforms do not provide any of the TSF functionality. The hardware within the TOE only differs by configuration and performance. There are no hardware specific dependencies of the product. There isn't hardware specific functionality between appliance types. The base hardware may be configured as multiple types of appliances.

Result: There are no hardware dependencies.
- All CM Appliances are equivalent.
- All EX Appliances are equivalent.
- All FX Appliances are equivalent.
- NX Appliances: See processor analysis below for hardware related recommendations.

Processor Differences

Across appliance platforms, there are several processors included, as follows:

CM Series Appliances
- Appliance and processor: CM 4400: AMD Opteron 6328; CM 7400, CM 9400: AMD Opteron 6380
- Processor family: Both of these processors are part of the AMD Opteron 6300 Series Processor line of chips.
- Instruction set: Both processors support the following instruction sets: MMX, SSE, SSE2, SSE3, SSSE3, SSE4, AES, AVX, BMI1, F16C, FMA3, FMA4, TBM, XOP.
- Cores and base speed: 8 cores, 2500 MHz; 16 cores, 3200 MHz
- Bits: 64 bit; 64 bit
- Floating point units: Both processors support 256-bit FPU.
- Bus speed: Both processors support 6400 MT/s.

FX Series Appliances
- Appliance and processor: FX 5400: AMD Opteron 6328; FX 8400: AMD Opteron 6380
- Processor family: Both of these processors are part of the AMD Opteron 6300 Series Processor line of chips.
- Instruction set: Both processors support the following instruction sets: MMX, SSE, SSE2, SSE3, SSSE3, SSE4, AES, AVX, BMI1, F16C, FMA3, FMA4, TBM, XOP.
- Cores and base speed: 8 cores, 2500 MHz; 16 cores, 3200 MHz
- Bits: 64 bit; 64 bit
- Floating point units: Both processors support 256-bit FPU.
- Bus speed: Both processors support 6400 MT/s.

EX Series Appliances
- Appliance and processor: EX 3400: AMD Opteron; EX 8400, EX 8420: AMD Opteron 6380
- Processor family: Both of these EX processors are part of the AMD Opteron 6300 Series Processor line of chips.
- Instruction set: Both processors support the following instruction sets: MMX, SSE, SSE2, SSE3, SSSE3, SSE4, AES, AVX, BMI1, F16C, FMA3, FMA4, TBM, XOP.
- Cores and base speed: 8 cores, 2500 MHz; 16 cores, 3200 MHz
- Bits: 64 bit; 64 bit
- Floating point units: Both processors support 256-bit FPU.
- Bus speed: Both processors support 6400 MT/s

NX Series Appliances
- Appliance and processor: NX 900: AMD Opteron 3365; NX 1400, NX 2400: AMD Opteron 4334
- Processor family: AMD Opteron 3300 Series Processor line of chips; AMD Opteron 4300 Series Processor line of chips
- Instruction set (each processor): MMX, SSE, SSE2, SSE3, SSSE3, SSE4, AES, AVX, BMI1, F16C, FMA3, FMA4, TBM, XOP
- Cores and base speed: 8 cores, 2300 MHz; 6 cores, 3100 MHz
- Bits: 64 bit; 64 bit
- Floating point units: N/A; N/A
- Bus speed: MT/s; 6400 MT/s

- Appliance and processor: NX 4400, NX 4420: AMD Opteron 6328; NX 7400, NX, NX 9450, NX, NX: AMD Opteron; NX 7500: Intel Xeon E v2 Ivy Bridge
- Processor family: Both of these processors are part of the AMD Opteron 6300 Series Processor line of chips; Intel Xeon (Ivy Bridge) family.
- Instruction set (AMD Opteron): Both processors support the following instruction sets: MMX, SSE, SSE2, SSE3, SSSE3, SSE4, AES, AVX, BMI1, F16C, FMA3, FMA4, TBM, XOP.
- Instruction set (Intel Xeon): MMX, AES-NI, CLMUL, FMA3 x86-64, Intel 64, SSE, SSE2, SSE3, SSSE3, SSE4, SSE4.1, SSE4.2, AVX, AVX2, TXT, TSX, VT-x, VTd.
- Cores and base speed: 8 cores, 2500 MHz; 16 cores, 3200 MHz; 12 cores, 2.8 GHz
- Bits: 64 bit; 64 bit; 64 bit
- Floating point units: Both processors support 256-bit FPU; 256-bit FPU.
- Bus speed: Both processors support 6400 MT/s; GB/s

Table 4 Processor Differences

The table above identifies all of the CPUs included in the products. Generally speaking, two closely related CPUs are used in the platforms. There are several exceptions to this in the NX series appliances. The following table provides an analysis and recommendations on an appliance series basis.

CM Series Appliances (CM 4400, CM 7400, CM 9400)
- Analysis: Each of these platforms uses one of two very closely related CPUs for processing. Both CPUs are part of the same processor family and support the same instruction sets. These CPUs only differ in performance related metrics (specifically cores and speed). All other aspects of the chips are identical.
- Recommendation: Because the processors are nearly identical, one example of the CM series of appliances will sufficiently demonstrate the functionality of the devices.

FX Series Appliances (FX 5400, FX 8400)
- Analysis: Each of these platforms uses one of two very closely related CPUs for processing. Both CPUs are part of the same processor family and support the same instruction sets. These CPUs only differ in performance related metrics (specifically cores and speed). All other aspects of the chips are identical.
- Recommendation: Because the processors are nearly identical, one example of the FX series of appliances will sufficiently demonstrate the functionality of the devices.

EX Series Appliances (EX 3400, EX 5400, EX 8400, EX 8420)
- Analysis: Each of these platforms uses one of two very closely related CPUs for processing. Both CPUs are part of the same processor family and support the same instruction sets. These CPUs only differ in performance related metrics (specifically cores and speed). All other aspects of the chips are identical.
- Recommendation: Because the processors are nearly identical, one example of the EX series of appliances will sufficiently demonstrate the functionality of the devices.

NX Series Appliances (NX 900, NX 1400, NX 2400, NX 4400, NX 4420, NX 7400, NX 7420, NX 9450, NX, NX)
- Analysis: This family of appliances supports several different types of CPUs. Several of the appliances include the same AMD Opteron 6300 CPUs as the CM, EX, and FX appliances. The analyses associated with those platforms apply to these platforms. Several of the appliances also support the AMD Opteron 4300 CPUs (NX 1400 and 2400) and 3300 CPUs (NX 900). These processors are also very similar to the AMD Opteron processors with the exception that there is no FPU support. Amongst these processors, there are several non-security relevant differences including cores, base speed, and bus speed. Finally, two of the NX 7500 appliances include Intel Ivy Bridge processors. These processors again are very closely related. They both are the same architecture and support the same instruction sets and FPUs. They include several non-security relevant differences, including cores, base speed, and bus speed.
- Recommendation: Because of the similarity in processors, one example of a platform with an AMD Opteron 3300/4300, one example with an AMD Opteron 6300, and one example with an Intel Ivy Bridge should be acceptable. One possible subset would include, 1. NX NX NX7500

Table 5 Processor Analysis

Result: See analysis table above for recommendation

Software/OS Dependencies

The underlying OS is installed with the application level software on each of the appliances. The underlying OS for all models within the TOE is CentOS 6.5 (Linux Kernel ). There are no specific dependencies on the OS since the TOE will not be installed on different OSs. Additionally, the underlying OS that is installed as part of the product software is identical between not only platforms in a given appliance series but also across all platforms.

Result: There are no OS dependencies.
- All CM Appliances are equivalent.
- All EX Appliances are equivalent.
- All FX Appliances are equivalent.
- All NX Appliances are equivalent.

Differences in TOE Software Binaries

All platforms run software version 7.6. Additionally, each of the platforms within a given appliance series runs the exact same binary, as follows:

| Appliance Series | Appliance | Binary |
|---|---|---|
| CM Series Appliances | CM 4400 | image-cms.img |
| CM Series Appliances | CM 7400 | image-cms.img |
| CM Series Appliances | CM 9400 | image-cms.img |
| FX Series Appliances | FX 5400 | image-fms.img |
| FX Series Appliances | FX 8400 | image-fms.img |
| EX Series Appliances | EX 3400 | image-emps.img |
| EX Series Appliances | EX 5400 | image-emps.img |
| EX Series Appliances | EX 8400 | image-emps.img |
| EX Series Appliances | EX 8420 | image-emps.img |
| NX Series Appliances | NX 900 | image-wmps.img |
| NX Series Appliances | NX 1400 | image-wmps.img |
| NX Series Appliances | NX 2400 | image-wmps.img |
| NX Series Appliances | NX 4400 | image-wmps.img |
| NX Series Appliances | NX 4420 | image-wmps.img |
| NX Series Appliances | NX 7400 | image-wmps.img |
| NX Series Appliances | NX 7420 | image-wmps.img |
| NX Series Appliances | NX 7500 | image-wmps.img |
| NX Series Appliances | NX9450 | image-wmps.img |
| NX Series Appliances | NX | image-wmps.img |
| NX Series Appliances | NX | image-wmps.img |

Table 6 TOE Software Binaries

There are NO differences in the software being run (per appliance series).

Result: There is no model specific software.
- All CM Appliances are equivalent.
- All EX Appliances are equivalent.
- All FX Appliances are equivalent.
- All NX Appliances are equivalent.

Differences in Libraries Used to Provide TOE Functionality

All software binaries compiled in the TOE software are identical, including the version of the library, regardless of the platform for which the software is compiled. There are no differences between the included libraries.

Result: There are no differences in the included libraries.
- All CM Appliances are equivalent.
- All EX Appliances are equivalent.
- All FX Appliances are equivalent.
- All NX Appliances are equivalent.

TOE Management Interface Differences

There are several management interfaces for each of the appliances within the TOE, including:

| Appliance Family | Local CLI | Remote CLI (via SSH) | Remote GUI (device specific) | Remote GUI (through CM) |
|---|---|---|---|---|
| CM Series | Yes | Yes | Yes | N/A |
| EX Series | Yes | Yes | Yes | Yes |
| FX Series | Yes | Yes | Yes | Yes |
| NX Series | Yes | Yes | Yes | Yes |

Table 7 TOE Management Interfaces

The table above illustrates that each appliance can be managed either locally (via CLI) or remotely (via CLI or GUI). There is no difference in the way the administrative user interacts with each of the devices on a per appliance series basis. For example, the user interacts and is presented with the same management interface whether she is interacting with a CM4400 or a CM9400. The management interface is identical for each appliance in a given series.

Result: There are no differences in the user interface amongst platforms.
- All CM Appliances are equivalent.
- All EX Appliances are equivalent.
- All FX Appliances are equivalent.
- All NX Appliances are equivalent.

TOE Functional Differences

Each hardware model within the TOE boundary provides identical functionality. There is no difference in the way the user interacts with each of the devices or the services that are available for each of these devices on a per appliance series basis. For example, the user interaction with a CM4400 is identical to that of a CM9400. Each device within an appliance series runs the same version of software.

Result: There are no security functional differences between platforms in a series.
- All CM Appliances are equivalent.
- All EX Appliances are equivalent.
- All FX Appliances are equivalent.
- All NX Appliances are equivalent.

5 Recommendations/Conclusion

Based on the analysis above, the following will sufficiently test the TOE:

| Appliance Family | Required for Testing |
|---|---|
| CM Series | One appliance example |
| EX Series | One appliance example |
| FX Series | One appliance example |
| NX Series | One of the following appliances: NX900, NX1400, NX2400 |
| NX Series | One of the following appliances: NX4400, NX4420, NX7400, NX7420, NX10000, NX9450, NX10450 |
| NX Series | One of the following appliances: NX7500 |

Table 8 Required Subset

6 TSS and Guidance Activities

FAU_GEN.1 Guidance 1

The evaluator shall check the administrative guide and ensure that it lists all of the auditable events and provides a format for audit records. Each audit record format type must be covered, along with a brief description of each field. The evaluator shall check to make sure that every audit event type mandated by the PP is described and that the description of the fields contains the information required in FAU_GEN.1.2, and the additional information specified in Table

Evaluator Findings

The evaluator checked the administrative guide to ensure that it lists all of the auditable events and provides a format for audit records. Section "Audit Messages," page 17, of AGD was used to determine the verdict of this work unit. Upon investigation, the evaluator found that AGD explicitly lists each of the auditable events and the fields associated with each audit record. Based on these findings, this assurance activity is considered satisfied.

Verdict

FAU_GEN.1 Guidance 2

The evaluator shall also make a determination of the administrative actions that are relevant in the context of this PP. The evaluator shall examine the administrative guide and make a determination of which administrative commands, including subcommands, scripts, and configuration files, are related to the configuration (including enabling or disabling) of the mechanisms implemented in the TOE that are necessary to enforce the requirements specified in the PP. The evaluator shall document the methodology or approach taken while determining which actions in the administrative guide are security relevant with respect to this PP. The evaluator may perform this activity as part of the activities associated with ensuring the AGD_OPE guidance satisfies the requirements.

Evaluator Findings

The evaluator made a determination of the administrative actions that are relevant in the context of this PP. The AGD document and all of the configuration guides listed in section 9 of this document were used as part of this evaluation. The evaluator performed the following actions to identify the set of security relevant CLI commands and GUI options required by the evaluated configuration:

- The evaluator first began stepping through the AGD document. In addition to providing configuration specific guidance for configuring the TOE in the evaluated configuration, the document acts as a mapping document to other general guidance documents for the TOE. As part of this review, the evaluator successfully compared the AGD document to the ST to verify that each of the claimed security functionalities is discussed.
- Next, the evaluator reviewed each section of the other configuration documents referenced by the AGD.

Based on this analysis, the evaluator found the following actions as security relevant:

- Configuring users: [AGD] Page 26 Adding an Admin User and Setting the word;
- Enabling/disabling compliance mode: [AGD] Page 18 Entering Compliance, Page 19 Exiting Compliance;
- Configuring audit: [AGD] Page 20 Starting Audit Log Services, Page 20 Stopping Audit Log Services;
- Configuring TLS connections: [AGD] Page 27 Enabling TLS for HTTP Connections and Setting the Cipher List;
- Configuring SSH connections: [AGD] Page 27 Enabling ssh and Setting the Cipher List;
- Configuring authentication data: [AGD] Page 26 Adding an Admin User and Setting the word and Setting an Authentication Method;
- Configuring time/ntp: [AGD] Page 20 Setting the Clock;
- Performing updates: [AGD] Page 28 Installing an Updated System Image;
- Configuring the administrative inactivity period: [AGD] Page 28 Configuring the Administrative Inactivity Period;
- Configuring remote login banner: [AGD] Page 28 Configuring the Remote Login Banner

Verdict

FAU_GEN.2

None

The evaluation of this SFR is tested in conjunction with the testing of FAU_GEN

FAU_STG_EXT.1.1 TSS 1

The evaluator shall examine the TSS to ensure it describes the amount of audit data that are stored locally; what happens when the local audit data store is full; and how these records are protected against unauthorized access.

Evaluator Findings

The evaluator examined the TSS to ensure it describes the amount of audit data that are stored locally; what happens when the local audit data store is full; and how these records are protected against unauthorized access. Table 14 of Section 5 of the ST was used to determine the verdict of this working unit. Upon investigation, the evaluator found that:

1. The local logging buffer size can be configured from a range of 4096 (default) up to bytes.
2. The log buffer is circular, so newer messages overwrite older messages after the buffer is full.
3. The TOE protects communications with an external syslog server via TLS. Only Authorized Administrators are able to clear the local logs, and local audit records are stored in a directory that does not allow administrators to modify the contents.

Based on these findings, this Assurance Activity is considered satisfied.

Verdict

FAU_STG_EXT.1.1 Guidance 1

The evaluator shall also examine the operational guidance to determine that it describes the relationship between the local audit data and the audit data that are sent to the audit log server (for TOEs that are not acting as an audit log server). For example, when an audit event is generated, is it simultaneously sent to the external server and the local store, or is the local store used as a buffer and cleared periodically by sending the data to the audit server?

Evaluator Findings

The evaluator examined the operational guidance and determined that it describes the relationship between the local audit data and the audit data that are sent to the audit log server (for TOEs that are not acting as an audit log server). The AGD was used to determine the verdict of this work unit. Upon investigation, the evaluator found that section "Audit Message," page 18, contains a description of the relationship between remote audit records and local audit records. Specifically, audit records are "stored locally and sent remotely at the same time." Based on these findings, this work unit is considered satisfied.

Verdict

FAU_STG_EXT.1.1 TSS 1 (not audit server)

The evaluator shall examine the TSS to ensure it describes the means by which the audit data are transferred to the external audit server, and how the trusted channel is provided.

Evaluator Findings

The evaluator examined the TSS to ensure it describes the means by which the audit data are transferred to the external audit server, and how the trusted channel is provided. Table 14 of Section 5 was used to determine the verdict of this work unit. Upon investigation, the evaluator found that the TOE protects communication with the syslog server via a TLS encrypted channel. The TOE transmits its audit events to all configured syslog servers at the same time logs are written to the local log buffer and to the console. The TOE is capable of detecting when the TLS connection fails. If the TLS connection fails, the TOE will buffer the audit records on the TOE when it discovers it can no longer communicate with its configured syslog server, and will transmit the buffer contents when connectivity to the syslog server is restored. Based on these findings, this Assurance Activity is considered satisfied.

Verdict
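The store-locally, send-remotely, buffer-on-failure behaviour described in this finding can be modelled as follows; this is an added Python example, not FireEye code and not part of the evaluated documents. The names FakeTlsSyslog, AuditForwarder and missing_sequences, the per-record sequence numbers and the max_buffered cap are assumptions: the report does not say how the TOE bounds its buffer or whether records are numbered.

```python
from collections import deque


class ChannelDown(Exception):
    """Raised when the protected channel to the audit server is unavailable."""


class FakeTlsSyslog:
    """Constructed stand-in for a TLS syslog connection (hypothetical).

    A real transport would wrap an ssl.SSLSocket; here `up` simulates
    whether the TLS session to the syslog server is alive.
    """

    def __init__(self):
        self.up = True
        self.received = []

    def send(self, line):
        if not self.up:
            raise ChannelDown("TLS connection to syslog server failed")
        self.received.append(line)


class AuditForwarder:
    """Writes every record locally and forwards it remotely at the same time.

    When the channel is down, records wait in `pending` and are sent in
    order once the channel is back. The cap on `pending` is an assumption
    added to show what a reviewer should ask about: what is lost, and can
    the server tell, if the outage outlasts the buffer?
    """

    def __init__(self, transport, max_buffered=1000):
        self.transport = transport
        self.local_store = []      # local audit trail, always written
        self.pending = deque()     # records not yet delivered remotely
        self.max_buffered = max_buffered
        self.dropped = 0           # records evicted from the remote queue
        self.seq = 0

    def emit(self, message):
        self.seq += 1
        record = f"seq={self.seq} {message}"
        self.local_store.append(record)   # local copy first
        self.pending.append(record)
        self.flush()                      # try the remote copy immediately
        # Only trim after a delivery attempt, so nothing is evicted
        # while the channel is actually usable.
        while len(self.pending) > self.max_buffered:
            self.pending.popleft()
            self.dropped += 1
        return record

    def flush(self):
        """Send buffered records oldest-first; stop at the first failure."""
        sent = 0
        while self.pending:
            try:
                self.transport.send(self.pending[0])
            except ChannelDown:
                break
            self.pending.popleft()
            sent += 1
        return sent


def missing_sequences(lines):
    """Server-side check: sequence numbers absent from the received stream."""
    seen = {int(line.split()[0].split("=", 1)[1]) for line in lines}
    if not seen:
        return []
    return [n for n in range(1, max(seen) + 1) if n not in seen]


def run_outage_scenario():
    """Constructed scenario: one record, an outage of five records, recovery."""
    link = FakeTlsSyslog()
    fwd = AuditForwarder(link, max_buffered=3)
    fwd.emit("admin login success")       # delivered immediately
    link.up = False                       # TLS session drops
    for i in range(5):
        fwd.emit(f"config change {i}")    # buffered; the two oldest are evicted
    link.up = True                        # connectivity restored
    fwd.emit("admin logout")              # triggers replay of the buffer
    return fwd, link


if __name__ == "__main__":
    fwd, link = run_outage_scenario()
    print("local records :", len(fwd.local_store))
    print("remote records:", link.received)
    print("gaps on server:", missing_sequences(link.received))
```

The local store keeps all seven records while the server sees a gap, which is why the local trail and the sequence check matter when reviewing a device that claims this behaviour.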

6.1.7 FAU_STG_EXT.1.1 Guidance 1 (not audit server)

The evaluator shall also examine the operational guidance to ensure it describes how to establish the trusted channel to the audit server, as well as describe any requirements on the audit server (particular audit server protocol, version of the protocol required, etc.), as well as configuration of the TOE needed to communicate with the audit server.

Evaluator Findings

The evaluator examined the operational guidance to ensure it describes how to establish the trusted channel to the audit server, as well as describe any requirements on the audit server (particular audit server protocol, version of the protocol required, etc.), as well as configuration of the TOE needed to communicate with the audit server. The AGD document was used as part of this evaluation. Upon investigation, the evaluator found that section "Using an Audit Server," page 16, of the AGD document provides a description of the requirements for remote logging. In particular, connections between the TOE and the remote syslog server must be protected using TLS. The section also provides a description of the required configuration options for the syslog server. Based on these findings, this assurance activity is considered satisfied.

Verdict

FCS_CKM.1.1 TSS 1

The evaluator shall ensure that the TSS contains a description of how the TSF complies with A and/or B, depending on the selections made. This description shall indicate the sections in A and/or B that are implemented by the TSF, and the evaluator shall ensure that key establishment is among those sections that the TSF claims to implement. Any TOE-specific extensions, processing that is not included in the documents, or alternative implementations allowed by the documents that may impact the security requirements the TOE is to enforce shall be described.

Evaluator Findings

The evaluator reviewed Table 14 of Section 5 of the ST and found that the TSS explicitly indicates that the TOE implements several key establishment schemes, including FFC Diffie-Hellman as specified in NIST SP A, ECDH Diffie-Hellman as specified in NIST SP A, and RSA Key Transport as specified in NIST SP B. The TSS indicates that the TOE is fully compliant with SP A and SP B and that the TOE does not implement any TOE-specific extensions. Based on these findings, this assurance activity is considered satisfied.

Verdict

6.1.9 FCS_CKM_EXT.4.1 TSS 1

The evaluator shall check to ensure the TSS describes each of the secret keys (keys used for symmetric encryption), private keys, and CSPs used to generate key; when they are zeroized (for example, immediately after use, on system shutdown, etc.); and the type of zeroization procedure that is performed (overwrite with zeros, overwrite three times with random pattern, etc.). If different types of memory are used to store the materials to be protected, the evaluator shall check to ensure that the TSS describes the zeroization procedure in terms of the memory in which the data are stored (for example, "secret keys stored on flash are zeroized by overwriting once with zeros, while secret keys stored on the internal hard drive are zeroized by overwriting three times with a random pattern that is changed before each write").

Evaluator Findings

The evaluator examined Table 14 of Section 5 in the ST and found the following.

Table 9 Zeroization

Keys                           Zeroization Description
Diffie Hellman private key     Keys are overwritten with zeros at power cycle.
Diffie Hellman public key      Keys are overwritten with zeros at power cycle.
SSH Private Key                Key is overwritten by zeros when the compliance declassify zeroize command is issued.
SSH Public Key                 Key is overwritten by zeros when the compliance declassify zeroize command is issued.
SSH Session Key                Keys are overwritten with zeros at power cycle.
SSH Integrity Key              Keys are overwritten with zeros at power cycle.
TLS Private Key                Key is overwritten by zeros when the compliance declassify zeroize command is issued.
TLS Public Key                 Keys are overwritten with zeros at power cycle.
TLS Session Encryption Key     Keys are overwritten with zeros at power cycle.
TLS Session Integrity Key      Keys are overwritten with zeros at power cycle.

Each secret key and CSP is described along with zeroization characteristics. Based on these findings, this Assurance Activity is considered satisfied.

Verdict

FCS_RBG_EXT.1.1 Guidance 1 (SP A DRBG)

The evaluator shall also confirm that the operational guidance contains appropriate instructions for configuring the RBG functionality.

Evaluator Findings

The evaluator confirmed that the operational guidance contains appropriate instructions for configuring the RBG functionality. The AGD document was used to determine the verdict of this work unit. Upon investigation, the evaluator found that section "Enabling the Trusted Platform Module," page 11, provides a description of how to enable the TPM module within the product, which is required to appropriately seed the implemented DRBG.

Based on these findings, this assurance activity is considered satisfied.

Verdict

FDP_RIP.2.1 TSS 1

The evaluator shall check to ensure that the TSS describes packet processing to the extent that they can determine that no data will be reused when processing network packets. The evaluator shall ensure that this description at a minimum describes how the previous data are zeroized/overwritten, and at what point in the buffer processing this occurs.

Evaluator Findings

The evaluator checked to ensure that the TSS describes packet processing to the extent that they can determine that no data will be reused when processing network packets. Table 14 of Section 5 of the ST was used in this analysis. Upon investigation, the evaluator found that packets that are not the required length use zeros for padding. Residual data is never transmitted from the TOE. Once packet handling is completed, its content is overwritten before the memory buffer which previously contained the packet is reused. Based on these findings, this Assurance Activity is considered satisfied.

Verdict

FIA_PMG_EXT.1.1 Guidance 1

The evaluator shall examine the operational guidance to determine that it provides guidance to security administrators on the composition of strong passwords, and that it provides instructions on setting the minimum password length.

Evaluator Findings

The evaluator examined the operational guidance to determine that it provides guidance to security administrators on the composition of strong passwords, and that it provides instructions on setting the minimum password length. The AGD was used as part of this evaluation. Upon investigation, the evaluator found that section "Strong Passwords," page 1, of the AGD provides guidance for the minimum password requirements for the TOE in the evaluated configuration. Based on these findings, this assurance activity is considered satisfied.

Verdict

FIA_UIA_EXT.1 TSS 1

The evaluator shall examine the TSS to determine that it describes the logon process for each logon method (local, remote (HTTPS, SSH, etc.)) supported for the product. This description shall contain information pertaining to the credentials allowed/used, any protocol transactions that take place, and what constitutes a successful logon.

Evaluator Findings

The evaluator examined the TSS to determine that it describes the logon process for each logon method (local, remote (HTTPS, SSH, etc.)) supported for the product. Table 14 of Section 5 of the ST was used to determine the verdict of this analysis. The TOE mediates all administrative actions through one of two interfaces, the CLI or GUI. Once a potential administrative user attempts to access the CLI or GUI of the TOE through either a directly connected console or remotely through an HTTPS/SSHv2 connection, the TOE prompts the user for a user name and password. The TOE provides a local password based authentication mechanism as well as TLS protected LDAP authentication, if configured. At initial login, the administrative user is prompted to provide a username. After the user provides the username, the user is prompted to provide the administrative password associated with the user account. The TOE then either grants administrative access (if the combination of username and password is correct) or indicates that the login was unsuccessful. Based on these findings, this Assurance Activity is considered satisfied.

Verdict

FIA_UIA_EXT.1 Guidance 1

The evaluator shall examine the operational guidance to determine that any necessary preparatory steps (e.g., establishing credential material such as pre-shared keys, tunnels, certificates, etc.) to logging in are described. For each supported login method, the evaluator shall ensure the operational guidance provides clear instructions for successfully logging on. If configuration is necessary to ensure the services provided before login are limited, the evaluator shall determine that the operational guidance provides sufficient instruction on limiting the allowed services.

Evaluator Findings

The evaluator examined the operational guidance to determine that any necessary preparatory steps (e.g., establishing credential material such as pre-shared keys, tunnels, certificates, etc.) to logging in are described. The AGD, CMSAG, FXSAG, NXSAG, and EXSAG documents were used with the evaluation activity. Upon investigation, the evaluator found that two methods of administration are available to the user:

Command Line Interface (CLI)
Graphical User Interface (GUI)

The evaluator found that users are able to authenticate to the TOE at both the CLI and GUI and that the configuration steps for each interface are provided. The evaluator found that the following sections provide preparatory instructions for configuring users and credentials:

CMSAG section "Managing Users using the WebUI," page 242
CMSAG section "Managing Users using the CLI," page 243
CMSAG section "Configuring Password Validation Policies," page 247

FXAG section "Managing Users using the WebUI," page 109
FXAG section "Managing Users using the CLI," page 109
FXAG section "Configuring Password Rules," page 114
NXAG section "Managing Users using the WebUI," page 140
NXAG section "Managing Users using the CLI," page 142
NXAG section "Configuring Password Validation Policies," page 150
EXAG section "Managing Users Accounts," page 60

Based on these findings, this assurance activity is considered satisfied.

Verdict

FMT_MTD.1 Guidance 1

The evaluator shall review the operational guidance to determine that each of the TSF-data-manipulating functions implemented in response to the requirements of this PP is identified, and that configuration information is provided to ensure that only administrators have access to the functions.

Evaluator Findings

The evaluator reviewed the operational guidance to determine that each of the TSF-data-manipulating functions implemented in response to the requirements of this PP is identified, and that configuration information is provided to ensure that only administrators have access to the functions. The AGD document was used as part of this evaluation activity. Upon investigation, the evaluator found that the AGD document addresses the configuration of the following items in response to the requirements of the NDPP:

Section Remote Access - Administrative Access
Section Strong Passwords - I&A Configuration
Section LDAP Server Configuration - I&A Configuration
Section Date and Time Settings - Time Functionality
Section Configuring a Secure Syslog Server and Client - Secure Logging
Section Using an Audit Server - Secure Logging
Section Audit Messages - Secure Logging
Section Cryptographic POST - Cryptographic Support
Section Supported Ciphersuites - Cryptographic Support

These items combined cover all of the functionality described in the NDPP. Based on these findings, this work unit is considered satisfied.

Verdict

FMT_MTD.1 TSS 1

The evaluator shall examine the TSS to determine that, for each administrative function identified in the operational guidance, those that are accessible through an interface prior to administrator log-in are identified. For each of these functions, the evaluator shall also confirm that the TSS details how the ability to manipulate the TSF data through these interfaces is disallowed for non-administrative users.

Evaluator Findings

The evaluator examined the TSS to determine that, for each administrative function identified in the operational guidance, those that are accessible through an interface prior to administrator log-in are identified. For each of these functions, the evaluator also confirmed that the TSS details how the ability to manipulate the TSF data through these interfaces is disallowed for non-administrative users. The evaluator examined Table 14 of Section 5 as part of this analysis. Upon investigation, the evaluator found that there are no administrative functions prior to authentication. Based on these findings, this Assurance Activity is considered satisfied.

Verdict

FMT_SMF.1

None - The security management functions for FMT_SMF.1 are distributed throughout the PP and are included as part of the requirements in FMT_MTD, FPT_TST_EXT, and any cryptographic management functions specified in the reference standards. Compliance to these requirements satisfies compliance with FMT_SMF.

FMT_SMR.2 Guidance 1

The evaluator shall review the operational guidance to ensure that it contains instructions for administering the TOE both locally and remotely, including any configuration that needs to be performed on the client for remote administration.

Evaluator Findings

The evaluator reviewed the operational guidance to ensure that it contains instructions for administering the TOE both locally and remotely, including any configuration that needs to be performed on the client for remote administration. The AGD, CMSAG, FXSAG, NXSAG, EXSAG, FXTMG, NXTMG, and EXTMG documents were used with the evaluation activity. The evaluator found that instructions for configuring the TOE locally are described in the CMSAG, FXSAG, NXSAG, and EXSAG documents, in the following sections:

[CMAG] Section titled: Initial CM Series Platform Configuration
[EXAG] Section titled: Using the Serial Console
[FXAG] Section titled: Configuring Initial Settings Using the Serial Console Port
[NXAG] Section titled: Configuring Initial Settings Using the Serial Console Port

The evaluator found that instructions for configuring the TOE remotely are described in the FXTMG, NXTMG, and EXTMG, in the following sections:

[FXTMG] Section titled: Configuring the Appliance Using the Web UI (for administration over HTTPS), Configuring the Appliance Using the CLI (for administration over SSH)


SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

FIPS 140-2 Security Policy LogRhythm 6.0.4 Log Manager

FIPS 140-2 Security Policy LogRhythm 6.0.4 Log Manager FIPS 140-2 Security Policy LogRhythm 6.0.4 Log Manager LogRhythm 3195 Sterling Circle, Suite 100 Boulder CO, 80301 USA September 17, 2012 Document Version 1.0 Module Version 6.0.4 Page 1 of 23 Copyright

More information

Security Policy Revision Date: 23 April 2009

Security Policy Revision Date: 23 April 2009 Security Policy Revision Date: 23 April 2009 Remote Desktop Support Version 3.2.1 or later for Windows Version 3.1.2 or later for Linux and Mac 4 ISL Light Security Policy This section describes the procedure

More information

Protection Profile for Software Full Disk Encryption

Protection Profile for Software Full Disk Encryption Protection Profile for Software Full Disk Encryption Mitigating the Risk of a Lost or Stolen Hard Disk Information Assurance Directorate 14 February 2013 Version 1.0 Table of Contents 1 Introduction to

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 24 Windows and Windows Vista Security First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Windows and Windows Vista Security

More information

CCNA Security. Chapter Two Securing Network Devices. 2009 Cisco Learning Institute.

CCNA Security. Chapter Two Securing Network Devices. 2009 Cisco Learning Institute. CCNA Security Chapter Two Securing Network Devices 1 The Edge Router What is the edge router? - The last router between the internal network and an untrusted network such as the Internet - Functions as

More information

Cisco Email Security Appliance (ESA), with Software Version AsyncOS 9.1

Cisco Email Security Appliance (ESA), with Software Version AsyncOS 9.1 Cisco Email Security Appliance (ESA), with Software Version AsyncOS 9.1 CC Configuration Guide Version 1.4 September 1, 2015 Table of Contents 1 Introduction... 7 1.1 Audience... 7 1.2 Purpose... 7 1.3

More information

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note

BlackBerry Enterprise Service 10. Secure Work Space for ios and Android Version: 10.1.1. Security Note BlackBerry Enterprise Service 10 Secure Work Space for ios and Android Version: 10.1.1 Security Note Published: 2013-06-21 SWD-20130621110651069 Contents 1 About this guide...4 2 What is BlackBerry Enterprise

More information

McAfee Web Gateway Version 7.0.1.1 EAL 2 + ALC_FLR.2 Security Target

McAfee Web Gateway Version 7.0.1.1 EAL 2 + ALC_FLR.2 Security Target McAfee Web Gateway Version 7.0.1.1 EAL 2 + ALC_FLR.2 Security Target Release Date: September 2010 Document ID: Version: Draft J Prepared By: Primasec Ltd. Prepared For: McAfee Inc. 3965 Freedom Circle

More information

Marimba Client and Server Management from BMC Software Release 6.0.3

Marimba Client and Server Management from BMC Software Release 6.0.3 Marimba Client and Server Management from BMC Software Release 6.0.3 Version 2.3.0 4 June, 2007 Prepared by: BMC Software, Inc. 2101 City West Blvd. Houston, Texas 77042 TABLE OF CONTENTS 1. Introduction...

More information

FIPS 140-2 Security Policy LogRhythm 6.0.4 or 6.3.4 Windows System Monitor Agent

FIPS 140-2 Security Policy LogRhythm 6.0.4 or 6.3.4 Windows System Monitor Agent FIPS 140-2 Security Policy LogRhythm 6.0.4 or 6.3.4 Windows System Monitor Agent LogRhythm, Inc. 4780 Pearl East Circle Boulder, CO 80301 May 1, 2015 Document Version 2.0 Module Versions 6.0.4 or 6.3.4

More information

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0

Security Guide. BlackBerry Enterprise Service 12. for ios, Android, and Windows Phone. Version 12.0 Security Guide BlackBerry Enterprise Service 12 for ios, Android, and Windows Phone Version 12.0 Published: 2015-02-06 SWD-20150206130210406 Contents About this guide... 6 What is BES12?... 7 Key features

More information

Configuration Backup and Restore. Dgw v2.0 May 14, 2015. www.media5corp.com

Configuration Backup and Restore. Dgw v2.0 May 14, 2015. www.media5corp.com Dgw v2.0 May 14, 2015 www.media5corp.com Table of Contents Configuration Backup and Restore... 3 File Servers... 4 Configuring the FTP Server...4 Configuring the TFTP Server...4 Configuring the HTTP Server...

More information

Certification Report

Certification Report Certification Report McAfee Network Security Platform v7.1 (M-series sensors) Issued by: Communications Security Establishment Canada Certification Body Canadian Common Criteria Evaluation and Certification

More information

Chapter 7 Transport-Level Security

Chapter 7 Transport-Level Security Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell

More information

Criteria for web application security check. Version 2015.1

Criteria for web application security check. Version 2015.1 Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-

More information

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505

INTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505 INTEGRATION GUIDE DIGIPASS Authentication for Cisco ASA 5505 Disclaimer DIGIPASS Authentication for Cisco ASA5505 Disclaimer of Warranties and Limitation of Liabilities All information contained in this

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Cisco Intrusion Detection System Sensor Appliance IDS-4200 series Version 4.1(3) Report

More information

CrashPlan Security SECURITY CONTEXT TECHNOLOGY

CrashPlan Security SECURITY CONTEXT TECHNOLOGY TECHNICAL SPECIFICATIONS CrashPlan Security CrashPlan is a continuous, multi-destination solution engineered to back up mission-critical data whenever and wherever it is created. Because mobile laptops

More information

JMCS Northern Light Video Conferencing System Security Target

JMCS Northern Light Video Conferencing System Security Target JMCS Northern Light Video Conferencing System Security Target Common Criteria: EAL2 Version 1.2 22 FEB 12 Document management Document identification Document ID Document title Product version NLVC_ST_EAL2

More information

Protection Profile for Email Clients

Protection Profile for Email Clients Protection Profile for Email Clients 1 April 2014 Version 1.0 Page 1 of 69 1 Introduction... 4 1.1 Overview of the TOE... 4 1.2 Usage of the TOE... 4 2 SECURITY PROBLEM DESCRIPTION... 6 2.1 Threats...

More information

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example

ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example Document ID: 113571 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information

More information

EMC Corporation Data Domain Operating System Version 5.2.1.0. Security Target. Evaluation Assurance Level (EAL): EAL2+ Document Version: 0.

EMC Corporation Data Domain Operating System Version 5.2.1.0. Security Target. Evaluation Assurance Level (EAL): EAL2+ Document Version: 0. EMC Corporation Data Domain Operating System Version 5.2.1.0 Security Target Evaluation Assurance Level (EAL): EAL2+ Document Version: 0.11 Prepared for: Prepared by: EMC Corporation 176 South Street Hopkinton,

More information

Security Target. Security Target SQL Server 2008 Team. Author: Roger French Version: 1.04 Date: 2011-09-26

Security Target. Security Target SQL Server 2008 Team. Author: Roger French Version: 1.04 Date: 2011-09-26 SQL Server 2008 Team Author: Roger French Version: 1.04 Date: 2011-09-26 Abstract This document is the (ST) for the Common Criteria certification of the database engine of Microsoft SQL Server 2008 R2.

More information

FIPS 140 2 Non Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series USB Flash Drive

FIPS 140 2 Non Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series USB Flash Drive FIPS 140 2 Non Proprietary Security Policy Kingston Technology Company, Inc. DataTraveler DT4000 G2 Series USB Flash Drive Document Version 1.8 December 3, 2014 Document Version 1.8 Kingston Technology

More information

Low Assurance Security Target for a Cisco VoIP Telephony System

Low Assurance Security Target for a Cisco VoIP Telephony System Low Assurance Security Target for a Cisco VoIP Telephony System Security Target Version 1.6 March 14, 2005 Document Control Preparation Action Name Date Prepared by: Rob Hunter of TNO-ITSEF BV on behalf

More information

Security Configuration Guide P/N 300-010-493 Rev A05

Security Configuration Guide P/N 300-010-493 Rev A05 EMC VPLEX Security Configuration Guide P/N 300-010-493 Rev A05 June 7, 2011 This guide provides an overview of VPLEX security configuration settings, including secure deployment and usage settings needed

More information

McAfee Firewall Enterprise v7.0.1.02 Security Target

McAfee Firewall Enterprise v7.0.1.02 Security Target McAfee Firewall Enterprise v7.0.1.02 Security Target 8 Nov 2010 Version 1.3 Prepared By: Primasec Ltd For McAfee Inc 2340 Energy Park Drive St. Paul, MN 55108 USA McAfee Inc. Page 1 of 60 Contents 1 Introduction...

More information

How To Protect Your Network From Attack From Outside From Inside And Outside

How To Protect Your Network From Attack From Outside From Inside And Outside IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles

More information

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.

Considerations In Developing Firewall Selection Criteria. Adeptech Systems, Inc. Considerations In Developing Firewall Selection Criteria Adeptech Systems, Inc. Table of Contents Introduction... 1 Firewall s Function...1 Firewall Selection Considerations... 1 Firewall Types... 2 Packet

More information

Executive Summary and Purpose

Executive Summary and Purpose ver,1.0 Hardening and Securing Opengear Devices Copyright Opengear Inc. 2013. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

Acano solution. Security Considerations. August 2015 76-1026-01-E

Acano solution. Security Considerations. August 2015 76-1026-01-E Acano solution Security Considerations August 2015 76-1026-01-E Contents Contents 1 Introduction... 3 2 Acano Secure Development Lifecycle... 3 3 Acano Security Points... 4 Acano solution: Security Consideration

More information

SENSE Security overview 2014

SENSE Security overview 2014 SENSE Security overview 2014 Abstract... 3 Overview... 4 Installation... 6 Device Control... 7 Enrolment Process... 8 Authentication... 9 Network Protection... 12 Local Storage... 13 Conclusion... 15 2

More information

Locking down a Hitachi ID Suite server

Locking down a Hitachi ID Suite server Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime

More information

Data Sheet. NCP Secure Enterprise Management. Next Generation Network Access Technology

Data Sheet. NCP Secure Enterprise Management. Next Generation Network Access Technology Centrally Managed VPN Fully Automatic Operation of a Remote Access VPN via a Single Console Enables easy rollout and operation of secure remote access infrastructures Central creation of client configuration

More information

FISMA / NIST 800-53 REVISION 3 COMPLIANCE

FISMA / NIST 800-53 REVISION 3 COMPLIANCE Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security

More information

McAfee Email Gateway Appliance Version 7.0.1 NDPP Compliance Security Target

McAfee Email Gateway Appliance Version 7.0.1 NDPP Compliance Security Target McAfee Email Gateway Appliance Version 7.0.1 NDPP Compliance Release Date: 8 August 2013 Version: 2.3 Prepared By: Primasec Ltd. Prepared For: McAfee Inc. 2821 Mission College Blvd. Santa Clara, CA 95054

More information

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client

Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client Topology Note: ISR G2 devices have Gigabit Ethernet interfaces instead of FastEthernet Interfaces. All contents are Copyright 1992 2012

More information

Introduction to Endpoint Security

Introduction to Endpoint Security Chapter Introduction to Endpoint Security 1 This chapter provides an overview of Endpoint Security features and concepts. Planning security policies is covered based on enterprise requirements and user

More information

Cisco AnyConnect Secure Mobility Client VPN User Messages, Release 3.1

Cisco AnyConnect Secure Mobility Client VPN User Messages, Release 3.1 Cisco AnyConnect Secure Mobility Client VPN User Messages, Release 3.1 October 15, 2012 The following user messages appear on the AnyConnect client GUI. A description follows each message, along with recommended

More information

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2

Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2 Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2 FIPS 140 2 Non Proprietary Security Policy FIPS Security Level: 1 Document Version: 1.1 Prepared for: Prepared

More information

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s

S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s During the period between November 2012 and March 2013, Symantec Consulting Services partnered with Bomgar to assess the security

More information

FortiOS Handbook - Hardening your FortiGate VERSION 5.2.3

FortiOS Handbook - Hardening your FortiGate VERSION 5.2.3 FortiOS Handbook - Hardening your FortiGate VERSION 5.2.3 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER

More information

SNAPcell Security Policy Document Version 1.7. Snapshield

SNAPcell Security Policy Document Version 1.7. Snapshield SNAPcell Security Policy Document Version 1.7 Snapshield July 12, 2005 Copyright Snapshield 2005. May be reproduced only in its original entirety [without revision]. TABLE OF CONTENTS 1. MODULE OVERVIEW...3

More information

Security Target for Cisco Remote Access VPN

Security Target for Cisco Remote Access VPN Security Target for Cisco Remote Access VPN Reference: ST 16 May 2007 Version 1.17 CISCO Systems Inc. 170 West Tasman Drive San Jose CA 95124-1706 USA Copyright: 2007 Cisco Systems, Inc. Table of Contents

More information