AAR Test Summary. FireEye CM, FX, EX, and NX Series Appliances
AAR Test Summary
FireEye CM, FX, EX, and NX Series Appliances
FireEye CM, FX, EX, and NX Series Appliances Series Security Target, version 1.0
Protection Profile for Network Devices (NDPP), version 1.1, dated: 6/8/2012
Security Requirements for Network Devices Errata #3, dated: 1/13/2013
Version 3.0, 8/18/2015
Evaluated by: Office Park Dr. Montgomery Village, MD
Prepared for: National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme
Contents
1 TOE Overview
  1.1 CM Series Appliances: CM 4400, CM 7400, CM
  1.2 FX Series Appliances: FX 5400, FX
  1.3 EX Series Appliances: EX 3400, EX 5400, EX 8400, EX
  1.4 NX Series Appliances: NX 900, NX 1400, NX 2400, NX 4400, NX 4420, NX 7400, NX 7420, NX 7500, NX 10000, NX9450, NX
  1.5 Security Features
  1.6 Supported non-TOE Hardware/Software/Firmware
2 Test Identification
3 Testing Subset
4 Test Equivalency Justification
5 Recommendations/Conclusion
6 TSS and Guidance Activities
  FAU_GEN.1 Guidance (two entries); FAU_GEN; FAU_STG_EXT.1.1 TSS; FAU_STG_EXT.1.1 Guidance; FAU_STG_EXT.1.1 TSS 1 (not audit server); FAU_STG_EXT.1.1 Guidance 1 (not audit server); FCS_CKM.1.1 TSS; FCS_CKM_EXT.4.1 TSS; FCS_RBG_EXT.1.1 Guidance 1 (SP A DRBG); FDP_RIP.2.1 TSS; FIA_PMG_EXT.1.1 Guidance; FIA_UIA_EXT.1 TSS; FIA_UIA_EXT.1 Guidance; FMT_MTD.1 Guidance; FMT_MTD.1 TSS; FMT_SMF; FMT_SMR.2 Guidance
  FPT_SKP_EXT.1 TSS; FPT_APW_EXT.1 TSS (two entries); FPT_ITT.1 TSS (two entries); FPT_ITT.1 Guidance; FPT_STM.1 TSS; FPT_STM.1 Guidance (two entries); FPT_TUD_EXT.1 TSS (two entries); FPT_TST_EXT.1.1 TSS (two entries); FPT_TST_EXT.1.1 Guidance; FTA_TAB.1 TSS; FTP_ITC.1 TSS (two entries); FTP_ITC.1 Guidance; FTP_TRP.1 TSS (two entries); FTP_TRP.1 Guidance; FCS_TLS_EXT.1 TSS; FCS_TLS_EXT.1 Guidance; FCS_SSH_EXT.1.2 TSS; FCS_SSH_EXT.1.3 TSS; FCS_SSH_EXT.1.4 TSS; FCS_SSH_EXT.1.4 Guidance; FCS_SSH_EXT.1.6 TSS; FCS_SSH_EXT.1.6 Guidance; FCS_SSH_EXT.1.7 Guidance; FCS_SSH_EXT.1.7 TSS
7 Test Infrastructure ... 46
  7.1 Test Bed #: Physical Component Overview; Testbed Diagram; Testbed Addressing; Component Configuration Diagram
  Test Bed #: Physical Component Overview; Testbed Diagram; Testbed Addressing; Component Configuration Diagram
  Audit Testing Summary: FAU_GEN.1 Test; FAU_STG_EXT.1 Test 1 (not audit server)
  Cryptographic Support Testing Summary: FCS_CKM.1.1 Test; FCS_COP.1.1 (1) Test; FCS_COP.1.1 (2) Test; FCS_COP.1.1 (3) Test; FCS_COP.1.1 (4) Test; FCS_RBG_EXT.1.1 Test; FCS_RBG_EXT.1.1 Test 2 (SP A DRBG)
  Identification and Authentication Testing Summary: FIA_PMG_EXT.1 Test; FIA_UIA_EXT.1 Test # (three entries); FIA_UAU.7 Test #
  Protection of the TSF Testing Summary: FPT_STM.1 Test # (two entries); FPT_TUD_EXT.1 Test # (two entries)
  8.5 TOE Access Testing Summary: FTA_SSL_EXT.1 Test #; FTA_SSL.3 Test #; FTA_SSL.4 Test # (two entries); FTA_TAB.1 Test #
  Trusted Path/Channels Testing Summary: FTP_ITC.1 Test # (two entries); FTP_TRP.1 Test # (two entries)
  TLS Testing Summary: FCS_TLS_EXT.1 Test #; FCS_TLS_EXT.1 Test #2a; #2b; #2c; #2d
  SSH Testing Summary: FCS_SSH_EXT.1.2 Test # (two entries); FCS_SSH_EXT.1.3 Test #; FCS_SSH_EXT.1.4 Test #; FCS_SSH_EXT.1.6 Test #; FCS_SSH_EXT.1.7 Test #
Conclusion ... 66
1 TOE Overview
The TOE consists of several families of appliances working together to form the network protection solution. Collectively, the product families provide email, file, and network security with a centralized management platform. Each family performs a specific role in the overall network protection, as described below.

1.1 CM Series Appliances: CM 4400, CM 7400, CM 9400
The FireEye CM series is a group of management platforms that consolidates the administration, reporting, and data sharing of the FireEye NX, EX, and FX series in one easy-to-deploy, network-based platform. Within the FireEye deployment, the FireEye CM enables real-time sharing of the autogenerated threat intelligence to identify and block advanced attacks targeting the organization. It also enables centralized configuration, management, and reporting of FireEye platforms.

1.2 FX Series Appliances: FX 5400, FX 8400
The FireEye FX series is a group of threat prevention platforms that protect content against attacks originating in a wide range of file types. Web mail, online file transfer tools, the cloud, and portable file storage devices can introduce malware that can spread to file shares and content repositories. The FireEye FX platform analyzes network file shares and enterprise content management stores to detect and quarantine malware brought in by employees and others that bypass next-generation firewalls, IPS, AV, and gateways.

1.3 EX Series Appliances: EX 3400, EX 5400, EX 8400, EX 8420
The FireEye EX series secures against advanced attacks. As part of the FireEye Threat Prevention Platform, the FireEye EX uses signature-less technology to analyze every attachment and successfully quarantine spear-phishing emails used in advanced targeted attacks.

1.4 NX Series Appliances: NX 900, NX 1400, NX 2400, NX 4400, NX 4420, NX 7400, NX 7420, NX 7500, NX 10000, NX 9450, NX
The FireEye Network Threat Prevention Platform identifies and blocks zero-day Web exploits, droppers (binaries), and multi-protocol callbacks to help organizations scale their advanced threat defenses across a range of deployments, from the multi-gigabit headquarters down to remote, branch, and mobile offices. FireEye Network with Intrusion Prevention System (IPS) technology further optimizes spend, substantially reduces false positives, and enables compliance while driving security across known and unknown threats.

1.5 Security Features
The TOE is comprised of several security features. Each of the security features identified above consists of several security functionalities, as identified below:
- Security Audit
- Cryptography Support
- User Data Protection
- Identification & Authentication
- Security Management
- Protection of the TSF
- Trusted Path/Channel
- TOE Access
These features are consistent with the security functionality described in the NDPP.

1.6 Supported non-TOE Hardware/Software/Firmware
The TOE also supports (sometimes optionally) secure connectivity with several other IT environment devices, including:

Component | Required | Usage/Purpose Description for TOE performance
---|---|---
Management Workstation with Web Browser/SSH Client | Yes | This includes any IT Environment Management workstation with a Web Browser and an SSH client installed that is used by the TOE administrator to support TOE administration through HTTPS and SSH protected channels. Any SSH client that supports SSHv2 may be used. Any web browser that supports TLS 1.0 or greater may be used.
NTP Server | No | The TOE supports communications with an NTP server to synchronize date and time.
Syslog server | No | The syslog audit server is used for remote storage of audit records that have been generated by and transmitted from the TOE.
LDAP AAA Server | No | This includes any IT environment LDAP AAA server that provides authentication services to TOE administrators.
Table 1 IT Environment
2 Test Identification

Test Case ID | Description of test case
---|---
FAU_GEN.1 Test 1 | This test case demonstrated the TOE's ability to generate audit records based on specific events being triggered.
FAU_GEN.1 Guidance 1 | Guidance evaluation activity.
FAU_GEN.1 Guidance 2 | Guidance evaluation activity.
FAU_STG_EXT.1.1 TSS 1 | TSS evaluation activity.
FAU_STG_EXT.1.1 Guidance 1 | Guidance evaluation activity.
FAU_STG_EXT.1 Test 1 (not audit server) | This test case showed that the connection between the TOE and the remote audit server could be encrypted.
FAU_STG_EXT.1.1 TSS 1 (not audit server) | TSS evaluation activity.
FAU_STG_EXT.1.1 Guidance 1 (not audit server) | Guidance evaluation activity.
FCS_CKM_EXT.4.1 TSS 1 | TSS evaluation activity.
FCS_COP.1.1 (1) Test 1 | This test case verified the correct implementation of the cryptographic algorithm by testing against the NIST Validation System.
FCS_COP.1.1 (2) Test 1 | This test case verified the correct implementation of the cryptographic algorithm by testing against the NIST Validation System.
FCS_COP.1.1 (3) Test 1 | This test case verified the correct implementation of the cryptographic algorithm by testing against the NIST Validation System.
FCS_COP.1.1 (4) Test 1 | This test case verified the correct implementation of the cryptographic algorithm by testing against the NIST Validation System.
FCS_RBG_EXT.1.1 Test 1 | This test case verified the correct implementation of the cryptographic algorithm by testing against the NIST Validation System.
FCS_RBG_EXT.1.1 Test 2 (SP A DRBG) | This test case verified the correct implementation of the cryptographic algorithm by testing against the NIST Validation System.
FCS_RBG_EXT.1.1 Guidance 1 (SP A DRBG) | Guidance evaluation activity.
FDP_RIP.2.1 TSS 1 | TSS evaluation activity.
FIA_PMG_EXT.1.1 Guidance 1 | Guidance evaluation activity.
FIA_PMG_EXT.1 Test 1 | This test case verified the password capabilities of the TOE by attempting various good and bad password combinations and verifying that the TOE handled them correctly.
FIA_UIA_EXT.1 TSS 1 | TSS evaluation activity.
Test Case ID | Description of test case
---|---
FIA_UIA_EXT.1 Guidance 1 | Guidance evaluation activity.
FIA_UIA_EXT.1 Test #1 | This test case verified that, for both remote and local login, presenting the correct credentials resulted in access to the TOE and presenting incorrect credentials resulted in denied access.
FIA_UIA_EXT.1 Test #2 | This test case demonstrated that there is no remote functionality available to the administrator prior to logging into the TOE.
FIA_UIA_EXT.1 Test #3 | This test case demonstrated that there is no local functionality available to the administrator prior to logging into the TOE.
FIA_UAU.7 Test #1 | This test case demonstrated that during both local and remote logon the tester is not presented any feedback of the password entered.
FMT_MTD.1 Guidance 1 | Guidance evaluation activity.
FMT_MTD.1 TSS 1 | TSS evaluation activity.
FMT_SMR.2 Guidance 1 | Guidance evaluation activity.
FPT_SKP_EXT.1 TSS 1 | TSS evaluation activity.
FPT_APW_EXT.1 TSS 1 | TSS evaluation activity.
FPT_APW_EXT.1 TSS 2 | TSS evaluation activity.
FPT_ITT.1 TSS 1 | TSS evaluation activity.
FPT_ITT.1 TSS 2 | TSS evaluation activity.
FPT_ITT.1 Guidance 1 | Guidance evaluation activity.
FPT_ITT.1 Test 1 | This test case demonstrated secure connectivity between TOE components.
FPT_ITT.1 Test 2 | This test case demonstrated secure connectivity between TOE components.
FPT_STM.1 TSS 1 | TSS evaluation activity.
FPT_STM.1 Guidance 1 | Guidance evaluation activity.
FPT_STM.1 Guidance 2 | Guidance evaluation activity.
FPT_STM.1 Test #1 | This test demonstrated that the TOE administrator could update the TOE time.
FPT_STM.1 Test #2 | This test case demonstrated that the TOE could be configured to use a remote time server.
FPT_TUD_EXT.1 TSS 1 | TSS evaluation activity.
FPT_TUD_EXT.1 TSS 2 | TSS evaluation activity.
FPT_TUD_EXT.1 Test #1 | This test case demonstrated that the TOE could be updated when presented with a valid upgrade image.
FPT_TUD_EXT.1 Test #2 | This test case demonstrated that the TOE could detect and reject invalid software updates.
FPT_TST_EXT.1.1 TSS 1 | TSS evaluation activity.
Test Case ID | Description of test case
---|---
FPT_TST_EXT.1.1 TSS 2 | TSS evaluation activity.
FPT_TST_EXT.1.1 Guidance 1 | Guidance evaluation activity.
FTA_SSL_EXT.1 Test #1 | This test case demonstrated that when a local administrative session timeout is set, the TOE administrator is logged off after that time period has been crossed.
FTA_SSL.3 Test #1 | This test case demonstrated that when a remote administrative session timeout is set, the TOE administrator is logged off after that time period has been crossed.
FTA_SSL.4 Test #1 | This test case demonstrated that the local TOE administrator could log off of the TOE.
FTA_SSL.4 Test #2 | This test case demonstrated that the remote TOE administrator could log off of the TOE.
FTA_TAB.1 TSS 1 | TSS evaluation activity.
FTA_TAB.1 Test #1 | This test case demonstrated that the TOE supports a configurable banner for both local CLI and remote CLI administration.
FTP_ITC.1 TSS 1 | TSS evaluation activity.
FTP_ITC.1 TSS 2 | TSS evaluation activity.
FTP_ITC.1 Guidance 1 | Guidance evaluation activity.
FTP_ITC.1 Test #1 | This test case showed that the TOE could perform secure communications with remote syslog servers, time servers, and AAA servers over IPsec.
FTP_ITC.1 Test #2 | This test case demonstrated that when the TOE is physically disconnected from the remote IT entity and reconnected, communications do not resume in plaintext.
FTP_TRP.1 TSS 1 | TSS evaluation activity.
FTP_TRP.1 TSS 2 | TSS evaluation activity.
FTP_TRP.1 Guidance 1 | Guidance evaluation activity.
FTP_TRP.1 Test #1 | This test case demonstrated that remote administration of the TOE takes place over encrypted communications (an SSH connection).
FTP_TRP.1 Test #2 | This test case demonstrated that the TOE denies insecure remote administration attempts (telnet/http).
FCS_TLS_EXT.1.1 TSS 1 | TSS evaluation activity.
FCS_TLS_EXT.1.1 Guidance 1 | Guidance evaluation activity.
FCS_TLS_EXT.1.1 Test #1 | This test case demonstrated the TOE's ability to use secure ciphersuites.
FCS_TLS_EXT.1.1 Test #2 | This test case demonstrated the TOE's correct implementation of the TLS stack.
FCS_SSH_EXT.1.2 TSS 1 | TSS evaluation activity.
Test Case ID | Description of test case
---|---
FCS_SSH_EXT.1.2 Test #1 | This test case demonstrated the TOE's ability to use asymmetric authentication for SSH session authentication.
FCS_SSH_EXT.1.2 Test #2 | This test case demonstrated the TOE's ability to use password authentication for SSH session authentication.
FCS_SSH_EXT.1.3 TSS 1 | TSS evaluation activity.
FCS_SSH_EXT.1.3 Test #1 | This test case demonstrated the TOE's ability to reject SSH packets larger than the allowed packet size.
FCS_SSH_EXT.1.4 TSS 1 | TSS evaluation activity.
FCS_SSH_EXT.1.4 Guidance 1 | Guidance evaluation activity.
FCS_SSH_EXT.1.4 Test #1 | This test case demonstrated the TOE's ability to use secure encryption algorithms for SSH sessions.
FCS_SSH_EXT.1.6 TSS 1 | TSS evaluation activity.
FCS_SSH_EXT.1.6 Guidance 1 | Guidance evaluation activity.
FCS_SSH_EXT.1.6 Test #1 | This test demonstrated the TOE's ability to use secure MAC algorithms for session integrity.
FCS_SSH_EXT.1.7 Guidance 1 | Guidance evaluation activity.
FCS_SSH_EXT.1.7 TSS 1 | TSS evaluation activity.
FCS_SSH_EXT.1.7 Test #1 | This test case demonstrated the TOE's ability to use Diffie-Hellman Group 14 for SSH sessions. This test case also demonstrated the TOE's ability to reject Diffie-Hellman Group 1 during SSH session establishment.
Table 2 Testing Summary
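Two of the SSH checks in Table 2 (FCS_SSH_EXT.1.3, rejecting oversized packets, and FCS_SSH_EXT.1.7, accepting Diffie-Hellman group 14 while rejecting group 1) are decisions a server makes on the very first packets of a session. The following is an added illustration, not code from the evaluation or from the FireEye product: it parses an unencrypted SSH binary packet and a KEXINIT message per RFC 4253, enforces the 35000-byte limit that RFC 4253 lets implementations apply, and selects a key-exchange method from an allow list. The allow list containing only `diffie-hellman-group14-sha1`, the helper names, and the constructed client offers are all assumptions made for the example.

```python
import struct
from typing import Dict, List, Optional, Tuple

# RFC 4253 section 6.1: implementations must accept total packet lengths up to
# 35000 bytes and may reject anything larger. This is the limit applied here.
MAX_PACKET_LEN = 35000
SSH_MSG_KEXINIT = 20
# Key-exchange methods the server will agree to. Assumption for this example:
# only group 14 is allowed, so an offer of group 1 alone must be rejected.
ALLOWED_KEX = {"diffie-hellman-group14-sha1"}
# Order of the name-lists that follow the cookie in a KEXINIT (RFC 4253 section 7.1).
KEXINIT_FIELDS = ("kex_algorithms", "server_host_key_algorithms",
                  "encryption_c2s", "encryption_s2c", "mac_c2s", "mac_s2c",
                  "compression_c2s", "compression_s2c", "languages_c2s", "languages_s2c")


class SSHPacketError(ValueError):
    """Raised for any packet the server refuses to process."""


def parse_binary_packet(data: bytes, block_size: int = 8) -> bytes:
    """Validate an unencrypted SSH binary packet (RFC 4253 section 6) and return its payload."""
    if len(data) < 5:
        raise SSHPacketError("truncated packet header")
    packet_length = struct.unpack(">I", data[:4])[0]
    # Check the declared size before it is used for any slicing or buffering.
    if packet_length + 4 > MAX_PACKET_LEN:
        raise SSHPacketError(f"packet too large: {packet_length + 4} bytes")
    if len(data) < 4 + packet_length:
        raise SSHPacketError("packet shorter than its declared length")
    padding_length = data[4]
    if padding_length < 4:
        raise SSHPacketError("padding shorter than the 4-byte minimum")
    if (4 + packet_length) % block_size:
        raise SSHPacketError("packet length is not a multiple of the block size")
    payload_len = packet_length - padding_length - 1
    if payload_len < 0:
        raise SSHPacketError("padding longer than the packet")
    return data[5:5 + payload_len]


def _read_name_list(buf: bytes, off: int) -> Tuple[List[str], int]:
    if len(buf) < off + 4:
        raise SSHPacketError("truncated name-list length")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    raw = buf[off + 4:off + 4 + n]
    if len(raw) != n:
        raise SSHPacketError("truncated name-list")
    return [s for s in raw.decode("ascii").split(",") if s], off + 4 + n


def parse_kexinit(payload: bytes) -> Dict[str, List[str]]:
    """Extract the algorithm name-lists from a KEXINIT payload."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise SSHPacketError("not a KEXINIT message")
    off = 1 + 16  # message id followed by the 16-byte cookie
    names: Dict[str, List[str]] = {}
    for field in KEXINIT_FIELDS:
        names[field], off = _read_name_list(payload, off)
    return names


def select_kex(peer_kex: List[str]) -> Optional[str]:
    """Pick the first client-preferred method that is on the allow list (RFC 4253 section 7.1)."""
    for name in peer_kex:
        if name in ALLOWED_KEX:
            return name
    return None


def evaluate_client_kexinit(packet: bytes) -> Tuple[bool, str]:
    """Server-side decision for one client KEXINIT packet: (accepted, chosen method or reason)."""
    try:
        names = parse_kexinit(parse_binary_packet(packet))
    except SSHPacketError as exc:
        return False, str(exc)
    chosen = select_kex(names["kex_algorithms"])
    if chosen is None:
        return False, "no acceptable kex method in " + ",".join(names["kex_algorithms"])
    return True, chosen


# --- constructed test traffic (not captured from a real client) ---
def build_packet(payload: bytes, block_size: int = 8) -> bytes:
    """Wrap a payload in an unencrypted binary packet with minimal RFC-compliant padding."""
    padding_length = (-(len(payload) + 5)) % block_size
    if padding_length < 4:
        padding_length += block_size
    packet_length = 1 + len(payload) + padding_length
    return struct.pack(">IB", packet_length, padding_length) + payload + bytes(padding_length)


def build_kexinit(kex: List[str]) -> bytes:
    """Build a minimal client KEXINIT offering the given key-exchange methods."""
    def name_list(items: List[str]) -> bytes:
        s = ",".join(items).encode("ascii")
        return struct.pack(">I", len(s)) + s
    body = bytes([SSH_MSG_KEXINIT]) + bytes(16)  # zero cookie is fine for a constructed sample
    for lst in [kex, ["ssh-rsa"], ["aes128-cbc"], ["aes128-cbc"], ["hmac-sha1"], ["hmac-sha1"],
                ["none"], ["none"], [], []]:
        body += name_list(lst)
    return body + b"\x00" + struct.pack(">I", 0)  # first_kex_packet_follows = FALSE, reserved


if __name__ == "__main__":
    for offer in (["diffie-hellman-group14-sha1"], ["diffie-hellman-group1-sha1"],
                  ["diffie-hellman-group1-sha1", "diffie-hellman-group14-sha1"]):
        print(offer, "->", evaluate_client_kexinit(build_packet(build_kexinit(offer))))
    print("oversized ->", evaluate_client_kexinit(build_packet(bytes(40000))))
```

The size check runs on the declared `packet_length` before any slice or allocation depends on it, which is the order that matters for FCS_SSH_EXT.1.3; the key-exchange selection walks the client's list in its preference order but only ever returns a method from the server's allow list, so a client that offers group 1 alongside group 14 is steered to group 14, and one that offers only group 1 is refused.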
3 Testing Subset
The following table identifies the chosen subset of TOE hardware models to be tested.

TOE Model | Chosen for Testing
---|---
CM Series Appliances |
CM 4400 | No
CM 7400 | Yes
CM 9400 | No
FX Series Appliances |
FX 5400 | Yes
FX 8400 | No
EX Series Appliances |
EX 3400 | No
EX 5400 | Yes
EX 8400 | No
EX 8420 | No
NX Series Appliances |
NX 900 | No
NX 1400 | No
NX 2400 | Yes
NX 4400 | No
NX 4420 | No
NX 7400 | Yes
NX 7420 | No
NX 7500 | Yes
NX | No
NX 9450 | No
NX | No
Table 3 Testing Subset
4 Test Equivalency Justification
The following equivalency analysis provides a per-category analysis of key areas of differentiation for each hardware model to determine the minimum subset to be used in testing. The areas examined use the areas and analysis description provided in the supporting documentation for the NDPP.

Platform/Hardware Differences
The TOE boundary is inclusive of all hardware required by the TOE. The hardware platforms do not provide any of the TSF functionality. The hardware within the TOE only differs by configuration and performance. There are no hardware-specific dependencies of the product. There is no hardware-specific functionality between appliance types. The base hardware may be configured as multiple types of appliances.
Result: There are no hardware dependencies. All CM Appliances are equivalent. All EX Appliances are equivalent. All FX Appliances are equivalent. NX Appliances: See processor analysis below for hardware related recommendations.
Processor Differences
Across appliance platforms, there are several processors included, as follows. The AMD Opteron processors listed all support the same instruction sets: MMX, SSE, SSE2, SSE3, SSSE3, SSE4, AES, AVX, BMI1, F16C, FMA3, FMA4, TBM, XOP. The Intel Xeon E v2 (Ivy Bridge) supports MMX, AES-NI, CLMUL, FMA3, x86-64, Intel 64, SSE, SSE2, SSE3, SSSE3, SSE4, SSE4.1, SSE4.2, AVX, AVX2, TXT, TSX, VT-x, VT-d.

Appliance | Processor | Processor Family | Cores / Base Speed | Bits | Floating Point Units | Bus Speed
---|---|---|---|---|---|---
CM 4400 | AMD Opteron 6328 | AMD Opteron 6300 Series | 8 cores, 2500 MHz | 64 bit | 256-bit FPU | 6400 MT/s
CM 7400, CM 9400 | AMD Opteron 6380 | AMD Opteron 6300 Series | 16 cores, 3200 MHz | 64 bit | 256-bit FPU | 6400 MT/s
FX 5400 | AMD Opteron 6328 | AMD Opteron 6300 Series | 8 cores, 2500 MHz | 64 bit | 256-bit FPU | 6400 MT/s
FX 8400 | AMD Opteron 6380 | AMD Opteron 6300 Series | 16 cores, 3200 MHz | 64 bit | 256-bit FPU | 6400 MT/s
EX 3400 | AMD Opteron | AMD Opteron 6300 Series | 8 cores, 2500 MHz | 64 bit | 256-bit FPU | 6400 MT/s
EX 8400, EX 8420 | AMD Opteron 6380 | AMD Opteron 6300 Series | 16 cores, 3200 MHz | 64 bit | 256-bit FPU | 6400 MT/s
NX 900 | AMD Opteron 3365 | AMD Opteron 3300 Series | 8 cores, 2300 MHz | 64 bit | N/A | MT/s
NX 1400, NX 2400 | AMD Opteron 4334 | AMD Opteron 4300 Series | 6 cores, 3100 MHz | 64 bit | N/A | 6400 MT/s
NX 4400 | AMD Opteron 6328 | AMD Opteron 6300 Series | 8 cores, 2500 MHz | 64 bit | 256-bit FPU | 6400 MT/s
NX 4420, NX 7400, NX, NX 9450, NX, NX | AMD Opteron | AMD Opteron 6300 Series | 16 cores, 3200 MHz | 64 bit | 256-bit FPU | 6400 MT/s
NX 7500 | Intel Xeon E v2 (Ivy Bridge) | Intel Xeon (Ivy Bridge) family | 12 cores, 2.8 GHz | 64 bit | 256-bit FPU | GB/s
Table 4 Processor Differences
The table above identifies all of the CPUs included in the products; generally speaking, two closely related CPUs are used in the platforms. There are several exceptions to this in the NX series appliances. The following table provides an analysis and recommendations on an appliance series basis.

CM Series Appliances (CM 4400, CM 7400, CM 9400)
Analysis: Each of these platforms uses one of two very closely related CPUs for processing. Both CPUs are part of the same processor family and support the same instruction sets. These CPUs only differ in performance related metrics (specifically cores and speed). All other aspects of the chips are identical.
Recommendation: Because the processors are nearly identical, one example of the CM series of appliances will sufficiently demonstrate the functionality of the devices.

FX Series Appliances (FX 5400, FX 8400)
Analysis: Each of these platforms uses one of two very closely related CPUs for processing. Both CPUs are part of the same processor family and support the same instruction sets. These CPUs only differ in performance related metrics (specifically cores and speed). All other aspects of the chips are identical.
Recommendation: Because the processors are nearly identical, one example of the FX series of appliances will sufficiently demonstrate the functionality of the devices.

EX Series Appliances (EX 3400, EX 5400, EX 8400, EX 8420)
Analysis: Each of these platforms uses one of two very closely related CPUs for processing. Both CPUs are part of the same processor family and support the same instruction sets. These CPUs only differ in performance related metrics (specifically cores and speed). All other aspects of the chips are identical.
Recommendation: Because the processors are nearly identical, one example of the EX series of appliances will sufficiently demonstrate the functionality of the devices.

NX Series Appliances (NX 900, NX 1400, NX 2400, NX 4400, NX 4420, NX 7400, NX 7420, NX 9450, NX, NX)
Analysis: This family of appliances supports several different types of CPUs. Several of the appliances include the same AMD Opteron 6300 CPUs as the CM, EX, and FX appliances. The analyses associated with those platforms apply to these platforms. Several of the appliances also support the AMD Opteron 4300 CPUs (NX 1400 and 2400) and 3300 CPUs (NX 900). These processors are also very similar to the AMD Opteron processors, with the exception that there is no FPU support. Amongst these processors, there are several non-security-relevant differences, including cores, base speed, and bus speed. Finally, two of the NX 7500 appliances include Intel Ivy Bridge processors. These processors again are very closely related. They both are the same architecture and support the same instruction sets and FPUs. They include several non-security-relevant differences, including cores, base speed, and bus speed.
Recommendation: Because of the similarity in processors, one example of a platform with an AMD Opteron 3300/4300, one example with an AMD Opteron 6300, and one example with an Intel Ivy Bridge should be acceptable. One possible subset would include: 1. NX NX NX7500
Table 5 Processor Analysis
Result: See analysis table above for recommendation.
Software/OS Dependencies
The underlying OS is installed with the application level software on each of the appliances. The underlying OS for all models within the TOE is CentOS 6.5 (Linux Kernel ). There are no specific dependencies on the OS since the TOE will not be installed on different OSs. Additionally, the underlying OS that is installed as part of the product software is identical not only between platforms in a given appliance series but also across all platforms.
Result: There are no OS dependencies. All CM Appliances are equivalent. All EX Appliances are equivalent. All FX Appliances are equivalent. All NX Appliances are equivalent.

Differences in TOE Software Binaries
All platforms run software version 7.6. Additionally, all of the platforms within a given appliance series run the exact same binary, as follows:

Appliance | Binary
---|---
CM Series Appliances |
CM 4400 | image-cms.img
CM 7400 | image-cms.img
CM 9400 | image-cms.img
FX Series Appliances |
FX 5400 | image-fms.img
FX 8400 | image-fms.img
EX Series Appliances |
EX 3400 | image-emps.img
EX 5400 | image-emps.img
EX 8400 | image-emps.img
EX 8420 | image-emps.img
NX Series Appliances |
NX 900 | image-wmps.img
NX 1400 | image-wmps.img
NX 2400 | image-wmps.img
NX 4400 | image-wmps.img
NX 4420 | image-wmps.img
NX 7400 | image-wmps.img
NX 7420 | image-wmps.img
NX 7500 | image-wmps.img
NX9450 | image-wmps.img
NX | image-wmps.img
NX | image-wmps.img
Table 6 TOE Software Binaries

There are NO differences in the software being run (per appliance series).
Result: There is no model specific software. All CM Appliances are equivalent. All EX Appliances are equivalent. All FX Appliances are equivalent. All NX Appliances are equivalent.

Differences in Libraries Used to Provide TOE Functionality
All software binaries compiled in the TOE software are identical, including the version of the library, regardless of the platform for which the software is compiled. There are no differences between the included libraries.
Result: There are no differences in the included libraries. All CM Appliances are equivalent. All EX Appliances are equivalent. All FX Appliances are equivalent. All NX Appliances are equivalent.

TOE Management Interface Differences
There are several management interfaces for each of the appliances within the TOE, including:

Appliance Family | Local CLI | Remote CLI (via SSH) | Remote GUI (device specific) | Remote GUI (through CM)
---|---|---|---|---
CM Series | Yes | Yes | Yes | N/A
EX Series | Yes | Yes | Yes | Yes
FX Series | Yes | Yes | Yes | Yes
NX Series | Yes | Yes | Yes | Yes
Table 7 TOE Management Interfaces

The table above illustrates that each appliance can be managed either locally (via CLI) or remotely (via CLI or GUI). There is no difference in the way the administrative user interacts with each of the devices on a per appliance series basis. For example, the user interacts with and is presented with the same management interface whether she is interacting with a CM4400 or a CM9400. The management interface is identical for each appliance in a given series.
Result: There are no differences in the user interface amongst platforms. All CM Appliances are equivalent. All EX Appliances are equivalent. All FX Appliances are equivalent. All NX Appliances are equivalent.

TOE Functional Differences
Each hardware model within the TOE boundary provides identical functionality. There is no difference in the way the user interacts with each of the devices or the services that are available for each of these devices on a per appliance series basis. For example, the user interaction with a CM4400 is identical to that of a CM9400. Each device within an appliance series runs the same version of software.
Result: There are no security functional differences between platforms in a series. All CM Appliances are equivalent. All EX Appliances are equivalent. All FX Appliances are equivalent. All NX Appliances are equivalent.
5 Recommendations/Conclusion
Based on the analysis above, the following will sufficiently test the TOE:

Appliance Family | Required for Testing
---|---
CM Series | One appliance example
EX Series | One appliance example
FX Series | One appliance example
NX Series | One of the following appliances: NX900, NX1400, NX2400; one of the following appliances: NX4400, NX4420, NX7400, NX7420, NX10000, NX9450, NX10450; one of the following appliances: NX7500
Table 8 Required Subset
6 TSS and Guidance Activities

FAU_GEN.1 Guidance 1
The evaluator shall check the administrative guide and ensure that it lists all of the auditable events and provides a format for audit records. Each audit record format type must be covered, along with a brief description of each field. The evaluator shall check to make sure that every audit event type mandated by the PP is described and that the description of the fields contains the information required in FAU_GEN.1.2, and the additional information specified in Table
Evaluator Findings: The evaluator checked the administrative guide to ensure that it lists all of the auditable events and provides a format for audit records. Section "Audit Messages," page 17, of the AGD was used to determine the verdict of this work unit. Upon investigation, the evaluator found that the AGD explicitly lists each of the auditable events and the fields associated with each audit record. Based on these findings, this assurance activity is considered satisfied.
Verdict:

FAU_GEN.1 Guidance 2
The evaluator shall also make a determination of the administrative actions that are relevant in the context of this PP. The evaluator shall examine the administrative guide and make a determination of which administrative commands, including subcommands, scripts, and configuration files, are related to the configuration (including enabling or disabling) of the mechanisms implemented in the TOE that are necessary to enforce the requirements specified in the PP. The evaluator shall document the methodology or approach taken while determining which actions in the administrative guide are security relevant with respect to this PP. The evaluator may perform this activity as part of the activities associated with ensuring the AGD_OPE guidance satisfies the requirements.
Evaluator Findings: The evaluator made a determination of the administrative actions that are relevant in the context of this PP. The AGD document and all of the configuration guides listed in section 9 of this document were used as part of this evaluation. The evaluator performed the following actions to identify the set of security relevant CLI commands and GUI options required by the evaluated configuration. The evaluator first began stepping through the AGD document. In addition to providing configuration specific guidance for configuring the TOE in the evaluated configuration, the document acts as a mapping document to other general guidance documents for the TOE. As part of this review, the evaluator compared the AGD document to the ST to verify that each of the claimed security functionalities is discussed. Next, the evaluator reviewed each section of the other configuration documents referenced by the AGD. Based on this analysis, the evaluator found the following actions to be security relevant:
- Configuring users: [AGD] Page 26 Adding an Admin User and Setting the Password
- Enabling/disabling compliance mode: [AGD] Page 18 Entering Compliance, Page 19 Exiting Compliance
- Configuring audit: [AGD] Page 20 Starting Audit Log Services, Page 20 Stopping Audit Log Services
- Configuring TLS connections: [AGD] Page 27 Enabling TLS for HTTP Connections and Setting the Cipher List
- Configuring SSH connections: [AGD] Page 27 Enabling ssh and Setting the Cipher List
- Configuring authentication data: [AGD] Page 26 Adding an Admin User and Setting the Password and Setting an Authentication Method
- Configuring time/ntp: [AGD] Page 20 Setting the Clock
- Performing updates: [AGD] Page 28 Installing an Updated System Image
- Configuring the administrative inactivity period: [AGD] Page 28 Configuring the Administrative Inactivity Period
- Configuring remote login banner: [AGD] Page 28 Configuring the Remote Login Banner
Verdict:

FAU_GEN.2
None. The evaluation of this SFR is tested in conjunction with the testing of FAU_GEN

FAU_STG_EXT.1.1 TSS 1
The evaluator shall examine the TSS to ensure it describes the amount of audit data that are stored locally; what happens when the local audit data store is full; and how these records are protected against unauthorized access.
Evaluator Findings: The evaluator examined the TSS to ensure it describes the amount of audit data that are stored locally; what happens when the local audit data store is full; and how these records are protected against unauthorized access. Table 14 of Section 5 of the ST was used to determine the verdict of this work unit. Upon investigation, the evaluator found that:
1. The local logging buffer size can be configured from a range of 4096 (default) up to bytes.
2. The log buffer is circular, so newer messages overwrite older messages after the buffer is full.
3. The TOE protects communications with an external syslog server via TLS. Only Authorized Administrators are able to clear the local logs, and local audit records are stored in a directory that does not allow administrators to modify the contents.
Based on these findings, this Assurance Activity is considered satisfied.
Verdict:
25 Verdict FAU_STG_EXT.1.1 Guidance 1 The evaluator shall also examine the operational guidance to determine that it describes the relationship between the local audit data and the audit data that are sent to the audit log server (for TOEs that are not acting as an audit log server). For example, when an audit event is generated, is it simultaneously sent to the external server and the local store, or is the local store used as a buffer and cleared periodically by sending the data to the audit server Evaluator Findings The evaluator examined the operational guidance and determined that it describes the relationship between the local audit data and the audit data that are sent to the audit log server (for TOEs that are not acting as an audit log server). The AGD was used to determine the verdict of this work unit. Upon investigation, the evaluator found that section, Audit Message, page 18, contains a description of the relationship between remote audit records and local audit records. Specifically, audit records are "stored locally and sent remotely at the same time. Based on these findings, this work unit is considered satisfied Verdict FAU_STG_EXT.1.1 TSS 1 (not audit server) The evaluator shall examine the TSS to ensure it describes the means by which the audit data are transferred to the external audit server, and how the trusted channel is provided Evaluator Findings The evaluator examined the TSS to ensure it describes the means by which the audit data are transferred to the external audit server, and how the trusted channel is provided. Table 14 of Section 5 was used to determine the verdict of this work unit. Upon investigation, the evaluator found that the TOE protects communication with the syslog server via a TLS encrypted channel. The TOE transmits its audit events to all configured syslog servers at the same time logs are written to the local log buffer and to the console. The TOE is capable of detecting when the TLS connection fails. 
If the TLS connection fails, the TOE will buffer the audit records on the TOE when it discovers it can no longer communicate with its configured syslog server, and will transmit the buffer contents when connectivity to the syslog server is restored. Based on these findings, this Assurance Activity is considered satisfied Verdict
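The store-and-forward relationship described in the two findings above (every record written to the local store and sent to the remote syslog server at the same time; records held back while the TLS channel is down and replayed when it returns), as an added example that is not FireEye's code and not the evaluated product's implementation. The class and method names (AuditForwarder, FakeTlsSyslog) are assumptions, the TLS syslog channel is replaced by an in-memory stub that can be switched down and up so the logic runs offline, and the bounded per-server queue with a drop counter is an added design choice that the report does not describe.

```python
"""Store-and-forward audit forwarding modelled on the findings above.

Constructed example, not FireEye's code: class and method names are assumptions,
the TLS syslog channel is an in-memory stub, and the bounded queue with a drop
counter is an added design choice the report does not describe.
"""
from collections import deque


class ChannelDown(Exception):
    """Raised by the transport when the TLS connection to the syslog server is lost."""


class FakeTlsSyslog:
    """Stand-in for a TLS-protected syslog server connection (no real network or TLS)."""

    def __init__(self):
        self.up = True          # toggled by the demo to simulate connection failure
        self.received = []      # records the 'server' accepted, in arrival order

    def send(self, record: str) -> None:
        if not self.up:
            raise ChannelDown("TLS connection to syslog server is down")
        self.received.append(record)


class AuditForwarder:
    """Every record is written to the local store and offered to each remote at the
    same time; undeliverable records wait in a per-remote FIFO and are replayed in
    order once the channel is back."""

    def __init__(self, remotes, max_buffer=1000):
        self.local_store = []
        self.remotes = list(remotes)
        self._queues = {id(r): deque() for r in self.remotes}
        self.max_buffer = max_buffer
        self.dropped = 0        # oldest records discarded on queue overflow (assumption)

    def emit(self, record: str) -> None:
        self.local_store.append(record)          # local copy never depends on remote delivery
        for remote in self.remotes:
            q = self._queues[id(remote)]
            q.append(record)                     # queue first so ordering survives outages
            if len(q) > self.max_buffer:
                q.popleft()
                self.dropped += 1
            self._drain(remote, q)

    def _drain(self, remote, q) -> int:
        delivered = 0
        while q:
            try:
                remote.send(q[0])
            except ChannelDown:
                break                            # leave the record queued; retry on flush()
            q.popleft()
            delivered += 1
        return delivered

    def flush(self) -> int:
        """Replay buffered records (e.g. after a reconnect); returns how many were delivered."""
        return sum(self._drain(r, self._queues[id(r)]) for r in self.remotes)

    def pending(self) -> int:
        """Number of records still waiting for a remote."""
        return sum(len(q) for q in self._queues.values())


def outage_demo():
    """Three records, with the TLS channel failing between the first and second."""
    remote = FakeTlsSyslog()
    fwd = AuditForwarder([remote])
    fwd.emit("1 login admin success")
    remote.up = False                            # TLS connection fails
    fwd.emit("2 config change by admin")
    fwd.emit("3 logout admin")
    remote.up = True                             # connectivity restored
    fwd.flush()
    return fwd, remote


if __name__ == "__main__":
    fwd, remote = outage_demo()
    print("local:", fwd.local_store)
    print("remote:", remote.received, "pending:", fwd.pending())
```

The point the example makes explicit is that the local store is written unconditionally and before any remote attempt, so an outage of the trusted channel can delay remote delivery but never loses the local record; the overflow policy (drop the oldest and count it) is the one detail an evaluator would ask about that the report leaves open.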
6.1.7 FAU_STG_EXT.1.1 Guidance 1 (not audit server)

The evaluator shall also examine the operational guidance to ensure it describes how to establish the trusted channel to the audit server, as well as describe any requirements on the audit server (particular audit server protocol, version of the protocol required, etc.), as well as configuration of the TOE needed to communicate with the audit server.

Evaluator Findings

The evaluator examined the operational guidance to ensure it describes how to establish the trusted channel to the audit server, any requirements on the audit server (particular audit server protocol, version of the protocol required, etc.), and the configuration of the TOE needed to communicate with the audit server. The AGD document was used as part of this evaluation. Upon investigation, the evaluator found that section "Using an Audit Server," page 16, of the AGD document provides a description of the requirements for remote logging. In particular, connections between the TOE and the remote syslog server must be protected using TLS. The section also provides a description of the required configuration options for the syslog server. Based on these findings, this assurance activity is considered satisfied.

Verdict

6.1.8 FCS_CKM.1.1 TSS 1

The evaluator shall ensure that the TSS contains a description of how the TSF complies with NIST SP 800-56A and/or 800-56B, depending on the selections made. This description shall indicate the sections in 800-56A and/or 800-56B that are implemented by the TSF, and the evaluator shall ensure that key establishment is among those sections that the TSF claims to implement. Any TOE-specific extensions, processing that is not included in the documents, or alternative implementations allowed by the documents that may impact the security requirements the TOE is to enforce shall be described.

Evaluator Findings

The evaluator reviewed Table 14 of Section 5 of the ST and found that the TSS explicitly indicates that the TOE implements several key establishment schemes, including FFC Diffie-Hellman as specified in NIST SP 800-56A, ECDH Diffie-Hellman as specified in NIST SP 800-56A, and RSA key transport as specified in NIST SP 800-56B. The TSS indicates that the TOE is fully compliant with SP 800-56A and SP 800-56B and that the TOE does not implement any TOE-specific extensions. Based on these findings, this assurance activity is considered satisfied.

Verdict
6.1.9 FCS_CKM_EXT.4.1 TSS 1

The evaluator shall check to ensure the TSS describes each of the secret keys (keys used for symmetric encryption), private keys, and CSPs used to generate keys; when they are zeroized (for example, immediately after use, on system shutdown, etc.); and the type of zeroization procedure that is performed (overwrite with zeros, overwrite three times with random pattern, etc.). If different types of memory are used to store the materials to be protected, the evaluator shall check to ensure that the TSS describes the zeroization procedure in terms of the memory in which the data are stored (for example, "secret keys stored on flash are zeroized by overwriting once with zeros, while secret keys stored on the internal hard drive are zeroized by overwriting three times with a random pattern that is changed before each write").

Evaluator Findings

The evaluator examined Table 14 of Section 5 in the ST and found the following.

Table 9 Zeroization

Keys                         Zeroization Description
Diffie Hellman private key   Keys are overwritten with zeros at power cycle.
Diffie Hellman public key    Keys are overwritten with zeros at power cycle.
SSH Private Key              Key is overwritten by zeros when the compliance declassify zeroize command is issued.
SSH Public Key               Key is overwritten by zeros when the compliance declassify zeroize command is issued.
SSH Session Key              Keys are overwritten with zeros at power cycle.
SSH Integrity Key            Keys are overwritten with zeros at power cycle.
TLS Private Key              Key is overwritten by zeros when the compliance declassify zeroize command is issued.
TLS Public Key               Keys are overwritten with zeros at power cycle.
TLS Session Encryption Key   Keys are overwritten with zeros at power cycle.
TLS Session Integrity Key    Keys are overwritten with zeros at power cycle.

Each secret key and CSP is described along with its zeroization characteristics. Based on these findings, this Assurance Activity is considered satisfied.

Verdict

6.1.10 FCS_RBG_EXT.1.1 Guidance 1 (SP 800-90A DRBG)

The evaluator shall also confirm that the operational guidance contains appropriate instructions for configuring the RBG functionality.

Evaluator Findings

The evaluator confirmed that the operational guidance contains appropriate instructions for configuring the RBG functionality. The AGD document was used to determine the verdict of this work unit. Upon investigation, the evaluator found that section "Enabling the Trusted Platform Module," page 11, provides a description of how to enable the TPM within the product, which is required to appropriately seed the implemented DRBG. Based on these findings, this assurance activity is considered satisfied.

Verdict

6.1.11 FDP_RIP.2.1 TSS 1

The evaluator shall check to ensure that the TSS describes packet processing to the extent that they can determine that no data will be reused when processing network packets. The evaluator shall ensure that this description at a minimum describes how the previous data are zeroized/overwritten, and at what point in the buffer processing this occurs.

Evaluator Findings

The evaluator checked to ensure that the TSS describes packet processing to the extent that they can determine that no data will be reused when processing network packets. Table 14 of Section 5 of the ST was used in this analysis. Upon investigation, the evaluator found that packets that are not of the required length are padded with zeros. Residual data is never transmitted from the TOE. Once packet handling is completed, the packet's content is overwritten before the memory buffer that previously contained it is reused. Based on these findings, this Assurance Activity is considered satisfied.

Verdict

6.1.12 FIA_PMG_EXT.1.1 Guidance 1

The evaluator shall examine the operational guidance to determine that it provides guidance to security administrators on the composition of strong passwords, and that it provides instructions on setting the minimum password length.

Evaluator Findings

The evaluator examined the operational guidance to determine that it provides guidance to security administrators on the composition of strong passwords, and that it provides instructions on setting the minimum password length. The AGD was used as part of this evaluation. Upon investigation, the evaluator found that section "Strong Passwords," page 1, of the AGD provides guidance on the minimum password requirements for the TOE in the evaluated configuration. Based on these findings, this assurance activity is considered satisfied.

Verdict

6.1.13 FIA_UIA_EXT.1 TSS 1

The evaluator shall examine the TSS to determine that it describes the logon process for each logon method (local, remote (HTTPS, SSH, etc.)) supported for the product. This description shall contain information pertaining to the credentials allowed/used, any protocol transactions that take place, and what constitutes a successful logon.
Evaluator Findings

The evaluator examined the TSS to determine that it describes the logon process for each logon method (local, remote (HTTPS, SSH, etc.)) supported for the product. Table 14 of Section 5 of the ST was used to determine the verdict of this analysis. The TOE mediates all administrative actions through one of two interfaces, the CLI or the GUI. Once a potential administrative user attempts to access the CLI or GUI of the TOE, either through a directly connected console or remotely through an HTTPS/SSHv2 connection, the TOE prompts the user for a user name and password. The TOE provides a local password-based authentication mechanism as well as TLS-protected LDAP authentication, if configured. At initial login, the administrative user is prompted to provide a username. After the user provides the username, the user is prompted to provide the administrative password associated with the user account. The TOE then either grants administrative access (if the combination of username and password is correct) or indicates that the login was unsuccessful. Based on these findings, this Assurance Activity is considered satisfied.

Verdict

6.1.14 FIA_UIA_EXT.1 Guidance 1

The evaluator shall examine the operational guidance to determine that any necessary preparatory steps (e.g., establishing credential material such as pre-shared keys, tunnels, certificates, etc.) to logging in are described. For each supported login method, the evaluator shall ensure the operational guidance provides clear instructions for successfully logging on. If configuration is necessary to ensure the services provided before login are limited, the evaluator shall determine that the operational guidance provides sufficient instruction on limiting the allowed services.

Evaluator Findings

The evaluator examined the operational guidance to determine that any necessary preparatory steps (e.g., establishing credential material such as pre-shared keys, tunnels, certificates, etc.) to logging in are described. The AGD, CMSAG, FXSAG, NXSAG, and EXSAG documents were used with the evaluation activity. Upon investigation, the evaluator found that two methods of administration are available to the user:

- Command Line Interface (CLI)
- Graphical User Interface (GUI)

The evaluator found that users are able to authenticate to the TOE at both the CLI and GUI and that the configuration steps for each interface are provided. The evaluator found that the following sections provide preparatory instructions for configuring users and credentials:

- CMSAG section "Managing Users using the WebUI," page 242
- CMSAG section "Managing Users using the CLI," page 243
- CMSAG section "Configuring Password Validation Policies," page 247
- FXAG section "Managing Users using the WebUI," page 109
- FXAG section "Managing Users using the CLI," page 109
- FXAG section "Configuring Password Rules," page 114
- NXAG section "Managing Users using the WebUI," page 140
- NXAG section "Managing Users using the CLI," page 142
- NXAG section "Configuring Password Validation Policies," page 150
- EXAG section "Managing Users Accounts," page 60

Based on these findings, this assurance activity is considered satisfied.

Verdict

6.1.15 FMT_MTD.1 Guidance 1

The evaluator shall review the operational guidance to determine that each of the TSF-data-manipulating functions implemented in response to the requirements of this PP is identified, and that configuration information is provided to ensure that only administrators have access to the functions.

Evaluator Findings

The evaluator reviewed the operational guidance to determine that each of the TSF-data-manipulating functions implemented in response to the requirements of this PP is identified, and that configuration information is provided to ensure that only administrators have access to the functions. The AGD document was used as part of this evaluation activity. Upon investigation, the evaluator found that the AGD document addresses the configuration of the following items in response to the requirements of the NDPP:

- Section "Remote Access" - Administrative Access
- Section "Strong Passwords" - I&A Configuration
- Section "LDAP Server Configuration" - I&A Configuration
- Section "Date and Time Settings" - Time Functionality
- Section "Configuring a Secure Syslog Server and Client" - Secure Logging
- Section "Using an Audit Server" - Secure Logging
- Section "Audit Messages" - Secure Logging
- Section "Cryptographic POST" - Cryptographic Support
- Section "Supported Ciphersuites" - Cryptographic Support

These items combined cover all of the functionality described in the NDPP.
Based on these findings, this work unit is considered satisfied.

Verdict

6.1.16 FMT_MTD.1 TSS 1

The evaluator shall examine the TSS to determine that, for each administrative function identified in the operational guidance, those that are accessible through an interface prior to administrator log-in are identified. For each of these functions, the evaluator shall also confirm that the TSS details how the ability to manipulate the TSF data through these interfaces is disallowed for non-administrative users.

Evaluator Findings

The evaluator examined the TSS to determine that, for each administrative function identified in the operational guidance, those that are accessible through an interface prior to administrator log-in are identified. For each of these functions, the evaluator also confirmed that the TSS details how the ability to manipulate the TSF data through these interfaces is disallowed for non-administrative users. The evaluator examined Table 14 of Section 5 as part of this analysis. Upon investigation, the evaluator found that there are no administrative functions available prior to authentication. Based on these findings, this Assurance Activity is considered satisfied.

Verdict

6.1.17 FMT_SMF.1

None. The security management functions for FMT_SMF.1 are distributed throughout the PP and are included as part of the requirements in FMT_MTD, FPT_TST_EXT, and any cryptographic management functions specified in the reference standards. Compliance with these requirements satisfies compliance with FMT_SMF.1.

6.1.18 FMT_SMR.2 Guidance 1

The evaluator shall review the operational guidance to ensure that it contains instructions for administering the TOE both locally and remotely, including any configuration that needs to be performed on the client for remote administration.

Evaluator Findings

The evaluator reviewed the operational guidance to ensure that it contains instructions for administering the TOE both locally and remotely, including any configuration that needs to be performed on the client for remote administration. The AGD, CMSAG, FXSAG, NXSAG, EXSAG, FXTMG, NXTMG, and EXTMG documents were used with the evaluation activity. The evaluator found that instructions for configuring the TOE locally are described in the CMSAG, FXSAG, NXSAG, and EXSAG documents, in the following sections:

- [CMAG] Section titled: Initial CM Series Platform Configuration
- [EXAG] Section titled: Using the Serial Console
- [FXAG] Section titled: Configuring Initial Settings Using the Serial Console Port
- [NXAG] Section titled: Configuring Initial Settings Using the Serial Console Port

The evaluator found that instructions for configuring the TOE remotely are described in the FXTMG, NXTMG, and EXTMG documents, in the following sections:

- [FXTMG] Section titled: Configuring the Appliance Using the Web UI (for administration over HTTPS), Configuring the Appliance Using the CLI (for administration over SSH)
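The two residual-information findings above, the zeroization table under FCS_CKM_EXT.4.1 (keys bound either to a power cycle or to an explicit zeroize command) and the packet handling under FDP_RIP.2.1 (short packets padded with zeros, buffers overwritten before reuse), as one added example that is not FireEye's code and not the evaluated product's implementation. The class and method names (KeyStore, PacketBufferPool, Trigger) are assumptions; the trigger values only mirror the two events named in Table 9, and the command string itself is not reproduced. A Python bytearray stands in for the in-place overwrite because it can be modified where it sits; immutable bytes objects cannot be zeroized, which the helper refuses, and that refusal is the practitioner's caveat the example adds.

```python
"""Residual-information handling modelled on Table 9 (FCS_CKM_EXT.4.1) and the
FDP_RIP.2.1 findings above. Constructed example, not FireEye's code; class and
method names are assumptions. bytearray is used because it can be overwritten in
place; an immutable bytes object cannot be zeroized and must not hold key material."""
from enum import Enum


class Trigger(Enum):
    POWER_CYCLE = "power cycle"             # ephemeral material (DH, session, integrity keys)
    ZEROIZE_COMMAND = "zeroize command"     # long-term private keys, on the explicit command


def zeroize(buf: bytearray) -> None:
    """Overwrite a buffer in place with zeros, the procedure Table 9 describes."""
    if not isinstance(buf, bytearray):
        raise TypeError("only mutable buffers can be zeroized; bytes objects leave copies behind")
    buf[:] = bytes(len(buf))


def is_zeroized(buf) -> bool:
    """True when every byte of the buffer is zero."""
    return not any(buf)


class KeyStore:
    """Keys registered together with the event that zeroizes them, mirroring Table 9."""

    def __init__(self):
        self._keys = {}                     # name -> (bytearray, Trigger)

    def add(self, name: str, material: bytes, trigger: Trigger) -> None:
        self._keys[name] = (bytearray(material), trigger)   # copy into mutable storage

    def get(self, name: str) -> bytearray:
        return self._keys[name][0]

    def on(self, trigger: Trigger):
        """Zeroize every key bound to this trigger; returns the names that were zeroized."""
        touched = []
        for name, (buf, bound_to) in self._keys.items():
            if bound_to is trigger:
                zeroize(buf)
                touched.append(name)
        return touched


class PacketBufferPool:
    """Fixed-size frame buffers: a payload shorter than the frame is followed by zero
    padding, and a buffer is overwritten with zeros on release, before it can be reused."""

    def __init__(self, size: int = 64, count: int = 2):
        self.size = size
        self._free = [bytearray(size) for _ in range(count)]

    def prepare(self, payload: bytes) -> bytearray:
        if len(payload) > self.size:
            raise ValueError("payload exceeds buffer size")
        buf = self._free.pop()
        if not is_zeroized(buf):            # invariant: nothing from a previous packet survives
            raise RuntimeError("buffer handed out with residual data")
        buf[:len(payload)] = payload        # bytes past the payload stay zero: padding, not residue
        return buf

    def release(self, buf: bytearray) -> None:
        zeroize(buf)                        # overwrite before the buffer goes back to the pool
        self._free.append(buf)


def table9_demo() -> KeyStore:
    """A key store populated with constructed (non-secret) material in the Table 9 categories."""
    ks = KeyStore()
    ks.add("DH private", b"\x11" * 32, Trigger.POWER_CYCLE)
    ks.add("SSH session", b"\x22" * 32, Trigger.POWER_CYCLE)
    ks.add("SSH private", b"\x33" * 32, Trigger.ZEROIZE_COMMAND)
    ks.add("TLS private", b"\x44" * 32, Trigger.ZEROIZE_COMMAND)
    return ks


if __name__ == "__main__":
    ks = table9_demo()
    print("zeroized at power cycle:", ks.on(Trigger.POWER_CYCLE))
    print("zeroized on command:", ks.on(Trigger.ZEROIZE_COMMAND))
    pool = PacketBufferPool(size=16, count=1)
    frame = pool.prepare(b"short packet")
    print("padded frame:", bytes(frame))
    pool.release(frame)
    print("after release:", bytes(frame))
```

The check in prepare() is what turns the FDP_RIP.2.1 wording into something testable: if any path releases a buffer without zeroizing it, the next allocation fails loudly instead of silently shipping the previous packet's bytes as padding.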
More informationChapter 7 Transport-Level Security
Cryptography and Network Security Chapter 7 Transport-Level Security Lectured by Nguyễn Đức Thái Outline Web Security Issues Security Socket Layer (SSL) Transport Layer Security (TLS) HTTPS Secure Shell
More informationCriteria for web application security check. Version 2015.1
Criteria for web application security check Version 2015.1 i Content Introduction... iii ISC- P- 001 ISC- P- 001.1 ISC- P- 001.2 ISC- P- 001.3 ISC- P- 001.4 ISC- P- 001.5 ISC- P- 001.6 ISC- P- 001.7 ISC-
More informationINTEGRATION GUIDE. DIGIPASS Authentication for Cisco ASA 5505
INTEGRATION GUIDE DIGIPASS Authentication for Cisco ASA 5505 Disclaimer DIGIPASS Authentication for Cisco ASA5505 Disclaimer of Warranties and Limitation of Liabilities All information contained in this
More informationNational Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme Validation Report
National Information Assurance Partnership TM Common Criteria Evaluation and Validation Scheme Validation Report Cisco Intrusion Detection System Sensor Appliance IDS-4200 series Version 4.1(3) Report
More informationCrashPlan Security SECURITY CONTEXT TECHNOLOGY
TECHNICAL SPECIFICATIONS CrashPlan Security CrashPlan is a continuous, multi-destination solution engineered to back up mission-critical data whenever and wherever it is created. Because mobile laptops
More informationJMCS Northern Light Video Conferencing System Security Target
JMCS Northern Light Video Conferencing System Security Target Common Criteria: EAL2 Version 1.2 22 FEB 12 Document management Document identification Document ID Document title Product version NLVC_ST_EAL2
More informationProtection Profile for Email Clients
Protection Profile for Email Clients 1 April 2014 Version 1.0 Page 1 of 69 1 Introduction... 4 1.1 Overview of the TOE... 4 1.2 Usage of the TOE... 4 2 SECURITY PROBLEM DESCRIPTION... 6 2.1 Threats...
More informationACS 5.x and later: Integration with Microsoft Active Directory Configuration Example
ACS 5.x and later: Integration with Microsoft Active Directory Configuration Example Document ID: 113571 Contents Introduction Prerequisites Requirements Components Used Conventions Background Information
More informationEMC Corporation Data Domain Operating System Version 5.2.1.0. Security Target. Evaluation Assurance Level (EAL): EAL2+ Document Version: 0.
EMC Corporation Data Domain Operating System Version 5.2.1.0 Security Target Evaluation Assurance Level (EAL): EAL2+ Document Version: 0.11 Prepared for: Prepared by: EMC Corporation 176 South Street Hopkinton,
More informationSecurity Target. Security Target SQL Server 2008 Team. Author: Roger French Version: 1.04 Date: 2011-09-26
SQL Server 2008 Team Author: Roger French Version: 1.04 Date: 2011-09-26 Abstract This document is the (ST) for the Common Criteria certification of the database engine of Microsoft SQL Server 2008 R2.
More informationFIPS 140 2 Non Proprietary Security Policy: Kingston Technology DataTraveler DT4000 Series USB Flash Drive
FIPS 140 2 Non Proprietary Security Policy Kingston Technology Company, Inc. DataTraveler DT4000 G2 Series USB Flash Drive Document Version 1.8 December 3, 2014 Document Version 1.8 Kingston Technology
More informationLow Assurance Security Target for a Cisco VoIP Telephony System
Low Assurance Security Target for a Cisco VoIP Telephony System Security Target Version 1.6 March 14, 2005 Document Control Preparation Action Name Date Prepared by: Rob Hunter of TNO-ITSEF BV on behalf
More informationSecurity Configuration Guide P/N 300-010-493 Rev A05
EMC VPLEX Security Configuration Guide P/N 300-010-493 Rev A05 June 7, 2011 This guide provides an overview of VPLEX security configuration settings, including secure deployment and usage settings needed
More informationMcAfee Firewall Enterprise v7.0.1.02 Security Target
McAfee Firewall Enterprise v7.0.1.02 Security Target 8 Nov 2010 Version 1.3 Prepared By: Primasec Ltd For McAfee Inc 2340 Energy Park Drive St. Paul, MN 55108 USA McAfee Inc. Page 1 of 60 Contents 1 Introduction...
More informationHow To Protect Your Network From Attack From Outside From Inside And Outside
IT 4823 Information Security Administration Firewalls and Intrusion Prevention October 7 Notice: This session is being recorded. Lecture slides prepared by Dr Lawrie Brown for Computer Security: Principles
More informationConsiderations In Developing Firewall Selection Criteria. Adeptech Systems, Inc.
Considerations In Developing Firewall Selection Criteria Adeptech Systems, Inc. Table of Contents Introduction... 1 Firewall s Function...1 Firewall Selection Considerations... 1 Firewall Types... 2 Packet
More informationExecutive Summary and Purpose
ver,1.0 Hardening and Securing Opengear Devices Copyright Opengear Inc. 2013. All Rights Reserved. Information in this document is subject to change without notice and does not represent a commitment on
More informationvcloud Director User's Guide
vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of
More informationAcano solution. Security Considerations. August 2015 76-1026-01-E
Acano solution Security Considerations August 2015 76-1026-01-E Contents Contents 1 Introduction... 3 2 Acano Secure Development Lifecycle... 3 3 Acano Security Points... 4 Acano solution: Security Consideration
More informationSENSE Security overview 2014
SENSE Security overview 2014 Abstract... 3 Overview... 4 Installation... 6 Device Control... 7 Enrolment Process... 8 Authentication... 9 Network Protection... 12 Local Storage... 13 Conclusion... 15 2
More informationLocking down a Hitachi ID Suite server
Locking down a Hitachi ID Suite server 2016 Hitachi ID Systems, Inc. All rights reserved. Organizations deploying Hitachi ID Identity and Access Management Suite need to understand how to secure its runtime
More informationData Sheet. NCP Secure Enterprise Management. Next Generation Network Access Technology
Centrally Managed VPN Fully Automatic Operation of a Remote Access VPN via a Single Console Enables easy rollout and operation of secure remote access infrastructures Central creation of client configuration
More informationFISMA / NIST 800-53 REVISION 3 COMPLIANCE
Mandated by the Federal Information Security Management Act (FISMA) of 2002, the National Institute of Standards and Technology (NIST) created special publication 800-53 to provide guidelines on security
More informationMcAfee Email Gateway Appliance Version 7.0.1 NDPP Compliance Security Target
McAfee Email Gateway Appliance Version 7.0.1 NDPP Compliance Release Date: 8 August 2013 Version: 2.3 Prepared By: Primasec Ltd. Prepared For: McAfee Inc. 2821 Mission College Blvd. Santa Clara, CA 95054
More informationChapter 8 Lab B: Configuring a Remote Access VPN Server and Client
Chapter 8 Lab B: Configuring a Remote Access VPN Server and Client Topology Note: ISR G2 devices have Gigabit Ethernet interfaces instead of FastEthernet Interfaces. All contents are Copyright 1992 2012
More informationIntroduction to Endpoint Security
Chapter Introduction to Endpoint Security 1 This chapter provides an overview of Endpoint Security features and concepts. Planning security policies is covered based on enterprise requirements and user
More informationCisco AnyConnect Secure Mobility Client VPN User Messages, Release 3.1
Cisco AnyConnect Secure Mobility Client VPN User Messages, Release 3.1 October 15, 2012 The following user messages appear on the AnyConnect client GUI. A description follows each message, along with recommended
More informationSymantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2
Symantec Corporation Symantec Enterprise Vault Cryptographic Module Software Version: 1.0.0.2 FIPS 140 2 Non Proprietary Security Policy FIPS Security Level: 1 Document Version: 1.1 Prepared for: Prepared
More informationS E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s
S E C U R I T Y A S S E S S M E N T : B o m g a r A p p l i a n c e s During the period between November 2012 and March 2013, Symantec Consulting Services partnered with Bomgar to assess the security
More informationFortiOS Handbook - Hardening your FortiGate VERSION 5.2.3
FortiOS Handbook - Hardening your FortiGate VERSION 5.2.3 FORTINET DOCUMENT LIBRARY http://docs.fortinet.com FORTINET VIDEO GUIDE http://video.fortinet.com FORTINET BLOG https://blog.fortinet.com CUSTOMER
More informationSNAPcell Security Policy Document Version 1.7. Snapshield
SNAPcell Security Policy Document Version 1.7 Snapshield July 12, 2005 Copyright Snapshield 2005. May be reproduced only in its original entirety [without revision]. TABLE OF CONTENTS 1. MODULE OVERVIEW...3
More informationSecurity Target for Cisco Remote Access VPN
Security Target for Cisco Remote Access VPN Reference: ST 16 May 2007 Version 1.17 CISCO Systems Inc. 170 West Tasman Drive San Jose CA 95124-1706 USA Copyright: 2007 Cisco Systems, Inc. Table of Contents
More information