McAfee Advanced Threat Defense 4


McAfee Advanced Threat Defense 4.12
Configuration Guide for Common Criteria Evaluation

COPYRIGHT

Copyright 2020 McAfee, LLC

TRADEMARK ATTRIBUTIONS

McAfee and the McAfee logo, McAfee Active Protection, ePolicy Orchestrator, McAfee ePO, McAfee EMM, Foundstone, McAfee LiveSafe, McAfee QuickClean, Safe Eyes, McAfee SECURE, SecureOS, McAfee Advanced Threat Defense, AMAS, McAfee Shredder, SiteAdvisor, McAfee Stinger, True Key, TrustedSource, VirusScan are trademarks or registered trademarks of McAfee, LLC or its subsidiaries in the US and other countries. Other marks and brands may be claimed as the property of others.

LICENSE INFORMATION

License Agreement

NOTICE TO ALL USERS: CAREFULLY READ THE APPROPRIATE LEGAL AGREEMENT CORRESPONDING TO THE LICENSE YOU PURCHASED, WHICH SETS FORTH THE GENERAL TERMS AND CONDITIONS FOR THE USE OF THE LICENSED SOFTWARE. IF YOU DO NOT KNOW WHICH TYPE OF LICENSE YOU HAVE ACQUIRED, PLEASE CONSULT THE SALES AND OTHER RELATED LICENSE GRANT OR PURCHASE ORDER DOCUMENTS THAT ACCOMPANY YOUR SOFTWARE PACKAGING OR THAT YOU HAVE RECEIVED SEPARATELY AS PART OF THE PURCHASE (AS A BOOKLET, A FILE ON THE PRODUCT CD, OR A FILE AVAILABLE ON THE WEBSITE FROM WHICH YOU DOWNLOADED THE SOFTWARE PACKAGE). IF YOU DO NOT AGREE TO ALL OF THE TERMS SET FORTH IN THE AGREEMENT, DO NOT INSTALL THE SOFTWARE. IF APPLICABLE, YOU MAY RETURN THE PRODUCT TO MCAFEE OR THE PLACE OF PURCHASE FOR A FULL REFUND.

Table of Contents

1. Introduction
1.1 Evaluated Products
1.2 Acronyms
2. Evaluated Capabilities
3. MATD Configuration
3.1 Accessing ATD
3.2 User Management
3.3 Date and Time Management
3.4 DNS Settings
4. Security Configuration
4.1 Uploading CA certificate to trusted CA bundle
4.2 Uploading Web Server Certificate
4.3 Configuring Syslog Server
4.4 Certificate validation
4.5 Enabling Common Criteria Mode
4.6 Certificate Signing Request
4.7 Reference Identifier
4.8 Supported Ciphers
4.9 Audit Logs
4.10 Audit Server Configuration
4.11 Login Banner
4.12 Password Recommendations
4.13 User Account Lockout
4.14 Self-Test
4.15 Recover TLS Session
4.16 Secure Software Update
Appendix A – MATD Audit Event Logs
5. Audit Logs
5.1 User login and logout from UI
5.2 Dashboard Page
5.3 Analysis Page
5.3.1 Analysis Status
5.3.2 Analysis Reports
5.4 Policy Page
5.4.1 VM Profile
5.4.2 Analyzer Profile
5.5 Manage Page
5.5.1 MATD Users
5.5.2 Date & Time
5.5.3 DNS
5.5.4 ePO Login & DXL
5.5.5 Global Settings
5.5.6 LDAP
5.5.7 Licensing
5.5.8 Proxy
5.5.9 SNMP
5.5.10 Syslog
5.5.11 TAXII
5.5.12 Telemetry
5.5.13 Backup & Restore
5.5.13.1 Backup
5.5.13.2 Restore
5.5.14 Email Connector
5.5.14.1 Configuration
5.5.14.2 Filtering Rules
5.5.15 Global Whitelist
5.5.16 Image & Software
5.5.16.1 Content Update
5.5.16.2 Image
5.5.16.3 Software
5.5.17 Maintenance
5.5.17.1 Database Pruning
5.5.18 Security
5.5.18.1 Advanced Security Settings
5.5.18.2 CSR Generation
5.5.18.3 Manage Certificates
5.5.19 Troubleshooting
5.5.20 Others
5.5.21 Certificate Validation related audit logs
5.5.22 CLI Commands

1. Introduction

This guide includes procedures for configuring Common Criteria on McAfee Advanced Threat Defense (MATD) version 4.12 running on models ATD-3100 and ATD-6100.

1.1 Evaluated Products

The evaluated product is McAfee Advanced Threat Defense (MATD).

MATD is an on-premise appliance that facilitates detection and prevention of malware. MATD provides protection from known, near-zero-day, and zero-day malware without compromising the quality of service to your network users.

MATD has the added advantage of being an integrated solution. In addition to its own multi-level threat detection capabilities, its ability to seamlessly integrate with other McAfee security products protects your network against malware and other Advanced Persistent Threats (APTs).

Any software capable of being involved in hostile activities with respect to a computer, application, or network can be termed malware. MATD is designed for detecting file-based malware.

The software identification for the evaluated product is as follows: McAfee Advanced Threat Defense 4.12.0.

1.2 Acronyms

AMAS - Advanced Malware Analysis System
APT - Advanced Persistent Threat
MATD - McAfee Advanced Threat Defense

2. Evaluated Capabilities

The Common Criteria configuration adds support for many security capabilities. Some of those capabilities include the following:

- Protected Audit Data
- Remote Administration
- Session Management

3. MATD Configuration

This section guides the admin user through configuring the different features and functionalities of MATD.

3.1 Accessing ATD

Before accessing the MATD CLI or UI, the admin needs to configure the IP address, network mask and default gateway. Use the following commands to assign or modify the IP network parameters:

set appliance ip <IP address> <netmask>
set appliance gateway <gateway>
set appliance name <hostname>

To access the MATD UI, type https://<IP address of MATD> in the browser.

To access the MATD CLI:

A. Connect a serial console to the MATD appliance and configure HyperTerminal with the following settings:
   Baud rate - 9600
   Number of Bits - 8
   Parity - None
   Stop Bits - 1
   Control Flow - None
B. The user can SSH to MATD on port 2222 using an SSH client. In Common Criteria mode of operation, SSH on port 2222 is disabled.

Use the following credentials to log in with administrative privilege:

A. For the UI console, use the default credentials username: admin and password: admin.
B. For the CLI console, use the default credentials username: cliadmin and password: atdadmin.

To log out of the current session:

A. For the UI console, click the "Log Out" button in the upper left corner to terminate the current UI session.
B. For the CLI console, use the "exit" command to terminate the current CLI session.

3.2 User Management

MATD allows the admin user to create new users or modify existing ones.

To create new users, follow these steps:

A. Log on to the Advanced Threat Defense web interface.
B. Click Manage → ATD Configuration → ATD Users, then click New.
C. Configure at least all mandatory fields (marked with *) to create a user successfully.
D. Configure the user options, then click Save.

To change a user's password or other user properties, follow these steps:

A. Log on to the Advanced Threat Defense web interface.
B. Click Manage → ATD Configuration → ATD Users, then select the user and click the Edit button.
C. Change the user properties or password, then click Save.

3.3 Date and Time Management

Configure the date and time.

MATD uses the date and time that you configure for all its functional and display purposes. The date and time are displayed on the MATD web interface, reports, log files, and CLI.

You can either manually specify the date and time or configure Network Time Protocol (NTP) servers as the time source for MATD. The supported NTP version is 4.2.6p5. If you specify NTP servers, you can configure up to 3 NTP servers. MATD acts as an NTP client and synchronizes with the highest-priority NTP server that is available. The NTP implementation does not accept broadcast or multicast NTP packets (no configuration is required to attain this).

By default, synchronization with NTP servers is enabled in MATD, with pool.ntp.org as the default NTP server. The default time zone is Pacific Standard Time (UTC-8).

Follow the steps below to configure or change the date and time settings.

Using NTP:

A. Log on to the Advanced Threat Defense web interface.
B. Click Manage → ATD Configuration → Date & Time.
C. Configure or modify the Date and Time Settings, then click Submit.

Using secure NTP:

A. Log on to the Advanced Threat Defense web interface.
B. Click Manage → ATD Configuration → Date & Time.
C. Enable the Secure checkbox corresponding to the NTP server you wish to use with secure NTP.
D. Provide the NTP server IP/hostname.
E. Select the authentication Key ID (of the secure NTP server) and select the authentication key type. Note: the MD5 key type is disabled in FIPS mode.
F. Enter the corresponding authentication key in the Authentication Key field and click the Submit button.

G. Click Yes and OK to the pop-up messages respectively.
H. The status should be green if secure NTP is configured properly; otherwise the status is shown in red. If this is the case, recheck the authentication details and connectivity with the secure NTP server.

Successful configuration: [screenshot]

Failure in configuring: [screenshot]

Using manual setting:

A. Log on to the Advanced Threat Defense web interface.
B. Click Manage → ATD Configuration → Date & Time.
C. Disable NTP by deselecting "Enable Network Time Protocol".
D. Set the date and time under the "Date and Time Setting" section.
E. Submit the changes.

The time zone can be set to the desired one under the "Time Zone Settings" section; this applies to both methods.

3.4 DNS Settings

To configure the DNS server, follow these steps:

A. Log on to the McAfee Advanced Threat Defense web interface.
B. Click Manage → ATD Configuration → DNS.
C. In DNS Setting, complete these settings, then click Apply.
   I. Domain - Type your domain name.
   II. Preferred DNS Server - Type the IP address of the primary DNS server.
   III. Alternate DNS Server - Type the IP address of the secondary DNS server.
D. In Malware DNS Setting, type the IP address of the DNS server to use for malware analysis in the sandbox environment, then click Apply.

4. Security Configuration

The admin can configure multiple security settings and enforce Common Criteria mode on MATD. The following sections describe how to configure these settings.

4.1 Uploading CA certificate to trusted CA bundle

MATD validates the web server and syslog server certificate chains, and validation passes only if the root CA is trusted by MATD. MATD maintains a trusted CA bundle for this purpose, and the admin can add a new root CA before using the end server certificate.

To upload certificates to the Trusted CA bundle:

A. Log in to the MATD UI.
B. Go to the Manage tab.
C. Click the Security drop-down on the left of the page.
D. Click Manage Certificates.
E. On this page, the admin can upload trusted CA certificates in the Trusted CA Certificate field. Make sure to upload the root CA certificate before uploading any sub-CA certificate. Upload CA certificates individually rather than as chain certificates.

4.2 Uploading Web Server Certificate

MATD runs a secure web server for interaction with users and other integrated McAfee products. The admin can upload custom certificates to be used by the MATD web server.

Follow these steps to upload a web server certificate to MATD:

A. Upload the root CA and sub-CA (if any) of the web server certificate to the Trusted CA bundle as mentioned in Section 4.4 "Certificate validation".
B. Navigate to MATD UI, Manage → Security → Manage Certificates → Web Certificate Upload.
C. Click the Browse button and select the web server certificate to be uploaded. Make sure the certificate is in PEM format and has the private key appended.

The uploaded web server certificate is validated against all criteria listed in Section 4.4 under "All certificates will be validated for the following checks:".

D. On successful validation of the web server certificate, the MATD web service restarts to make use of the new certificate.

In case of any certificate validation failure, a pop-up message is displayed showing the failure reason. The admin is given the opportunity to accept the risk and continue uploading the web server certificate, as shown below.

There are some mandatory checks for which certificates are rejected without giving any option to the admin user.

4.3 Configuring Syslog Server

MATD can be configured to send syslog events/audits/logs to a remote syslog server for monitoring purposes. MATD supports syslog messages over UDP, TCP and TCP with TLS. For CC mode of operation, syslog must use the "TCP/TLS Encryption" protocol only.

Steps to configure the remote syslog server settings:

A. Navigate to the Manage → ATD Configuration → Syslog tab.
B. Select "Enable Logging" and configure a valid IP address/hostname, the protocol as TCP/TLS Encryption and the port number (default is 6514) as shown below.
C. "Validate Syslog Server Certificate" must be checked for CC mode of operation. This enables MATD to validate the syslog server certificate presented at the time of connection establishment.

Make sure the root CA of the syslog server certificate is uploaded to the Trusted CA bundle of MATD, otherwise trust establishment fails. Refer to section 4.2 "Uploading CA certificate to trusted CA bundle" for more details.

D. Using the "Test Connection" button, the admin can check reachability of the syslog server. If the connection test is successful, a Success pop-up message is shown.
E. Check the "Audit Log" checkbox; this is a mandatory step for enabling the audit function for Common Criteria mode of operation. By default, this setting is enabled.
F. Click the "Submit" button.
G. In case of syslog server certificate validation failure, MATD displays a pop-up message providing the details of the validation failures/errors, as in the example below.

There are some mandatory checks for which certificates are rejected without giving any option to the admin user.

4.4 Certificate validation

All certificates will be validated for the following checks:

A. Expiry date and time.
B. CA flag, if not an end certificate.
C. Certificate key size should be greater than or equal to 2048.
D. Certificate signature methods: sha256, sha384, sha512.
E. The certificate's presented identifier (hostname/IP) should match an entry in the SAN or, if no match is found in the SAN, the CN (refer to section 4.7 "Reference Identifier" for further details).
F. Wildcard validation of the SAN or CN field for the presented identifier: the wildcard should be in the left-most domain level and there should not be more than one wildcard in any of the entries.
G. Certificate chain validation. The root CA must be trusted by MATD.
H. Certificate revocation check using CRL. An Authority Information Access (AIA) URL is required for checking the revocation status; MATD accepts only HTTP URLs in the AIA.
I. X509v3 Extended Key Usage for purposes such as server authentication, client authentication and certificate signing.

Certificate validation criteria in detail:

Syslog certificate:

The following are mandatory criteria, failing which the user must rectify them and upload a valid certificate:

- The syslog server certificate's root certificate must be uploaded in the trusted CA bundle of the ATD which uses the syslog server.
- The private key of the syslog server certificate must be configured along with the certificate.

- None of the certificates in the chain of the web certificate, including itself, should have expired.
- The Extended Key Usage extension should have the 'Server Authentication' purpose.
- The public key size should not be less than 2048 bits.
- Supported signature algorithms: sha256, sha384 and sha512.
- Certificate chain validation should pass for the certificate.
- The certificate should not be corrupted.
- If an OCSP URI is present and reachable:
  - Extended Key Usage should have the 'OCSP Signing' purpose.
  - The certificate should not be revoked.
- When the OCSP URI is absent:
  - The certificate should not be revoked.
  - A CRL URI must be present in the certificate and should be reachable.
- Hostname validation and wildcard checks:
  - In case the Subject Alternative Name (SAN) field is present in the certificate:
    - The presented hostname should match the Subject Alternative Name (SAN) field.
    - A wildcard, if present in any SAN entry, must be present only in the leftmost domain level.
    - More than one wildcard must not be present in any entry of the Subject Alternative Name (SAN) field.
  - When the SAN field is absent:
    - The presented hostname should match the Common Name (CN) field.
    - A wildcard, if present in the CN field, must be present only in the leftmost domain level.
    - More than one wildcard must not be present in the Common Name (CN) field.

Please note that in the case of the syslog server, since a user must upload a valid certificate to proceed with the configuration, if/when the certificate becomes invalid after upload, the connection between the ATD and the syslog server is disconnected and the user is informed of this via the audit logs and security logs in ATD.

Web certificate:

The following are mandatory criteria, failing which the user must rectify them and upload a valid certificate:

- The web server certificate's root certificate must be uploaded in the trusted CA bundle of the ATD which uses the syslog server.
- The private key must be appended to the certificate.
- The certificate should not be corrupted.

The following certificate failures are communicated to the user, who can then choose to accept the failures in the certificate and proceed using it, or rectify them and upload a valid certificate:

- Any of the certificates in the chain of the web certificate, including itself, has expired.
- The Extended Key Usage extension does not have the 'Server Authentication' purpose.
- Public key size less than 2048 bits.
- Signature algorithms other than sha256, sha384, sha512 used.
- Certificate chain validation failure when the parent URL of the certificates in the chain is not reachable.
- If an OCSP URI is present and reachable:
  - Extended Key Usage does not have the 'OCSP Signing' purpose.
  - The certificate has been revoked.
- When the OCSP URI is absent:
  - The certificate has been revoked.
  - The CRL URI is not found in the certificate, or other certificate validation issues are reported by openssl verify -crl_check.
- Hostname validation and wildcard checks:
  - In case the Subject Alternative Name (SAN) field is present in the certificate:
    - The presented hostname does not match the Subject Alternative Name (SAN) field.
    - A wildcard is present in a domain level other than the leftmost of a SAN entry.
    - More than one wildcard is present in an entry of the Subject Alternative Name (SAN) field.
  - When the SAN field is absent:
    - The presented hostname does not match the Common Name (CN) field.

    - A wildcard is present in a domain level other than the leftmost of the CN field.
    - More than one wildcard is present in the Common Name (CN) field.

Trusted CA certificate:

The following are mandatory criteria, failing which the user must rectify them and upload a valid certificate:

- The root certificate of the certificate chain must be uploaded as a trusted CA certificate before uploading any of the intermediate certificates as trusted CA certificates.
- The Basic Constraints extension is present.
- The CA flag must be set to true.
- The trusted CA certificates must be uploaded one at a time.
- The certificate should not be corrupted.

The following certificate failures are communicated to the user, who can then choose to accept the failures in the certificate and proceed using it, or rectify them and upload a valid certificate:

- Any of the certificates in the chain of the trusted certificate, including itself, has expired.
- Certificate chain validation failure when the parent URL of the uploaded certificate is not reachable.
- Public key size less than 2048 bits.
- Signature algorithms other than sha256, sha384, sha512 used.
- If an OCSP URI is present and reachable:
  - Extended Key Usage does not have the 'OCSP Signing' purpose.
  - The certificate has been revoked.
- When the OCSP URI is absent:
  - The certificate has been revoked.
  - The CRL URI is not found in the certificate, or other certificate validation issues are reported by openssl verify -crl_check.

4.5 Enabling Common Criteria Mode

MATD supports a Common Criteria mode of operation. The admin can enable or disable Common Criteria mode by changing the configuration.

Please note that on enabling Common Criteria mode, port 2222, which is used for SSH to MATD, is disabled automatically.

Steps to Enable Common Criteria Mode:

A. Enable remote logging with the syslog server configured to use the "TCP/TLS Encryption" protocol, enable "Validate Syslog Server Certificate" and enable "Audit Log". For more details, see section 4.3 "Configuring Syslog Server".
B. Upload a valid web server certificate to MATD. See section 4.2 "Uploading Web Server Certificate" for more details.
C. Navigate to Manage → Security → Advanced Security Settings.
D. Check the "Common Criteria Mode" checkbox; the MATD system then checks Common Criteria eligibility.

E. If not eligible, a failure pop-up message box shows the failure reason(s). The admin user can either accept the risk and continue with the certificates that have not met the requirements, or click the Cancel button to stop the process.

Below is one such example of the pop-up message: [screenshot]

F. Click the "Save" button.

4.6 Certificate Signing Request

Generating a Certificate Signing Request:

Advanced Threat Defense allows you to generate a certificate signing request (CSR) from the web interface.

To generate a CSR, you need to enter your organization details and the key size. You can then generate your CSR, export it, and submit it to a certificate signing authority to get it signed.

Steps for CSR generation:

A. Log on to the Advanced Threat Defense web interface.
B. Click Manage → Security → CSR Generation.
C. Fill in the CSR Generation fields with your organization details.
   a. Common Name [CN] – Enter the domain name of your organization.
   b. Organization Name [O] – Enter your organization name.
   c. Organization Unit [OU] – Enter the organization unit that is ordering the certificate.
   d. City/Town [L], State/Province [ST], Country [C] – Enter the address of your organization.
   e. Email Id [ea] – Enter the email address to contact your organization.
   f. Hash Function – Select a hash function for your certificate.
   g. Key Size (in bits) – Select a key size for your certificate in bits.

D. Click Generate to generate your CSR. Your CSR is now listed in the Certificate Signing Request Message section. You can use the icon in the Action column to Export or Remove your CSR. Once the certificate is signed, you can upload it as the Web Certificate from the Manage Certificates page.

4.7 Reference Identifier

MATD validates the presented hostname, IP address and FQDN as the reference identifier for syslog and web server certificates.

In the case of syslog, MATD takes the IP address or FQDN configured in the "IP Address/Hostname" field available on the Manage → ATD Configuration → Syslog page.

In the case of the web certificate, MATD uses the IP address or the hostname/FQDN set for the device as the reference identifier. First, the configured IP address is tried for a match in the SAN/CN field of the certificate, and then the hostname/FQDN.

The comparison of the hostname is made against the entries in the Subject Alternative Name (SAN) field of the respective server certificate, and if no match is found, a match is looked for in the CN field of the certificate. Also, if the SAN field is absent, the match is made against the CN.
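The matching order and wildcard rules described in sections 4.4 and 4.7 (SAN entries first, CN only when the SAN gives no match or is absent; a single wildcard, only as the left-most label) as an added Python example; this is not McAfee's code, and the certificate names, the IP address and the literal-only comparison of IP-address identifiers are assumptions.

```python
import ipaddress
from typing import Iterable, List, Optional


def entry_is_well_formed(entry: str) -> bool:
    """Wildcard rules from the guide: at most one '*' in an entry, and it may
    appear only as the whole left-most domain label (e.g. '*.atd.example.net')."""
    if entry.count("*") > 1:
        return False
    if "*" in entry:
        labels = entry.split(".")
        if labels[0] != "*" or len(labels) < 2:
            return False
    return True


def entry_matches(entry: str, presented: str) -> bool:
    """Compare one SAN or CN entry against the presented reference identifier."""
    if not entry_is_well_formed(entry):
        return False  # an entry that breaks the wildcard rules never matches
    entry = entry.lower().rstrip(".")
    presented = presented.lower().rstrip(".")
    try:
        presented_ip = ipaddress.ip_address(presented)
    except ValueError:
        presented_ip = None
    if presented_ip is not None:
        # Assumption: an IP-address identifier must equal the entry literally;
        # wildcards are a DNS-name concept and are not applied to addresses.
        try:
            return ipaddress.ip_address(entry) == presented_ip
        except ValueError:
            return False
    if entry.startswith("*."):
        suffix = entry[1:]  # '.atd.example.net'
        head = presented[: -len(suffix)] if presented.endswith(suffix) else None
        # The wildcard stands for exactly one non-empty label, so a name with
        # an extra label in front ('deep.atd01.atd.example.net') does not match.
        return bool(head) and "." not in head
    return entry == presented


def reference_identifier_match(reference_ids: Iterable[str],
                               san: Optional[List[str]],
                               cn: Optional[str]) -> Optional[str]:
    """Return the first reference identifier the certificate names, else None.
    Per section 4.7 each identifier is tried against the SAN entries first and
    against the CN only when the SAN yields no match or is absent."""
    for ident in reference_ids:
        if san and any(entry_matches(e, ident) for e in san):
            return ident
        if cn and entry_matches(cn, ident):
            return ident
    return None


def check_web_certificate(configured_ip: str, fqdn: str,
                          san: Optional[List[str]],
                          cn: Optional[str]) -> Optional[str]:
    """Web-server order from section 4.7: configured IP first, then hostname/FQDN."""
    return reference_identifier_match([configured_ip, fqdn], san, cn)


# Constructed sample certificate names, not taken from the guide.
SAMPLE_SAN = ["*.atd.example.net", "192.0.2.10"]
SAMPLE_CN = "atd01.atd.example.net"

if __name__ == "__main__":
    print(check_web_certificate("192.0.2.10", "atd01.atd.example.net", SAMPLE_SAN, SAMPLE_CN))
    print(check_web_certificate("198.51.100.7", "atd01.atd.example.net", SAMPLE_SAN, SAMPLE_CN))
    # Syslog case: the configured "IP Address/Hostname" value is the only identifier.
    print(reference_identifier_match(["syslog.example.net"], None, "syslog.example.net"))
```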

Note that although IP addresses can be used for identity verification in certificates, it is recommended that FQDNs be used for stronger security.

4.8 Supported Ciphers

MATD supports the following list of ciphers when Common Criteria mode is enabled.

For the nginx (web) server, port 443:

- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256

For syslog communication:

- TLS_DHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_DHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_RSA_AES_128_GCM_SHA256
- TLS_RSA_AES_256_GCM_SHA384

4.9 Audit Logs

See the complete list of audit logs/events in Appendix A.

The audit logs corresponding to the events are simultaneously sent to the external syslog server and the local store.

MATD rotates local audit log file r
