Transcription
FireEye NX Series Appliances v9.0Common Criteria Security TargetVersion 1.1Prepared by:Acumen Security2400 Research BlvdRockville MD 208501
Table Of Contents1Security Target Introduction . 51.1 Security Target and TOE Reference . 51.2 TOE Overview. 51.2.1 TOE Product Type . 51.3 TOE Description . 51.4 TOE Evaluated Configuration . 61.5 TOE Architecture . 71.5.1 Physical Boundaries . 71.5.2 Logical Scope of the TOE . 71.5.3 TOE Documentation . 92Conformance Claims . 102.1 CC Conformance . 102.2 Protection Profile Conformance . 102.3 Conformance Rationale . 102.3.1 Technical Decisions . 103Security Problem Definition . 123.1 Threats . 123.2 Assumptions. 133.3 Organizational Security Policies . 144Security Objectives. 164.1 Security Objectives for the Operational Environment. 165Security Requirements . 185.1 Conventions . 195.2 Security Functional requirements. 195.2.1 Security Audit (FAU) . 195.2.2 Cryptographic Support (FCS) . 215.2.3 Identification and Authentication (FIA) . 275.2.4 Security Management (FMT) . 295.2.5 Protection of the TSF (FPT) . 305.2.6 TOE Access (FTA) . 315.2.7 Trusted path/channels (FTP) . 325.3 Dependency Rationale for SFRs . 325.4 Security Assurance Requirements . 322
5.5 Assurance Measures . 336TOE Summary Specification . 346.1 Key Storage and Zeroization . 4473Terms and Definitions . 45
Revision HistoryVersion1.01.14DateApril 2021May 2021DescriptionInitial ReleaseUpdated to address ECR comments
1 Security Target Introduction1.1 Security Target and TOE ReferenceThis section provides information needed to identify and control this ST and its TOE.CategoryST TitleST AuthorST VersionTOE IdentifierTOE HardwareTOE SoftwareTOE DeveloperKey WordsIdentifierFireEye NX Series Appliances v9.0 Common Criteria Security TargetAcumen Security, LLC1.1FireEye NX Series Appliances v9.0Physical appliances: NX1500, NX2500, NX2550, NX3500, NX4500, NX5500, NX6500Virtual appliances: NX1500V, NX2500V, NX2550V, NX4500V, NX6500VPhysical and virtual appliance software: 9.0FireEye, Inc.Network Device, Security ApplianceTable 1 TOE/ST Identification1.2 TOE OverviewFireEye Network Security is an effective cyber threat protection solution that helps organizationsminimize the risk of costly breaches by accurately detecting and immediately stopping advanced,targeted and other evasive attacks hiding in Internet traffic.Note: Breach detection functionality has not been evaluated as part of the Common Criteria evaluation.1.2.1 TOE Product TypeFireEye NX Series Appliances is a network appliance. Each appliance runs a custom-built hardenedversion of Linux with only the required services enabled. Please see Section 1.3 for the specific TOE typeof each model.1.3 TOE DescriptionThe TOE is comprised of twelve models of the FireEye NX Series Appliances as shown below.NX1500NetworkMonitoring PortsManagement PortsStorageEnclosureProcessorTOE TypeNX2500NX25504x 10/100/1000 BASE-TPorts2x 10/100/1000 BASE- TPorts500 GB disk4x 1GigE BypassDesktopIntel Atom C2558(Slivermont)Stand-alone physicalnetwork device1 Rack UnitIntel Xeon D-1531 (Broadwell)2x 4TB disk / 4TB virtual disk RAID11 Rack UnitIntel Xeon E3-1240 v6 (Kaby Lake)Stand-alone physical networkdeviceStand-alone physical networkdevice2x 10/100/1000 BASE-T Ports1 TB disk4x 10GigE SFP 4x 1GigE Bypass2x 1GigETable 2 NX HW Series Appliances 500NX5500NX65004x 10GigE SFP 4x 1GigE Bypass8x 10GigE SFP 4x 1GigE Bypass8x 10GigE SFP 4x 1GigE Bypass8x 10GigE SFP 2x 40GigE QSFP 2x 1GigE2x 1GigE2x 1GigE2x 1GigE
NX3500Storage2x 4TB disk / 4TBvirtual disk RAID 1EnclosureProcessor2 Rack UnitsIntel Xeon E5-2620 v4(Broadwell)TOE TypeStand-alone physicalnetwork deviceNX45002x 4TB disk / 4TBvirtual disk RAID12 Rack UnitsIntel Xeon E52620 v4(Broadwell)Stand-alonephysical networkdeviceNX5500NX65002x 4TB disk / 4TB virtualdisk RAID 12 10 TB disk / 10 TB virtualdisk RAID 12 Rack UnitsIntel Xeon E5-2683 v4(Broadwell)2 Rack UnitsIntel Xeon Platinum 8168(Skylake)Stand-alone physicalnetwork deviceStand-alone physicalnetwork deviceTable 3 NX HW Series Appliances (2)NX1500VNetworkMonitoring PortsManagement PortsCPU CoresMemoryStorageProcessorEnvironmentTOE TypeNX2500VNX2550V8x 1GigE interfaces8x 1GigE interfaces8x 1GigE interfaces2x 1GigE interfaces310 GB384 GB diskIntel Xeon E5-4620 v4(Broadwell)VMware vSphere ESXi 6.7Stand-alone virtual networkdevice2x 1GigE interfaces616 GB384 GB diskIntel Xeon E5-4620 v4(Broadwell)VMware vSphere ESXi 6.7Stand-alone virtual networkdevice2x 1GigE interfaces816 GB384 GB diskIntel Xeon E5-4620 v4 (Broadwell)VMware vSphere ESXi 6.7Stand-alone virtual networkdeviceTable 4 NX Virtual Series Appliances (1)NX4500VNetwork Monitoring PortsManagement PortsCPU CoresMemoryStorageProcessorEnvironmentTOE Type8x 1GigE interfaces2x 1GigE interfaces832 GB512 GB diskIntel Xeon E5-4620 v4 (Broadwell)VMware vSphere ESXi 6.7Stand-alone virtual network deviceNX6500V8x 1GigE interfaces2x 1GigE interfaces1664 GB512 GB diskIntel Xeon E5-4620 v4 (Broadwell)VMware vSphere ESXi 6.7Stand-alone virtual network deviceTable 5 NX Virtual Series Appliances (2)1.4 TOE Evaluated ConfigurationThe TOE evaluated configuration consists of one of the NX series appliances listed above. The TOE hasbeen evaluated to work with the following devices in the IT environment. Some components are requiredto operate the TOE, while other components may be included at the discretion of the administrator.ComponentVirtual HardwareManagementWorkstation with WebBrowser/SSH Client6RequiredYes Usage/Purpose Description for TOE performanceVirtual hardware provided by VMware vSphere ESXi 6.7 and IntelXeon E5-4620 v4 (Broadwell).This includes any IT Environment Management workstation with aWeb Browser and an SSH client installed that is used by the TOEadministrator to support TOE administration through HTTPS and SSH
ComponentRequiredSyslog serverNoNTP ServerNoUsage/Purpose Description for TOE performanceprotected channels. Any SSH client that supports SSHv2 may be used.Any web browser that supports TLS 1.1 or TLS 1.2 may be used.The syslog audit server is used for remote storage of audit recordsthat have been generated by and transmitted from the TOE. Thesyslog server must support communications using TLS 1.1 or TLS 1.2.NTP server supporting SHA-1 integrity verification.Table 6 IT Environment ComponentsThe NX1500V and NX6500V were tested on a Dell PowerEdge R830.The following figure provides a visual depiction of an example of a typical TOE deployment.1.5 TOE Architecture1.5.1 Physical BoundariesThe TOE is a hardware and software solution that is comprised of the security appliance models describedabove. The TOE guidance documentation that is considered to be part of the TOE is the FireEye NX SeriesAppliances v9.0 Common Criteria Guidance Addendum document and is downloadable from the FireEyewebsite.The network on which the TOE resides is considered part of the environment. The software is pre-installedand is comprised of only the software versions identified above. In addition, software updates aredownloadable from the FireEye website. A login ID and password is required to download the softwareupdate.1.5.2 Logical Scope of the TOEThe TOE provides the following security functions: 7Protected Communications. The TOE protects the integrity and confidentiality ofcommunications as follows:o TLS connectivity with the following entities: Audit Server Management Web Browsero SSH connectivity with the following entities: Management SSH ClientSecure Administration. The TOE enables secure local and remote management of its securityfunctions, including:o Local console CLI administrationo Remote CLI administration via SSHv2
ooooo Remote GUI administration via HTTPS/TLSAdministrator authentication using a local databaseTimed user lockout after multiple failed authentication attemptsPassword complexity enforcementRole Based Access Control - the TOE supports several types of administrative user roles.Collectively these sub-roles comprise the “Security Administrator”o Configurable banners to be displayed at logino Timeouts to terminate administrative sessions after a set period of inactivityo Protection of secret keys and passwordsTrusted Update. The TOE ensures the authenticity and integrity of software updates throughdigital signatures and requires administrative intervention prior to the software updates beinginstalled.Security Audit. The TOE keeps local and remote audit records of security relevant events. The TOEinternally maintains the date and time which can be set manually or using authenticated NTP.Self-Test. The TOE performs a suite of self-tests to ensure the correct operation and enforcementof its security functions.Cryptographic Operations. The TOE provides cryptographic support for the services described inTable 7. The related CAVP validation details are provided in Table 8 and Table 9.Cryptographic MethodTLS EstablishmentSSH EstablishmentECDSA Signature ServicesRSA Signature ServicesRandom Bit GenerationHashingHMACAESUse within the TOEUsed to establish initial TLS sessionUsed to establish initial SSH sessionUsed in TLS session establishmentUsed in TLS session establishmentUsed in SSH session establishmentUsed in secure software updateUsed in TLS session establishmentUsed in SSH session establishmentUsed in secure software updateUsed in NTP integrityUsed to provide TLS traffic integrity verificationUsed to provide SSH traffic integrity verificationUsed to encrypt TLS trafficUsed to encrypt SSH trafficTable 7 TOE Provided CryptographyThe TOE utilizes two cryptographic libraries. The FireEye Cryptographic Implementation version 9.0provides the majority of cryptographic operations.AlgorithmRSAStandardOperationSFRFIPS 186-4FCS CKM.1FCS COP.1/SigGenFCS COP.1/HashECDSAC1720C1749FIPS 186-4DRBGC1720C1749C1720SP 800-90AKey GenerationSignatureGeneration/VerificationKey GenerationSignatureGeneration/VerificationRandom Bit GenerationISO/IEC 10118-3:2004HashingSHS8CAVPCert #C1720C1749FCS CKM.1FCS COP.1/SigGenFCS RBG EXT.1
AlgorithmHMACAESCVLRSACAVPCert rationSFRISO/IEC 9797-2:2011Keyed-HashingFCS COP.1/KeyedHashAES specified in ISO 18033-3CBC specified in ISO 10116GCM specified in ISO 19772CTR specified in ISO 10116SP 800-56AEncryption/DecryptionFCS COP.1/DataEncryptionKey EstablishmentFCS CKM.2RSAES-PKCS1-v1 5Key EstablishmentFCS CKM.2Table 8 CAVP Algorithm Testing ReferencesThe FireEye Cryptographic implementation version 9.0 runs in the Kernel and provides cryptographicoperations related to entropy.AlgorithmDRBGSHSHMACCAVPCert RSP 800-90ARandom Bit GenerationFCS RBG EXT.1ISO/IEC 10118-3:2004HashingFCS COP.1/HashISO/IEC 9797-2:2011Keyed-HashingFCS COP.1/KeyedHashTable 9 CAVP Algorithm Testing References1.5.3 TOE DocumentationThe table below lists the TOE guidance documentation. AGD and ST are provided in .pdf form on theNIAP portal.Reference[AGD][ST]TitleFireEye NX Series Appliances v9.0 Common Criteria Guidance AddendumFireEye NX Series Appliances v9.0 Common Criteria Security TargetTable 10 TOE Documents9Version1.11.1
2 Conformance Claims2.1 CC ConformanceThis TOE is conformant to: Common Criteria for Information Technology Security Evaluations Part 1, Version 3.1, Revision 5,April 2017 Common Criteria for Information Technology Security Evaluations Part 2, Version 3.1, Revision 5,April 2017: Part 2 extended Common Criteria for Information Technology Security Evaluations Part 3, Version 3.1, Revision 5,April 2017: Part 3 conformant2.2 Protection Profile ConformanceThis TOE claims exact conformance to: collaborative Protection Profile for Network Devices, Version 2.2e [NDcPP]2.3 Conformance RationaleThe security problem definition, security objectives and security requirements in this Security Target areall taken from the [NDcPP]. All of the mandatory security requirements are included and selection-basedSFRs are included based on the instructions in the [NDcPP].2.3.1 Technical DecisionsAll NIAP Technical Decisions (TDs) issued to date that are applicable to [NDcPP] have been considered.The following table identifies all applicable TD:IdentifierApplicable0581 – NIT Technical Decision for Elliptic curve-basedkey establishment and NIST SP 800-56Arev30580 – NIT Technical Decision for clarification aboutuse of DH14 in NDcPPv2.2e0572 – NiT Technical Decision for RestrictingFTP ITC.1 to only IP address identifiers0571 – NiT Technical Decision for Guidance on how tohandle FIA AFL.10570 – NiT Technical Decision for Clarification aboutFIA AFL.10569 – NIT Technical Decision for Session ID UsageConflict in FCS DTLSS EXT.1.70564 – NiT Technical Decision for VulnerabilityAnalysis Search Criteria0563 – NiT Technical Decision for Clarification of auditdate information0556 – NIT Technical Decision for RFC 5077 question0555 – NIT Technical Decision for RFC Referenceincorrect in TLSS Test0547 – NIT Technical Decision for Clarification ondeveloper disclosure of AVA VAN0546 – NIT Technical Decision for DTLS - clarificationof Application Note 630538 – NIT Technical Decision for Outdated link toallowed-with list0537 – NIT Technical Decision for Incorrect referenceto FCS TLSC EXT.2.30536 – NIT Technical Decision for Update VerificationInconsistencyYes10Exclusion Rationale (if esThe ST does not include DTLS SFRs.
IdentifierApplicable0528 – NIT Technical Decision for Missing EAs forFCS NTP EXT.1.40527 – Updates to Certificate Revocation Testing(FIA X509 EXT.1)YesTable 11 Technical Decisions11YesExclusion Rationale (if applicable)
3 Security Problem DefinitionThe security problem definition has been taken from [NDcPP] and is reproduced here for theconvenience of the reader. The security problem is described in terms of the threats that the TOE isexpected to address, assumptions about the operational environment, and any organizational securitypolicies that the TOE is expected to enforce.3.1 ThreatsThe following threats are drawn directly from the [NDcPP]:IDT.UNAUTHORIZED ADMINISTRATOR ACCESST.WEAK CRYPTOGRAPHYT.UNTRUSTED COMMUNICATION CHANNELST.WEAK AUTHENTICATION ENDPOINTST.UPDATE COMPROMISET.UNDETECTED ACTIVITY12ThreatThreat agents may attempt to gain Administrator access to theNetwork Device by nefarious means such as masquerading asan Administrator to the device, masquerading as the device toan Administrator, replaying an administrative session (in itsentirety, or selected portions), or performing man-in-themiddle attacks, which would provide access to theadministrative session, or sessions between Network Devices.Successfully gaining Administrator access allows maliciousactions that compromise the security functionality of thedevice and the network on which it resides.Threat agents may exploit weak cryptographic algorithms orperform a cryptographic exhaust against the key space. Poorlychosen encryption algorithms, modes, and key sizes will allowattackers to compromise the algorithms, or brute force exhaustthe key space and give them unauthorized access allowingthem to read, manipulate and/or control the traffic withminimal effort.Threat agents may attempt to target Network Devices that donot use standardized secure tunnelling protocols to protect thecritical network traffic. Attackers may take advantage of poorlydesigned protocols or poor key management to successfullyperform man-in-the-middle attacks, replay attacks, etc.Successful attacks will result in loss of confidentiality andintegrity of the critical network traffic, and potentially couldlead to a compromise of the Network Device itself.Threat agents may take advantage of secure protocols that useweak methods to authenticate the endpoints, e.g. a sharedpassword that is guessable or transported as plaintext. Theconsequences are the same as a poorly designed protocol, theattacker could masquerade as the Administrator or anotherdevice, and the attacker could insert themselves into thenetwork stream and perform a man-in-the-middle attack. Theresult is the critical network traffic is exposed and there couldbe a loss of confidentiality and integrity, and potentially theNetwork Device itself could be compromised.Threat agents may attempt to provide a compromised updateof the software or firmware which undermines the securityfunctionality of the device. Non-validated updates or updatesvalidated using non-secure or weak cryptography leave theupdate firmware vulnerable to surreptitious alteration.Threat agents may attempt to access, change, and/or modifythe security functionality of the Network Device without
T.SECURITY FUNCTIONALITY COMPROMISET.PASSWORD CRACKINGT.SECURITY FUNCTIONALITY FAILUREAdministrator awareness. This could result in the attackerfinding an avenue (e.g., misconfiguration, flaw in the product)to compromise the device and the Administrator would haveno knowledge that the device has been compromised.Threat agents may compromise credentials and device dataenabling continued access to the Network Device and itscritical data. The compromise of credentials includes replacingexisting credentials with an attacker’s credentials, modifyingexisting credentials, or obtaining the Administrator or devicecredentials for use by the attacker.Threat agents may be able to take advantage of weakadministrative passwords to gain privileged access to thedevice. Having privileged access to the device provides theattacker unfettered access to the network traffic and mayallow them to take advantage of any trust relationships withother Network Devices.An external, unauthorized entity could make use of failed orcompromised security functionality and might thereforesubsequently use or abuse security functions without priorauthentication to access, change or modify device data, criticalnetwork traffic or security functionality of the device.Table 12 Threats3.2 AssumptionsThe following assumptions are drawn directly from the [NDcPP]:IDA.PHYSICAL PROTECTIONA.LIMITED FUNCTIONALITYA.NO THRU TRAFFIC PROTECTION13AssumptionThe Network Device is assumed to be physically protected in itsoperational environment and not subject to physical attacks thatcompromise the security or interfere with the device’s physicalinterconnections and correct operation. This protection is assumed to besufficient to protect the device and the data it contains. As a result, thecPP does not include any requirements on physical tamper protection orother physical attack mitigations. The cPP does not expect the product todefend against physical access to the device that allows unauthorizedentities to extract data, bypass other controls, or otherwise manipulatethe device. For vNDs, this assumption applies to the physical platform onwhich the VM runs.The device is assumed to provide networking functionality as its corefunction and not provide functionality/services that could be deemed asgeneral purpose computing. For example, the device should not provide acomputing platform for general purpose applications (unrelated tonetworking functionality).In the case of vNDs, the VS is considered part of the TOE with only onevND instance for each physical hardware platform. The exception beingwhere components of the distributed TOE run inside more than onevirtual machine (VM) on a single VS. There are no other guest VMs on thephysical platform providing non-Network Device functionality.A standard/generic Network Device does not provide any assuranceregarding the protection of traffic that traverses it. The intent is for theNetwork Device to protect data that originates on or is destined to the
IDA.TRUSTED ADMINISTRATORA.REGULAR UPDATESA.ADMIN CREDENTIALS SECUREA.RESIDUAL INFORMATIONA.VS TRUSTED ADMINISTRATORA.VS REGULAR UPDATESA.VS ISOLATONA.VS CORRECT CONFIGURATIONAssumptiondevice itself, to include administrative data and audit data. Traffic that istraversing the Network Device, destined for another network entity, isnot covered by the ND cPP. It is assumed that this protection will becovered by cPPs and PP-Modules for particular types of Network Devices(e.g., firewall).The Security Administrator(s) for the Network Device are assumed to betrusted and to act in the best interest of security for the organization.This includes appropriately trained, following policy, and adhering toguidance documentation. Administrators are trusted to ensurepasswords/credentials have sufficient strength and entropy and to lackmalicious intent when administering the device. The Network Device isnot expected to be capable of defending against a maliciousAdministrator that actively works to bypass or compromise the securityof the device.For TOEs supporting X.509v3 certificate-based authentication, theSecurity Administrator(s) are expected to fully validate (e.g. offlineverification) any CA certificate (root CA certificate or intermediate CAcertificate) loaded into the TOE’s trust store (aka 'root store', ' trusted CAKey Store', or similar) as a trust anchor prior to use (e.g. offlineverification).The Network Device firmware and software is assumed to be updated byan Administrator on a regular basis in response to the release of productupdates due to known vulnerabilities.The Administrator’s credentials (private key) used to access the NetworkDevice are protected by the platform on which they reside.The Administrator must ensure that there is no unauthorized accesspossible for sensitive residual information (e.g. cryptographic keys, keyingmaterial, PINs, passwords etc.) on networking equipment when theequipment is discarded or removed from its operational environment.The Security Administrators for the VS are assumed to be trusted and toact in the best interest of security for the organization. This includes notinterfering with the correct operation of the device. The Network Deviceis not expected to be capable of defending against a malicious VSAdministrator that actively works to bypass or compromise the securityof the device.The VS software is assumed to be updated by the VS Administrator on aregular basis in response to the release of product updates due to knownvulnerabilities.For vNDs, it is assumed that the VS provides, and is configured to providesufficient isolation between software running in VMs on the samephysical platform. Furthermore, it is assumed that the VS adequatelyprotects itself from software running inside VMs on the same physicalplatform.For vNDs, it is assumed that the VS and VMs are correctly configured tosupport ND functionality implemented in VMs.Table 13 Assumptions3.3 Organizational Security PoliciesThe following Organizational Security Policies are drawn directly from the [NDcPP]:14
IDP.ACCESS BANNERTable 14 OSPs15OSPThe TOE shall display an initial banner describing restrictions of use, legalagreements, or any other appropriate information to which users consentby accessing the TOE.
4 Security ObjectivesThe security objectives have been taken from [NDcPP] and are reproduced here for the convenience ofthe reader.4.1 Security Objectives for the Operational EnvironmentThe following security objectives for the operational environment assist the TOE in correctly providingits security functionality. These track with the assumptions about the environment.IDOE.PHYSICALOE.NO GENERAL PURPOSEOE.NO THRU TRAFFIC PROTECTIONOE.TRUSTED ADMINOE.UPDATESOE.ADMIN CREDENTIALS SECUREOE.RESIDUAL INFORMATIONOE.VM CONFIGURATIONObjective for the Operation EnvironmentPhysical security, commensurate with the value of the TOE and the datait contains, is provided by the environment.There are no general-purpose computing capabilities (e.g., compilers oruser applications) available on the TOE, other than those servicesnecessary for the operation, administration and support of the TOE.Note: For vNDs the TOE includes only the contents of the its own VM,and does not include other VMs or the VS.The TOE does not provide any protection of traffic that traverses it. It isassumed that protection of this traffic will be covered by other securityand assurance measures in the operational environment.Security Administrators are trusted to follow and apply all guidancedocumentation in a trusted manner. For vNDs, this includes the VSAdministrator responsible for configuring the VMs that implement NDfunctionality.For TOEs supporting X.509v3 certificate-based authentication, theSecurity Administrator(s) are assumed to monitor the revocation statusof all certificates in the TOE's trust store and to remove any certificatefrom the TOE’s trust store in case such certificate can no longer betrusted.The TOE firmware and software is updated by an Administrator on aregular basis in response to the release of product updates due toknown vulnerabilities.The Administrator’s credentials (private key) used to access the TOEmust be protected on any other platform on which they reside.The Security Administrator ensures that there is no unauthorized accesspossible for sensitive residual information (e.g. cryptographic keys,keying material, PINs, passwords etc.) on networking equipment whenthe equipment is discarded or removed from its operationalenvironment. For vNDs, this applies when the physical platform onwhich the VM runs is removed from its operational environment.For vNDs, the Security Administrator ensures that the VS and VMs areconfigured tooo16reduce the attack surface of VMs as much as possible whilesupporting ND functionality (e.g., remove unnecessary virtualhardware, turn off unused inter-VM communications mechanisms),andcorrectly implement ND functionality (e.g., ensure virtualnetworking is properly configured to support network traffic,management channels, and audit reporting).
The VS should be operated in a manner that reduces the likelihood thatvND operations are adversely affected
1 Version 1.1 Prepared by: Acumen Security 2400 Research Blvd Rockville MD 20850 FireEye NX Series Appliances v9.0 Common Criteria Security Target
