NIAP: Compliant Product
Compliant Product - FireEye MX Series Appliances

Certificate Date:  2016.01.21

Validation Report Number:  CCEVS-VR-VID10674-2016

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Network Devices Version 1.1

CC Testing Lab:  Acumen Security

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The FireEye MX series appliances are mobile management platforms that work in conjunction with the FireEye MTP App to assimilate and disperse threat information to mobile endpoints, and offer integration with MDM solutions for a true detect-to-fix solution.

Evaluated Configuration

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the FireEye MX Series Appliances were evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4.  The product, when delivered configured as identified in the FireEye FIPS Mode and Common Criteria Addendum document, satisfies all of the security functional requirements stated in the FireEye MX Series Appliances Security Target. The project underwent CCEVS Validator review.  The evaluation was completed in January 2016.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.

Environmental Strengths

Security audit

The FireEye MX Series Appliances provide extensive auditing capabilities. The TOE generates a comprehensive set of audit logs that identify specific TOE operations. For each event, the TOE records the date and time of each event, the type of event, the subject identity, and the outcome of the event. Auditable events include: failure on invoking cryptographic functionality such as establishment, termination and failure of a TLS session; establishment, termination and failure of an SSH session; modifications to the group of users that are part of the authorized administrator roles; all use of the user identification mechanism; any use of the authentication mechanism; any change in the configuration of the TOE, changes to time, initiation of TOE update, indication of completion of TSF self-test, maximum sessions being exceeded, termination of a remote session; and initiation and termination of a trusted channel.

The TOE is configured to transmit its audit messages to an external syslog server. Communication with the syslog server is protected using TLS and the TOE can determine when communication with the syslog server fails.

The logs for the appliances can be viewed on the TOE via the TOE CLI. The records include the date/time the event occurred, the event/type of event, the user ID associated with the event, and additional information of the event and its success and/or failure.  The TOE does not have an interface to modify audit records, though there is an interface available for the authorized administrator to clear audit data stored locally on the TOE.

User Data Protection

The TOE ensures that all information that flows from the TOE does not contain residual information from previous traffic.  Packets are padded with zeros.  Residual data is never transmitted from the TOE.

Identification and Authentication

The TOE performs two types of authentication: device-level authentication of remote IT Environment devices (e.g., audit servers) and user authentication for the Authorized Administrator of the TOE.  Device-level authentication of remote IT Environment devices allows the TOE to establish a secure channel with an IT Environment trusted peer.  The secure channel is established only after each device authenticates the other.  This device-level authentication is performed via TLS authentication.

The TOE provides authentication services for administrative users to connect to the TOE's CLI administrator interface. The TOE requires Authorized Administrators to authenticate prior to being granted access to any of the management functionality. In the Common Criteria evaluated configuration, the TOE is configured to require a minimum password length of 15 characters, as well as mandatory password complexity rules. The TOE provides administrator authentication against a local user database. Password-based authentication can be performed on any TOE administrative interface, including local CLI and remote CLI over SSH.

Security Management

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE.  Management can take place over a variety of interfaces including:

·         Local console command line administration at each of the appliances

·         Remote command line administration via SSHv2 at each of the appliances

The TOE provides the ability to securely manage:

·         All TOE administrative users;

·         All identification and authentication;

·         All audit functionality of the TOE;

·         All TOE cryptographic functionality;

·         The timestamps maintained by the TOE; and

·         Update to the TOE.

The TOE supports several administrator roles, including:

·         Admin: The system administrator is a “super user” who has all capabilities.

·         Monitor: The system monitor has read-only access.

·         Operator: The system operator has a subset of the capabilities associated with the admin role.

·         Analyst: The system analyst focuses on data plane analysis.

·         Auditor: The system auditor reviews audit logs and performs forensic analysis.

These roles are collectively known as the “Authorized Administrator”.

The TOE supports the configuration of login banners to be displayed at time of login and inactivity timeouts to terminate administrative sessions after a set period of inactivity.

Protection of the TSF

The TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to Authorized Administrators. The TOE prevents reading of cryptographic keys and passwords. Additionally, the TOE software is a custom-built hardened version of Linux, and access to memory space is restricted to only required software services.

The TOE internally maintains the date and time.  This date and time is used as the timestamp that is applied to audit records generated by the TOE.  Administrators can update the TOE’s clock manually, or can configure the TOE to use NTP to synchronize the TOE’s clock with an external time source.  Finally, the TOE performs testing to verify correct operation of the security appliances themselves.

The TOE verifies all software updates via digital signature and requires administrative intervention prior to the software updates being installed on the TOE to avoid the installation of unauthorized software.

TOE Access

The TOE can terminate inactive sessions after an Authorized Administrator-configurable time period. Once a session has been terminated, the TOE requires the user to re-authenticate to establish a new session.

The TOE also displays an Authorized Administrator configured banner on the CLI management interfaces prior to allowing any administrative access to the TOE.

Trusted path/Channels

The TOE supports several types of secure communications, including:

·         Trusted paths with remote administrators over SSH; and

·         Trusted channels with remote IT Environment audit servers over TLS.

Each of these trusted paths/channels is secured using either TLS or SSH.

Vendor Information

FireEye, Inc.
Peter Kim