NIAP: Compliant Product
Compliant Product - FireEye HX Series Appliances

Certificate Date:  2016.02.01

Validation Report Number:  CCEVS-VR-VID10675-2016

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    Protection Profile for Network Devices Version 1.1

CC Testing Lab:  Acumen Security


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


Product Description

The FireEye HX series appliances enable security operations teams to correlate network and endpoint activity. Organizations can automatically investigate alerts generated by FireEye Threat Prevention Platforms, log management, and network security products, and apply intelligence from FireEye to continuously validate Indicators of Compromise on the endpoints, identify whether a compromise has occurred, and assess the potential risk. Further, organizations can quickly triage the incident to understand the details and contain compromised endpoints and devices within a single-click workflow.


Evaluated Configuration


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the FireEye HX Series Appliances were evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4.  The product, when delivered configured as identified in the FireEye FIPS Mode and Common Criteria Addendum document, satisfies all of the security functional requirements stated in the FireEye HX Series Appliances Security Target. The project underwent CCEVS Validator review.  The evaluation was completed in February 2016.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

Security audit

The FireEye HX Series Appliances provide extensive auditing capabilities. The TOE generates a comprehensive set of audit logs that identify specific TOE operations. For each event, the TOE records the date and time of each event, the type of event, the subject identity, and the outcome of the event. Auditable events include: failure on invoking cryptographic functionality such as establishment, termination and failure of a TLS session; establishment, termination and failure of an SSH session; modifications to the group of users that are part of the authorized administrator roles; all use of the user identification mechanism; any use of the authentication mechanism; any change in the configuration of the TOE, changes to time, initiation of TOE update, indication of completion of TSF self-test, maximum sessions being exceeded, termination of a remote session; and initiation and termination of a trusted channel.

The TOE is configured to transmit its audit messages to an external syslog server. Communication with the syslog server is protected using TLS and the TOE can determine when communication with the syslog server fails.

The logs for all of the appliances can be viewed on the TOE via the TOE CLI. The records include the date/time the event occurred, the event/type of event, the user ID associated with the event, and additional information of the event and its success and/or failure.  The TOE does not have an interface to modify audit records, though there is an interface available for the authorized administrator to clear audit data stored locally on the TOE.

User Data Protection

The TOE ensures that all information flows from the TOE do not contain residual information from previous traffic.  Packets are padded with zeros.  Residual data is never transmitted from the TOE.

Identification and Authentication

The TOE performs three types of authentication: device-level authentication of remote IT Environment devices (e.g., audit servers and LDAP servers) and user authentication for the Authorized Administrator of the TOE (both locally and remotely).  Device-level authentication of remote IT Environment devices allows the TOE to establish a secure channel with an IT Environment trusted peer.  The secure channel is established only after each device authenticates the other.  This device-level authentication is performed via TLS authentication.

The TOE provides authentication services for administrative users to connect to the TOE's secure GUI or CLI administrator interface.  The TOE requires Authorized Administrators to authenticate prior to being granted access to any of the management functionality.  In the Common Criteria evaluated configuration, the TOE is configured to require a minimum password length of 15 characters as well as mandatory password complexity rules.  The TOE provides two administrator authentication methods:

·         Authentication against a local user database

·         Authentication via LDAP over TLS (part of the TOE IT environment)

Password-based authentication can be performed on any TOE administrative interface including local CLI, remote CLI over SSH, and remote GUI over HTTPS.

Security Management

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE.  Management can take place over a variety of interfaces including:

·         Local console command line administration at each of the appliances

·         Remote command line administration via SSHv2 at each of the appliances

·         Remote GUI administration via TLS

While the TOE provides multiple interfaces to perform administration, all functionality available via the command line interface is limited. All general and security administration for all of the appliances will take place at one of several locations, including:

·         Remote GUI administration to the appliance being managed over HTTPS,

·         Remote CLI administration to each appliance over an SSH tunnel over HTTPS,

·         Local administration via direct connection.

The TOE provides the ability to securely manage:

·         All TOE administrative users;

·         All identification and authentication;

·         All audit functionality of the TOE;

·         All TOE cryptographic functionality;

·         The timestamps maintained by the TOE; and

·         Update to the TOE.

The TOE supports several administrator roles, including,

·         Admin: The system administrator is a “super user” who has all capabilities.

·         Monitor: The system monitor has read-only access.

·         Operator: The system operator has a subset of the capabilities associated with the admin role.

·         Analyst: The system analyst focuses on data plane analysis.

·         Auditor: The system auditor reviews audit logs and performs forensic analysis.

These roles are collectively known as the “Authorized Administrator”.

The TOE supports the configuration of login banners to be displayed at time of login and inactivity timeouts to terminate administrative sessions after a set period of inactivity.

Protection of the TSF

The TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to Authorized Administrators.  The TOE prevents reading of cryptographic keys and passwords.  Additionally, the TOE software is a custom-built hardened version of Linux, and access to memory space is restricted to only required software services.

The TOE internally maintains the date and time.  This date and time is used as the timestamp that is applied to audit records generated by the TOE.  Administrators can update the TOE’s clock manually, or can configure the TOE to use NTP to synchronize the TOE’s clock with an external time source.  Finally, the TOE performs testing to verify correct operation of the security appliances themselves.

The TOE verifies all software updates via digital signature and requires administrative intervention prior to the software updates being installed on the TOE to avoid the installation of unauthorized software. 

TOE Access

The TOE can terminate inactive sessions after a time period configurable by an Authorized Administrator.  Once a session has been terminated, the TOE requires the user to re-authenticate to establish a new session.

The TOE also displays an Authorized Administrator configured banner on both the GUI and CLI management interfaces prior to allowing any administrative access to the TOE.

Trusted path/Channels

The TOE supports several types of secure communications, including,

·         Trusted paths with remote administrators over SSH,

·         Trusted paths with remote administrators over TLS,

·         Trusted channels with remote IT Environment audit servers over TLS,

·         Trusted channels with remote IT Environment LDAP servers over TLS.

Each of these trusted paths/channels is secured using either TLS or SSH.


Vendor Information

FireEye, Inc.
Peter Kim
408-321-6300
certifications@fireeye.com

www.fireeye.com