NIAP: Compliant Product
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - CounterACT version 7.0

Certificate Date:  2018.04.02

Validation Report Number:  CCEVS-VR-VID10728-2018

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 1.0

CC Testing Lab:  Booz Allen Hamilton Common Criteria Testing Laboratory

CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The ForeScout CounterACT is a network device that enables network access control, threat protection, and compliance of the entire enterprise based on network security policies. The ForeScout CounterACT type is justified because the ForeScout CounterACT provides an infrastructure role in internetworking of different network environments across an enterprise.

Evaluated Configuration

The TOE is ForeScout CounterACT that runs the CounterACT software version 7.0.

In its evaluated configuration, the TOE is configured to directly communicate with the following environment components: 

  • Management Workstation: Any general-purpose computer that is used by a Security Administrator to manage the TOE. The TOE can be managed remotely, in which case the management workstation requires an SSH client to access the CLI or the CounterACT Console GUI application installed.
  • Active Directory (AD) Server: A system that is capable of receiving authentication requests using LDAP over TLS and validating these requests against identity and credential data that is defined in an LDAP directory. In the evaluated configuration, the TOE connects to a server with Microsoft Active Directory for its remote authentication store.
  • Syslog Server: The TOE connects to a Syslog Server to send Syslog messages for remote storage via TLS connection where the TOE is the TLS client. This is used to send copies of audit data to be stored in a remote location for data redundancy purposes.
  • Certificate Authority (CA) Server/Online Certificate Status Protocol (OCSP) Responder: A server deployed within the Operational Environment which confirms the validity and revocation status of certificates.
  • Network Infrastructure: The network infrastructure contains components such as routers, switches, DNS server, etc.

Additionally, the following environment component was required for trusted update functionality:

  • Update Server: A general-purpose computer controlled by the vendor that includes a web server and is used to store software update packages that can be retrieved by product customers using HTTPS/TLS enabled browser or Console. The host of the CounterACT Console application provides the secure channel and not the TOE. The TOE does not directly communicate with the update server. The TOE receives the update from the CounterACT Console.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. CounterACT was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 4. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the ForeScout CounterACT Security Target Version 1.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in March 2018. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID10728-2018 prepared by CCEVS.

Environmental Strengths

Security Audit

The TOE contains mechanisms to generate audit data to record predefined events on the TOE. The audit logs are stored in an internal database on the TOE’s local hard drive. An authorized administrator has the ability to enable/disable the forwarding of events to a syslog server. When enabled, the audit data is also securely transmitted to the syslog server using a TLS v1.1 or 1.2 communication channel. 

Cryptographic Support

The TOE provides cryptography in support of SSH, and TLS (v1.1 and 1.2) trusted communications. RSA key generation is implemented in accordance with FIPS 186-4 and RSA key establishment is implemented in accordance with NIST SP 800-56B.  Diffie-Hellman group 14 (FFC) key generation is implemented in accordance with RFC 3526, Section 3 and Diffie-Hellman group 14 key establishment is implemented in accordance with RFC 3526, Section 3. Keys are destroyed when no longer used. AES, SHA, HMAC, RSA are all used by the TOE for encryption, hashing, message authentication and digital signatures, respectively. The TOE uses a hash DRBG to provide the random bit generation services with 256 bits of entropy. The cryptographic implementation has been validated to ensure that the algorithms are appropriately strong for use in trusted communications.

Identification and Authentication

The TOE provides local password authentication as well as providing the ability to securely connect to an Active Directory server for the authentication of users. Communications over this interface is secured using TLS in which the TOE is acting as a client. The TOE enforces X.509 certificates to support authentication for TLS connections. The only available function available to an unauthenticated user is the ability to acknowledge a warning banner.

Security Management

The TOE can be administered locally and remotely and uses role based access control to prevent unauthorized management. The TOE enforces role based access control (RBAC) to prevent/allow access to TSF data and functionality. The NDcPP scopes the management capabilities to: manually download an update, manually initiate an update which verifies the digital signature before installation, configure inactivity time, and configuring the access banner.

A pre-defined set of permissions is called a role. The TOE has one pre-defined role: “Admin”. The user permissions for the “Admin” role cannot be modified or customized. A user assigned the “Admin” role is the TOE administrator (Security Administrator) and has access to all Console tools and features.  All other users that do not have the full set of administrative permissions are categorized as a “Console User”. A Console User’s set of permissions are set during creation and can be customized by adding and subtracting specific permissions to allow/disallow the user TOE functionality. 

Protection of the TSF

The TOE is expected to ensure the security and integrity of all data that is stored locally and accessed remotely. Passwords are not stored in plaintext. The cryptographic module prevents the unauthorized disclosure of secret cryptographic data.  The TOE does not support automatic updates.  An administrator has the ability to query the TOE for the currently executing version the TOE software and is required to manually initiate the update process from the Console.  The TOE automatically verifies the digital signature of the software update prior to installation. If the digital signature is found to be invalid for any reason the update is not installed. If the signature is deemed invalid, the administrator will be provided a warning banner and allow an administrator to continue with the installation or abort. There is no means for an administrative override to continue the installation if the signature is completely missing.  The TOE implements a self-testing mechanism that is automatically executed during the initial start-up and can be manually initiated by an administrator after authentication, to verify the correct operation of product and cryptographic modules. The TOE provides its own time via its internal clock.

TOE Access

The TOE displays a configurable warning banner prior to its use. Inactive sessions will be terminated after an administrator-configurable time period. Users are allowed to terminate their own interactive session. Once a remote session has been terminated the TOE requires the user to re-authenticate to establish a new session. Local and remote sessions are terminated after the administrator configured inactivity time limit is reached.

Trusted Path/Channels 

Users can access a CLI for administration functions remotely via SSH (remote console) or a local physical connection (local console) to the TOE.  The TOE provides the SSH server functionality.  The main administrator interface is the ClounterACT Console GUI application which is running on a separate Windows PC. The CounterACT Console initiates a TLS connection to the TOE appliance, which is acting as a TLS server, for this connection.

Vendor Information

ForeScout Technologies, Inc.
Wallace Sann
Site Map              Contact Us              Home