NIAP: Compliant Product
NIAP/CCEVS
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Cisco FirePOWER Version 6.1

Certificate Date:  2018.01.17

Validation Report Number:  CCEVS-VR-VID10768-2018

Product Type:    IDS/IPS
   Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 1.0
  Extended Package for Intrusion Prevention Systems Version 2.11

CC Testing Lab:  Gossamer Security Solutions


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


Product Description

The TOE is an Intrusion Detection and Prevention System, which consists of the FMC and Sensors. The FMC provides a centralized management console and event database for the system, and aggregates and correlates intrusion, discovery, and connection data from managed Sensors. Sensors monitor all network traffic for security events and violations, and can alert and/or block malicious traffic as defined in the intrusion and access control rules.


Evaluated Configuration

In the evaluated configuration, the TOE consists of at least one FMC managing one or more Sensor all running version 6.1. The FMC and Sensor can be physical appliances or virtual appliances. 

The TOE can optionally connect to an NTP server for clock updates. If the TOE is to be remotely administered, the management station must connect using SSHv2 or using web browser for the UI over HTTPS.  A syslog server can also be used to store audit records, and the syslog server must support syslog over TLS.

The following figure provides a visual depiction of an example TOE deployment.  The TOE boundary is surrounded with a dotted blue line.


Security Evaluation Summary

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, July 2012. The product, when delivered and configured as identified in the Cisco Common Criteria Supplemental User Guide for FirePOWER v6.1, Version 1.0, December 13, 2017 document, satisfies all of the security functional requirements stated in the Cisco FirePOWER Version 6.1 Security Target, Version 1.0, January 2, 2018.  The project underwent CCEVS Validator review.  The evaluation was completed in January 2018.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10768-2018) prepared by CCEVS.


Environmental Strengths

The logical boundaries of the Cisco FirePOWER are realized in the security functions that it implements. Each of these security functions is summarized below.

Security Audit:

The TOE is designed to be able to generate logs for a wide range of security relevant events such as login attempts and management functions. The complete list of auditable events and contents is in TSS. The TOE can be configured to store the logs locally so they can be accessed by an administrator or alternately to send the logs to an external syslog server over a secure communication channel. The timestamp included in the audit content can be manually set or set by an external NTP server in the operational environment.

Cryptographic support:

The TOE includes a FIPS-certified cryptographic module that provides key management, random bit generation, encryption/decryption, digital signature and secure hashing and key-hashing features in support of higher level cryptographic protocols including TLS, HTTPS, and SSH. The complete specification of algorithms, key sizes, and other attributes is in TSS.

Identification and authentication:

The TOE requires users (i.e., administrators) to be successfully identified and authenticated before they can access any security management functions available in the TOE. The TOE offers both a locally connected console as well as network accessible interfaces (SSHv2 and HTTPS) for remote interactive administrator sessions.

The TOE supports the local (i.e., on device) definition of administrators with usernames and passwords. All authorized TOE users must have a user account with security attributes that control the user’s access to TSF data and management functions. These security attributes include user name, password, and roles for TOE users. In addition, the TOE supports X.509v3 certificate authentication for the external syslog server.

Optionally, the TOE can be configured to utilize the services of trusted RADIUS and LDAP servers in the operational environment to support, for example, centralized user administration.

Security management:

The TOE provides a web-based (using HTTPS) management interface for all TOE administration, including the IDS and access control rule sets, user accounts and roles, and audit functions. The ability to manage various security attributes, system parameters and all TSF data is controlled and limited to those users who have been assigned the appropriate administrative role.

The TOE also provides a command line interface (CLI) and shell access to the underlying operating system of the TOE components. The shell access must be restricted to off-line installation, pre-operational configuration, and maintenance and troubleshooting of the TOE. The CLI provides only a subset of the management functions provided by the web GUI and is only available on the Sensors. The use of the web GUI is highly recommended over the CLI.  

Security management relies on a management workstation in the operational environment with a properly supported web browser or SSH client to access the management interfaces.

Protection of the TSF:

The TOE implements a number of features design to protect itself to ensure the reliability and integrity of its security features. It protects particularly sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for log accountability) or can utilize a trusted time server in the operational environment.

The TOE ensures that data transmitted between separate parts of the TOE are protected from disclosure or modification. This protection is ensured by transmission of data between the TOE components over a secure, TLS-protected tunnel.

The TOE includes functions to perform self-tests so that it might detect when it is failing. It also includes mechanisms so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or other unexpected changes in the TOE.

TOE Access:

The TOE can be configured to display an informative advisory banner when an administrator establishes an interactive session and subsequently enforce an administrator-defined inactivity timeout value after which the inactive session will be terminated. The administrators can also terminate their own interactive sessions when needed.

Trusted path/channels:

The TOE protects interactive communication with administrators using SSHv2 for CLI access or HTTPS for web GUI access. The TOE protects communication with network peers, such as a syslog server, using TLS connections. All the underlying algorithms for the specified security protocols are FIPS-certified.

Intrusion Prevention System:

The TOE provides intrusion policies consisting of rules and configurations invoked by the access control policy. The intrusion policies are the last line of defense before the traffic is allowed to its destination. All traffic permitted by the access control policy is then inspected by the designated intrusion policy. Using intrusion rules and other preprocessor settings, these policies inspect traffic for security violations and, in inline deployments, can block or alter malicious traffic.

If the vendor-provided intrusion policies do not fully address the security needs of the organization, custom policies can improve the performance of the system in the environment and can provide a focused view of the malicious traffic and policy violations occurring on the network. By creating and tuning custom policies the administrators can configure, at a very granular level, how the system processes and inspects the traffic on the network for intrusions.

Using Security Intelligence, the administrators can blacklist—deny traffic to and from—specific IP addresses, URLs, and DNS domain names, before the traffic is subjected to analysis by the access control rules. Optionally, the administrators can use a “monitor-only” setting for Security Intelligence filtering.


Vendor Information

Logo
Cisco Systems, Inc.
Laura Stubbs
410-309-4862
N/A
certteam@cisco.com

www.cisco.com
Site Map              Contact Us              Home