Compliant Product - Forcepoint NGFW 6.3.1
Certificate Date: 2018.03.12CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID10854-2018
Product Type: Firewall
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Stateful Traffic Filter Firewalls Version 1.0
CC Testing Lab: Gossamer Security Solutions
The Forcepoint NGFW is a stateful packet filtering firewall. The Forcepoint NGFW system is composed of two physical appliances: the NGFW Engine and the Security Management Center (SMC) Appliance. The NGFW Engine controls connectivity and information flow between internal and external connected networks. The SMC Appliance provides administrative functionality supporting the configuration and operation of NGFW Engines. Throughout the remainder of this document, references to the NGFW Engine are meant to reference the TOE’s firewall engine, while references to the NGFW are meant to refer to the TOE as a whole.
The NGFW Engine controls connectivity and information flow between internal and external connected networks. The NGFW Engine also provides a means to keep the internal host’s IP-address private from external users. The NGFW Engine is intended to be used as a network perimeter security gateway that provides a controlled connection.
The NGFW is assumed to be installed and operated within a physically protected environment, administered by trusted and trained administrators over a trusted and separate management network. Multiple installations of the NGFW Engine may be used in combination to provide a company with an overall network topology.
The NGFW Engine contains a hardened Linux operating system (with a 4.9 kernel) executing on a single or multi-processor Forcepoint hardware platform.
The SMC Appliance (or SMC) contains the Management Server and Log Server. Like the NGFW Engine, the SMC contains a hardened Linux-based operating system (which uses a 2.6.32 kernel) to support the management capabilities and allow for the operation and configuration of firewall engines.
Forcepoint NGFW Security Management Center (SMC) Appliance running software version 6.3.1:
Forcepoint NGFW Engine running software version 6.3.1 and including the following models:
Security Evaluation Summary
The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, July 2012. The product, when delivered and configured as identified in the Forcepoint NGFW Common Criteria Evaluated Configuration Guide, Version 6.3.1 Rev E, document, satisfies all of the security functional requirements stated in the Forcepoint NGFW (FWcPP10) Security Target, Version 1.0, March 5, 2018. The project underwent CCEVS Validator review. The evaluation was completed in March 2018. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10854-2018) prepared by CCEVS.
The logical boundaries of the Forcepoint NGFW are realized in the security functions that it implements. Each of these security functions is summarized below.
The TOE generates audit events for numerous activities including policy enforcement, system management and authentication. A syslog server in the environment is relied on to store audit records generated by the TOE. The TOE generates a complete audit record including the IP address of the TOE, the event details, and the time the event occurred. The time stamp is provided by the TOE’s Linux-based operating system in conjunction with the appliance hardware. When the syslog server writes the audit record to the audit trail, it applies its own time stamp, placing the entire TOE-generated syslog protocol message MSG contents into an encapsulating syslog record.
Because the TOE consists of two components, each physical component of the TOE must be considered when discussing the TOE cryptographic support. Both components of the TOE utilize cryptography to verify trusted updates, and the SMC uses cryptography to support its use of the TLS protocol to protect network communication.
User data protection:
The TOE ensures that residual information is protected from potential reuse in accessible objects such as network packets.
The TOE provides an information flow control mechanism using a rule base that comprises a set of security policy rules, i.e., the firewall security policy. The NGFW Engine enforces the firewall security policy on all traffic that passes through the engine, via its internal or external network Ethernet interfaces.
Identification and authentication:
The TOE requires users to be identified and authenticated before they can use functions mediated by the TOE, with the exception of reading the login banner, and performing firewall packet filtering operations. The TOE authenticates administrative users. In order for an administrative user to access the TOE, a user account including a user name and password must be created for the user.
Security management commands are limited to authorized users (i.e., administrators) and available only after they have provided acceptable user identification and authentication data to the TOE. Administrators access the TOE remotely using a TLS protected communication channel between the Management Server and the Client GUI (which runs on a workstation in the IT environment). Administrators can also access the TOE via a local console which provides limited functionality.
Protection of the TSF:
The TOE provides a variety of means of protecting itself. The TOE performs self-tests that cover the correct operation of the TOE. It provides functions necessary to securely update the TOE. It’s Linux-based operating system utilizes a hardware clock to ensure reliable timestamps. It protects sensitive data such as stored passwords and cryptographic keys so that they are not accessible through the TOE, even to a Security Administrator. The TOE also utilizes a dedicated, local network for communications between the TOE’s components.
The TOE can be configured to display a logon banner before a user session is established. The TOE also enforces inactivity timeouts for local and remote sessions.
The TOE protects interactive communication with administrators using TLS for GUI access, ensuring both integrity and disclosure protection. If the negotiation of an encrypted session fails, the attempted connection will not be established.
The TOE protects communication with network peers, such as an external syslog server, using TLS connections to prevent unintended disclosure or modification of logs.