NIAP: Compliant Product
NIAP/CCEVS
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Cisco FTD (NGFW) 6.2 on Firepower 4100 and 9300 Series with FireSIGHT (FMC) and FMCv

Certificate Date:  2018.11.30

Validation Report Number:  CCEVS-VR-VID10889-2018

Product Type:    Firewall
   Virtual Private Network
   IDS/IPS
   Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Stateful Traffic Filter Firewalls Version 2.0 + Errata 20180314
  collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
  Extended Package for Intrusion Prevention Systems Version 2.11
  Extended Package for VPN Gateways Version 2.1

CC Testing Lab:  Gossamer Security Solutions


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


Product Description

The Cisco FTD (NGFW) 6.2 on Firepower 4100 and 9300 Series with FireSIGHT (FMC) and FMCv (TOE) are purpose-built, scalable platforms with firewall and VPN and IPS capabilities provided by Firepower Threat Defense (FTD) software.


Evaluated Configuration

The TOE consists of one or more physical devices as specified below and includes the Cisco FTD, FMC, and FXOS software.  Each instantiation of the TOE has two or more network interfaces, and is able to filter IP traffic to and through those interfaces.

If the TOE is to be remotely administered, the management station must connect using SSHv2.  When web UI is used, a remote workstation with a TLS-enabled browser must be available.  A syslog server can also be used to store audit records, and the syslog server must support syslog over TLS or IPsec.  The TOE is able to filter connections to/from these external using its IP traffic filtering, and can encrypt traffic where necessary using TLS, SSH, and/or IPsec.

The evaluated configuration consists of the following devices:


TOE Configuration

Hardware Configurations              

Software Version

FP 4110

FP 4120

FP 4140

FP 4150

 

The Firepower 4100 chassis contains the following components:

 

·         Network module 1 with eight fixed SFP+ ports (1G and 10G connectivity), the management port, RJ-45 console port, Type A USB port, PID and S/N card, locator indicator, and power switch

·         Two network modules slots (network module 2 and network module 3)

·         Two (1+1) redundant power supply module slots

·         Six fan module slots

·         Two SSD bays

FXOS release 2.2 and FTD release 6.2

FP 9300

 

The Firepower 9300 chassis contains the following components:

 

·         Firepower 9300 Supervisor—Chassis supervisor module

?  Management port

?  RJ-45 console port

?  Type A USB port

?  Eight ports for 1 or 10 Gigabit Ethernet SFPs (fiber and copper)

·         Firepower 9300 Security Module—Up to three security modules

?  800 GB of solid state storage per security blade (2 x 800 GB solid state drives running RAID1)

·         Firepower Network Module—Two single-wide network modules or one double-wide network module

·         Two power supply modules (AC or DC)

·         Four fan modules

FXOS release 2.2 and FTD release 6.2

FS750

FS1000

FS2000

FS2500

FS4000

FS4500

The Cisco FireSIGHT Series provides centralized management console with up to 4 management interfaces, and up to 10 Gbps speed.

FP release 6.2

FMCv

FMCv running on ESXi 5.5 or 6.0 on the Unified Computing System (UCS) B200-M4, B200-M5, C220-M4S, C220-M5, C240-M5, C240-M4SX, C240-M4L, C460-M4, C480-M5, E140S-M2/K9, E180D-M2/K9 and E160S-M3

6.2


Security Evaluation Summary

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, July 2012  The product, when delivered and configured as identified in the Cisco FXOS 2.2 on Firepower 4100/9300 for FTD Preparative Procedures & Operational User Guide for the Common Criteria Certified Configuration, Version 1.0, November 29, 2018 and FTD (NGFW) v6.2 on Firepower 4100 and 9300 Series with FireSIGHT (FMC) and FMCv Common Criteria Supplemental User Guide, Version 1.0, November 29, 2018 documents, satisfies all of the security functional requirements stated in the Cisco FTD (NGFW) 6.2 on Firepower 4100 and 9300 Series with FireSIGHT (FMC) and FMCv Security Target, Version 1.0, November 29, 2018.  The project underwent CCEVS Validator review.  The evaluation was completed in November 2018.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10889-2018) prepared by CCEVS.


Environmental Strengths

The logical boundaries of the Cisco FTD (NGFW) 6.2 on Firepower 4100 and 9300 Series with FireSIGHT (FMC) and FMCv are realized in the security functions that it implements. Each of these security functions is summarized below.

Security audit:

The TOE provides extensive auditing capabilities. The TOE can audit events related to cryptographic functionality, identification and authentication, and administrative actions.  The TOE generates an audit record for each auditable event.  The administrator configures auditable events, performs back-up operations, and manages audit data storage.  The TOE provides the administrator with a circular audit trail or a configurable audit trail threshold to track the storage capacity of the audit trail.  Audit logs are backed up over an encrypted channel to an external audit server.

Communication:

The TOE allows authorized administrators to control which Sensor is managed by the FMC. This is performed through a registration process over TLS. The administrator can also de-register a Sensor if he or she wish to no longer manage it through the FMC.

Cryptographic support:

The TOE provides cryptography in support of other TOE security functionality.  The TOE provides cryptography in support of secure connections using IPsec and TLS, and remote administrative management via SSHv2, and TLS/HTTPS. The cryptographic random bit generators (RBGs) are seeded by an entropy noise source.

Full Residual Information protection:

The TOE ensures that all information flows from the TOE do not contain residual information from previous traffic.  Packets are padded with zeros.  Residual data is never transmitted from the TOE.

Identification and authentication:

The TOE performs two types of authentication: device-level authentication of the remote device (VPN peers) and user authentication for the authorized administrator of the TOE.  Device-level authentication allows the TOE to establish a secure channel with a trusted peer.  The secure channel is established only after each device authenticates the other.  Device-level authentication is performed via IKE/IPsec X509v3 certificate based authentication or pre-shared key methods.

The TOE provides authentication services for administrative users wishing to connect to the TOEs secure CLI and GUI administrator interfaces.  The TOE requires authorized administrators to authenticate prior to being granted access to any of the management functionality.  The TOE can be configured to require a minimum password length of 15 characters as well as mandatory password complexity rules. The TOE also implements a lockout mechanism if the number of configured unsuccessful threshold has been exceeded. 

The TOE provides administrator authentication against a local user database.  Password-based authentication can be performed on the serial console or SSH and HTTPS interfaces.  The SSHv2 interface also supports authentication using SSH keys.

Security management:

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE.  All TOE administration occurs either through a secure SSHv2 or TLS/HTTPS session, or via a local console connection.  The TOE provides the ability to securely manage all TOE administrative users; all identification and authentication; all audit functionality of the TOE; all TOE cryptographic functionality; the timestamps maintained by the TOE; TOE configuration file storage and retrieval, and the information flow control policies enforced by the TOE including encryption/decryption of information flows for VPNs.  The TOE supports an “authorized administrator” role, which equates to any account authenticated to an administrative interface (CLI or GUI, but not VPN), and possessing sufficient privileges to perform security-relevant administrative actions.

When an administrative session is initially established, the TOE displays an administrator- configurable warning banner.  This is used to provide any information deemed necessary by the administrator.  After a configurable period of inactivity, administrative sessions will be terminated, requiring administrators to re-authenticate.

Protection of the TSF:

The TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to authorized administrators.  The TOE prevents reading of cryptographic keys and passwords. 

Additionally, the TOE is not a general-purpose operating system and access to the TOE memory space is restricted to only TOE functions.

The TOE internally maintains the date and time.  This date and time is used as the timestamp that is applied to audit records generated by the TOE.  Administrators can update the TOE’s clock manually.  Additionally, the TOE performs testing to verify correct operation of the appliance itself and that of the cryptographic module. Whenever any system failures occur within the TOE the TOE will cease operation.

TOE access:

When an administrative session is initially established, the TOE displays an administrator- configurable warning banner.  This is used to provide any information deemed necessary by the administrator.  After a configurable period of inactivity, administrator and VPN client sessions will be terminated, requiring re-authentication. The TOE also supports direct connections from VPN clients, and protects against threats related to those client connections. The TOE disconnects sessions that have been idle too long, and can be configured to deny sessions based on IP, time, and day, and to NAT external IPs of connecting VPN clients to internal network addresses.

Trusted path/channels:

The TOE supports establishing trusted paths between itself and remote administrators using SSHv2 for CLI access, and TLS/HTTPS for GUI access.  The TOE supports use of TLS and/or IPsec for connections with remote syslog servers.  The TOE can establish trusted paths of peer-to-peer VPN tunnels using IPsec, and VPN client tunnels using IPsec or TLS. Note that the VPN client is in the operational environment.

Filtering:

The TOE provides stateful traffic firewall functionality including IP address-based filtering (for IPv4 and IPv6) to address the issues associated with unauthorized disclosure of information, inappropriate access to services, misuse of services, disruption or denial of services, and network-based reconnaissance.  Address filtering can be configured to restrict the flow of network traffic between protected networks and other attached networks based on source and/or destination IP addresses.  Port filtering can be configured to restrict the flow of network traffic between protected networks and other attached networks based on the originating (source) and/or receiving (destination) port (service).  Stateful packet inspection is used to aid in the performance of packet flow through the TOE and to ensure that only packets are only forwarded when they’re part of a properly established session. The TOE supports protocols that can spawn additional sessions in accordance with the protocol RFCs where a new connection will be implicitly permitted when properly initiated by an explicitly permitted session. The File Transfer Protocol is an example of such a protocol, where a data connection is created as needed in response to an explicitly allowed command connection.  System monitoring functionality includes the ability to generate audit messages for any explicitly defined (permitted or denied) traffic flow.  TOE administrators have the ability to configure permitted and denied traffic flows, including adjusting the sequence in which flow control rules will be applied, and to apply rules to any network interface of the TOE.

The TOE also provides packet filtering and secure IPsec tunneling. The tunnels can be established between two trusted VPN peers as well as between remote VPN clients and the TOE. More accurately, these tunnels are sets of security associations (SAs). The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keying material to be used. SAs are unidirectional and are established per the ESP security protocol. An authorized administrator can define the traffic that needs to be protected via IPsec by configuring access lists (permit, deny, log) and applying these access lists to interfaces using crypto map set.

Intrusion Prevention System: 

The TOE provides intrusion policies consisting of rules and configurations invoked by the access control policy. The intrusion policies are the last line of defense before the traffic is allowed to its destination. All traffic permitted by the access control policy is then inspected by the designated intrusion policy. Using intrusion rules and other preprocessor settings, these policies inspect traffic for security violations and, in inline deployments, can block or alter malicious traffic.

If the vendor-provided intrusion policies do not fully address the security needs of the organization, custom policies can improve the performance of the system in the environment and can provide a focused view of the malicious traffic and policy violations occurring on the network. By creating and tuning custom policies the administrators can configure, at a very granular level, how the system processes and inspects the traffic on the network for intrusions.

Using Security Intelligence, the administrators can blacklist—deny traffic to and from—specific IP addresses, URLs, and DNS domain names, before the traffic is subjected to analysis by the access control rules. Optionally, the administrators can use a “monitor-only” setting for Security Intelligence filtering.


Vendor Information


Cisco Systems, Inc.
Marty Loy
4103094862
certteam@cisco.com

www.cisco.com
Site Map              Contact Us              Home