Compliant Product - Cisco Firepower NGIPS/NGIPSv 6.2 with FireSIGHT (FMC) and FMCv 6.2
Certificate Date: 2019.10.10
Validation Report Number: CCEVS-VR-VID10918-2019
Product Type: Firewall
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
Extended Package for Intrusion Prevention Systems Version 2.11
CC Testing Lab: Gossamer Security Solutions
The Target of Evaluation (TOE) is the Cisco Firepower NGIPS/NGIPSv 6.2 with FireSIGHT (FMC) and FMCv 6.2.
The TOE is an Intrusion Detection and Prevention System consisting of the FMC and Sensors. The FMC provides a centralized management console and event database for the system, and aggregates and correlates intrusion, discovery, and connection data from the managed Sensors. Sensors monitor all network traffic for security events and violations, and can alert on and/or block malicious traffic as defined in the intrusion and access control rules. In the evaluated configuration, the TOE deploys at least one FMC managing one or more Sensors. Each model of the TOE consists of a set of appliances or virtual appliances that vary primarily in processing power, memory performance, disk space, and port density. The virtual appliances run on the ESXi hypervisor on underlying UCS hardware models, which likewise vary in processing power, memory performance, disk space, and port density.
The evaluated configuration consists of the following hardware and software:
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012. The evaluation methodology used by the evaluation team is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, September 2012. The product, when delivered and configured as identified in the Common Criteria Supplemental User Guide for Cisco Firepower NGIPS and NGIPSv 6.2 with FMC and FMCv 6.2, Version 1.0, September 16, 2019, satisfies all of the security functional requirements stated in the Cisco Firepower NGIPS/NGIPSv 6.2 with FireSIGHT (FMC) and FMCv 6.2 Security Target, Version 1.2, October 8, 2019. The project underwent CCEVS Validator review. The evaluation was completed in September 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The logical boundaries of the TOE are realized in the security functions that it implements. Each of these security functions is summarized below.
The TOE is designed to generate logs for a wide range of security-relevant events, such as login attempts and management functions. The TOE can be configured to store the logs locally, where they can be accessed by an administrator, or alternatively to send them to an external syslog server over a secure communication channel. The timestamp included in the audit records can be set manually on the FMC/FMCv and is automatically synchronized to the other TOE components.
The TOE allows authorized administrators to control which Sensor is managed by the FMC. This is performed through a registration process over TLS. The administrator can also de-register a Sensor if they opt to no longer manage it through the FMC.
The TOE provides FIPS-certified algorithms to provide key management, random bit generation, encryption/decryption, digital signature and secure hashing and key-hashing features in support of higher level cryptographic protocols including TLS, HTTPS, and SSH.
Identification and authentication:
The TOE requires users (i.e., administrators) to be successfully identified and authenticated before they can access any security management functions available in the TOE. The TOE offers both a locally connected console as well as network accessible interfaces (SSHv2 and HTTPS) for remote interactive administrator sessions.
The TOE supports the local (i.e., on device) definition of administrators with usernames and passwords. All authorized TOE users must have a user account with security attributes that control the user’s access to TSF data and management functions. These security attributes include user name, password, and roles for TOE users. In addition, the TOE supports X.509v3 certificate authentication for the external syslog server.
Optionally, the TOE can be configured to utilize the services of trusted RADIUS and LDAP servers in the operational environment to support, for example, centralized user administration.
The TOE provides a web-based (using HTTPS) management interface for all TOE administration, including the IDS and access control rule sets, user accounts and roles, and audit functions. The ability to manage various security attributes, system parameters and all TSF data is controlled and limited to those users who have been assigned the appropriate administrative role.
The TOE also provides a command line interface (CLI) and shell access to the underlying operating system of the TOE components. The shell access must be restricted to off-line installation, pre-operational configuration, and maintenance and troubleshooting of the TOE. The CLI provides only a subset of the management functions provided by the web GUI and is only available on the Sensors. The use of the web GUI is highly recommended over the CLI.
Security management relies on a management workstation in the operational environment with a properly supported web browser or SSH client to access the management interfaces.
Protection of the TSF:
The TOE implements a number of features designed to protect itself and to ensure the reliability and integrity of its security features. It protects particularly sensitive data, such as stored passwords and cryptographic keys, so that they are not accessible even to an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for log accountability), or it can use a trusted time server in the operational environment.
The TOE ensures that data transmitted between separate parts of the TOE is protected from disclosure or modification. This protection is provided by transmitting data between the TOE components over a secure, TLS-protected tunnel.
The TOE includes self-test functions so that it can detect when it is failing. It also includes mechanisms for updating the TOE itself while ensuring that the updates do not introduce malicious or other unexpected changes to the TOE.
The TOE can be configured to display an informative advisory banner when an administrator establishes an interactive session and subsequently enforce an administrator-defined inactivity timeout value after which the inactive session will be terminated. The administrators can also terminate their own interactive sessions when needed.
The TOE protects interactive communication with administrators using SSHv2 for CLI access or HTTPS for web GUI access. The TOE protects communication with network peers, such as a syslog server, using TLS connections.
Intrusion Prevention System:
The TOE provides intrusion policies consisting of rules and configurations invoked by the access control policy. The intrusion policies are the last line of defense before the traffic is allowed to its destination. All traffic permitted by the access control policy is then inspected by the designated intrusion policy. Using intrusion rules and other preprocessor settings, these policies inspect traffic for security violations and, in inline deployments, can block or alter malicious traffic.
If the vendor-provided intrusion policies do not fully address the security needs of the organization, custom policies can improve the performance of the system in the environment and can provide a focused view of the malicious traffic and policy violations occurring on the network. By creating and tuning custom policies the administrators can configure, at a very granular level, how the system processes and inspects the traffic on the network for intrusions.
Using Security Intelligence, the administrators can blacklist—deny traffic to and from—specific IP addresses, URLs, and DNS domain names, before the traffic is subjected to analysis by the access control rules. Optionally, the administrators can use a “monitor-only” setting for Security Intelligence filtering.
Cisco Systems, Inc.