Compliant Product - Cisco Stealthwatch Enterprise 7.1
Certificate Date: 2020.07.21
Validation Report Number: CCEVS-VR-VID11059-2020
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.1
CC Testing Lab: Gossamer Security Solutions
The Cisco Stealthwatch Enterprise 7.1 TOE is a centrally managed system of distributed components for the collection, storage, and analysis of network telemetry data. The evaluated configuration of the TOE consists of one Stealthwatch Management Console (SMC), one or more Flow Collectors (FC), one or more Flow Sensors (FS), and one or more UDP Directors (UDPD). Each of the TOE components is available as a stand-alone physical appliance or as a virtual appliance. The physical and virtual appliances provide equivalent functionality, and a mixture of physical and virtual appliances can be deployed together.
The SMC provides the administrative interface to manage all TOE components. The FC receives telemetry data from Stealthwatch Flow Sensors and other sources, analyzes the data, sends event notifications to SMC, and supports further forensics and long-term data analysis. The FS produces telemetry for segments of the switching and routing infrastructure that cannot generate NetFlow natively. The UDP Director (UDPD) simplifies the collection and distribution of network and security data across the enterprise.
Cisco Stealthwatch Enterprise provides visibility and security analytics (threat detection, and threat response) using network traffic telemetry data. Stealthwatch Enterprise can generate telemetry data directly (by directly monitoring traffic flows) or can collect telemetry data generated by devices in an existing network infrastructure.
The evaluated configuration consists of the following physical and virtual devices, all running Stealthwatch software image release 7.1.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the Cisco Stealthwatch Compliance Guide 7.1, Version 1.0, July 2, 2020 document, satisfies all of the security functional requirements stated in the Cisco Stealthwatch Enterprise 7.1 Security Target, Version 1.1, July 17, 2020. The project underwent CCEVS Validator review. The evaluation was completed in July 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The logical boundaries of the TOE are realized in the security functions that it implements. Each of these security functions is summarized below.
The Cisco Stealthwatch Enterprise provides extensive auditing capabilities. The TOE can audit events related to cryptographic functionality, identification and authentication, and administrative actions. The Cisco Stealthwatch Enterprise generates an audit record for each auditable event. Each security-relevant audit event has the date, timestamp, event description, and subject identity. The administrator configures auditable events, configures secure transmission of audit records to a remote audit server, and manages audit data storage. The TOE provides the administrator with a local circular audit trail. Audit messages are stored locally and transmitted over an encrypted channel to an external audit server.
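The paragraph above names the four fields every audit record carries and describes a local circular audit trail with forwarding over an encrypted channel. The following is an added illustration of those two properties, written for this listing and not taken from Stealthwatch: a fixed-capacity trail that overwrites its oldest record when full (and counts what it lost), records with the four named fields, and a TLS client context for the forwarding channel that enforces server certificate verification and TLS 1.2 or later. Class and function names are hypothetical.

```python
"""Added illustration (not Stealthwatch code): a bounded local audit trail
whose records carry date, timestamp, event description and subject identity,
plus a TLS client context for forwarding records to a remote audit server."""
import json
import ssl
from collections import deque
from dataclasses import asdict, dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class AuditRecord:
    date: str        # calendar date, e.g. "2020-07-21"
    timestamp: str   # full timestamp with timezone, e.g. "2020-07-21T10:15:00+00:00"
    event: str       # event description
    subject: str     # identity of the subject (administrator or TOE component)


class CircularAuditTrail:
    """Fixed-capacity local store: once full, each new record evicts the oldest one."""

    def __init__(self, capacity: int) -> None:
        if capacity < 1:
            raise ValueError("capacity must be positive")
        self._records: deque = deque(maxlen=capacity)
        self.overwritten = 0  # records lost to wrap-around; worth alerting on

    def log(self, event: str, subject: str, when: Optional[datetime] = None) -> AuditRecord:
        when = (when or datetime.now(timezone.utc)).astimezone(timezone.utc)
        rec = AuditRecord(
            date=when.date().isoformat(),
            timestamp=when.isoformat(timespec="seconds"),
            event=event,
            subject=subject,
        )
        if len(self._records) == self._records.maxlen:
            self.overwritten += 1  # deque.append will drop the oldest entry
        self._records.append(rec)
        return rec

    def records(self) -> List[AuditRecord]:
        return list(self._records)

    def export_lines(self) -> List[str]:
        """One JSON object per line, the shape a syslog-over-TLS forwarder would send."""
        return [json.dumps(asdict(r)) for r in self._records]


def forwarding_context() -> ssl.SSLContext:
    """Client-side TLS settings for the channel to the external audit server.

    The default context already requires a verified server certificate and
    hostname match; the minimum version is pinned so legacy protocol versions
    are never negotiated. A CA bundle would be loaded in a real deployment."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


if __name__ == "__main__":
    trail = CircularAuditTrail(capacity=3)
    trail.log("administrator login succeeded", "admin")
    trail.log("audit server address changed", "admin")
    trail.log("TLS session established with FC-1", "smc")
    trail.log("software update signature verified", "smc")
    for line in trail.export_lines():
        print(line)
    print("records overwritten:", trail.overwritten)
```

The `overwritten` counter is the detail a defender cares about: a circular trail silently discards history, so the forwarder should drain records before wrap-around and the loss count should itself be reported.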
The TOE allows authorized administrators to control which Stealthwatch appliance (FC, FS, and UDPD) is managed by the SMC. This is performed through a registration process over TLS. The administrator can also de-register an appliance if he or she wishes to no longer manage it through the SMC. For this TOE, the process of registration/joining a new managed appliance (FC, FS, UDPD) to the SMC is manually initiated by the administrator installing each appliance. The initial TLS connection is authenticated to the SMC using the SMC administrator’s username/password, at which point the appliances exchange their X.509 certificates, and from that point forward all TLS communications among appliances are authenticated using X.509 certificates.
The TOE provides cryptography in support of other Cisco Stealthwatch security functionality. This cryptography has been validated by the NIST CAVP. The TOE provides cryptography in support of TLS, which is used for remote administrative management, secure communication among TOE components, and connections from the TOE to LDAP and syslog servers.
The cryptographic services provided by the TOE are described in the table below.
During initial installation each TOE component generates its own unique self-signed X.509v3 certificate, and during initial configuration all those certificates are replaced with new CA-signed identity certificates which are then used for all TLS connections including mutual authentication of TLS connections among TOE components. Each TOE component generates its own unique keypair and its own certificate signing requests (CSR), and imports TLS certificates that have been signed by an external CA server.
Identification and authentication:
TOE components perform two types of authentication: password-based authentication of administrators for remote administration of the TOE, and certificate-based authentication of devices. Device-level authentication allows TOE components to establish secure channels with other TOE components and with external servers (LDAP and syslog). The TOE provides administrator authentication against a local user database. Password-based authentication can be performed on the serial console and the GUI (accessible via HTTPS/TLS). For authentication to the GUI, the TOE optionally supports use of an authentication, authorization, and accounting (AAA) server (using LDAP over TLS), which would be outside the TOE boundary.
The TOE requires Authorized Administrators to authenticate prior to being granted access to any of the management functionality. The TOE can be configured to require a minimum password length of 15 characters.
After a configurable number of incorrect login attempts at administrative interfaces where authentication is processed locally (i.e. where LDAP is not used), the TOE will lock the offending account until an Administrator defined time period has elapsed.
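The two paragraphs above describe the local-authentication controls: a configurable minimum password length (15 characters in the evaluated configuration) and lockout of an account after a configurable number of failed attempts until an administrator-defined period has elapsed. The following is an added example, written for this listing and not Stealthwatch's own code, that implements that policy for a local user database: passwords are stored as salted PBKDF2 digests, a locked account rejects even the correct password until the lockout window expires, and unknown users take a constant-time path so the response does not reveal whether the account exists. All names and the default policy values are hypothetical.

```python
"""Added illustration (not Stealthwatch code): minimum password length and
failed-attempt lockout for a local administrator database."""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Policy:
    min_password_length: int = 15     # evaluated configuration value from the listing
    max_failed_attempts: int = 3      # hypothetical administrator setting
    lockout_seconds: int = 600        # hypothetical administrator setting


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0                 # consecutive failures since last success
    locked_until: float = 0.0         # epoch seconds; 0 means not locked


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


class LocalAuthenticator:
    def __init__(self, policy: Policy) -> None:
        self.policy = policy
        self._accounts: Dict[str, Account] = {}

    def password_acceptable(self, password: str) -> bool:
        return len(password) >= self.policy.min_password_length

    def set_password(self, user: str, password: str) -> None:
        if not self.password_acceptable(password):
            raise ValueError(
                "password must be at least %d characters" % self.policy.min_password_length)
        salt = os.urandom(16)
        self._accounts[user] = Account(salt=salt, digest=_derive(password, salt))

    def login(self, user: str, password: str, now: Optional[float] = None) -> str:
        """Returns "ok", "locked" or "denied"; "now" is injectable for testing."""
        now = time.time() if now is None else now
        acct = self._accounts.get(user)
        if acct is None:
            _derive(password, b"\x00" * 16)   # same cost as a real check
            return "denied"
        if now < acct.locked_until:
            return "locked"                    # lock applies even to a correct password
        if hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.policy.max_failed_attempts:
            acct.locked_until = now + self.policy.lockout_seconds
            acct.failures = 0                  # counter restarts after the lock expires
            return "locked"
        return "denied"


if __name__ == "__main__":
    auth = LocalAuthenticator(Policy())
    auth.set_password("admin", "correct-horse-battery-staple")
    for attempt in ("wrong-password-number-1", "wrong-password-number-2", "wrong-password-number-3"):
        print(auth.login("admin", attempt, now=0))
    print(auth.login("admin", "correct-horse-battery-staple", now=1))     # still locked
    print(auth.login("admin", "correct-horse-battery-staple", now=601))   # lock expired
```

Two design points match the listing: the lock is time-based rather than requiring manual reset, and it is evaluated before the password is checked so a correct guess during the window gains nothing. The check is skipped only where authentication is not local, which is why the LDAP path in the text is excluded.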
Security management:
The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs either through a secure HTTPS/TLS session or via a local console connection. The TOE provides the ability to securely manage all TOE administrative users; all identification and authentication; all audit functionality of the TOE; all TOE cryptographic functionality; the timestamps maintained by the TOE; and updates to the TOE.
When an administrative session is initially established, the TOE displays an administrator-configurable warning banner. This is used to provide any information deemed necessary by the administrator. After a set amount of time of inactivity, the administrator will be locked out of the administrator interface.
Protection of the TSF:
The TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to Authorized Administrators. The TOE prevents reading of plaintext cryptographic keys and passwords.
The TOE internally maintains the date and time. This date and time is used as the timestamp that is applied to audit records generated by the TOE. Administrators can update the TOE’s clock manually.
The TOE is able to verify any software updates prior to the software updates being installed on the TOE to avoid the installation of unauthorized software. The TOE performs self-testing to verify correct operation of its cryptographic module. The TOE components are not general-purpose operating systems; root access is not permitted, external software applications cannot be installed, and access to memory space is restricted to TOE functions.
The TOE is distributed, including multiple appliances that communicate with each other over a network. These internal TOE communications between TOE components are protected within TLS and authenticated using X.509 certificates.
The TOE can terminate inactive sessions after an Authorized Administrator configurable time-period. Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session.
The TOE can also display an Authorized Administrator specified banner on the CLI management interface and the WebUI prior to allowing any administrative access to the TOE.
The TOE establishes a trusted path with syslog servers using TLS, and with LDAP servers using TLS. Remote administration of the TOE uses TLS/HTTPS. All communications between TOE components are protected within TLS; the initial joining of TOE components is authenticated using a username and password that’s manually entered during the joining process, and subsequent communications between TOE components are automatically authenticated using X.509 certificates.
Cisco Systems, Inc.