NIAP: Compliant Product
NIAP/CCEVS
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Cisco FTD 6.4 on ASA 5500 and ISA 3000 and FTDv with FMC/FMCv

Certificate Date:  2021.06.16

Validation Report Number:  CCEVS-VR-VID11141-2021

Product Type:    Wireless Monitoring
   Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.2e
  Extended Package for Intrusion Prevention Systems Version 2.11

CC Testing Lab:  Gossamer Security Solutions


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Administrative Guide [PDF]


Product Description

The Cisco ASA 5500 series and the ISA 3000 are purpose-built platforms with IPS capabilities provided by Firepower Threat Defense (FTD) software. The Cisco FTD Virtual or FTDv running on UCS/ENCS platform (TOE) is also a firewall platform with IPS capabilities. The FMC physical and virtual appliances provide a centralized management console and event database for the FTD and FTDv, and aggregate and correlate intrusion, discovery, and connection data from the FTD and FTDv. The FMC and ASA5500/ISA3000/FTDv (running FTD) appliances form the TOE (Distributed TOE Use Case 3). In this deployment, the FTD provides network analysis, intrusion detection, and access control functionalities. 


Evaluated Configuration

The TOE is a hardware and software solution comprised of the components described in the table below. The evaluated configuration consists of one or more FTD physical or virtual devices which include the 6.4 software and managed by one FMC physical or virtual device.

 

Hardware Models and Specifications

TOE Configuration

Hardware Configurations     

Software Version

5508-X

5516-X

The Cisco 5500-X Adaptive Security Appliance provides 4-8 Gigabit Ethernet interfaces, and support for up to 300 VPNs.

 

FTD release 6.4

ISA 3000-4C

ISA 3000-2C2F

 

 

The ISA 3000 series appliances are purpose-built, firewall platforms with VPN capabilities, with 4 Gigabit Ethernet interfaces, and support for up to 25 VPN peers.

 

 

FTD release 6.4

FMC1000-K9

FMC2500-K9

FMC4500-K9

FMC1600-K9

FMC2600-K9

FMC4600-K9

 

 

 

The Cisco FMC Series provides centralized management console with up to 4 management interfaces, and up to 10 Gbps speed.

FMC v6.4

FMCv

FTDv

FMCv and FTDv running on ESXi 6.0/6.5 on the Unified Computing System (UCS) UCSB-B200-M4, UCSC-C220-M4S, UCSC-C240-M4SX, UCSC-C240-M4L, UCSB-B200-M5, UCSC-C220-M5, UCSC-C240-M5, UCS-E160S-M3 and UCS-E180D-M3 installed on ISR.

FTDv running on NFVIS 3.12 on the ENCS 5406, 5408, and 5412.

 

FMC v6.4 and FTDv 6.4

 


Security Evaluation Summary

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017.  The product, when delivered and configured as identified in the Cisco FTD 6.4 on ASA 5500 and ISA 3000 and FTDv with FMC/FMCv Common Criteria Supplemental User Guide, Version 0.5, June 9, 2021 document, and the Cisco FTD v6.4 on ASA 5500 and ISA 3000 and FTDv with FMC/FMCv Common Criteria User Guide Supplement IPS & VPN Functionality, Version 0.3, June 2, 2021 document, satisfies all of the security functional requirements stated in the Cisco FTD 6.4 on ASA 5500 and ISA 3000 and FTDv with FMC/FMCv Security Target, Version 0.7, June 9, 2021.  The project underwent CCEVS Validator review.  The evaluation was completed in June 2021.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

The logical boundaries of the TOE are realized in the security functions that it implements. Each of these security functions is summarized below.

Security audit:

The TOE provides extensive auditing capabilities. The TOE can audit events related to cryptographic functionality, identification and authentication, and administrative actions.  The TOE generates an audit record for each auditable event.  The administrator configures auditable events, performs back-up operations, and manages audit data storage.  The TOE provides the administrator with a circular audit trail where the TOE overwrites the oldest audit record with the newest audit record when space is full. Audit logs are backed up over an encrypted channel to an external audit server.

Communication:

The TOE allows authorized administrators to control which Sensor is managed by the FMC. This is performed through a registration process over TLS. The administrator can also de-register a Sensor if he or she wish to no longer manage it through the FMC.

Cryptographic support:

The TOE provides cryptography in support of other TOE security functionality.  The TOE provides cryptography in support of secure connections using IPsec and TLS, and remote administrative management via SSHv2 and TLS/HTTPS. The cryptographic random bit generators (RBGs) are seeded by an entropy noise source.

Identification and authentication:

The TOE performs two types of authentication: device-level authentication of the remote device (VPN peers) and user authentication for the authorized administrator of the TOE.  Device-level authentication allows the TOE to establish a secure channel with a trusted peer.  The secure channel is established only after each device authenticates the other.  Device-level authentication is performed via IKE/IPsec X509v3 certificate based authentication or pre-shared key methods.

The TOE provides authentication services for administrative users wishing to connect to the TOEs secure CLI and GUI administrator interfaces.  The TOE requires authorized administrators to authenticate prior to being granted access to any of the management functionality.  The TOE can be configured to require a minimum password length of 15 characters as well as mandatory password complexity rules. The TOE also implements a lockout mechanism if the number of unsuccessful authentication attempts exceeds the configured threshold.

The TOE provides administrator authentication against a local user database.  Password-based authentication can be performed on the serial console or SSH and HTTPS interfaces.  The SSHv2 interface also supports authentication using SSH keys.

Security management:

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE.  All TOE administration occurs either through a secure SSHv2 or TLS/HTTPS session, or via a local console connection.  Optionally, the FTD component also supports tunneling the SSH connections in IPsec VPN tunnels. Management of all security functions can be performed via the FMC/FMCv component of the TOE, while a subset of management functions can be performed on the FTD/FTDv component.  The TOE provides the ability to securely manage all TOE administrative users; all identification and authentication; all audit functionality of the TOE; all TOE cryptographic functionality and the timestamps maintained by the TOE. The TOE supports an “authorized administrator” role, which equates to any account authenticated to an administrative interface (CLI or GUI, but not VPN), and possessing sufficient privileges to perform security-relevant administrative actions. When an administrative session is initially established, the TOE displays an administrator- configurable warning banner.  This is used to provide any information deemed necessary by the administrator.  After a configurable period of inactivity, administrative sessions will be terminated, requiring administrators to re-authenticate.

Protection of the TSF:

The TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to authorized administrators. The TOE prevents reading of cryptographic keys and passwords. 

Additionally, the TOE is not a general-purpose operating system and access to the TOE memory space is restricted to only TOE functions.

The TOE internally maintains the date and time. This date and time are used in the timestamp that is applied to audit records generated by the TOE. Administrators can update the TOE’s clock manually via FMC. Additionally, the TOE performs testing to verify correct operation of the appliance itself and that of the cryptographic module. Whenever any system failures occur within the TOE the TOE will cease operation.

TOE access:

When an administrative session is initially established, the TOE displays an administrator- configurable warning banner.  This is used to provide any information deemed necessary by the administrator.  After a configurable period of inactivity, administrator sessions will be terminated, requiring re-authentication.

Trusted path/channels:

The TOE supports establishing trusted paths between itself and remote administrators using SSHv2 for CLI access on the FTD and FMC and TLS/HTTPS for web UI access on the FMC.  The TOE supports use of TLS and/or IPsec for connections with remote syslog servers. The SSH remote administrator communications on the FTD can be tunneled in IPsec. 

Intrusion prevention system:

The TOE provides intrusion policies consisting of rules and configurations invoked by the access control policy. The intrusion policies are the last line of defense before the traffic is allowed to its destination. All traffic permitted by the access control policy is then inspected by the designated intrusion policy. Using intrusion rules and other preprocessor settings, these policies inspect traffic for security violations and, in inline deployments, can block or alter malicious traffic.

If the vendor-provided intrusion policies do not fully address the security needs of the organization, custom policies can improve the performance of the system in the environment and can provide a focused view of the malicious traffic and policy violations occurring on the network. By creating and tuning custom policies the administrators can configure, at a very granular level, how the system processes and inspects the traffic on the network for intrusions.

Using Security Intelligence, the administrators can blacklist—deny traffic to and from—specific IP addresses, URLs, and DNS domain names, before the traffic is subjected to analysis by the access control rules. Optionally, the administrators can use a “monitor-only” setting for Security Intelligence filtering.


Vendor Information


Cisco Systems, Inc.
Cert Team
4103094862
certteam@cisco.com

www.cisco.com
Site Map              Contact Us              Home