Compliant Product - Cisco Firepower NGIPS/NGIPSv 6.4 with FMC/FMCv 6.4
Certificate Date: 2021.09.03
Validation Report Number: CCEVS-VR-VID11144-2021
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
Extended Package for Intrusion Prevention Systems Version 2.11
CC Testing Lab: Gossamer Security Solutions
The TOE, sometimes referred to as Cisco Firepower NGIPS, provides advanced threat protection as an intrusion prevention system that can be deployed inline (as an IPS that blocks suspicious or malicious traffic in real time) or passively (as an IPS/IDS sensor), integrating real-time inspection and logging of IPv4 and IPv6 traffic.
The Firepower Management Center (FMC) is a network appliance that provides a centralized management console and database repository for the Firepower System deployment. Administrators can also deploy 64-bit virtual Firepower Management Centers (FMCv) as ESXi hosts using the VMware vSphere Hypervisor. The FMC is a key component in the Cisco NGIPS system. Administrators can use the FMC to manage the full range of Sensors that comprise the Cisco NGIPS system, and to aggregate, analyze, and respond to the threats they detect on their network.
In the evaluated configuration, the TOE consists of at least one FMC managing one or more Sensors, all running version 6.4. The FMC and Sensors can be physical appliances or virtual appliances.
If the TOE is to be remotely administered, the management station must connect using SSHv2 or using a web browser for the web UI over HTTPS. A syslog server can also be used to store audit records, and the syslog server must support syslog over TLS. Access control policies inspect traffic for security violations and, in inline deployments, can block or alter malicious traffic using intrusion rules and other preprocessor settings provided by the TOE.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, September 16, 2021. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, July 2017. The product, when delivered and configured as identified in the Common Criteria Supplemental User Guide for Cisco Firepower NGIPS/NGIPSv 6.4 with FMC/FMCv 6.4, Version 0.2, July 19, 2021, satisfies all of the security functional requirements stated in the Cisco Firepower NGIPS/NGIPSv 6.4 with FMC/FMCv 6.4 Security Target, version 0.5, August 17, 2021. The project underwent CCEVS Validator review. The evaluation was completed in August 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The logical boundaries of the TOE are realized in the security functions that it implements. Each of these security functions is summarized below.
Security audit:
The TOE is designed to generate logs for a wide range of security-relevant events such as login attempts and management functions. The TOE can be configured to store the logs locally so they can be accessed by an administrator, or alternatively to send the logs to an external syslog server over a secure communication channel. The timestamp included in the audit content can be manually set on the FMC/FMCv and is automatically synchronized with the other TOE components.
Communication:
The TOE allows authorized administrators to control which Sensors are managed by the FMC. This is performed through a registration process over TLS. An administrator can also de-register a Sensor if they no longer wish to manage it through the FMC.
Cryptographic support:
The TOE provides FIPS-certified algorithms for key management, random bit generation, encryption/decryption, digital signatures, secure hashing and keyed hashing, in support of higher-level cryptographic protocols including TLS, HTTPS, and SSH.
Identification and authentication:
The TOE requires users (i.e., administrators) to be successfully identified and authenticated before they can access any security management functions available in the TOE. The TOE offers both a locally connected console as well as network accessible interfaces (SSHv2 and HTTPS) for remote interactive administrator sessions.
The TOE supports the local (i.e., on device) definition of administrators with usernames and passwords. All authorized TOE users must have a user account with security attributes that control the user’s access to TSF data and management functions. These security attributes include username, password, and roles for TOE users. In addition, the TOE supports X.509v3 certificate authentication for the external syslog server.
Security management:
The TOE provides a web-based (HTTPS) management interface for all TOE administration, including the IDS and access control rule sets, user accounts and roles, and audit functions. The ability to manage security attributes, system parameters and all TSF data is restricted to those users who have been assigned the appropriate administrative role.
The TOE also provides a command line interface (CLI) and shell access to the underlying operating system of the TOE components. The shell access must be restricted to off-line installation, pre-operational configuration, and maintenance and troubleshooting of the TOE. The CLI provides only a subset of the management functions provided by the web GUI and is only available on the Sensors. The use of the web GUI is highly recommended over the CLI.
Security management relies on a management workstation in the operational environment with a properly supported web browser or SSH client to access the management interfaces.
Protection of the TSF:
The TOE implements a number of features designed to protect itself and to ensure the reliability and integrity of its security features. It protects particularly sensitive data, such as stored passwords and cryptographic keys, so that they are not accessible even to an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for log accountability), or it can use a trusted time server in the operational environment.
The TOE ensures that data transmitted between separate parts of the TOE is protected from disclosure or modification. This protection is provided by transmitting data between the TOE components over a secure, TLS-protected tunnel.
The TOE includes self-test functions so that it can detect when it is failing. It also includes mechanisms so that the TOE itself can be updated while ensuring that the updates do not introduce malicious or other unexpected changes to the TOE.
TOE access:
The TOE can be configured to display an informative advisory banner when an administrator establishes an interactive session, and it subsequently enforces an administrator-defined inactivity timeout after which the inactive session is terminated. Administrators can also terminate their own interactive sessions when needed.
Trusted path/channels:
The TOE protects interactive communication with administrators using SSHv2 for CLI access or HTTPS for web GUI access. The TOE protects communication with network peers, such as a syslog server, using TLS connections.
Intrusion prevention:
The TOE provides intrusion policies consisting of rules and configurations invoked by the access control policy. The intrusion policies are the last line of defense before traffic is allowed to reach its destination: all traffic permitted by the access control policy is then inspected by the designated intrusion policy. Using intrusion rules and other preprocessor settings, these policies inspect traffic for security violations and, in inline deployments, can block or alter malicious traffic.
If the vendor-provided intrusion policies do not fully address the security needs of the organization, custom policies can improve the performance of the system in the environment and can provide a focused view of the malicious traffic and policy violations occurring on the network. By creating and tuning custom policies, the administrators can configure, at a very granular level, how the system processes and inspects the traffic on the network for intrusions.
Using Security Intelligence, administrators can blacklist (deny traffic to and from) specific IP addresses, URLs, and DNS domain names before the traffic is subjected to analysis by the access control rules. Optionally, administrators can use a "monitor-only" setting for Security Intelligence filtering.
Cisco Systems, Inc.