Compliant Product - Bastille Enterprise Fusion Center Version 3.2.0
Certificate Date: 2022.09.06
Validation Report Number: CCEVS-VR-VID11311-2022
Product Type: Application Software
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Application Software Version 1.4
CC Testing Lab: UL Verification Services Inc. (Formerly InfoGard)
The Bastille Enterprise Fusion Center analyzes observed wireless device data to detect devices, their metadata, and their locations (the data collection component is not part of the evaluation). The Fusion Center provides real-time feeds of this enriched device data. Users can make security decisions by combining the real-time wireless device inventory the Fusion Center provides with the organization's site policies. Sites can include one or more floors of a building, multiple buildings, or entire organization campuses.
The Fusion Center provides secure access to the data through APIs that users reach over TLS-protected network connections. Several web-based (single-page) applications are built into the TOE, and these are built exclusively on the aforementioned APIs. Usage of these APIs is outside the scope of this evaluation. The TOE can also deliver notifications to subscriber applications through webhooks over TLS-protected connections.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. Bastille Enterprise Fusion Center v3.2.0 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5, April 2017. The TOE, when installed and configured per the instructions provided in the preparative and administrative guidance, satisfies all the security functional requirements stated in the Bastille Enterprise Fusion Center v3.2.0 Security Target. The evaluation underwent CCEVS Validator review. The evaluation was completed in September 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS and the Assurance Activity Report.
Cryptographic Support
The TOE does not directly perform cryptographic services, but rather calls the platform-provided crypto library, so cryptographic operations are outside the TOE's logical scope.
User Data Protection
The TOE protects confidential data using platform-provided mechanisms and does not collect sensitive information from the platform or users. The TOE restricts its access to platform resources to network connections.
Identification and Authentication
The TOE uses X.509 certificates to verify the authenticity of remote services when initiating secure communications with them.
Security Management
The TOE provides security management functionality for users to perform initial configuration and to configure external connections. Configuration is stored in the manner recommended by the platform. The TOE requires users to change the built-in OS credentials during initial configuration of the TOE. The TOE configures file permissions on its binaries to protect them from modification by unprivileged users.
Privacy
The TOE does not collect or transmit Personally Identifiable Information (PII).
Protection of the TSF
The TOE employs built-in anti-exploitation capabilities and uses only supported platform APIs and a limited number of third-party libraries. The TOE uses the Semantic Versioning (SemVer) format to track TOE versions.
The TOE reports its current version number and provides the capability to check for available updates to the TOE. The TOE is distributed with the OS as a Virtual Appliance, and updates are distributed as a complete virtual appliance image.
Trusted Path/Channels
The TOE encrypts transmitted sensitive data using platform-provided functionality.