CC Certificate 

Security Target 

Validation Report 

Assurance Activity 

Administrative Guide: Cisco Secure Network Analytics (SNA) 7.4 Preparative Procedures & Operational User Guide for the Common Criteria Certified Configuration 

Administrative Guide: Cisco Secure Network Analytics Release Notes 7.4.0 

Administrative Guide: Cisco Secure Network Analytics System Configuration Guide 7.4.1 

Administrative Guide: Cisco Secure Network Analytics Update Guide 7.4.1 

Administrative Guide: Cisco Secure Network Analytics Virtual Edition Appliance Installation Guide 7.4.1 

Administrative Guide: Cisco Secure Network Analytics Smart Software Licensing Guide 7.4 

Administrative Guide: Cisco Secure Network Analytics (Data sheet) 

Administrative Guide: Cisco Stealthwatch x210 Series Hardware Installation Guide 

The Cisco Secure Network Analytics (SNA) TOE is a centrally managed system of distributed components for collection, storage, analysis, of network telemetry data.  The evaluated configurations of the TOE consist of one SNA Management Console (SMC), one or more Flow Collectors (FC), one or more Flow Sensors (FS), and one or more UDP Directors (UDPD).  Each of the TOE components is available as a stand-alone physical appliance, or as a virtual appliance.  The physical and virtual appliances provide equivalent functionality, and a mixture of physical and virtual appliances can be deployed together.

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance.  The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017.  The product, when delivered and configured as identified in the Cisco Secure Network Analytics (SNA) 7.4 Preparative Procedures & Operational User Guide for the Common Criteria Certified Configuration, Version 1.1, February 16, 2023, document, satisfies all of the security functional requirements stated in the Cisco Secure Network Analytics (SNA) 7.4 Security Target, Version 1.2, February 20, 2023.  The project underwent CCEVS Validator review.  The evaluation was completed in February  2023.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11313-2023) prepared by CCEVS.

The logical boundaries of the Secure Network Analytics (SNA) are realized in the security functions that it implements. Each of these security functions is summarized below.

Security audit:

The Cisco Secure Network Analytics provides extensive auditing capabilities. The TOE can audit events related to cryptographic functionality, identification and authentication, and administrative actions.  The Cisco Secure Network Analytics generates an audit record for each auditable event.  Each security relevant audit event has the date, timestamp, event description, and subject identity.  The administrator configures auditable events, configures secure transmission of audit records to a remote audit server, and manages audit data storage.  The TOE provides the administrator with a local circular audit trail.  Audit messages are stored locally and transmitted over an encrypted channel to an external audit server.

Communication:

The TOE allows authorized administrators to control which SNA appliance (FC, FS, and UDPD) is managed by the SMC. This is performed through a registration process over TLS. The administrator can also de-register an appliance if he or she wishes to no longer manage it through the SMC.  For this TOE the process of registration/joining a new managed appliance (FC, FS, UDPD) to the SMC is manually initiated by the administrator installing each appliance.  The initial TLS connection is authenticated to the SMC using the SMC administrator’s username/password, at which point the appliances exchange their X.509 certificates, and from that point forward all TLS communications among appliances are authenticated using X.509 certificates.

Cryptographic support:

The TOE provides cryptography in support of other Cisco SNA security functionality.  This cryptography has been validated by the NIST CAVP.

The TOE provides cryptography in support for TLS, which is used for remote administrative management, and secure communication among TOE components, and connects from the TOE to LDAP and syslog servers.  The cryptographic services provided by the TOE are described below.

During initial installation each TOE component generates its own unique self-signed X.509v3 certificate, and during initial configuration all those certificates are replaced with new CA-signed identity certificates which are then used for all TLS connections including mutual authentication of TLS connections among TOE components.  Each TOE component generates its own unique keypair and its own certificate signing requests (CSR), and imports TLS certificates that have been signed by an external CA server.

Identification and authentication:

TOE components perform two types of authentication: password-based authentication of administrators for remote administration of the TOE; and certificate-based authentication of devices.  Device-level authentication allows TOE components to establish secure channels with other TOE components, and with external servers (LDAP and syslog).

The TOE provides administrator authentication against a local user database.  Password-based authentication can be performed on the serial console, and the GUI (accessible via HTTPS/TLS).  For authentication to the GUI, the TOE optionally supports use of a AAA server (using LDAP over TLS), which would be outside the TOE boundary.

The TOE requires Authorized Administrators to authenticate prior to being granted access to any of the management functionality.  The TOE can be configured to require a minimum password length of 15 characters.

After a configurable number of incorrect login attempts at administrative interfaces where authentication is processed locally (i.e. where LDAP is not used), the TOE will lock the offending account until an Administrator defined time period has elapsed.

Security management:

The TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE.  All TOE administration occurs either through a secure HTTPS/TLS session or via a local console connection.  The TOE provides the ability to securely manage all TOE administrative users; all identification and authentication; all audit functionality of the TOE; all TOE cryptographic functionality; the timestamps maintained by the TOE; and updates to the TOE.

When an administrative session is initially established, the TOE displays an administrator- configurable warning banner.  This is used to provide any information deemed necessary by the administrator.  After a set amount of time of inactivity, the administrator will be locked out of the administrator interface.

Protection of the TSF:

The TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and access controls to limit configuration to Authorized Administrators.  The TOE prevents reading of plaintext cryptographic keys and passwords.

The TOE internally maintains the date and time.  This date and time is used as the timestamp that is applied to audit records generated by the TOE.  Administrators can update the TOE’s clock manually.

The TOE is able to verify any software updates prior to the software updates being installed on the TOE to avoid the installation of unauthorized software.  The TOE performs self-testing to verify correct operation of its cryptographic module.  The TOE components are not general-purpose operating systems; root access is not permitted, external software applications cannot be installed, and access to memory space is restricted to TOE functions.

The TOE is distributed, including multiple appliances that communicate with each other over a network.  These internal TOE communications between TOE components are protected within TLS, and authenticated using X.509 certificates.

TOE access:

The TOE can terminate inactive sessions after an Authorized Administrator configurable time-period.  Once a session has been terminated the TOE requires the user to re-authenticate to establish a new session.

The TOE can also display an Authorized Administrator specified banner on the CLI management interface and the WebUI prior to allowing any administrative access to the TOE.

Trusted path/channels:

The TOE establishes a trusted path with syslog servers using TLS, and with LDAP servers using TLS.  Remote administration of the TOE uses TLS/HTTPS.  All communications between TOE components are protected within TLS; the initial joining of TOE components is authenticated using a username and password that’s manually entered during the joining process, and subsequent communications between TOE components are automatically authenticated using X.509 certificates.

Vendor Information