Fidelis Network and Deception monitors network traffic for malicious content coming into the network (intrusion) and for sensitive and secure data leaving the network (extrusion). It operates continuously, observing network traffic as it is perceived on the attached networks. Traffic observed by a Fidelis Network sensor is reassembled into sessions, protocols and applications are identified, and contents are analyzed in order to determine if they contain inappropriate data, based on configured policy rules. When inappropriate content is identified, the sensor takes action as defined by the rule that was triggered, such as alert, prevent, throttle, quarantine, reroute, or whitelist. A rule may invoke several actions for a single violation.
\r\nThe focus of the evaluation was on functionality meeting the requirements specified in collaborative Protection Profile for Network Devices, Version 2.2e, including: protection of communications between TOE components and between the TOE and trusted external IT entities; identification and authentication of administrators; auditing of security-relevant events; verification of the source and integrity of updates to the TOE; and use of approved cryptographic mechanisms.
","evaluation_configuration":"The Fidelis Network and Deception Target of Evaluation (TOE) is a combination of the following Fidelis components in a distributed deployment:
\r\n· Fidelis Network v9.3.3 CommandPost management console
\r\n· Fidelis Network Collector v9.3.3
\r\n· Fidelis Network Sensor component v9.3.3
\r\n· Fidelis Sandbox appliance v9.3.3
\r\n· Decoy Server appliance v9.3.3.
\r\nThe CommandPost, Collector, Sensor, and Decoy Server components are outlined in the following table:
\r\n| \r\n Component \r\n | \r\n\r\n Appliance Models (Revision J) \r\n | \r\n\r\n Virtual Models \r\n | \r\n
| \r\n CommandPost \r\n | \r\n\r\n CommandPost appliance \r\n | \r\n\r\n CommandPost VM \r\n | \r\n
| \r\n Collector \r\n | \r\n\r\n Collector SA2 \r\nCollector XA2 \r\nCollector XA4 \r\nCollector Controller 2 \r\nCollector Controller 10G \r\n | \r\n\r\n Collector SA VM \r\n | \r\n
| \r\n Sensor \r\n | \r\n\r\n Direct 50 \r\nDirect 100 \r\nDirect 250 \r\nDirect 500 \r\nDirect 1000 \r\nDirect 2500 \r\nDirect 5000 \r\nDirect 10G \r\n | \r\n\r\n Direct VM \r\n | \r\n
| \r\n \r\n | \r\n\r\n Internal 1000 \r\nInternal 2500 \r\nInternal 5000 \r\nInternal 10G \r\n | \r\n\r\n Internal VM \r\n | \r\n
| \r\n \r\n | \r\n\r\n Web \r\n | \r\n\r\n Web VM \r\n | \r\n
| \r\n \r\n | \r\n\r\n Mail 250 \r\nMail 500 \r\nMail 1000 \r\nMail 5000 \r\n | \r\n\r\n Mail VM 250 \r\nMail VM 500 \r\nMail VM 1000 \r\nMail VM 5000 \r\n | \r\n
| \r\n Decoy Server \r\n | \r\n\r\n Decoy Server \r\nFDH-3000 \r\nFDH-1000 \r\n | \r\n\r\n Decoy Server VM \r\n | \r\n
The Sandbox component is available in a single appliance form factor.
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the TOE was judged are described in Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is Common Methodology for Information Technology Security Evaluation, Version 3.1 revision 5. The product, when delivered and configured as described in the guidance documentation, satisfies all of the security functional requirements stated in the Fidelis Network v9.3.3 Security Target. The project underwent CCEVS validation team review. The evaluation was completed in March 2021. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
","environmental_strengths":"Security Audit
\r\nThe TOE generates audit records of security relevant events. Generated audit records include the date and time of the event, the event type, the subject identity and the outcome of the event. For audit events resulting from the actions of identified users, the identity of the user is recorded in the generated audit record. The TOE can be configured to store audit records locally on the CommandPost appliance so they can be accessed by an administrator and can also be configured to export the audit records to an external audit server.
\r\nCryptographic Support
\r\nThe TOE is operated in FIPS mode and includes an OpenSSL cryptographic module with CAVP approved algorithms. The module provides key management, random bit generation, encryption/decryption, digital signature and cryptographic hashing and keyed-hash message authentication features in support of higher level cryptographic protocols, including TLS and HTTPs.
\r\nCommunication
\r\nThe TOE is deployed as a distributed configuration. Initial configuration for each of the appliances is performed by directly attaching a keyboard and monitor to the appliance. The System Setup is used to set network parameters and certificate files. After initial configuration and connection of each appliance to the network, the administrator adds each appliance to CommandPost to register them. After registration, CommandPost communicates to each newly registered appliance at its configured IP address using TLS.
\r\nIdentification and Authentication
\r\nThe TOE requires users (i.e., administrators) to be successfully identified and authenticated before they can access any security management functions available in the TOE. Administrators manage the TOE remotely using the CommandPost web-based GUI accessed via HTTPS or locally using the CLI by a directly connected USB keyboard and a monitor to the appliance VGA connector. The TOE supports the local (i.e., on device) definition of administrators with usernames and passwords on all of the TOE components. Additionally, the TOE can be configured to authenticate remote administrators to use the services of trusted LDAP servers in the operational environment..
\r\nThe TOE can detect when a configurable number of failed remote authentication attempts has been made. When the configured number of unsuccessful authentication attempts has been reached, the remote administrator is locked out until a local administrator resets the password. If all remote administrators are locked out, the CommandPost can be accessed by the default admin account, thus preventing any condition where no administrator access is available.
\r\nThe TOE supports the local (i.e., on device) definition of administrators with usernames and passwords. Passwords can be composed of any combination of upper and lower case letters, numbers, and the following special characters: “!”, “@”, “#”, “$”, “%”, “^”, “&”, “*”, “(“, “)”, blank space, “~”, “`”, “_”, “+”, “-“, “=”, “{“, “}”, “|”, “[“, “]”, “:”, “;”, “<”, “>”, and “/”. The administrator can configure a minimum password length, which can be set to any length from 1 to 999 characters including 15.
\r\nSecurity Management
\r\nAdministrators manage the TOE remotely using the CommandPost web-based GUI accessed via HTTPS or locally through the Command Line Interface using a keyboard and a monitor directly connected to the appliance’s VGA connector.
\r\nThe TOE also provides the ability to manage the TOE locally using the CLI by directly attaching a keyboard and monitor to the appliance. However, the TOE is designed to be managed using the CommandPost GUI from a remote HTTPS/TLS client. Following the initial configuration, all changes should be performed by an authorized user from CommandPost. The TOE provides the System Administrator role which corresponds to the [CPP_ND_V2.2E] Security Administrator.
\r\nProtection of the TSF
\r\nIn the distributed deployment, the TOE protects communication between its components using HTTPS/TLS.
\r\nThe TOE protects sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. The TOE includes a hardware-based real-time clock that in conjunction with an NTP server in the operational environment ensures that reliable time information is available (e.g., for log accountability).
\r\nThe TOE includes a suite of power on self-tests that confirm the integrity of the TOE software and demonstrate correct operation of the TOE at start up.
\r\nThe TOE verifies the integrity of updates to the TOE’s software and firmware prior to installation by calculating a cryptographic hash of the update and allowing the administrator to confirm its correctness against a hash value published by Fidelis.
\r\nTOE Access
\r\nThe TOE can be configured to display an administrator-defined advisory banner before establishing an administrative user session and to terminate both local and remote interactive sessions after a configurable period of inactivity. It also provides users the capability to terminate their own interactive sessions.
\r\nTrusted Path/Channels
\r\nThe TOE protects interactive communication with remote administrators using HTTPS.
\r\nThe TOE uses TLS v1.2 to protect communications with the following external IT entities: audit server; authentication server; Fidelis Insight Server.
","features":[]}