The TOE consists of hardware and software that provide connectivity and security services onto multiple secure devices. The TOE is comprised of both software and hardware. The TOE appliances are comprised of the following: Cisco Secure Firewall 4200 Series (4215, 4225 and 4245) and Firewall Management Center (FMC) (FMC1600, FMC2600, FMC4600, FMC1700, FMC2700, FMC4700 and FMCv). The software is comprised of the FTD software image Release 7.4 and FMC (or FMCv) version 7.4.
\r\nFor firewall service, the TOE provides application-aware stateful packet filtering firewalls. A stateful packet filtering firewall controls the flow of IP traffic by matching information contained in the headers of connection-oriented or connection-less IP packets against a set of rules specified by the authorized administrator for firewalls. This header information includes source and destination host (IP) addresses, source and destination port numbers, and the transport service application protocol (TSAP) held within the data field of the IP packet. Depending upon the rule and the results of the match, the firewall either passes or drops the packet. The stateful firewall remembers the state of the connection from information gleaned from prior packets flowing on the connection and uses it to regulate current packets. The packet will be denied if the security policy is violated.
\r\nIn addition to IP header information, the TOE mediates information flows on the basis of other information, such as the direction (incoming or outgoing) of the packet on any given firewall network interface. For connection-oriented transport services, the firewall either permits connections and subsequent packets for the connection or denies the connection and subsequent packets associated with the connection.
\r\nThe application-inspection capabilities automate the network to treat traffic according to detailed policies based not only on port, state, and addressing information, but also on application information buried deep within the packet header. By comparing this deep-packet inspection information with corporate policies, the firewall will allow or block certain traffic. For example, it will automatically drop application traffic attempting to gain entry to the network through an open port-even if it appears to be legitimate at the user and connection levels-if a business's corporate policy prohibits that application type from being on the network.
\r\nThe TOE provides intrusion prevention system (IPS) capabilities by combining the security of a Next Generation IPS (NGIPS) with the power of access control, malware protection, and URL/IP filtering (Block List/Do Not Block List) known as Security Intelligence. The TOE monitors incoming and outgoing network traffic and performs real-time traffic analysis and logging using the industry-leading Snort® engine. All packets on the monitored network are scanned, decoded, preprocessed and compared against a set of rules to determine whether inappropriate traffic, such as system attacks, is being sent over the network. The system generates alerts or blocks the traffic when deviations of the expected network behavior are detected or when there is a match to a known attack pattern.
\r\nThe TOE also provides IPsec connection capabilities. All references within this ST to “VPN” connectivity refer to the use of IPsec tunnels to secure connectivity to and/or from the TOE, for example, gateway-to-gateway[1] VPN or remote access VPN.
\r\n","evaluation_configuration":"The TOE consists of at least one Cisco Secure Firewall device (Cisco Secure Firewall 4200 series) running the FTD software and one or more physical FMC devices running the FMC software or virtual devices running FMCv software. The TOE includes the following models:
\r\n| \r\n TOE Configuration \r\n | \r\n\r\n Software Version \r\n | \r\n
| \r\n FP 4215 \r\nFP 4225 \r\nFP 4245 \r\n | \r\n\r\n FTD v7.4 \r\n | \r\n
| \r\n FMC1600 \r\nFMC2600 \r\nFMC4600 \r\nFMC1700 \r\nFMC2700 \r\nFMC4700 \r\n\r\n | \r\n\r\n FMC v7.4 \r\n | \r\n
| \r\n FMCv running on ESXi 7.0 on the Unified Computing System (UCS) UCSC-C220-M5, UCSC-C240-M5, UCSC-C480-M5, UCSC-C220-M6, UCSC-C225-M6, UCSC-C240-M6, UCSC-C220-M7, UCSC-C240-M7and UCS-E1100D-M6 \r\n | \r\n\r\n FMCv v7.4 \r\n | \r\n
The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the Cisco FTD v7.4 with FMC/FMCv Common Criteria Supplement User Guide, Version 1.0, January 22, 2025 and the Cisco FTD v7.4 with FMC/FMCv Common Criteria Supplemental User Guide & VPN Functionality, Version 0.4, November 22, 2024 documents, satisfies all of the security functional requirements stated in the Cisco FTD v7.4 on Cisco Secure Firewall 4200 Series with FMC/FMCv Security Target, Version 1.0, January 29, 2025. The project underwent CCEVS Validator review. The evaluation was completed in February 2025. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11460-2025) prepared by CCEVS.
","environmental_strengths":"The logical boundaries of the Cisco FTD 7.4 on Cisco Secure Firewall 4200 Series with FMC and FMCv are realized in the security functions that it implements. Each of these security functions is summarized below.
\r\n\r\n
Security audit:
\r\nThe TOE provides extensive auditing capabilities. The TOE can audit events related to cryptographic functionality, identification and authentication, and administrative actions. The TOE generates an audit record for each auditable event. The administrator configures auditable events, performs back-up operations, and manages audit data storage. The TOE provides the administrator with a circular audit trail where the TOE overwrites the oldest audit record with the newest audit record when space is full. Audit logs are backed up over an encrypted channel to an external audit server.
\r\nCommunication:
\r\nThe TOE allows authorized administrators to control which FTD device is managed by the FMC. This is performed through a registration process over TLS. The administrator can also de-register a FTD device if he or she wish to no longer manage it through the FMC.
\r\nCryptographic support:
\r\nThe TOE provides cryptography in support of other TOE security functionality. The TOE provides cryptography in support of secure connections using IPsec and TLS, and remote administrative management via SSHv2 and TLS/HTTPS. The cryptographic random bit generators (RBGs) are seeded by an entropy noise source.
\r\nUser Data Protection:
\r\nThe TOE ensures that all information flows from the TOE do not contain residual information from previous traffic. Packets are padded with zeros. Residual data is never transmitted from the TOE.
\r\nIdentification and authentication:
\r\nThe TOE performs two types of authentications: device-level authentication of the remote device (VPN peers) and user authentication for the authorized administrator of the TOE or for IPsec VPN clients. Device-level authentication allows the TOE to establish a secure channel with a trusted peer. The secure channel is established only after each device authenticates the other. Device-level authentication is performed via IKE/IPsec X509v3 certificate-based authentication while user-level authentication from IPsec VPN clients uses certificate-based authentication (all IPsec VPN sessions are terminated at the FTD, not the FMC/FMCv).
\r\nThe TOE provides authentication services for administrative users wishing to connect to the TOEs secure CLI and GUI administrator interfaces. The TOE requires authorized administrators to authenticate prior to being granted access to any of the management functionality. The TOE can be configured to require a minimum password length between 1 and 127 characters for FTD and 8 and 127 characters for FMC as well as mandatory password complexity rules. The TOE also implements a lockout mechanism when the number of unsuccessful authentication attempts exceeds the configured threshold.
\r\nThe TOE provides administrator authentication against a local user database. Password-based authentication can be performed on the serial console or SSH and HTTPS interfaces. The SSHv2 interface also supports authentication using SSH keys.
\r\nSecurity management:
\r\nThe TOE provides secure administrative services for management of general TOE configuration and the security functionality provided by the TOE. All TOE administration occurs either through a secure SSHv2 or TLS/HTTPS session, or via a local console connection. Optionally, the FTD component also supports tunneling the SSH connections in IPsec VPN tunnels (peer-to-peer, or remote VPN client). Management of all security functions can be performed via the FMC/FMCv component of the TOE, while a subset of management functions can be performed on the FTD component. The TOE provides the ability to securely manage all TOE administrative users; all identification and authentication; all audit functionality of the TOE; all TOE cryptographic functionality; the timestamps maintained by the TOE; and the information flow control policies enforced by the TOE including encryption/decryption of information flows for VPNs. The TOE supports an “authorized administrator” role, which equates to any account authenticated to an administrative interface (CLI or GUI, but not VPN), and possessing sufficient privileges to perform security-relevant administrative actions.
\r\nWhen an administrative session is initially established, the TOE displays an administrator- configurable warning banner. This is used to provide any information deemed necessary by the administrator. After a configurable period of inactivity, administrative sessions will be terminated, requiring administrators to re-authenticate.
\r\nProtection of the TSF:
\r\nThe TOE protects against interference and tampering by untrusted subjects by implementing identification, authentication, and administrator roles to limit configuration to authorized administrators. The TOE prevents reading of cryptographic keys and passwords.
\r\nAdditionally, the TOE is not a general-purpose operating system and access to the TOE memory space is restricted to only TOE functions.
\r\nThe TOE internally maintains the date and time. This date and time are used as the timestamp that is applied to audit records generated by the TOE. Administrators can update the TOE’s clock manually via FMC. Additionally, the TOE performs testing to verify correct operation of the appliance itself and that of the cryptographic module. Whenever any system failures occur within the TOE the TOE will cease operation.
\r\nThe TOE provides the ability to manually upgrade firmware/software for security administrators. Administrators can query the current executing version of the TOE’s firmware/software and the most recently installed version via the FMC Web UI.
\r\nTOE access:
\r\nWhen an administrative session is initially established, the TOE displays an administrator- configurable warning banner. This is used to provide any information deemed necessary by the administrator. After a configurable period of inactivity, administrator and VPN client sessions will be terminated, requiring re-authentication. The TOE also supports direct connections from VPN clients, and protects against threats related to those client connections. The TOE disconnects sessions that have been idle too long, and can be configured to deny sessions based on IP, time, and day, and to NAT external IPs of connecting VPN clients to internal network addresses.
\r\nTrusted path/channels:
\r\nThe TOE supports establishing trusted paths between itself and remote administrators using SSHv2 for CLI access on the FTD and FMC and TLS/HTTPS for web UI access on the FMC. The TOE supports use of TLS and/or IPsec for connections with remote syslog servers. The TOE can establish trusted paths of peer-to-peer VPN tunnels using IPsec, and VPN client tunnels using IPsec. Note that the VPN client is in the operational environment.
\r\nFiltering:
\r\nThe TOE provides stateful traffic firewall functionality including IP address-based filtering (for IPv4 and IPv6) to address the issues associated with unauthorized disclosure of information, inappropriate access to services, misuse of services, disruption or denial of services, and network-based reconnaissance. Address filtering can be configured to restrict the flow of network traffic between protected networks and other attached networks based on source and/or destination IP addresses. Port filtering can be configured to restrict the flow of network traffic between protected networks and other attached networks based on the originating (source) and/or receiving (destination) port (service). Stateful packet inspection is used to aid in the performance of packet flow through the TOE and to ensure that only packets are only forwarded when they’re part of a properly established session. The TOE supports protocols that can spawn additional sessions in accordance with the protocol RFCs where a new connection will be implicitly permitted when properly initiated by an explicitly permitted session. The File Transfer Protocol is an example of such a protocol, where a data connection is created as needed in response to an explicitly allowed command connection. System monitoring functionality includes the ability to generate audit messages for any explicitly defined (permitted or denied) traffic flow. TOE administrators have the ability to configure permitted and denied traffic flows, including adjusting the sequence in which flow control rules will be applied, and to apply rules to any network interface of the TOE.
\r\nThe TOE also provides packet filtering and secure IPsec tunneling. The tunnels can be established between two trusted VPN peers as well as between remote VPN clients and the TOE. More accurately, these tunnels are sets of security associations (SAs). The SAs define the protocols and algorithms to be applied to sensitive packets and specify the keying material to be used. SAs are unidirectional and are established per the ESP security protocol. An authorized administrator can define the traffic that needs to be protected via IPsec by configuring access lists (permit, deny, log) and applying these access lists to interfaces using VPN policies.
\r\nIntrusion prevention system:
\r\nThe TOE provides intrusion policies consisting of rules and configurations invoked by the access control policy. The intrusion policies are the last line of defense before the traffic is allowed to its destination. All traffic permitted by the access control policy is then inspected by the designated intrusion policy. Using intrusion rules and other preprocessor settings, these policies inspect traffic for security violations and, in inline deployments, can block or alter malicious traffic.
\r\nIf the vendor-provided intrusion policies do not fully address the security needs of the organization, custom policies can improve the performance of the system in the environment and can provide a focused view of the malicious traffic and policy violations occurring on the network. By creating and tuning custom policies, the administrators can configure, at a very granular level, how the system processes and inspects the traffic on the network for intrusions.
\r\nUsing Security Intelligence, the administrators can blocklist—deny traffic to and from—specific IP addresses, URLs, and DNS domain names, before the traffic is subjected to analysis by the access control rules. Optionally, the administrators can use a “monitor-only” setting for Security Intelligence filtering.
","features":[{"id":737,"feature_name":"Asymmetric Key Generation"},{"id":732,"feature_name":"Auditing"},{"id":755,"feature_name":"Certificate Authentication"},{"id":742,"feature_name":"Certificate Validation"},{"id":740,"feature_name":"Cryptographic Hashing"},{"id":738,"feature_name":"Cryptographic Key Establishment"},{"id":739,"feature_name":"Cryptographic Signature Verification"},{"id":736,"feature_name":"DRBG"},{"id":759,"feature_name":"Firewall"},{"id":749,"feature_name":"HTTPS Client"},{"id":757,"feature_name":"IKEv2"},{"id":761,"feature_name":"Intrusion Prevention"},{"id":752,"feature_name":"IPsec"},{"id":734,"feature_name":"Key Destruction"},{"id":745,"feature_name":"SSH Server"},{"id":758,"feature_name":"TLS 1.2"},{"id":744,"feature_name":"TLS Client"},{"id":743,"feature_name":"TLS Server with Mutual Authentication"},{"id":762,"feature_name":"VPN Gateway"}]}