Compliant Product - Forcepoint NGFW 6.5
Certificate Date: 2019.10.28CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID10995-2019
Product Type: Firewall
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Stateful Traffic Filter Firewalls Version 2.0 + Errata 20180314
CC Testing Lab: Gossamer Security Solutions
The Forcepoint Next Generation Firewall is a stateful packet filtering firewall. The Forcepoint Next Generation Firewall (NGFW) system is composed of two physical appliances: the NGFW Engine and the Security Management Center (SMC) Appliance. The NGFW Engine controls connectivity and information flow between internal and external connected networks. The SMC Appliance provides administrative functionality supporting the configuration and operation of NGFW Engines.
The NGFW Engine controls connectivity and information flow between internal and external connected networks. The NGFW Engine also provides a means to keep the internal host’s IP-address private from external users. The NGFW Engine is intended to be used as a network perimeter security gateway that provides a controlled connection.
Forcepoint NGFW 6.5 consists of:
Forcepoint NGFW Security Management Center (SMC) Appliance running software version 6.5.7:
· Appliance SMC 1000 G2
Forcepoint NGFW Engine running software version 6.5.4 and including the following models:
· Desktop models: 330, 335
· 1U models: 1101, 1105, 2101, 2105,
· 2U models: 3301, 3305
· 4U model: 6205
· Virtual model: ESXi 6.5 on Dell PowerEdge R440
Security Evaluation Summary
The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the Forcepoint Forcepoint NGFW Common Criteria Evaluated Configuration Guide 6.5.4, Rev D document, satisfies all of the security functional requirements stated in the Forcepoint NGFW 6.5 (FWcPP20E) Security Target, Version 1.5, 10/07/2019. The project underwent CCEVS Validator review. The evaluation was completed in October 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The logical boundaries of the TOE are realized in the security functions that it implements. Each of these security functions is summarized below.
The TOE generates audit events for numerous activities including policy enforcement, system management and authentication. A syslog server in the environment is relied on to store audit records generated by the TOE. The TOE generates a complete audit record including the IP address of the TOE, the event details, and the time the event occurred. The time stamp is provided by the TOE’s Linux-based operating system in conjunction with the appliance hardware. When the syslog server writes the audit record to the audit trail, it applies its own time stamp, placing the entire TOE-generated syslog protocol message MSG contents into an encapsulating syslog record.
The TOE is a distributed solution consisting of the Security Management Center and NGFW Engines. The Security Management Center can manage one or more NGFW Engines. The TOE uses a registration process to join Engines to an SMC.
Because the TOE consists of distributed components, each physical component of the TOE must be considered when discussing the TOE cryptographic support. Both types of components (the SMC and its Engines) of the TOE utilize cryptography to verify trusted updates, for TLS protected management communications between the SMC and its Engines, and the SMC uses cryptography to support its use of the TLS protocol to protect network communications with external IT entities.
The TOE provides an information flow control mechanism using a rule base that comprises a set of security policy rules, i.e., the firewall security policy. The NGFW Engine enforces the firewall security policy on all traffic that passes through the engine, via its internal or external network Ethernet interfaces.
Identification and authentication:
The TOE requires users to be identified and authenticated before they can use functions mediated by the TOE, with the exception of reading the login banner, and performing firewall packet filtering operations. The TOE authenticates administrative users. In order for an administrative user to access the TOE, a user account including a user name and password must be created for the user.
Security management commands are limited to authorized users (i.e., administrators) and available only after they have provided acceptable user identification and authentication data to the TOE. Administrators access the TOE remotely using a TLS protected communication channel between the Management Server and the Client GUI (which runs on a workstation in the IT environment). Administrators can also access the TOE via a local console which provides limited functionality.
Protection of the TSF:
The TOE provides a variety of means of protecting itself. The TOE performs self-tests that cover the correct operation of the TOE. It provides functions necessary to securely update the TOE. It’s Linux-based operating system utilizes a hardware clock to ensure reliable timestamps. It protects sensitive data such as stored passwords and cryptographic keys so that they are not accessible through the TOE, even to a Security Administrator. The TOE also utilizes a dedicated, local network for communications between the TOE’s components.
The TOE can be configured to display a logon banner before a user session is established. The TOE also enforces inactivity timeouts for local and remote sessions.
The TOE protects interactive communication with administrators using TLS for GUI access, ensuring both integrity and disclosure protection. If the negotiation of an encrypted session fails, the attempted connection will not be established.
The TOE protects communication with network peers, such as an external syslog server, using TLS connections to prevent unintended disclosure or modification of logs.
The TOE protects communications between distributed components using a TLS-based trusted channel. The TOE uses TLS while registering new Engines with the SMC and once registered, the Engine and SMC use mutually-authenticated TLS to protect management communications.