CC Certificate 

Security Target 

Validation Report 

Assurance Activity 

Administrative Guide 

Administrative Guide 

Administrative Guide 

The Forescout platform is used to dynamically identify and evaluate network infrastructure, devices and applications connected to the network, and provide enforcement of Network Access Policy (NAC) and Enterprise Conformance Policies.

The Target of Evaluation (TOE) is the Forescout hardware that runs the Forescout software version 8.3. The TOE is a family of products, which includes the following appliance models: CT-R, CT-100, CT-1000, CT-2000, CT-4000, CT-10000, CEM-5, CEM-10, CEM-25, CEM-50, CEM-100, CEM-150, CEM-200, 4130, 5110, 5120, 5140, and 5160.

In its evaluated configuration, the TOE is configured to directly communicate with the following environment components:

• Management Workstation: Any general-purpose computer that is used by a Security Administrator to manage the TOE. The TOE can be managed remotely, in which case the management workstation requires an SSH client to access the CLI or the Forescout Console GUI application installed on a Windows platform.
• Active Directory (AD) Server: A system that is capable of receiving authentication requests using LDAP over TLS and validating these requests against identity and credential data that is defined in an LDAP directory. In the evaluated configuration, the TOE connects to a server with Microsoft Active Directory for its remote authentication store.
• Audit Server: The TOE connects to an Audit Server (a.k.a. Syslog Server) to send Syslog messages for remote storage via TLS connection where the TOE is the TLS client. This is used to send copies of audit data to be stored in a remote location for data redundancy purposes.
• OCSP Responder: A server deployed within the Operational Environment which confirms the validity and revocation status of certificates
• Network Infrastructure: The network infrastructure contains components such as routers, switches, DNS server, etc.

Additionally, the following environment component was required for trusted update functionality:

• Update Server: A general-purpose computer controlled by the vendor that includes a web server and is used to store software update packages that can be retrieved by product customers using HTTPS/TLS enabled browser or Console. The host of the Forescout Console application provides the secure channel and not the TOE. The TOE does not directly communicate with the update server. The TOE receives the update from the Forescout Console.

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Forescout was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 5. The product, when installed and configured per the instructions provided in the preparative guidance, satisfies all of the security functional requirements stated in the Forescout v8.3 Security Target Version 2.0. The evaluation underwent CCEVS Validator review. The evaluation was completed in August 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report, CCEVS-VR-VID11279-2022 prepared by CCEVS.

Security Audit

The TOE contains mechanisms to generate audit data to record predefined events on the TOE. The audit logs are stored in an internal database on the TOE’s local hard drive. An authorized administrator has the ability to enable/disable the forwarding of events to an audit server. In the evaluated configuration, the audit data is also securely transmitted to the audit server using a TLS v1.2 communication channel.

Cryptographic Support

The TOE provides cryptography in support of SSH and TLS (v1.2) trusted communications. Two different cryptography software packages are included with the TOE: Bouncy Castle and OpenSSL. Bouncy Castle is used specifically for communications with the management workstation running the Console. OpenSSL is used for all other TLS and SSH communications. The TOE immediately destroys keys when no longer used. The following table identifies the cryptographic services per cryptographic library.

The cryptographic implementation has been validated to ensure that the algorithms are appropriately strong for use in trusted communications: OpenSSL: C1887 and A1941 and Bouncy Castle: C944 and A1959.

Identification and Authentication

The TSF provides a configurable number of maximum consecutive authentication failures that are permitted by a user. Once this number has been met, the account is locked for a configurable time interval or until a Security Administrator manually unlocks the account.

The TOE provides local password authentication for CLI and Console users as well as providing the ability to securely connect to an Active Directory server for the authentication of Console users. Communications over this interface is secured using TLS in which the TOE is acting as a client. The TOE enforces the use of X.509 certificates to support authentication for TLS connections. The only function available to an unauthenticated user is the ability to acknowledge a warning banner. Passwords that are maintained by the TSF can be composed of upper case, lower case, numbers and special characters. A Security Administrator can define the minimum password length between 15 and 30 characters.

Security Management

The TOE can be administered locally and remotely and uses role-based access control to prevent unauthorized management and access to TSF data. The TOE maintains the role of Security Administrator which is fulfilled by users with the “cliadmin” role for the CLI interfaces and by users with the Administrator role (default account “admin”) for the Console interface.

Protection of the TSF

The TOE is expected to ensure the security and integrity of all data that is stored locally and accessed remotely. Passwords are not stored in plaintext. The TOE does not support automatic updates. An administrator has the ability to query the TOE for the currently executing version the TOE software and is required to manually initiate the update process from the Console. The TOE automatically verifies the digital signature of the software update prior to installation. If the digital signature is found to be invalid for any reason the update is not installed. If the signature is deemed invalid, the administrator will be provided a warning banner. There is no means for an administrative override to continue the installation if the signature is completely missing. The TOE implements a self-testing mechanism that is automatically executed during the initial start-up and can be manually initiated by an administrator after authentication, to verify the correct operation of product and cryptographic modules. The TOE provides its own time via its internal clock.

TOE Access

The TOE displays a configurable warning banner prior to its use. Inactive sessions will be terminated after an administrator-configurable time period. Users are allowed to terminate their own interactive session. Once a remote session has been terminated the TOE requires the user to re-authenticate to establish a new session. Local and remote sessions are terminated after the administrator configured inactivity time limit is reached.

Trusted Path/Channels

Users can access a CLI for administration functions remotely via SSH (remote console) or a local physical connection (local console) to the TOE. The TOE provides the SSH server functionality. The Console is the main administrator interface, which is running on a separate Windows PC and requires the use of TLS to communicate with the TOE.

The TOE acts as a TLS client to initiate the following secure paths to

• User authentication (Active Directory)
• Auditing (audit server)

The TOE acts as a TLS server and receives requests to establish the following secure paths from:

• Forescout Console

Vendor Information