Compliant Product - Forcepoint NGFW 6.10.9
Certificate Date: 2023.04.24CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID11343-2023
Product Type: Network Device
Virtual Private Network
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
collaborative Protection Profile Module for Stateful Traffic Filter Firewalls v1.4 + Errata 20200625
PP-Module for Virtual Private Network (VPN) Gateways Version 1.2
CC Testing Lab: Gossamer Security Solutions
Administrative Guide: Common Criteria Evaluated Configuration Guide
Administrative Guide: Installation Guide
Administrative Guide: Product Guide
Administrative Guide: How to install Forcepoint NGFW in FIPS mode
The Forcepoint Next Generation Firewall (NGFW) is a stateful packet filtering firewall and VPN gateway. The NGFW system is composed of the NGFW Engine (a physical or virtual appliance) and the Virtual Security Management Center (SMC). The NGFW Engine controls connectivity and information flow between internal and external connected networks. The Virtual SMC Appliance provides administrative functionality supporting the configuration and operation of NGFW Engines. Throughout the remainder of this document, references to the NGFW Engine are meant to reference the TOE’s firewall engine, while references to the NGFW are meant to refer to the TOE as a whole.
The NGFW Engine controls connectivity and information flow between internal and external connected networks. The NGFW Engine also provides a means to keep the internal host’s IP-address private from external users. The NGFW Engine is intended to be used as a network perimeter security gateway that provides a controlled connection.
The NGFW Engine provides VPN gateway capabilities, allowing the Engine to use IKE/IPsec to protect traffic exchanged with remote peer gateways (for a site-to-site VPN configuration) and with VPN clients.
The NGFW is assumed to be installed and operated within a physically protected environment, administered by trusted and trained administrators over a trusted and separate management network. Multiple installations of the NGFW Engine may be used in combination to provide a company with an overall network topology.
The NGFW Engine contains a hardened Linux operating system (with a 4.19 kernel) executing on a single or multi-processor Forcepoint hardware platform.
The Virtual SMC Appliance (or SMC) contains the Management Server and Log Server. Like the NGFW Engine, the SMC contains a hardened Linux-based operating system (which uses a 4.18 kernel) to support the management capabilities and allow for the operation and configuration of firewall engines.
The TOE is Forcepoint NGFW 6.10.9 which consists of:
· Forcepoint NGFW Security Management Center (SMC) Virtual Appliance running software version 6.10.9 on ESXi 7.0.
· Forcepoint NGFW Engine running software version 6.10.9 and includes the following models:
o Desktop models: N120, N120W, N120WL, N120L, N60, N60L
o 1U models: 2201, 2205, 2210
o 2U models: 3401, 3405, 3410
o Virtual model: ESXi 7.0
Security Evaluation Summary
The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017. The product, when delivered and configured as identified in the Forcepoint Next Generation Firewall 6.10 Common Criteria Evaluated Configuration Guide Revision C document, satisfies all of the security functional requirements stated in the Forcepoint NGFW 6.10.9 Security Target, Version 0.5, April 14, 2023. The project underwent CCEVS Validator review. The evaluation was completed in April 2023. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID11343-2023) prepared by CCEVS.
The logical boundaries of the NGFW are realized in the security functions that it implements. Each of these security functions is summarized below.
The TOE generates audit events for numerous activities including policy enforcement, system management and authentication. A syslog server in the environment is relied on to store audit records generated by the TOE. The TOE generates a complete audit record including the IP address of the TOE, the event details, and the time the event occurred. The time stamp is provided by the TOE’s Linux-based operating system in conjunction with the appliance hardware. When the syslog server writes the audit record to the audit trail, it applies its own time stamp, placing the entire TOE-generated syslog protocol message MSG contents into an encapsulating syslog record.
The TOE is a distributed solution consisting of the SMC and NGFW Engines. The SMC can manage one or more NGFW Engines. The TOE uses a registration process to join Engines to an SMC.
Because the TOE consists of distributed components, each physical component of the TOE must be considered when discussing the TOE cryptographic support. Both types of components (the SMC and its Engines) of the TOE utilize cryptography to verify trusted updates, for TLS protected management communications between the SMC and its Engines, and the SMC uses cryptography to support its use of the TLS protocol to protect network communications with external IT entities. Additionally, the TOE provides the ability to synchronize its time with a NTP server using NTPv4. The time data is protected by a SHA1 message digest.
User data protection:
The TOE ensures that all information flows from the TOE do not contain residual information from previous traffic. New packet data is used to overwrite any previous data in a buffer and any additional buffer space is padded with zeros before the packet is forwarded. Residual data is never transmitted from the TOE.
The TOE provides an information flow control mechanism using a rule base that comprises a set of security policy rules, i.e., the firewall security policy. The NGFW Engine enforces the firewall security policy on all traffic that passes through the engine, via its internal or external network Ethernet interfaces.
Identification and authentication:
The TOE requires users to be identified and authenticated before they can use functions mediated by the TOE, with the exception of reading the login banner, and performing firewall packet filtering operations. The TOE authenticates administrative users. In order for an administrative user to access the TOE, a user account including a user name and password must be created for the user.
The TOE supports X509v3 certificate validation during negotiation of TLS protected syslog and for secure communications between distributed TOE components (SMC and NGFW Engine). Certificates are validated as part of the authentication process when they are presented to the TOE and when they are loaded into the TOE.
Security management commands are limited to authorized users (i.e., administrators) and available only after they have provided acceptable user identification and authentication data to the TOE. Administrators access the TOE remotely using a TLS protected communication channel between the Management Server and the Client GUI (which runs on a workstation in the IT environment or in a web browser). Administrators can also access the TOE via a local console which provides limited functionality.
Please see the Firewall Section for a description of the TOE’s packet filtering mechanism.
Protection of the TSF:
The TOE provides a variety of means of protecting itself. The TOE performs self-tests that cover the correct operation of the TOE. It provides functions necessary to securely update the TOE. Its Linux-based operating system utilizes a hardware clock to ensure reliable timestamps. It protects sensitive data such as stored passwords and cryptographic keys so that they are not accessible through the TOE, even to a Security Administrator.
The TOE can be configured to display a logon banner before a user session is established. The TOE also enforces inactivity timeouts for local and remote sessions.
The TOE protects interactive communication with administrators using TLS for GUI access, ensuring both integrity and disclosure protection. If the negotiation of an encrypted session fails, the attempted connection will not be established.
The TOE protects communication with network peers, such as an external syslog server, using TLS connections to prevent unintended disclosure or modification of logs.
The TOE protects communications between distributed components using a TLS-based trusted channel. The TOE uses a distinct TLS channel while registering new Engines with the SMC and once registered, the Engine and SMC communication is replaced with a different mutually-authenticated TLS channel to protect management communications.
Mutual authentication using client-side x.509v3 certificates is supported by the SMC TLS client for syslog over TLS and for the TLS communication between the distributed TOE components.