Common Criteria NDcPP Assurance Activity Report FireEye HX Series


Danielle Canoles
Issued by Acumen Security

Revision History:

| Version | Date | Changes |
|---|---|---|
| Version 1.0 | June 2018 | Initial Release |
| Version 1.1 | July 2018 | Updated based on ECR comments |
| Version 1.2 | July 2018 | Updated based on ECR comments |

FireEye HX Series Appliances ST Version 1.2, July 2018
Collaborative Protection Profile for Network Devices, Version 2.0
Collaborative Protection Profile for Network Devices, Version Errata

Evaluated by: Office Park Dr. Montgomery Village, MD

Prepared for: National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme

The Developer of the TOE: FireEye, Inc.
The Author of the Security Target: Acumen Security, 2400 Research Blvd Suite 395, Rockville, MD
The TOE Evaluation was Sponsored by: FireEye, Inc.
Evaluation Personnel: Acumen Security Personnel
Common Criteria Version: Common Criteria Version 3.1 Revision 5
Common Evaluation Methodology Version: CEM Version 3.1 Revision 5


1 TOE Overview

The FireEye HX Series Appliances are network devices providing organizations with the ability to continuously monitor endpoints for advanced malware and indicators of compromise. The HX 4502v is a virtual appliance version of the TOE, and the hardware and virtualization layer are included in the TOE boundary. There may only be one instance of the HX 4502v virtual appliance installed on the physical hardware platform.

1.1 TOE Description

FireEye HX series appliances are network devices that provide a managed solution for managing the security posture of connected end points. No other guest VMs providing network device functionality may be installed on the physical hardware platform. The TOE is comprised of three models of the FireEye HX Series Appliances shown below.

Table 1 Evaluated Hardware Models

Models: HX 4402, HX 4502, HX 4502v
Network Ports: 2x 10/100/1000BASE-T Ports 2x 1GigE, 2x 1GigE (MB) 2 vmxnet3 interfaces from 4 x 1Gb, 2 x 1Gb + 2 x 10Gb, 4 x 10Gb
Storage: 4x 1.8 TB HDD, RAID 10 4x 4TB HDD, RAID GB, RAID 10 8TB Effective
Enclosure: 1RU rack server (all three models)
Power Supply: Redundant (1+1) 750 watt, VAC, 9 4.5A, Hz, IEC60320-C14 inlet, FRU Redundant (1+1) 750 watt, VAC, 9 4.5A, Hz, IEC60320-C14 inlet, FRU Redundant (1+1) W AC or 1100 W DC, V AC/240 V DC, 50/60 Hz
Operating Temp: 10 C to 35 C (all three models)
Processor: AMD Opteron (HX 4402), Intel Xeon (HX 4502), Intel Xeon (HX 4502v)
Environment: N/A (HX 4402), N/A (HX 4502), VMware vsphere ESXi (HX 4502v)

2 Assurance Activities Identification

The Assurance Activities contained within this document include all those defined within the NDcPP Errata based upon the core SFRs and those implemented based on selections within the PP.

3 Test Equivalency Justification

Each evaluated platform was tested as part of the evaluation. No further equivalency justification is required.

4 Test Diagram

4.1 Testbed Diagram

4.2 Testbed Component Description

The following table provides a description of each of the components in the testbed.

Table 2 Testbed Component Description

| Component | Software Version |
|---|---|
| HX 4402 | HX Series Application Software: 4.0 |
| Administrator - HX 4402 | Windows 10, CentOS VM, Ubuntu VM |
| HX 4502 | HX Series Application Software: 4.0 |
| Administrator - HX 4502 | Windows 10, CentOS VM, Ubuntu VM |
| HX 4502v | HX Series Application Software: 4.0 |
| Administrator - HX 4502v | Windows 10, CentOS VM, Ubuntu VM |

4.3 Test Tools

The following test tools were used as part of testing: OpenSSH, 7 OpenSSL, Acumen-TLS, 1.0 Acumen-TLSS, 1.0 Large putty tool,

5 Detailed Test Cases (Auditing)

5.1 Test Cases (Auditing)

FAU_GEN.1 TSS 1

Table 3 FAU_GEN.1 TSS 1

For the administrative task of generating/import of, changing, or deleting of cryptographic keys as defined in FAU_GEN.1.1c, the TSS should identify what information is logged to identify the relevant key.

The evaluator examined the section titled TOE Summary Specification in the Security Target (ST) to determine the verdict of this assurance activity. Upon investigation, the evaluator found that the TSS states, "[f]or generating/importing of, changing, and deleting of certificates and associated keys, the TOE logs the certificate ID which directly maps to a unique key pair."

FAU_GEN.1 Guidance 1

Table 4 FAU_GEN.1 Guidance 1

The evaluator shall check the guidance documentation and ensure that it lists all of the auditable events and provides a format for audit records. Each audit record format type must be covered, along with a brief description of each field. The evaluator shall check to make sure that every audit event type mandated by the cPP is described and that the description of the fields contains the information required in FAU_GEN.1.2, and the additional information specified in the table of audit events.

The evaluator examined the guidance document to determine if it lists all auditable events. The section titled Auditable Events (section 3.4) of AGD was used to determine the verdict of this assurance activity. The evaluator first found an identification of each auditable event as a row within Table 2 of the AGD in the section titled Auditable Events. The evaluator next compared this list of events to the auditable events listed in the NDcPP. Each event listed in the NDcPP is also listed in AGD. Next, the evaluator reexamined AGD and found that the section titled Auditable Events contains a listing and description of each of the fields in generated audit records that contain the information required in FAU_GEN

FAU_GEN.1 Guidance 2

Table 4 FAU_GEN.1 Guidance 2

The evaluator shall also make a determination of the administrative actions that are relevant in the context of the cPP. The evaluator shall examine the guidance documentation and make a determination of which administrative commands, including subcommands, scripts, and configuration files, are related to the configuration (including enabling or disabling) of the mechanisms implemented in the TOE that are necessary to enforce the requirements specified in the cPP. The evaluator shall document the methodology or approach taken while determining which actions in the administrative guide are related to TSF data related to configuration changes. The evaluator may perform this activity as part of the activities associated with ensuring that the corresponding guidance documentation satisfies the requirements related to it.

The evaluator examined the guidance documentation to determine which administrative commands are relevant in the context of the cPP. The ST and AGD were used to determine the verdict of this assurance activity. The evaluator first examined the entirety of AGD to determine what administrative commands are associated with each administrative activity. The evaluator found the following are applicable:

| Administrative Activity | Method (Command/GUI Configuration) | Section |
|---|---|---|
| Audit configuration | Command Line Interface | 3.3 |
| Authentication failure configuration | Command Line Interface | 4.4 |
| User Creation | Graphical User Interface | 4.5 |
| Software update | Command Line Interface | 8 |
| Setting time | Command Line Interface | 9 |
| Configuring banner | Graphical User Interface | 11.1 |
| Configuring banner | Command Line Interface | 11.2 |

Next, the evaluator examined each of the test cases, and for those test cases which exercised the above referenced functionality, the audit record associated with the configuration was captured. The following table reflects the test cases in which those configurations can be found and identifies the specific method for invoking the functionality that generated the audit record.

| Administrative Activity | Method | Test Case |
|---|---|---|
| Audit configuration | CLI | FAU_STG_EXT.1_T2 |
| User Creation | GUI | FIA_PMG_EXT.1.1_T1 |
| Authentication failure configuration | CLI | FIA_AFL.1 Test #1 |
| Software update | CLI | FPT_TUD_EXT.1 Test #2 (b) |
| Setting time | CLI | FPT_STM.1.1_T1 |
| Configuring banner | GUI | FTA_TAB.1_T1 |
| Configuring banner | CLI | FTA_TAB.1_T1 |

The above analysis illustrates that each of the relevant configuration methods is appropriately audited by the TOE. Based on these findings, this assurance activity is considered satisfied.

FAU_GEN.1 Test 1

Table 5 FAU_GEN.1 Test 1

Item: Data/Description
Test ID: FAU_GEN.1_T1
Objective: The evaluator shall test the TOE's ability to correctly generate audit records by having the TOE generate audit records for the events listed in the table of audit events and administrative actions listed above. This should include all instances of an event: for instance, if there are several different I&A mechanisms for a system, the FIA_UIA_EXT.1 events must be generated for each mechanism. The evaluator shall test that audit records are generated for the establishment and termination of a channel for each of the cryptographic protocols contained in the ST. If HTTPS is implemented, the test demonstrating the establishment and termination of a TLS session can be combined with the test for an HTTPS session. When verifying the test results, the evaluator shall ensure the audit records generated during testing match the format specified in the guidance documentation, and that the fields in each audit record have the proper entries.
Test Flow:
- Trigger each auditable event on the TOE
- Verify that each audit record is generated and contains the required information
Pass/Fail: The audit records associated with each test case are recorded with each test case. A comparison of required audit records to the presented audit records was additionally performed. This analysis shows that each required audit record is generated by the TOE, meeting the test requirements.
Result: PASS

FAU_GEN.2

None. The evaluation of this SFR is tested in conjunction with the testing of FAU_GEN

FAU_STG_EXT.1 TSS 1

Table 6 FAU_STG.1 TSS 1

The evaluator shall examine the TSS to ensure it describes the means by which the audit data are transferred to the external audit server, and how the trusted channel is provided.

The evaluator examined the TSS to ensure that it describes the means by which audit data is transmitted to an external audit server, and how the trusted channel is provided. The TSS entry for FAU_STG_EXT.1 in the section titled TOE Summary Specification of ST was used to determine the verdict of this assurance activity. The evaluator found that the TSS states that the TOE sends audit records to an external syslog server over TLS. To support this functionality, the TOE transmits its audit events to all configured syslog servers at the same time logs are written locally to non-volatile storage. If the TLS connection fails, the TOE continues to store audit records locally on the TOE, and will transmit any locally stored contents when connectivity to the syslog server is restored.

FAU_STG_EXT.1 TSS 2

Table 7 FAU_STG_EXT.1 TSS 2

The evaluator shall examine the TSS to ensure it describes the amount of audit data that are stored locally; what happens when the local audit data store is full; and how these records are protected against unauthorized access.

The evaluator examined the TSS to determine if it describes the amount of audit data that are stored locally; what happens when the local audit data store is full; and how these records are protected against unauthorized access. The TSS entry for FAU_STG_EXT.1 in the section titled TOE Security Functional Requirements of ST was used to determine the verdict of this assurance activity. The evaluator found that the TSS states that, "The TOE stores a limited set of audit records locally on the TOE." The evaluator next found that, "when the local audit storage on the TOE is exhausted, the oldest log files are deleted to allow a new log to be created." Finally, the evaluator found that the TOE implements the following protection to protect against unauthorized access to local audit records: "Only Authorized Administrators are able to clear the local logs, and local audit records are stored in a directory that does not allow administrators to modify the contents."

FAU_STG_EXT.1 TSS 3

Table 8 FAU_STG_EXT.1 TSS 3

The evaluator shall examine the TSS to ensure that it details the behavior of the TOE when the storage space for audit data is full. When the option "overwrite previous audit record" is selected this description should include an outline of the rule for overwriting audit data. If other actions are chosen such as sending the new audit data to an external IT entity, then the related behavior of the TOE shall also be detailed in the TSS.

The evaluator examined the TSS to ensure that it details the behavior of the TOE when the storage space for audit data is full. The FAU_STG_EXT.1 SFR found in the section titled Security Audit (FAU) of the ST and the TSS entry for FAU_STG_EXT.1 in the section titled TOE Summary Specification of ST were used to determine the verdict of this assurance activity. The evaluator found that "overwrite previous audit records according to the following rule: [overwrite oldest record first]" was selected in the SFR. Next, the evaluator confirmed that the TSS provides a description of how the TOE implements this functionality. The TSS states, "When the local log is full, the oldest log files are deleted to allow a new log to be created." The evaluator found this description to be consistent with the selection within the SFR.

FAU_STG_EXT.1 TSS 4

Table 9 FAU_STG.1 TSS 4

The evaluator shall examine the TSS to ensure that it details whether the transmission of audit information to an external IT entity can be done in realtime or periodically. In case the TOE does not perform transmission in realtime the evaluator needs to verify that the TSS provides details about what event stimulates the transmission to be made as well as the possible as well as acceptable frequency for the transfer of audit data.

The evaluator examined the TSS to ensure that it details whether the transmission of audit information to an external IT entity can be done in realtime or periodically. The FAU_STG_EXT.1 SFR found in the section titled TOE Security Functional Requirements of the ST and the TSS entry for FAU_STG_EXT.1 in the section titled TOE Summary Specification of ST were used to determine the verdict of this assurance activity. Upon investigation, the evaluator found that the TSS states that "[T]he TOE transmits its audit events to all configured syslog servers at the same time logs are written locally to non-volatile storage." This is real-time.
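
The TSS statements above say the TOE sends audit records to the external syslog server over TLS. The following Python example is added here and is not part of the report or of the evaluator's tooling: it checks one direction of a reassembled TCP stream for TLS record framing and for readable syslog text inside application data records. It assumes TLS 1.2-or-earlier record framing; the function names, the sample byte strings and the host name in them are constructed for illustration.

```python
import re
import struct

# TLS record content types (RFC 5246, section 6.2.1).
CONTENT_TYPES = {20: "change_cipher_spec", 21: "alert",
                 22: "handshake", 23: "application_data"}
MAX_FRAGMENT = 2**14 + 2048  # upper bound for a TLSCiphertext fragment

# Start of a cleartext syslog message: "<PRI>" followed by an RFC 5424
# version digit or an RFC 3164 month name.
SYSLOG_CLEARTEXT = re.compile(rb"<\d{1,3}>(?:\d+ |[A-Z][a-z]{2} )")


def parse_tls_records(stream: bytes):
    """Split one direction of a reassembled TCP stream into TLS records.

    Returns a list of (content_type_name, payload) tuples and raises
    ValueError when the bytes are not a well-formed record sequence.
    """
    records, offset = [], 0
    while offset < len(stream):
        if len(stream) - offset < 5:
            raise ValueError(f"truncated record header at offset {offset}")
        ctype, major, minor, length = struct.unpack_from("!BBBH", stream, offset)
        if ctype not in CONTENT_TYPES:
            raise ValueError(
                f"byte 0x{ctype:02x} at offset {offset} is not a TLS content type")
        if major != 3 or minor not in (1, 2, 3):
            raise ValueError(f"unexpected record version {major}.{minor}")
        if length > MAX_FRAGMENT:
            raise ValueError(f"record length {length} exceeds the TLS maximum")
        end = offset + 5 + length
        if end > len(stream):
            raise ValueError(f"record at offset {offset} runs past end of capture")
        records.append((CONTENT_TYPES[ctype], stream[offset + 5:end]))
        offset = end
    return records


def check_audit_stream(stream: bytes):
    """Return (passed, reason) for one captured TOE-to-syslog byte stream."""
    try:
        records = parse_tls_records(stream)
    except ValueError as exc:
        return False, f"not TLS record framing: {exc}"
    seen_ccs = False
    app_records = 0
    for name, payload in records:
        if name == "change_cipher_spec":
            seen_ccs = True
        elif name == "application_data":
            # Data sent before the cipher change is not protected.
            if not seen_ccs:
                return False, "application data before change_cipher_spec"
            # Valid framing is not enough: a NULL cipher suite would still
            # leave the syslog line readable inside the record.
            if SYSLOG_CLEARTEXT.search(payload):
                return False, "readable syslog message inside application data"
            app_records += 1
    if app_records == 0:
        return False, "no application data records, nothing was transferred"
    return True, f"{app_records} protected application data record(s)"


def make_record(ctype, payload, version=(3, 3)):
    """Build one TLS record (used only for the constructed samples below)."""
    return struct.pack("!BBBH", ctype, version[0], version[1], len(payload)) + payload


# Constructed samples, not captures from the evaluated product.
OPAQUE = bytes(range(0x80, 0xE0))  # stand-in for ciphertext (no ASCII bytes)
SYSLOG_LINE = b"<134>Jul 10 12:00:00 hx-example audit: constructed sample event\n"
HANDSHAKE = make_record(22, b"\x01" + bytes(40), version=(3, 1)) + make_record(20, b"\x01")

SAMPLES = {
    "tls_protected": HANDSHAKE + make_record(22, OPAQUE[:40]) + make_record(23, OPAQUE),
    "plain_tcp_syslog": SYSLOG_LINE,
    "tls_null_cipher": HANDSHAKE + make_record(23, SYSLOG_LINE + OPAQUE[:20]),
}

if __name__ == "__main__":
    for label, sample in SAMPLES.items():
        print(label, check_audit_stream(sample))
```

With a real capture, the input would be the TOE-to-server payload bytes of one TCP stream exported from the packet capture tool.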

24 FAU_STG_EXT.1 Guidance 1 Table 10 FAU_STG.1 Guidance 1 The evaluator shall also examine the guidance documentation to ensure it describes how to establish the trusted channel to the audit server, as well as describe any requirements on the audit server (particular audit server protocol, version of the protocol required, etc.), as well as configuration of the TOE needed to communicate with the audit server. The evaluator examined the guidance documentation to determine if it describes how to establish a trusted channel to an audit server. The section titled Audit Server Configuration (section 3.3) of AGD was used to determine the verdict of this assurance activity. Upon investigation, the evaluator found that AGD states that the TOE securely send traffic to an external audit server via TLS. Next, the evaluator found that AGD provides instructions for configuring the secure connection between the TOE and the remote audit server via CLI. Finally, the evaluator found that AGD defines the following requirements for audit server to which the TOE connects: audit server must be a syslog server supporting TCP and TLS 1.1/ FAU_STG_EXT.1 Guidance 2 Table 11 FAU_STG.1 Guidance 2 The evaluator shall also examine the guidance documentation to determine that it describes the relationship between the local audit data and the audit data that are sent to the audit log server. For example, when an audit event is generated, is it simultaneously sent to the external server and the local store, or is the local store used as a buffer and cleared periodically by sending the data to the audit server. The evaluator examined the guidance documentation to determine if the relationship between local and external audit data. The section titled System Behavior (section 3.2) of AGD was used to determine the verdict of this assurance activity. 
Upon investigation, the evaluator found that AGD describes the relationship between local and external audit data, as follows, When configured to use an audit server the CM appliance transmits audit events to the audit server at the same time logs are written locally to non-volatile storage. If the connection fails, the CM continues to store audit records locally and will transmit any stored contents when connectivity to the syslog server is restored." FAU_STG_EXT.1. Guidance 3 Table 12 FAU_STG.1 Guidance 3 The evaluator shall also ensure that the guidance documentation describes all possible configuration options for FAU_STG_EXT.1.3 and the resulting behavior of the TOE for each possible configuration. The description of possible configuration options and resulting behavior shall correspond to those described in the TSS. The evaluator examined the guidance documentation to determine if it describes all possible configuration options for FAU_STG_EXT.1.3 and the TOE behavior for 24

25 each possible configuration. The TSS entry for FAU_STG_EXT.1 in the section titled TOE Summary Specification of ST and the section titled System Behavior (section 3.2) of AGD was used to determine the verdict of this assurance activity. The evaluator found that the description of the available configuration options for handling a full local audit record as described in AGD. Next, the evaluator compared the exhausted local audit handling description found in AGD to the description provided by the TSS of the ST. The descriptions of the behavior found in AGD and ST are consistent FAU_STG.1 Test 1 Table 13 FAU_STG.1 Test 1 Item Data/Description Test ID FAU_STG_EXT.1 Objective The evaluator shall establish a session between the TOE and the audit server according to the configuration guidance provided. The evaluator shall then examine the traffic that passes between the audit server and the TOE during several activities of the evaluator s choice designed to generate audit data to be transferred to the audit server. The evaluator shall observe that these data are not able to be viewed in the clear during this transfer, and that they are successfully received by the audit server. The evaluator shall record the particular software (name, version) used on the audit server during testing. The evaluator shall verify that the TOE is capable of transferring audit data to an external audit server automatically without administrator intervention. Note Syslog ng version 3.14 Test Flow Configure the TOE to communicate with a syslog via TLS Generate audit events (the event itself does not matter) Capture the traffic between the switch and the syslog server Verify that the packets are TLS encrypted /Fail The TOE passes all audit traffic to the remote audit server through a secure channel. This meets the testing requirements. 
Result PASS FAU_STG.1 Test 2 Item Test ID Objective Table 14 FAU_STG.1 Test 2 Data/Description FAU_STG_EXT.1_T2 The evaluator shall perform operations that generate audit data and verify that this data is stored locally. The evaluator shall perform operations that generate audit data until the local storage space is exceeded and verifies that the TOE complies with the behaviour defined in FAU_STG_EXT.1.3. Depending on the configuration this means that the evaluator has to check the content of the audit data when the audit data is just filled to the maximum and then verifies that the audit data remains unchanged with every new auditable event that should be tracked but that the audit data is recorded again after the local storage for audit data is cleared (for the option drop newaudit data in FAU_STG_EXT.1.3). Depending on the configuration this means that the evaluator has to check the content of the audit data when the audit data is just filled to the maximum and then verifies that: The existing audit data is overwritten with every new 25

26 auditable event that should be tracked according to the specified rule (for the option overwrite previous audit records in FAU_STG_EXT.1.3) Test Flow Set the log file size limit Generate audit data to fill the log New audit logs are created when file size reaches set maximum /Fail When audit log files reaches maximum size, a new audit log file is created and the old file overwritten. Result PASS 5.2 Test Cases (Cryptographic Support) FCS_CKM.1 TSS 1 Table 15 FCS_CKM.1 TSS 1 The evaluator shall ensure that the TSS identifies the key sizes supported by the TOE. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme. The evaluator examined the TSS to determine if it identifies the key sizes supported by the TOE. The TSS entry for FCS_CKM.1 in the section titled TOE Security Functional Requirements of ST was used to determine the verdict of this assurance activity. The evaluator found that the TSS states that the TOE supports RSA key generation schemes as specified in NIST SP , with key sizes of 2048 and 3072 bits. Next, the evaluator confirmed that the TSS describes how these keys are used by the TOE FCS_CKM.1 Guidance 1 Table 16 FCS_CKM.1 Guidance 1 The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected key generation scheme(s) and key size(s) for all cryptographic protocols defined in the Security Target. The evaluator examined guidance documentation to determine if it instructs the administrator how to configure TOE to use the selected key generation schemes and key sizes. The section titled Configuring SSH Public Keys (section 4.2) of AGD was used to determine the verdict of this assurance activity. In particular, the evaluator found that the configuration for generating keys through the CLI. 
These keys are generated in association with remote SSH authentication.

FCS_CKM.1 Test 1

Table 17 FCS_CKM.1 Test 1

The evaluator shall verify the implementation of Key Generation by the TOE using the Key Generation test.

The implemented cryptographic module employed by the TOE has been subject to the Key Generation test. The module passed each test. The individual algorithm implementations have been tested against the CAVP algorithm validation system. The associated certificate number is listed below.

CAVP Algorithm Certificate #: RSA # 2605, DSA # 1286, ECDSA #

5.2.4 FCS_CKM.2 TSS 1

Table 18 FCS_CKM.2 TSS 1

The evaluator shall ensure that the supported key establishment schemes correspond to the key generation schemes identified in FCS_CKM.1.1. If the ST specifies more than one scheme, the evaluator shall examine the TSS to verify that it identifies the usage for each scheme (including whether the TOE acts as a sender, a recipient, or both). If Diffie-Hellman group 14 is selected from FCS_CKM.2.1, the TSS shall describe how the implementation meets RFC 3526 Section 3.

The evaluator examined the TSS to determine if the supported key establishment schemes correspond to the key generation schemes identified in FCS_CKM.1.1. The TSS entries for FCS_CKM.1 and FCS_CKM.2 in the section TOE Summary Specification of ST were used to determine the verdict of this assurance activity. The evaluator compared the key establishment schemes listed in FCS_CKM.2 to the key generation schemes listed in FCS_CKM.1. Upon investigation, the evaluator found that FCS_CKM.2 does not introduce any key generation scheme not included in FCS_CKM.

FCS_CKM.2 Guidance 1

Table 19 FCS_CKM.2 Guidance 1

The evaluator shall verify that the AGD guidance instructs the administrator how to configure the TOE to use the selected key establishment scheme(s).

The evaluator examined the guidance documentation to determine if it instructs the administrator how to configure the TOE to use the selected key establishment schemes. The entire AGD was used to determine the verdict of this Assurance Activity. Upon investigation, the evaluator found that no configuration is required and the key establishment schemes are used automatically when the appropriate cryptographic function is invoked.

FCS_CKM.2 Test 1

Table 20 FCS_CKM.2 Test 1

The evaluator shall verify the implementation of the key establishment schemes supported by the TOE.

The implemented cryptographic module employed by the TOE has been subject to the Key Agreement Scheme test. The module passed each test.
The individual algorithm implementations have been tested against the CAVP algorithm validation system. The associated certificate number is listed below.

CAVP Algorithm Certificate #: CVL # 1406, RSA SP B: Vendor Affirmed

FCS_CKM.4.1 TSS 1

Table 21 FCS_CKM.4.1 TSS 1

The evaluator examines the TSS to ensure it lists all relevant keys (describing the origin and storage location of each), all relevant key destruction situations (e.g. factory reset or device wipe function, disconnection of trusted channels, key change as part of a secure channel protocol), and the destruction method used in each case. For the purpose of this Evaluation Activity the relevant keys are those keys that are relied upon to support any of the SFRs in the Security Target. The evaluator confirms that the description of keys and storage locations is consistent with the functions carried out by the TOE (e.g. that all keys for the TOE-specific secure channels and protocols, or that support FPT_APW_EXT.1 and FPT_SKP_EXT.1, are accounted for). In particular, if a TOE claims not to store plaintext keys in non-volatile memory then the evaluator checks that this is consistent with the operation of the TOE.

The evaluator examined the TSS to ensure that it lists each type of plaintext key material and its origin and storage location. The TSS entry for FCS_CKM.4 in the section titled TOE Security Functional Requirements as well as Key Zeroization of ST were used to determine the verdict of this assurance activity. According to the TSS the following plaintext keys are stored in volatile memory:
  Diffie Hellman Private Key
  Diffie Hellman Public Key
  SSH Session Key
  TLS Session Encryption Key
  TLS Session Integrity Key

Additionally, the following plaintext keys are kept in non-volatile storage on the TOE:
  SSH Private Key
  TLS Private Key

The evaluator compared the list of keys to the keys which would be expected for the supported cryptographic protocols and found this list consistent with those keys.

FCS_CKM.4 TSS 2

Table 22 FCS_CKM.4.1 TSS 2

The evaluator shall check to ensure the TSS identifies how the TOE destroys keys stored as plaintext in non-volatile memory, and that the description includes identification and description of the interfaces that the TOE uses to destroy keys (e.g., file system APIs, key store APIs).

The evaluator examined the TSS to determine if it describes when each type of key material is cleared. The TSS entry for FCS_CKM.4 and the section titled Key Storage and Zeroization of ST were used to determine the verdict of this assurance activity. Upon investigation, the evaluator found that the TOE includes the following keys stored as plaintext in non-volatile memory:
  SSH Private Key
  SSH Public Key
  SSH Session Key
  TLS Private Key
  TLS Public Key

Next, the evaluator found that each key is overwritten by zeros. Finally, the evaluator found the zeroization is triggered by the administrative user issuing the zeroization command on the CLI.

5.2.9 FCS_CKM.4 TSS 3

Table 23 FCS_CKM.4 TSS 3

Where the TSS identifies keys that are stored in a non-plaintext form, the evaluator shall check that the TSS identifies the encryption method and the key-encrypting-key used, and that the key-encrypting-key is either itself stored in an encrypted form or that it is destroyed by a method included under FCS_CKM.4.

The TOE meets all requirements specified in FIPS for destruction of keys and Critical Security Parameters (CSPs). All keys within the TOE are securely destroyed and each of the descriptions given is located in section 6.1 - Table 10 of the ST.

FCS_CKM.4 TSS 4

Table 24 FCS_CKM.4 TSS 4

The evaluator shall check that the TSS identifies any configurations or circumstances that may not conform to the key destruction requirement (see further discussion in the Guidance Documentation section below). Note that reference may be made to the Guidance Documentation for description of the detail of such cases where destruction may be prevented or delayed.

The evaluator shall check that the TSS identifies any configurations or circumstances that may not conform to the key destruction requirement. Upon investigation, the evaluator found that the TOE does not have any circumstances that may not conform to key destruction requirements.

FCS_CKM.4 Guidance 1

Table 25 FCS_CKM.4 Guidance 1

The evaluator shall check that the guidance documentation identifies configurations or circumstances that may not strictly conform to the key destruction requirement, and that this description is consistent with the relevant parts of the TSS (and any other supporting information used).

The evaluator reviewed the TSS and the entire AGD documentation for the TOE and found no items that did not meet conformance to the key destruction requirement. Based on these findings, the above requirement has been met.

FCS_CKM.4 Guidance 2

Table 26 FCS_CKM.4 Guidance 2

The evaluator shall check that the guidance documentation provides guidance on situations where key destruction may be delayed at the physical layer.

The evaluator reviewed the TSS and entire AGD and found no instance in which key destruction is delayed following the request for destruction. Based on these findings, the above requirement has been met.

FCS_COP.1/DataEncryption Test 1

Table 27 FCS_COP.1/DataEncryption Test 1

The evaluator shall verify the implementation of symmetric encryption supported by the TOE.

The implemented cryptographic module employed by the TOE has been subject to the Encryption test. The module passed each test. The individual algorithm implementations have been tested against the CAVP algorithm validation system. The associated certificate number is listed below.

CAVP Algorithm Certificate #: AES #

FCS_COP.1/SigGen Test 1

Table 28 FCS_COP.1/SigGen Test 1

The evaluator shall verify the implementation of the digital signature algorithms supported by the TOE.

The implemented cryptographic module employed by the TOE has been subject to the Digital Signature test. The module passed each test. The individual algorithm implementations have been tested against the CAVP algorithm validation system. The associated certificate number is listed below.

CAVP Algorithm Certificate #: ECDSA # 1193, RSA #

FCS_COP.1/Hash TSS 1

Table 29 FCS_COP.1/Hash TSS 1

The evaluator shall check that the association of the hash function with other TSF cryptographic functions (for example, the digital signature verification function) is documented in the TSS.

The evaluator examined the TSS to determine that the association of the hash function with other TSF cryptographic features is documented in the TSS. The TSS entry for FCS_COP.1/Hash in the section titled TOE Summary Specification of ST was used to determine the verdict of this assurance activity. Upon investigation, the evaluator found that the TSS describes each of the TSF cryptographic functions with which hashing is associated, as follows:
  TLS/SSH - SHA-1, SHA-256, SHA-384, SHA-512
  Digital Signature Verification for Trusted Update - SHA-256
  Hashing of passwords in non-volatile memory - SHA-512

Additionally, the evaluator compared the list of cryptographic functions provided by the TSF to the functions mapped in the TSS and found them to be consistent.

FCS_COP.1/Hash Guidance 1
Table 30 FCS_COP.1/Hash Guidance 1

The evaluator checks the AGD documents to determine that any configuration that is required to configure the required hash sizes is present.

The evaluator examined the guidance documents to determine if they describe any configuration that is required for the required hash sizes. The entirety of AGD was used to determine the verdict of this assurance activity. Upon investigation, the evaluator found the following regarding required hash size configurations:
  There are no hash configurations required by the administrator. Hashes are automatically selected based on cryptographic protocol usage.

Additionally, the evaluator compared the instructions listed in AGD to the actual usage of the TOE during testing and found that the listed configuration covers each way the hash functions can be configured for the TOE.

FCS_COP.1/Hash Test 1

Table 31 FCS_COP.1/Hash Test 1

The evaluator shall verify the implementation of hashing supported by the TOE.

The implemented cryptographic module employed by the TOE has been subject to the Hashing test. The module passed each test. The individual algorithm implementations have been tested against the CAVP algorithm validation system. The associated certificate number is listed below.

CAVP Algorithm Certificate #: SHS #

FCS_COP.1/KeyedHash TSS 1

Table 32 FCS_COP.1/KeyedHash TSS 1

The evaluator shall examine the TSS to ensure that it specifies the following values used by the HMAC function: key length, hash function used, block size, and output MAC length used.

The evaluator examined the TSS to ensure that it specifies the following values used by the HMAC function: key length, hash function used, block size, and output MAC length used. The TSS entry for FCS_COP.1/KeyedHash in the section titled TOE Summary Specification of ST was used to determine the verdict of this assurance activity. The evaluator found the following information in the TSS for the supported HMACs:
  Key length: 512, 512, 1024, 1024
  Hash function used: SHA-1, SHA-256, SHA-384, SHA-512
  Block size: 512, 512, 1024, 1024
  Output MAC: 160, 256, 384, 512

Additionally, the evaluator compared the values provided in the TSS to the definition of the SFR in ST and the operation of the TOE during testing. The evaluator found the values listed to be consistent with the implementation of the algorithm.

FCS_COP.1/KeyedHash Test 1

Table 33 FCS_COP.1/KeyedHash Test 1

The evaluator shall verify the implementation of MACing supported by the TOE.

The implemented cryptographic module employed by the TOE has been subject to the HMAC test. The module passed each test. The individual algorithm implementations have been tested against the CAVP algorithm validation system. The associated certificate number is listed below.

CAVP Algorithm Certificate #: HMAC-SHS # 3172
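The HMAC values reported for FCS_COP.1/KeyedHash TSS 1 can be cross-checked mechanically. The Python sketch below is an added example, not part of the evaluation report or the TOE's code: it builds HMAC by hand from the RFC 2104 construction, compares it with the standard library, and checks each row of the TSS values (taken as bits) against what the hash functions actually use. The keys are random sample values generated at the listed key lengths, and all function names are illustrative.

```python
import hashlib
import hmac
import os

# Values reported in the TSS for FCS_COP.1/KeyedHash, interpreted as bits.
TSS_HMAC_PARAMS = {
    "sha1":   {"key_bits": 512,  "block_bits": 512,  "mac_bits": 160},
    "sha256": {"key_bits": 512,  "block_bits": 512,  "mac_bits": 256},
    "sha384": {"key_bits": 1024, "block_bits": 1024, "mac_bits": 384},
    "sha512": {"key_bits": 1024, "block_bits": 1024, "mac_bits": 512},
}


def hmac_rfc2104(hash_name: str, key: bytes, message: bytes) -> bytes:
    """HMAC built by hand: H((K ^ opad) || H((K ^ ipad) || message))."""
    block_len = hashlib.new(hash_name).block_size  # in bytes
    # A key longer than one block is hashed first; a shorter key is
    # zero-padded to the block size. A key of exactly one block is used as-is.
    if len(key) > block_len:
        key = hashlib.new(hash_name, key).digest()
    key = key.ljust(block_len, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.new(hash_name, ipad + message).digest()
    return hashlib.new(hash_name, opad + inner).digest()


def check_tss_row(hash_name: str,
                  message: bytes = b"constructed sample message") -> dict:
    """Compare one row of the TSS values with the hash function's real sizes."""
    params = TSS_HMAC_PARAMS[hash_name]
    h = hashlib.new(hash_name)
    key = os.urandom(params["key_bits"] // 8)  # constructed sample key
    manual = hmac_rfc2104(hash_name, key, message)
    reference = hmac.new(key, message, hash_name).digest()
    return {
        "block_size_matches": h.block_size * 8 == params["block_bits"],
        "mac_length_matches": len(manual) * 8 == params["mac_bits"],
        # The listed key length equals the block size, so the key is neither
        # hashed down nor zero-padded inside HMAC.
        "key_fills_one_block": len(key) == h.block_size,
        "matches_stdlib": hmac.compare_digest(manual, reference),
    }


def check_all() -> dict:
    return {name: check_tss_row(name) for name in TSS_HMAC_PARAMS}


if __name__ == "__main__":
    for name, result in check_all().items():
        print(name, result)
```

Every check returning True means the listed block sizes and MAC lengths are the native values for each hash, with no truncation of the MAC.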

FCS_RBG_EXT.1 TSS 1

Table 34 FCS_RBG_EXT.1 TSS 1

The evaluator shall examine the TSS to determine that it specifies the DRBG type, identifies the entropy source(s) seeding the DRBG, and state the assumed or calculated min-entropy supplied either separately by each source or the min-entropy contained in the combined seed value.

The evaluator examined the TSS to determine that it specifies the DRBG type, identifies the entropy source(s) seeding the DRBG, and state the assumed or calculated min-entropy supplied either separately by each source or the min-entropy contained in the combined seed value. The FCS_RBG_EXT.1 entry of the TSS was used to determine the verdict of this activity. Upon investigation, the evaluator found the following:
  DRBG Type: NIST-approved AES-CTR Deterministic Random Bit Generator (DRBG)
  Entropy Sources: Four separate software sources
  Min-Entropy: 256-bits

FCS_RBG_EXT.1 Guidance 1

Table 35 FCS_RBG_EXT.1 Guidance 1

The evaluator shall confirm that the guidance documentation contains appropriate instructions for configuring the RNG functionality.

The evaluator confirmed that the guidance documentation contains appropriate instructions for configuring the RNG functionality. Upon investigation, the evaluator found that no configuration is required for implementation of the RNG functionality. The entirety of AGD was used for this activity.

FCS_RBG_EXT.1.1 Test 1

Table 36 FCS_RBG_EXT.1.1 Test 1

The evaluator shall verify the implementation of SP A DRBG supported by the TOE.

The implemented cryptographic module employed by the TOE has been subject to the DRBG test. The module passed each test. The individual algorithm implementations have been tested against the CAVP algorithm validation system. The associated certificate number is listed below.

CAVP Algorithm Certificate #: DRBG #

Test Cases (HTTPS)

FCS_HTTPS_EXT.1 TSS 1

Table 37 FCS_HTTPS_EXT.1 TSS 1

The evaluator shall examine the TSS and determine that enough detail is provided to explain how the implementation complies with RFC 2818.


More information

Hypori Virtual Mobile Infrastructure Platform Android Cloud Environment Client Common Criteria Assurance Activities Report

Hypori Virtual Mobile Infrastructure Platform Android Cloud Environment Client Common Criteria Assurance Activities Report Hypori Virtual Mobile Infrastructure Platform 3.1.0 Android Cloud Environment Client Common Criteria Assurance Activities Report Version 1.0, February 17, 2016 Prepared by: Leidos Inc. (formerly Science

More information

Assurance Activities Report for Samsung Galaxy Devices VPN Client on Android 7.1 (IVPNCPP14)

Assurance Activities Report for Samsung Galaxy Devices VPN Client on Android 7.1 (IVPNCPP14) www.gossamersec.com Assurance Activities Report for Samsung Galaxy Devices VPN Client on Android 7.1 (IVPNCPP14) Version 0.3 11/15/17 Prepared by: Gossamer Security Solutions Accredited Security Testing

More information

Security Target. Juniper Networks Mx Routers, PTX Routers and EX9200 Switches. ST Version 1.0. December 10, 2015

Security Target. Juniper Networks Mx Routers, PTX Routers and EX9200 Switches. ST Version 1.0. December 10, 2015 Security Target Juniper Networks Mx Routers, PTX Routers and EX9200 Switches running Junos OS 14.2R3 ST Version 1.0 December 10, 2015 Version 1.0 2015 Juniper Networks Page 1 of 64 Prepared By: Juniper

More information

Extended Package for Secure Shell (SSH) Version: National Information Assurance Partnership

Extended Package for Secure Shell (SSH) Version: National Information Assurance Partnership Extended Package for Secure Shell (SSH) Version: 1.1 2016-11-25 National Information Assurance Partnership Revision History Version Date Comment 0.9 2015-08-19 First Draft - Extended Package for Secure

More information

Assurance Activity Report (NDcPP10) for Cisco Catalyst 3K/4K Wired Access Switches

Assurance Activity Report (NDcPP10) for Cisco Catalyst 3K/4K Wired Access Switches www.gossamersec.com Assurance Activity Report (NDcPP10) for Cisco Catalyst 3K/4K Wired Access Switches Version 0.3 03/4/16 Prepared by: Gossamer Security Solutions Accredited Security Testing Laboratory

More information

SonicWall SonicOS Enhanced V6.2 VPN Gateway on NSA, SM, and TZ Appliances

SonicWall SonicOS Enhanced V6.2 VPN Gateway on NSA, SM, and TZ Appliances SonicWall SonicOS Enhanced V6.2 VPN Gateway on NSA, SM, and TZ Appliances Doc No: 2042-000-D102 Version: 1.9P 4 June 2018 SonicWall, Inc. 1033 McCarthy Blvd, Milpitas, California, U.S.A. 95035 Prepared

More information

Assurance Activity Report for BlackBerry Smartphones with OS VPN Client

Assurance Activity Report for BlackBerry Smartphones with OS VPN Client Assurance Activity Report for BlackBerry Smartphones with OS 10.3.3 VPN Client Version 2.3 24 January 2017 Prepared by: Electronic Warfare Associates-Canada, Ltd. 1223 Michael Street Ottawa, Ontario, Canada

More information

Avaya Virtual Services Platforms

Avaya Virtual Services Platforms Avaya Virtual Services Platforms Common Criteria Security Target Document Version: 2.0 Prepared by: Acumen Security 18504 Office Park Dr. Montgomery Village, MD 20886 www.acumensecurity.net 1 Table of

More information

Assurance Activity Report for SecuSUITE Client v3.0 and Vodafone Secure Call Client v3.0

Assurance Activity Report for SecuSUITE Client v3.0 and Vodafone Secure Call Client v3.0 Assurance Activity Report for SecuSUITE Client v3.0 and Vodafone Secure Call Client v3.0 Version 2.4, 1 May, 2017 Prepared by: EWA-Canada 1223 Michael Street, Suite 200 Ottawa, Ontario, Canada K1J 7T2

More information

Common Criteria Evaluated Configuration Guide (CCECG) for TPS v5.1. Trend Micro TippingPoint Threat Protection System

Common Criteria Evaluated Configuration Guide (CCECG) for TPS v5.1. Trend Micro TippingPoint Threat Protection System Common Criteria Evaluated Configuration Guide (CCECG) for TPS v5.1 Trend Micro TippingPoint Threat Protection System Document Version 1.0 11 January 2019 Document Version 1.0 Trend Micro Page 1 of 20 Prepared

More information

Security Target. FortiGate UTM appliances running FortiOS 5.0 Patch Release 10

Security Target. FortiGate UTM appliances running FortiOS 5.0 Patch Release 10 Security Target FortiGate UTM appliances running FortiOS 5.0 Patch Release 10 Common Criteria Evaluation with Network Device Protection Profile v1.1 Errata #3, Stateful Traffic Filter Firewall Extended

More information

Protection Profile for Certification Authorities. Version: National Information Assurance Partnership

Protection Profile for Certification Authorities. Version: National Information Assurance Partnership Protection Profile for Certification Authorities Version: 2.1 2017-12-01 National Information Assurance Partnership 1 Revision History Version Date Comment V1.0 2014-05-16 Initial draft V1.1 2016-07-07

More information

Satisfying CC Cryptography Requirements through CAVP/CMVP Certifications. International Crypto Module Conference May 19, 2017

Satisfying CC Cryptography Requirements through CAVP/CMVP Certifications. International Crypto Module Conference May 19, 2017 Satisfying CC Cryptography Requirements through CAVP/CMVP Certifications International Crypto Module Conference May 19, 2017 Synopsis Background NIAP policy relating to cryptographic requirements NIAP

More information

Cisco Aggregation Services Router 9000

Cisco Aggregation Services Router 9000 Cisco Aggregation Services Router 9000 Security Target Version 1.0(e) April 11, 2018 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA 2018 Cisco Systems, Inc.

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Protection Profile for IPsec Virtual Private Network (VPN) Clients, Version 1.4, October 21

More information

Cisco AnyConnect Secure Mobility Desktop Client

Cisco AnyConnect Secure Mobility Desktop Client Cisco AnyConnect Secure Mobility Desktop Client Security Target Version 1.1 March 24, 2016 Americas Headquarters: Cisco Systems, Inc., 170 West Tasman Drive, San Jose, CA 95134-1706 USA 2015 Cisco Systems,

More information

Assurance Activity Report

Assurance Activity Report www.gossamersec.com Assurance Activity Report (IVPNCPP14) for Oceus Networks VPN Client Version 0.6 January 19, 2017 Prepared by: Gossamer Security Solutions Accredited Security Testing Laboratory Common

More information

Aruba, a Hewlett Packard Enterprise company Virtual Intranet Access (VIA) Client Version 3.0 (IVPNCPP14) Security Target

Aruba, a Hewlett Packard Enterprise company Virtual Intranet Access (VIA) Client Version 3.0 (IVPNCPP14) Security Target Aruba, a Hewlett Packard Enterprise company Virtual Intranet Access (VIA) Client Version 3.0 (IVPNCPP14) Security Target Version 1.5 05/03/2018 Prepared for: Aruba, a Hewlett Packard Enterprise Company

More information

Cisco Aggregation Services Router (ASR) 1000 Series. Security Target. Version 0.7

Cisco Aggregation Services Router (ASR) 1000 Series. Security Target. Version 0.7 Cisco Aggregation Services Router (ASR) 1000 Series Security Target Version 0.7 17 October 2017 1 Table of Contents 1 SECURITY TARGET INTRODUCTION...8 1.1 ST AND TOE REFERENCE... 8 1.2 TOE OVERVIEW...

More information

Supporting Document Mandatory Technical Document

Supporting Document Mandatory Technical Document Supporting Document Mandatory Technical Document PP-Module for Virtual Private Network (VPN) Clients October 2017 Version 2.1 Foreword This is a Supporting Document (SD), intended to complement the Common

More information

Unisys Stealth Solution Release v3.3 Windows Endpoint Security Target

Unisys Stealth Solution Release v3.3 Windows Endpoint Security Target Unisys Stealth Solution Release v3.3 Windows Endpoint Security Target Version 1.1 10 October 2017 Prepared for: 801 Lakeview Drive Blue Bell, PA 19422 Prepared By: Accredited Testing & Evaluation Labs

More information

Hypori Virtual Mobile Infrastructure Platform 4.1 Hypori Client (ios) Common Criteria Assurance Activities Report. Version 1.

Hypori Virtual Mobile Infrastructure Platform 4.1 Hypori Client (ios) Common Criteria Assurance Activities Report. Version 1. Hypori Virtual Mobile Infrastructure Platform 4.1 Hypori Client (ios) Common Criteria Assurance Activities Report Version 1.0, August 17, 2018 Prepared by: Leidos Inc. https://www.leidos.com/cc-fips140

More information

Version: National Information Assurance Partnership

Version: National Information Assurance Partnership Network Device Collaborative Protection Profile (NDcPP)/Application Software Protection Profile (App PP) Extended Package Voice/Video over IP (VVoIP) Endpoint Version: 1.0 2016-09-28 National Information

More information

FireEye VX Series Appliances

FireEye VX Series Appliances FireEye VX Series Appliances FireEye, Inc. Common Criteria Guidance Addendum Prepared By: Acumen Security 18504 Office Park Dr Montgomery Village, MD 20886 www.acumensecurity.net 1 Table Of Contents 1

More information

D4 Secure VPN Client for the HTC A9 Secured by Cog Systems (IVPNCPP14) Security Target

D4 Secure VPN Client for the HTC A9 Secured by Cog Systems (IVPNCPP14) Security Target D4 Secure VPN Client for the HTC A9 Secured by Cog Systems (IVPNCPP14) Security Target Version 0.7 October 31, 2017 Prepared for: Cog Systems Level 1, 277 King Street Newtown NSW 2042 Australia Prepared

More information

Brocade MLXe and NetIron Family Devices with Multi-Service IronWare R

Brocade MLXe and NetIron Family Devices with Multi-Service IronWare R National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Brocade Communications Systems, Inc. Brocade MLXe and NetIron Family Devices with Multi-Service

More information

AhnLab MDS, MDS with MTA, and MDS Manager V2.1. Security Target

AhnLab MDS, MDS with MTA, and MDS Manager V2.1. Security Target AhnLab MDS, MDS with MTA, and MDS Manager V2.1 Security Target Version 0.4 June 14, 2017 Prepared for: AhnLab 673 Sampyeong-dong, Bundang-gu, Seongnam-si, Gyeonggi-do, 463-400 Korea Prepared by: Common

More information

SonicWall SonicOS Enhanced V6.2 with IPS on NSA, SM, and TZ Appliances

SonicWall SonicOS Enhanced V6.2 with IPS on NSA, SM, and TZ Appliances SonicWall SonicOS Enhanced V6.2 with IPS on NSA, SM, and TZ Appliances Doc No: 1962-000-D102 Version: 1.19 10 January 2018 SonicWall, Inc. 5455 Great America Parkway, Santa Clara, California, U.S.A. 95054

More information

Assurance Activity Report (IVPNCPP14) for Aruba, a Hewlett Packard Enterprise company Virtual Intranet Access (VIA) Client version 3.

Assurance Activity Report (IVPNCPP14) for Aruba, a Hewlett Packard Enterprise company Virtual Intranet Access (VIA) Client version 3. www.gossamersec.com Assurance Activity Report (IVPNCPP14) for Aruba, a Hewlett Packard Enterprise company Virtual Intranet Access (VIA) Client version 3.0 Version 0.6 05/03/2018 Prepared by: Gossamer Security

More information

Supporting Document Mandatory Technical Document. Foreword

Supporting Document Mandatory Technical Document. Foreword Supporting Document Mandatory Technical Document PP-Module for Email Clients 2015-06-18 Version: 2.0 National Information Assurance Partnership Foreword This is a Supporting Document (SD), intended to

More information

Motorola Network Router Security Target

Motorola Network Router Security Target Motorola Network Router Security Target 16-3324-R-0008 Version: 1.1 March 22, 2017 Prepared For: Motorola Solutions, Inc. 1303 East Algonquin Road Schaumburg, Illinois 60196 USA Prepared By: UL Verification

More information

Supporting Document Mandatory Technical Document. Full Drive Encryption: Authorization Acquisition. January Version 1.

Supporting Document Mandatory Technical Document. Full Drive Encryption: Authorization Acquisition. January Version 1. Supporting Document Mandatory Technical Document Full Drive Encryption: Authorization Acquisition January 2015 Version 1.0 CCDB-2015-01-003 Foreword This is a supporting document, intended to complement

More information

Assurance Activity Report (FWcPP10/IPScEP211/VPNGWcEP21) for Cisco ASA with FirePOWER Services

Assurance Activity Report (FWcPP10/IPScEP211/VPNGWcEP21) for Cisco ASA with FirePOWER Services www.gossamersec.com Assurance Activity Report (FWcPP10/IPScEP211/VPNGWcEP21) for Cisco ASA with FirePOWER Services Version 0.4 01/09/2018 Prepared by: Gossamer Security Solutions Accredited Security Testing

More information

Brocade MLXe Family Devices with Multi- Service IronWare R

Brocade MLXe Family Devices with Multi- Service IronWare R National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report Brocade Communication Systems, Inc 130 Holger Way San Jose, CA 95134 Brocade MLXe Family

More information

FORTRESS Mesh Point ES210, ES520, ES820, ES2440 Security Target

FORTRESS Mesh Point ES210, ES520, ES820, ES2440 Security Target FORTRESS Mesh Point ES210, ES520, ES820, ES2440 Security Target Document Version 15-2686-R-0008 Version: 1.5 2/18/2016 Prepared For: InfoGard Laboratories, Inc. 709 Fiero Lane, Suite 25 San Luis Obispo,

More information

National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme

National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report for Thycotic Secret Server Government Edition v10.1 Report Number: CCEVS-VR-VID10953 Dated:

More information

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report

National Information Assurance Partnership. Common Criteria Evaluation and Validation Scheme. Validation Report National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report Cisco Systems, Inc. Catalyst 4500 Series Wired Access Switches running IOS-XE 3.10 Report Number:

More information

Supporting Document Mandatory Technical Document. Full Drive Encryption: Encryption Engine. September Version 1.

Supporting Document Mandatory Technical Document. Full Drive Encryption: Encryption Engine. September Version 1. Supporting Document Mandatory Technical Document Full Drive Encryption: Encryption Engine September 015 Version 1.5 CCDB-015-01-004 3 4 5 6 7 8 9 10 11 1 13 14 15 16 17 18 19 0 1 3 4 5 6 7 8 9 30 31 3

More information

Worksheet for the Mobile Device Fundamentals

Worksheet for the Mobile Device Fundamentals Worksheet for the Mobile Device Fundamentals FAU_GEN1 Audit Data Generation FAU_GEN11 The TSF shall be able to generate an audit record of the following auditable events: 1 Start-up and shutdown of the

More information

General Dynamics C4 Systems

General Dynamics C4 Systems National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Validation Report General Dynamics C4 Systems Fortress Mesh Point ES2440 Report Number: CCEVS-VR- VID10573-2014

More information

Brocade FastIron SX, ICX, and FCX Series Switch/Router

Brocade FastIron SX, ICX, and FCX Series Switch/Router National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA 95134 Brocade FastIron

More information

Supporting Document Mandatory Technical Document. Full Drive Encryption: Encryption Engine September Version 2.0

Supporting Document Mandatory Technical Document. Full Drive Encryption: Encryption Engine September Version 2.0 Supporting Document Mandatory Technical Document Full Drive Encryption: Encryption Engine September 2016 Version 2.0 CCDB-2016 Foreword This is a supporting document, intended to complement the Common

More information

Brocade Directors and Switches using Fabric OS v8.1.0

Brocade Directors and Switches using Fabric OS v8.1.0 National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme TM Validation Report Brocade Communications Systems, Inc. 130 Holger Way San Jose, CA 95134 USA Brocade Directors

More information

FireEye xagent Application Security Target

FireEye xagent Application Security Target FireEye xagent Application Security Target Acumen Security, LLC. Document Version: 1.0 1 Table Of Contents 1 Security Target Introduction... 5 1.1 Security Target and TOE Reference... 5 1.2 TOE Overview...

More information

IOS Common Cryptographic Module (IC2M)

IOS Common Cryptographic Module (IC2M) IOS Common Cryptographic Module (IC2M) FIPS 140-2 Non Proprietary Security Policy Level 1 Validation Version 0.3 April 18, 2013 Table of Contents 1 INTRODUCTION... 3 1.1 PURPOSE... 3 1.2 MODULE VALIDATION

More information