Fidelis Network
Common Criteria
Configuration Guide
Version 9.0.3


Summary of Contents for Fidelis Common Criteria

  • Page 1 Fidelis Network ™ Common Criteria Configuration Guide Version 9.0.3...
  • Page 2 This document cannot be modified or converted to any other electronic or machine-readable form in whole or in part without prior written approval of Fidelis Cybersecurity. While we have done our best to ensure that the material found in this document is accurate,...
  • Page 3: Table Of Contents

    Enhanced Information for Common Criteria Configuration of [1] ... 7
    Appendix C Common Criteria ... 7
    Common Criteria Compliant Configuration ... 7
    Common Criteria Compliant Trusted Channels to External Components ... 8
    System Updates ... 8
    Digital Signatures for Updates ... 8
    Common Criteria Compliant Published Hash for Updates ...
  • Page 4: Common Criteria Configuration Guide

    Common Criteria Configuration Guide This document is the Fidelis Network Common Criteria Configuration Guide. It replaces Appendix C of the Enterprise Setup and Configuration Guide [1]. The information in the following sections is new or corrected information related to the Enterprise Setup and Configuration Guide [1] reproduced as entire sections in this document.
  • Page 5: Enhanced Information For Chapter 2, Appendix A And Appendix B Of [1]

    The sections below provide corrected information required to configure, monitor and maintain a working system as certified by Common Criteria. These sections are based on the information in the Enterprise Setup and Configuration Guide [1], and are reproduced here in entirety with new or corrected information.
  • Page 6: Connect A Physical Appliance To The Network And Configure

    Follow instructions in this section to generate a Certificate Signing Request (CSR); obtain a certificate, CA certificates, CRL; import these for use by a Fidelis Network component. Run all commands in this section as root. In all commands, <subsystem> is the affected part of Fidelis Network functionality and must be one of the recognized subsystems listed above.
  • Page 7: Appendix B Security Best Practices

    User Access. Change the Default Account Passwords: When you receive the Fidelis system, you receive an initial login and password for command line access. You should change this password. To do this: Connect to the appliance CLI via console using the fidelis account and default password.
  • Page 8: Configure Password Requirements For Local Users

    The minimum password length is administrator configurable from 1 to 999 characters. Recommended value is 8. Fidelis Network components utilize Linux Pluggable Authentication Module (PAM), which provides dynamic authentication support for component applications and services. To configure minimum password length for logging into the component via the console, the pam-cracklib module “minlen”...
  • Page 9 In addition to the number of characters in the new password, credit (of +1 in length) is given for each different kind of character (other, upper, lower, and digit). The default for this parameter is 9. Fidelis Network Common Criteria Configuration Guide Version 9.0.3 www.fidelissecurity.com...
  • Page 10: Enhanced Information For Common Criteria Configuration Of [1]

    Common Criteria Compliant Configuration. K2 and the Fidelis Network module have earned Common Criteria Certification. The following provides the steps required to create the security configuration used for Common Criteria Certification. 1. During initial setup, make sure that NTP is set up correctly and servers are reachable from the appliance.
  • Page 11: Common Criteria Compliant Trusted Channels To External Components

    RSA secret key. Fidelis will download both via HTTPS and verify the signature using the on-board public key (corresponding to the RSA key used to create the signature). If the verification fails, it is assumed that the download was corrupted and hence the package and its signature are deleted.
  • Page 12: Power On Self Tests And Process Manager

    WARNING: In case of fatal POST failures, contact Fidelis Support immediately. The process manager service checks the binary integrity of every Fidelis daemon dedicated to the primary security function of the product before it starts any of them. If a single integrity check fails,...
  • Page 13: Audit Events

    /FSS/log/. Audit Events The table below lists and describes applicable audit events and administrative actions for each of the security functional requirements (SFRs) covered by Common Criteria. The general order of the audit events is as follows: Date.
  • Page 14 (audit events table, continued): SFR and event fragment as extracted: "EXT.1 TLS"; additional record contents: Session endpoints identification (if applicable), certificate depth, Issuer, Subject (if applicable), and reason for failure; example record: audit[27394]: Sensor <linux90s-sensor> TLS ERROR: Local: ::ffff:10.89.184.31, Remote: ::ffff:10.89.184.32, error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
  • Page 15 (audit events table, continued): SFR fragment as extracted: "FIA_UIA_EX"; event: All use of the identification and authentication mechanism; additional record contents: Provided user identity, origin of the attempt (Remote:, Local:); example record: Feb 18 13:03:14 10.42.209.241 FSS audit: admin logged on from 192.168.42.5
  • Page 16 (audit events table, continued): additional record contents: Subject (if applicable), and reason for failure; example records: Aug 11 13:34:33 localhost Depth = 0, / Aug 11 13:34:33 localhost Issuer = /C=US/ST=MD/L=Bethesda/O=Fidelis Cybersecurity/OU=Research and Develpoment/CN=Vadim-Fidelis-RootCA1/emailAddress=VF-RootCA1@fidelissecurity.com, / Aug 11 13:34:33 localhost Subject =
  • Page 17 (audit events table, continued): additional record contents fragment as extracted: "identification"; example records: Sep 8 23:36:50 localhost SHA-256 hash of the corresponding public key in DER format: 002bf89ebb085e8bd0b61d466d2d34972 ca8c8e9d1574ec40 ac7d032af9b13c / Sep 8 23:35:57 localhost FSS audit[21861]: Destroyed the certificate revocation list (CRL). / Sep 8 23:35:57 localhost issuer: /C=US/ST=Maryland/L=Bethesda/O=Fid
  • Page 18 (audit events table, continued): end of previous row: Type: metadatav; SFR fragment as extracted: "FPT_ITT.1/J"; events: Initiation of the trusted channel. Termination of the trusted ...; additional record contents: Identification of the initiator and target of failed trusted ...; example record: Mar 29 16:18:37 localhost FSS audit[77497]: admin unregistered Sensor linux90col
  • Page 19 (audit events table, continued): SFR: FTA_SSL.4; event: The termination of an interactive session; additional record contents: Identity of administrator; example record: Feb 18 10:31:57 10.42.209.241 FSS audit: admin logged out from
  • Page 20 10.42.209.155 (calling: login) Component Processes and Descriptions The table below lists all Fidelis Network processes that handle network traffic. Table 3. Traffic Handling Processes and Descriptions Component Process Name Privilege...
  • Page 21: Making Configuration Changes

    Making Configuration Changes The vi editor (/bin/vi) may be used when making manual changes to files on a Fidelis Network system. Set Up FIPS 140-2 Certificates Fidelis Network ships with FIPS 140-2 mode for communication enabled by default. Users must install and set up FIPS 140-2-compliant certificates and enable FIPS 140-2 encryption for data storage on K2.
  • Page 22: Tls

    Recovery steps for TLS failures are common for all TOE interfaces utilizing TLS as the secure transport layer, whether the TOE acts as a TLS client, a TLS server, or both, and apply to the K2 Web Server, K2 LDAP TLS client, syslog-ng TLS client, the Fidelis Insight Server TLS client, and distributed TOE intercomponent TLS communications.
  • Page 23: Remote Authentication

    Aug 11 13:34:33 localhost TLS ERROR: Local: ::ffff:10.89.184.31, Remote: ::ffff:10.89.184.32, error:140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned. Remote Authentication: LDAP is the only allowable remote authentication method, and neither RADIUS nor TACACS can be used.
  • Page 24: Connections Between Distributed Toe Components

    Fidelis Network will continually attempt to reestablish the connection until working order is restored. Messages are available from log files to indicate any detected errors in communications. After restoring the network, the Fidelis Network administration will not need to perform any restoration tasks since Fidelis Network will recover automatically.
  • Page 25: References

    References
    [1] Fidelis Cybersecurity, Fidelis Network Version 9.0.3 Enterprise Setup and Configuration Guide, 2017.
    [2] Fidelis Cybersecurity, Fidelis Network Version 9.0.3 User Guide, 2017.
