Fidelis Network™ Common Criteria Configuration Guide, Version 9.0.3...
This document cannot be modified or converted to any other electronic or machine-readable form in whole or in part without prior written approval of Fidelis Cybersecurity. While we have done our best to ensure that the material found in this document is accurate,...
Enhanced Information for Common Criteria Configuration of [1] ........ 7
Appendix C Common Criteria ........ 7
Common Criteria Compliant Configuration ........ 7
Common Criteria Compliant Trusted Channels to External Components ........ 8
System Updates ........ 8
Digital Signatures for Updates ........ 8
Common Criteria Compliant Published Hash for Updates ........
Common Criteria Configuration Guide
This document is the Fidelis Network Common Criteria Configuration Guide. It replaces Appendix C of the Enterprise Setup and Configuration Guide [1]. The sections below are based on [1] and are reproduced here in their entirety, with the new or corrected information required to configure, monitor and maintain a working system in the configuration certified under Common Criteria.
Follow the instructions in this section to generate a Certificate Signing Request (CSR), obtain the signed certificate, the CA certificates and the CRL, and import them for use by a Fidelis Network component. Run all commands in this section as root. In every command, <subsystem> is the affected part of Fidelis Network functionality and must be one of the recognized subsystems listed above.
User Access
Change the Default Account Passwords
When you receive the Fidelis system, you receive an initial login and password for command line access. Change this password before the appliance is placed into service. To do this: Connect to the appliance CLI via the console using the fidelis account and the default password.
The minimum password length is administrator-configurable from 1 to 999 characters. The recommended value is 8; do not configure a smaller value. Fidelis Network components use the Linux Pluggable Authentication Module (PAM) framework, which provides dynamic authentication support for component applications and services. To configure the minimum password length for logging into the component via the console, the pam_cracklib module "minlen"...
In addition to the number of characters in the new password, a credit of +1 in length is given for each different kind of character present (other, upper case, lower case, and digit). The default value of this parameter (minlen) is 9.
Fidelis Network Common Criteria Configuration Guide Version 9.0.3 www.fidelissecurity.com...
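To make the credit arithmetic above concrete, the following Python is an added model of the pam_cracklib minlen check; it is example code written for this guide's reader, not Fidelis code or a PAM module. It assumes pam_cracklib's documented semantics: the four class credits (dcredit, ucredit, lcredit, ocredit) default to 1, a non-negative credit adds at most that many characters of its class to the counted length, and a negative credit instead demands at least that many characters of the class. The policy values and passwords used are hypothetical.

```python
"""Added example: model of the pam_cracklib "minlen" check with class credits."""
from dataclasses import dataclass


@dataclass(frozen=True)
class CracklibPolicy:
    """Parameters as given to pam_cracklib.so on the 'password' PAM line."""
    minlen: int = 9      # pam_cracklib default; this guide recommends 8
    dcredit: int = 1     # digits
    ucredit: int = 1     # upper-case letters
    lcredit: int = 1     # lower-case letters
    ocredit: int = 1     # everything else


def class_counts(password: str) -> dict:
    counts = {"digit": 0, "upper": 0, "lower": 0, "other": 0}
    for ch in password:
        if ch.isdigit():
            counts["digit"] += 1
        elif ch.isupper():
            counts["upper"] += 1
        elif ch.islower():
            counts["lower"] += 1
        else:
            counts["other"] += 1
    return counts


def effective_length(password: str, policy: CracklibPolicy):
    """Return (credited length, failure reason or None).

    A non-negative credit adds at most that many characters of the class
    to the length, so the default credit of 1 gives +1 per class present.
    A negative credit is instead a required minimum count for the class.
    """
    counts = class_counts(password)
    size = len(password)
    for cls, credit in (("digit", policy.dcredit), ("upper", policy.ucredit),
                        ("lower", policy.lcredit), ("other", policy.ocredit)):
        n = counts[cls]
        if credit >= 0:
            size += min(n, credit)
        elif n < -credit:
            return size, f"needs at least {-credit} {cls} character(s)"
    return size, None


def check_minlen(password: str, policy: CracklibPolicy = CracklibPolicy()):
    """Return (accepted, explanation) for the minlen rule only."""
    size, reason = effective_length(password, policy)
    if reason:
        return False, reason
    if size < policy.minlen:
        return False, f"credited length {size} is below minlen {policy.minlen}"
    return True, f"credited length {size} meets minlen {policy.minlen}"


if __name__ == "__main__":
    for pw in ("abcdefgh", "ABCDEFG", "Fidelis9!"):
        print(pw, check_minlen(pw))
    # A negative credit turns the class into a requirement instead of a bonus.
    print("Fidelis9!", check_minlen("Fidelis9!", CracklibPolicy(dcredit=-2)))
```

Note that with the defaults an eight-character all-lower-case password passes (8 + 1 = 9), which is why the credited length and minlen must be read together when setting the recommended value.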
Common Criteria Compliant Configuration
K2 and the Fidelis Network module have earned Common Criteria Certification. The following are the steps required to create the security configuration used for the Common Criteria Certification.
1. During initial setup, make sure that NTP is set up correctly and the NTP servers are reachable from the appliance.
RSA secret key. Fidelis will download both via HTTPS and verify the signature using the on-board public key (the public half of the RSA key used to create the signature). If the verification fails, the download is assumed to be corrupted and both the package and its signature are deleted.
WARNING: In case of fatal power-on self-test (POST) failures, contact Fidelis Support immediately. The process manager service checks the binary integrity of every Fidelis daemon dedicated to the primary security function of the product before it starts any of them. If a single integrity check fails,...
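As an added illustration (not Fidelis code) of the two verify-before-use rules described above, the Python below implements a hash-based stand-in: a downloaded update is accepted only if it matches a published SHA-256 digest and is deleted together with the digest file otherwise, and a set of daemon binaries is checked against a manifest before any of them is started. A SHA-256 comparison stands in for the RSA signature check because the standard library has no RSA; the file names, the digest-file layout, the manifest format and the demo() scenario are all constructed for the example.

```python
"""Added example: verify-before-use gates for updates and daemon binaries."""
import hashlib
import hmac
import tempfile
from pathlib import Path


def sha256_hex(path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_or_delete(package, published_hash) -> bool:
    """Accept the package only if it matches the published digest.

    Stand-in for the RSA signature check: 'published_hash' is a text file
    holding the expected SHA-256 hex digest (a hypothetical layout). On any
    failure both files are deleted, as the guide describes for a package
    whose signature does not verify, and False is returned.
    """
    package, published_hash = Path(package), Path(published_hash)
    try:
        expected = published_hash.read_text().split()[0].lower()
        ok = hmac.compare_digest(expected, sha256_hex(package))
    except (OSError, IndexError, TypeError):
        ok = False
    if not ok:
        for p in (package, published_hash):
            p.unlink(missing_ok=True)
    return ok


def check_daemons(manifest: dict, root) -> list:
    """Return the manifest entries whose on-disk binary does not match."""
    root = Path(root)
    return [rel for rel, expected in manifest.items()
            if not (root / rel).is_file() or sha256_hex(root / rel) != expected]


def start_daemons(manifest: dict, root, start):
    """Process-manager rule: if a single check fails, start none of them.

    Returns (started, failed); 'start' is a callback that launches one binary.
    """
    failed = check_daemons(manifest, root)
    if failed:
        return [], failed
    return [start(Path(root) / rel) for rel in manifest], []


def demo() -> dict:
    """Constructed scenario: one intact update, one tampered update, one tampered daemon."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        good = root / "update-good.pkg"
        good.write_bytes(b"fidelis update payload\n")
        (root / "update-good.sha256").write_text(sha256_hex(good) + "\n")
        bad = root / "update-bad.pkg"
        bad.write_bytes(b"fidelis update payload\n")
        (root / "update-bad.sha256").write_text(sha256_hex(bad) + "\n")
        bad.write_bytes(b"modified after the digest was published\n")

        good_ok = verify_or_delete(good, root / "update-good.sha256")
        bad_ok = verify_or_delete(bad, root / "update-bad.sha256")

        manifest = {}
        for rel, body in (("bin/daemon_a", b"daemon A"), ("bin/daemon_b", b"daemon B")):
            p = root / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(body)
            manifest[rel] = sha256_hex(p)
        launch = lambda p: p.name          # stand-in for actually exec'ing the daemon
        started_intact, failed_intact = start_daemons(manifest, root, launch)
        (root / "bin/daemon_b").write_bytes(b"daemon B, patched")
        started_tampered, failed_tampered = start_daemons(manifest, root, launch)

        return {
            "good_ok": good_ok, "good_kept": good.exists(),
            "bad_ok": bad_ok,
            "bad_removed": not bad.exists() and not (root / "update-bad.sha256").exists(),
            "started_intact": started_intact, "failed_intact": failed_intact,
            "started_tampered": started_tampered, "failed_tampered": failed_tampered,
        }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of both gates is the same: the check happens before the artifact is used, and a failure leaves nothing half-installed or half-started. A real signature check additionally binds the package to the signer's key, which a bare hash cannot do unless the hash itself is obtained over an authenticated channel.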
/FSS/log/.

Audit Events
The table below lists and describes the applicable audit events and administrative actions for each of the security functional requirements (SFRs) covered by Common Criteria. The general order of the fields in an audit event is as follows: Date.
SFR: ...EXT.1 (table row continued)
Additional information: TLS session endpoints identification (if applicable), certificate depth, Issuer, Subject (if applicable), and reason for failure.
Example: audit[27394]: Sensor <linux90s-sensor> TLS ERROR: Local: ::ffff:10.89.184.31, Remote: ::ffff:10.89.184.32, error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher

SFR: FIA_UIA_EX...
Audit event: All use of the identification and authentication mechanism.
Additional information: Provided user identity, origin of the attempt.
Example (Remote): Feb 18 13:03:14 10.42.209.241 FSS audit: admin logged on from 192.168.42.5
Example (Local): ...

(table row continued)
Additional information: ... Subject (if applicable), and reason for failure.
Example:
Aug 11 13:34:33 localhost Depth = 0,
Aug 11 13:34:33 localhost Issuer = /C=US/ST=MD/L=Bethesda/O=Fidelis Cybersecurity/OU=Research and Develpoment/CN=Vadim-Fidelis-RootCA1/emailAddress=VF-RootCA1@fidelissecurity.com,
Aug 11 13:34:33 localhost Subject = ...

(table row continued)
Additional information: ... identification ...
Example:
Sep 8 23:36:50 localhost SHA-256 hash of the corresponding public key in DER format: 002bf89ebb085e8bd0b61d466d2d34972ca8c8e9d1574ec40ac7d032af9b13c
Sep 8 23:35:57 localhost FSS audit[21861]: Destroyed the certificate revocation list (CRL).
Sep 8 23:35:57 localhost issuer: /C=US/ST=Maryland/L=Bethesda/O=Fid...

(previous example continued) Type: metadatav...

SFR: FPT_ITT.1/J...
Audit event: Initiation of the trusted channel. Termination of the ...
Additional information: Identification of the initiator and target of the failed trusted channel.
Example: Mar 29 16:18:37 localhost FSS audit[77497]: admin unregistered Sensor linux90col

SFR: FTA_SSL.4
Audit event: The termination of an interactive session.
Additional information: Identity of administrator.
Example: Feb 18 10:31:57 10.42.209.241 FSS audit: admin logged out from 10.42.209.155 (calling: login)

Component Processes and Descriptions
The table below lists all Fidelis Network processes that handle network traffic.
Table 3. Traffic Handling Processes and Descriptions
Component | Process Name | Privilege | ...
Making Configuration Changes
The vi editor (/bin/vi) may be used when making manual changes to files on a Fidelis Network system.

Set Up FIPS 140-2 Certificates
Fidelis Network ships with FIPS 140-2 mode for communication enabled by default. Users must install and set up FIPS 140-2-compliant certificates and enable FIPS 140-2 encryption for data storage on K2.
Recovery steps for TLS failures are common to all TOE interfaces that use TLS as the secure transport layer, whether the TOE acts as a TLS client, a TLS server, or both. They apply to the K2 Web Server, the K2 LDAP TLS client, the syslog-ng TLS client, the Fidelis Insight Server TLS client, and the distributed TOE inter-component TLS communications.
Example:
Aug 11 13:34:33 localhost TLS ERROR: Local: ::ffff:10.89.184.31, Remote: ::ffff:10.89.184.32, error: 140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned

Remote Authentication
LDAP is the only allowable remote authentication method; neither RADIUS nor TACACS can be used.
Fidelis Network will continually attempt to re-establish the connection until working order is restored. The log files contain messages indicating any detected communication errors. Once network connectivity is restored, the Fidelis Network administrator does not need to perform any restoration tasks, because Fidelis Network recovers automatically.
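The audit records quoted in the Audit Events table and in the TLS failure example above are the raw material for monitoring the recovery described here. The Python below, added as an example rather than Fidelis tooling, parses such lines into structured events and summarises the TLS failure reasons so that a "no certificate returned" or "no shared cipher" condition can be spotted without reading raw logs. The sample log is constructed from the record formats shown on this page (timestamps, hosts and addresses as in the page's examples); the event type names, the handling of the "FSS audit[pid]:" prefix and the field names are this example's own assumptions.

```python
"""Added example: parse Fidelis-style audit records into structured events."""
import re

# Constructed sample, modelled on the record formats quoted in this guide.
SAMPLE_LOG = """\
Feb 18 13:03:14 10.42.209.241 FSS audit: admin logged on from 192.168.42.5
Feb 18 10:31:57 10.42.209.241 FSS audit: admin logged out from 10.42.209.155 (calling: login)
Mar 29 16:18:37 localhost FSS audit[77497]: admin unregistered Sensor linux90col
Aug 11 13:34:33 localhost FSS audit[27394]: Sensor <linux90s-sensor> TLS ERROR: Local: ::ffff:10.89.184.31, Remote: ::ffff:10.89.184.32, error:1408A0C1:SSL routines:SSL3_GET_CLIENT_HELLO:no shared cipher
Aug 11 13:34:33 localhost TLS ERROR: Local: ::ffff:10.89.184.31, Remote: ::ffff:10.89.184.32, error: 140890B2:SSL routines:SSL3_GET_CLIENT_CERTIFICATE:no certificate returned
Sep 8 23:35:57 localhost FSS audit[21861]: Destroyed the certificate revocation list (CRL).
"""

SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<msg>.*)$")
PREFIX_RE = re.compile(r"FSS audit(?:\[(?P<pid>\d+)\])?: (?P<rest>.*)$")

# (event type, pattern); the type names are this example's own, not Fidelis terms.
PATTERNS = [
    ("tls_error", re.compile(
        r"(?:Sensor <(?P<sensor>[^>]+)> )?TLS ERROR: Local: (?P<local>\S+), "
        r"Remote: (?P<remote>\S+), error:\s*(?P<code>[0-9A-Fa-f]+):"
        r"(?P<lib>[^:]+):(?P<routine>[^:]+):(?P<reason>.*)$")),
    ("logon", re.compile(r"(?P<user>\S+) logged on from (?P<origin>\S+)")),    # listed under FIA_UIA
    ("logoff", re.compile(r"(?P<user>\S+) logged out from (?P<origin>\S+)")),  # listed under FTA_SSL.4
    ("sensor_unregistered",
     re.compile(r"(?P<user>\S+) unregistered Sensor (?P<sensor>\S+)")),         # listed under FPT_ITT.1
    ("crl_destroyed", re.compile(r"Destroyed the certificate revocation list")),
]


def strip_mapped(addr: str) -> str:
    """Drop the IPv4-mapped IPv6 prefix that the TLS records carry."""
    return addr[len("::ffff:"):] if addr.startswith("::ffff:") else addr


def parse_audit_line(line: str):
    """Return a dict describing one record, or None if the line is not a record."""
    m = SYSLOG_RE.match(line.strip())
    if not m:
        return None
    body, pid = m.group("msg"), None
    pm = PREFIX_RE.match(body)
    if pm:
        body = pm.group("rest")
        pid = int(pm.group("pid")) if pm.group("pid") else None
    event = {"ts": m.group("ts"), "host": m.group("host"), "pid": pid,
             "type": "other", "raw": body}
    for name, pat in PATTERNS:
        hit = pat.search(body)
        if hit:
            event["type"] = name
            event.update({k: v for k, v in hit.groupdict().items() if v is not None})
            break
    for key in ("local", "remote", "origin"):
        if key in event:
            event[key] = strip_mapped(event[key])
    return event


def parse_audit_log(text: str) -> list:
    return [e for e in (parse_audit_line(l) for l in text.splitlines()) if e]


def summarize(events: list) -> dict:
    """Counts per event type and the OpenSSL reason string of every TLS failure."""
    counts, tls_reasons = {}, []
    for e in events:
        counts[e["type"]] = counts.get(e["type"], 0) + 1
        if e["type"] == "tls_error":
            tls_reasons.append(e["reason"])
    return {"counts": counts, "tls_reasons": tls_reasons}


if __name__ == "__main__":
    evs = parse_audit_log(SAMPLE_LOG)
    for e in evs:
        fields = {k: e[k] for k in ("user", "origin", "sensor", "local", "remote", "code", "reason") if k in e}
        print(e["ts"], e["type"], fields)
    print(summarize(evs))
```

The OpenSSL error is split into library, routine and reason so that the reason ("no shared cipher", "no certificate returned") can drive the recovery step: the first points at a cipher suite mismatch between the peers, the second at a peer that did not present the client certificate the server requires.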