Common Criteria Compliant Trusted Channels To External Components; System Updates; Digital Signatures For Updates; Common Criteria Compliant Published Hash For Updates - Fidelis Common Criteria Configuration Manual


The certified configuration includes only the Fidelis Network configuration, including the admin
interface. Any additional interface available on your hardware appliance is not certified. For example,
the Integrated Lights-Out (iLO) and the Integrated Management Module (IMM) are excluded from the
certified configuration.

Fidelis Common Criteria certification excludes the fidelis account for command line access (refer to
Default Accounts) after initial configuration. This account is used for initial system configuration.
After initial setup, the fidelis account should not be used unless directed by Fidelis Cybersecurity
Technical Support to diagnose problems.

Common Criteria certification applies to Rev H hardware. Contact Technical Support to determine your
hardware revision. Virtual appliances are supported by the certification on host hardware that includes
Intel Core or Xeon processors based on the Ivy Bridge or Haswell microarchitecture, which implement
Intel Secure Key.

The sections below provide additional information required to monitor and maintain a working system
configured for Common Criteria.

Common Criteria Compliant Trusted Channels to External Components

Fidelis establishes secure connections to external components within the customer network. Fidelis will
establish trusted channels with external audit and LDAP servers using TLS-enabled communications.
Refer to Enable Client Authentication. Refer to chapter 13 of the User Guide.

System Updates

Digital Signatures for Updates

Fidelis checks for software updates available on the Fidelis Insight Cloud using HTTPS connections. A
software update is available as a tar package along with its digital signature, created using an RSA
secret key. Fidelis will download both via HTTPS and verify the signature using the on-board public key
(corresponding to the RSA key used to create the signature). If the verification fails, it is assumed
that the download was corrupted, and the package and its signature are deleted.

Common Criteria Compliant Published Hash for Updates

Software and Policy updates for Fidelis Network are available at the Fidelis Support portal. Fidelis also
publishes the SHA256 hash with the updates. The Common Criteria compliant trusted update mechanism
for Fidelis Network is for an administrator to:
1. Operate the K2 in air gap mode. Refer to chapter 10 in the Guide to Creating Policies.
   For Air Gap operation, access the K2 GUI and navigate to the System / Version Control / Download
   Control page. Ensure that the parameter: Check for Updates is set to: Never. The K2 GUI page
   System / Version Control / Scheduled Installs will then display: No scheduled installs, indicating
   that automatic updates are disabled.
2. Download the updates and the hash files from the Fidelis Support portal.
3. Verify that the SHA256 hash of the downloaded package is the same as the published hash on the
   portal, using the openssl command line utility, for example:
   openssl dgst -sha256 fidelis_xps_9.0.3.x86_64.tar
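
Step 3 can be scripted so the comparison does not depend on reading two 64-character strings by eye. The shell function below is an added example, not part of the Fidelis guide; the name verify_sha256, its exit codes and the sha256sum fallback are assumptions of this example.

```shell
#!/bin/sh
# Added example: compare a downloaded package against the published SHA256.
# Exit status: 0 = match, 1 = mismatch (do not install), 2 = bad input/tooling.
verify_sha256() {
    pkg=$1
    # Normalise the value copied from the portal: drop whitespace, lowercase.
    want=$(printf '%s' "$2" | tr -d ' \t\r\n' | tr 'A-F' 'a-f')
    case $want in
        ''|*[!0-9a-f]*) echo "published hash is not hexadecimal" >&2; return 2 ;;
    esac
    if [ "${#want}" -ne 64 ]; then
        echo "published hash has ${#want} hex digits, expected 64" >&2
        return 2
    fi
    if [ ! -f "$pkg" ] || [ ! -r "$pkg" ]; then
        echo "cannot read package: $pkg" >&2
        return 2
    fi
    # openssl prints "(stdin)= <hex>" or "SHA2-256(stdin)= <hex>" depending on
    # its version; the digest is always the last field. Reading from stdin
    # keeps unusual file names out of the output being parsed.
    if command -v openssl >/dev/null 2>&1; then
        got=$(openssl dgst -sha256 < "$pkg" | awk '{print $NF}')
    else
        # Assumption of this example: use coreutils sha256sum if openssl is absent.
        got=$(sha256sum < "$pkg" | awk '{print $1}')
    fi
    got=$(printf '%s' "$got" | tr 'A-F' 'a-f')
    if [ "${#got}" -ne 64 ]; then
        echo "could not compute a SHA256 digest for $pkg" >&2
        return 2
    fi
    if [ "$got" = "$want" ]; then
        echo "OK: $pkg matches the published SHA256"
        return 0
    fi
    echo "MISMATCH: $pkg" >&2
    echo "  computed:  $got" >&2
    echo "  published: $want" >&2
    return 1
}

# Stand-alone use: sh verify_update.sh <package.tar> <published-sha256>
if [ "$#" -eq 2 ]; then verify_sha256 "$1" "$2"; fi
```

Treat any non-zero exit status as a reason not to install the package.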
Fidelis Network Common Criteria Configuration Guide Version 9.0.3, www.fidelissecurity.com
