manualshive.com logo in svg

Fidelis Common Criteria, Configuration Manual

"Introducing Fidelis Common Criteria – an advanced Configuration Manual designed to simplify the setup process. This comprehensive manual provides step-by-step instructions, ensuring easy understanding of the product's features and functionalities. Download the free manual from our website manualshive.com and get started with Fidelis today."

Share
Download
background image

 

 

Fidelis Network Common Criteria Configuration Guide Version 9.0.3   

 

7

 

        

www.fidelissecurity.com

 

 

Enhanced Information for Common Criteria 
Configuration of [1] 

 
 

Appendix C Common Criteria 

This 

appendix

 includes information about the following 

Common Criteria compliant configuration and 

other pertinent information.

 

 
Common Criteria Compliant Configuration  

K2 and the Fidelis Network module have earned Common Criteria Certification. The following provides 
the steps required to create the security configuration used for Common Criteria Certification. 

1.  During initial setup, make sure that NTP is setup correctly and servers are reachable from the 

appliance. 

2.  Change the default passwords for command line for each appliance by following 

Change the 

Default Account Passwords

3.  Change the default passwords for admin GUI account (provided in the Quick Start Card) for each 

K2. 

4.  Configure password strength (

Password Strength Requirements

) and account lockout due to 

requirements for failed login attempts. 

5.  Create a user with system administrator privileges. 

6.  Log in as the system administrator user and create user accounts for each person who will use the 

K2. The admin account should not be used anymore. 

7.  Ensure that session timeouts are set for command line (

Command Line Session Inactivity 

Timeout

) and GUI access (

GUI Session Inactivity Timeout

). 

8.  Create a custom login banner. Refer to 

Custom Login Banner

9.  If you are using LDAP, you must configure it to communicate using TLS. Refer to chapter 13 in the 

User Guide

10.  Enable FIPS 140-2 compliant encryption for the K2 database. Refer to 

Encrypted Storage

11.  Before registering any components, obtain X509 certificates as described in 

Security Certificates

 

and install them on the K2 (

Installing a K2 Certificate

) and all the components being registered to 

the K2 (

Installing Certificates for Inter-Component Communications

). 

12.  Enable sending syslog to a remote server over TLS using configuration described in 

Enable Client 

Authentication

at Security Practices. 

13.  Enable TLS auditing. At System / Components / K2/ Config / Audit, select everything for TLS 

Handshake. 

14.  To perform system updates, see 

Common Criteria Compliant Published Hash

 on published 

hash as a common criteria compliant trusted system update. 

Summary of Contents for Common Criteria

Page 1: ...Fidelis Network Common Criteria Configuration Guide Version 9 0 3 ...

Page 2: ...ts original electronic form and print copies for personal use This document cannot be modified or converted to any other electronic or machine readable form in whole or in part without prior written approval of Fidelis Cybersecurity While we have done our best to ensure that the material found in this document is accurate Fidelis Cybersecurity makes no guarantee that the information contained here...

Page 3: ...cess 4 Change the Default Account Passwords 4 Command Line Session Inactivity Timeout 4 Configure Password Requirements for Local Users 5 Enhanced Information for Common Criteria Configuration of 1 7 Appendix C Common Criteria 7 Common Criteria Compliant Configuration 7 Common Criteria Compliant Trusted Channels to External Components 8 System Updates 8 Digital Signatures for Updates 8 Common Crit...

Page 4: ...de 1 The information in the following sections is new or corrected information related to the Enterprise Setup and Configuration Guide 1 reproduced as entire sections in this document This document provides or references all the necessary instructions to configure monitor and maintain Fidelis Network as certified by Common Criteria This Configuration Guide is applicable to Fidelis Network Version ...

Page 5: ...ck user name at the top of the GUI For iLO the user ID and password are on the unit s label on top of the server Once the user connects to the iLO via a web browser these credentials are needed After logging in the user ID and password can be changed For IMM account and initial password are Account Initial password How to reset USERID PASSW0RD with a zero not the letter O Click Login Settings in t...

Page 6: ... 5 After configuration is complete type exit to log out Appendix A Security Certificates and Common Access Cards Obtaining and Importing a Certificate Follow instructions in this section to generate a Certificate Signing Request CSR obtain a certificate CA certificates CRL import these for use by a Fidelis Network component Run all commands in this section as root In all commands subsystem is the ...

Page 7: ... the certificate For example the component with IPv4 address 192 168 1 40 hostname sensor1 and domain mycompany local should have Subject Alternative Name as follows X509v3 extensions X509v3 Subject Alternative Name IP Address 191 168 1 40 IP Address 0 0 0 0 0 FFFF C0A8 128 DNS sensor1 DNS sensor1 mycompany local In Common Criteria compliant mode of operation the verifyhost parameter in configurat...

Page 8: ...length is administrator configurable from 1 to 999 characters Recommended value is 8 Fidelis Network components utilize Linux Pluggable Authentication Module PAM which provides dynamic authentication support for component applications and services To configure minimum password length for logging into the component via the console the pam cracklib module minlen parameter must be set to the desired ...

Page 9: ...alue and includes the number of characters in the password as well as complexity factors from the password itself For example if and how many capitals numbers or special characters it has In addition to the number of characters in the new password credit of 1 in length is given for each different kind of character other upper lower and digit The default for this parameter is 9 ...

Page 10: ...m administrator privileges 6 Log in as the system administrator user and create user accounts for each person who will use the K2 The admin account should not be used anymore 7 Ensure that session timeouts are set for command line Command Line Session Inactivity Timeout and GUI access GUI Session Inactivity Timeout 8 Create a custom login banner Refer to Custom Login Banner 9 If you are using LDAP...

Page 11: ...d LDAP servers with TLS enabled communications Refer to Enable Client Authentication Refer to chapter 13 of User Guide System Updates Digital Signatures for Updates Fidelis checks for software updates available on the Fidelis Insight Cloud using HTTPS connections A software update is available as a tar package along with its digital signature created using RSA secret key Fidelis will download both...

Page 12: ...verification check failure Power on Self Tests and Process Manager Each system daemon that utilizes Cryptographic Module of the component openssl 1 0 1e fips performs Power on Self Test POST upon initialization In case of POST failure the process or service will fail to initialize and the Cryptographic Module initialization failure messages are entered in var log messages for example Jun 3 23 01 0...

Page 13: ...s and Auditable Events SFR Event Additional Information Sample Log FAU_GEN 1 Start up of audit functions None Sep 8 11 38 12 10 42 212 199 localhost syslog ng 2368 syslog ng starting up version 3 7 3 Sep 8 14 25 43 localhost FSS audit 2423 System startup Shutdown of audit functions None Sep 8 11 34 59 10 42 212 199 04 localhost syslog ng 2369 syslog ng shutting down version 3 7 3 Sep 8 14 23 17 lo...

Page 14: ...ailure Aug 10 10 31 28 localhost FSS audit 91999 Sensor linux90s sensor Error loading CA file FSS etc pki cacert pem Aug 10 10 31 28 localhost TLS ERROR error 02001002 system library fopen No such file or directory Aug 10 10 31 28 localhost error 2006D080 BIO routines BIO_new_file no such file Aug 10 10 31 28 localhost error 0B084002 x509 certificate routines X509_load_cert_crl_file system lib FCS...

Page 15: ...TLS ERROR Local ffff 10 89 184 31 Remote ffff 10 89 184 32 error 140890B2 SSL routines SSL3_GET_CLIENT_CERTIFI CATE no certificate returned FIA_AFL 1 Unsuccessful login attempts limit is met or exceeded Administrator identity and the origin of the login attempt e g IP address Sep 8 11 26 18 localhost FSS audit 106367 k2admin failed attempt to login from 10 89 184 30 calling login Sep 8 11 26 28 lo...

Page 16: ... Cybersecurity OU Research and De velpoment CN Vadim Fidelis RootCA1 emailAddress VF RootCA1 fidelissecurity com Aug 11 13 34 33 localhost Subject C US ST MD L Bethesda O Fidelis Cybersecurity OU Research and D evelpoment CN VF RCA1 Server1 emailAddress VF RCA1 Server1 fidelissecurity com Aug 11 13 34 33 localhost TLS ERROR Local ffff 10 89 184 31 Remote ffff 10 89 184 32 error 140890B2 SSL routin...

Page 17: ...F data TSF data affected by the change Sep 8 15 07 43 localhost FSS audit 21670 FSS etc login cf changed pw_minlen from 0 to 10 Sep 8 15 12 58 localhost FSS audit 24675 New file FSS jail FPDATA k2admin contentfinger print big txt created FMT_MTD 1 CryptoKeys Management of cryptographic keys Key Management action generation destruction import and Critical Security Parameter CSP identification Sep 8...

Page 18: ...T Sep 8 23 40 11 localhost SHA 256 fingerprint AA 20 D3 46 F7 5D 08 58 E5 86 6 C 41 E6 14 7B A1 E4 6B FA A7 EB 38 A1 2F D1 4B F8 A4 70 73 C B 4C FPT_ITT 1 Initiation of the trusted channel Termination of the trusted channel Failure of the trusted channel functions Identification of the initiator and target of failed trusted channels establishment attempt Mar 29 16 18 37 localhost FSS audit 77497 a...

Page 19: ...w York New time Fri Sep 8 17 46 40 UTC 2017 EST5EDT Set by localhost FPT_TUD_E XT 1 Initiation of update Identification of the initiator software update version and target s of update Feb 21 10 47 03 localhost FSS audit 32671 admin started install of version 9 0 3 20180221 for components linux90col Result of the update attempt success or failure Target of update distributed TOE component identific...

Page 20: ...111 time_reopen 10 FTP_TRP 1 Admin Initiation of the trusted channel Identification of the claimed user identity Mar 17 09 52 00 10 42 209 241 FSS audit admin logged on from 10 42 29 155 Termination of the trusted channel Identification of the claimed user identity Mar 17 10 00 07 10 42 209 241 FSS audit admin logged out from 10 42 209 241 Failure of the trusted channel functions Identification of...

Page 21: ...b Proxy and processes it for policy violations Making Configuration Changes The vi editor bin vi may be used when making manual changes to files on a Fidelis Network system Set Up FIPS 140 2 Certificates Fidelis Network ships with FIPS 140 2 mode for communication enabled by default Users must install and set up FIPS 140 2 compliant certificates and enable FIPS 140 2 encryption for data storage on...

Page 22: ...1 Failure to establish a TLS session due to misconfiguration CA certificate file is not found CRL file is not found Verify that correct CA certificate and CRL files are installed in the path specified by the error message Aug 10 10 31 28 localhost FSS audit 91999 Sensor linux90s sensor Error loading CA file FSS etc pki cacert pem Aug 10 10 31 28 localhost TLS ERROR error 02001002 system library fo...

Page 23: ...r and or TLS Client set as appropriate Aug 11 13 34 33 localhost FSS audit 42996 TLS ERROR Local ffff 10 89 184 31 Remote ffff 10 89 184 32 Certificate verification error 26 unsupported certificate purpose Aug 11 13 34 33 localhost Depth 0 Aug 11 13 34 33 localhost Issuer C US ST MD L Bethesda O Fidelis Cybersecurity OU Research and De velpoment CN Vadim Fidelis RootCA1 emailAddress VF RootCA1 fid...

Page 24: ...nnection is first established upon successful registration of the component to K2 test functions are available to verify proper connections However network connections may fail for many reasons Fidelis Network will continually attempt to reestablish the connection until working order is restored Messages are available from log files to indicate any detected errors in communications After restoring...

Page 25: ...iguration Guide Version 9 0 3 22 www fidelissecurity com References 1 Fidelis Cybersecurity Fidelis Network Version 9 0 3 Enterprise Setup and Configuration Guide 2017 2 Fidelis Cybersecurity Fidelis Network Version 9 0 3 User Guide 2017 ...

Reviews:

No comments

Related manuals for Common Criteria

Ubiquiti M900 Quick Start Manual preview
M900
Brand: Ubiquiti Pages: 24
GE 90-30 PLC User Manual preview
90-30 PLC
Brand: GE Pages: 93
Cabletron Systems MMAC-5FNB Overview And Setup Manual preview
MMAC-5FNB
Brand: Cabletron Systems Pages: 21
H3C S5500-HI Switch Series Fundamentals Configuration Manual preview
S5500-HI Switch Series
Brand: H3C Pages: 180
H3C S3610 Series Quick Start Manual preview
S3610 Series
Brand: H3C Pages: 84
H3C S3600V2 SERIES Layer 2-Lan Switching Configuration Manual preview
S3600V2 SERIES
Brand: H3C Pages: 281
H3C S12500R-2L Preparing For Installation preview
S12500R-2L
Brand: H3C Pages: 8
H3C S12500R Series Manual preview
S12500R Series
Brand: H3C Pages: 9
H3C S12500R Series Installation, Quick Start preview
S12500R Series
Brand: H3C Pages: 33
H3C S12500R Series Hardware Reference Manual preview
S12500R Series
Brand: H3C Pages: 42
H3C S12500R Series Installation Manual preview
S12500R Series
Brand: H3C Pages: 102
H3C S12500CR Series Preparing For Installation preview
S12500CR Series
Brand: H3C Pages: 9
H3C RA200 Manual preview
RA200
Brand: H3C Pages: 15
H3C H3C S7500E Series Command Manual preview
H3C S7500E Series
Brand: H3C Pages: 1565
H3C MSR810 Installation, Quick Start preview
MSR810
Brand: H3C Pages: 4
Yamaha mLAN Driver Manual Book preview
mLAN Driver
Brand: Yamaha Pages: 24
Yamaha DSP1D Supplementary Manual preview
DSP1D
Brand: Yamaha Pages: 5
Commell LS-570 User Manual preview
LS-570
Brand: Commell Pages: 58

Brands by name

Popular brands

Load more brands