manualshive.com logo in svg

Fidelis Common Criteria, Configuration Manual

"Introducing Fidelis Common Criteria – an advanced Configuration Manual designed to simplify the setup process. This comprehensive manual provides step-by-step instructions, ensuring easy understanding of the product's features and functionalities. Download the free manual from our website manualshive.com and get started with Fidelis today."

Share
Download
background image

 

 

Fidelis Network Common Criteria Configuration Guide Version 9.0.3   

 

18

 

        

www.fidelissecurity.com

 

 

Component 

Process Name 

Privilege 

Description 

K2 

netspool 

Runs with 
setuid 

Accepts alert and statistical data 
from the different components 
configured 

K2 

httpd 

Runs as root 

Web server for spawning GUI for 
users 

Direct Sensor 

sniffer 

Runs as root 

Captures packets from the sniffing 
interfaces configured and 
reassembles them into transport 
protocol sessions 

Collector 

sesdbd 

Runs with 
setuid 

Receives metadata sent from 
sensors and writes it into the 
database 

Mail (Milter) 

mailer 

Runs with 
setuid 

Receives emails for processing 
from an MTA and processes them 
for policy violations 

Mail (MTA) 

postfix 

Runs as root 

Serves as a MTA that receives, 
analyzes and forwards email traffic  

Web Sensor 

icapd 

Runs with 
setuid 

Receives ICAP traffic from a Web 
Proxy and processes it for policy 
violations. 

 

 

 

 

 
Making Configuration Changes 

The vi editor (/bin/vi) may be used when making manual changes to files on a Fidelis Network system. 

 
Set Up FIPS 140-2 Certificates  

Fidelis Network ships with FIPS 140-2 mode for communication enabled by default. Users must install 
and set up FIPS 140-2-compliant certificates and enable FIPS 140-2 encryption for data storage on K2. 
To install and set up FIPS 140-2-compliant certificates, refer to Appendix A in the 

Enterprise Setup and 

Configuration Guide

[1]. 

The Common Criteria-compliant Random Number Generation (RNG), cipher suites, DH and RSA key 
sizes, hash algorithms, NIST elliptic curves, and TLS version 1.2 

are configured by default and do not 

require user intervention

, when the procedures in Appendix A of the 

Enterprise Setup and 

Configuration Guide

 [1] are followed. For example, when generating a Certificate Signing Request (CSR), 

no additional configuration is required to generate a new RSA private key. A new RSA key of 3072-bit 
length is generated by default . 

Summary of Contents for Common Criteria

Page 1: ...Fidelis Network Common Criteria Configuration Guide Version 9 0 3 ...

Page 2: ...ts original electronic form and print copies for personal use This document cannot be modified or converted to any other electronic or machine readable form in whole or in part without prior written approval of Fidelis Cybersecurity While we have done our best to ensure that the material found in this document is accurate Fidelis Cybersecurity makes no guarantee that the information contained here...

Page 3: ...cess 4 Change the Default Account Passwords 4 Command Line Session Inactivity Timeout 4 Configure Password Requirements for Local Users 5 Enhanced Information for Common Criteria Configuration of 1 7 Appendix C Common Criteria 7 Common Criteria Compliant Configuration 7 Common Criteria Compliant Trusted Channels to External Components 8 System Updates 8 Digital Signatures for Updates 8 Common Crit...

Page 4: ...de 1 The information in the following sections is new or corrected information related to the Enterprise Setup and Configuration Guide 1 reproduced as entire sections in this document This document provides or references all the necessary instructions to configure monitor and maintain Fidelis Network as certified by Common Criteria This Configuration Guide is applicable to Fidelis Network Version ...

Page 5: ...ck user name at the top of the GUI For iLO the user ID and password are on the unit s label on top of the server Once the user connects to the iLO via a web browser these credentials are needed After logging in the user ID and password can be changed For IMM account and initial password are Account Initial password How to reset USERID PASSW0RD with a zero not the letter O Click Login Settings in t...

Page 6: ... 5 After configuration is complete type exit to log out Appendix A Security Certificates and Common Access Cards Obtaining and Importing a Certificate Follow instructions in this section to generate a Certificate Signing Request CSR obtain a certificate CA certificates CRL import these for use by a Fidelis Network component Run all commands in this section as root In all commands subsystem is the ...

Page 7: ... the certificate For example the component with IPv4 address 192 168 1 40 hostname sensor1 and domain mycompany local should have Subject Alternative Name as follows X509v3 extensions X509v3 Subject Alternative Name IP Address 191 168 1 40 IP Address 0 0 0 0 0 FFFF C0A8 128 DNS sensor1 DNS sensor1 mycompany local In Common Criteria compliant mode of operation the verifyhost parameter in configurat...

Page 8: ...length is administrator configurable from 1 to 999 characters Recommended value is 8 Fidelis Network components utilize Linux Pluggable Authentication Module PAM which provides dynamic authentication support for component applications and services To configure minimum password length for logging into the component via the console the pam cracklib module minlen parameter must be set to the desired ...

Page 9: ...alue and includes the number of characters in the password as well as complexity factors from the password itself For example if and how many capitals numbers or special characters it has In addition to the number of characters in the new password credit of 1 in length is given for each different kind of character other upper lower and digit The default for this parameter is 9 ...

Page 10: ...m administrator privileges 6 Log in as the system administrator user and create user accounts for each person who will use the K2 The admin account should not be used anymore 7 Ensure that session timeouts are set for command line Command Line Session Inactivity Timeout and GUI access GUI Session Inactivity Timeout 8 Create a custom login banner Refer to Custom Login Banner 9 If you are using LDAP...

Page 11: ...d LDAP servers with TLS enabled communications Refer to Enable Client Authentication Refer to chapter 13 of User Guide System Updates Digital Signatures for Updates Fidelis checks for software updates available on the Fidelis Insight Cloud using HTTPS connections A software update is available as a tar package along with its digital signature created using RSA secret key Fidelis will download both...

Page 12: ...verification check failure Power on Self Tests and Process Manager Each system daemon that utilizes Cryptographic Module of the component openssl 1 0 1e fips performs Power on Self Test POST upon initialization In case of POST failure the process or service will fail to initialize and the Cryptographic Module initialization failure messages are entered in var log messages for example Jun 3 23 01 0...

Page 13: ...s and Auditable Events SFR Event Additional Information Sample Log FAU_GEN 1 Start up of audit functions None Sep 8 11 38 12 10 42 212 199 localhost syslog ng 2368 syslog ng starting up version 3 7 3 Sep 8 14 25 43 localhost FSS audit 2423 System startup Shutdown of audit functions None Sep 8 11 34 59 10 42 212 199 04 localhost syslog ng 2369 syslog ng shutting down version 3 7 3 Sep 8 14 23 17 lo...

Page 14: ...ailure Aug 10 10 31 28 localhost FSS audit 91999 Sensor linux90s sensor Error loading CA file FSS etc pki cacert pem Aug 10 10 31 28 localhost TLS ERROR error 02001002 system library fopen No such file or directory Aug 10 10 31 28 localhost error 2006D080 BIO routines BIO_new_file no such file Aug 10 10 31 28 localhost error 0B084002 x509 certificate routines X509_load_cert_crl_file system lib FCS...

Page 15: ...TLS ERROR Local ffff 10 89 184 31 Remote ffff 10 89 184 32 error 140890B2 SSL routines SSL3_GET_CLIENT_CERTIFI CATE no certificate returned FIA_AFL 1 Unsuccessful login attempts limit is met or exceeded Administrator identity and the origin of the login attempt e g IP address Sep 8 11 26 18 localhost FSS audit 106367 k2admin failed attempt to login from 10 89 184 30 calling login Sep 8 11 26 28 lo...

Page 16: ... Cybersecurity OU Research and De velpoment CN Vadim Fidelis RootCA1 emailAddress VF RootCA1 fidelissecurity com Aug 11 13 34 33 localhost Subject C US ST MD L Bethesda O Fidelis Cybersecurity OU Research and D evelpoment CN VF RCA1 Server1 emailAddress VF RCA1 Server1 fidelissecurity com Aug 11 13 34 33 localhost TLS ERROR Local ffff 10 89 184 31 Remote ffff 10 89 184 32 error 140890B2 SSL routin...

Page 17: ...F data TSF data affected by the change Sep 8 15 07 43 localhost FSS audit 21670 FSS etc login cf changed pw_minlen from 0 to 10 Sep 8 15 12 58 localhost FSS audit 24675 New file FSS jail FPDATA k2admin contentfinger print big txt created FMT_MTD 1 CryptoKeys Management of cryptographic keys Key Management action generation destruction import and Critical Security Parameter CSP identification Sep 8...

Page 18: ...T Sep 8 23 40 11 localhost SHA 256 fingerprint AA 20 D3 46 F7 5D 08 58 E5 86 6 C 41 E6 14 7B A1 E4 6B FA A7 EB 38 A1 2F D1 4B F8 A4 70 73 C B 4C FPT_ITT 1 Initiation of the trusted channel Termination of the trusted channel Failure of the trusted channel functions Identification of the initiator and target of failed trusted channels establishment attempt Mar 29 16 18 37 localhost FSS audit 77497 a...

Page 19: ...w York New time Fri Sep 8 17 46 40 UTC 2017 EST5EDT Set by localhost FPT_TUD_E XT 1 Initiation of update Identification of the initiator software update version and target s of update Feb 21 10 47 03 localhost FSS audit 32671 admin started install of version 9 0 3 20180221 for components linux90col Result of the update attempt success or failure Target of update distributed TOE component identific...

Page 20: ...111 time_reopen 10 FTP_TRP 1 Admin Initiation of the trusted channel Identification of the claimed user identity Mar 17 09 52 00 10 42 209 241 FSS audit admin logged on from 10 42 29 155 Termination of the trusted channel Identification of the claimed user identity Mar 17 10 00 07 10 42 209 241 FSS audit admin logged out from 10 42 209 241 Failure of the trusted channel functions Identification of...

Page 21: ...b Proxy and processes it for policy violations Making Configuration Changes The vi editor bin vi may be used when making manual changes to files on a Fidelis Network system Set Up FIPS 140 2 Certificates Fidelis Network ships with FIPS 140 2 mode for communication enabled by default Users must install and set up FIPS 140 2 compliant certificates and enable FIPS 140 2 encryption for data storage on...

Page 22: ...1 Failure to establish a TLS session due to misconfiguration CA certificate file is not found CRL file is not found Verify that correct CA certificate and CRL files are installed in the path specified by the error message Aug 10 10 31 28 localhost FSS audit 91999 Sensor linux90s sensor Error loading CA file FSS etc pki cacert pem Aug 10 10 31 28 localhost TLS ERROR error 02001002 system library fo...

Page 23: ...r and or TLS Client set as appropriate Aug 11 13 34 33 localhost FSS audit 42996 TLS ERROR Local ffff 10 89 184 31 Remote ffff 10 89 184 32 Certificate verification error 26 unsupported certificate purpose Aug 11 13 34 33 localhost Depth 0 Aug 11 13 34 33 localhost Issuer C US ST MD L Bethesda O Fidelis Cybersecurity OU Research and De velpoment CN Vadim Fidelis RootCA1 emailAddress VF RootCA1 fid...

Page 24: ...nnection is first established upon successful registration of the component to K2 test functions are available to verify proper connections However network connections may fail for many reasons Fidelis Network will continually attempt to reestablish the connection until working order is restored Messages are available from log files to indicate any detected errors in communications After restoring...

Page 25: ...iguration Guide Version 9 0 3 22 www fidelissecurity com References 1 Fidelis Cybersecurity Fidelis Network Version 9 0 3 Enterprise Setup and Configuration Guide 2017 2 Fidelis Cybersecurity Fidelis Network Version 9 0 3 User Guide 2017 ...

Reviews:

No comments

Related manuals for Common Criteria

A-Link WNAP4G Quick Installaion Manual preview
WNAP4G
Brand: A-Link Pages: 6
Xinje XG Series User Manual preview
XG Series
Brand: Xinje Pages: 76
TE Connectivity InterReach Fusion ADCP-77-044 Manual preview
InterReach Fusion ADCP-77-044
Brand: TE Connectivity Pages: 236
Intel NetStructure ZT 5515 Product Specification preview
NetStructure ZT 5515
Brand: Intel Pages: 90
Allied Telesis AT-9424Ts/XP AC Datasheet preview
AT-9424Ts/XP AC
Brand: Allied Telesis Pages: 3
KEMP Technologies LoadMaster 1500 Installation And Configuration Manual preview
LoadMaster 1500
Brand: KEMP Technologies Pages: 71
Ensemble Designs Avenue Express Control Panel Data Pack preview
Avenue Express Control Panel
Brand: Ensemble Designs Pages: 19
LogLogic LX 1010 Quick Start Manual preview
LX 1010
Brand: LogLogic Pages: 30
Mercusys MR30G Quick Installation Manual preview
MR30G
Brand: Mercusys Pages: 35
Teac HD-35NAS User Manual preview
HD-35NAS
Brand: Teac Pages: 20
Maple Systems cMT-FHDX Series Installation Instruction preview
cMT-FHDX Series
Brand: Maple Systems Pages: 2
NETGEAR Powerline 100 Installation Manual preview
Powerline 100
Brand: NETGEAR Pages: 2
Ericsson Marconi OMS 1200 Product Description preview
Marconi OMS 1200
Brand: Ericsson Pages: 136
JUMO iTRON B 70.2040 Operating Instructions Manual preview
iTRON B 70.2040
Brand: JUMO Pages: 41
Isee IGEPv2 BOARD Hardware Reference Manual preview
IGEPv2 BOARD
Brand: Isee Pages: 68
Hunter Pro-C Series Programming Instructions preview
Pro-C Series
Brand: Hunter Pages: 2
Aaeon FWS-7150 Manual preview
FWS-7150
Brand: Aaeon Pages: 57
Juniper NSM4000 Hardware Manual preview
NSM4000
Brand: Juniper Pages: 196

Brands by name

Popular brands

Load more brands