Fidelis Common Criteria Скачать руководство пользователя страница 22 | Manualshive

Страница: 22 / 25

background image

Fidelis Network Common Criteria Configuration Guide Version 9.0.3

19

www.fidelissecurity.com

TLS

When setting up TLS communications using certificates, following guidance instructions is crucial, as it
will help to avoid potential TLS Handshake problems, such as TLS certificate verification failures,
common cipher negotiation failures, TLS version mismatch, etc. Examples of these failures are given in
the table: SFRs and Auditable Events for SFRs FCS_TLSC_EXT.1, FCS_TLSC_EXT.2,
FCS_TLSS_EXT.1, FCS_TLSS_EXT.2.
Recovery steps for TLS failures are common for all TOE interfaces utilizing TLS as secure transport layer,
whether the TOE acts a TLS client or a TLS server, or both, and apply to K2 Web Server, K2 LDAP TLS
client, syslog-ng TLS client, the Fidelis Insight Server TLS client, and distributed TOE intercomponent
TLS communications.

Table 1. Common TLS Errors and Recovery Options

SFR

Error

Recovery
Steps

Sample Log

FCS_TLSC_
EXT.1

Failure to
establish a TLS
session due to
misconfiguration.
CA certificate file
is not found. CRL
file is not found.

Verify that
correct CA
certificate and
CRL files are
installed in the
path specified
by the error
message.

Aug 10 10:31:28 localhost FSS
audit[91999]: Sensor <linux90s-sensor>
Error loading CA file:
/FSS/etc/pki/cacert.pem
Aug 10 10:31:28 localhost TLS ERROR:
error:02001002:system library:fopen:No
such file or directory
Aug 10 10:31:28 localhost
error:2006D080:BIO
routines:BIO_new_file:no such file
Aug 10 10:31:28 localhost
error:0B084002:x509 certificate
routines:X509_load_cert_crl_file:system
lib

FCS_TLSC_
EXT.2

Failure to
establish a TLS
Session due to
peer
misconfiguration.
Peer is configured
for Anonymous
Diffie-Hellman and
not authenticated
TLS. Or peer is
configured with
wrong CA
certificate. Or peer
is not configured
with correct end
point certificate.
No peer certificate
is returned.

Verify that peer
is configured
with correct CA
and end point
certificate(s).

Aug 10 10:22:04 localhost FSS
audit[85359]: Sensor <linux90col> TLS
ERROR: Local: 10.89.184.32, Remote:
10.89.184.31, Failed to obtain peer
certificate

«
...
20
21
22
23
24
...
»

Содержание Common Criteria

Страница 1: ...Fidelis Network Common Criteria Configuration Guide Version 9 0 3 ...

Страница 2: ...ts original electronic form and print copies for personal use This document cannot be modified or converted to any other electronic or machine readable form in whole or in part without prior written approval of Fidelis Cybersecurity While we have done our best to ensure that the material found in this document is accurate Fidelis Cybersecurity makes no guarantee that the information contained here...

Страница 3: ...cess 4 Change the Default Account Passwords 4 Command Line Session Inactivity Timeout 4 Configure Password Requirements for Local Users 5 Enhanced Information for Common Criteria Configuration of 1 7 Appendix C Common Criteria 7 Common Criteria Compliant Configuration 7 Common Criteria Compliant Trusted Channels to External Components 8 System Updates 8 Digital Signatures for Updates 8 Common Crit...

Страница 4: ...de 1 The information in the following sections is new or corrected information related to the Enterprise Setup and Configuration Guide 1 reproduced as entire sections in this document This document provides or references all the necessary instructions to configure monitor and maintain Fidelis Network as certified by Common Criteria This Configuration Guide is applicable to Fidelis Network Version ...

Страница 5: ...ck user name at the top of the GUI For iLO the user ID and password are on the unit s label on top of the server Once the user connects to the iLO via a web browser these credentials are needed After logging in the user ID and password can be changed For IMM account and initial password are Account Initial password How to reset USERID PASSW0RD with a zero not the letter O Click Login Settings in t...

Страница 6: ... 5 After configuration is complete type exit to log out Appendix A Security Certificates and Common Access Cards Obtaining and Importing a Certificate Follow instructions in this section to generate a Certificate Signing Request CSR obtain a certificate CA certificates CRL import these for use by a Fidelis Network component Run all commands in this section as root In all commands subsystem is the ...

Страница 7: ... the certificate For example the component with IPv4 address 192 168 1 40 hostname sensor1 and domain mycompany local should have Subject Alternative Name as follows X509v3 extensions X509v3 Subject Alternative Name IP Address 191 168 1 40 IP Address 0 0 0 0 0 FFFF C0A8 128 DNS sensor1 DNS sensor1 mycompany local In Common Criteria compliant mode of operation the verifyhost parameter in configurat...

Страница 8: ...length is administrator configurable from 1 to 999 characters Recommended value is 8 Fidelis Network components utilize Linux Pluggable Authentication Module PAM which provides dynamic authentication support for component applications and services To configure minimum password length for logging into the component via the console the pam cracklib module minlen parameter must be set to the desired ...

Страница 9: ...alue and includes the number of characters in the password as well as complexity factors from the password itself For example if and how many capitals numbers or special characters it has In addition to the number of characters in the new password credit of 1 in length is given for each different kind of character other upper lower and digit The default for this parameter is 9 ...

Страница 10: ...m administrator privileges 6 Log in as the system administrator user and create user accounts for each person who will use the K2 The admin account should not be used anymore 7 Ensure that session timeouts are set for command line Command Line Session Inactivity Timeout and GUI access GUI Session Inactivity Timeout 8 Create a custom login banner Refer to Custom Login Banner 9 If you are using LDAP...

Страница 11: ...d LDAP servers with TLS enabled communications Refer to Enable Client Authentication Refer to chapter 13 of User Guide System Updates Digital Signatures for Updates Fidelis checks for software updates available on the Fidelis Insight Cloud using HTTPS connections A software update is available as a tar package along with its digital signature created using RSA secret key Fidelis will download both...

Страница 12: ...verification check failure Power on Self Tests and Process Manager Each system daemon that utilizes Cryptographic Module of the component openssl 1 0 1e fips performs Power on Self Test POST upon initialization In case of POST failure the process or service will fail to initialize and the Cryptographic Module initialization failure messages are entered in var log messages for example Jun 3 23 01 0...

Страница 13: ...s and Auditable Events SFR Event Additional Information Sample Log FAU_GEN 1 Start up of audit functions None Sep 8 11 38 12 10 42 212 199 localhost syslog ng 2368 syslog ng starting up version 3 7 3 Sep 8 14 25 43 localhost FSS audit 2423 System startup Shutdown of audit functions None Sep 8 11 34 59 10 42 212 199 04 localhost syslog ng 2369 syslog ng shutting down version 3 7 3 Sep 8 14 23 17 lo...

Страница 14: ...ailure Aug 10 10 31 28 localhost FSS audit 91999 Sensor linux90s sensor Error loading CA file FSS etc pki cacert pem Aug 10 10 31 28 localhost TLS ERROR error 02001002 system library fopen No such file or directory Aug 10 10 31 28 localhost error 2006D080 BIO routines BIO_new_file no such file Aug 10 10 31 28 localhost error 0B084002 x509 certificate routines X509_load_cert_crl_file system lib FCS...

Страница 15: ...TLS ERROR Local ffff 10 89 184 31 Remote ffff 10 89 184 32 error 140890B2 SSL routines SSL3_GET_CLIENT_CERTIFI CATE no certificate returned FIA_AFL 1 Unsuccessful login attempts limit is met or exceeded Administrator identity and the origin of the login attempt e g IP address Sep 8 11 26 18 localhost FSS audit 106367 k2admin failed attempt to login from 10 89 184 30 calling login Sep 8 11 26 28 lo...

Страница 16: ... Cybersecurity OU Research and De velpoment CN Vadim Fidelis RootCA1 emailAddress VF RootCA1 fidelissecurity com Aug 11 13 34 33 localhost Subject C US ST MD L Bethesda O Fidelis Cybersecurity OU Research and D evelpoment CN VF RCA1 Server1 emailAddress VF RCA1 Server1 fidelissecurity com Aug 11 13 34 33 localhost TLS ERROR Local ffff 10 89 184 31 Remote ffff 10 89 184 32 error 140890B2 SSL routin...

Страница 17: ...F data TSF data affected by the change Sep 8 15 07 43 localhost FSS audit 21670 FSS etc login cf changed pw_minlen from 0 to 10 Sep 8 15 12 58 localhost FSS audit 24675 New file FSS jail FPDATA k2admin contentfinger print big txt created FMT_MTD 1 CryptoKeys Management of cryptographic keys Key Management action generation destruction import and Critical Security Parameter CSP identification Sep 8...

Страница 18: ...T Sep 8 23 40 11 localhost SHA 256 fingerprint AA 20 D3 46 F7 5D 08 58 E5 86 6 C 41 E6 14 7B A1 E4 6B FA A7 EB 38 A1 2F D1 4B F8 A4 70 73 C B 4C FPT_ITT 1 Initiation of the trusted channel Termination of the trusted channel Failure of the trusted channel functions Identification of the initiator and target of failed trusted channels establishment attempt Mar 29 16 18 37 localhost FSS audit 77497 a...

Страница 19: ...w York New time Fri Sep 8 17 46 40 UTC 2017 EST5EDT Set by localhost FPT_TUD_E XT 1 Initiation of update Identification of the initiator software update version and target s of update Feb 21 10 47 03 localhost FSS audit 32671 admin started install of version 9 0 3 20180221 for components linux90col Result of the update attempt success or failure Target of update distributed TOE component identific...

Страница 20: ...111 time_reopen 10 FTP_TRP 1 Admin Initiation of the trusted channel Identification of the claimed user identity Mar 17 09 52 00 10 42 209 241 FSS audit admin logged on from 10 42 29 155 Termination of the trusted channel Identification of the claimed user identity Mar 17 10 00 07 10 42 209 241 FSS audit admin logged out from 10 42 209 241 Failure of the trusted channel functions Identification of...

Страница 21: ...b Proxy and processes it for policy violations Making Configuration Changes The vi editor bin vi may be used when making manual changes to files on a Fidelis Network system Set Up FIPS 140 2 Certificates Fidelis Network ships with FIPS 140 2 mode for communication enabled by default Users must install and set up FIPS 140 2 compliant certificates and enable FIPS 140 2 encryption for data storage on...

Страница 22: ...1 Failure to establish a TLS session due to misconfiguration CA certificate file is not found CRL file is not found Verify that correct CA certificate and CRL files are installed in the path specified by the error message Aug 10 10 31 28 localhost FSS audit 91999 Sensor linux90s sensor Error loading CA file FSS etc pki cacert pem Aug 10 10 31 28 localhost TLS ERROR error 02001002 system library fo...

Страница 23: ...r and or TLS Client set as appropriate Aug 11 13 34 33 localhost FSS audit 42996 TLS ERROR Local ffff 10 89 184 31 Remote ffff 10 89 184 32 Certificate verification error 26 unsupported certificate purpose Aug 11 13 34 33 localhost Depth 0 Aug 11 13 34 33 localhost Issuer C US ST MD L Bethesda O Fidelis Cybersecurity OU Research and De velpoment CN Vadim Fidelis RootCA1 emailAddress VF RootCA1 fid...

Страница 24: ...nnection is first established upon successful registration of the component to K2 test functions are available to verify proper connections However network connections may fail for many reasons Fidelis Network will continually attempt to reestablish the connection until working order is restored Messages are available from log files to indicate any detected errors in communications After restoring...

Страница 25: ...iguration Guide Version 9 0 3 22 www fidelissecurity com References 1 Fidelis Cybersecurity Fidelis Network Version 9 0 3 Enterprise Setup and Configuration Guide 2017 2 Fidelis Cybersecurity Fidelis Network Version 9 0 3 User Guide 2017 ...

Отзывы:

Нет отзывов

Похожие инструкции для Common Criteria

Бренд: dbx Страницы: 2

Бренд: dbx Страницы: 17

Бренд: Jetter Страницы: 35

Бренд: Ubiquiti Страницы: 22

Бренд: Ublox Страницы: 17

Бренд: TFortis Страницы: 86

ADSL 2/2+ Router with USB Port ADE-3410v2

Бренд: Planet Страницы: 62

Бренд: Black Box Страницы: 37

Бренд: Patton electronics Страницы: 12

Surround Dongle

Бренд: Sennheiser Страницы: 18

InterReach Fusion SingleStar

Бренд: LGC wireless Страницы: 154

WGR614 - Wireless-G Router Wireless

Бренд: NETGEAR Страницы: 116

Бренд: B&B Electronics Страницы: 2

Бренд: Digisol Страницы: 22

Бренд: NBase Страницы: 18

Бренд: Gearlinx Страницы: 23

Бренд: VideoWave Страницы: 12

Бренд: National Instruments Страницы: 121

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды