National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Validation Report
FireEye MAS and MPS 2000, 4000, and 7000 Series with
Central Management System v.5.0
Report Number: CCEVS-VR-VID10420-2010
Version 1.0
October 11, 2010
National Institute of Standards and Technology National Security Agency
Information Technology Laboratory Information Assurance Directorate
100 Bureau Drive 9800 Savage Road STE 6757
Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6757
®
TM
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
ii
Table of Contents
1 EXECUTIVE SUMMARY................................................................................................................................3
2 EVALUATION DETAILS ................................................................................................................................3
2.1 THREATS TO SECURITY ....................................................................................................................................4
3 IDENTIFICATION ...........................................................................................................................................5
4 SECURITY POLICY ........................................................................................................................................5
4.1 SECURITY AUDIT .............................................................................................................................................5
4.2 IDENTIFICATION AND AUTHENTICATION..........................................................................................................5
4.3 SECURITY MANAGEMENT ................................................................................................................................6
4.4 PROTECTION OF THE TSF.................................................................................................................................6
4.5 ENCRYPTED COMMUNICATIONS.......................................................................................................................6
4.6 INTRUSION DETECTION SYSTEM ......................................................................................................................7
5 ASSUMPTIONS.................................................................................................................................................7
5.1 INTENDED USAGE ASSUMPTIONS .....................................................................................................................7
5.2 PERSONNEL ASSUMPTIONS ..............................................................................................................................7
5.3 PHYSICAL ASSUMPTIONS .................................................................................................................................8
6 CLARIFICATION OF SCOPE........................................................................................................................8
6.1 SYSTEM REQUIREMENTS..................................................................................................................................8
7 ARCHITECTURAL INFORMATION............................................................................................................9
7.1 TOE COMPONENTS ........................................................................................................................................10
7.1.1 Config ..................................................................................................................................................10
7.1.2 CLI.......................................................................................................................................................10
7.1.3 WebUI..................................................................................................................................................10
7.1.4 Linux Kernel v.2.6.32...........................................................................................................................10
7.1.5 Analysis Environment ..........................................................................................................................10
7.1.6 Signature Matching..............................................................................................................................11
7.1.7 Events Storage .....................................................................................................................................11
7.1.8 Alerts....................................................................................................................................................11
7.1.9 Internet.................................................................................................................................................11
7.1.10 Monitored Network .........................................................................................................................11
7.1.11 NTP Server......................................................................................................................................11
7.1.12 FireEye Malware Analysis and Exchange (MAX) Network ............................................................11
7.1.13 USB.................................................................................................................................................11
8 DOCUMENTATION.......................................................................................................................................12
9 TOE ACQUISITION.......................................................................................................................................12
10 IT PRODUCT TESTING................................................................................................................................12
10.1 TEST METHODOLOGY.........................................................................................................................13
10.1.1 Vulnerability Testing.......................................................................................................................13
10.1.2 Vulnerability Results.......................................................................................................................14
11 RESULTS OF THE EVALUATION..............................................................................................................15
12 VALIDATOR COMMENTS/RECOMMENDATIONS...............................................................................16
12.1 SECURE INSTALLATION AND CONFIGURATION DOCUMENTATION.............................................................16
13 SECURITY TARGET .....................................................................................................................................16
14 LIST OF ACRONYMS....................................................................................................................................16
15 TERMINOLOGY ............................................................................................................................................17
16 BIBLIOGRAPHY ............................................................................................................................................18
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
3
1 Executive Summary
The Target of Evaluation (TOE) is FireEye MAS and MPS 2000, 4000, and 7000 Series
with Central Management System v.5.0. The TOE was evaluated by the Booz Allen
Hamilton Common Criteria Test Laboratory (CCTL) in the United States and was
completed in October 2010. The evaluation was conducted in accordance with the
requirements of the Common Criteria, Version 3.1 Revision 3 and the Common
Methodology for IT Security Evaluation (CEM), Version 3.1 Revision 3. The evaluation
was for Evaluation Assurance Level 2 (EAL2) augmented with ALC_FLR.2 (Flaw
Remediation - Flaw reporting procedures). The evaluation was consistent with National
Information Assurance Partnership (NIAP) Common Criteria Evaluation and Validation
Scheme (CCEVS) policies and practices as described on their web site
(www.niap.ccevs.org).
FireEye detects malware by analyzing suspicious network flows in virtual victim
machines. The FireEye appliance identifies malicious attacks, including those targeting
web browsers. It secures against both widespread and targeted network malware without
relying on manual IT analysis. Signature matching is used in the IDS process, but the IDS
process does not rely on the signature matching components or updated signatures to
function properly. After definitively confirming a targeted malware attack, the FireEye
appliance is integrated into a network to block the attack, quarantine the infected host and
alert Administrators to the incident.
The FireEye appliance, when configured as specified in the installation guides and user
guides, satisfies all of the security functional requirements stated in the TOE’s Security
Target.
The cryptography used in this product has not been FIPS-certified, nor has it been
analyzed or tested to conform to cryptographic standards during this evaluation. All
cryptography has only been asserted as tested by the vendor.
The technical information included in this report was largely derived from the Evaluation
Technical Report and associated test reports produced by the evaluation team. The
FireEye Security Target version 1.2, dated 30 August 2010 identifies the specific version
and build of the evaluated TOE. This Validation Report applies only to that ST and is not
an endorsement of the FireEye appliance by any agency of the US Government and no
warranty of the product is either expressed or implied.
2 Evaluation Details
Evaluated Product
FireEye MAS and MPS 2000,
4000, and 7000 Series with
Central Management System
v.5.0
Sponsor & Developer FireEye, Milpitas, CA
CCTL Booz Allen Hamilton,
Linthicum, Maryland
Completion Date October 2010
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
4
CC Common Criteria for
Information Technology
Security Evaluation, Version
3.1 Revision 3, July 2009
Interpretations None.
CEM Common Methodology for
Information Technology
Security Evaluation, Version
3.1 Revision 3, July 2009
Evaluation Class EAL2 Augmented ALC_FLR.2
Description The TOE is the FireEye
appliance, which is a security
software product developed by
FireEye, Inc. as an Intrusion
Detection System.
Disclaimer The information contained in
this Validation Report is not an
endorsement of the FireEye
product by any agency of the
U.S. Government, and no
warranty of the IDS product is
either expressed or implied.
PP US Government Protection
Profile Intrusion Detection
System System for Basic
Robustness Environments v.1.7
Evaluation Personnel Christopher Gugel
Kevin Micciche
Derek Scheer
Amit Sharma
Emmanuel Apau
Validation Body NIAP CCEVS
2.1 Threats to Security
Table 2 summarizes the threats that the evaluated product addresses.
Table 2 – Threats
An unauthorized user may attempt to compromise the integrity of the data collected and
produced by the TOE by bypassing a security mechanism.
An unauthorized user may attempt to disclose the data collected and produced by the TOE by
bypassing a security mechanism.
An unauthorized user may attempt to remove or destroy data collected and produced by the TOE.
An unauthorized user may attempt to compromise the continuity of the System’s collection and
analysis functions by halting execution of the TOE.
An unauthorized user may gain access to the TOE and exploit system privileges to gain access to
TOE security functions and data.
An unauthorized user may inappropriately change the configuration of the TOE causing potential
intrusions to go undetected.
An unauthorized user may cause malfunction of the TOE by creating an influx of data that the
TOE cannot handle.
Unauthorized attempts to access TOE data or security functions may go undetected.
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
5
A malicious user could eavesdrop on network traffic to gain unauthorized access to TOE data.
Improper security configuration settings may exist in the IT System the TOE monitors.
Users could execute malicious code on an IT System that the TOE monitors which causes
modification of the IT System protected data or undermines the IT System security functions.
Vulnerabilities may exist in the IT System the TOE monitors.
The TOE may fail to react to identified or suspected vulnerabilities or inappropriate activity.
The TOE may fail to recognize vulnerabilities or inappropriate activity based on IDS data
received from each data source.
The TOE may fail to identify vulnerabilities or inappropriate activity based on association of IDS
data received from all data sources.
Unauthorized accesses and activity indicative of misuse may occur on an IT System the TOE
monitors.
Inadvertent activity and access may occur on an IT System the TOE monitors.
Malicious activity, such as introductions of Trojan horses and viruses, may occur on an IT
System the TOE monitors.
3 Identification
The product being evaluated is FireEye MAS and MPS 2000, 4000, and 7000 Series
with Central Management System v.5.0.
4 Security Policy
4.1 Security Audit
The MPS, Malware-Analysis, and CMS instances all perform their own auditing. Each
appliance audits its own behavior and stores its syslog, or audit data in its respective
internal database. CMS receives detections of audit events from all other instances and
can display the aggregated audit data through reports via the CLI. Audit data can only be
reviewed via the CLI, and only Administrators can access the audit data. Administrators
can either use the CLI on each instance of FireEye to view and sort audit data for that
particular appliance, or they use the CLI on the CMS to view audit data for all FireEye
appliances. Audit data can be sorted based on the following: date and time, subject
identity, event type, and outcome of event. Audit data is provided to the Administrator as
columnar results as Linux syslog file data.
All user actions and cryptographic actions on the TOE are audited by the CLI. The CLI
is a universal backend for WebUI and LCD commands, which are translated into CLI
commands and forwarded to the TOE component where they are executed, Config or
Events Storage.
4.2 Identification and Authentication
All users must be identified and authenticated to the TOE via username and password
before being allowed to perform any actions on the TOE. The exception to this is that
users are allowed to perform TOE functions via the password protected LCD panel
without identifying themselves to the TOE. Since a username is not required to
authenticate to the LCD panel, it is assumed that individuals with physical access to the
TOE will also be users of the TOE. The LCD panel is meant for initial setup only, and as
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
6
such is not part of the TSF for the evaluated configuration. The TOE maintains specific
security attributes about users in order to correctly identify them with their TOE-
associated abilities as well as for future authentication attempts. If a user enters incorrect
credentials multiple times, he or she is forbidden from re-attempting to authenticate until
a set amount of time has elapsed. The number of incorrect attempts allowed is pre-
determined by the Administrator. In addition, the TOE appliances authenticate to the
MAX Network and the MAX Network authenticates to the TOE appliances in order to
pass updates to the Updates component. This authentication is performed through the use
of vendor supplied username and password and through the use of certificates.
4.3 Security Management
The TOE maintains two roles – Administrator and Monitor. Users under the
Administrator role have the ability to perform all administrative functions (e.g. user
management, audit management) and monitoring functions.
Users under the Monitor role are able to perform all changes pertaining to monitoring
functionality, but are not allowed to perform any other administrative functionality (i.e.
user management, audit configuration). Users can perform limited configuration
functions via the LCD panel. All functions performed from the LCD panel can also be
performed from the WebUI or CLI once the user has authenticated to the WebUI or CLI.
The LCD panel is meant for initial setup only, and therefore is not included in the
evaluated configuration. Additionally, most functions performed from the CLI can also
be performed from the Web UI, with the exception of reviewing audit data.
4.4 Protection of the TSF
The TOE is expected to ensure the security and integrity of all data that is stored locally
and accessed remotely. The TOE ensures that all local system data is available to any
remote trusted IT products (i.e. other TOE components). Additionally, the transmitted
and received data is protected against unauthorized viewing by third parties through the
use of encryption. All data transferred is monitored for changes during transmission, and
integrity verification measures are taken if modifications have been detected. Time
stamps are added to all audit logs and system events in order to maintain accurate
records. The system clock time is kept accurate by automatically getting accurate time
readings from the NTP Server to which the FireEye appliance is connected.
4.5 Encrypted Communications
The TOE is expected to utilize sufficient security measures to protect its data in
transmission, which means it needs to utilize cryptographic methods and trusted
channels. The TOE generates cryptographic keys to protect transmitted data. The TOE is
also responsible for destroying these same keys when they are no longer needed.
Administrators and Monitors who access the TOE remotely rely on a trusted path to
secure their communication with the TOE via the WebUI. This trusted path is established
using OpenSSL 0.9.8e. OpenSSL is also used for protected communication to/from the
MAX Network. Additionally, users who access the TOE via the CLI must use OpenSSH
3.8.1p1 functionality to secure their communications with the TOE. OpenSSH
functionality is also used for protection of data transferred between TOE components.
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
7
4.6 Intrusion Detection System
The TOE monitors the network’s traffic for detected malicious code, service requests,
and service configuration, among other information. Anything that the TOE determines
is malicious becomes an event. General information is recorded for each event, and each
type of event has more specific classifications that are recorded. See Section 9.1.6 for
more information on the data that is collected by the TOE.
The TOE analyzes recorded data on a statistical, signature, virtual machine, and/or
heuristic basis. Each analytical result is recorded with basic information, as well as
changes in the OS or network, and whether or not a buffer overflow was attempted.
Administrators and Monitors are able to view the data via the WebUI or CLI. Once a
threat has been detected, the system sends an alarm to the Administrator or Monitor.
Depending on the deployment (inline or SPAN/tap), the TOE is also capable of dropping
the traffic that was shown to represent a threat.
Data in the system is protected from unauthorized deletion or modification. System data
is archived to a local file once the predefined number of events has been recorded to the
internal database. An alarm is used to alert Administrators and Monitors of this issue.
5 Assumptions
5.1 Intended Usage Assumptions
Table 1 – Intended Usage Assumptions
5.2 Personnel Assumptions
Table 2– Personnel Assumptions
There will be one or more competent individuals assigned to manage the TOE and the
security of the information it contains.
The authorized administrators are not careless, willfully negligent, or hostile, and will
follow and abide by the instructions provided by the TOE documentation.
The TOE can only be accessed by authorized users.
The TOE has access to all the IT System data it needs to perform its functions.
The TOE will be managed in a manner that allows it to appropriately address changes in
the IT System the TOE monitors.
The TOE is appropriately scalable to the IT System the TOE monitors.
There are no general-purpose computing capabilities (e.g., the ability to execute
arbitrary code or applications) on the TOE.
The TOE will connect to the MAX Network for signature updates and to upload
detected malware.
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
8
5.3 Physical Assumptions
Table 3 – Physical Assumptions
The TOE hardware and software critical to security policy enforcement will be
protected from unauthorized physical modification.
The processing resources of the TOE will be located within controlled access facilities,
which will prevent unauthorized physical access.
6 Clarification of Scope
The TOE includes all the code that enforces the policies identified (see Section 4).
The evaluated configuration of the TOE includes the FireEye MAS and MPS 2000,
4000, and 7000 Series with Central Management System v.5.0 product that is
comprised of the following:
2000 Series Appliance
4000 Series Appliance
7000 Series Appliance
CMS running on 4000 Series Appliance
6.1 System Requirements
The following components are provided on the appliances for the TOE:
Hardware Components
FireEye running on a 2000 Series appliance
Traffic Monitoring Ports: 2
Physical Appliance Size: 1U half-depth
LCD Panel: No
Throughput: 20-45 Mbps
FireEye running on a 4000 Series appliance
Traffic Monitoring Ports: 4
Physical Appliance Size: 1U half-depth
LCD Panel: Yes
Throughput: 250 Mbps
FireEye running on a 7000 Series appliance
Traffic Monitoring Ports: 4
Physical Appliance Size: 2U half-depth
LCD Panel: Yes
Throughput: 1 Gbps
FireEye CMS running on a 4000 Series appliance
Traffic Monitoring Ports: N/A
Physical Appliance Size: 1U half-depth
LCD Panel: Yes
Throughput: N/A
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
9
Note: Software Requirements are not needed as the product is shipped on hardware. All
software is provided with the TOE and no additional software can be added.
In the evaluated configuration, the TOE will consist of three machines running the
analysis and central management functions of the TOE. No non-TOE software is required
to run the TOE.
7 Architectural Information
The TOE’s boundary has been defined in Figure 1 and Figure 2.
LEGEND
TOE
Component
Kernel TOE
Component
Environment
TOE
Linux Kernel
2.6.32
Alerts
Internet
WebUI
Analysis
Environment
Events Storage
Config
Signature Matching
Monitored
Network
USB
Drive
SSL
CLI
MAX
Network
Updates
NTP
Server
SSL and SSH
SSL
Administrator/
Monitor SSH
SMTP
Firewall
User
LCD
Excluded
Component
Figure 1 – TOE Boundary for MPS and Malware-Analysis Appliances
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
10
Linux Kernel
2.6.32
WebUI
Events Storage
Config
Administrator/
Monitor
SSL
CLI
SSH
Web
Product
OS
Product
Malware
Product
LEGEND
TOE
Component
Kernel TOE
Component
Environment
NTP Server
SSH
Excluded
Component
LCD
User
Figure 2 – Central Management System TOE Boundary
7.1 TOE Components
7.1.1 Config
Component of FireEye that contains and modifies all FireEye system configurations, user
configurations and auditing options.
7.1.2 CLI
Command-line interface that uses OpenSSL SSH functionality and allows Administrators
to perform administrative functions. Monitors do not have access to the CLI.
7.1.3 WebUI
Browser-based interface that OpenSSL and allows Administrators to perform
administrative functions, and allows both Administrators and Monitors to perform
monitoring functions.
7.1.4 Linux Kernel v.2.6.32
The Kernel is Linux v2.6.32 and holds basic system functionality that is important in the
TOE. The kernel is physically contained in the FireEye appliance and provides OS
functionality to the rest of the TOE, including capture, clock, and audit functionalities.
The basic functionality of the operating system beyond this is not security relevant for the
evaluated configuration.
7.1.5 Analysis Environment
Creates and manages virtual machines that are used for simulated traffic to determine if
suspicious traffic and binaries are malicious in nature.
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
11
7.1.6 Signature Matching
This checks data against known malware and botnet traffic to determine if the traffic
needs to be run by the analysis environment.
7.1.7 Events Storage
Records information regarding infections and callbacks on systems within the network,
and applies basic identifying information.
7.1.8 Alerts
This is the mechanism for notifying Administrators or Monitors in the event of a detected
infection or callback.
7.1.9 Internet
The Internet contains the Monitored Network, the NTP Server, and the MAX Network.
Additionally, the TOE can configure alerts to be sent to the Internet via SMTP, SNMP,
and HTTP POST methods. The command line SMTP client used for email notifications
is v2.5.1.
7.1.10 Monitored Network
In the evaluated configuration, all internet traffic passing through the switch FireEye is
connected to is also passed into FireEye. This data gets sent through the Statistical,
Signature, and Heuristic analysis. If the traffic is determined to be suspicious from using
any of the previous analysis methods, then the traffic is sent through Virtual Machine
analysis. All data transferred, including but not limited to URLs, executables, and code, is
evaluated.
7.1.11 NTP Server
FireEye appliances utilize NTP Servers by default. An NTP Server keeps the system up
to date with the latest system time from their servers. In this case, it is used for accurate
timestamps on audit and system data.
7.1.12 FireEye Malware Analysis and Exchange (MAX) Network
The FireEye MAX Network circulates the latest malware analysis intelligence to
participating FireEye appliances, ensuring customer data, intellectual property, and
resources are safeguarded from the threat of network malware and botnets. The ability
to connect to the MAX Network to receive signature updates and to upload detected
malware is included in the evaluated configuration. The MAX Network itself is a
component of the operational environment in the evaluated configuration because it is a
server that sits in a server room at FireEye HQ. It's a trusted IT product with which the
TOE can interact, but it's not considered part of the TOE since it belongs to the vendor
and not the customer.
7.1.13 USB
While system updates can come from the Internet, a user can also load the updates onto a
USB drive and plug it into the FireEye appliance physically. This allows users an
alternate way to install updates, which must be encrypted on upload and decrypted on
install. USB drives also cannot be mounted to install untrusted software to FireEye.
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
12
8 Documentation
The following end-user documents were evaluated under the ASE and AGD classes:
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management
System v.5.0 Security Target, Version 1.2
FireEye Appliance Operator’s Guide Version 5.0
FireEye CMS Operator’s Guide Version 5.0
FireEye CLI Command Reference Guide Version 5.0
FireEye™ Appliance Quick Start Guide
Evaluated Configuration for FireEye 2000, 4000, and 7000 Series MAS and MPS
with Central Management System v.5.0, dated August 2010
9 TOE Acquisition
The NIAP-certified FireEye product is acquired via normal sales channels, and
physical delivery of the TOE is coordinated with the end customer by FireEye, Inc.
10 IT Product Testing
The test team's test approach is to test the security mechanisms of the FireEye MAS and
MPS 2000, 4000, and 7000 Series with Central Management System v.5.0 by exercising
the external interfaces to the TOE and viewing the TOE behavior on the platform. Each
TOE external interface is described in FireEye design documentation (e.g., FSP) in terms
of the relevant claims on the TOE that can be tested through the external interface. The
ST, TOE Design (TDS), Functional Specification (FSP), Security Architecture (ARC)
and the vendor's test plans used to demonstrate test coverage of all EAL2 requirements
for all security relevant TOE external interfaces. TOE external interfaces that will be
determined to be security relevant are interfaces that
change the security state of the product,
permit an object access or information flow that is regulated by the security
policy,
are restricted to subjects with privilege or behave differently when executed by
subjects with privilege,
invoke or configure a security mechanism, or
provide IDS functionality to the TOE.
Security functional requirements determined to be appropriate to a particular interface if
the behavior of the TOE that supported the requirement could be invoked or observed
through that interface.
The evaluation team created a test plan that contained a sample of the vendor functional
test suite, and supplemental functional testing of the vendors’ tests. Booz Allen also
performed vulnerability assessment and penetration testing.
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
13
10.1 TEST METHODOLOGY
10.1.1 Vulnerability Testing
The evaluation team created a set of vulnerability tests to attempt to subvert the security
of FireEye. These tests were created based upon the evaluation team's review of the
vulnerability analysis evidence and independent research. The Evaluation Team
conducted searches for public vulnerabilities related to the TOE. A few notable resources
consulted include securityfocus.com, the cve.mitre.org, and the nvd.nist.gov.
Upon the completion of the vulnerability analysis research, the team had identified
several generic vulnerabilities upon which to build a test suite. These tests were created
specifically with the intent of exploiting these vulnerabilities within the TOE or its
configuration.
The team tested the following areas:
Eavesdropping on Communications
In this test, the evaluators manually inspected network traffic to and from the
TOE in order to ensure that no useful or confidential information could be
obtained by a malicious user on the network. This test was specialized for the
following interfaces:
o WebUI
o CLI
Port Scanning
Remote access to the TOE should be limited to the standard TOE interfaces and
procedures. This test attempted to find ways to bypass these standard interfaces
of the TOE and open any other vectors of attack.
Vulnerability Scanner (Nessus)
This test used the Nessus Vulnerability scanner to test any and all open interfaces
on any applicable systems of the TOE. The scanner probes a wide range of
vulnerabilities that includes but is not limited to the following:
Backdoors
CGI abuses
Denial of Service
Finger abuses
Firewalls
FTP
Gain a shell remotely
Gain root remotely
General
Miscellaneous
Netware
NIS
Port scanners
Remote file access
RPC
Settings
SMTP Problems
SNMP
Untested
Useless services
TCP Malformed Packet Flooding
This test attempted to shutdown TOE resources by flooding the network with
large amounts of malformed tcp packets.
Unauthenticated Access / Directory Traversal Attack
This test used “URL hacking” to attempt to access protected TOE resources by
injecting unexpected input into requests that were sent to the TOE. This was done
using two different approaches to URL exploitation.
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
14
o The first part attempted to access protected TOE resources as an
unauthenticated outsider.
o The second part attempted to access local TOE resources that should be
protected from any remote access (unauthenticated and authenticated).
SQL Injection / Cross Site Scripting Attack / Cross Site Request Forgery (Paros,
WebScarab)
This test executed automated SQL Injection and Cross Site Scripting attacks
against the TOE. The evaluators determined any fields or variables that could be
prone to attack. They then used a scanner, which contained a large database of
standard strings that are used for testing SQL Injection and Cross Site Scripting
issues. These strings were input into the various fields and variables and the
output was analyzed for inconsistencies.
Web Server Vulnerability Scanner (Nikto)
This test used the Nikto web server vulnerability scanner to test for any known
vulnerabilities that could be present in the TOE’s web interfaces. This scanner
probed a wide range of vulnerabilities that included the following:
File Upload.
Interesting File / Seen in logs.
Misconfiguration / Default File.
Information Disclosure.
Injection (XSS/Script/HTML).
Remote File Retrieval
Denial of Service.
Command Execution / Remote Shell.
SQL Injection.
Authentication Bypass.
Software Identification
Remote source inclusion.
Vulnerability Scanner (Retina)
This test uses the Retina Vulnerability scanner to test any and all open interfaces
on any applicable systems of the TOE.
The scanner probes a wide range of vulnerabilities that includes but is not limited
to the following:
Accounts
Anti-Virus
Backdoors
CGI Scripts
Database Issues
DoS
IP Services
Registry
Remote Access
RPC Services
Service Control
Spyware
Web Services
CVE Issues
SecurityFocus BID
Issues
10.1.2 Vulnerability Results
The following lists any issues that were discovered as a result of the vulnerability testing
process. These issues, along with the related guidance for mitigation, have been met in
the “Evaluated Configuration for FireEye MAS and MPS 2000, 4000, and 7000 Series
with Central Management System v.5.0” through patching and are included in all releases
of the TOE. These issues have been broken up into the following categories:
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
15
10.1.2.1 Fixed in CC Version Based on Testing Results
Cross Site Scripting Vulnerability
There existed a cross site scripting vulnerability in the notice field of the WebUI
page.
The vendor has fixed this issue in a new release (patch 36 and later) of the product
and the fix was provided to the CC as a solution to this vulnerability. The issue no
longer exists in the CC version of the product. Additionally, this has been patched in
the general release of the product.
Cipher Suite Lockdown
There existed a list of enabled cipher suites that were not leveraged by the TOE and
were requested to be disabled.
The vendor has fixed this issue in a new release (patch 36 and later) of the product
and the fix was provided to the CC as a solution to this vulnerability. The issue no
longer exists in the general release of the product.
10.1.2.2 Additional Guidance for Security
Configuration to place the TOE in Disconnected Mode
The TOE can manually or automatically update patches to the TOE along with
security content information. Steps are provided within the admin guidance
supplement documenting how to place the TOE in disconnected mode and manually
update the product.
SNMP Disable
The TOE allowed for incoming SNMP traffic which can be disabled. An
administrator can connect to the TOE through the CLI and enter the command “no
snmp enable.”
11 Results of the Evaluation
The evaluation was carried out in accordance with the Common Criteria Evaluation and
Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System
v.5.0 TOE meets the security requirements contained in the Security Target.
The criteria against which the FireEye TOE was judged are described in the Common
Criteria for Information Technology Security Evaluation, Version 3.1 Revision 3, July
2009. The evaluation methodology used by the evaluation team to conduct the evaluation
is the Common Methodology for Information Technology Security Evaluation, Version
3.1 Revision 3, July 2009. The Booz Allen Hamilton Common Criteria Test Laboratory
determined that the evaluation assurance level (EAL) for the FireEye MAS and MPS
2000, 4000, and 7000 Series with Central Management System v.5.0 TOE is EAL2
augmented with ALC_FLR.1. The TOE, configured as specified in the installation guide,
satisfies all of the security functional requirements stated in the Security Target.
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
16
The evaluation was completed in November 2010. Results of the evaluation and
associated validation can be found in the Common Criteria Evaluation and Validation
Scheme Validation Report.
12 Validator Comments/Recommendations
12.1 Secure Installation and Configuration Documentation
The “Evaluated Configuration for FireEye MAS and MPS 2000, 4000, and 7000 Series
with Central Management System v.5.0” define the recommendations and secure usage
directions for the TOE as derived from testing.
13 Security Target
The security target for this product’s evaluation is FireEye MAS and MPS 2000, 4000,
and 7000 Series with Central Management System v.5.0 Security Target, Version 1.2, 30
August 2010.
14 List of Acronyms
Acronym Definition
CC Common Criteria
CCEVS
Common Criteria Evaluation and Validation
Scheme
CCIMB
Common Criteria Interpretations Management
Board
CLI Command-line Interface
CMS Central Management System
COTS Commercial Off the Shelf
DHCP Dynamic Host Configuration Protocol
DNS Domain Name System
GUI Graphical User Interface
EAL Evaluation Assurance Level
FTP File Transfer Protocol
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol Secure
IDS Intrusion Detection System
IP Internet Protocol
IRC Internet Relay Chat
IT Information Technology
LCD Liquid Crystal Display
MAS Malware Analysis System
MAX Malware Analysis and Exchange
MPS Malware Protection System
NIAP National Information Assurance Partnership
OS Operating System
OSI Open System Interconnection
PCM Platform Configuration and Management
PP Protection Profile
SNMP Simple Network Management Protocol
SMTP Same Message Transfer Protocol
SSH Secure Shell
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
17
SSL Secure Sockets Layer
ST Security Target
TCP Transmission Control Protocol
TFTP Trivial File Transfer Protocol
TOE Target of Evaluation
TSF TOE Security Function
UI User Interface
URL Uniform Resource Locator
VM Virtual Machine
15 Terminology
Terminology Definition
Administrator User of the TOE who has access to both administrative functions and
monitor functions.
Analyzer IDS component that performs analysis functions on suspicious data or
traffic to determine threats.
Attack A botnet or malware callback event on the system.
Attacker An entity that attempts to send malicious code or traffic to a system on the
installed network.
Botnet Set of software “robots” or “zombies” that are controlled remotely by a
command and control server.
Botnet Server Command and control server that directs the operation of a botnet.
Callback Event Callback events are generated when the appliance observes outbound
communications associated with a remote Command and Control server
(C&C). This could include botnet command and control communications,
uploads of confidential information as well as downloads of secondary
payloads (such as keyloggers or spyware). Callback events indicate that
there is an established communication between a bot-infected host and its
C&C Server.
Command-Line Interface The FireEye appliance has a CLI for administering the appliance.
Central Management
System
Has a web-based graphical user interface for managing multiple FireEye
appliances.
Event Indicates a type of security intrusion or attack.
Guest Image Software image for an operating system and applications that is run in a
virtual machine to analyze suspicious or captured traffic.
Graphical User Interface The FireEye appliance has a web-based GUI for managing the appliance.
Heuristic Analysis Expert-based analysis that determines the susceptibility of a system towards
particular threats using various decision rules or weighing methods.
Infection When a machine on the network has malware or botnet programs.
Malware Malicious software used by attackers to disrupt, cause data loss, or gain
unauthorized access to computer systems.
MAX Network A multi-enterprise alliance focused on protecting customers from botnets
and other stealthy, targeted malware. The ability to connect to the MAX
Network to receive signature updates and to upload detected malware is
included in the evaluated configuration. The MAX Network itself is a
component of the operational environment in the evaluated configuration
because it is a server that sits in a server room at FireEye HQ. It's a trusted
IT product with which the TOE can interact, but it's not considered part of
the TOE since it belongs to the vendor and not the customer.
Monitor User of the TOE who only has access to monitoring functions.
Role Assigned to a user, allows users controlled access to TOE components. In
this case, the three roles are Administrator, Monitor, and LCD panel
administrator.
VALIDATION REPORT
FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management System with v.5.0
18
rsyslog An open source program for forwarding log messages in an IP network for
UNIX and Unix-like systems.
Sandbox A closed environment in which malware is submitted and its effects on
virtual machines are reported.
Scanner IDS component that actively looks through data flows and traffic to find
suspicious items.
Sensor IDS component that views data flows and traffic passing through to find
suspicious items.
System Administrator See Authorized System Administrator.
User In the evaluated configuration, a user is a global term for Administrators
and Monitors.
Virtual Machine A software program that runs an instance of an operating system. The
operating system runs on top of a program that emulates a hardware system.
In the evaluated configuration, each VM is isolated by address space and
their virtual connections are isolated by bridges.
Zero-Day Attack An attack by malware that exploits unknown or newly discovered
vulnerabilities in software before they become known or before security
patches are applied to fix them.
External IT Entity Any IT product or system, trusted or not, outside of the TOE that interacts
with the TOE.
Role A predefined set of rules establishing the allowed interactions between an
end user and the TOE.
TOE Security Functions
(TSF)
A set consisting of all hardware, software, and firmware of the TOE that
must be relied upon for the correct enforcement of the TSP.
User Any entity (human user or external IT entity) outside the TOE that interacts
with the TOE.
16 Bibliography
1. Common Criteria for Information Technology Security Evaluation, Version 3.1
Revision 3.
2. Common Evaluation Methodology for Information Technology Security
Evaluation, Version 3.1 Revision 3.
3. FireEye MAS and MPS 2000, 4000, and 7000 Series with Central Management
System v.5.0 Security Target, Version 1.2, August 30, 2010
4. Evaluation Technical Report for a Target of Evaluation “FireEye MAS and MPS
2000, 4000, and 7000 Series with Central Management System v.5.0” Evaluation
Technical Report v0.3 dated 30 August 2010.