Common Criteria configuration
Common Criteria is an international standard for computer security certification. This topic describes how to deploy Deep Security in a Common Criteria Evaluation Assurance Level 2+ certified configuration (CC EAL2+). Use it in conjunction with the Deep Security 11.0 Security Target document, available from the Common Criteria website.
To deploy the CC EAL2+ certified configuration, follow the steps below. All steps are mandatory, unless otherwise noted.
- Step 1: Install Deep Security
- Step 2: Enable FIPS mode
- Step 3: Harden Deep Security to prevent unauthorized access
- Step 4: Enforce a strong password policy
- Step 5: Disable the APIs
- Step 6: Create a 'Full Access No API' role
- Step 7: Configure users with the 'Full Access No API' and Auditor roles
- Step 8: Configure email notifications for alerts
- Next steps (operating in the certified configuration)
Step 1: Install Deep Security
Begin by installing and configuring the Deep Security software as you normally would, following the instructions in other sections of this Help Center.
When installing, make sure that:
- the facility housing Deep Security Manager, its database, Deep Security Virtual Appliances, ESXi servers, vCenter, vShield Manager, and NSX Manager is physically secure.
- the Deep Security Manager is not running on a machine with other major applications, and is hardened in accordance with your organization's best practices.
- the Deep Security Manager computer is located within an isolated network segment where inbound and outbound traffic is strictly controlled.
- only authorized users with the correct administrative permissions can access the manager computer.
- only authorized users can access the agent and relay computers, and only authorized users hold administrative permissions on those machines.
- the environment provides reliable and secure domain name server (DNS) service and Network Time Protocol (NTP) service.
- the VMware virtual infrastructure (ESXi servers, vCenter, vShield Manager, NSX Manager) is sufficiently strong and protected against theft.
- the Deep Security Virtual Appliance's management interfaces exist on a segregated, internal-only network (restricted access).
- the Deep Security Virtual Appliance provides Anti-Malware only. If you need other modules, such as Intrusion Prevention (IPS), use the Deep Security Agent and appliance in combined mode. See Choose agentless vs. combined mode protection.
- the Domain Name Server (DNS) response time is reasonable. There is a known issue in Deep Security 11.0 that allows some malware to go undetected if the DNS response time is very slow.
Use of Shift JIS (Shift_JIS) character encoding for the Japanese language is not supported by the Common Criteria configuration.
The remaining steps in this topic describe the modifications you must make to your initial installation and configuration to arrive at a Common Criteria evaluated configuration.
Step 2: Enable FIPS mode
You must configure Deep Security to operate in FIPS 140-2 mode. See FIPS 140-2 support for instructions. There are quite a few steps, restrictions, and requirements; for example, the Deep Security Scanner (integration with SAP NetWeaver) is not supported. All FIPS steps, restrictions, and requirements apply.
In addition to completing the tasks outlined on the FIPS 140-2 support page, you must also:
- Limit TLS to version 1.2 on SQL Server. See https://support.microsoft.com/kb/3135244 for details.
- Enable FIPS mode for the operating system being protected. For instructions on enabling FIPS mode on Windows, see this Microsoft article.
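The two operating-system tasks above (restricting the SQL Server host to TLS 1.2 and turning on Windows FIPS mode) are both SCHANNEL and LSA registry settings. The script below is an added example, not part of the Deep Security documentation or the Microsoft articles it links to; it assumes a Windows SQL Server host whose SQL Server build already supports TLS 1.2 (the subject of KB3135244), and the function names are the example's own.

```powershell
# Added example: server-side SCHANNEL protocol restriction plus Windows FIPS policy.
# Assumes an elevated session on the Windows host that runs SQL Server.
# Registry changes take effect only after the host is rebooted.

$schannel = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
$fips     = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy'

function Set-ServerProtocol {
    param([string]$Name, [bool]$Enabled)
    $key = Join-Path $schannel "$Name\Server"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # Enabled = 0 switches the protocol off; DisabledByDefault = 1 stops SCHANNEL offering it.
    New-ItemProperty -Path $key -Name 'Enabled' -Value ([int]$Enabled) `
        -PropertyType DWord -Force | Out-Null
    New-ItemProperty -Path $key -Name 'DisabledByDefault' -Value ([int](-not $Enabled)) `
        -PropertyType DWord -Force | Out-Null
}

# Legacy protocols off on the server side, TLS 1.2 explicitly on.
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1') { Set-ServerProtocol -Name $p -Enabled $false }
Set-ServerProtocol -Name 'TLS 1.2' -Enabled $true

# Windows FIPS mode: the LSA FipsAlgorithmPolicy\Enabled DWORD.
if (-not (Test-Path $fips)) { New-Item -Path $fips -Force | Out-Null }
New-ItemProperty -Path $fips -Name 'Enabled' -Value 1 -PropertyType DWord -Force | Out-Null

# Verification: report each protocol's server-side state and the FIPS flag,
# so the result can be checked before and after the reboot.
function Get-HardeningState {
    $state = [ordered]@{}
    foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        $v = Get-ItemProperty -Path (Join-Path $schannel "$p\Server") -Name 'Enabled' -ErrorAction SilentlyContinue
        $state[$p] = if ($null -eq $v) { 'OS default (not explicitly set)' }
                     elseif ($v.Enabled -eq 0) { 'disabled' } else { 'enabled' }
    }
    $f = Get-ItemProperty -Path $fips -Name 'Enabled' -ErrorAction SilentlyContinue
    $state['FIPS'] = if ($f -and $f.Enabled -eq 1) { 'on' } else { 'off' }
    return $state
}

Get-HardeningState | Format-Table -AutoSize
```

These SCHANNEL settings apply to every TLS server on the host, not only SQL Server, so confirm that Deep Security Manager's database connection negotiates TLS 1.2 in a test environment before rebooting a production database server.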
Step 3: Harden Deep Security to prevent unauthorized access
You must harden Deep Security components to reduce their attack surface and prevent unauthorized access. Follow the links below to harden your system. You might have already completed some of these tasks when you set up FIPS mode.
Mandatory hardening tasks:
- Encrypt communication between Deep Security Manager and the database
- Harden the Deep Security database—if you're using SQL Server, go to this article
- Replace the Deep Security Manager TLS certificate
- Protect Deep Security Manager with an agent
- Review the release notes on the Deep Security Software page to avoid security-related known issues
Optional hardening tasks:
- Bind Deep Security Agent to a specific manager
- Enable agent self-protection (see Enable or disable agent self-protection)
Step 4: Enforce a strong password policy
You must enforce a strong password policy. See Enforce user password rules for details. The policy must have these characteristics, at a minimum:
- the User password minimum length must be no less than the default of eight
- the Number of incorrect sign-in attempts allowed (before lock out) must be no greater than the default of five
Step 5: Disable the APIs
You must disable the SOAP and Status Monitoring APIs as follows:
- In Deep Security Manager, click Administration > System Settings > Advanced.
- In the SOAP Web Service API section, select Disabled.
- In the Status Monitoring API section, select Disabled.
- Click Save.
Step 6: Create a 'Full Access No API' role
Deep Security Manager comes with a built-in Full Access role that is hard-coded to allow access to the SOAP, REST, and Status Monitoring APIs. This role should not be used with the CC EAL2+ certified configuration since API access is not permitted. Instead, you must create a duplicate of the Full Access role and turn off API access on that role. We call this role the Full Access No API role in this article. You can later assign the Full Access No API role to users instead of the Full Access role.
To create the Full Access No API role:
- In Deep Security Manager, click Administration at the top.
- On the left, expand User Management > Roles.
- In the main pane, right-click the Full Access role and select Duplicate.
- Right-click the duplicated role and select Properties.
- Rename the role to Full Access No API or another descriptive name of your choosing.
- Deselect the Allow Access to web services API check box. This disables access to the APIs.
- Click OK.
You have now created a Full Access No API role.
Step 7: Configure users with the 'Full Access No API' and Auditor roles
You must make sure you have the following two users in Deep Security Manager, at a minimum:
- The first user must have the Full Access No API role that you created in Step 6: Create a 'Full Access No API' role. This user is responsible for administering and configuring Deep Security as well as activating new Deep Security Agents and Deep Security Virtual Appliances.
- The second user must have the Auditor role. Make sure to deselect the Allow Access to web services API check box on this role. This user is able to view system information and changes made by the Full Access user.
For details on creating users, see Add or edit an individual user.
If you have existing users, you must find which ones have the Full Access role and reassign them the Full Access No API role:
- Still on the Roles pane, right-click the Full Access role and select Properties.
- Click the Assigned To tab.
- If any users appear, click any one of them to display their properties.
- In the Role drop-down list, select the Full Access No API role.
- Click Save and then Close.
- Continue to assign the Full Access No API role to each user that has the Full Access role.
Step 8: Configure email notifications for alerts
You must configure an email address to which all notifications will be sent. See Set up email notification for alerts. By default, Deep Security Manager sends an email notification for every alert. Do not disable any of the default alert notifications.
Next steps: operating in the certified configuration
To use Deep Security in the certified configuration, make sure you:
- stop using the master administration (MasterAdmin) account
This account (by default called MasterAdmin) was created when you installed Deep Security Manager. This account should no longer be used. You can either delete it or keep it for backup purposes only, and then use another account for ongoing administration and configuration tasks.
- stop using Deep Security Manager's command line interface (dsm_c)
This interface is permitted for the initial installation and configuration of the manager, but should not be used thereafter because it is not included in the CC EAL2+ certified configuration.
- stop using the Deep Security Agent's command line interfaces (dsa_control and dsa_query)
These interfaces are permitted during the initial installation and configuration of the agent, but should not be used thereafter because they are not included in the CC EAL2+ certified configuration.
- stop using the Full Access role
This role enables access to the APIs, which is not permitted in the CC EAL2+ certified configuration. If you want to create new users with full access privileges, assign the Full Access No API role instead. You created this role in Step 6: Create a 'Full Access No API' role.
- when creating new roles, make sure the Allow Access to web services API check box is deselected
As mentioned previously, API access is not permitted in the CC EAL2+ certified configuration, so you must ensure that new roles don't allow access to these APIs.
- never shut down the Deep Security Virtual Appliance during normal operations
If the appliance appears to be offline for an unknown reason, always investigate the cause.