Common Criteria configuration

Deep Security 20 has been issued a Common Criteria certificate. Common Criteria is an international standard for computer security certification. This topic describes how to deploy Deep Security in a Common Criteria Evaluation Assurance Level 2+ certified configuration (CC EAL2+). Use it in conjunction with the Deep Security 20 Security Target documentation.

Direct links to the Deep Security 20 Certification Report and the Deep Security 20 Security Target can be found here:

  • Deep Security 20 Certification Report
  • Deep Security 20 Security Target

As part of Common Criteria standards, it is expected that Deep Security administrators have a good understanding of their organization's security policies and procedures, are trained in how to use Deep Security, and are able to configure Deep Security in accordance with the guidance provided in this article and the rest of the Deep Security 20 documentation.

To deploy the CC EAL2+ certified configuration, follow the steps below. All steps are mandatory, unless otherwise noted.

Step 1: Install Deep Security

Begin by installing and configuring the Deep Security software as you normally would following the instructions in other sections of this Help Center. To deploy in the Common Criteria certified configuration, download and install the evaluated software versions from the Deep Security Download Center.

When installing, make sure that:

  • the facilities housing Deep Security Manager, its database, Deep Security Virtual Appliances, ESXi servers, vCenter, vShield Manager, and NSX Manager are all physically secure.
  • the Deep Security Manager is not running on a machine with other major applications, and is hardened in accordance with your organization's best practices.
  • the Deep Security Manager computer is located within an isolated network segment where inbound and outbound traffic is strictly controlled.
  • only authorized users with the correct administrative permissions can access the manager computer.
  • only authorized users can access the agent and relay computers with administrative permissions on those machines.
  • the environment provides reliable and secure domain name server (DNS) service and Network Time Protocol (NTP) service.
  • the VMware virtual infrastructure (ESXi servers, vCenter, vShield Manager, NSX Manager) is sufficiently strong and protected against theft.
  • the Deep Security Virtual Appliance's management interfaces exist on a segregated, internal-only network (restricted access).
  • the Deep Security Virtual Appliance provides Anti-Malware only. If you need other modules, such as Intrusion Prevention (IPS), use the Deep Security Agent and appliance in combined mode. See Choose agentless vs. combined mode protection.
  • the Domain Name Server (DNS) response time is reasonable. There is a known issue in Deep Security that allows some malware to go undetected if the DNS response time is very slow.
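
The requirement that DNS be reliable and reasonably fast is easy to overlook until scan results are affected. The following script is an added pre-deployment check, not part of the Deep Security documentation or product: it times repeated lookups of the hostnames the manager, agents and appliances must resolve and flags hosts whose median resolution time exceeds a threshold. The page only says the response time must be "reasonable", so the 0.5-second threshold and the example hostnames are assumptions to be replaced with values appropriate to your environment.

```python
"""Pre-deployment DNS responsiveness check for a Deep Security environment.

Added example; not Trend Micro code. The threshold below is an assumption,
since the guidance only requires a "reasonable" DNS response time.
"""
import socket
import statistics
import time

# Assumed threshold (seconds) above which a lookup is considered slow.
SLOW_LOOKUP_SECONDS = 0.5


def time_lookup(hostname, attempts=3):
    """Resolve hostname several times and return the per-attempt durations.

    Returns a list of seconds per attempt, or None if any attempt fails,
    so that an unresolvable name is reported separately from a slow one.
    """
    timings = []
    for _ in range(attempts):
        start = time.monotonic()
        try:
            socket.getaddrinfo(hostname, None)
        except socket.gaierror:
            return None
        timings.append(time.monotonic() - start)
    return timings


def assess_lookups(timings, threshold=SLOW_LOOKUP_SECONDS):
    """Classify a {hostname: [seconds, ...] or None} mapping.

    A host is "slow" when its median resolution time exceeds the threshold
    (the median ignores a single outlier); a None entry is "failed".
    Returns a dict with the overall verdict, the offending hosts and the
    worst single lookup time observed.
    """
    slow, failed, worst = [], [], 0.0
    for hostname, samples in sorted(timings.items()):
        if samples is None:
            failed.append(hostname)
            continue
        worst = max(worst, max(samples))
        if statistics.median(samples) > threshold:
            slow.append(hostname)
    return {
        "ok": not slow and not failed,
        "slow": slow,
        "failed": failed,
        "worst": worst,
    }


def run_check(hostnames, threshold=SLOW_LOOKUP_SECONDS):
    """Measure every hostname and return the assessment."""
    return assess_lookups({h: time_lookup(h) for h in hostnames}, threshold)


if __name__ == "__main__":
    # Placeholder hostnames; substitute the names your manager, relays,
    # agents and appliances actually need to resolve.
    report = run_check(["dsm.example.internal", "relay.example.internal"])
    print("DNS check", "passed" if report["ok"] else "FAILED")
    print("slow hosts:  ", report["slow"])
    print("failed hosts:", report["failed"])
    print("worst lookup: %.3f s" % report["worst"])
```

Run it from the manager host and from a representative agent host before deployment, and again whenever the resolver configuration changes; a non-empty `slow` or `failed` list means the environment does not yet meet the DNS prerequisite above.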

Use of Shift JIS (Shift_JIS) character encoding for the Japanese language is not supported by the Common Criteria configuration.

The remaining steps in this topic describe the modifications you must make to your initial installation and configuration to arrive at a Common Criteria evaluated configuration.

Step 2: Enable FIPS mode

You must configure Deep Security to operate in FIPS 140 mode. See FIPS 140 support for instructions. FIPS mode involves a number of steps, restrictions, and requirements; for example, the Deep Security Scanner (integration with SAP NetWeaver) is not supported. All of the FIPS steps, restrictions, and requirements apply to the Common Criteria configuration.

In addition to completing the tasks outlined on the FIPS 140 support page, you must also:

Step 3: Harden Deep Security to prevent unauthorized access

You must harden Deep Security components to reduce their attack surface and prevent unauthorized access. Follow the links below to harden your system. You might have already completed some of these tasks when you set up FIPS mode.

Mandatory hardening tasks:

Optional hardening tasks:

Step 4: Enforce a strong password policy

You must enforce a strong password policy. See Enforce user password rules for details. The policy must have these characteristics, at a minimum:

  • the User password minimum length must be no less than the default of eight
  • the Number of incorrect sign-in attempts allowed (before lock out) must be no greater than the default of five

Step 5: Disable the legacy APIs

You must disable the SOAP and Status Monitoring APIs as follows:

  1. In Deep Security Manager, click Administration > System Settings > Advanced.
  2. In the SOAP Web Service API section, select Disabled.
  3. In the Status Monitoring API section, select Disabled.
  4. Click Save.

Step 6: Configure email notifications for alerts

You must configure an email address to which all notifications will be sent. See Set up email notification for alerts. By default, Deep Security Manager sends an email notification for every alert. Do not disable any of the default alert notifications.

Next steps (operating in the certified configuration)

To use Deep Security in the certified configuration, make sure you:

  • create accounts for additional users

    An administration account (by default named MasterAdmin) was created when you installed Deep Security Manager. Create new accounts for additional users so that the MasterAdmin account is used only rarely, as a backup account held by the original administrator responsible for the Deep Security installation. Use the other accounts for ongoing administration and configuration tasks.

  • stop using Deep Security Manager's command line interface (dsm_c)

    This interface is permitted for the initial installation and configuration of the manager, but should not be used thereafter because it is not included in the CC EAL2+ certified configuration.

  • stop using the Deep Security Agent's command line interfaces (dsa_control and dsa_query)

    These interfaces are permitted during the initial installation and configuration of the agent, but should not be used thereafter because they are not included in the CC EAL2+ certified configuration.

  • never shut down the Deep Security Virtual Appliance during normal operations.

    If the appliance appears to be offline for an unknown reason, always investigate the cause.