© 2007 Network Chemistry
Network Chemistry
RFprotectTM
Distributed v6.1.2,
RFprotectTM
Sensor v6.1.22, and
RFprotectTM
Mobile v6.1.2
Security Target
Evaluation Assurance Level: EAL 2
Document Version: 1.0
Prepared for: Prepared by:
Network Chemistry, Inc. Corsec Security, Inc.
1804 Embarcadero Road, Suite 201
Palo Alto, CA 94303
10340 Democracy Lane, Suite 201
Fairfax, VA 22030
Phone: (650) 858-3120 Phone: (703) 267-6050
http://www.networkchemistry.com http://www.corsec.com
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 2 of 51
© 2007 Network Chemistry
Revision History
Version Modification Date Modified By Description of Changes
0.1 2006-03-23 Nathan Lee Initial draft.
0.2 2006-09-12 Christie Kummers Updates to include new security functionality.
0.3 2007-01-22 Teresa MacArthur Addressed first round of verdicts.
0.4 2007-03-28 Greg Milliken Minor administrative changes.
1.0 2007-04-16 Amy Nicewick Final revisions for submission to CB.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 3 of 51
© 2007 Network Chemistry
Table of Contents
REVISION HISTORY................................................................................................................................................2
TABLE OF CONTENTS ............................................................................................................................................3
TABLE OF FIGURES ................................................................................................................................................4
TABLE OF TABLES ..................................................................................................................................................4
1 SECURITY TARGET INTRODUCTION........................................................................................................6
1.1 OVERVIEW......................................................................................................................................................6
1.2 SECURITY TARGET, TOE AND CC IDENTIFICATION AND CONFORMANCE ......................................................6
1.3 CONVENTIONS, ACRONYMS, AND TERMINOLOGY ..........................................................................................7
1.3.1 Conventions ...........................................................................................................................................7
1.3.2 Acronyms ...............................................................................................................................................7
2 TOE DESCRIPTION..........................................................................................................................................8
2.1 PRODUCT TYPE...............................................................................................................................................8
2.2 PRODUCT DESCRIPTION..................................................................................................................................8
2.2.1 RFprotect Sensor ...................................................................................................................................8
2.2.2 RFprotect Server....................................................................................................................................8
2.2.3 RFprotect Client ....................................................................................................................................9
2.2.4 RFprotect Mobile...................................................................................................................................9
2.3 TOE BOUNDARIES AND SCOPE.......................................................................................................................9
2.3.1 Physical Boundary.................................................................................................................................9
2.3.2 Logical Boundary ................................................................................................................................10
3 TOE SECURITY ENVIRONMENT ...............................................................................................................13
3.1 ASSUMPTIONS ..............................................................................................................................................13
3.1.1 Intended Usage Assumptions...............................................................................................................13
3.1.2 Physical Assumptions ..........................................................................................................................13
3.1.3 Personnel Assumptions........................................................................................................................13
3.1.4 Connectivity Assumption......................................................................................................................13
3.2 THREATS TO SECURITY.................................................................................................................................13
3.2.1 TOE Threats.........................................................................................................................................14
3.2.2 IT System Threats ................................................................................................................................14
3.3 ORGANIZATIONAL SECURITY POLICIES ........................................................................................................15
4 SECURITY OBJECTIVES ..............................................................................................................................16
4.1 TOE SECURITY OBJECTIVES.........................................................................................................................16
4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT...........................................................................................16
4.2.1 Non-IT Objectives................................................................................................................................16
4.2.2 IT Objectives........................................................................................................................................17
5 IT SECURITY REQUIREMENTS..................................................................................................................18
5.1 TOE SECURITY FUNCTIONAL REQUIREMENTS .............................................................................................18
5.1.1 Class FAU: Security Audit...................................................................................................................19
5.1.2 Class FIA: Identification and Authentication ......................................................................................22
5.1.3 Class FMT: Security Management ......................................................................................................23
5.1.4 Class FPT: Protection of the TSF........................................................................................................24
5.1.5 Class IDS: IDS Functionality ..............................................................................................................25
5.2 SECURITY FUNCTIONAL REQUIREMENTS ON THE IT ENVIRONMENT ............................................................27
5.2.1 Class FPT: Protection of the TSF........................................................................................................27
5.3 ASSURANCE REQUIREMENTS........................................................................................................................28
6 TOE SUMMARY SPECIFICATION..............................................................................................................29
6.1 TOE SECURITY FUNCTIONS..........................................................................................................................29
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 4 of 51
© 2007 Network Chemistry
6.1.1 Security Audit.......................................................................................................................................29
6.1.2 Identification and Authentication ........................................................................................................30
6.1.3 Security Management ..........................................................................................................................30
6.1.4 Protection of the TSF...........................................................................................................................31
6.1.5 IDS Component Requirements.............................................................................................................32
6.2 TOE SECURITY ASSURANCE MEASURES......................................................................................................33
6.2.1 ACM_CAP.2: Configuration Management Document.........................................................................34
6.2.2 ADO_DEL.1: Delivery and Operation Document...............................................................................34
6.2.3 ADO_IGS.1: Installation Guidance, AGD_ADM.1: Administrator Guidance, AGD_USR.1: User
Guidance34
6.2.4 ADV_FSP.1: Informal Functional Specification, ADV_HLD.1: High Level Design, ADV_RCR.1:
Representation Correspondence..........................................................................................................................34
6.2.5 ATE_COV.1: Test Coverage Analysis, ATE_FUN.1: Functional Testing, ATE_IND.2: Independent
Testing 34
6.2.6 AVA_VLA.1: Vulnerability Analysis, AVA_SOF.1: Strength of Function Analysis.............................35
7 PROTECTION PROFILE CLAIMS...............................................................................................................36
7.1 PROTECTION PROFILE REFERENCE ...............................................................................................................36
8 RATIONALE.....................................................................................................................................................37
8.1 SECURITY OBJECTIVES RATIONALE..............................................................................................................37
8.1.1 Security Objectives Rationale Relating to Threats ..............................................................................37
8.1.2 Security Objectives Rationale Relating to Assumptions ......................................................................40
8.1.3 Security Objectives Rationale Relating to Policies..............................................................................41
8.2 SECURITY FUNCTIONAL REQUIREMENTS RATIONALE ..................................................................................43
8.3 SECURITY FUNCTIONAL REQUIREMENT REFINEMENT RATIONALE...............................................................46
8.4 SECURITY ASSURANCE REQUIREMENTS RATIONALE....................................................................................46
8.5 RATIONALE FOR EXPLICITLY STATED REQUIREMENTS.................................................................................46
8.6 RATIONALE FOR STRENGTH OF FUNCTION ...................................................................................................46
8.7 DEPENDENCY RATIONALE............................................................................................................................47
8.8 TOE SUMMARY SPECIFICATION RATIONALE................................................................................................47
8.8.1 TOE Summary Specification Rationale for the Security Functional Requirements.............................47
8.8.2 TOE Summary Specification Rationale for the Security Assurance Requirements..............................48
8.9 STRENGTH OF FUNCTION..............................................................................................................................50
9 ACRONYMS......................................................................................................................................................51
Table of Figures
FIGURE 1 - PHYSICAL TOE BOUNDARY........................................................................................................................10
FIGURE 2 - TOE LOGICAL BOUNDARY .........................................................................................................................11
Table of Tables
TABLE 1 - ST, TOE, AND CC IDENTIFICATION AND CONFORMANCE..............................................................................6
TABLE 2 – TOE SECURITY FUNCTIONAL REQUIREMENTS ............................................................................................18
TABLE 3 – AUDITABLE EVENTS....................................................................................................................................19
TABLE 4 – TOE ENVIRONMENT SFRS ..........................................................................................................................27
TABLE 5 – ASSURANCE REQUIREMENTS.......................................................................................................................28
TABLE 6 – MAPPING OF TOE SECURITY FUNCTIONS TO SECURITY FUNCTIONAL REQUIREMENTS...............................29
TABLE 7 – ASSURANCE MEASURES MAPPING TO TOE SECURITY ASSURANCE REQUIREMENTS (SARS).....................33
TABLE 8 – RELATIONSHIP OF SECURITY THREATS TO OBJECTIVES ..............................................................................37
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 5 of 51
© 2007 Network Chemistry
TABLE 9 – RELATIONSHIP OF SECURITY ASSUMPTIONS TO OBJECTIVES ......................................................................40
TABLE 10 – RELATIONSHIP OF SECURITY POLICIES TO OBJECTIVES.............................................................................42
TABLE 11 – RELATIONSHIP OF SECURITY REQUIREMENTS TO OBJECTIVES ..................................................................43
TABLE 12 – FUNCTIONAL REQUIREMENTS DEPENDENCIES ..........................................................................................47
TABLE 13 – MAPPING OF SECURITY FUNCTIONAL REQUIREMENTS TO TOE SECURITY FUNCTIONS.............................47
TABLE 14 – ACRONYMS ...............................................................................................................................................51
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 6 of 51
© 2007 Network Chemistry
1 Security Target Introduction
This section identifies the Security Target (ST), Target of Evaluation (TOE), ST conventions, ST conformance
claims, and the ST organization. The subjects of evaluation are the Network Chemistry RFprotect Distributed
v6.1.2, RFprotect Sensor v6.1.22, and RFprotect Mobile v6.1.2, and will hereafter be referred to as the TOE
throughout this document. The TOE is a wireless intrusion detection and intrusion prevention system.
1.1 Overview
This ST contains the following sections to provide a mapping of the Security Environment to the Security
Requirements that the TOE meets in order to remove, diminish, or mitigate the defined threats:
• Security Target Introduction (Section 1) – Provides a brief summary of the content of the ST and describes
the organization of other sections of this document.
• TOE Description (Section 2) – Provides an overview of the TOE security functions and describes the
physical and logical boundaries for the TOE.
• TOE Security Environment (Section 3) – Describes the threats and assumptions that pertain to the TOE and
its environment.
• Security Objectives (Section 4) – Identifies the security objectives that are satisfied by the TOE and its
environment.
• IT Security Requirements (Section 5) – Presents the Security Functional Requirements (SFRs) and Security
Assurance Requirements (SARs) met by the TOE and by the TOE’s environment.
• TOE Summary Specification (Section 6) – Describes the security functions provided by the TOE to satisfy
the security requirements and objectives.
• Protection Profile Claims (Section 7) – Provides the identification of any ST Protection Profile claims as
well as a justification to support such claims.
• Rationale (Section 8) – Presents the rationale for the security objectives, requirements, and the TOE
summary specifications as to their consistency, completeness, and suitability.
• Acronyms (Section 9) – Defines the acronyms used within this ST.
1.2 Security Target, TOE and CC Identification and Conformance
Table 1 - ST, TOE, and CC Identification and Conformance
ST Title Network Chemistry RFprotect
TM
v6.1.2, RFprotect
TM
Sensor v6.1.22, RFprotect
TM
Mobile
v6.1.2 Security Target
ST Version Version 1.0
Author Corsec Security, Inc.
TOE Identification Network Chemistry RFprotect
TM
v6.1.2 build 13, RFprotect
TM
Sensor v6.1.22, RFprotect
TM
Mobile v6.1.2 build 13
Common Criteria (CC)
Identification and
Conformance
Common Criteria for Information Technology Security Evaluation, Version 2.3; CC Part 2
extended, CC Part 3 conformant; Parts 2 and 3 Interpretations from the Interpreted CEM
as of September 6, 2006 were reviewed, and no interpretations apply to the claims made
in this ST.
PP Identification None
Evaluation Assurance
Level
EAL 2
Keywords Wireless IDS, Wireless IPS, IDS, IPS, Wireless, Intrusion Detection, Intrusion Prevention
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 7 of 51
© 2007 Network Chemistry
1.3 Conventions, Acronyms, and Terminology
1.3.1 Conventions
There are several font variations used within this ST. Selected presentation choices are discussed here to aid the
Security Target reader.
The CC allows for several operations to be performed on security requirements: assignment, refinement, selection,
and iteration. All of these operations are used within this ST. These operations are presented in the same manner in
which they appear in Parts 2 and 3 of the CC with the following exceptions:
• Completed assignment statements are identified using [italicized text within brackets].
• Completed selection statements are identified using [underlined italicized text within brackets].
• Refinements are identified using bold text. Any text removed is stricken (Example: TSF Data) and should
be considered as a refinement.
• Iterations are identified by appending a letter in parenthesis following the component title. For example,
FAU_GEN.1(a) Audit Data Generation would be the first iteration and FAU_GEN.1(b) Audit Data
Generation would be the second iteration.
1.3.2 Acronyms
The acronyms used within this ST are described in Section 9 – “Acronyms.â€
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 8 of 51
© 2007 Network Chemistry
2 TOE Description
This section provides a general overview of the TOE as an aid to understanding the general capabilities and security
requirements provided by the TOE. The TOE description provides a context for the TOE evaluation by identifying
the product type and describing the evaluated configuration.
2.1 Product Type
The Network Chemistry RFprotect suite is a wireless intrusion detection system (IDS) coupled with intrusion
prevention functionality. This system uses wireless network Sensors to detect and respond to suspicious activity and
to determine the impact of network attacks, based on collected forensic data. It analyzes the authorized wireless
network, checking for and responding to identified vulnerabilities. Wireless intrusion prevention capabilities allow
the RFprotect system to prevent “rogue†wireless stations (including wireless access points, wireless network
clients, and ad-hoc wireless devices) from operating within the range of the product, and to neutralize threats after
identification of an attack by terminating an attacker’s wireless session.
2.2 Product Description
The product is a wireless intrusion detection and prevention system which uses wireless Sensors to collect
information about target systems and networks. The system contains an analyzer component to support analysis of
the data and to initiate actions in response to its findings.
There are three TOE components which combine to form the two evaluated TOE configurations. These three TOE
components are:
• RFprotect Sensor
• RFprotect Server
• RFprotect Client
These TOE components can be instantiated on separate inter-dependent devices to form the first TOE configuration,
or they can be combined onto one device (typically a mobile laptop workstation) to form the second TOE
configuration (called RFprotect Mobile). RFprotect Mobile can operate independently of or in conjunction with
standalone Sensors, Servers, and Clients.
2.2.1 RFprotect Sensor
The RFprotect Sensor is a self-contained appliance which is used to scan the channels defined in the 802.11 wireless
networking specifications for unauthorized, malicious, or otherwise suspicious traffic, report its findings back to the
RFprotect Server, and respond to unauthorized or undesirable network traffic as directed by the Server. It can detect
all 802.11 wireless devices within the Sensor’s scan range, as well as anomalies such as malformed network
protocol headers and network traffic patterns which may indicate malicious probes, attacks, denial of service
attempts, or other types of wireless network abuse.
Along with typical intrusion detection capabilities the RFprotect Sensor can also be used to respond to identified
attacks or unauthorized network traffic by terminating or controlling the wireless connections of any wireless
stations within its scanning range.
2.2.2 RFprotect Server
The RFprotect Server is a software package which is installed on standard server hardware and functions as the
central management and analysis server for the RFprotect system. The Server provides scanning policies to the
RFprotect Sensors deployed on the local network and receives wireless traffic reports from them. The Server stores
the reports from all of the Sensors on the network and continuously analyzes the complete wireless traffic dataset. If
the complete dataset indicates that suspicious or malicious activity is or may be occurring, the Server may be
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 9 of 51
© 2007 Network Chemistry
configured to respond by instructing one or more Sensors to take appropriate actions to mitigate the threat. The
Server allows authorized users to view events generated by the Sensors via the RFprotect Client software.
2.2.3 RFprotect Client
The RFprotect Client is a software package which is installed on standard Personal Computer (PC) hardware. It is
used to manage the Server and the Sensors and to view reports on wireless network activity. The Client provides a
Graphical User Interface (GUI) to manage users and their associated roles, system policies, and alarms associated
with specific events. It also provides a means to view the status of all deployed Sensors and can display reports
generated by the Server to provide summary information about attacks, activity graphs, and analysis of event trends.
2.2.4 RFprotect Mobile
The RFprotect Mobile software is made up of functionality from RFprotect Sensor, RFprotect Server and RFprotect
Mobile Client. It is installed on a standard PC workstation, typically a laptop computer, to provide mobility. In the
evaluated configuration of the RFprotect Mobile product, the Sensor functionality is provided by a wireless network
adapter and the RFprotect Agent software module installed on the host laptop. The RFprotect Agent software that
controls the wireless network adapter is included in the TOE, but the wireless network adapter hardware is not. The
RFprotect Mobile configuration is architecturally similar to the separate Sensor, Server, and Client configuration;
however, in the evaluated configuration, the RFprotect Mobile configuration communicates only with the local
Sensor. Please see Figure 2 below for more information about this configuration.
2.3 TOE Boundaries and Scope
The TOE comprises both hardware and software. This section addresses what physical (hardware) and logical
(software) components of the TOE are included in evaluation.
2.3.1 Physical Boundary
Figure 1 illustrates the physical scope and the physical boundary of the overall solution and ties together all of the
components of the TOE and the constituents of the TOE Environment. The physical components that compose the
TOE in the evaluated configuration are:
• The RFprotect Sensor
The following physical components are excluded from the TOE boundary, but are part of the Information
Technology (IT) environment in the TOE’s evaluated configuration:
• The computer hardware running the RFprotect Server software
• The computer hardware running the RFprotect Client software
• The computer hardware running the RFprotect Mobile software (including the 802.11 a/b/g wireless
network adapter hardware)
In addition, the Packetyzer is not included as part of the TOE.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 10 of 51
© 2007 Network Chemistry
Figure 1 - Physical TOE Boundary
2.3.2 Logical Boundary
The logical boundaries of each of the components of the TOE are shown in Figure 2 below. The logical boundaries
of the Server, Client, and Mobile TOE components include the RFprotect software components but not the
underlying OS. The logical boundary of the Sensor includes the radio, the RFprotect software, and the underlying
operating system.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 11 of 51
© 2007 Network Chemistry
802.11a/b/g
Radio
RFprotect
Server
RFprotect
Agent
RFprotect
Client
Figure 2 - TOE Logical Boundary
2.3.2.1 RFprotect Sensor
The ipOS 6.8 operating system used in the RFprotect Sensor is licensed from Ubicom, Inc. Ubicom also makes the
IP3000 family processors used in the sensors. The Ubicom ipOS is the only OS supported by the hardware. Three
models of sensors can be used: model ND-10, ND-20, and ND-30.
2.3.2.2 RFprotect Mobile
RFprotect Mobile is fitted with a Peripheral Component Interconnect (PCI) card as part of the TOE environment.
This is currently a commercial-off-the-shelf card with the Atheros AR5004X chipset; however any Atheros chipset
may be used to communicate with the modified version of the Atheros driver used in RFprotect Mobile.
The evaluated version of RFprotect Mobile may be installed on any of the following OSs:
• Windows XP Professional Service Pack 2
• Windows 2003 Server Service Pack 1
2.3.2.3 RFprotect Server
Any of the following OSs may be used for the evaluated version of the RFprotect Server platform:
• Windows (XP Professional Service Pack 2 or Windows 2003 Server Service Pack 1)
• Linux (Redhat Enterprise 9, Fedora Core 3, or SUSE Enterprise 9.1)
2.3.2.4 RFprotect Client
The OS for the evaluated version of RFprotect Client (on the Management Workstation) may be any of the
following:
• Windows XP Professional Service Pack 2
• Windows 2003 Server Service Pack 1
The Logical Boundaries of the TOE embody security functions that it implements. These TOE security functions
are usefully grouped under the following Security Function Classes:
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 12 of 51
© 2007 Network Chemistry
• Security Audit
• Identification and Authentication
• Security Management
• Protection of the TSF
• IDS Component Requirements
Please refer to Section 6.1 for descriptions of these Security Function Classes.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 13 of 51
© 2007 Network Chemistry
3 TOE Security Environment
This section describes the security aspects of the environment in which the TOE will be used and the manner in
which the TOE is expected to be employed. It provides the statement of the TOE security environment, which
identifies and explains all:
• assumptions about the secure usage of the TOE, including physical, personnel and connectivity aspects,
• known and presumed threats countered by either the TOE or by the security environment,
• Organizational Security Policies (OSPs) with which the TOE must comply.
3.1 Assumptions
This section contains assumptions regarding the security environment and the intended usage of the TOE. The
following specific conditions are required to ensure the security of the TOE and are assumed to exist in an
environment where this TOE is employed.
3.1.1 Intended Usage Assumptions
A.ACCESS The TOE has access to all the IT System data it needs to perform its functions.
A.DYNMIC The TOE will be managed in a manner that allows it to appropriately address changes in the IT
System the TOE monitors.
A.ASCOPE The TOE is appropriately scalable to the IT System the TOE monitors.
3.1.2 Physical Assumptions
A.PROTCT The TOE hardware and software critical to security policy enforcement will be protected from
unauthorized physical modification.
A.LOCATE The processing resources of the TOE will be located within controlled access facilities, which will
prevent unauthorized physical access.
3.1.3 Personnel Assumptions
A.MANAGE There will be one or more competent individuals assigned to manage the TOE and the security of
the information it contains.
A.NOEVIL The authorized administrators are not careless, willfully negligent, or hostile, and will follow and
abide by the instructions provided by the TOE documentation.
A.NOTRST The TOE can only be accessed by authorized users.
3.1.4 Connectivity Assumption
A.CONNECT The TOE will be installed such that all network traffic will flow through the TOE.
3.2 Threats to Security
The following are threats identified for the TOE and the IT System the TOE monitors. The assumed level of
expertise of the attacker for all the threats is unsophisticated.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 14 of 51
© 2007 Network Chemistry
3.2.1 TOE Threats
T.COMINT An unauthorized user may attempt to compromise the integrity of the data collected and produced
by the TOE by bypassing a security mechanism.
T.COMDIS An unauthorized user may attempt to disclose the data collected and produced by the TOE by
bypassing a security mechanism.
T.LOSSOF An unauthorized user may attempt to remove or destroy data collected and produced by the TOE.
T.NOHALT An unauthorized user may attempt to compromise the continuity of the System’s collection and
analysis functions by halting execution of the TOE.
T.PRIVIL An unauthorized user may gain access to the TOE and exploit system privileges to gain access to
TOE security functions and data.
T.IMPCON An unauthorized user may inappropriately change the configuration of the TOE causing potential
intrusions to go undetected.
T.INFLUX An unauthorized user may cause malfunction of the TOE by creating an influx of data that the
TOE cannot handle.
T.FACCNT Unauthorized attempts to access TOE data or security functions may go undetected.
T.BLIND An attacker may blind the TOE by physically shielding or damaging TOE antennas.
T.MSQERADE A network attacker may attempt to imitate a client system in order to gain information about the
vulnerabilities of the client system.
3.2.2 IT System Threats
The following identifies threats to the IT System that may be indicative of vulnerabilities in or misuse of IT
resources.
T.SCNCFG Improper security configuration settings may exist in the IT System the TOE monitors.
T.SCNMLC Users could execute malicious code on an IT System that the TOE monitors which causes
modification of the IT System protected data or undermines the IT System security functions.
T.SCNVUL Vulnerabilities may exist in the IT System the TOE monitors.
T.FALACT The TOE may fail to react to identified or suspected vulnerabilities or inappropriate activity,
thereby resulting in a threat to the IT system.
T.FALREC The TOE may fail to recognize vulnerabilities or inappropriate activity based on IDS data received
from each data source, thereby resulting in a threat to the IT system.
T.FALASC The TOE may fail to identify vulnerabilities or inappropriate activity based on association of IDS
data received from all data sources, thereby resulting in a threat to the IT system.
T.MISUSE Unauthorized accesses and activity indicative of misuse may occur on an IT System the TOE
monitors.
T.INADVE Inadvertent activity and access may occur on an IT System the TOE monitors.
T.MISACT Malicious activity, such as introductions of Trojan horses and viruses, may occur on an IT System
the TOE monitors.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 15 of 51
© 2007 Network Chemistry
3.3 Organizational Security Policies
An organizational security policy is a set of rules, practices, and procedures imposed by an organization to address
its security needs. This section identifies the organizational security policies applicable to the TOE.
P.DETECT Static configuration information that might be indicative of the potential for a future intrusion or
the occurrence of a past intrusion of an IT System or events that are indicative of inappropriate
activity that may have resulted from misuse, access, or malicious activity of IT System assets must
be collected.
P.ANALYZ Analytical processes and information to derive conclusions about intrusions (past, present, or
future) must be applied to IDS data and appropriate response actions taken.
P.MANAGE The TOE shall only be managed by authorized users.
P.ACCESS All data collected and produced by the TOE shall only be used for authorized purposes.
P.ACCACT Users of the TOE shall be accountable for their actions within the IDS.
P.INTGTY Data collected and produced by the TOE shall be protected from modification.
P. PROTCT The TOE shall be protected from unauthorized accesses and disruptions of TOE data and
functions.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 16 of 51
© 2007 Network Chemistry
4 Security Objectives
This section identifies the security objectives of the TOE and its supporting environment. The security objectives
identify the responsibilities of the TOE and its environment in meeting the security needs.
4.1 TOE Security Objectives
The following are the TOE security objectives:
O.PROTCT The TOE must protect itself from unauthorized modifications and access to its functions and data.
O.IDSCAN The TOE must collect and store static configuration information that might be indicative of the
potential for a future intrusion or the occurrence of a past intrusion of an IT System.
O.IDSENS The TOE must collect and store information about all events that are indicative of inappropriate
activity that may have resulted from misuse, access, or malicious activity of IT System assets.
O.IDANLZ The TOE must accept data from Sensors and then apply analytical processes and information to
derive conclusions about intrusions (past, present, or future).
O.RESPON The TOE must respond appropriately to analytical conclusions.
O.EADMIN The TOE must include a set of functions that allow effective management of its functions and
data.
O.ACCESS The TOE must allow authorized users to access only appropriate TOE functions and data.
O.IDAUTH The TOE must be able to identify and authenticate users prior to allowing access to TOE functions
and data.
O.OFLOWS The TOE must appropriately handle potential audit and System data storage overflows.
O.AUDITS The TOE must record audit records for data accesses and use of the System functions.
O.INTEGR The TOE must ensure the integrity of all audit and System data.
O.EXPORT When any IDS component makes its data available to another IDS component, the TOE will
ensure the confidentiality of the System data.
4.2 Security Objectives for the Environment
The TOE’s operating environment must satisfy the following objectives.
4.2.1 Non-IT Objectives
These objectives do not levy any IT requirements but are satisfied by procedural or administrative measures.
OE.INSTAL Those responsible for the TOE must ensure that the TOE is delivered, installed, managed, and
operated in a manner which is consistent with IT security.
OE.PHYCAL Those responsible for the TOE must ensure that those parts of the TOE critical to security policy
are protected from any physical attack.
OE.CREDEN Those responsible for the TOE must ensure that all access credentials are protected by the users in
a manner which is consistent with IT security.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 17 of 51
© 2007 Network Chemistry
OE.PERSON Personnel working as authorized administrators shall be carefully selected and trained for proper
operation of the System.
OE.INTROP The TOE is interoperable with the IT System it monitors.
4.2.2 IT Objectives
OE.TIME The IT Environment will provide reliable timestamps to the TOE.
OE.PROTECT The IT Environment will protect itself and the TOE from external interference or tampering.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 18 of 51
© 2007 Network Chemistry
5 IT Security Requirements
This section defines the Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs)
met by the TOE as well as Security Functional Requirements met by the TOE IT environment. These requirements
are presented following the conventions identified in Section 1.3.1.
5.1 TOE Security Functional Requirements
This section specifies the SFRs for the TOE. This section organizes the SFRs by CC class. Table 2 identifies all
SFRs implemented by the TOE.
Table 2 – TOE Security Functional Requirements
SFR ID Description
FAU_GEN.1 Audit data generation
FAU_SAR.1 Audit review
FAU_STG.1 Protected audit trail storage
FIA_ATD.1 User attribute definition
FIA_UAU.1 Timing of authentication
FIA_UID.1 Timing of identification
FMT_MOF.1 Management of security functions behaviour
FMT_MTD.1 Management of TSF data
FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
FPT_ITT.1 Basic internal TSF data transfer protection
FPT_RVM.1(1) Non-bypassability of the TSP
FPT_SEP.1(1) TSF domain separation
FPT_STM.1(1) Reliable time stamps
IDS_NDC.1 Network data collection
IDS_ANL.1 Analyzer analysis
IDS_RCT.1 Analyzer react
IDS_RDR.1 Restricted data review
IDS_STG.1 Guarantee of System data availability
Section 5.1 contains the functional components from the Common Criteria (CC) Part 2 with the operations
completed. For the conventions used in performing CC operations please refer to Section 1.3.1.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 19 of 51
© 2007 Network Chemistry
5.1.1 Class FAU: Security Audit
FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
FAU_GEN.1.1
The TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events, for the [not specified] level of audit; and
c) [auditable events listed in Table 3].
FAU_GEN.1.2
The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity, and the outcome (success or failure) of the
event; and
b) For each audit event type, based on the auditable event definitions of the functional components included
in the PP/ST, [no other information].
Dependencies: FPT_STM.1 Reliable time stamps
Table 3 – Auditable Events
Auditable Event
Alert unacknowledged by user
Alert deleted by user
Location record deleted
Location record moved
User logged on to database
All alerts from expert acknowledged
All alerts from expert unacknowledged
Expert alert acknowledged
Expert alert unacknowledged
Expert alert deleted
KnownStation record deleted
KnownStation record updated
Ignore status for known station changed
Cleared all events from event log
Database cleared by user
Built-in Sensor properties edited
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 20 of 51
© 2007 Network Chemistry
Auditable Event
Station deleted
Notification record created
Notification record deleted
Notification record edited
License key removed
License key added
Report generated
Sensor properties edited
New StationTemplate record created/edited
Sensor template deleted
Sensor template enabled
Sensor template disabled
Sensor record created
Sensor record deleted
Sensor edited
Sensor enabled
Sensor disabled
User added to the Account Manager
User deleted from the Account Manager
New KnownStation record created
FAU_SAR.1 Audit review
Hierarchical to: No other components.
FAU_SAR.1.1
The TSF shall provide [users with the SysDBA and/or Administrator roles] with the capability to read [all
audit data] from the audit records.
FAU_SAR.1.2
The TSF shall provide the audit records in a manner suitable for the user to interpret the information.
Dependencies: FAU_GEN.1 Audit data generation
FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
FAU_STG.1.1
The TSF shall protect the stored audit records from unauthorised deletion.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 21 of 51
© 2007 Network Chemistry
FAU_STG.1.2
The TSF shall be able to [prevent] unauthorised modifications to the audit records in the audit trail.
Dependencies: FAU_GEN.1 Audit data generation
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 22 of 51
© 2007 Network Chemistry
5.1.2 Class FIA: Identification and Authentication
FIA_ATD.1 User attribute definition
Hierarchical to: No other components.
FIA_ATD.1.1
The TSF shall maintain the following list of security attributes belonging to individual users: [user ID,
hashed password, user role].
Dependencies: No dependencies
FIA_UAU.1 Timing of authentication
Hierarchical to: No other components.
FIA_UAU.1.1
The TSF shall allow [user identification, access to online help] on behalf of the user to be performed before
the user is authenticated.
FIA_UAU.1.2
The TSF shall require each user to be successfully authenticated before allowing any other TSF-mediated
actions on behalf of that user.
Dependencies: FIA_UID.1 Timing of identification
FIA_UID.1 Timing of identification
Hierarchical to: No other components.
FIA_UID.1.1
The TSF shall allow [access to online help] on behalf of the user to be performed before the user is
identified.
FIA_UID.1.2
The TSF shall require each user to be successfully identified before allowing any other TSF-mediated
actions on behalf of that user.
Dependencies: No dependencies
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 23 of 51
© 2007 Network Chemistry
5.1.3 Class FMT: Security Management
FMT_MOF.1 Management of security functions behaviour
Hierarchical to: No other components.
FMT_MOF.1.1
The TSF shall restrict the ability to [modify the behaviour of] the functions [of System data collection,
analysis, and reaction] to [authorised System administrators].
Dependencies: FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
FMT_MTD.1 Management of TSF data
Hierarchical to: No other components.
FMT_MTD.1.1
The TSF shall restrict the ability to [query, modify, delete, clear] the [System data] to [the SysDBA and
Administrator roles].
Dependencies: FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of management functions
Hierarchical to: No other components.
FMT_SMF.1.1
The TSF shall be capable of performing the following security management functions: [TSF data
management and security function management].
Dependencies: No Dependencies
FMT_SMR.1 Security roles
Hierarchical to: No other components.
FMT_SMR.1.1
The TSF shall maintain the roles [SysDBA, Administrator, Viewer].
FMT_SMR.1.2
The TSF shall be able to associate users with roles.
Dependencies: FIA_UID.1 Timing of identification
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 24 of 51
© 2007 Network Chemistry
5.1.4 Class FPT: Protection of the TSF
FPT_ITT.1 Basic internal TSF data transfer protection
Hierarchical to: No other components.
FPT_ITT.1.1
The TSF shall protect TSF data from [disclosure, modification] when it is transmitted between Sensors
and the Server separate parts of the TOE.
Dependencies: No dependencies
FPT_RVM.1(1) Non-bypassability of the TSP
Hierarchical to: No other components.
FPT_RVM.1(1).1
The TSF shall ensure that TSP enforcement functions are invoked and succeed before each function within
the TSC is allowed to proceed.
Dependencies: No dependencies
FPT_SEP.1(1) TSF domain separation
Hierarchical to: No other components.
FPT_SEP.1(1).1
The TSF shall maintain a security domain for its own execution that protects it from interference and
tampering by untrusted subjects.
FPT_SEP.1(1).2
The TSF shall enforce separation between the security domains of subjects in the TSC.
Dependencies: No dependencies
FPT_STM.1(1) Reliable time stamps
Hierarchical to: No other components.
FPT_STM.1(1).1
The TSF shall be able to provide reliable time stamps for its own use.
Dependencies: No dependencies
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 25 of 51
© 2007 Network Chemistry
5.1.5 Class IDS: IDS Functionality
IDS_NDC.1 Network data collection (EXP)
IDS_NDC.1.1
The System shall be able to collect the following information from the targeted network:
a) [identification and authentication events, data accesses, service requests, network traffic, data
introduction, detected known vulnerabilities, radio frequency characteristics and anomalies]; and
b) [no other events]. (EXP)
IDS_NDC.1.2
At a minimum, the System shall collect and record the following information:
• Date and time of the event, type of event, and subject identity; and
• Specific service, Protocol, source address, and destination address. (EXP)
IDS_ANL.1 Analyzer analysis (EXP)
IDS_ANL.1.1
The System shall perform the following analysis function on all IDS data received:
a) [statistical, signature]; and
b) [no other functions]. (EXP)
IDS_ANL.1.2
The System shall record within each analytical result at least the following information:
a) Date and time of the result, type of result, identification of data source; and
b) [no other information]. (EXP)
IDS_RCT.1 Analyzer react (EXP)
IDS_RCT.1.1
The System shall send an alarm to [the authorized administrator via the RFprotect Console] and [create a
System data record] when an intrusion is detected. (EXP)
IDS_RDR.1 Restricted data review (EXP)
IDS_RDR.1.1
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 26 of 51
© 2007 Network Chemistry
The System shall provide [the SysDBA and/or Administrator roles] with the capability to read [all System
data] from the System data. (EXP)
IDS_RDR.1.2
The System shall provide the System data in a manner suitable for the user to interpret the information.
(EXP)
IDS_RDR.1.3
The System shall prohibit all users read access to the System data, except those users that have been
granted explicit read-access. (EXP)
IDS_STG.1 Guarantee of System data availability (EXP)
IDS_STG.1.1
The System shall protect the stored System data from unauthorized deletion. (EXP)
IDS_STG.1.2
The System shall protect the stored System data from unauthorized modification. (EXP)
IDS_STG.1.3
The System shall ensure that [the previously recorded] System data will be maintained when the following
conditions occur: [System data storage exhaustion]. (EXP)
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 27 of 51
© 2007 Network Chemistry
5.2 Security Functional Requirements on the IT Environment
This section specifies the SFRs for the TOE environment. This section organizes the SFRs by CC class. Table 4
identifies all SFRs implemented by the TOE environment and indicates the ST operations performed on each
requirement.
Table 4 – TOE Environment SFRs
SFR ID Description
FPT_RVM.1(2) Non-bypassability of the TSP
FPT_SEP.1(2) TSF domain separation
FPT_STM.1(2) Reliable time stamps
5.2.1 Class FPT: Protection of the TSF
FPT_RVM.1(2) Non-bypassability of the TSP
FPT_RVM.1.1(2)
The environment shall ensure that TSP enforcement functions are invoked and succeed before each
function within the TSC is allowed to proceed.
FPT_SEP.1(2) TSF domain separation
FPT_SEP.1.1(2)
The environment shall maintain a security domain for the RFprotect Server’s, RFprotect Sensor’s, and
RFprotect Mobile’s execution that protects them from interference and tampering by untrusted subjects.
FPT_SEP.1.2(2)
The environment shall enforce separation between the security domains of subjects in the TSC.
FPT_STM.1(2) Reliable time stamps
FPT_STM.1.1(2)
The environment of the RFprotect Server shall be able to provide reliable time stamps for the RFprotect
Server’s and RFprotect Sensor’s use.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 28 of 51
© 2007 Network Chemistry
5.3 Assurance Requirements
This section defines the EAL 2 assurance requirements for the TOE. Assurance requirements are taken from the CC
Part 3 and are summarized in Table 5 below.
Table 5 – Assurance Requirements
Assurance Requirements
Class ACM: Configuration management ACM_CAP.2 Configuration items
ADO_DEL.1 Delivery procedures
Class ADO: Delivery and operation
ADO_IGS.1 Installation, generation, and start-up procedures
ADV_FSP.1 Informal functional specification
ADV_HLD.1 Descriptive high-level design
Class ADV: Development
ADV_RCR.1 Informal correspondence demonstration
AGD_ADM.1 Administrator guidance
Class AGD: Guidance documents
AGD_USR.1 User guidance
ATE_COV.1 Evidence of coverage
ATE_FUN.1 Functional testing
Class ATE: Tests
ATE_IND.2 Independent testing – sample
AVA_SOF.1 Strength of TOE security function evaluation
Class AVA: Vulnerability assessment
AVA_VLA.1 Developer vulnerability analysis
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 29 of 51
© 2007 Network Chemistry
6 TOE Summary Specification
This section details how the TOE meets the functional and assurance requirements described in previous sections of
this ST.
6.1 TOE Security Functions
Each of the security requirements and the associated descriptions correspond to the security functions. Hence, each
function is described by how it specifically satisfies each of its related requirements. This serves to both describe
the security functions and rationalize that the security functions are suitable to satisfy the necessary requirements.
Table 6 – Mapping of TOE Security Functions to Security Functional Requirements
TOE Security
Function
SFR ID Description
FAU_GEN.1 Audit data generation
FAU_SAR.1 Audit review
Security Audit
FAU_STG.1 Protected audit trail storage
FIA_ATD.1 User attribute definition
FIA_UAU.1 Timing of authentication
Identification and
Authentication
FIA_UID.1 Timing of identification
FMT_MOF.1 Management of security functions behaviour
FMT_MTD.1 Management of TSF data
FMT_SMF.1 Specification of management functions
Security Management
FMT_SMR.1 Security roles
FPT_ITT.1 Basic internal TSF data transfer protection
FPT_RVM.1 Non-bypassability of the TSP
FPT_SEP.1 TSF domain separation
Protection of the TSF
FPT_STM.1 Reliable time stamps
IDS_NDC.1 Network data collection
IDS_ANL.1 Analyzer analysis
IDS_RCT.1 Analyzer react
IDS_RDR.1 Restricted data review
IDS Component
Requirements
IDS_STG.1 Guarantee of System data availability
6.1.1 Security Audit
The TOE generates two types of audit data; audit records which contain information regarding the administration
and management of the TOE, and IDS event records which contain IDS information received from the sensors and
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 30 of 51
© 2007 Network Chemistry
other local network devices1
. This security function addresses the generation, storage and viewing of audit records.
The separate TOE security function called “IDS Component Requirements†covers the generation, storage, and
viewing of the IDS event records. IDS Event Records are discussed in Section 6.1.5.
The TOE administrators interact with the TOE through the RFprotect Console client software (hereafter referred to
as the “Consoleâ€) and the EngineManager2
client software interfaces. Both TOE administrator interfaces are
mechanisms for interacting with the RFprotect Server (hereafter referred to as the “Serverâ€) and as such all audited
administrator actions made through either interface are recorded in the Server. The TOE creates an audit record
when a TOE administrator causes any of the events in Table 3 above to occur. Audit records are stored within a
database which is a subcomponent of the Server. Audit records include the date and time of the event, type of event,
subject identity, and the outcome (success or failure) of the event3
. TOE administrators do not have direct access to
the database. TOE administrators can read audit records only through the TOE’s administrative interfaces, and only
when authenticated as described below. TOE administrators are never given write access to the audit records.
Only TOE administrators can read the audit data.
Security Functional Requirements Satisfied: FAU_GEN.1, FAU_SAR.1, FAU_STG.1
6.1.2 Identification and Authentication
This section describes the TOE controls on user access and the user attributes employed by the TOE to make access
control decisions. TOE administrators can properly access the TOE in two ways; via the Console client or via the
EngineManager client. TOE administrators do not directly access the Sensors. For both methods of access, the
identification and authentication mechanism is provided by the Server. The Server stores a username, a hashed
password (i.e. authentication data), and the role associated with the administrator (i.e. authorizations), for each TOE
administrator. An administrator is authenticated when the hash of the password that has been entered matches the
stored hashed password. No actions are allowed on behalf of the administrator prior to identification and
authentication of an administrator. Any user attempting to interact with the TOE is presented only with a login
screen until successful identification and authentication is completed. A role is assigned to an administrator when
the administrator account is created. Login is not permitted if there is no associated role for the administrator.
TOE Security Functional Requirements Satisfied: FIA_ATD.1, FIA_UAU.1, FIA_UID.1
6.1.3 Security Management
This section describes the role definition and role management functionalities of the TOE. The TOE maintains three
(3) roles which are identified in FMT_SMR.1. The roles determine an administrator’s level of access to security
management functions provided by the TOE. These security management functions are the management of all audit
and event records, management of access control, and management of IDS functions used to collect, react to, and
analyze data. An administrator can be assigned one role from the list of available roles.
User attempts to manage TOE security functionality and change, query, modify, or delete security attributes
originate at the Console or the EngineManager interfaces. All requests for services from either of these interfaces
1
The TOE’s “RogueCheck†function probes the local protected network to determine whether or not a rogue
wireless access point is physically connected to the protected local area network. This probe involves
communication with various network devices which form the infrastructure of the protected network, such as routers
and switches.
2
EngineManager is run locally on the Server and allows administrators to start, stop, and manage the Server engine.
3
In some cases, “success†of an event is indicated by the existence of an audit record, and “failure†of an event is
indicated by the non-existence of an audit record.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 31 of 51
© 2007 Network Chemistry
are passed to the Server, which mediates the access control to those functions. The Server makes the access control
decision by comparing the administrator’s role and the privilege requirement for the type of request made.
TOE Security Functional Requirements Satisfied: FMT_MOF.1, FMT_MTD.1,FMT_SMF.1, FMT_SMR.1
6.1.4 Protection of the TSF
The TOE provides several mechanisms for protecting its security functions. The TOE protects all TOE Security
Function (TSF) data from disclosure when it is transmitted between Sensors and the Server by using direct
protection via Network Chemistry’s implementation of AES. The Sensors and Server are configured with a shared
secret to validate their identity and protect their communications.
The TOE consists of four architecturally separate components that are listed below. Each physical TOE component
ensures that security mechanisms cannot be bypassed; however, all TOE components rely on the TOE environment
to enforce domain separation.
• RFprotect Server
• RFprotect Console
• RFprotect Sensor
• RFprotect Mobile
The RFprotect Server is a software application which runs on a standard server. This component of the TOE
ensures that the security mechanisms cannot be bypassed. The security mechanisms cannot be bypassed because all
management and configuration functions of the TOE are carried out only by Authorized TOE Users. All
management and configuration operations are conducted in the context of an associated management session. This
management session is established only after an administrator has successfully authenticated. Sessions ensure that
all future communications within the context of that session are logically linked to the original authentication. All
management and configuration operations are checked for conformance to the granted level of access and rejected if
non-conformant. The management session is destroyed when the corresponding TOE User logs out of that session.
No management functions can be executed by a non-authenticated administrator. This ensures that security
protection enforcement functions are invoked and succeed before each function within the TSF scope of control is
allowed to proceed.
Protection of the TOE from physical tampering is ensured by its environment. It is the responsibility of the
administrator to ensure that the physical connections made to the TOE remain intact and unmodified. The Server
runs on standard PC/server hardware on a general purpose operating system; the combination of Server application,
the operating system, and the hardware and firmware provide all the services necessary to implement the Server-
supported TSFs. The environment (that is, the hardware and operating system hosting the Server) maintains a
security domain for the Server’s own execution that protects it from interference and tampering by untrusted
subjects. The underlying assumption regarding the operation of the Server is that it is maintained in a physically
secure environment. Using kernel/user mode switching, the underlying OS controls the execution of each process
and ensures that all the information used for management purposes is protected from direct access by any other
process. Furthermore, in order to ensure the correct execution of each process, the OS protects each process’s
private information (executable code, data, and stack) from uncontrolled interferences from other processes. These
features ensure that the TSF maintains a security domain for its own execution that protects it from interference and
tampering by untrusted subjects.
The RFprotect Console application does not directly enforce any security mechanisms; therefore non-bypassability
is not applicable. The RFprotect Console operates in its own domain of execution provided by the underlying
operating system and hardware (the environment), which is not part of the TOE.
The RFprotect Sensor is a software application which runs on a dedicated appliance with a proprietary operating
system. It contains a wireless network interface which scans the available radio channels in promiscuous mode, i.e.
it receives and analyses all network traffic which reaches its antennas on the channel which it is currently scanning.
This component of the TOE enforces domain separation and ensures that the security mechanisms cannot be
bypassed. The tight control of the ability to make configuration changes on the Server ensures that the Sensor
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 32 of 51
© 2007 Network Chemistry
cannot be disabled by an attacker. The logic of wireless protocol processing on the Sensor ensures that all activities
indicative of intrusions are reported to the Server; therefore, the sensor will detect and react to all appropriate
network traffic and is non-bypassable. All management and configuration operations are conducted in the context of
an associated management session. This management session is established only after an administrator has
successfully authenticated to the Server and/or to the Sensor. No management functions can be executed by a non-
authenticated administrator; this ensures that security protection enforcement functions are invoked and succeed
before each function within the TSF scope of control is allowed to proceed. These mechanisms are linked deeply
into the operating system (OS) access control, process management, and Transmission Control Protocol (TCP)
session management mechanisms. These mechanisms operate correctly because they are protected by the Domain
Separation mechanisms.
The RFprotect Mobile TOE component is a self-contained combination of the RFprotect Server software, the
RFprotect Sensor software, and the RFprotect Console software running on a standard PC with a general purpose
operating system. The Mobile component has a network interface operating in promiscuous mode, i.e. it receives
and analyzes all network traffic. The Server software and the Console software are configured and implemented
exactly as described above; the Sensor software is also configured and implemented as described above, except that
the Sensor is not a self-contained appliance, but rather the Sensor software runs on a general purpose operating
system.
The Server provides reliable timestamps for its own use. The Server receives time information from the local
operating system.
TOE Security Functional Requirements Satisfied: FPT_ITT.1, FPT_RVM.1(1), FPT_SEP.1(1), FPT_STM.1(1)
6.1.5 IDS Component Requirements
The TOE provides intrusion detection functions that include collection of data from sensor and scanner functions as
well as analysis functions found within the Server.
The Sensor is used to scan, monitor, and regulate local wireless networks. The Sensor can detect suspicious events
by monitoring network traffic from visible network stations. The Sensor collects information about wireless events
and sends this information back to the Server which then analyzes the data and generates IDS event records as
necessary. The Server provides functionality to view collected IDS event records as well as to determine summary
information.
6.1.5.1 Data Collection and Analysis by the RFprotect Sensor
The RFprotect Sensor’s primary purpose is to scan various radio frequencies (“channelsâ€) via its built-in radio,
receive data packets, perform pre-processing on those packets, and send the results to the Server.
The Sensor uses an adaptive algorithm to spend more time on the channels which are currently seeing traffic and
less time on the channels that are not seeing traffic. The administrator specifies a default amount of time to spend
watching each channel, and the Sensor then adapts this default time based on the traffic that is currently seen on
various channels – channels with heavy traffic patterns will get more time, and channels with little traffic will get
less time. When the Sensor sees a data packet on a channel, it collects and generates statistical data about the packet
and transmits this information to the Server in bursts.
6.1.5.2 Data Collection and Analysis by the RFprotect Server
The RFprotect Server stores all the IDS event records generated by the sensors components of the TOE in a central
location for analysis and viewing. The Server stores the IDS event records in a dedicated database. TOE
administrators in appropriate roles can read and delete IDS event records through the Server. Alerts are generated
and stored in the database for viewing via the RFprotect Console.
The RFprotect Console processes event data from the Server and displays it in a human readable format. It provides
tools for sorting, scoring, and listing events.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 33 of 51
© 2007 Network Chemistry
TOE Security Functional Requirements Satisfied: IDS_NDC.1, IDS_ANL.1, IDS_RCT.1, IDS_RDR.1,
IDS_STG.1
6.2 TOE Security Assurance Measures
EAL 2 was chosen to provide a basic level of independently assured security. This section of the Security Target
maps the assurance requirements of the TOE for a CC EAL 2 level of assurance to the assurance measures used for
the development and maintenance of the TOE. The following table provides a mapping of the appropriate
documentation to the TOE assurance requirements.
Table 7 – Assurance Measures Mapping to TOE Security Assurance Requirements (SARs)
Assurance
Component
Assurance Measure
ACM_CAP.2 Network Chemistry RFprotect Distributed v6.1.2,
RFprotect Sensor v6.1.22, and RFprotect Mobile v6.1.2 –
Configuration Management
ADO_DEL.1 Network Chemistry RFprotect Distributed v6.1.2,
RFprotect Sensor v6.1.22, and RFprotect Mobile v6.1.2 –
Secure Delivery
ADO_IGS.1 Network Chemistry RFprotect Distributed v6.1.2,
RFprotect Sensor v6.1.22, and RFprotect Mobile v6.1.2 -
Installation Guide Supplement
ADV_FSP.1 Network Chemistry RFprotect Distributed v6.1.2,
RFprotect Sensor v6.1.22, and RFprotect Mobile v6.1.2 –
TOE Architecture: High Level Design, Functional
Specification, and Representation Correspondence
ADV_HLD.1 Network Chemistry RFprotect Distributed v6.1.2,
RFprotect Sensor v6.1.22, and RFprotect Mobile v6.1.2 –
TOE Architecture: High Level Design, Functional
Specification, and Representation Correspondence
ADV_RCR.1 Network Chemistry RFprotect Distributed v6.1.2,
RFprotect Sensor v6.1.22, and RFprotect Mobile v6.1.2 –
TOE Architecture: High Level Design, Functional
Specification, and Representation Correspondence
AGD_ADM.1 Network Chemistry RFprotect Distributed v6.1.2,
RFprotect Sensor v6.1.22, and RFprotect Mobile v6.1.2
Administrator Guidance Supplement
AGD_USR.1 [User Guides]
ATE_COV.1 Network Chemistry RFprotect Distributed v6.1.2,
RFprotect Sensor v6.1.22, and RFprotect Mobile v6.1.2 –
Functional Tests and Coverage
ATE_FUN.1 Network Chemistry RFprotect Distributed v6.1.2,
RFprotect Sensor v6.1.22, and RFprotect Mobile v6.1.2 –
Functional Tests and Coverage
ATE_IND.1 Generated by Common Criteria Testing Laboratory
AVA_SOF.1 Network Chemistry RFprotect Distributed v6.1.2,
RFprotect Sensor v6.1.22, and RFprotect Mobile v6.1.2 –
Vulnerability Assessment
AVA_VLA.1 Network Chemistry RFprotect Distributed v6.1.2,
RFprotect Sensor v6.1.22, and RFprotect Mobile v6.1.2 –
Vulnerability Assessment
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 34 of 51
© 2007 Network Chemistry
6.2.1 ACM_CAP.2: Configuration Management Document
The Configuration Management document provides a description of the various tools used to control the
configuration items and how they are used internally at Network Chemistry. This document provides a complete
configuration item list and a unique referencing scheme for each configuration item. Additionally, the configuration
management system is described including procedures that are used by developers to control and track changes that
are made to the TOE. The documentation further details the TOE configuration items that are controlled by the
configuration management system.
6.2.2 ADO_DEL.1: Delivery and Operation Document
The Delivery and Operation document provides a description of the secure delivery procedures implemented by
Network Chemistry to protect against TOE modification during product delivery. The Installation Documentation
provided by Network Chemistry details the procedures for installing the TOE and placing the TOE in a secure state
offering the same protection properties as the master copy of the TOE. The Installation Documentation provides
guidance to the TOE Users(s) on configuring the TOE and how they affect the TSF.
6.2.3 ADO_IGS.1: Installation Guidance, AGD_ADM.1: Administrator Guidance,
AGD_USR.1: User Guidance
The installation guidance document provides the procedures necessary for the secure installation, generation, and
start-up of the TOE for administrators and users of the TOE.
The administrator guidance documentation provides detailed procedures for the administration of the TOE and
description of the security functions provided by the TOE.
The User Guidance documentation provided directs users on how to operate the TOE in a secure manner.
Additionally, User Guidance explains the user-visible security functions and how they need to be exercised.
6.2.4 ADV_FSP.1: Informal Functional Specification, ADV_HLD.1: High Level
Design, ADV_RCR.1: Representation Correspondence.
The Network Chemistry design documentation consists of several related design documents that address the
components of the TOE at different levels of abstraction. The following design documents address the Development
Assurance Requirements:
• The Functional Specification provides a description of the security functions provided by the TOE
and a description of the external interfaces to the TSF. The Functional Specification covers the
purpose and method of use and a list of effects, exceptions, and errors message for each external TSF
interface.
• The High-Level Design provides a top level design specification that refines the TSF functional
specification into the major constituent parts (subsystems) of the TSF. The high-level design
identifies the basic structure of the TSF, the major elements, a listing of all interfaces, and the
purpose and method of use for each interface.
• The Representation Correspondence demonstrates the correspondence between each of the TSF
representations provided. This mapping is performed to show the functions traced from the ST
description to the High-Level Design.
6.2.5 ATE_COV.1: Test Coverage Analysis, ATE_FUN.1: Functional Testing,
ATE_IND.2: Independent Testing
There are a number of components that make up the Test documentation. The Coverage Analysis demonstrates that
testing is performed against the functional specification. The Coverage Analysis demonstrates the extent to which
the TOE security functions were tested as well as the level of detail to which the TOE was tested. Test Plans and
Test Procedures, which detail the overall efforts of the testing effort and break down the specific steps taken by a
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 35 of 51
© 2007 Network Chemistry
tester, are also provided in order to meet the assurance requirement Functional Testing. Independent Testing will be
performed by EWA in order to determine whether the TOE behaves as specified, and to gain confidence in the
developer’s test results by performing a sample of the developer’s tests.
6.2.6 AVA_VLA.1: Vulnerability Analysis, AVA_SOF.1: Strength of Function
Analysis
A Vulnerability Assessment is provided to demonstrate ways in which an entity could violate the TOE Security
Policy (TSP) and provide a list of identified vulnerabilities. Additionally, this document provides evidence of how
the TOE is resistant to obvious attacks.
The Strength of TOE Security Function Analysis demonstrates the strength of the probabilistic or permutational
mechanisms employed to provide security functions within the TOE and how they exceed the minimum Strength of
Function (SOF) requirements.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 36 of 51
© 2007 Network Chemistry
7 Protection Profile Claims
This section provides the identification and justification for any Protection Profile conformance claims.
7.1 Protection Profile Reference
There are no protection profile claims for this security target.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 37 of 51
© 2007 Network Chemistry
8 Rationale
This section provides the rationale for the selection of the security requirements, objectives, assumptions, and
threats. In particular, it shows that the security requirements are suitable to meet the security objectives, which in
turn are shown to be suitable to cover all aspects of the TOE security environment.
8.1 Security Objectives Rationale
This section provides a rationale for the existence of each assumption, threat, and policy statement that compose the
Security Target.
8.1.1 Security Objectives Rationale Relating to Threats
Table 8 demonstrates the mapping between the threats and the security objectives is complete. The following
discussion provides detailed evidence of coverage for each threat.
Table 8 – Relationship of Security Threats to Objectives
TOE Environment
Objectives
Threats
O.PROTCT
O.IDSCAN
O.IDSENS
O.IDANLZ
O.RESPON
O.EADMIN
O.ACCESS
O.IDAUTH
O.OFLOWS
O.AUDITS
O.INTEGR
O.EXPORT
OE.INSTAL
OE.PHYCAL
OE.CREDEN
OE.PERSON
OE.INTROP
OE.PROTECT
OE.TIME
T.COMINT �
�
�
� �
�
�
� �
�
�
� �
�
�
� �
�
�
�
T.COMDIS �
�
�
� �
�
�
� �
�
�
� �
�
�
� �
�
�
�
T.LOSSOF �
�
�
� �
�
�
� �
�
�
� �
�
�
�
T.NOHALT �
�
�
� �
�
�
� �
�
�
� �
�
�
� �
�
�
�
T.PRIVIL �
�
�
� �
�
�
� �
�
�
�
T.IMPCON �
�
�
� �
�
�
� �
�
�
� �
�
�
�
T.INFLUX �
�
�
�
T.FACCNT �
�
�
�
T.BLIND �
�
�
�
T.MSQERADE �
�
�
� �
�
�
� �
�
�
� �
�
�
� �
�
�
�
T.SCNCFG �
�
�
�
T.SCNMLC �
�
�
�
T.SCNVUL �
�
�
�
T.FALACT �
�
�
�
T.FALREC �
�
�
�
T.FALASC �
�
�
�
T.MISUSE �
�
�
� �
�
�
�
T.INADVE �
�
�
� �
�
�
�
Threats
T.MISACT �
�
�
� �
�
�
�
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 38 of 51
© 2007 Network Chemistry
T.COMINT An unauthorized user may attempt to compromise the integrity of the data collected and
produced by the TOE by bypassing a security mechanism.
The O.IDAUTH objective provides for authentication of users prior to any TOE data access. The
O.ACCESS objective builds upon the O.IDAUTH objective by only permitting authorized users to
access TOE data. The O.INTEGR objective ensures no TOE data will be modified. The
O.PROTCT objective addresses this threat by providing TOE self-protection. The OE.PROTECT
objective supports the meeting of this policy by ensuring that the environment protects the TOE
from bypass attacks.
T.COMDIS An unauthorized user may attempt to disclose the data collected and produced by the TOE
by bypassing a security mechanism.
The O.IDAUTH objective provides for authentication of users prior to any TOE data access. The
O.ACCESS objective builds upon the O.IDAUTH objective by only permitting authorized users to
access TOE data. The O.EXPORT objective ensures that confidentiality of TOE data will be
maintained. The O.PROTCT objective addresses this threat by providing TOE self-protection.
The OE.PROTECT objective supports the meeting of this policy by ensuring that the environment
protects the TOE from bypass attacks.
T.LOSSOF An unauthorized user may attempt to remove or destroy data collected and produced by the
TOE.
The O.IDAUTH objective provides for authentication of users prior to any TOE data access. The
O.ACCESS objective builds upon the O.IDAUTH objective by only permitting authorized users to
access TOE data. The O.INTEGR objective ensures no TOE data will be deleted. The
O.PROTCT objective addresses this threat by providing TOE self-protection.
T.NOHALT An unauthorized user may attempt to compromise the continuity of the System’s collection
and analysis functions by halting execution of the TOE.
The O.IDAUTH objective provides for authentication of users prior to any TOE function accesses.
The O.ACCESS objective builds upon the O.IDAUTH objective by only permitting authorized
users to access TOE functions. The O.IDSCAN, O.IDSENS, and O.IDANLZ objectives address
this threat by requiring the TOE to collect and analyze System data, which includes attempts to
halt the TOE.
T.PRIVIL An unauthorized user may gain access to the TOE and exploit system privileges to gain
access to TOE security functions and data.
The O.IDAUTH objective provides for authentication of users prior to any TOE function accesses.
The O.ACCESS objective builds upon the O.IDAUTH objective by only permitting authorized
users to access TOE functions. The O.PROTCT objective addresses this threat by providing TOE
self-protection.
T.IMPCON An unauthorized user may inappropriately change the configuration of the TOE causing
potential intrusions to go undetected.
The OE.INSTAL objective states the authorized administrators will configure the TOE properly.
The O.EADMIN objective ensures the TOE has all the necessary administrator functions to
manage the product. The O.IDAUTH objective provides for authentication of users prior to any
TOE function accesses. The O.ACCESS objective builds upon the O.IDAUTH objective by only
permitting authorized users to access TOE functions.
T.INFLUX An unauthorized user may cause malfunction of the TOE by creating an influx of data that
the TOE cannot handle.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 39 of 51
© 2007 Network Chemistry
The O.OFLOWS objective counters this threat by requiring the TOE handle data storage
overflows.
T.FACCNT Unauthorized attempts to access TOE data or security functions may go undetected.
The O.AUDITS objective counters this threat by requiring the TOE to audit attempts for data
accesses and use of TOE functions.
T.BLIND An attacker may blind the TOE by physically shielding or damaging TOE antennas.
The OE.PHYCAL objective counters this threat by requiring those responsible for the TOE to
ensure that the TOE is protected from any physical attack.
T.MSQERADE A network attacker may attempt to imitate a client system in order to gain information
about the vulnerabilities of the client system.
The O.IDAUTH objective provides for authentication of users prior to any TOE data access. The
O.ACCESS objective builds upon the O.IDAUTH objective by only permitting authorized users to
access TOE data. The O.EXPORT objective ensures that confidentiality of TOE data will be
maintained. The O.PROTCT objective addresses this threat by providing TOE self-protection.
The OE.PROTECT objective supports the meeting of this policy by ensuring that the environment
protects the TOE from bypass attacks.
T.SCNCFG Improper security configuration settings may exist in the IT System the TOE monitors.
The O.IDSCAN objective counters this threat by requiring a TOE, that contains a Scanner, collect
and store static configuration information that might be indicative of a configuration setting
change. The ST will state whether this threat must be addressed by a Scanner.
T.SCNMLC Users could execute malicious code on an IT System that the TOE monitors which causes
modification of the IT System protected data or undermines the IT System security
functions.
The O.IDSCAN objective counters this threat by requiring a TOE, that contains a Scanner, collect
and store static configuration information that might be indicative of malicious code. The ST will
state whether this threat must be addressed by a Scanner.
T.SCNVUL Vulnerabilities may exist in the IT System the TOE monitors.
The O.IDSCAN objective counters this threat by requiring a TOE, that contains a Scanner, collect
and store static configuration information that might be indicative of a vulnerability. The ST will
state whether this threat must be addressed by a Scanner.
T.FALACT The TOE may fail to react to identified or suspected vulnerabilities or inappropriate
activity.
The O.RESPON objective ensures the TOE reacts to analytical conclusions about suspected
vulnerabilities or inappropriate activity.
T.FALREC The TOE may fail to recognize vulnerabilities or inappropriate activity based on IDS data
received from each data source.
The O.IDANLZ objective provides the function that the TOE will recognize vulnerabilities or
inappropriate activity from a data source.
T.FALASC The TOE may fail to identify vulnerabilities or inappropriate activity based on association of
IDS data received from all data sources.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 40 of 51
© 2007 Network Chemistry
The O.IDANLZ objective provides the function that the TOE will recognize vulnerabilities or
inappropriate activity from multiple data sources.
T.MISUSE Unauthorized accesses and activity indicative of misuse may occur on an IT System the TOE
monitors.
The O.AUDITS and O.IDSENS objectives address this threat by requiring a TOE, that contains a
Sensor, collect audit and Sensor data.
T.INADVE Inadvertent activity and access may occur on an IT System the TOE monitors.
The O.AUDITS and O.IDSENS objectives address this threat by requiring a TOE, that contains a
Sensor, collect audit and Sensor data.
T.MISACT Malicious activity, such as introductions of Trojan horses and viruses, may occur on an IT
System the TOE monitors.
The O.AUDITS and O.IDSENS objectives address this threat by requiring a TOE, that contains a
Sensor, collect audit and Sensor data.
8.1.2 Security Objectives Rationale Relating to Assumptions
Table 9 demonstrates the mapping between the threats and the security objectives is complete. The following
discussion provides detailed evidence of coverage for each assumption.
Table 9 – Relationship of Security Assumptions to Objectives
TOE Environment
Objectives
Assumptions
O.PROTCT
O.IDSCAN
O.IDSENS
O.IDANLZ
O.RESPON
O.EADMIN
O.ACCESS
O.IDAUTH
O.OFLOWS
O.AUDITS
O.INTEGR
O.EXPORT
OE.INSTAL
OE.PHYCAL
OE.CREDEN
OE.PERSON
OE.INTROP
OE.PROTECT
OE.TIME
A.ACCESS �
�
�
�
A.DYNMIC �
�
�
� �
�
�
�
A.ASCOPE �
�
�
�
A.PROTCT �
�
�
�
A.LOCATE �
�
�
�
A.MANAGE �
�
�
�
A.NOEVIL �
�
�
� �
�
�
� �
�
�
�
A.NOTRUST �
�
�
� �
�
�
�
Assumptions
A.CONNECT �
�
�
� �
�
�
�
A.ACCESS The TOE has access to all the IT System data it needs to perform its functions.
The OE.INTROP objective ensures the TOE has the needed access.
A.DYNMIC The TOE will be managed in a manner that allows it to appropriately address changes in the
IT System the TOE monitors.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 41 of 51
© 2007 Network Chemistry
The OE.INTROP objective ensures the TOE has the proper access to the IT System. The
OE.PERSON objective ensures that the TOE will be managed appropriately.
A.ASCOPE The TOE is appropriately scalable to the IT System the TOE monitors.
The OE.INTROP objective ensures the TOE has the necessary interactions with the IT System it
monitors.
A.PROTCT The TOE hardware and software critical to security policy enforcement will be protected
from unauthorized physical modification.
The OE.PHYCAL provides for the physical protection of the TOE hardware and software.
A.LOCATE The processing resources of the TOE will be located within controlled access facilities, which
will prevent unauthorized physical access.
The OE.PHYCAL provides for the physical protection of the TOE.
A.MANAGE There will be one or more competent individuals assigned to manage the TOE and the
security of the information it contains.
The OE.PERSON objective ensures all authorized administrators are qualified and trained to
manage the TOE.
A.NOEVIL The authorized administrators are not careless, willfully negligent, or hostile, and will follow
and abide by the instructions provided by the TOE documentation.
The OE.INSTAL objective ensures that the TOE is properly installed and operated and the
OE.PHYCAL objective provides for physical protection of the TOE by authorized administrators.
The OE.CREDEN objective supports this assumption by requiring protection of all authentication
data.
A.NOTRST The TOE can only be accessed by authorized users.
The OE.PHYCAL objective provides for physical protection of the TOE to protect against
unauthorized access. The OE.CREDEN objective supports this assumption by requiring
protection of all authentication data.
A.CONNECT The TOE will be installed such that all network traffic will flow through the TOE.
The OE.INSTAL objective provides for the correct installation of the TOE. The O.IDSENS
objective ensures that that TOE is installed in a way that will allow it to monitor and collect all
relevant network data.
8.1.3 Security Objectives Rationale Relating to Policies
Table 10 demonstrates the mapping between the threats and the security objectives is complete. The following
discussion provides detailed evidence of coverage for each policy.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 42 of 51
© 2007 Network Chemistry
Table 10 – Relationship of Security Policies to Objectives
TOE Environment
Objectives
Policies
O.PROTCT
O.IDSCAN
O.IDSENS
O.IDANLZ
O.RESPON
O.EADMIN
O.ACCESS
O.IDAUTH
O.OFLOWS
O.AUDITS
O.INTEGR
O.EXPORT
OE.INSTAL
OE.PHYCAL
OE.CREDEN
OE.PERSON
OE.INTROP
OE.PROTECT
OE.TIME
P.DETECT �
�
�
� �
�
�
� �
�
�
� �
�
�
�
P.ANALYZ �
�
�
�
P.MANAGE �
�
�
� �
�
�
� �
�
�
� �
�
�
� �
�
�
� �
�
�
� �
�
�
�
P.ACCESS �
�
�
� �
�
�
� �
�
�
�
P.ACCACT �
�
�
� �
�
�
� �
�
�
�
P.INTGTY �
�
�
�
OSPs
P.PROTCT �
�
�
� �
�
�
� �
�
�
�
P.DETECT Static configuration information that might be indicative of the potential for a future
intrusion or the occurrence of a past intrusion of an IT System or events that are indicative
of inappropriate activity that may have resulted from misuse, access, or malicious activity of
IT System assets must be collected.
The O.AUDITS, O.IDSENS, and O.IDSCAN objectives address this policy by requiring
collection of audit, Sensor, and Scanner data. Where required these objectives are supported by
OE.TIME, the objective that the environment provide reliable timestamps.
P.ANALYZ Analytical processes and information to derive conclusions about intrusions (past, present,
or future) must be applied to IDS data and appropriate response actions taken.
The O.IDANLZ objective requires analytical processes be applied to data collected from Sensors
and Scanners.
P.MANAGE The TOE shall only be managed by authorized users.
The OE.PERSON objective ensures competent administrators will manage the TOE and the
O.EADMIN objective ensures there is a set of functions for administrators to use. The
OE.INSTAL objective supports the OE.PERSON objective by ensuring administrator follow all
provided documentation and maintain the security policy. The O.IDAUTH objective provides for
authentication of users prior to any TOE function accesses. The O.ACCESS objective builds upon
the O.IDAUTH objective by only permitting authorized users to access TOE functions. The
OE.CREDEN objective requires administrators to protect all authentication data. The O.PROTCT
objective addresses this policy by providing TOE self-protection.
P.ACCESS All data collected and produced by the TOE shall only be used for authorized purposes.
The O.IDAUTH objective provides for authentication of users prior to any TOE function accesses.
The O.ACCESS objective builds upon the O.IDAUTH objective by only permitting authorized
users to access TOE functions. The O.PROTCT objective addresses this policy by providing TOE
self-protection.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 43 of 51
© 2007 Network Chemistry
P.ACCACT Users of the TOE shall be accountable for their actions within the IDS.
The O.AUDITS objective implements this policy by requiring auditing of all data accesses and use
of TOE functions. The O.IDAUTH objective supports this objective by ensuring each user is
uniquely identified and authenticated. Where required these objectives are supported by
OE.TIME.
P.INTGTY Data collected and produced by the TOE shall be protected from modification.
The O.INTEGR objective ensures the protection of data from modification.
P. PROTCT The TOE shall be protected from unauthorized accesses and disruptions of TOE data and
functions.
The O.OFLOWS objective counters this policy by requiring the TOE handle disruptions. The
OE.PHYCAL objective protects the TOE from unauthorized physical modifications. The
OE.PROTECT objective supports the meeting of this policy by ensuring that the environment
protects the TOE from external entities.
8.2 Security Functional Requirements Rationale
Table 11 and the following discussion provides detailed evidence of coverage for each security objective.
Table 11 – Relationship of Security Requirements to Objectives
TOE Env.
Objectives
Requirements
O.PROTCT
O.IDSCAN
O.IDSENS
O.IDANLZ
O.RESPON
O.EADMIN
O.ACCESS
O.IDAUTH
O.OFLOWS
O.AUDITS
O.INTEGR
O.EXPORT
OE.PROTECT
OE.TIME
FAU_GEN.1 �
�
�
�
FAU_SAR.1 �
�
�
�
FAU_STG.1 �
�
�
� �
�
�
� �
�
�
� �
�
�
� �
�
�
�
FIA_ATD.1 �
�
�
�
FIA_UAU.1 �
�
�
� �
�
�
�
FIA_UID.1 �
�
�
� �
�
�
�
FMT_MOF.1 �
�
�
� �
�
�
� �
�
�
�
FMT_MTD.1(1) �
�
�
� �
�
�
� �
�
�
� �
�
�
�
FMT_SMF.1 �
�
�
� �
�
�
� �
�
�
� �
�
�
�
FMT_SMR.1 �
�
�
�
FPT_ITT.1 �
�
�
� �
�
�
�
FPT_RVM.1(1) �
�
�
� �
�
�
� �
�
�
� �
�
�
� �
�
�
�
FPT_SEP.1(1) �
�
�
� �
�
�
� �
�
�
� �
�
�
� �
�
�
�
FPT_STM.1(1) �
�
�
�
IDS_NDC.1 �
�
�
� �
�
�
�
TOE
IDS_ANL.1 �
�
�
�
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 44 of 51
© 2007 Network Chemistry
TOE Env.
IDS_RCT.1 �
�
�
�
IDS_RDR.1 �
�
�
� �
�
�
� �
�
�
�
IDS_STG.1 �
�
�
� �
�
�
� �
�
�
� �
�
�
� �
�
�
�
FPT_RVM.1(2) �
�
�
�
FPT_SEP.1(2) �
�
�
�
Env
FPT_STM.1(2) �
�
�
�
The following discussion provides detailed evidence of coverage for each security objective.
O.PROTCT The TOE must protect itself from unauthorized modifications and access to its functions and
data.
The TOE is required to protect the audit data from deletion [FAU_STG.1]. The System is
required to protect the System data from any modification and unauthorized deletion, as well as
guarantee the availability of the data in the event of storage exhaustion, failure, or attack
[IDS_STG.1]. The TOE should provide facilities to enable the authorized user to manage the
TOE [FMT_SMF.1]. The TOE is required to provide the ability to restrict managing the behavior
of functions of the TOE to authorized users of the TOE [FMT_MOF.1]. Only authorized
administrators of the System may query and add System and audit data, and authorized
administrators of the TOE may query and modify all other TOE data [FMT_MTD.1(1),
FMT_MTD.1(2), FMT_MTD.1(3), FMT_MTD.1(4), FMT_MTD.1(5)]. The TOE must ensure
that all functions are invoked and succeed before each function may proceed [FPT_RVM.1(1)].
The TSF must be protected from interference that would prevent it from performing its functions
[FPT_SEP.1(1)].
O.IDSCAN The Scanner must collect and store static configuration information that might be indicative
of the potential for a future intrusion or the occurrence of a past intrusion of an IT System.
A System containing a Scanner is required to collect and store static configuration information of
an IT System. The type of configuration information collected must be defined in the ST
[IDS_NDC.1].
O.IDSENS The Sensor must collect and store information about all events that are indicative of
inappropriate activity that may have resulted from misuse, access, or malicious activity of IT
System assets and the IDS.
A System containing a Sensor is required to collect events indicative of inappropriate activity that
may have resulted from misuse, access, or malicious activity of IT System assets of an IT System.
These events must be defined in the ST [IDS_NDC.1].
O.IDANLZ The Analyzer must accept data from IDS Sensors or IDS Scanners and then apply analytical
processes and information to derive conclusions about intrusions (past, present, or future).
The Analyzer is required to perform intrusion analysis and generate conclusions [IDS_ANL.1].
O.RESPON The TOE must respond appropriately to analytical conclusions.
The TOE is required to respond accordingly in the event an intrusion is detected [IDS_RCT.1].
O.EADMIN The TOE must include a set of functions that allow effective management of its functions
and data.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 45 of 51
© 2007 Network Chemistry
The TOE must provide the ability to review the audit trail of the System [FAU_SAR.1]. The
System must provide the ability for authorized administrators to view all System data collected
and produced [IDS_RDR.1]. The TOE must ensure that all functions are invoked and succeed
before each function may proceed [FPT_RVM.1(1)]. The TSF must be protected from
interference that would prevent it from performing its functions [FPT_SEP.1(1)].
O.ACCESS The TOE must allow authorized users to access only appropriate TOE functions and data.
The System is required to restrict the review of System data to those granted with explicit read-
access [IDS_RDR.1]. The TOE is required to protect the audit data from deletion [FAU_STG.1].
The System is required to protect the System data from any modification and unauthorized
deletion [IDS_STG.1]. Users authorized to access the TOE are defined using an identification and
authentication process [FIA_UID.1, FIA_UAU.1]. The TOE should provide facilities to enable
the authorized user to manage the TOE [FMT_SMF.1]. The TOE is required to provide the ability
to restrict managing the behavior of functions of the TOE to authorized users of the TOE
[FMT_MOF.1]. Only authorized administrators of the System may query and add System and
audit data, and authorized administrators of the TOE may query and modify all other TOE data
[FMT_MTD.1(1), FMT_MTD.1(2), FMT_MTD.1(3), FMT_MTD.1(4), FMT_MTD.1(5)].
O.IDAUTH The TOE must be able to identify and authenticate users prior to allowing access to TOE
functions and data.
The System is required to restrict the review of System data to those granted with explicit read-
access [IDS_RDR.1]. The TOE is required to protect the stored audit records from unauthorized
deletion [FAU_STG.1]. The System is required to protect the System data from any modification
and unauthorized deletion, as well as guarantee the availability of the data in the event of storage
exhaustion, failure, or attack [IDS_STG.1]. Security attributes of subjects use to enforce the
authentication policy of the TOE must be defined [FIA_ATD.1]. Users authorized to access the
TOE are defined using an identification and authentication process [FIA_UID.1, FIA_UAU.1].
The TOE should provide facilities to enable the authorized user to manage the TOE
[FMT_SMF.1]. The TOE is required to provide the ability to restrict managing the behavior of
functions of the TOE to authorized users of the TOE [FMT_MOF.1]. Only authorized
administrators of the System may query and add System and audit data, and authorized
administrators of the TOE may query and modify all other TOE data [FMT_MTD.1(1),
FMT_MTD.1(2), FMT_MTD.1(3), FMT_MTD.1(4), FMT_MTD.1(5)]. The TOE must be able to
recognize the different administrative and user roles that exist for the TOE [FMT_SMR.1]. The
TOE must ensure that all functions are invoked and succeed before each function may proceed
[FPT_RVM.1(1)]. The TSF must be protected from interference that would prevent it from
performing its functions [FPT_SEP.1(1)].
O.OFLOWS The TOE must appropriately handle potential System data storage overflows.
The TOE is required to protect the audit data from unauthorized deletion [FAU_STG.1]. The
System is required to protect the System data from any modification and unauthorized deletion, as
well as guarantee the availability of the data in the event of storage exhaustion, failure or attack
[IDS_STG.1].
O.AUDITS The TOE must record audit records for data accesses and use of the System functions.
Security-relevant events must be defined and auditable for the TOE [FAU_GEN.1]. The TOE
must ensure that all functions are invoked and succeed before each function may proceed
[FPT_RVM.1(1)]. The TSF must be protected form interference that would prevent it from
performing its functions [FPT_SEP.1(1)]. Time stamps associated with an audit record must be
reliable [FPT_STM.1(1)].
O.INTEGR The TOE must ensure the integrity of all audit and System data.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 46 of 51
© 2007 Network Chemistry
The TOE is required to protect the audit data from deletion [FAU_STG.1]. The System is
required to protect the System data from any modification and unauthorized deletion
[IDS_STG.1]. The TOE should provide facilities to enable the authorized user to manage the
TOE [FMT_SMF.1]. Only authorized administrators of the System may query or add audit and
System data [FMT_MTD.1(1), FMT_MTD.1(2), FMT_MTD.1(3), FMT_MTD.1(4),
FMT_MTD.1(5)]. The System must protect the collected data from modification and ensure its
integrity when the data is transmitted to another IT product [FPT_ITT.1]. The TOE must ensure
that all functions to protect the data are not bypassed [FPT_RVM.1(1)]. The TSF must be
protected from interference that would prevent it from performing its functions [FPT_SEP.1(1)].
O.EXPORT When any IDS component makes its data available to another IDS components, the TOE
will ensure the confidentiality of the System data.
The TOE must protect all data from modification and ensure its integrity when the data is
transmitted to another IT product [FPT_ITT.1].
OE.TIME The IT Environment will provide reliable timestamps to the TOE
The IT environment of the Sensor is required to provide reliable timestamps to the Sensor
[FPT_STM.1(2)]
OE.PROTECT The IT environment will protect itself and the TOE from external interference or tampering.
The IT environment must ensure that all functions to protect the data are not bypassed
[FPT_RVM.1(2)]. The IT environment must protect the TOE from interference that would
prevent it from performing its functions [FPT_SEP.1(2)].
8.3 Security Functional Requirement Refinement Rationale
FPT_ITT.1.1 was refined to more clearly describe the transmission of data within the TOE.
8.4 Security Assurance Requirements Rationale
EAL 2 was chosen to provide a low to moderate level of assurance that is consistent with good commercial
practices. As such minimal additional tasks are placed upon the vendor assuming the vendor follows reasonable
software engineering practices and can provide support to the evaluation for design and testing efforts. The chosen
assurance level is appropriate with the threats defined for the environment. While the System may monitor a hostile
environment, it is expected to be in a non-hostile position and embedded in or protected by other products designed
to address threats that correspond with the intended environment. At EAL 2, the System will have incurred a search
for obvious flaws to support its introduction into the non-hostile environment.
8.5 Rationale for Explicitly Stated Requirements
A family of IDS requirements was created to specifically address the data collected and analyzed by an IDS. The
audit family of the CC (FAU) was used as a model for creating these requirements. The purpose of this family of
requirements is to address the unique nature of IDS data and provide for requirements about collecting, reviewing
and managing the data. These requirements have no dependencies since the stated requirements embody all the
necessary security functions.
8.6 Rationale for Strength of Function
The TOE minimum strength of function is SOF-basic. The evaluated TOE is intended to operate in commercial and
Department of Defense (DoD) low robustness environments processing unclassified information. This security
function is in turn consistent with the security objectives described in Section 4.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 47 of 51
© 2007 Network Chemistry
8.7 Dependency Rationale
This ST satisfies all the requirement dependencies of the Common Criteria. Table 12 Functional Requirement
Dependencies lists each requirement from the ST with a dependency and indicates whether the dependent
requirement was included. As the table indicates, all dependencies have been met.
Table 12 – Functional Requirements Dependencies
SFR ID Dependencies Dependency
Met
FAU_GEN.1 FPT_STM.1 �
FAU_SAR.1 FAU_GEN.1 �
FAU_STG.1 FAU_GEN.1 �
FIA_UAU.1 FIA_UID.1 �
FMT_MOF.1 FMT_SMF.1 and FMT_SMR.1 �
FMT_MTD.1(1) FMT_SMF.1 and FMT_SMR.1 �
FMT_MTD.1(2) FMT_SMF.1 and FMT_SMR.1 �
FMT_MTD.1(3) FMT_SMF.1 and FMT_SMR.1 �
FMT_MTD.1(4) FMT_SMF.1 and FMT_SMR.1 �
FMT_MTD.1(5) FMT_SMF.1 and FMT_SMR.1 �
FMT_SMR.1 FIA_UID.1 �
8.8 TOE Summary Specification Rationale
8.8.1 TOE Summary Specification Rationale for the Security Functional
Requirements
Each subsection in the TOE Summary Specification (Section 6) describes a security function of the TOE. Each
description is organized by set of requirements with rationale that indicates how these requirements are satisfied by
aspects of the corresponding security function. The set of security functions work together to satisfy all of the
security functions and assurance requirements. Furthermore, all of the security functions are necessary in order for
the TSF to provide the required security functionality. This section, in conjunction with the TOE Summary
Specification section, provides evidence that the security functions are suitable to fulfill the TOE security
requirements.
Table 13 identifies the relationship between security requirements and security functions, showing that all security
requirements are addressed and all security functions are necessary (i.e., they correspond to at least one security
requirement).
The only security mechanism that is realized by a probabilistic or permutational implementation is the password
mechanism. For an analysis of the Strength of Function (SOF), please refer to Section 8.6.
Table 13 – Mapping of Security Functional Requirements to TOE Security Functions
TOE Security Function SFR Rationale
FAU_GEN.1 This requires that appropriate audit records are generated.
Security Audit
FAU_SAR.1
This requires that the audit records are viewable only by authorized
administrators.
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 48 of 51
© 2007 Network Chemistry
TOE Security Function SFR Rationale
FAU_STG.1
This requires that the audit records are protected from unauthorized
deletion.
FIA_ATD.1
This requires that the TOE stores information required to make
identification and authentication decisions.
FIA_UAU.1
Identification and
Authentication
FIA_UID.1
These require that administrators must identify themselves and be
authenticated before being allowed access to the TSF.
FMT_MOF.1
This requires that only authorized administrators can modify the
behaviour of the security functions.
FMT_MTD.1
This requires that only authorized administrators can modify security
attributes.
FMT_SMF.1 This requirement defines what management functions are available.
Security Management
FMT_SMR.1 This requirement defines the roles used for access control.
FPT_ITT.1
This requirement protects the confidentiality and integrity of data flowing
between physically distinct components of the TOE.
FPT_RVM.1(1) This requirement ensures the TSF are not bypassable.
FPT_SEP.1(1) This requirement ensures the TOE has a separate domain of operation.
Protection of the TSF
FPT_STM.1(1) This requirement ensures the TOE provides reliable timestamps.
IDS_NDC.1 This requirement ensures that IDS data is gathered.
IDS_ANL.1 This requirement ensures that IDS data is analyzed.
IDS_RCT.1 This requirement ensures that IDS data is reacted to.
IDS_RDR.1
This requirement ensures that IDS data can only be viewed by
authorized administrators
IDS Component
Requirements
IDS_STG.1 This requirement ensures that IDS data is stored appropriately..
8.8.2 TOE Summary Specification Rationale for the Security Assurance
Requirements
EAL 2 was chosen to provide a basic level of independently assured security. The chosen assurance level is
consistent with the postulated threat environment. Although the system may monitor a hostile environment, it is
expected to be in a non-hostile position and embedded in or protected by other products designed to address threats
that correspond to this environment. Therefore, the threat of malicious attacks is considered to be not greater than
moderate. At EAL 2, the system will have incurred a search for obvious flaws to support its introduction into the
non-hostile environment.
8.8.2.1 Configuration Management
The Configuration Management documentation provides a description of tools used to control the configuration
items and how they are used at Network Chemistry. The documentation provides a complete configuration item list
and a unique reference for each item. Additionally, the configuration management system describes the procedures
that are used by developers to control and track changes that are made to the TOE. The documentation further
details the TOE configuration items that are controlled by the configuration management system.
Corresponding CC Assurance Components:
• Configuration Items
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 49 of 51
© 2007 Network Chemistry
8.8.2.2 Delivery and Operation
The Delivery and Operation documentation provides a description of the secure delivery procedures implemented by
Network Chemistry to protect against TOE modification during product delivery. The Installation Documentation
provided by Network Chemistry details the procedures for installing the TOE and placing the TOE in a secure state.
The Installation Documentation provides guidance to the administrators of the TOE regarding configuration
parameters and how they affect the TSF.
Corresponding CC Assurance Components:
• Delivery Procedures
• Installation, Generation and Start-Up Procedures
8.8.2.3 Development
The Network Chemistry design documentation consists of several related design documents that address the
components of the TOE at different levels of abstraction. The following design documents address the Development
Assurance Requirements:
• The Functional Specification provides a description of the security functions provided by the TOE
and a description of the external interfaces to the TSF. The Functional Specification covers the
purpose and method of use and a list of effects, exceptions, and errors message for each external TSF
interface.
• The High-Level Design provides a top level design specification that refines the TSF functional
specification into the major constituent parts (subsystems) of the TSF. The high-level design
identifies the basic structure of the TSF, the major elements, a listing of all interfaces, and the
purpose and method of use for each interface.
• The Correspondence Analysis demonstrates the correspondence between each of the TSF
representations provided. This mapping is performed to show the functions traced from the ST
description to the High-Level Design.
Corresponding CC Assurance Components:
• Informal Functional Specification
• Descriptive High-Level Design
• Informal Representation Correspondence
8.8.2.4 Guidance Documentation
The Network Chemistry Guidance documentation provides administrator guidance on how to securely operate the
TOE. The administrator Guidance provides descriptions of the security functions provided by the TOE.
Additionally, it provides detailed accurate information for administration of the TOE in a secure manner and how to
effectively use the TSF privileges and protective functions. Network Chemistry provides single versions of
documents which address the administrator Guidance and User Guidance; there are not separate guidance
documents specifically for non-administrator users of the TOE.
Corresponding CC Assurance Components:
• Administrator Guidance
8.8.2.5 Tests
Three components make up the Test documentation. The Coverage Analysis demonstrates the testing performed
against the functional specification. The Coverage Analysis demonstrates the extent to which the TOE security
functions were tested as well as the level of detail to which the TOE was tested. Network Chemistry Test Plans and
Test Procedures, which detail the overall efforts of the testing effort and break down the specific steps taken by a
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 50 of 51
© 2007 Network Chemistry
tester, are also provided. The Common Criteria Testing Laboratory generates and performs a separate test plan in
order to independently verify the accuracy and completeness of the functional testing.
Corresponding CC Assurance Components:
• Evidence of Coverage
• Functional Testing
• Independent Testing
8.8.2.6 Vulnerability and TOE Strength of Function Analyses
A Vulnerability Assessment is provided to demonstrate ways in which an entity could violate the TSP and provide a
list of identified vulnerabilities. Additionally, the document provides evidence of how the TOE is resistant to
obvious attacks. The Strength of TOE Security Function Analysis demonstrates the strength of the probabilistic or
permutational mechanisms employed to provide security functions within the TOE and how they exceed the
minimum SOF requirements.
Corresponding CC Assurance Components:
• Strength of TOE Security Function analysis
• Vulnerability Analysis
8.9 Strength of Function
Strength of function rating of SOF-basic was claimed for this TOE to meet the EAL 2 assurance requirements. This
SOF is sufficient to resist the threats identified in Section 3. Section 4 provides evidence that demonstrates that
TOE threats are countered by the TOE security objectives. Section 8 demonstrates that the security objectives for
the TOE and the TOE environment are satisfied by the security requirements. The evaluated TOE is intended to
operate in commercial and DoD low robustness environments processing unclassified information.
The overall TOE SOF claim is SOF-basic because this SOF is sufficient to resist the threats identified in Section 3.2
Section 8.1 provides evidence that demonstrates that TOE threats are countered by the TOE security objectives.
Section 8.2 demonstrates that the security objectives for the TOE and the TOE environment are satisfied by the
security requirements.
The relevant security function and security functional requirement which has probabilistic or permutational
functions is FIA_UAU.1
�Security Target, Version 1.0 April 16, 2007
Network Chemistry RFprotect Distributed v6.1.2, RFprotect Sensor v6.1.22, and
RFprotect Mobile v6.1.2
Page 51 of 51
© 2007 Network Chemistry
9 Acronyms
Table 14 – Acronyms
Acronym Definition
CC Common Criteria
DoD Department of Defense
EAL Evaluation Assurance Level
GUI Graphical User Interface
IDS Intrusion Detection System
IPS Intrusion Prevention System
ISO International Organization for Standardization
IT Information Technology
OS Operating System
OSP Organizational Security Policy
PC Personal Computer
PCI Peripheral Component Interconnect
SAR Security Assurance Requirement
SFR Security Functional Requirement
SOF Strength of Function
ST Security Target
TCP Transmission Control Protocol
TOE Target of Evaluation
TSF TOE Security Function
TSP TOE Security Policy
�