National Information Assurance Partnership Common Criteria Evaluation and Validation Scheme Common Criteria Evaluation and Validation Scheme Validation Report IBM Internet Security Systems GX6116 Security Appliance Version 2.2 and SiteProtector Version 2.0 Service Pack 7.0 with Reporting Module Report Number: CCEVS-VR-VID10320-2011 Dated: 31 May 2011 National Institute of Standards and Technology National Security Agency Information Technology Laboratory Information Assurance Directorate 100 Bureau Drive 9800 Savage Road STE 6940 Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6940 IBM ISS Enterprise Scanner Validation Report 2 ACKNOWLEDGEMENTS Validation Team Kenneth Elliott Mario Tinto Common Criteria Testing Laboratory COACT CAFÉ Laboratory Columbia, Maryland 21046-2587 IBM ISS Enterprise Scanner Validation Report 3 Table of Contents Executive Summary __________________________________________________________ 5 1 Identification __________________________________________________________ 7 1.1 Applicable Interpretations ___________________________________________________ 8 2 TOE Description _______________________________________________________ 9 3 Assumptions__________________________________________________________ 10 4 Threats ______________________________________________________________ 10 5 Clarification of Scope __________________________________________________ 12 6 Security Functions ____________________________________________________ 14 6.1 Security Audit Function ____________________________________________________ 14 6.2 Identification and Authentication Function ____________________________________ 14 6.3 Security Management Function ______________________________________________ 14 6.4 Traffic Analysis Function ___________________________________________________ 14 6.5 Protection of Management Function __________________________________________ 14 7 Architecture Information_______________________________________________ 15 8 Product Delivery ______________________________________________________ 17 8.1 Delivery of Downloadable Components________________________________________ 18 8.2 SiteProtector Download Procedure ___________________________________________ 18 8.3 Verifying Integrity of Downloaded Components ________________________________ 18 9 IT Product Testing ____________________________________________________ 20 9.1 Evaluator Functional Test Environment_______________________________________ 20 9.2 Functional Test Results_____________________________________________________ 22 9.3 Evaluator Independent Testing ______________________________________________ 22 9.4 Evaluator Penetration Tests _________________________________________________ 23 9.5 Test Results ______________________________________________________________ 23 10. Results of the Evaluation _______________________________________________ 25 11. Validator Comments___________________________________________________ 26 12. Security Target _______________________________________________________ 27 13. List of Acronyms______________________________________________________ 28 14. Bibliography _________________________________________________________ 29 IBM ISS Enterprise Scanner Validation Report 4 List of Figures Figure 1 - Test Configuration/Setup....................................................................................... 20 List of Tables Table 1 - Evaluation Identifier................................................................................................. 7 Table 2 - Assumptions............................................................................................................. 10 Table 3 - Threats ..................................................................................................................... 10 Table 4 - Hardware and Software Requirements for IT Environment ............................. 15 Table 5 - Test Configuration Overview................................................................................. 20 Table 6 - SP-DBMS Details .................................................................................................... 21 Table 7 - AD-DNS Details....................................................................................................... 21 Table 8 - GX6116 Details........................................................................................................ 22 Table 9 - Windows Attack PC Details................................................................................... 22 Table 10 - Linux Attack PC Details..................................................................................... 22 Table 11 - Target PC Details................................................................................................ 22 IBM ISS Enterprise Scanner Validation Report 5 Executive Summary This report documents the NIAP Validators’ assessment of the CCEVS evaluation of the IBM Internet Security Systems GX6116 Security Appliance Version 2.2 and SiteProtector Version 2.0 Service Pack 7.0 with Reporting Module at EAL2. It presents the evaluation results, their justifications, and the conformance result. The evaluation was performed by the CAFE Laboratory of COACT Incorporated, located in Columbia, Maryland. The evaluation was completed on 1 June 2010. The information in this report is largely derived from the Evaluation Technical Report (ETR) written by COACT and submitted to the Validators. The evaluation determined the product conforms to the CC Version 3.1, Revision 2, Part 2 and Part 3 to meet the requirements of Evaluation Assurance Level (EAL) 2+ Augmented with ALC_FLR.2 resulting in a “pass” in accordance with CC Part 1 paragraph 175. The TOE is the IBM Internet Security Systems GX6116 Security Appliance Version 2.2 and SiteProtector Version 2.0 Service Pack 7.0 with Reporting Module. The TOE is an automated real-time intrusion detection system designed to protect network segments from unauthorized activity. The GX6116 features two copper 10/100/1000Mbps ports for management, one for console access, and sixteen (1,000 TX/SX/LX) network ports for detection of potential security violations, which are reported to a managed central console called SiteProtector. The TOE unobtrusively analyses and responds to activity across computer networks. The TOE is comprised of two components: 1. The Proventia GX6116 TOE component (hereafter referred to as the appliance, Sensor, Agent, or as stated) provides IDS security functionality. This component includes the Proventia GX6116 appliance hardware, the appliance resident Red Hat Operating System (OS) and the Proventia GX application software image. 2. The SiteProtector Version 2.0 Service Pack 7.0 with Reporting Module component of the TOE (hereafter referred to as SiteProtector or as stated) is a software product that runs on a Microsoft Windows-based workstation and enables administrators to monitor and manage the Sensor components of the TOE. The Proventia GX6116 TOE component provides the IDS functionality; it monitors a network or networks and compares incoming packet or packets against known packets and packet patterns that indicate a potential security violation. If a match occurs, the Proventia GX6116 will create an audit record. The SiteProtector Version 2.0 Service Pack 7.0 with Reporting Module TOE component provides management, monitoring and configuration functions to administrators. The SiteProtector management workstation connects to the appliance via TLS session, and this workstation is only used by authorized administrators for the management of the appliance. Proventia GX Sensors monitor packets on a sensed, monitored network or networks and compare the incoming packets against signatures. Signatures are known packets or packet patterns that indicate a possible attack or intrusion against hosts or network segments. If a match occurs, the Sensors create an event (system data record). This data is sent to the TOE’s SiteProtector which enables an administrator to view and analyze the information. IBM ISS Enterprise Scanner Validation Report 6 Signatures are configured on the Sensors by Policy Files. Policy Files identify a sub-set of signatures based on attack type. At TOE installation time, the SiteProtector is installed with a set of Policy Files and the Sensors are configured with one default Policy File and the signature files that apply to all Policy Files. SiteProtector enables an administrator to disable/enable signatures in a Sensor’s current Policy File or select and apply a new Policy File selected from the set of Policy Files. The SiteProtector is used as the central controlling point for Sensors deployed on the network. The SiteProtector performs the following functionality:  Manages and monitors Sensors and SiteProtector sub-components;  Enables an administrator to view TOE component configuration data;  Displays audit and system data records; and  Monitors the network connection between SiteProtector and the Sensors it is configured to monitor. SiteProtector Console – The SiteProtector Console is a graphical user interface (GUI) that provides an interface that enables an Administrator to configure and monitor the Sensors. The add-on Reporting Module provides the ability to generate a wide range of reports in a variety of formats, including the following: o Vulnerability Assessment reports o Attack Activity reports o User Audit reports o Content Filtering reports o User Permission reports SiteProtector Event Collector – The SiteProtector Event Collector is a software process that is responsible for receiving data from the Sensors and storing the data in the database via the DBMS. SiteProtector Application Server – The SiteProtector Application Server is a software process that is responsible for providing the communication path between the DBMS and all other SiteProtector software components. SiteProtector Sensor Controller – The SiteProtector Sensor Controller is a software process that is responsible for processing command and control information from the SiteProtector Console and the database (via the SiteProtector Application Server) and sending the command and control information to the Sensors or the SiteProtector Event Collector. 1 Identification The CCEVS is a joint National Security Agency (NSA) and National Institute of Standards and Technology (NIST) effort to establish commercial facilities to perform trusted product evaluations. Under this program, security evaluations are conducted by commercial testing laboratories called Common Criteria Testing Laboratories (CCTLs) using the Common Evaluation Methodology (CEM) for Evaluation Assurance Level (EAL) 1 through EAL 4 in accordance with National Voluntary Laboratory Assessment Program (NVLAP) accreditation. The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality and consistency across evaluations. Developers of information technology products desire a security evaluation contract with a CCTL and pay a fee for their product’s evaluation. Upon successful completion of the evaluation, the product is added to NIAP CCEVS’ Validated Products List. Table 1 provides information needed to completely identify the product, including:  The Target of Evaluation (TOE): the fully qualified identifier of the product as evaluated.  The Security Target (ST), describing the security features, claims, and assurances of the product.  The conformance result of the evaluation.  The organizations and individuals participating in the evaluation. Table 1 - Evaluation Identifier IBM Proventia GX6116 Security Appliance Version 2.2 and SiteProtector 2.0 Service Pack 7.0 with Reporting Module Evaluation Scheme United States NIAP Common Criteria Evaluation and Validation Scheme TOE IBM Internet Security Systems GX6116 Security Appliance Version 2.2 and SiteProtector Version 2.0 Service Pack 7.0 with Reporting Module Protection Profile Intrusion Detection System System for Basic Robustness Environments, Version 1.7, July 25, 2007 (IDSPP). Security Target IBM Internet Security Systems GX6116 Security Appliance Version 2.2 and SiteProtector Version 2.0 Service Pack 7.0 with Reporting Module Security Target, dated November 10, 2010. Evaluation Technical ReportEvEvaluation Technical Report for the IBM Internet Security Systems GX6116 Security Appliance Version 2.2 and SiteProtector Version 2.0 Service Pack 7.0 with Reporting Module , Document No. F2-1210-001, Dated 3 February 2011. Conformance Result Part 2 conformant and EAL2 Part 3 conformant Version of CC CC Version 3.1 [1], [2], [3], [4] and all applicable NIAP and International Interpretations effective on December 17, 2008. Version of CEM CEM Version 3.1 and all applicable NIAP and International Interpretations effective on December 17, 2008. Sponsor IBM Internet Security Systems, Inc. 6303 Barfield Road IBM ISS Enterprise Scanner Validation Report 8 IBM Proventia GX6116 Security Appliance Version 2.2 and SiteProtector 2.0 Service Pack 7.0 with Reporting Module Atlanta, GA 30328 Developer IBM Internet Security Systems, Inc. 6303 Barfield Road Atlanta, GA 30328 Evaluator(s) COACT Incorporated Bob Roland Greg Beaver Pascal Patin Brian Pleffner Validator(s) NIAP CCEVS Kenneth Eggers Kenneth Elliott Mario Tinto 1.1 Applicable Interpretations The following NIAP and International Interpretations were determined to be applicable when the evaluation started. NIAP Interpretations I-0418 – Evaluation of the TOE Summary Specification: Part 1 Vs Part 3 I-0426 – Content of PP Claims Rationale I-0427 – Identification of Standards International Interpretations None IBM ISS Enterprise Scanner Validation Report 9 2 TOE Description The TOE is an automated real-time intrusion detection system (IDS) designed to monitor and protect up to eight in-line Network Intrusion Protection System (NIPS) network segments or sixteen passive mode (IDS) network segments. The TOE unobtrusively analyses and responds to activity across computer networks. The TOE is comprised of two components: 1. The Proventia GX6116 TOE component (hereafter referred to as the appliance, Sensor, Agent, or as stated) provides IDS security functionality. This component includes the Proventia GX6116 appliance hardware, the appliance resident Red Hat operating system (OS) and the Proventia GX application software image. 2. The SiteProtector Version 2.0 Service Pack 7.0 with Reporting Module component of the TOE (hereafter referred to as SiteProtector or as stated) is a software product that runs on a Microsoft Windows-based workstation and enables administrators to monitor and manage the Sensor components of the TOE. The Proventia GX6116 TOE component provides the IDS functionality; it monitors a network or networks and compares incoming packet or packets against known packets and packet patterns that indicate a potential security violation. If a match occurs, the Proventia GX6116 will create an audit record. The SiteProtector Version 2.0 Service Pack 7.0 with Reporting Module TOE component provides management, monitoring and configuration functions to administrators. The SiteProtector management workstation connects to the appliance via TLS session, and this workstation is only used by authorized administrators for the management of the appliance. IBM ISS Enterprise Scanner Validation Report 10 3 Assumptions The assumptions listed below are assumed to be met by the environment and operating conditions of the system. Table 2 - Assumptions A.ACCESS The TOE has access to all the IT System data it needs to perform its functions A.DYNMIC The TOE will be managed in a manner that allows it to appropriately address changes in the IT System the TOE monitors. A.ASCOPE The TOE is appropriately scalable to the IT System the TOE monitors. A.PROTCT The TOE hardware and software critical to security policy enforcement will be protected from unauthorized physical modification. A.LOCATE The processing resources of the TOE will be located within controlled access facilities, which will prevent unauthorized physical access. A.MANAGE There will be one or more competent individuals assigned to manage the TOE and the security of the information it contains. A.NOEVIL The authorized administrators are not careless, wilfully negligent or hostile, and will follow and abide by the instructions provided by the TOE documentation. A.NOTRST The TOE can only be accessed by authorized users. 4 Threats The threats identified in the following table sections are addressed by the TOE and/or Operating Environment. The following threats are addressed by the TOE and IT environment, respectively. Table 3 - Threats T.SCNCFG Improper security configuration settings may exist in the IT System the TOE monitors. T.SCNMLC Users could execute malicious code on an IT System that the TOE monitors which causes modification of the IT System protected data or undermines the IT System security functions. T.SCNVUL Vulnerabilities may exist in the IT System the TOE monitors. T.FALACT The TOE may fail to react to identified or suspected vulnerabilities or inappropriate activity. T.FALREC The TOE may fail to recognize vulnerabilities or inappropriate activity based on IDS data received from each data source. T.FALASC The TOE may fail to identify vulnerabilities or inappropriate activity based on association of IDS data received from all data sources. T.MISUSE Unauthorized accesses and activity indicative of misuse may occur on an IT System the TOE monitors. T.INADVE Inadvertent activity and access may occur on an IT System the TOE monitors. T.MISACT Malicious activity, such as introductions of Trojan horses and viruses, may occur on an IT System the TOE monitors. T.COMINT An unauthorized user may attempt to compromise the integrity of the data collected and produced by the TOE by bypassing a security mechanism. T.COMDIS An unauthorized user may attempt to disclose the data collected and produced by the TOE by bypassing a security mechanism. T.LOSSOF An unauthorized user may attempt to remove or destroy data collected and produced by the TOE. T.NOHALT An unauthorized user may attempt to compromise the continuity of the System’s collection and analysis functions by halting execution of the TOE. IBM ISS Enterprise Scanner Validation Report 11 T.PRIVIL An unauthorized user may gain access to the TOE and exploit system privileges to gain access to TOE security functions and data. T.IMPCON An unauthorized user may inappropriately change the configuration of the TOE causing potential intrusions to go undetected. T.INFLUX An unauthorized user may cause malfunction of the TOE by creating an influx of data that the TOE cannot handle. T.FACCNT Unauthorized attempts to access TOE data or security functions may go undetected. IBM ISS Enterprise Scanner Validation Report 12 5 Clarification of Scope The Proventia GX6116 and SiteProtector TOE components are described in the following sections: Proventia GX6116 Proventia GX Sensors monitor packets on a sensed, monitored network or networks and compare the incoming packets against signatures. Signatures are known packets or packet patterns that indicate a possible attack or intrusion against hosts or network segments. If a match occurs, the Sensors create an event (system data record). This data is sent to the TOE’s SiteProtector which enables an administrator to view and analyze the information. Signatures are configured on the Sensors by Policy Files. Policy Files identify a sub-set of signatures based on attack type. At TOE installation time, the SiteProtector is installed with a set of Policy Files and the Sensors are configured with one default Policy File and the signature files that apply to all Policy Files. SiteProtector enables an administrator to disable/enable signatures in a Sensor’s current Policy File or select and apply a new Policy File selected from the set of Policy Files. SiteProtector Version 2.0 Service Pack 7.0 with Reporting Module The SiteProtector is used as the central controlling point for Sensors deployed on the network. The SiteProtector performs the following functionality:  Manages and monitors Sensors and SiteProtector sub-components;  Enables an administrator to view TOE component configuration data;  Displays audit and system data records; and  Monitors the network connection between SiteProtector and the Sensors it is configured to monitor. The SiteProtector is divided into the following software sub-components:  SiteProtector Console – The SiteProtector Console is a graphical user interface (GUI) that provides an interface that enables an Administrator to configure and monitor the Sensors. The add-on Reporting Module provides the ability to generate a wide range of reports in a variety of formats, including the following: o Vulnerability Assessment reports o Attack Activity reports o User Audit reports o Content Filtering reports o User Permission reports IBM ISS Enterprise Scanner Validation Report 13  SiteProtector Event Collector – The SiteProtector Event Collector is a software process that is responsible for receiving data from the Sensors and storing the data in the database via the DBMS.  SiteProtector Application Server – The SiteProtector Application Server is a software process that is responsible for providing the communication path between the DBMS and all other SiteProtector software components. SiteProtector Sensor Controller – The SiteProtector Sensor Controller is a software process that is responsible for processing command and control information from the SiteProtector Console and the database (via the SiteProtector Application Server) and sending the command and control information to the Sensors or the SiteProtector Event Collector. IBM ISS Enterprise Scanner Validation Report 14 6 Security Functions The TOE’s Security Functions are: 6.1 Security Audit Function The TOE’s Audit Security Functionality combines both audit data record and system data records functionality. The Audit Security Function includes audit and system data generation; audit data selective generation; audit and system data viewing; audit and system data selective viewing; audit and system data storage; and viewing of TOE generated alerts. 6.2 Identification and Authentication Function The TOE requires operators to be successfully authenticated before any actions can be performed. User accounts must be defined in Windows (in the IT Environment). SiteProtector collects userid and password information through a GUI and passes that information to Windows to authenticate the user. If Windows indicates that the user is authenticated, SiteProtector looks up that userid in its database to determine the permissions associated with the user. If Windows indicates that the user is not authenticated, SiteProtector terminates the session. 6.3 Security Management Function The TOE’s Management Security Function provides administrator support functionality that enables a human user to manage the TOE via a GUI interface (SiteProtector Console). After installation, all management of the TOE components occurs through SiteProtector. 6.4 Traffic Analysis Function The TOE continuously monitors network traffic and compares the packets to signatures identified in the Sensor’s Policy File. Signatures identify packet and packet patterns that indicate a potential security violation to a device accessible by the Sensor’s monitored network. The Sensors are shipped with a default Policy File that includes pre-defined signatures that include detection of denial of service, unauthorized access attempts, pre-attack probes, and suspicious activity. 6.5 Protection of Management Function TLS 1.0 is used to protect communication between the Sensors and SiteProtector. The TLS implementation (via OpenSSL 1.1.2) is included in the TOE boundary. The cipher suite used for the TLS session is TLS_RSA_WITH_3DES_EDE_CBC_SHA. The Sensor initiates the connection with SiteProtector. SiteProtector responds with its RSA certificate (tested by CCTL); the Sensors authenticate the server (SiteProtector) by comparing the SiteProtector-supplied certificate to the certificate saved on the Server during installation. The pre-master secret is generated with the Sensor’s random number generator and sent back to SiteProtector encrypted with the public key from the certificate, then both sides complete the key establishment phase. Subsequent data traffic is encrypted with TDES operating with 168 bit keys in CBC mode (tested by CCTL). SHA-1 (tested by CCTL) is used for message integrity checking. Session keys held in memory are zeroized (tested by CCTL) when a session ends. RSA certificates are generated by the IT Environment during installation of the TOE. IBM ISS Enterprise Scanner Validation Report 15 7 Architecture Information The TOE’s evaluated configuration requires one or more instances of a Sensor TOE component (Proventia GX6116) and one instance of a workstation running SiteProtector 7.0. The following list itemizes configuration options for the TOE for the evaluated configuration: 1. Telnet server support in the Sensors is not included. Incidents and Exceptions are disabled. 2. The evaluated configuration of SiteProtector does not have Internet access to the ISS website. An automatic retrieve is disabled. Therefore, SiteProtector will not periodically check the ISS website for new software updates and automatically retrieve and store the updates on the SiteProtector system. 3. SiteProtector components are resident on one workstation (a remote SiteProtector Console is not supported in the evaluated configuration). 4. SiteProtector components and the DBMS implementation reside on one workstation. 5. Proventia GX and SiteProtector communicate via TLS. 6. After the initial configuration, management via local console is not included in the evaluated configuration. 7. SiteProtector must run on a Common Criteria evaluated version of Microsoft Windows. 8. The Console Port must not be used after the initial configuration. All subsequent configuration occurs via SiteProtector. 9. Management via Proventia Manager is not included in the evaluation, and Proventia Manager should not be used in evaluated configuration. All management of the TOE occurs through the SiteProtector application. 10. The SiteProtector Reporting Module add-on must be installed and configured. Note that the SiteProtector runs on a dedicated workstation; applications not essential to the operation of the TOE are not installed on the workstation. The following table identifies the minimum hardware and software requirements for components provided by the IT Environment: Table 4 - Hardware and Software Requirements for IT Environment Component Minimum Requirement Processor 1 GHz Pentium III Memory 1 GB Disk Space 8 GB IBM ISS Enterprise Scanner Validation Report 16 Component Minimum Requirement Operating System 1  Windows Server 2003 with Service Pack 1 or Service Pack 2  Windows Server 2003 R2  Windows Server 2003 R2 with Service Pack 2  Windows Enterprise Server 2003 with Service Pack 1 or Service Pack 2  Windows Enterprise Server 2003 R2  Windows Enterprise Server 2003 R2 with Service Pack 2  Windows 2000 Server with Service Pack 4 or later (only supported for upgrades to SiteProtector 2.0, Service Pack 7.0)  Windows 2000 Advanced Server with Service Pack 4 or later (only supported for upgrades to SiteProtector 2.0, Service Pack 7.0) Additional Software  Sun Java 2 Runtime Environment (J2RE), Standard Edition, Version 1.6.0_03 (required to run the SiteProtector Console GUI)  Internet Explorer 6.0 or 7.0 for Windows Server 2003 and Windows Enterprise Server 2003 users  Internet Explorer 6.0 with Service Pack 1 or later for all other users  Adobe Acrobat Reader 6.0 or later  SQL Server 2000 with Service Pack 4 (only supported for upgrades to SiteProtector 2.0, Service Pack 7.0) OR SQL Server 2005, Standard and Enterprise editions, with Service Pack 2 or earlier Network Configuration Static IP address Disk Partition Formats NTFS IBM ISS Enterprise Scanner Validation Report 17 8 Product Delivery The GX6116 component is delivered to the customer’s location either by FedEx or UPS. Signature confirmation of delivery is required. The following steps outline the internal process of shipping a GX6116 product to a customer: 1. Affix ISS sticker to the Proventia GX product associated with the part number (PN) and serial number (SN) of the product being shipped. 2. Package all products shipped to customer in ISS imprinted boxes. Regardless of the shipping carrier chosen to ship the GX6116, the appliance and supporting materials are packaged in boxes that are imprinted with the ISS trademarked logo. Imprinted boxes with the ISS trademarked logo are used so customers have confidence that either the GX6116 product was packaged and shipped by an ISS distribution center. 3. Affix an ISS sticker to the shipping box associated with the PN and SN of the product being shipped in the shipping box. A sticker is applied to one of the sides of the shipping box that contains the Proventia GX product. The sticker is imprinted with the ISS trademarked logo. The sticker contains two fields. The first field is a product number (PN). The PN imprinted on the label is both in human readable characters and as a bar scan. The PN imprinted on the sticker is also included in the e-mail sent to the customer who orders the product. The PN allows the end customer to determine if they have received a GX6116. The second field is a serial number (SN). The SN is imprinted on the sticker in both human readable characters and as a bar code. The SN imprinted on the sticker is also included in the e-mail sent to the customer who orders the product. The end customer may determine if they have received a GX6116 product by looking at the first character of the PN. 4. Place the GX6116 in the shipping box such that the PN and SN sticker on the product corresponds to the PN and SN sticker applied to the shipping box. 5. Seal all shipping boxes with clear packaging tape and staples. The top, bottoms, and all corners of the shipping box except one are sealed using clear packaging tape. One corner side seam of the box is stapled shut. 6. Transfer package to third party shipping company. 7. Send a product shipment confirmation e-mail to the customer’s e-mail address. After shipment, the customer is sent an e-mail by ISS which itemizes the product(s) purchased. The FedEx or UPS shipment tracking numbers are included. The e-mail contains the full SN and PN of the products that they have ordered. The full PN and SN are included in the e-mail sent to the customer so that this information can be used to check that the PN and SN in the e-mail match the PN and SN on the sticker applied to the packing box(es) as well as the sticker(s) on the appliance(s) to determine that they have received the proper product(s). The customer should note that it is possible that the sticker applied to the appliance with the PN and SN may be difficult to locate. The customer should look at the inside ridges back by the power cord if the sticker is not in plain view on any of the sides of the delivered appliance. If the customer finds a discrepancy with any PN or SN in the shipment, ISS must be contacted immediately. IBM ISS Enterprise Scanner Validation Report 18 8.1 Delivery of Downloadable Components For the remaining delivery procedures, the customer is instructed to download components from the ISS website. Software products are delivered to the customer via download after purchase of the software from ISS. Customers who order software components are sent an e-mail message containing details of their access to the Internet Security Systems True Blue Customer Portal, ISS Customer Portal. The e-mail contains a user id (the registered e-mail of the customer receiving the product), a temporary password, and a link that allows the receiving customer of the e-mail to register with the ISS Customer Portal. On the initial login the customer password must be changed. The ISS Customer Portal is protected by 128-bit SSL encryption. The certificate that is being used to help implement the 128-bit SSL can be verified as an ISS certificate through the security features of the web browser used to connect to the ISS Customer Portal. For example, using Microsoft’s Internet Explorer (IE) the customer can double click on the pad lock icon on the tool bar at the bottom of the browser on the far right to see the certificate information. The user must keep their user ID and password, to whatever they changed it to, so that they can download the software they desire. To download any of the product components described in the sections below, the customer must login to the ISS website. From the main ISS page click on the Downloads link at the top. From there, click Sign into the Download Center in the Business Security Products box which takes the customer to the login screen at https://www.iss.net/issEn/MYISS/login.jhtml?action=download. 8.2 SiteProtector Download Procedure In order to comply with the TOE configuration, the only following should be used: . If the pre- loaded software version differs from the version required for the TOE configuration, the administrator should load the correct version: 1. Log in to the ISS support site at https://webapp.iss.net/myiss/login.jsp 2. Select Downloads from the menu 3. Choose NIAP EAL2PP - Prov. GX6116 ver.2.2, Site Protector 2.0 Service Pack 7.0 from the Select a Product dropdown menu and then select Go 4. Select NIAP - GX6116 version 2.2 from the Version dropdown menu then select Go 5. Select Other Updates and select Continue next to the bundle listing for the software 6. Accept the Export Agreement and the End User License and select Submit 7. Download DeploymentManager-Setup.exe (SiteProtector Installation), Proventia_Network_IPS_FW2.2_Readme.htm, and GX6116Bootsrv.2.2_2008.0523_14.17.00.iso (the GX6116 software) 8.3 Verifying Integrity of Downloaded Components Once the customer has finished downloading the components they should verify the MD5 or SHA-1 hashes to ensure integrity of the components. The hash values are presented for convenience on the DLC. The customer should use an MD5 or SHA-1 hash utility on the system they have downloaded the components to in order to compute the hash values of the downloaded software components. Computing the hash value on the downloaded software component serves two purposes. It determines if the integrity of the downloaded software component is compromised IBM ISS Enterprise Scanner Validation Report 19 and it also allows the customer to identify that they have the proper software that was evaluated. SHA-1 and MD5 hash values should then be compared to the DLC. If the customer finds a problem when verifying the hashes, they should be instructed to contact ISS immediately. IBM ISS Enterprise Scanner Validation Report 20 9 IT Product Testing Testing was completed on May 25, 2010 at the COACT CCTL in Columbia, Maryland. COACT employees performed the tests. 9.1 Evaluator Functional Test Environment Testing was performed on a test configuration consisting of the following test bed configuration. Figure 1 - Test Configuration/Setup An overview of the purpose of each of these systems is provided in the following table. Table 5 - Test Configuration Overview Component Purpose SP-DBMS This system provides the single instance of SiteProtector. It also hosts the DBMS and SiteProtector Console software. The system should be configured per the figure above, with the Active Directory and DNS servers both configured as coactlab. AD-DNS In DNS, records should be configured for each of the systems shown in the figure above. The name GX6116 maps to address 10.1.13.163. The name SP-DBMS maps to the address 10.1.13.164. GX6116 The Proventia Intrusion Detection System. Port 10.1.13.163 is the management port. Windows Attack PC This is the PC that will be used to attack the Target PC. The IBM ISS Enterprise Scanner Validation Report 21 Component Purpose Windows Attack PC will have two network cards. The two network cards will permit communication on the Target Network and the Internet LAN Network. Linux Attack PC This is the PC that will be used to attack the Target PC. Target PC This is the PC that will be the receipitant of the attacks. Switch NetGear GS716T - The switch is configured for three separate VLANs. Router LinkSys RVS4000 – The router will connect the network to the simulated Internet. IP Address – Target Network 10.3.0.2 IP Address – Internet LAN Network 10.4.0.1 Specific configuration details for each of the systems are provided in the tables below. Table 6 - SP-DBMS Details Item Purpose Hardware Processor: 1 GHz Pentium 4 Memory: 1 GB Disk Space: 8 GB Installed software Microsoft Windows 2000 Server SP4 Microsoft Data Access Components (MDAC) Version 2.8 SQL Server 2000 Desktop Engine (MSDE) with Service Pack 3a and Security Patch 03-031 Microsoft Internet Explorer 6.0 SP1 Microsoft Data Access Components (MDAC) 2.8 or later Sun Java 2 Runtime Environment (J2RE), Standard Edition, Version 1.6.020 Adobe Acrobat Reader Version 8.0 WinZip Version 10.0 or later SnagIt 8 Version 2.0 Service Pack 7.0 with Reporting Module Outlook Express Microsoft Visual Studio 2005 Configuration Static IP address 10.1.13.164 DNS Server 10.1.13.254 FQDN SP-DBMS.CoactLab.com Table 7 - AD-DNS Details Item Purpose Installed software Microsoft Windows 2000 Server SP4 Configuration Static IP address 10.1.13.254 FQDN: AD-DNS.CoactLab.com Primary Domain Controller for CoactLab.com DNS Server for CoactLab.com with records for all systems identified in the test configuration CoactLab\Users defined for SPAdmin, SPAudit, SPView1and SPView2 IBM ISS Enterprise Scanner Validation Report 22 Table 8 - GX6116 Details Item Purpose Installed software Proventia GX Version 2.2 Configuration Static IP address 10.1.13.163 FQDN: GX6116.CoactLab.com Table 9 - Windows Attack PC Details Item Purpose Hardware Processor: 1 GHz Pentium 4 Memory: 1 GB Disk Space: 8 GB Installed software Windows 2000 Professional SP4 Internet Explorer 6.0 SP1 WinZip 10 ZENMAP GUI 4.68 NMAP 4.68 NEWT 3 SnagIt 8 WireShark 1.0.2 Nessus Version 3.0.6.1 Paros Proxy 3.2.13 Configuration Static IP address 10.3.0.66 Static IP Address 10.4.0.66 Table 10 - Linux Attack PC Details Item Purpose Installed software Linux RHE 3.0 Metasploit 3.3 Configuration Static IP address 10.4.0.67 Table 11 - Target PC Details Item Purpose Installed software Windows 2000 Professional SP4 WireShark 1.0.8 Configuration Static IP address 10.3.0.1 9.2 Functional Test Results The repeated developer test suite includes all of the developer functional tests. Additionally, each of the Security Function and developer tested TSFI are included in the CCTL test suite. Results are found in the IBM Internet Security Systems GX6116 Security Appliance Version 2.2 and SiteProtector Version 2.0 Service Pack 7.0 with Reporting Module Test Report, dated May 25, 2010 9.3 Evaluator Independent Testing The tests chosen for independent testing allow the evaluation team to exercise the TOE in a different manner than that of the developer’s testing. The intent of the independent tests is to IBM ISS Enterprise Scanner Validation Report 23 give the evaluation team confidence that the TOE operates correctly in a wider range of conditions than would be possible purely using the developer’s own efforts, given a fixed level of resource. The selected independent tests allow for a finer level of granularity of testing compared to the developer’s testing, or provide additional testing of functions that were not exhaustively tested by the developer. The tests allow specific functions and functionality to be tested. The tests reflect knowledge of the TOE gained from performing other work units in the evaluation. The test environment used for the evaluation team’s independent tests was identical with the test configuration used to execute the vendor tests. 9.4 Evaluator Penetration Tests The evaluator examined each of the obvious vulnerabilities identified during the developer’s vulnerability analysis. After consulting the sources identified by the developer used during the initial vulnerability analysis, the evaluator consulted other vulnerability relevant sources of information to verify that the developer considered all available information when developing the non-exploitation rationale. These additional sources include: a) The Open Source Vulnerabilities Database (OSVDB) (http://www.osvdb.org/) b) Common Vulnerabilities and Exposures (CVE) (http://cve.mitre.org/) c) Secunia (http://secunia.com/advisories/ d) SecurityFocus (http://www.securityfocus.com/bid/) e) US-CERT United States Emergency Readiness Team (http://www.kb.cert.org/vuls/) f) ICAT Metabase (http://icat.nist.gov/) g) SecurityTracker (http://www.securitytracker.com/) The vendor used the following keywords to perform their Internet vulnerability search. a) Proventia GX b) Proventia G c) SiteProtector After verifying that the developer’s analysis approach sufficiently included all of the necessary available information regarding the identified vulnerabilities, the evaluator made an assessment of the rationales provided by the developer indicting that the vulnerability is non-exploitable in the intended environment of the TOE. While verifying the information found in the developer’s vulnerability assessment the evaluators conducted a search to verify if additional obvious vulnerabilities exist for the TOE. Additionally, the evaluator examined the provided design documentation and procedures to attempt to identify any additional vulnerabilities. The evaluator determined that the rationales provided by the developer indicate that the vulnerabilities identified are non-exploitable in the intended environment of the TOE. 9.5 Test Results The end result of the testing activities was that all tests gave expected (correct) results. The successful completion of the evaluator penetration tests demonstrated that the TOE was properly resistant to all the potential vulnerabilities identified by the evaluator. The testing found that the product was implemented as described in the functional specification and did not IBM ISS Enterprise Scanner Validation Report 24 uncover any undocumented interfaces or other security vulnerabilities in the final evaluated version. The evaluation team tests and vulnerability tests substantiated the security functional requirements in the ST. IBM ISS Enterprise Scanner Validation Report 25 10.Results of the Evaluation The evaluator devised a test plan and a set of test procedures to test the TOE’s mitigation of the identified vulnerabilities by testing the product for selected developer identified vulnerabilities. The results of the testing activities were that all tests gave expected (correct) results. No vulnerabilities were found to be present in the evaluated TOE. The results of the penetration testing are documented in the vendor and CCTL proprietary report, IBM Internet Security Systems GX6116 Security Appliance Version 2.2 and SiteProtector Version 2.0 Service Pack 7.0 with Reporting Module Test Report, dated May 25, 2010. The evaluation determined that the product meets the requirements for EAL 2+ Augmented with ALC_FLR.2. The details of the evaluation are recorded in the Evaluation Technical Report (ETR), which is controlled by COACT Inc. IBM ISS Enterprise Scanner Validation Report 26 11.Validator Comments The CCTL testing for the signatures covered less than 1% of the total signatures recognized by the product. While the vendor claims to have comprehensive test suites that cover all of the signatures recognized by the product, these were not made available to the CCTL during the evaluation process. IBM ISS Enterprise Scanner Validation Report 27 12.Security Target IBM Internet Security Systems GX6116 Security Appliance Version 2.2 and SiteProtector Version 2.0 Service Pack 7.0 with Reporting Module Security Target, dated November 3, 2009. IBM ISS Enterprise Scanner Validation Report 28 13. List of Acronyms CC …………………………………………………………………………………Common Criteria EAL2 ……………………………………………………………………Evaluation Assurance Level 2 IT …………………………………………………………………………..Information Technology NIAP …………………………………………………..National Information Assurance Partnership PP ………………………………………………………………………………….Protection Profile SF ………………………………………………………………………………….Security Function SFP …………………………………………………………………………..Security Function Policy SOF ………………………………………………………………………………Strength of Function ST …………………………………………………………………………………….Security Target TOE ………………………………………………………………………………Target of Evaluation TSC …………………………………………………………………………….TSF Scope of Control TSF …………………………………………………………………………..TOE Security Functions TSFI ………………………………………………………………………………………TSF Interface TSP ………………………………………………………………………………TOE Security Policy IBM ISS Enterprise Scanner Validation Report 29 14. Bibliography The following list of standards was used in this evaluation:  Common Criteria for Information Technology Security Evaluation, Part 1 Introduction and General Model, Version 3.1, Revision 2, dated September 2007  Common Criteria for Information Technology Security Evaluation, Part 2 Security Functional Requirements, Version 3.1, Revision 2, dated September 2007  Common Criteria for Information Technology Security Evaluation, Part 3 Security Assurance Requirements, Version 3.1, Revision 2, dated September 2007  Common Methodology for Information Technology Security Evaluation, Part 1, Version 3.1, Revision 2, dated September 2007  Common Methodology for Information Technology Security Evaluation, Part 2, Version 3.1, Revision 2, dated September 2007  Guide for the Production of PPs and STs, Version 0.9, dated January 2000