Validation Report
SECURENET PRO™ INTRUSION DETECTION SYSTEM VERSION 4.1 SP 1
National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Validation Report
Intrusion, Incorporated
SecureNet Pro™ Intrusion Detection System
Version 4.1 SP 1
Report Number: CCEVS-VR-02-0032
23 December 2002
National Institute of Standards and Technology
Information Technology Laboratory
100 Bureau Drive
Gaithersburg, MD 20899

National Security Agency
Information Assurance Directorate
9800 Savage Road STE 6740
Fort George G. Meade, MD 20755-6740
ACKNOWLEDGEMENTS
Validation Team
Maureen Cheheyl
Franklin Haskell
The MITRE Corporation
Bedford, Massachusetts
Alton W. Lewis
National Security Agency
Linthicum, Maryland
Common Criteria Testing Laboratory
COACT CAFE Lab
Columbia, Maryland
1. Executive Summary
This report documents the NIAP validators’ assessment of the CCEVS evaluation of the
Intrusion, Incorporated, SecureNet Pro™ Intrusion Detection System Version 4.1 Service
Pack (SP) 1. It presents the evaluation results, their justifications, and the conformance
result.
The evaluation was performed by the COACT Incorporated CAFE Laboratory and was
completed on 20 December 2002. The information in this report is largely derived from
the Evaluation Technical Report (ETR) written by COACT and submitted to the
validators. The evaluation determined that the product conforms to the Common Criteria
Version 2.1, Part 2 and Part 3, to meet the requirements of Evaluation Assurance Level
(EAL) 2, resulting in a “pass” in accordance with CC Part 1 paragraph 175.
The TOE is the SecureNet Pro™ Intrusion Detection System Version 4.1 SP 1, which is a
network monitoring and intrusion detection software-based application. The SecureNet
Pro™ Intrusion Detection System is deployed as a two-tier architecture consisting of a
single Sensor and a single Administrative Console. (The optional three-tier architecture,
including a Provider Manager, was not evaluated, nor was the use of more than one
Sensor or more than one Administrative Console.) The Sensor performs intrusion
detection and analysis functions. The Administrative Console enables the Administrator
to monitor, configure, and administer Sensors remotely, view Sensor monitoring sessions,
replay archived sessions, and generate reports. Although the SecureNet Pro product ships
with hardware and operating system for the Sensor, only the Sensor and Administrative
Console software has been evaluated.
The validation team monitored the activities of the evaluation team, observed evaluation
testing activities, provided guidance on technical issues and evaluation processes, and
reviewed the individual work units and successive versions of the ETR. The validation
team found that the evaluation showed that the product satisfies all of the functional
requirements and assurance requirements stated in the Security Target (ST). Therefore
the validation team concludes that COACT’s findings are accurate, the conclusions
justified, and the conformance results correct.
Disclaimers: The information contained in this Validation Report is not an endorsement
of SecureNet Pro™ by any agency of the U.S. Government, and no warranty of
SecureNet Pro™ is either expressed or implied.
2. Identification
The CCEVS is a joint National Security Agency (NSA) and National Institute of
Standards and Technology (NIST) effort to establish commercial facilities to perform
trusted product evaluations. Under this program, security evaluations are conducted by
commercial testing laboratories called Common Criteria Testing Laboratories (CCTLs)
using the Common Evaluation Methodology (CEM) for Evaluation Assurance Level
(EAL) 1 through EAL 4 in accordance with National Voluntary Laboratory Assessment
Program (NVLAP) accreditation.
The NIAP Validation Body assigns validators to monitor the CCTLs to ensure quality
and consistency across evaluations. Developers of information technology products
negotiate a security evaluation contract with a CCTL and pay a fee for their product’s
evaluation. Upon successful completion of the evaluation, the product is added to NIAP’s
Validated Products List. The table below provides information needed to completely
identify the product, including:
• The Target of Evaluation (TOE): the fully qualified identifier of the product as
evaluated
• The Security Target (ST), describing the security features, claims, and assurances
of the product
• The conformance result of the evaluation
• The organizations and individuals participating in the evaluation
Item                         Identifier
Evaluation Scheme            United States NIAP Common Criteria Evaluation and Validation Scheme
Target of Evaluation         SecureNet Pro™ Intrusion Detection System Version 4.1 Service Pack (SP) 1
Protection Profile           None
Security Target              Intrusion, Inc. SecureNet Pro™ Intrusion Detection System Version 4.1 SP1 Security Target, F2-1202-004, dated December 20, 2002
Evaluation Technical Report  Intrusion, Inc. SecureNet Pro™ Evaluation Technical Report, F2-0902-001(1), October 30, 2002, with Addenda.
Conformance Result           Part 2 conformant and Part 3 EAL 2 conformant
CC Version                   CC Version 2.1 and all applicable National and International Interpretations effective on 6 December 2001
CEM Version                  CEM Version 1.0 and all applicable National and International Interpretations effective on 6 December 2001
Sponsor                      Intrusion, Incorporated
Developer                    Intrusion, Incorporated
Evaluators                   COACT CAFE Lab: Eric J. Grimes, William R. Knight, Robert J. West, Jennifer A. Arthur, Thomas J. Fisher, Tonya D. Dawkins
Validators                   Maureen Cheheyl (The MITRE Corporation); Franklin Haskell (The MITRE Corporation); Alton W. Lewis (NSA)
3. Security Policy
The Security Target does not state a security policy for SecureNet Pro.
The Security Objectives for the TOE state that
• The Administrative Console will manage the Sensor and its functions
• The Sensor will monitor the environment and detect intrusion attempts to the
network or systems on the network by monitoring all data sent across the network
• The Sensor will respond to detected events by sending alerts of intrusion attempts
or inappropriate activity occurring on the network or systems on the network to
the Administrative Console.
• The Sensor will collect and store information about all events that are indicative
of intrusion attempts or inappropriate activity occurring on the network or
systems on the network that the Sensor is monitoring.
4. Assumptions and Clarification of Scope
Usage Assumptions
A.CONSOL The Administrative Console software application will be installed,
configured and operated on a dedicated host that meets the system requirements specified
to support the Administrative Console software application supplied as part of the
SecureNet™ CC7345 delivery package.
A.INTER The Operating System that runs the Administrative Console environment
provides the Administrator with an interface to the TOE through an X Windows GUI
application.
A.UNAUTH Unauthorised access to the TOE is prevented by the security features of
the Operating System, external to the TOE.
A.ATCKSIG The Administrator is responsible for obtaining the latest signature pack
from the Intrusion, Inc. web site for use by the TOE.
A.CONFIG The Administrator will run the configuration executables at system
initialisation to build the trusted Sensor and trusted Administrative Console configuration
files. The Administrator will follow all administrative guidance procedures supplied in
the SecureNet™ CC7345 delivery package to ensure proper configuration of these files.
A.INSTALL The Administrator will follow all administrative guidance procedures
supplied in the SecureNet™ CC7345 delivery package to ensure proper installation of the
Administrative Console software application.
A.IPADD The Administrator will configure all IP addresses to be monitored by the
Sensor.
A.NOEVIL The Administrator is not careless, willfully negligent, or hostile, and will
follow and abide by the instructions provided by the TOE documentation.
Environmental Assumptions
A.OPSYS The Sensor is run on the Pilot 2.3 SP2 Operating System [which is a
vendor-supplied version of Red Hat Linux 6.2].
A.SENSOR The SecureNet™ CC7345 delivery package is provisioned and includes all
hardware and software necessary to run the Sensor software application. The Sensor
software application is delivered to the customer in a pre-installed and operational state.
A.SUPPORT The Pilot 2.3 SP2 Operating System will provide necessary support for the
Sensor. The Red Hat Linux 6.2 Operating System will provide necessary support for the
Administrative Console.
A.CC7345 The SecureNet™ CC7345 delivery package will be purchased from
Intrusion, Inc. and delivered to the customer with all specified hardware and software
necessary to ensure the TOE’s compliance with the requirements outlined in this ST.
A.DEPLOY The Administrative Console requires a dedicated host for execution and is
deployed on a secure LAN that has no direct links to untrusted LANs.
A.LOCATE The Administrative Console and the Sensor are located in a physically
secure area.
Clarification of Scope
The TOE is designed solely to detect and respond (in a limited fashion) to attacks against
the network the sensor is monitoring and the systems attached to that network. It relies to
a large extent upon the environment and underlying operating system to supply almost all
the protections one would consider necessary in a network environment.
As one would expect at EAL2, little effort was expended to search for and test for
obvious vulnerabilities. The evaluators did examine a denial of service attack, though.
The product resisted the attack the evaluators created, but no further attacks were created
to probe the limits. Since the evaluation did not include multiple sensors, no guidance can
be offered concerning, for example, configuration of Ethernet switches to divide the
traffic in an attempt to defeat such attacks.
5. Architectural Information
The SecureNet Pro™ product consists of hardware and a CD containing the SNP
software, operating system software, and documentation. The TOE consists wholly of
software. Its components are deployed on separate pieces of (unevaluated) hardware with
(unevaluated) operating systems as a sensor and a console that communicate with each
other. The evaluated configuration includes a single Sensor and a single Administrative
Console.
Sensor Subsystem
The Sensor performs intrusion detection and analysis functions. It detects the attacks
described in its database and communicates this information to the console when
requested.
It is the SNPd program that does all of the real work. It uses a NIC running in
promiscuous mode to receive all the packets being broadcast on that Ethernet segment. It
decodes and analyzes each packet, comparing the contents against its database of attack
signatures. When an attack is detected, the Sensor records information about the attack
and sends alerts to the Console.
The SNPt program also receives notifications from SNPd, reformats them into SNMP
traps, and transmits the traps to agents designated to receive them.
Console Subsystem
The Administrative Console enables the administrator to monitor, configure, and
administer the sensor remotely; to view sensor monitoring sessions; to replay archived
sessions; and to generate reports.
The SNPc program runs on console systems using the X display. It receives alerts from
the sensor and transmits instructions to it to change its operating parameters, including
what to alert on and how much data to store.
The SNPreport program generates reports from the sensor data using filters and
formatting.
Configuration
The evaluated configuration includes a single Sensor and a single Administrative
Console, communicating over a private LAN distinct from the one being monitored.
The Administrative Console is deployed on a dedicated host connected to a secure LAN
with no direct links to untrusted LANs. The minimum platform requirements for the
Administrative Console software application are as follows: X86-based hardware
platform, Red Hat 6.2 Operating System running Linux kernel 2.2.19-17, Pentium III 500
MHz CPU, 256 MB RAM, 8 GB disk space, 100-Mbps NIC, with an X Windows System
and application software.
The Sensor, running on the SecureNet™ CC7345 hardware platform delivered with the
SNP product, is connected to the same secure LAN from one connection and to the
monitored network from another connection. The secure LAN is used only for
communications between the Sensor and the Administrative Console.
The evaluated configuration is pictured in Section 8 below.
6. Documentation
The SecureNet Pro product is delivered with two CDs that contain the following files:
• READmeFIRST.txt describes the contents of the CD-ROM.
• Readme_SNP41_Gig_SP1.txt provides information about the SecureNet Pro™
Sensor updates.
• SecureNet Pro™ QSG.pdf is the SecureNet Pro™ Quick Start in Adobe Portable
Document Format (PDF).
• SecureNet Pro™ 4.1 SP1 User_Guide.pdf is the PDF version of the SecureNet
Pro™ 4.1 SP1 Software User Guide, Rev. A.
• SecureNet 5745&Gig2 Quick Start.pdf is the PDF version of the SecureNet 5745
Quick Start and SecureNet Pro™ Quick Start guides.
• PDS Pilot API Guide.pdf is the PDF version of the Pilot API Reference Guide.
• Software_Licence_Agreement contains the Intrusion Software License
Agreement.
• License.txt contains the Adobe Acrobat Reader End User License Agreement.
7. IT Product Testing
The evaluators ran the vendor’s suite of tests and then created and ran a test of their own.
They also looked for obvious vulnerabilities. The following test configuration was used.
This configuration is adequate to generate the various kinds of traffic the product could
be expected to handle, though not the volume. Note that, while it contains two sensors
and two consoles, those are not tested simultaneously.
8. Evaluated Configuration
The TOE is deployed on (unevaluated) hardware and operating system as Sensors and
Consoles that communicate with each other.
Sensor
The Sensor is the SecureNet™ CC7345 hardware platform built by Intrusion, Inc., with a
vendor-supplied version of the Red Hat Linux 6.2 Operating System (known by the vendor as
the Pilot 2.3 SP2 Operating System) and the SecureNet Pro Sensor software installed.
Console
The Console is a hardware platform conforming to the specifications set forth in the
SecureNet Pro™ Intrusion Detection System Version 4.1 SP1 Security Target with the
SecureNet Pro Administrative Console software installed. The minimum platform
requirements for the Administrative Console are as follows: X86-based hardware
platform, Red Hat 6.2 Operating System running Linux kernel 2.2.19-17, Pentium III 500
MHz CPU, 256 MB RAM, 8 GB disk space, 100-Mbps NIC, with an X Windows System
and application software.
Evaluated Configuration
The figure below represents the evaluated configuration as described in the SecureNet
Pro™ Intrusion Detection System Version 4.1 SP1 Security Target.
9. Results of the Evaluation
The evaluation was conducted based upon the Common Criteria (CC), Version 2.1, dated
August 1999 [1,2,3]; the Common Evaluation Methodology (CEM), Version 1.0, dated
August 1999 [5]; and all applicable National and International Interpretations in effect on
6 December 2001. The evaluation confirmed the product as being Part 2 conformant and
Part 3 EAL 2 compliant. The details of the evaluation are recorded in the Evaluation
Technical Report, which is controlled by the COACT CAFE Laboratory.
The validation team followed the procedures outlined in the Common Criteria Evaluation
Scheme [CCEVS] publication number 3 for Technical Oversight and Validation
Procedures. The validation team has observed that the evaluation and all of its activities
were in accordance with the Common Criteria, the Common Evaluation Methodology,
and the CCEVS. The validation team therefore concludes that the evaluation is complete
and its result of "pass" is justified.
The evaluation provides for Assurance at the EAL 2 level with assurance components as
shown in the table below:
Assurance class                      Assurance components
Class ACM: Configuration management  ACM_CAP.2 Configuration items
Class ADO: Delivery and operation    ADO_DEL.1 Delivery procedures
                                     ADO_IGS.1 Installation, generation, and start-up procedures
Class ADV: Development               ADV_FSP.1 Informal functional specification
                                     ADV_HLD.1 Descriptive high-level design
                                     ADV_RCR.1 Informal correspondence demonstration
Class AGD: Guidance documents        AGD_ADM.1 Administrator guidance
                                     AGD_USR.1 User guidance
Class ATE: Tests                     ATE_COV.1 Evidence of coverage
                                     ATE_FUN.1 Functional testing
                                     ATE_IND.2 Independent testing - sample
Class AVA: Vulnerability assessment  AVA_SOF.1 Strength of TOE security function evaluation
                                     AVA_VLA.1 Developer vulnerability analysis
Evaluation of the Intrusion Inc. SecureNet Pro 4.1 Security Target (ST) (ASE)
The evaluation team applied each EAL 2 ASE CEM work unit. Evaluation team action
during the course of the ST evaluation ensured that the ST contained a description of the
environment in terms of threats, assumptions and policies; a statement of security
requirements claimed to be met by the Intrusion Inc. SecureNet Pro product that are
consistent with the Common Criteria; and product security function descriptions that
support the requirements.
Evaluation of the Configuration Management capabilities (ACM)
The evaluation team applied each EAL 2 ACM CEM work unit. The ACM evaluation
ensures that the integrity of the TOE is adequately preserved; in particular, that
configuration management provides confidence to the consumer that the TOE and
documentation used for evaluation are the ones prepared for distribution. It also ensures
that the TOE is accurately and uniquely identified such that the consumer is able to
identify the evaluated TOE and discern one version from another. Configuration
Management (CM) systems are put in place to ensure the integrity of the portions of the
TOE that they control, by providing a method of tracking changes and by ensuring that
all changes are authorized. The Evaluation Team identified and analyzed the CM process
to ensure that its documented procedures were followed and the procedures were
employed during the course of this evaluation. The evaluation team ensured that the
following items were considered configuration items: TOE implementation, design
documentation, test documentation, and user guidance.
Evaluation of the Delivery and Operation documents (ADO)
The evaluation team applied each EAL 2 ADO CEM work unit. The ADO evaluation
ensured the adequacy of the procedures to securely deliver, install, configure, and
operationally use the TOE; and ensured that the security protection offered by the TOE
was not compromised during these events.
Evaluation of the Development (ADV)
The evaluation team applied each EAL 2 ADV CEM work unit. The evaluation team
assessed the design documentation and found it adequate to aid in understanding how the
TSF implements/employs the security functions. The design documentation consists of a
functional specification and a high-level design document. The evaluation team also
ensured that the correspondence analysis between the design abstractions correctly
demonstrated that the lower abstraction was a correct and complete representation of the
higher abstraction.
Evaluation of the Guidance Documents (AGD)
The evaluation team applied each EAL 2 AGD CEM work unit. The evaluation team
ensured the adequacy of the administrator guidance in describing how to securely
administer the TOE.
Evaluation of the Test Documentation and the Test Activity (ATE)
The evaluation team applied each EAL 2 ATE CEM work unit. The evaluation team
ensured that the TOE performed as described in the functional specification and as stated
in the TOE security functional requirements. The evaluation team performed a sample of
the vendor test suite, and devised an independent set of team tests and penetration tests.
The vendor tests, team tests, and penetration tests substantiated the security functional
requirements in the ST.
Vulnerability Assessment Activity (AVA)
The evaluation team applied each EAL 2 AVA CEM work unit. The evaluation team
ensured that the TOE does not contain obvious vulnerabilities that can be exploited in the
evaluated configuration, based upon the developer strength of function analysis and the
developer vulnerability analysis as well as the evaluation team’s performance of
penetration tests.
Summary of Evaluation Results
The evaluation team’s assessment of the evaluation evidence demonstrates that the claims
in the ST are met. Additionally, the evaluation team’s performance of a subset of the
vendor test suite, the independent tests, and the penetration test also demonstrates the
accuracy (or veracity) of the claims in the ST.
10. Validator Comments and Recommendations
The security goals for the product, described in Section 3 above, are modest. As pointed
out in Section 4, the TOE is designed solely to detect and respond (in a limited fashion)
to attacks against the network the sensor is monitoring and the systems attached to that
network. It relies to a large extent upon the environment and underlying operating system
to supply the protections one would consider necessary in a network environment.
Furthermore, the evaluated configuration is limited to a single sensor and a single
administrative console. With an assurance level of EAL 2, testing and analysis are also
minimal.
The validators believe that the product meets the claims of the Security Target, but users
should be aware of the bounds of the evaluation when preparing to install and use the
product.
11. Security Target
Intrusion, Inc. SecureNet Pro™ Intrusion Detection System Version 4.1 SP1 Security
Target
December 20, 2002
Document No. F2-1202-004
12. Bibliography
Criteria, Methodology, and Program Scheme Documentation
1. Common Criteria for Information Technology Security Evaluation, Part 1
Introduction and General Model, Version 2.1, dated August 1999
2. Common Criteria for Information Technology Security Evaluation, Part 2 Security
Functional Requirements, Version 2.1, dated August 1999
3. Common Criteria for Information Technology Security Evaluation, Part 3 Security
Assurance Requirements, Version 2.1, dated August 1999
4. Common Methodology for Information Technology Security Evaluation, Part 1,
Version 0.6, dated January 1997
5. Common Methodology for Information Technology Security Evaluation, Part 2,
Version 1.0, dated August 1999
6. Guide for the Production of PPs and STs, Version 0.9, dated January 2000
Developer Documentation
7. Intrusion, Inc. Procedure for Document Revision Control, Rev. C, dated 06/01/01
8. Intrusion, Inc. Procedure for Approval, Release, and Control of Product
Documents, Rev. D, dated 06/01/01
9. Intrusion, Inc. SecureNet Pro™ Software User Guide, Rev. A, dated July 2001
10. Intrusion, Inc. SecureNet Pro™ Security Functions Reference, Version 4.3, dated
April 2002
11. Intrusion, Inc. SecureNet Pro™ Testing and Vulnerability Analysis Reference,
Version 3.3, dated April 2002
12. Intrusion, Inc. SecureNet CC™ Drawing Tree, Revision C, dated 03/12/02
13. Intrusion, Inc. SecureNet 5745 Quick Start (Part of Delivery package, on CD or
Hardcopy), revision A, dated February 2002
14. Intrusion, Inc. SecureNet Pro™ Quick Start (Part of Delivery package, on CD or
Hardcopy), revision A, dated February 2002
15. Intrusion, Inc. READmeFIRST.txt (Part of Delivery package, on CD or Hardcopy),
revision A, dated February 2002
16. Intrusion, Inc. Readme_SNP41_Gig_SP1.txt (Part of Delivery package, on CD or
Hardcopy), revision A, dated February 2002
17. Intrusion, Inc. SecureNet Pro™ 4.1 SP1 Documentation (Part of Delivery package,
on CD or Hardcopy), revision A, dated February 2002
18. Intrusion, Inc. 750-1006-101_c.tif, revision C, dated 08/09/02 (Part 1 of the Bill of
Materials for the SNP product)
19. Intrusion, Inc. 714-1024-102_a.bmp, revision A, dated 08/09/02 (Part 2 of the Bill
of Materials for the SNP product)
20. Intrusion, Inc. Pilot API Reference Guide (Part of Delivery package, on CD or
Hardcopy), revision A, dated February 2002
13. Glossary
BOM Bill of Materials
CC Common Criteria
CCEVS Common Criteria Evaluation and Validation Scheme
CCTL Common Criteria Testing Laboratory
CEM Common Evaluation Methodology
CM Configuration Management
EAL Evaluation Assurance Level
IDS Intrusion Detection System
IT Information Technology
LAN Local Area Network
NIAP National Information Assurance Partnership
NIDS Network Intrusion Detection System
NIST National Institute of Standards and Technology
NSA National Security Agency
NVLAP National Voluntary Laboratory Assessment Program
PDF Portable Document Format
PP Protection Profile
RAM Random Access Memory
SF Security Function
SFP Security Function Policy
SFR Security Functional Requirements
SNP SecureNet Pro™
SOF Strength of Function
SP Service Pack
ST Security Target
TCP Transmission Control Protocol
TOE Target of Evaluation
TSC TSF Scope of Control
TSF TOE Security Functions
TSFI TSF Interface
TSP TOE Security Policy
WAN Wide Area Network