KECS-CR-07-24

NOWCOM SNIPER IPS V6.0.e
Certification Report

Certification No.: KECS-NISS-0083-2007

Apr. 2008

National Intelligence Service
IT Security Certification Center

Alteration/Amendment History

No.  Alteration Date  Page  Description
00   2007.12.21       -     First written
01   2008.2.18        -     Change in company name (Wins Technet Co., Ltd. → Nowcom Co., Ltd.); Security Target version altered (1.03 → 1.04)
02   2008.4.11        14p   Certification Validity Maintenance (alteration approved) added

This document is the certification report for SNIPER IPS V6.0.e of NOWCOM Co., Ltd.

Certification Committee
Ministry of Information and Communication (Chong Jong-Ki), National Security Technology Lab (Park Jong-Wook), Korea Institute of Science and Technology (Cha Sung-Duk), Yonsei University (Song Joo-suk), Korea University (Lee Dong-hoon), Sungshin Women's University (Seo Dong-soo), Hannam University (Lee Kang-soo), Soonchunhyang University (Lee Im-young), Electronics and Telecommunication Research Institute (Chong Kyo-il)

Certification Body
National Intelligence Service IT Security Certification Center

Evaluation Body
Korea Information Security Agency

Table of Contents
1. Overview
2. TOE Identification
3. Security Policy
4. TOE Assumptions and Scope
5. TOE Information
6. Guidance
7. TOE Test
8. Evaluation Configuration
9. Evaluation Result
10. Recommendations
11. Acronyms and Glossary
12. Reference

1. Overview

This report describes the certification result by which the certification body inspects the results and the conformance of the EAL4 evaluation of SNIPER IPS V6.0.e against the Common Criteria for Information Technology Security Evaluation (May 21, 2005) (hereunder referred to as 'Common Criteria').

The Korea Information Security Agency (KISA) finished the evaluation of SNIPER IPS V6.0.e on Nov. 30, 2008. This report is written on the basis of the Evaluation Technical Report (ETR) produced and provided by KISA.

The evaluation concludes that the TOE satisfies CC V2.2 Part 2 and the EAL4 assurance requirements of CC V2.2 Part 3; thus it is assigned the verdict "pass" on the basis of paragraph 191 of CC V2.2 Part 1. In addition, the TOE satisfies the Network Intrusion Prevention System Protection Profile V1.1 (Dec. 21, 2005).

SNIPER IPS V6.0.e is a hardware-integrated product developed by NOWCOM Co., Ltd. that provides intrusion detection and blocking functions. The TOE is installed in in-line mode at the network segment it is to protect, and is managed via a web-based graphical user interface (GUI). The TOE provides the following security functions:

- Security Audit (WFAU)
- User Data Protection (WFDP)
- Identification and Authentication (WFIA)
- Security Management (WFMT)
- TSF Protection (WFPT)

The certification body has examined the evaluation activities and testing procedures, provided guidance regarding technical problems and evaluation procedures, and reviewed each evaluation work package and the evaluation technical report. In conclusion, the certification body has confirmed that the evaluation results give assurance that the TOE meets all security functional requirements and assurance requirements described in the Security Target (ST).
As a result, the certification body has certified that the evaluator's observations and evaluation results were accurate and reasonable, and that the verdict on each package was correct.

Certification Validity: The information contained in this certification report does not mean that the use of SNIPER IPS V6.0.e is approved or that its quality is guaranteed by a government agency of the Republic of Korea.

2. TOE Identification

The following [Table 1] gives the TOE identification information.

[Table 1] TOE Identification

Evaluation Guide:        Korea IT Security Evaluation and Certification Guidance (May 21, 2005); Korea IT Security Evaluation and Certification Scheme (Apr. 15, 2007)
TOE:                     SNIPER IPS V6.0.e
Protection Profile:      Network Intrusion Prevention System PP V1.1 (Dec. 21, 2005)
Security Target:         Security Target V1.04 (Jan. 16, 2008), NOWCOM Co., Ltd.
ETR:                     SNIPER IPS V6.0.e ETR, V1.0 (Nov. 30, 2007)
Evaluation Result:       Satisfies the CC Part 2; satisfies the CC Part 3
Evaluation Criteria:     Common Criteria for Information Technology Security Evaluation V2.3 (Aug. 2005)
Evaluation Methodology:  Common Methodology for Information Technology Security Evaluation V2.3 (Aug. 2005)
Sponsor:                 NOWCOM Co., Ltd.
Developer:               NOWCOM Co., Ltd.
Evaluation Team:         KISA Evaluation Center, Evaluation Team II (Yongsuk Oh, Hyunmi Park)
Certification Body:      National Intelligence Service

The underlying hardware specifications are stated in [Table 2].

[Table 2] SNIPER IPS V6.0.e Server and Client Specifications

Server
  Hardware
    Model             E2000                          E4000
    CPU               Intel Xeon DP CPU 3.0GHz * 2   Intel Xeon DP CPU 3.6GHz * 2
    Memory            2G DDR-II                      2G DDR-II
    HDD               SATA 200GB 3.5"                73GB (SCSI) * 2
    DOM               512MB                          512MB
    No. of ports
      Management      10/100/1000Mbps 1 port         10/100/1000Mbps 1 port
      HA              10/100/1000Mbps 1 port         10/100/1000Mbps 1 port
      L7 HA           -                              10/100/1000Mbps 2 ports
      Monitoring      1000Mbps 4 ports               1000Mbps 4 ports
  Software
    OS                SNIPER OS V1.0 (proprietary OS)

Client
  H/W
    CPU               Intel Pentium IV 1.8GHz or higher
    Memory            512MB
    HDD               40GB or more
    No. of ports      10/100 NIC, 1 or more
  S/W
    OS                MS Windows XP Professional
  Characteristics     Since the SNIPER Client is installed automatically by downloading OCX controls from the SNIPER Server, the administrator PC needs IE 7.0 or higher installed. The administrator PC also needs a resolution of 1024x768 or higher, a sound card, and a speaker.

3. Security Policy

The TOE operation conforms to the security policies stated below.

Name: Audit
Description: In order to trace responsibility for all security-related actions, security-related events shall be recorded and maintained, and the recorded data shall be examined.

Name: Secure management
Description: An authorized administrator shall manage the TOE in a secure manner.

Name: SSL certificate management
Description: SNIPER shall securely generate the SSL certificate and securely store and manage it.

4. TOE Assumptions and Scope

4.1 Assumptions

The TOE installation and operation should conform to the assumptions stated below.

Name: A.Physical security
Description: The TOE shall be located in a physically secure environment where only authorized administrators are allowed access.

Name: A.Security Maintenance
Description: When the local network environment changes due to alterations of the network structure or an increase or decrease of hosts/services, the changes are immediately noted and security policies are configured in accordance with the TOE operational policy to maintain the same level of security as before.

Name: A.Trusted administrator
Description: Trusted administrators ensure the reliability and stability of the operating system by eliminating all services or means that are not necessary for the TOE and by applying the OS vulnerability patches.

Name: A.Hardened OS
Description: The underlying OS of the TOE ensures reliability and stability by eliminating all services or means that are not necessary for the TOE and by applying the OS vulnerability patches.
Name: A.Single Connection Point
Description: The TOE, when installed and operated in a network, separates the network into remote and local sections. All traffic between the remote and local sections passes through the TOE.

Name: A.TIME
Description: The IT environment of the TOE is provided with a reliable timestamp from an NTP server conforming to RFC 1305 or from the OS.

Name: A.TOE SSL Certificate
Description: The certificate that the TOE uses for SSL authentication is generated in advance and stored on the TOE when it is installed. The SSL certificate of the TOE is securely generated and managed.

4.2 Scope to Counter a Threat

The TOE provides a means to counter security threats, including attempts to violate the assets under protection and the TOE itself. The TOE provides means to protect the local network from attacks exploiting new vulnerabilities or attacks capable of bypassing security. The TOE provides countermeasures for logical/physical attacks by a malicious user possessing low-level expertise, resources, and motivation. All security objectives and security policies are described to provide a means to counter an identified security threat.

5. TOE Information

The TOE supports the security functions of intrusion detection and firewall. The operating environment is illustrated in [Image 1], and the basic structure is shown in [Image 2].

[Image 1] SNIPER IPS V6.0.e operation network environment

[Image 2] SNIPER IPS V6.0.e basic structure

The TOE consists of the following main subsystems.

- Audit (WFAU)
The security audit subsystem performs audit data generation (WFAU_GEN) and audit data review (WFAU_SAR). The audit records it generates are gathered and analyzed to check whether the system operates correctly, to detect and block intrusions into the computer system, and to detect misuse of the system.

- User Data Protection (WFDP)
The user data protection subsystem performs the firewall function (WFDP_FFU), blackhole blocking (WFDP_BLK), QoS blocking (WFDP_QOS), the intrusion detection function (WFDP_DET), the intrusion analysis function (WFDP_ALS), and the intrusion countermeasure function (WFDP_ACT). It controls the flow of network data according to permit or block rules to protect the target network from internal or external attackers. It also collects information to detect intrusions, reacts to an intrusion when one is identified, and stores the analysis result so that the administrator can review it.

- Identification and Authentication (WFIA)
The identification and authentication subsystem performs the user identification and authentication process (WFIA_ACCESS). Only authorized administrators are allowed to access key functions essential to the regular operation of SNIPER, such as changing, deleting and adding policies and retrieving log files. To fully control access to SNIPER, every access attempt through an administrator interface is examined to identify and authenticate the administrator. Communication between the SNIPER Client and the engine is encrypted using SSL and its integrity is verified using SHA-1 to prevent modification or exposure of the data. Even when an authorized administrator is logged in, if there is no activity for a certain period of time the TOE locks the interactive session, protecting itself during the administrator's inactive period.

- Security Management (WFMT)
The security management subsystem performs security audit management (WFMT_AUDIT), OS configuration (WFMT_CONFIG), management of the security violation list (WFMT_POLDET), firewall function management (WFMT_POLFW), management of interoperation between the ESM and the control server regarding security violation events (WFMT_ESM), update (WFMT_UPD), and QoS policy (WFMT_POLQOS). The security management function provides the detection/prevention rules that SNIPER applies and the managerial actions for retrieving and modifying information on the state and configuration of SNIPER.

- TSF Protection (WFPT)
The TSF protection subsystem performs the TSF stored data integrity check (WFPT_INTSTDATA), the TSF transmitted data integrity check (WFPT_INTTRDATA), prevention of audit data loss (WFPT_CHKDB), abstract machine testing (WFPT_ATM), and IPS status information (WFPT_CHKSYS). TSF protection provides a regular check function to assure that the security assumptions on the underlying abstract machine hold. It runs checks at initial start-up, periodically during normal operation, and on request of an authorized user, to decide whether the main components running on the TOE system are operating normally. It also preserves a secure state when a failure occurs and ensures safe operation of the TOE by periodic monitoring. Where components of the TOE interact remotely through internal communication channels, the Server and the Client identify and authenticate the node on the other side to ensure a secure channel between TSFs.

6. Guidance

The TOE includes the following documents.

- SNIPER IPS V6.0.e Administrator Guidance V1.02, 2007. 10. 2
- SNIPER IPS V6.0.e Delivery Documentation V1.01, 2007. 7. 18
- SNIPER IPS V6.0.e Installation Manual V1.1, 2007. 10. 5

7. TOE Test

Developer's Test

- Testing method
The developer produced the tests with regard to the security functions of the TOE. Each test is described in the test documentation, including the following items in detail.
- Test No./Tester: the identifier of the test and the developer who participated in testing.
- Purpose of the test: describes the purpose of the test, including the security function and security module to be tested.
- Test configuration: the detailed environment in which the test is carried out.
- Detailed test procedure: the detailed procedure for testing the security functions.
- Expected result: the test result expected when the test procedure is performed.
- Actual result: the test result obtained when the test is performed.
- Comparison of the expected result and the actual result.

The evaluator performed a thorough evaluation of the validity of the test configuration, test procedure, test scope analysis, and low-level design test. The evaluator verified that the developer's tests and their results were adequate for the evaluation configuration.

- Test configuration
The test configuration described in the test documentation includes the detailed configuration, such as the organization of the network for the test, the TOE, and the internal/external networks. In addition, it describes detailed test configuration such as the test tools required to perform each test.

- Test scope analysis / low-level design test
The detailed evaluation results are described in the ATE_COV and ATE_DPT evaluation results.

- Test result
The test documentation describes the expected and actual result of each test. The actual result is confirmed through the audit record as well as the TOE GUI.

Evaluator's Test

The evaluator installed the TOE using the evaluation configuration and evaluation tools identical to those of the developer's test and performed all of the tests provided by the developer. The evaluator confirmed that the actual result of every test was consistent with the expected result. Moreover, the evaluator devised and performed additional evaluator tests on the basis of the developer's tests, and confirmed that the actual test results were consistent with the expected results. The evaluator carried out vulnerability testing and confirmed that there was no exploitable vulnerability in the evaluation configuration. The evaluator's test results assured that the TOE works normally as described in the design documentation.

8. Evaluation Configuration

For testing, the evaluator composed the following test configuration, which corresponds to the environment structure specified in the Security Target.

[Image 3] TOE test configuration

9. Evaluation Result

The evaluation is based on the Common Criteria for Information Technology Security Evaluation and the Common Methodology for Information Technology Security Evaluation. It concludes that the TOE satisfies the CC Part 2 and the EAL4 assurance requirements of the CC Part 3. Detailed information regarding the evaluation is described in the ETR.

- ST Evaluation (ASE)
The evaluator applied the ASE sub-activities described in the CEM V2.2 to the evaluation of the ST of the TOE. The ST provides a logical description of the TOE that is internally consistent and consistent with the other parts of the ST. The TOE security environment provides a consistent and complete definition of the security problems arising from the TOE and its environment. The security objectives are also described completely and consistently; they counter the identified threats, achieve the organizational security policies, and satisfy the stated assumptions. The TOE security requirements and the security requirements for the IT environment are described completely and consistently and provide an adequate basis for the development of a TOE that will achieve its security objectives. The TOE summary specification provides an accurate and consistent high-level definition of the security functions and assurance measures, and satisfies the described TOE security requirements. It also accurately instantiates the Protection Profile to which the Security Target claims conformance.

- Configuration Management Evaluation (ACM)
The evaluator applied the ACM sub-activities described in the CEM V2.2 to the evaluation of the configuration management of the TOE.
The evaluator verified that the configuration management specifies the configuration list, configuration identification, version assignment, and configuration modification control, and that all development documentation and source files were developed under the configuration management system. The evaluator also confirmed that the generation and modification of configuration items are carried out through the configuration management organization and the configuration management system.

- Delivery and Operation Evaluation (ADO)
The evaluator applied the ADO sub-activities described in the CEM V2.2 to the evaluation of the delivery and operation of the TOE. The delivery and operation documentation describes the measures and procedures for secure delivery, installation, and operation. It thus ensures that security is not compromised while the TOE is transmitted, installed, and operated, and the inspection results verify that the contents of the documentation are actually applied.

- Development Evaluation (ADV)
The evaluator applied the ADV sub-activities described in the CEM V2.2 to the evaluation of the development of the TOE. The development evaluation covers the refinement of the TOE security functional requirements from the TOE summary specification down to the actual implementation, using the functional specification, high-level design, low-level design, and implementation representation. The security policy model clearly and consistently describes the rules and characteristics of the security policies, and this description corresponds with the security functions described in the functional specification.

- Guidance Evaluation (AGD)
The evaluator applied the AGD sub-activities described in the CEM V2.2 to the evaluation of the guidance of the TOE. The administrator guidance describes how the administrator may access the security management interface. It also describes the guidelines and rules for each provided menu by giving examples. It was verified that the contents described in the administrator guidance operate as described. Also, as the TOE does not require user guidance for its security requirements, user guidance evaluation is not applicable.

- Life Cycle Support Evaluation (ALC)
The evaluator applied the ALC sub-activities described in the CEM V2.2 to the evaluation of the life cycle support of the TOE. The life cycle support documentation clearly describes how the development environment is protected using security measures, such as procedures, policies, tools, and methods, at every stage of TOE development. Through an on-site inspection of the facilities, the evaluator verified that the above statements are actually applied.

- Tests Evaluation (ATE)
The evaluator applied the ATE sub-activities described in the CEM V2.2 to the evaluation of the testing of the TOE. The test documentation describes the objectives of the tests, the step-by-step test procedures, the expected results, and the actual test results for the security functions specified in the ST. By repeating the module tests and the functional tests provided by the developer, the evaluator verified that the tests described in the test documentation were accurate and that the security functional behaviour implemented during development was consistent. Also, by performing independent testing, the evaluator confirmed the accuracy of the developer's tests.

- Vulnerability Assessment Evaluation (AVA)
The evaluator applied the AVA sub-activities described in the CEM V2.2 to the evaluation of the vulnerability assessment of the TOE. The vulnerability analysis document reasonably and specifically describes the identified vulnerabilities of the TOE and appropriate countermeasures, as well as the analysis of and countermeasures against misuse. By conducting an independent vulnerability analysis, the evaluator confirmed the accuracy of the vulnerability analysis. Also, the strength of TOE security function analysis shows that the strength of the TOE security functions satisfies the strength-of-function level defined in the PP/ST.

10. Recommendations

- In order for the SNIPER Client to operate under normal conditions, the administrator PC shall have Internet Explorer 7.0 or a higher version installed. Furthermore, even though not included in the evaluation scope, the administrator PC needs to have Crystal Report, Tee Chart, Quick Report, and Microsoft Excel installed to make full use of the security functions that the SNIPER Client provides.
- In this evaluation, SNIPER IPS V6.0.e was thoroughly evaluated on two models, E2000 and E4000. The E4000 includes an additional HA function, which enables transfer of sessions to the backup device, allowing continuous operation of the network protection.
- The A1000, A2000, and A4000 models are the prototypes of the current E-series. All A-series models support SPAN mode, an IDS function that bypasses the inline mode. SNIPER IPS V6.0.e does not support SPAN mode.
- Since malicious traffic can get in through an incorrectly configured threshold value, it is crucial that the administrator configure the threshold value best suited to the network environment.
- SNIPER provides a live update function for obtaining the latest attack patterns. The administrator needs to perform periodic pattern updates to maintain
- SNIPER automatically alerts the administrator if the traffic exceeds the threshold value. However, we highly recommend that the administrator periodically check the status of the storage space and make sure it has enough room for saving audit records.

11. Acronyms and Glossary

The following acronyms are used in this certification report.
(1) Acronyms

CC   Common Criteria
EAL  Evaluation Assurance Level
PP   Protection Profile
SOF  Strength of Function
ST   Security Target
TOE  Target of Evaluation
TSC  TSF Scope of Control
TSF  TOE Security Functions
TSP  TOE Security Policy

(2) Glossary

TOE: An IT product or system and its associated guidance documentation that is the subject of evaluation.
Audit record: Audit data that records an auditable event relevant to the security of the TOE.
User: Any entity (either human or external IT entity) outside the TOE that interacts with the TOE.
Authorized administrator: An authorized user who can manage the TOE in accordance with the TSP.
Authorized user: A user who can run functions of the TOE in accordance with the TSP.
Identity: A representation uniquely identifying an authorized user.
Authentication data: Information used to verify the claimed identity of a user.
External IT entity: Any IT product or system, either trusted or untrusted, outside the TOE that interacts with the TOE.
Assets: Information and resources to be protected by the security measures of the TOE.
Intrusion Prevention System: An IT product that detects and blocks attacks from outside so that the network to be protected (i.e. the internal network) is safe from attack.
NTP: Protocol used for synchronizing time.

12. Reference

The certification body has used the following documents to produce this certification report:

[1] Common Criteria for Information Technology Security Evaluation (May 21, 2005)
[2] Common Methodology for Information Technology Security Evaluation V2.3
[3] Network Intrusion Prevention System Protection Profile V1.1 (Dec. 21, 2005)
[5] Korea IT Security Evaluation and Certification Guidance (May 21, 2005)
[6] Korea IT Security Evaluation and Certification Scheme (Jan. 1, 2007)
[7] NOWCOM SNIPER IPS V6.0.e Security Target V1.04 (Jan. 16, 2008)
[8] NOWCOM SNIPER IPS V6.0.e Certification Report, release V1.0 (Nov. 30, 2007)

※ Certification Validity Maintenance History

1. SNIPER IPS V6.0.e Alteration Authentication (Apr. 11, 2008)

- Alteration History

Certified products
  E2000: CPU Intel Xeon DP CPU 3.0 GHz x 2; main memory 2GB DDR-II; HDD 200GB; DOM 512MB; server NIC 6 ports (Management 1, HA 1, Monitoring 4)
  E4000: CPU Intel Xeon DP CPU 3.6 GHz x 2; main memory 2GB DDR-II; HDD 73GB (SCSI) x 2; DOM 512MB; server NIC 8 ports (Management 1, HA 1, L7 HA 2, Monitoring 4)

Alteration-authenticated products
  E1000: CPU Intel Xeon Quad Core 1.6; main memory 2GB DDR-II; HDD 250GB; DOM 1GB; server NIC 4 ports (Management 1, HA 1, Monitoring 2)
  E2000 (Y11/K11): CPU Intel Xeon Dual Core 2.0 x 2; main memory 4GB DDR-II; HDD 250GB; DOM 1GB; server NIC 6 ports (Management 1, HA 1, Monitoring 4)
  E4000 (Y11/K11): CPU Intel Xeon Dual Core 3.0 x 2; main memory 4GB DDR-II; HDD 250GB x 2; DOM 1GB; server NIC 8 ports (Management 1, HA 1, L7 HA 2, Monitoring 4)

- Review Result
As a result of the testing of SNIPER IPS V6.0.e performed after the alterations of the H/W requirements (CPU, memory, NIC, etc.), it was verified that the alterations had no effect on the security functions and assurance scope of the TOE.