PREMIER MINISTRE Secretariat General for National Defence Central Directorate for Information Systems Security Certification Report DCSSI-2008/38 ExaProtect Security Management Solution (SMS) Paris, 27th of November 2008 Courtesy Translation Certification report DCSSI-2008/38 ExaProtect Security Management Solution (SMS) Page 2 out 16 CER/F/07.5 Warning This report is designed to provide sponsors with a document enabling them to assess the security level of a product under the conditions of use and operation defined in this report for the evaluated version. It is also designed to provide the potential purchaser of the product with the conditions under which he may operate or use the product so as to meet the conditions of use for which the product has been evaluated and certified; that is why this certification report must be read alongside the evaluated user and administration guidance, as well as with the product security target, which presents threats, environmental assumptions and the supposed conditions of use so that the user can judge for himself whether the product meets his needs in terms of security objectives. Certification does not, however, constitute a recommendation product from DCSSI (Central Directorate for Information Systems Security), and does not guarantee that the certified product is totally free of all exploitable vulnerabilities. Any correspondence about this report has to be addressed to: Secrétariat Général de la Défense Nationale Direction Centrale de la Sécurité des Systèmes d'Information Centre de certification 51, boulevard de la Tour Maubourg 75700 PARIS cedex 07 SP France certification.dcssi@sgdn.gouv.fr Reproduction of this document without any change or cut is authorised. ExaProtect Security Management Solution (SMS) Certification report DCSSI-2008/38 Page 3 out 16 Certification report reference DCSSI-2008/38 Product name ExaProtect Security Management Solution (SMS) Product reference Version 2.7.3.5 Protection profile conformity None Evaluation criteria and version Common Criteria version 2.3 compliant with ISO 15408:2005 Evaluation level EAL 2 augmented ADV_HLD.2, ADV_IMP.1*, ADV_LLD.1*, ALC_DVS.1, ALC_FLR.3, ALC_TAT.1*, AVA_MSU.1, AVA_VLA.2 *applied to FCS functional requirements Developer(s) ExaProtect 149 boulevard Stalingrad, 69100 Villeurbanne, France Sponsor ExaProtect 149 boulevard Stalingrad, 69100 Villeurbanne, France Evaluation facility Oppida 4-6 avenue du vieil étang, Bâtiment B, 78180 Montigny le Bretonneux, France Phone: +33 (0)1 30 14 19 00, email : cesti@oppida.fr Recognition arrangements CCRA SOG-IS Certification report DCSSI-2008/38 ExaProtect Security Management Solution (SMS) Page 4 out 16 CER/F/07.5 Introduction The Certification Security certification for information technology products and systems is governed by decree number 2002-535 dated April, 18th 2002, and published in the "Journal Officiel de la République Française". This decree stipulates that: • The central information system security department draws up certification reports. These reports indicate the features of the proposed security targets. They may include any warnings that the authors feel the need to mention for security reasons. They may or may not be transmitted to third parties or made public, as the principals desire (article 7). • The certificates issued by the Prime Minister certify that the copies of the products or systems submitted for evaluation fulfil the specified security features. They also certify that the evaluations have been carried out in compliance with applicable rules and standards, with the required degrees of skill and impartiality (article 8). The procedures are available on the Internet site www.ssi.gouv.fr. ExaProtect Security Management Solution (SMS) Certification report DCSSI-2008/38 Page 5 out 16 Content 1. THE PRODUCT........................................................................................................................... 6 1.1. PRESENTATION OF THE PRODUCT........................................................................................... 6 1.2. EVALUATED PRODUCT DESCRIPTION ..................................................................................... 6 1.2.1. Product identification.................................................................................................... 6 1.2.2. Security services............................................................................................................ 7 1.2.3. Architecture................................................................................................................... 7 1.2.4. Life cycle ....................................................................................................................... 9 1.2.5. Evaluated configuration.............................................................................................. 10 2. THE EVALUATION.................................................................................................................. 11 2.1. EVALUATION REFERENTIAL ................................................................................................. 11 2.2. EVALUATION WORK ............................................................................................................. 11 2.3. CRYPTOGRAPHIC MECHANISMS ROBUSTNESS ANALYSIS..................................................... 11 3. CERTIFICATION...................................................................................................................... 12 3.1. CONCLUSION........................................................................................................................ 12 3.2. RESTRICTIONS...................................................................................................................... 12 3.3. RECOGNITION OF THE CERTIFICATE..................................................................................... 13 3.3.1. European recognition (SOG-IS).................................................................................. 13 3.3.2. International common criteria recognition (CCRA)................................................... 13 ANNEX 1. EVALUATION LEVEL OF THE PRODUCT.......................................................... 14 ANNEX 2. EVALUATED PRODUCT REFERENCES .............................................................. 15 ANNEX 3. CERTIFICATION REFERENCES ........................................................................... 16 Certification report DCSSI-2008/38 ExaProtect Security Management Solution (SMS) Page 6 out 16 CER/F/07.5 1. The product 1.1. Presentation of the product The evaluated product is « ExaProtect Security Management Solution (SMS), Version 2.7.3.5 » developed by ExaProtect. The ExaProtect SMS product enables to answer to the security supervision needs. These needs can be summarize as follows: - to manage a high number of security devices divided on the whole information system; - to process the lot of information generated by the devices; - to improve the events (reduction of false positives, take into account of the “trade” context); - to correlate the events coming from different devices and to generate alerts; - to automate the diagnosis process; - to call attention to the human expertise on the most important threat; - to propose counter measures when it is possible; - to provide a synthetic and global view on the risk and on the threat. These services are realized by the two main components ExaProtect Security Management Agent (SMA) and ExaProtect Security Management Platform (SMP). The security events analysis and the solution configuration are realized via the ExaProtect Security Management Console (SMC) from a work station with a Web browser. 1.2. Evaluated product description The security target [ST] defines the evaluated product, its evaluated security functionalities and its operation environment. 1.2.1. Product identification The configuration list [CONF] identifies the product’s constituent elements. The certified version of the product can be identified by the following elements: - version: 2.7.3.5; - build number: 390; - commit number: 16754. This information is available via the window « About » of the SMC console. The version number of the product is also indicated on the SMC console home page. The installed agents’ version is available on the file version which is in the ExaProtect Technology\ESMA 2.7.3.3\config\ directory on the work station where the agent is installed. ExaProtect Security Management Solution (SMS) Certification report DCSSI-2008/38 Page 7 out 16 1.2.2. Security services The product mainly provides the following security services: - identification and authentication of users who connect to the ExaProtect SMS product console in order to manage alerts; - users profiles management and rights agreement according to a rights table; - protection and access control to the server configuration files; - protection and access control to the tables of the server data-bases; - collection of equipment events and raw logs as well as internal ones within the agent operation; - collection of internal events in the SMP server operation; - audit of collected events at agents and SMP server level; - synchronization of the agents’ configuration at startup and also at an authorized user request; - prevention of a breaking link with the agent; - confidentiality and integrity of exchanges between the server and its agents; - confidentiality and integrity of exchanges between the console and the server; - confidentiality and integrity of raw log archiving. 1.2.3. Architecture The figure below presents a global view of the ExaProtect SMS concept and the services provided by the product: Figure 1 - TOE use cases Certification report DCSSI-2008/38 ExaProtect Security Management Solution (SMS) Page 8 out 16 CER/F/07.5 The scheme below presents the evaluation scope associated to the product components: Figure 2 - TOE architecture SGDB in the figure above corresponds to the data bases management system. The evaluation scope is the following one: - the collection of events and raw logs by the SMP server sent by the SMA agent; - the application of events’ correlation rules in order to generate security alerts; - the security alerts analysis through audit functions accessible via the SMC console; - the communications between agents and the server; - the communications between the console and the server, including the users authentication mechanism and the access control; - the archiving of raw logs coming from equipment units. The following elements are out of the scope of the evaluation: - the “reporting” mechanisms from events and security alerts stored in the data base; - the collection of log entries on the equipment, their communication toward an agent and their tranformation into events and raw logs; - the relevance of rules and heuristics used par the correlation engine to manage the alerts. ExaProtect Security Management Solution (SMS) Certification report DCSSI-2008/38 Page 9 out 16 1.2.4. Life cycle The product has been developed on the following site: ExaProtect Innovation 149 boulevard Stalingrad 69100 Villeurbanne France The equipment and certificates delivery process is described in the figure bellow. The certificate enables a customer to download patches, updates and product documentation. Figure 3 - Delivery process Customer’s order Equipment quotation request Order of the equipment Reception of the equipment at Lyon’s technical centre Equipment preparation for the delivery Documents preparation for the delivery Sending of the equipment to the customer Equipment received by the customer who has to configure the network parameters Certificate request Sending of the certificate to the customer Customer’s order Order of the equipment Preparation of the delivery at the customer Delivery of the equipment Delivery of the certificate Customer service Customer service Technical centre Technical centre Technical centre Customer Customer service Technical centre Customer service Customer’s order Equipment quotation request Order of the equipment Reception of the equipment at Lyon’s technical centre Equipment preparation for the delivery Documents preparation for the delivery Sending of the equipment to the customer Equipment received by the customer who has to configure the network parameters Certificate request Sending of the certificate to the customer Customer’s order Order of the equipment Preparation of the delivery at the customer Delivery of the equipment Delivery of the certificate Customer service Customer service Technical centre Technical centre Technical centre Customer Customer service Technical centre Customer service Certification report DCSSI-2008/38 ExaProtect Security Management Solution (SMS) Page 10 out 16 CER/F/07.5 In the evaluation context, the evaluator has considered as “product administrators” the “administrators” who visualize/acknowledge the alerts, activate/configure the agents and configure the correlation rules, and the “superusers” who have the same privileges that the “administrators” but can also create/configure users/administrators accounts. The evaluator has also considered as “product users” the “viewers” who visualize the alerts and the “analysts” who visualize/ acknowledge the alerts and can also activate/deactivate an agent (but they cannot configure it). 1.2.5. Evaluated configuration The SMP server comes in the form of an appliance composed of the Red Hat Enterprise Linux 3.0 operating system, as well as the following applications: - application SMP 2.7.3.5; - server Tomcat 5.5.17; - data-base MySQL 5.0.38; - Java SDK 1.5.0-08; - application GnuPG 1.2.1-20. A SMA agent is composed of the following elements: - application SMA 2.7.3.5 (identical Java application, whatever the system is); - Java runtime JRE 1.5.0-06 (executable file dependent on the system on which the agent is installed). The SMA agents are supported by the following operating systems: - Linux : RedHat 7.1 or superior, RedHat Enterprise Linux 3.0 or superior, Debian 3.0 (kernel 2.4) or superior; - Windows XP, 2000, 2003 ; - SUN-Solaris 2.8 or superior; - DEC TRU64 4.0f or superior; - IBM-AIX 5.1 or superior. The SMC console is accessible from a web browser like Mozilla Firefox 1.5 or superior or Internet Explorer 6.0. The evaluator has realized his tests from a Mozilla Firefox 2.0.0.5 web browser. ExaProtect Security Management Solution (SMS) Certification report DCSSI-2008/38 Page 11 out 16 2. The evaluation 2.1. Evaluation referential The evaluation has been performed in compliance with Common Criteria version 2.3 [CC], with the Common Evaluation Methodology [CEM]. 2.2. Evaluation work The evaluation technical report [ETR], delivered to DCSSI the 30th September 2008, provides details on the work performed by the evaluation facility and assesses that all evaluation tasks are “passed”. 2.3. Cryptographic mechanisms robustness analysis The robustness of cryptographic mechanisms has been analyzed by DCSSI. The results are stated in the cryptographic analysis report [ANA-CRY]. They reveal the DSA algorithm used for the signature of archived data does not achieve the standard level. In order to remedy this, a recommendation is in the guides [GUIDES] indicating to escrow the signature public key of the archiving in a secure way. All of the other results of the cryptographic analysis report [ANA-CRY] have been taken into account in the evaluator analysis of independent vulnerabilities. They did not highlight any exploitable vulnerability for the aimed VLA level. Certification report DCSSI-2008/38 ExaProtect Security Management Solution (SMS) Page 12 out 16 CER/F/07.5 3. Certification 3.1. Conclusion The evaluation was carried out according to the current rules and standards, with the required competency and impartiality for a licensed evaluation facility. All the work performed permits the release of a certificate in conformance with the decree 2002-535. This certificate testifies that the product “ExaProtect Security Management Solution (SMS), Version 2.7.3.5” submitted for evaluation fulfils the security features specified in its security target [ST] for the evaluation level EAL 2 augmented. 3.2. Restrictions This certificate only applies on the product specified in chapter 1.2 of this certification report. The user of the certified product shall respect the summarized operational environmental security objectives specified in the security target [ST] and shall respect the recommendations in the guides [GUIDES], in particular: 1. OE.PROTECT_HARDWARE. The SMC console access work station and the SMP server shall be installed in secure premises. 2. OE.EXPORT_BASE. As part of the raw logs archiving service, it is supposed that the ways which enable the deciphering and the checking of the archives signature out of the TOE are managed in a secure way. 3. OE.TRUE_AGENT. The TOE shall rely on agents which transform in a reliable and consistent way the log entries related back by the equipment units. 4. OE.ADM_NO_EVIL. The organization shall recruit trustworthy staff as administrators for operating systems hosting the SMA ExaProtect agents and as administrators for the SMP ExaProtect server. 5. OE.HOST_CLEAN. The equipment on which the SMA agents are installed shall be made secure according to stiffening processes and updated according to specific vulnerabilities discovered on the operating system and the applications installed on these equipment units. 6. OE.SERVER_CLEAN. The appliance on which the SMP server is installed shall not contain other services (third applications) that the ones which are initially installed. 7. OE.USR_AWARE. The TOE users shall be trained to the use of the TOE and be sensitized to security, in particular to the consequences of their acts when they handle and acknowledge alerts. ExaProtect Security Management Solution (SMS) Certification report DCSSI-2008/38 Page 13 out 16 8. OE.CRYPTO. The TOE shall use cryptographic mechanisms complying with the DCSSI referential for qualified products at the « standard » level. 9. OE.QUALIF. The TOE shall be evaluated at the EAL2+ level corresponding to a qualification at the standard level. 10. OE.TIME. The TOE time reference shall be synchronized with a time basis available by the environment. 11. OE.FIREWALL. The TOE environment shall include a communication filtering device located in front of the ExaProtect SMP server. 12. OE.CTL_AGENT_ASSETS. The systems on which the agents are installed shall implement an access control on agents’ resources (configuration files, bi-key). 3.3. Recognition of the certificate 3.3.1. European recognition (SOG-IS) This certificate is issued in accordance with the provisions of the SOG-IS agreement [SOG- IS]. The European Recognition Agreement made by SOG-IS in 1999 allows recognition from Signatory States of the agreement1 , of ITSEC and Common Criteria certificates. The European recognition is applicable up to ITSEC E6 and CC EAL7 levels. The certificates that are recognized in the agreement scope are released with the following marking: 3.3.2. International common criteria recognition (CCRA) This certificate is released in accordance with the provisions of the CCRA [CC RA]. The Common Criteria Recognition Arrangement allows the recognition, by signatory countries2 , of the Common Criteria certificates. The mutual recognition is applicable up to the assurance components of CC EAL4 level and also to ALC_FLR family. The certificates that are recognized in the agreement scope are released with the following marking: 1 The signatory countries of the SOG-IS agreement are: Finland, France, Germany, Greece, Italy, The Netherlands, Norway, Spain, Sweden and United Kingdom. 2 The signatory countries of the CCRA arrangement are: Australia, Austria, Canada, Czech Republic, Denmark, Finland, France, Germany, Greece, Hungary, India, Israel, Italy, Japan, the Republic of Korea, Malaysia, Netherlands, New-Zealand, Norway, Singapore, Spain, Sweden, Turkey, the United Kingdom and the United States of America. Certification report DCSSI-2008/38 ExaProtect Security Management Solution (SMS) Page 14 out 16 CER/F/07.5 Annex 1. Evaluation level of the product Components by assurance level Assurance level of the product Class Family EAL 1 EAL 2 EAL 3 EAL 4 EAL 5 EAL 6 EAL 7 EAL 2+ Name of the component ACM_AUT 1 1 2 2 ACM_CAP 1 2 3 4 4 5 5 2 Configuration items ACM Configuration management ACM_SCP 1 2 3 3 3 ADO_DEL 1 1 2 2 2 3 1 Delivery procedures ADO Delivery and operation ADO_IGS 1 1 1 1 1 1 1 1 Installation, generation and start-up procedures ADV_FSP 1 1 1 2 3 3 4 1 Informal functional specification ADV_HLD 1 2 2 3 4 5 2 Security enforcing high-level design ADV_IMP 1 2 3 3 1* Subset of the implementation of the TSF ADV_INT 1 2 3 ADV_LLD 1 1 2 2 1* Descriptive low-level design ADV_RCR 1 1 1 1 2 2 3 1 Informal correspondence demonstration ADV Development ADV_SPM 1 3 3 3 AGD_ADM 1 1 1 1 1 1 1 1 Administrator guidance AGD Guidance AGD_USR 1 1 1 1 1 1 1 1 User guidance ALC_DVS 1 1 1 2 2 1 Identification of security measures ALC_FLR 3 Systematic Flow remediation ALC_LCD 1 2 2 3 ALC Life-cycle support ALC_TAT 1 2 3 3 1* Well-defined development tools ATE_COV 1 2 2 2 3 3 1 Evidence coverage ATE_DPT 1 1 2 2 3 ATE_FUN 1 1 1 1 2 2 1 Functional testing ATE Tests ATE_IND 1 2 2 2 2 2 3 2 Independent testing – sample AVA_CCA 1 2 2 AVA_MSU 1 2 2 3 3 1 Guidance examination AVA_SOF 1 1 1 1 1 1 1 Strength of TOE security function evaluation AVA Vulnerability assessment AVA_VLA 1 1 2 3 4 4 2 Independent vulnerability analysis *applied to FCS functional requirements. ExaProtect Security Management Solution (SMS) Certification report DCSSI-2008/38 Page 15 out 16 Annex 2. Evaluated product references [ST] Reference security target for the evaluation: Cible de sécurité ExaProtect Security Management Solution Reference SMSSecurityTarget.fr, version 1.8, 15/07/2008 ExaProtect [ETR] Evaluation technical report – Projet JOUBARBE Reference: OPPIDA/CESTI/JOUBARBE/RTE/1.0, 30/09/2008 OPPIDA [ANA-CRY] Cotation des mécanismes cryptographiques – Projet JOUBARBE, N°1228/SGDN/DCSSI/SDS/Crypto, 26/05/2008 SGDN/DCSSI [CONF] Liste de configuration de la version 2.7.3 Reference: ConfigListSMS273-fr, version 1.3, 22/09/2008 ExaProtect [GUIDES] Installation guidance: - SMA Installation Guide Reference : udoc-00616-en, version 6, 23/04/2008 ExaProtect - SMP Installation Guide Reference : udoc-00614-en, version 7, 23/04/2008 ExaProtect Administration guidance: - SMS Administration Guide Reference : udoc-00632-en, version 3, 23/04/2008 ExaProtect User guidance: - SMA User Guide Reference : udoc-00613-en, version 6, 22/04/2008 ExaProtect Certification report DCSSI-2008/38 ExaProtect Security Management Solution (SMS) Page 16 out 16 CER/F/07.5 Annex 3. Certification references Decree number 2002-535 dated 18th April 2002 related to the security evaluations and certifications for information technology products and systems. [CER/P/01] Procedure CER/P/01 - Certification of the security provided by IT products and systems, DCSSI. [CC] Common Criteria for Information Technology Security Evaluation: Part 1: Introduction and general model, August 2005, version 2.3, ref CCMB-2005-08-001; Part 2: Security functional requirements, August 2005, version 2.3, ref CCMB-2005-08-002; Part 3: Security assurance requirements, August 2005, version 2.3, ref CCMB-2005-08-003. The content of Common Criteria version 2.3 is identical to the international ISO/IEC 15408:2005. [CEM] Common Methodology for Information Technology Security Evaluation: Evaluation Methodology, August 2005, version 2.3, ref CCMB-2005-08-004. The content of CEM version 2.3 is identical to the international ISO/IEC 18045:2005. [CC RA] Arrangement on the Recognition of Common criteria certificates in the field of information Technology Security, May 2000. [SOG-IS] «Mutual Recognition Agreement of Information Technology Security Evaluation Certificates», version 2.0, April 1999, Management Committee of Agreement Group. [REF-CRY] Cryptographic mechanisms - Rules and recommendations about the choice and parameters sizes of cryptographic mechanisms with standard robustness level version 1.10, 14th of September 2007, No. 1904/SGDN/DCSSI/SDS/LCR