National Information Assurance Partnership
®
TM
Common Criteria Evaluation and Validation Scheme
Validation Report
McAfee IntruShield Intrusion Prevention System
Report Number: CCEVS-VR-VID10169-2009
Dated: 13 January 2009
Version: 1.0
National Institute of Standards and Technology National Security Agency
Information Technology Laboratory Information Assurance Directorate
100 Bureau Drive 9800 Savage Road STE 6757
Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6757
i
ACKNOWLEDGEMENTS
Validation Team
Jandria S. Alexander
Richard Murphy
Common Criteria Testing Laboratory
SAIC Common Criteria Testing Laboratory
Columbia, Maryland
ii
iii
Table of Contents
1 Executive Summary.................................................................................................... 1
2 Identification............................................................................................................... 2
Table 1: Evaluation Identifiers............................................................................................ 3
3 Security Policy............................................................................................................ 4
4 Assumptions................................................................................................................ 4
4.1 Personnel Assumptions....................................................................................... 4
4.2 Physical Assumptions......................................................................................... 4
4.3 IT Environment Assumptions............................................................................. 4
5 Architectural Information ........................................................................................... 5
Figure 2: McAfee IntruShield Architecture........................................................................ 5
6 Documentation............................................................................................................ 6
7 IT Product Testing ...................................................................................................... 9
7.1 Developer Testing............................................................................................... 9
7.2 Evaluation Team Independent Testing ............................................................... 9
8 Evaluated Configuration........................................................................................... 10
9 Validator Comments................................................................................................. 10
10 Security Target...................................................................................................... 10
11 Glossary ................................................................................................................ 11
12 Bibliography ......................................................................................................... 12
1 Executive Summary
This document is intended to assist the end-user of this product with determining the
suitability of the product in their environment. End-users should review both the Security
Target (ST) which is where specific security claims are made, and this Validation Report
(VR) which described how those security claims were evaluated.
This report documents the National Information Assurance Partnership (NIAP)
assessment of the evaluation of the McAfee Incorporated IntruShield Product Family. It
presents the evaluation results, their justifications, and the conformance results. This
Validation Report is not an endorsement of the Target of Evaluation (TOE) by any
agency of the U.S. Government and no warranty of the TOE is either expressed or
implied.
The evaluation of the McAfee Incorporated IntruShield Product Family was performed
by the SAIC Common Criteria Testing Laboratory in the United States and was
completed during November 2008. The information in this report is largely derived from
the Evaluation Technical Report (ETR) and associated test report, both written by SAIC.
The evaluation team determined the product to be Part 2 extended and Part 3
conformant, and concluded that the Common Criteria Version 2.3 requirements for
Evaluation Assurance Level (EAL) 3 have been met.
The McAfee IntruShield Product Family is a network Intrusion Prevention System (IDS)
that provides real-time network intrusion detection and prevention. The TOE consists of
the following components:
• One or more McAfee Incorporated IntruShield Sensors,
o IntruShield 1200 appliance, Rev. 3 or earlier
o IntruShield 1400 appliance, Rev. 3 or earlier
o IntruShield 2600 appliance, Rev. 7 or earlier
o IntruShield 2700 appliance, Rev. 1
o IntruShield 3000 appliance, Rev. 6 or earlier
o IntruShield 4000 appliance, Rev. 7 or earlier
o IntruShield 4010 appliance, Rev. 6 or earlier
• IntruShield Security Management System (ISM) Version 3.1.5.13
• The Sensor Builds Version 3.1.40.6
The sensor components are dedicated systems that monitor network traffic on a
designated network segment. They process traffic using signature information
downloaded from the ISM (which obtains this information from the Update Server.) The
ISM receives event and alert information from the sensors and provides a web-based user
1
interface for display of event data and alerts, configuration of sensors, and updates of
sensor information.
The sensors perform statefull inspection of network packets in order to detect and prevent
intrusions, misuse, denial of service attacks, and distributed denial of service attacks. The
seven sensor products differ only in their bandwidth capacity and deployment strategies
and provide the same security functions.
The following figure provides a high-level representation of the TOE.
S
e
n
s
o
r
Manager
Update
Server
Browser
(Administrator
and user
interface)
Network
TOE
Collection
Figure 1 – High-Level TOE Representation
The validation team determined that the evaluation team showed that the product satisfies
all of the functional and assurance requirements defined in the Security Target for an
EAL 3 evaluation. Therefore the validation team concludes that the SAIC CCTL
findings are accurate, and the conclusions justified.
2 Identification
The CCEVS is a joint National Security Agency (NSA) and National Institute of
Standards and Technology (NIST) effort to establish commercial facilities to perform
trusted product evaluations. Under this program, security evaluations are conducted by
commercial testing laboratories called Common Criteria Testing Laboratories (CCTLs)
using the Common Evaluation Methodology (CEM) for EAL 1 through EAL 4 in
accordance with National Voluntary Laboratory Assessment Program (NVLAP)
accreditation.
2
The NIAP Validation Body assigns Validators to monitor the CCTLs to ensure quality
and consistency across evaluations. Developers of information technology products
desiring a security evaluation contract with a CCTL and pay a fee for their product’s
evaluation. Upon successful completion of the evaluation, the product is added to
NIAP’s Validated Products List.
Table 1 provides information needed to completely identify the product, including:
• The Target of Evaluation (TOE): the fully qualified identifier of the product as
evaluated;
• The Security Target (ST), describing the security features, claims, and assurances
of the product;
• The conformance result of the evaluation;
• The organizations and individuals participating in the evaluation.
Table 1: Evaluation Identifiers
Item Identifier
Evaluation Scheme
United States NIAP Common Criteria Evaluation and
Validation Scheme
Target of Evaluation
McAfee Incorporated IntruShield Intrusion Prevention
System
Security Target
IntruShield Product Family Intrusion Prevention System
Security Target, v1.21, August 11, 2008
Evaluation Technical
Report
Evaluation Technical Report for IntruShield Product
Family; v1.0 October 28, 2008.
Conformance Result CC Part 2 Extended, CC Part 3 conformant, EAL 3
Sponsor
McAfee Incorporated
3965 Freedom Circle
Santa Clara, CA 95054
Common Criteria Testing
Lab (CCTL)
Science Applications International Corporation
Common Criteria Testing Laboratory
7125 Columbia Gateway Drive, Suite 300
Columbia, Maryland 21046
CCEVS Validator(s)
Richard Murphy
Jandria Alexander
3
3 Security Policy
The TOE implements an intrusion detection and prevention Security Policy by the use of
stateful inspection of network traffic on designated network segments. The TOE
implements an IDS policy as specified in the Security Target. These specify requirements
for data collection, analysis, event response, and review of captured event information.
4 Assumptions
4.1 Personnel Assumptions
ƒ There will be one or more competent System Managers assigned to manage the
TOE and the security of the information maintained by the TOE.
ƒ The system administrators are not careless, willfully negligent, or hostile. The
administrators are assumed to follow guidance, and do not attempt to attack or
subvert the TOE and its policy.
ƒ Only authorized users are able to access the TOE.
4.2 Physical Assumptions
ƒ The TOE hardware and software are protected from unauthorized physical
modifications.
ƒ The TOE is located within a controlled access facility which will prevent
unauthorized physical access.
4.3 IT Environment Assumptions
ƒ The TOE has access to all the IT System data that it needs to perform its
functions.
ƒ The TOE will be managed in a manner that allows it to appropriately address
changes in the IT System the TOE monitors.
ƒ The TOE is appropriately scalable to the IT System the TOE monitors.
ƒ The Windows 2000/2003 operating system, which is a part of the environment,
shall provide reliable time stamps for the TOE.
4
5 Architectural Information
The components of the IntruShield IDS TOE are the Collection Subsystem and the
Manager Subsystem. These subsystems are depicted in Figure 2 and are summarized in
the text below.
Manager Sub System
Home
Page
System
Health
Config
Page
Alert
Manager
Collection Sub System
Detection
Mechanism
Monitor and
Analyze
Sensor:
Update Server
Figure 2: McAfee IntruShield Architecture
a) Collection Subsystem: The Collection Subsystem is provided by the IntruShield
Sensor appliance. The primary function of the IntruShield sensor is to analyze
traffic on selected network segments and to respond when an attack is detected.
The sensor examines the header and data portion of every network packet,
looking for patterns and behavior in the network traffic that indicate malicious
activity. The sensor examines packets according to user-configured policies, or
rule sets, which determine what attacks to watch for, and how to react with
countermeasures if an attack is detected. If an attack is detected, the sensor raises
an alert to describe the event, and responds according to its configured policy.
Sensors can perform many types of attack responses, including generating alerts
and packet logs, resetting TCP connections, “scrubbing” malicious packets, and
even dropping packets entirely before they reach their target. A sensor may be
connected to multiple network segments in multiple operating modes.
5
b) Manager Subsystem: The ISM is the Manager Subsystem. The ISM server is a
dedicated Windows 2000/2003 platform running the ISM software. The ISM is
also referred to as The Manager. There are three versions of the ISM system,
which differ only in the number of sensors supported. Functionally, the products
are otherwise identical. The Security Target uses the term “ISM” to describe any
of the versions. The ISM provides a web-based user interface for managing and
configuring the IntruShield Sensors. Components of the ISM include:
a. Home Page (formerly known as Network Console) is the first screen
displayed after the user logs on to the system. The Network Console
displays system health—i.e., whether all components of the system are
functioning properly, the number of unacknowledged alerts in the system
and the configuration options available to the current user. Options
available within the Network Console are determined by the current user’s
assigned role(s).
b. System Health Viewer displays the status of the ISM, database, and any
deployed sensors; including all system faults.
c. System Configuration Tool provides all system configuration options, and
facilitates the configuration of sensors, administrative domains, users,
roles, attack policies and responses, user-created signatures, and system
reports. Access to various activities, such as user management, system
configuration, or policy management is based on the current user’s role(s)
and privileges.
d. Alert Manager displays detected security events that violate your
configured security policies. The Alert Manager provides powerful drill-
down capabilities to enable you to see all the details on a particular alert,
including its type, source and destination addresses,
The ISM operates on a dedicated Windows 2000/2003 workstation using a MySQL
database for event storage.
6 Documentation
Following is a list of the evaluation evidence, each of which was issued by the developer
(and sponsor).
Design documentation:
• IntruShield Functional Specification Document (ADV_FSP)
• IntruShield High-Level Design Document (ADV_HLD)
• IntruShield Informal Correspondence Document
• McAfee® IntruShield® IPS System IntruShield Security Management System
version 3.1, Manager Configuration Guide, revision 4.0
Guidance documentation:
6
• McAfee® IntruShield® IPS System IntruShield Security Management System
version 3.1:
o Manager Installation Guide, revision 4.0
o Manager Configuration Guide, revision 4.0
o Getting Started Guide, revision 3.0
o IntruShield Sensor 4010 Product Guide, revision 4.0
o IntruShield Sensor 4000 Product Guide, revision 4.0
o IntruShield Sensor 3000 Product Guide, revision 4.0
o IntruShield Sensor 2700 Product Guide, revision 4.0
o IntruShield Sensor 2600 Product Guide, revision 4.0
o IntruShield Sensor 1200 Product Guide, revision 4.0
o IntruShield Sensor 1400 Product Guide, revision 4.0
• McAfee IntruShield IPS System, Release Version 3.1.5, 3.1.5 Release Notes for
Common Criteria Compliance, 09/22/2008
Configuration Management:
• IntruShield IDS System Configuration Management Document
Lifecycle Support:
• Assurance Life Cycle Support Document, (ALC)
Delivery and Operation documentation:
• McAfee IntruShield Order, Delivery, and Billing
• Update Server Delivery Procedure (ADO) Document
• IntruShield Manufacturing Flow Process, Test Plan, & Delivery
• McAfee® IntruShield® IPS System IntruShield Security Management System
version 3.1
o Manager Installation Guide, revision 4.0
o Manager Configuration Guide, revision 4.0
o Getting Started Guide, revision 3.0
o IntruShield Sensor 4010 Product Guide, revision 4.0
o IntruShield Sensor 4000 Product Guide, revision 4.0
o IntruShield Sensor 3000 Product Guide, revision 4.0
7
o IntruShield Sensor 2700 Product Guide, revision 4.0
o IntruShield Sensor 2600 Product Guide, revision 4.0
o IntruShield Sensor 1200 Product Guide, revision 4.0
o IntruShield Sensor 1400 Product Guide, revision 4.0
• McAfee® IntruShield® IPS System version 3.1: Troubleshooting Guide, revision
2.0
• McAfee IntruShield IPS System, Release Version 3.1.5, 3.1.5 Release Notes for
Common Criteria Compliance, 09/22/2008
Test documentation:
• IntruShield IDS System Test (ATE) Document
Vulnerability Assessment documentation:
• McAfee® IntruShield® IPS System IntruShield Security Management System
version 3.1:
o Manager Installation Guide, revision 4.0
o Manager Configuration Guide, revision 4.0
o Getting Started Guide, revision 3.0
o IntruShield Sensor 4010 Product Guide, revision 4.0
o IntruShield Sensor 4000 Product Guide, revision 4.0
o IntruShield Sensor 3000 Product Guide, revision 4.0
o IntruShield Sensor 2700 Product Guide, revision 4.0
o IntruShield Sensor 2600 Product Guide, revision 4.0
o IntruShield Sensor 1200 Product Guide, revision 4.0
o IntruShield Sensor 1400 Product Guide, revision 4.0
• McAfee® IntruShield® IPS System version 3.1: Troubleshooting Guide, revision
2.0
• McAfee IntruShield IPS System, Release Version 3.1.5, 3.1.5 Release Notes for
Common Criteria Compliance, 09/22/2008
• IntruShield Product Family, Intrusion Prevention System Security Target, v1.21,
August 11, 2008
• IntruShield Vulnerability Assessment Document Version 5.1.1, 12/15/07
Security Target
8
• IntruShield Product Family, Intrusion Prevention System Security Target, v1.21,
August 11, 2008
7 IT Product Testing
This section describes the testing efforts of the developer and the evaluation team.
7.1 Developer Testing
The developer tested the interfaces identified in the functional specification and the high
level design and mapped each test to the security function tested. The scope of the
developer tests included all TOE Security Functions: Security Audit, User Data
Protection, Identification and Authentication, Security Management, Protection of TOE
Security Functions, and Intrusion Detection System.
Test depth is addressed by analyzing the functions addressed in the high level design and
associating test cases that cover the addressed functionalities. The high level design
addressed the general functions of the TOE components. Each security function maps to
the appropriate test suite, and the test rationale demonstrates why the test suites provide
adequate test coverage of a given security function.
The evaluation team determined that the developer’s actual test results matched the
vendor’s expected results.
7.2 Evaluation Team Independent Testing
The evaluation team ensured that the TOE performed as described in the design
documentation and demonstrated that the TOE enforces the TOE security functional
requirements. Specifically, the evaluation team ensured that the developer test
documentation sufficiently addresses the security functions as described in the functional
specification and high level design. The evaluation team performed a sample of the
developer’s test suite and devised an independent set of team tests and penetration tests.
Although the evaluation team performed a sample of the developer’s test suite, the
selected tests were representative of the TOE Security Functions.
9
8 Evaluated Configuration
The evaluated configuration consisted of the components identified in the table below.
Component Description
IntruShield 1200 appliance, Rev. 3 or earlier
IntruShield 1400 appliance, Rev. 3 or earlier
IntruShield 2600 appliance, Rev. 7 or earlier
IntruShield 2700 appliance, Rev. 1
IntruShield 3000 appliance, Rev. 6 or earlier
IntruShield 4000 appliance, Rev. 7 or earlier
IntruShield 4010 appliance, Rev. 6 or earlier
Network data collection sensor
IntruShield Security Manager System (ISM)
Version 3.1.5.13
Software to manage and configure the
Sensor subsystems
Table 2 - Hardware and Software Components
9 Validator Comments
This evaluation shows that the evaluated configuration meets the security claims made,
with a certain level of assurance. The product has been evaluated at the assurance level
of EAL 3 and it has been determined that it meets its functional claims.
10 Security Target
IntruShield Product Family Intrusion Prevention System Security Target, v1.21 August
11, 2008.
10
11 Glossary
CC Common Criteria
IDS Intrusion Detection System
ISM IntruShield Security Management
IT Information Technology
NIAP National Information Assurance Partnership
SF Security Function
SFP Security Function Policy
SOF Strength of Function
ST Security Target
TOE Target of Evaluation
TSC TSF Scope of Control
TSF TOE Security Functions
TSFI TSF Interface
TSP TOE Security Policy
11
12
12 Bibliography
The Validation Team used the following documents to produce this Validation Report:
• Common Criteria for Information Technology Security Evaluation – Part 1:
Introduction and general model, dated August 2005, Version 2.3.
• Common Criteria, Evaluation and Validation Scheme for Information Technology
Security, Guidance to Validators of IT Security Evaluations, Scheme Publication
#3, Version 1.0, January 2002.
• Common Evaluation Methodology for Information Technology Security – Part 1:
Introduction and general model, version 0.6, 11 January 1997.
• Common Evaluation Methodology for Information Technology Security – Part 2:
Evaluation Methodology, dated August 2005, version 2.3
• Common Evaluation Methodology for Information Technology Security – Part 2:
Evaluation Methodology, Supplement: ALC_FLR - Flaw Remediation, dated
February 2002, version 1.1
• IntruShield Product Family Intrusion Prevention System Security Target, v1.21,
August 11 2008.
• Evaluation Technical Report for the IntruShield Product Family, Version 1.0,
October 28, 2008.