Validation Report CCEVS-VR-02-0014
Intrusion Detection System Scanner Protection Profile
Version 1.1 – 10 December 2001
National Information Assurance Partnership
®
TM
Common Criteria Evaluation and Validation
Scheme
Validation Report
National Security Agency
Intrusion Detection System Scanner Protection Profile,
Version 1.1, December 10, 2001
Report Number: CCEVS-VR-02-0014
Dated: 31 January 2002
Version: 1.0
National Institute of Standards and Technology National Security Agency
Information Technology Laboratory Information Assurance Directorate
100 Bureau Drive 9800 Savage Road STE 6740
Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6740
1
Validation Report CCEVS-VR-02-0014
Intrusion Detection System Scanner Protection Profile
Version 1.1 – 10 December 2001
ACKNOWLEDGEMENTS
Validation Team
Jeffrey Gilliatt
S. Meg Weinberg
Mitretek Systems Inc.,
McLean, VA
Common Criteria Testing Laboratory
Computer Sciences Corporation
Annapolis Junction, MD
2
Validation Report CCEVS-VR-02-0014
Intrusion Detection System Scanner Protection Profile
Version 1.1 – 10 December 2001
Table of Contents
1 Executive Summary.................................................................................................... 4
2 Identification............................................................................................................... 4
3 Protection Profile Summary........................................................................................ 4
4 Threats......................................................................................................................... 5
4.1 TOE Threats........................................................................................................ 5
4.2 IT System Threats............................................................................................... 6
5 Security Policy............................................................................................................ 6
6 Assumptions................................................................................................................ 7
6.1 Intended Usage Assumptions.............................................................................. 7
6.2 Physical Assumptions......................................................................................... 7
6.3 Personnel Assumptions....................................................................................... 7
7 Security Content of PP................................................................................................ 8
8 Documentation............................................................................................................ 8
9 Results of the Evaluation ............................................................................................ 9
3
Validation Report CCEVS-VR-02-0014
Intrusion Detection System Scanner Protection Profile
Version 1.1 – 10 December 2001
1 Executive Summary
An evaluation of the Intrusion Detection System Scanner, Protection Profile [IDS_SCN_PP], Version 1.1,
December 10, 2001 commenced on 10 August 2001 and completed on 31 January 2002. The
[IDS_SCN_PP] evaluation was performed by Computer Sciences Corporation in the United States. The
evaluation was conducted in accordance with the requirements drawn from the Common Criteria CCv2.1,
Part 3, Class APE: Protection Profile Evaluation. The assurance activities in this CC class offer confidence
that the [IDS_SCN_PP] contains realistic security objectives that are countered by stated threats. The CC
class also offers confidence that the Protection Profile is internally consistent, coherent and technically
sound. The protection profile identified in this Validation Report has been evaluated at an accredited
testing laboratory using the Common Methodology for IT Security Evaluation (Version 1.0) for
conformance to the Common Criteria for IT Security Evaluation (Version 2.1). This Validation Report
applies only to the specific version of the protection profile as evaluated. The evaluation has been
conducted in accordance with the provision of the NIAP Common Criteria Evaluation and Validation
Scheme and the conclusions of the testing laboratory in the evaluation technical report are consistent with
the evidence adduced. This Validation Report is not an endorsement of the protection profile by any
agency of the U.S. Government and no warranty of the protection profile is either expressed or implied.
Computer Sciences Corporation, the Common Criteria Testing Laboratory [CCTL], is certified by the
NIAP validation body for laboratory accreditation. The CCTL has presented CEM work units and rationale
that are consistent with the CC [Common Criteria], the CEM [The Common Evaluation Methodology] and
CCEVS publication number 4 Guidance to CCEVS Approved Common Criteria Testing Laboratories. The
CCTL team concluded that the requirements of the APE class have been met. Therefore, a pass verdict has
been issued, by the CCTL, for the protection profile assurance family.
The validation team followed the procedures outlined in the Common Criteria Evaluation Scheme
[CCEVS] publication number 3 for Guidance to Validators of IT Security Evaluations. The validation
team has observed that the evaluation and all of its activities were in accordance with the Common Criteria,
the Common Evaluation Methodology [CEM], and CCEVS policy. The validation team concludes that the
evaluation has completed and the evaluation team’s results are valid.
Evaluation Specific Details
Dates of Evaluation: 10 August 2001 – 31 January 2002
Evaluated Product: Intrusion Detection System Scanner, Protection Profile, Version 1.1, December 10,
2001
Developer: Science Applications International Corporation, 7125 Gateway Drive, Suite 300, Columbia,
MD 21046 for National Security Agency, 9800 Savage Road, Fort George G. Meade, MD 20755-6000
CCTL: Computer Sciences Corporation, Annapolis Junction, MD.
Evaluation Class: EAL2
Validation Team: Jeffrey Gilliatt, Mitretek Systems Inc.
S. Meg Weinberg, Mitretek Systems, Inc.
Applicable National and International Interpretations: None
2 Identification
Intrusion Detection System Scanner, Protection Profile, Version 1.1, December 10, 2001.
3 Protection Profile Summary
The [IDS_SCN_PP] specifies a set of security functional and assurance requirements for Information
Technology (IT) products. An Intrusion Detection System (IDS) monitors an IT System for activity that
may inappropriately affect the IT System's assets. An IT System may range from a computer system to a
4
Validation Report CCEVS-VR-02-0014
Intrusion Detection System Scanner Protection Profile
Version 1.1 – 10 December 2001
computer network. An IDS consists of Sensors, Scanners and Analyzers. Sensors and Scanners collect
information regarding IT System activity and vulnerabilities, and they forward the collected information to
Analyzers. Analyzers perform intrusion analysis and reporting of the collected information.
[IDS_SCN_PP] conformant products support the ability to statically monitor a set of IT resources in order
to identify events that may be indicative of potential vulnerabilities in or misuse of those IT resources.
[IDS_SCN_PP] conformant products also provide the ability to protect themselves and their associated data
from unauthorized access or modification and ensure accountability for authorized actions.
The [IDS_SCN_PP] provides for a level of protection which is appropriate for IT environments that require
detection of malicious and inadvertent attempts to gain inappropriate access to IT resources, where the IDS
can be appropriately protected from hostile attacks. Though products that are [IDS_SCN_PP] conformant
can be used to monitor a system or network in a hostile environment, they are not designed to resist direct,
hostile attacks. The [IDS_SCN_PP] does not fully address the threats posed by malicious administrative or
system development personnel. This profile is also not intended to result in products that are foolproof and
able to detect intrusion attempts by hostile and well-funded attackers. [IDS_SCN_PP] conformant products
are suitable for use in both commercial and government environments.
The [IDS_SCN_PP] is generally applicable to products regardless of whether they are embedded, stand-
alone, centralized, or distributed. However, it addresses only security requirements and not any special
considerations of any particular product design.
It should be noted that just because a Scanner may be conformant with this Protection Profile, that Scanner
should not be assumed to be interoperable with any other IDS component evaluated against a Protection
Profile in the Intrusion Detection System family of Protection Profiles. There are no requirements for
interoperability within the Protection Profiles.
4 Threats
The following are threats identified for the TOE and the IT System the TOE monitors. The TOE itself has
threats and the TOE is also responsible for addressing threats to the environment in which it resides. The
assumed level of expertise of the attacker for all the threats is unsophisticated.
4.1 TOE Threats
T.COMINT An unauthorized user may attempt to compromise the integrity of
the data collected by the TOE by bypassing a security mechanism.
T.COMDIS An unauthorized user may attempt to disclose the data collected by
the TOE by bypassing a security mechanism.
T.LOSSOF An unauthorized user may attempt to remove or destroy data
collected by the TOE.
T.NOHALT An unauthorized user may attempt to compromise the continuity of
the Scanner’s collection functionality by halting execution of the
TOE.
5
Validation Report CCEVS-VR-02-0014
Intrusion Detection System Scanner Protection Profile
Version 1.1 – 10 December 2001
T.PRIVIL An unauthorized user may gain access to the TOE and exploit
system privileges to gain access to TOE security functions and
data.
T.IMPCON An unauthorized user may inappropriately change the configuration
of the TOE causing potential intrusions to go undetected.
T.INFLUX An unauthorized user may cause malfunction of the TOE by
creating an influx of data that the TOE cannot handle.
T.FACCNT Unauthorized attempts to access TOE data or security functions
may go undetected.
4.2 IT System Threats
The following identifies threats to the IT System that may be indicative of vulnerabilities in or misuse of IT
resources.
T.SCNCFG Improper security configuration settings may exist in the IT System
the TOE monitors.
T.SCNMLC Users could execute malicious code on an IT System that the TOE
monitors which causes modification of the IT System protected data
or undermines the IT System security functions.
T.SCNVUL Vulnerabilities may exist in the IT System the TOE monitors.
5 Security Policy
This section identifies the organizational security policies applicable to the Intrusion Detection System
Scanner Protection Profile.
P.DETECT Static configuration information that might be indicative of the
potential for a future intrusion or the occurrence of a past intrusion
of an IT System must be collected.
P.MANAGE The TOE shall only be managed by authorized users.
P.ACCESS All data collected by the TOE shall only be used for authorized
6
Validation Report CCEVS-VR-02-0014
Intrusion Detection System Scanner Protection Profile
Version 1.1 – 10 December 2001
purposes.
P.ACCACT Users of the TOE shall be accountable for their actions within the
IDS.
P.INTGTY Data collected by the TOE shall be protected from modification.
P. PROTCT The TOE shall be protected from unauthorized accesses and
disruptions of collection activities.
6 Assumptions
This section contains assumptions regarding the security environment and the intended usage of the TOE.
6.1 Intended Usage Assumptions
A.ACCESS The TOE has access to all the IT System data it needs to perform
its functions.
A.DYNMIC The TOE will be managed in a manner that allows it to
appropriately address changes in the IT System the TOE monitors.
A.ASCOPE The TOE is appropriately scalable to the IT System the TOE
monitors.
6.2 Physical Assumptions
A.PROTCT The TOE hardware and software critical to security policy
enforcement will be protected from unauthorized physical
modification.
A.LOCATE The processing resources of the TOE will be located within
controlled access facilities, which will prevent unauthorized physical
access.
6.3 Personnel Assumptions
A.MANAGE There will be one or more competent individuals assigned to
7
Validation Report CCEVS-VR-02-0014
Intrusion Detection System Scanner Protection Profile
Version 1.1 – 10 December 2001
manage the TOE and the security of the information it contains.
A.NOEVIL The authorized administrators are not careless, willfully negligent,
or hostile, and will follow and abide by the instructions provided by
the TOE documentation.
A.NOTRST The TOE can only be accessed by authorized users.
7 Security Content of PP
A Scanner product conformant to the [IDS_SCN_PP] will provide the ability to statically monitor a set of
IT resources in order to identify events that may be indicative of potential vulnerabilities in or misuse of
those IT resources. A Scanner product conformant to the [IDS_SCN_PP] also provides the ability to
protect itself and its associated data from unauthorized access or modification and also ensures
accountability for authorized actions. A Scanner product conformant to the [IDS_SCN_PP] must be
capable of performing the following security functions:
• Collect static configuration information about an IT System. Configuration information may
include detected malicious code, access control configuration, service configuration,
authentication configuration, accountability policy configuration, and detected known
vulnerabilities.
• Protect itself and its data from tampering.
• Forward all collected configuration information to an authorised Analyser for data reduction and
analysis.
• Be configured by an authorised user.
• Produce an audit trail (e.g., configuration changes, Scanner and data accesses).
8 Documentation
The evidence used in this evaluation is based solely upon:
[IDS_SCN_PP] Intrusion Detection System Scanner, Protection Profile, Version
1.1, December 10, 2001 (and previous versions leading up to this
document).
The evaluation and validation methodology was drawn from the following:
[CC_PART1] Common Criteria for Information Technology Security Evaluation-
Part 1: Introduction and general model, dated August 1999,
version 2.1.
[CC_PART2] Common Criteria for Information Technology Security Evaluation
Part 2: Security functional requirements, dated August 1999,
version 2.1.
[CC_PART2A] Common Criteria for Information Technology Security Evaluation
Part 2: Annexes, dated August 1999, version 2.1.
8
Validation Report CCEVS-VR-02-0014
Intrusion Detection System Scanner Protection Profile
Version 1.1 – 10 December 2001
[CC_PART3] Common Criteria for Information Technology Security Evaluation
Part 3: Security assurance requirements, dated August 1999,
version 2.1.
[CEM_PART 1] Common Evaluation Methodology for Information Technology
Security – Part 1: Introduction and general model, dated
1 November 1997, version 0.6.
[CEM_PART2] Common Evaluation Methodology for Information Technology
Security – Part 2: Evaluation Methodology, dated August 1999,
version 1.0.
[CCEVS_PUB1] Common Criteria, Evaluation and Validation Scheme for
Information Technology Security, Organization, Management and
Concept of Operations, Scheme Publication #1, Version 2.0 May
1999.
[CCEVS_PUB2] Common Criteria, Evaluation and Validation Scheme for
Information Technology Security, Validation Body Standard
Operating Procedures, Scheme Publication #2, Version 1.5,
May 2000.
[CCEVS_PUB3] Common Criteria, Evaluation and Validation Scheme for
Information Technology Security, Guidance to Validators of IT Security
Evaluations, Scheme Publication #3, Version 1.0,
October 2001.
[CCEVS_PUB 4] Common Criteria, Evaluation and Validation Scheme for
Information Technology Security, Guidance to CCEVS
Approved Common Criteria Testing Laboratories, Scheme
Publication #4, Version 1, March 20, 2001.
[CCEVS_PUB 5] Common Criteria, Evaluation and Validation Scheme for
Information Technology Security, Guidance to Sponsors of
IT Security Evaluations, Scheme Publication #5, Version 1.0,
August 2000.
9 Results of the Evaluation
The Common Criteria Testing Laboratory [CCTL] team conducted the evaluation according to the CC and
the CEM and concluded that the requirements of the APE class were met. Therefore, a pass verdict has
been issued for the protection profile assurance family.
9