Validated Product - Juniper Networks IDP 4.0 and NSM 2006.1

Certificate Date: 23 October 2006
Validation Report Number: CCEVS-VR-06-0043
Product Type: IDS/IPS
Conformance Claim: EAL2
PP Identifier: Intrusion Detection System System Protection Profile, Version 1.4 (Archived)
CC Testing Lab: SAIC Common Criteria Testing Laboratory

PRODUCT DESCRIPTION

IDP 4.0 provides intrusion detection and prevention capabilities for a network, depending on the deployment mode chosen. In Passive Sniffer Mode, the IDP 4.0 appliance provides detection capabilities by passively monitoring traffic on the network. In Active Gateway Mode, the IDP 4.0 appliance is deployed inline as a gateway, so that all traffic must pass through the IDP 4.0 appliance before reaching the external network; this provides the capability to both detect and prevent intrusions on the network. Whether network traffic is considered an intrusion, and which preventive actions are taken on an identified intrusion, depends on the configuration of the security policy installed on the IDP 4.0 appliance.

NSM 2006.1 provides a management interface for administering IDP 4.0 appliances. NSM 2006.1 consists of an NSM Server and an NSM User Interface (NSM UI), which give an administrator access to the system data collected by the Sensor(s). From within NSM 2006.1, policies and attack objects can be managed and uploaded to the IDP 4.0 appliances. In addition, NSM 2006.1 provides the functionality required to review the system data collected by the IDP 4.0 appliances, as well as the audit data that NSM 2006.1 itself collects about administrator actions.

The Sensor monitors the network on which the IDP appliance is installed. The Sensor is a hardware appliance (called the IDP appliance) that runs the Sensor software on a Linux-based kernel. The Sensor's primary task is to detect suspicious and anomalous network traffic based on specific rules defined in IDP rulebases.
If the Sensor is running in-line, it can also take a predefined action against malicious traffic.

The NSM Server is software that runs on a Linux or Solaris kernel and centralizes logging, reporting, data, and Security Policy management for the IDP appliance. All objects, Security Policies, and log records are stored in the underlying filesystem on the NSM Server and are administered using the NSM UI. NSM Server communication with the other two tiers of the IDP appliance (the Sensor and the NSM UI) is encrypted and authenticated. It provides different types of alerts and messages so that multiple administrators can be alerted to network anomalies.

The NSM UI is software that provides a graphical environment for centrally managing IDP. The UI is a Java-based application that can be installed on multiple computers on a network. Multiple users can connect to a single NSM Server.

The set of IDP appliances included in the evaluation is IDP50, IDP200, IDP600, IDP600F, IDP1100C, and IDP1100F. The TOE was tested on all platforms by the vendor as part of the evaluation. The evaluation team ran its tests on the IDP50 and IDP1100F platforms, since the security functionality among all the models is identical (as supported by the design). The NSM Server runs on Sun Solaris 8 and 9, Red Hat Enterprise Linux ES 3.0 with Update 5 or 4.0 with Update 1, or Red Hat Enterprise Linux AS 3.0 with Update 5 or 4.0 with Update 1. The evaluation team tested the NSM Server on one variant of Unix, as all of the security code is identical across the Unix platforms; the only source code differences among them are in kernel services (process handling, signal handling, network I/O, disk I/O, etc.). The NSM UI runs on the Java Runtime Environment (JRE) version 1.4.2. The NSM UI was tested on a Windows XP platform by the evaluation team. Since the NSM UI relies on JRE version 1.4.2, the underlying platform is irrelevant, as it is not called directly.
The evaluation addressed only those products developed by Juniper Networks and none of the supporting environment.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the IDP 4.0 & NSM 2006.1 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.2. The evaluation methodology used by the evaluation team is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 2. The product, when configured as specified in the Juniper Networks IDP 4.0 & NSM 2006.1 Evaluated Configuration Guide, Rev B.2, 8/1/2006, satisfies all of the security functional requirements stated in the Juniper Networks IDP 4.0 & NSM 2006.1 Security Target (Version 1.0). The TOE was also found to be compliant with the Intrusion Detection System System Protection Profile (IDSSP, Version 1.5). One validator monitored the evaluation carried out by SAIC. The evaluation was completed in August 2006. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-06-0043, dated October 23, 2006) prepared by CCEVS.

ENVIRONMENTAL STRENGTHS

The environmental strengths of the TOE include the following IT security features for the Sensor, NSM Server, and NSM UI. These IT security features of IDP 4.0 & NSM 2006.1 enable a user to effectively implement and maintain the IDP appliance.

Audit - The Auditing security function is implemented within the Sensor, NSM Server, and NSM UI components of IDP 4.0 & NSM 2006.1.
The Sensor provides the capability to generate audit data and to store it temporarily until it has been successfully transferred to the NSM Server. The NSM Server provides the capability to generate audit events and to store the audit events generated by both the Sensor and the NSM Server. In addition, the NSM Server ensures that only authorized users are allowed to view the stored audit data, which is presented in an interpretable manner. The NSM UI provides a means for the authorized Read-Only Administrator and the authorized Read/Write Administrator to select the data to be audited, as well as the capability to sort the audit data viewed through the NSM UI.

Identification and Authentication - The Identification & Authentication security function is implemented only within the NSM Server component of IDP 4.0 & NSM 2006.1. In general, it provides a means for users to be identified and authenticated using a password.

Security Management - The Security Management security function is implemented only within the NSM Server component of IDP 4.0 & NSM 2006.1. The NSM UI also supports the Security Management security function by providing an interface to invoke the defined Security Management capabilities, with the exception of maintaining the authorized System administrator role. The authorized System administrator role is managed from the NSM Server by establishing an HTTPS connection to the Sensor and invoking the Appliance Configuration Manager (ACM), which allows the authentication data of the admin and root accounts on the Sensor to be modified.

Self-Protection - IDP 4.0 & NSM 2006.1 protects itself and ensures that its policies are enforced in a number of ways. The IDP appliance provides process separation to protect the appliance from untrusted processes.
The NSM Server protects itself by keeping its context separate from that of its users and by making effective use of operating system mechanisms to ensure that the memory and files used by the NSM Server have the appropriate access settings. The NSM UI provides a security domain for its own execution that protects it from interference and tampering by untrusted subjects, by executing the NSM UI in a sandbox using Java technology.

Intrusion Detection and Prevention - The Intrusion Detection & Prevention security function provides the Sensor with sensing capabilities to collect service requests, network traffic, and security configuration changes. It provides the NSM Server with scanning capabilities to collect detected malicious code, service configuration, and detected known vulnerabilities using the Profiler. It provides the Sensor with analysis capabilities using the Signature, Protocol Anomaly, Backdoor, Traffic Anomaly, IP Spoofing, Layer 2, and Denial of Service (DoS) analysis methods on all IDS data collected by the Sensor. When in any of the Active Gateway Mode configurations, the Intrusion Detection & Prevention security function provides the Sensor with the capability to alarm an administrator when an intrusion has been detected, if the intrusion matches an intrusion in the defined security policy and is tagged to send an alarm. In addition, it provides the ability to drop, block, or ignore an intrusion attempt, depending on the actions defined within the security policy.

Vendor contact:
Juniper Networks, Inc.
Sue Lin, Program Manager, Security Certifications
408.936.8447
sulin@juniper.net