Validated Product - Cisco Security MARS 110 and 110R, Cisco Security MARS 210, and Cisco Security MARS GC2, with Software Version 5.2.4.2487

Certificate Date: 07 August 2008

Validation Report Number: CCEVS-VR-VID10181-2008

Product Type: IDS/IPS, Security Management

Conformance Claim: EAL2

PP Identifiers: None

CC Testing Lab: Arca CCTL


PRODUCT DESCRIPTION

CS-MARS Version 5.2.4.2487 is an intrusion detection system analyzer (a security event monitoring product) that collects data from reporting devices across a distributed network and analyzes that data to detect incidents. The CS-MARS (Cisco Security Monitoring, Analysis, and Response System) appliance collects events from a long list of compatible devices (specified in the Security Target) that includes routers, switches, firewalls, vulnerability scanners, VPN devices, antivirus applications, Windows, Solaris and Red Hat Linux hosts, web servers, web proxies, Oracle database servers, Cisco ACS, syslog clients, SNMPv1 clients, host IDS applications, and network IDS sensors. All of these devices act as sensors for the CS-MARS appliance.

The CS-MARS appliances receive event messages pushed by the sensors, or pull raw data in the form of device logs, alerts, events, and NetFlow records generated by the sensors. In the context of raw data, an "event" or "event data" is an audit record or set of records generated by the reporting device, and is not to be confused with the alerts that the CS-MARS appliance itself generates. The CS-MARS appliance compares the collected data against security policies (rules) created by the CS-MARS administrator to identify possible attacks, security incidents, or other indications of intrusion across the network segments monitored by the reporting devices.

CS-MARS is also capable of compiling configuration information from the reporting network devices to build a network topology, which aids administrators in the analysis of events and enables modeling of packet flow through the entire network. As raw data is received, it is analyzed in the context of that topology, and events are correlated and matched against the security policies described above to identify security incidents. CS-MARS can send alert notifications, including e-mail and pager messages, so that individuals are notified as soon as an incident is detected.
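
The collect, normalize, correlate and alert flow described above, as an added example that is not CS-MARS code and does not reproduce its rule engine: raw syslog lines from two different reporting devices are normalized into a common event record and then matched against one administrator-style rule (a single source denied to five or more distinct destination ports within 60 seconds, regardless of which sensor reported each deny). The two message patterns are assumptions modeled on the Cisco PIX/ASA %PIX-4-106023 and IOS %SEC-6-IPACCESSLOGP deny formats, the device names, timestamps and log lines are constructed, and the rule threshold and window are illustrative parameters.

```python
"""Minimal multi-sensor event normalization and rule correlation.

Added example, not CS-MARS code. Log lines, device names and timestamps
are constructed; the regexes are assumptions modeled on Cisco PIX/ASA
%PIX-4-106023 and IOS %SEC-6-IPACCESSLOGP deny messages.
"""
import re
from collections import defaultdict
from dataclasses import dataclass

PIX_DENY = re.compile(
    r"%(?:PIX|ASA)-\d-106023: Deny (?P<proto>\w+) src \w+:(?P<src>[\d.]+)/\d+ "
    r"dst \w+:(?P<dst>[\d.]+)/(?P<dport>\d+)"
)
IOS_DENY = re.compile(
    r"%SEC-6-IPACCESSLOGP: list \S+ denied (?P<proto>\w+) "
    r"(?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<dport>\d+)\)"
)


@dataclass(frozen=True)
class Event:
    ts: int        # seconds since epoch (constructed)
    device: str    # name of the reporting device
    src: str       # denied source address
    dst: str       # destination address
    dport: int     # destination port


def normalize(ts, device, line):
    """Map one raw syslog payload to a common Event, or None if it is not a deny."""
    for pat in (PIX_DENY, IOS_DENY):
        m = pat.search(line)
        if m:
            return Event(ts, device, m["src"], m["dst"], int(m["dport"]))
    return None  # unrecognized messages stay in raw storage but are not correlated


def correlate(events, threshold=5, window=60):
    """Rule: a source denied to >= threshold distinct (dst, port) pairs within
    `window` seconds, across any reporting devices, raises one incident."""
    incidents = []
    recent = defaultdict(list)   # src -> events still inside the sliding window
    reported = set()             # sources already raised, to avoid duplicates
    for e in sorted(events, key=lambda ev: ev.ts):
        q = recent[e.src]
        q.append(e)
        while q and e.ts - q[0].ts > window:
            q.pop(0)
        targets = {(x.dst, x.dport) for x in q}
        if len(targets) >= threshold and e.src not in reported:
            reported.add(e.src)
            incidents.append({
                "src": e.src,
                "targets": sorted(targets),
                "devices": sorted({x.device for x in q}),
                "first_ts": q[0].ts,
                "last_ts": e.ts,
            })
    return incidents


# Constructed sample feed: (timestamp, reporting device, raw syslog payload).
SAMPLE_FEED = [
    (1000, "pix-1", '%PIX-4-106023: Deny tcp src outside:10.1.1.5/40001 dst inside:192.168.1.10/22 by access-group "outside_in"'),
    (1003, "rtr-1", '%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(40002) -> 192.168.1.10(23), 1 packet'),
    (1005, "pix-1", '%PIX-4-106023: Deny tcp src outside:10.2.2.9/5555 dst inside:192.168.1.20/80 by access-group "outside_in"'),
    (1010, "pix-1", '%PIX-4-106023: Deny tcp src outside:10.1.1.5/40003 dst inside:192.168.1.10/25 by access-group "outside_in"'),
    (1012, "rtr-1", '%SEC-6-IPACCESSLOGP: list 101 denied tcp 10.1.1.5(40004) -> 192.168.1.10(110), 1 packet'),
    (1015, "rtr-1", '%SYS-5-CONFIG_I: Configured from console by admin on vty0'),  # not a deny; ignored
    (1020, "pix-1", '%PIX-4-106023: Deny tcp src outside:10.1.1.5/40005 dst inside:192.168.1.10/443 by access-group "outside_in"'),
    (1200, "pix-1", '%PIX-4-106023: Deny tcp src outside:10.1.1.5/40006 dst inside:192.168.1.10/3389 by access-group "outside_in"'),  # outside the window
]


def run(feed=SAMPLE_FEED):
    """Normalize a feed and return the incidents the rule produces."""
    events = [ev for ev in (normalize(*rec) for rec in feed) if ev]
    return correlate(events)


if __name__ == "__main__":
    for inc in run():
        ports = [p for _, p in inc["targets"]]
        print(f"INCIDENT src={inc['src']} ports={ports} sensors={inc['devices']} "
              f"window={inc['first_ts']}-{inc['last_ts']}")
```

The point of the example is the cross-sensor view: neither the firewall nor the router alone sees five distinct ports, so a rule evaluated per device would stay silent, while the normalized stream crosses the threshold at the fifth deny. The probe at timestamp 1200 falls outside the sliding window and does not extend the incident.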

A web-based interface is available to CS-MARS administrators and operators to view event data, modify the configuration, or generate reports. The web interface presents summarized and detailed accounts of each identified security incident. A topology map can be used to show hotspots, incidents, full attack paths, and rule matches. CS-MARS stores the raw data collected from sensors for later review and for report generation. Real-time and ad hoc queries can be run to support additional analysis of the stored information, and reports can be generated from pre-defined or customizable formats.

The evaluated hardware models are the CS-MARS 110 and 110R, CS-MARS 210, and CS-MARS GC2, all of which run CS-MARS software version 5.2.4.2487. The CS-MARS 5.2.4.2487 software includes Oracle database 10.2.0.3 and JBoss application server 3.2.7. The evaluated products can be installed in one of two configurations: one Local Controller (LC) acting alone (also known as a Standalone), or one Global Controller (GC) with one or more LCs. The CS-MARS 110, 110R, and 210 can be installed as LCs; the Global Controller is the CS-MARS GC2. A GC can be used to remotely manage multiple LCs, whereas direct administrative access to an LC only allows administration of that Controller. A GC collects and compiles incidents from the LCs it has been configured to manage. The primary purpose of a GC is to summarize the findings of two or more LCs, since a GC does not collect data directly from remote reporting devices.

The following table identifies supported devices and protocols:

Supported Devices

Type                     | Vendor                              | Versions                 | Configuration retrieval protocol | Raw data retrieval protocol                    | Pushed to TOE or pulled from sensor
-------------------------|-------------------------------------|--------------------------|----------------------------------|------------------------------------------------|------------------------------------
Router / Switch          | Cisco IOS                           | 11.x, 12.x               | SSHv1 or SSHv2, SNMPv1           | Syslog (from device)                           | Pushed
Router / Switch          | Cisco IOS                           | 11.x, 12.x               | SSHv1 or SSHv2, SNMPv1           | NetFlow v1, v3, v5, v7                         | Pushed
Router / Switch          | Cisco CatOS                         | 6.x                      | SSHv1 or SSHv2, SNMPv1           | Syslog (from device)                           | Pushed
Router / Switch          | Extreme Extremeware                 | 6.x                      | SNMPv1                           | Syslog (from device)                           | Pushed
Firewall                 | Cisco PIX                           | 6.0, 6.1, 6.2, 6.3, 7.0  | SSHv1 or SSHv2, SNMPv1           | Syslog (from device)                           | Pushed
Firewall                 | Cisco ASA                           | 7                        | SSHv1 or SSHv2, SNMPv1           | Syslog (from device)                           | Pushed
Firewall                 | Cisco FWSM                          | 1.1, 2.1, 2.2, 2.3       | SSHv1 or SSHv2, SNMPv1           | Syslog (from device)                           | Pushed
Firewall                 | Cisco IOS FW Feature                | 12.2(T) and later        | SSHv1 or SSHv2, SNMPv1           | Syslog (from device)                           | Pushed
Firewall                 | Netscreen                           | 3.0, 4.0, 5.0            | SSHv1 or SSHv2, SNMPv1           | Syslog (from device)                           | Pushed
Firewall                 | Checkpoint FW1                      | FP3, FP4, AI             | CPMI                             | LEA (from Log Server or Management Server)     | Pushed
Firewall                 | Nokia Firewall (running Checkpoint) | FP3, FP4, AI             | CPMI                             | LEA (from Log Server or Management Server)     | Pulled
VPN                      | Cisco VPN 3000                      | 4.0, 4.7                 | N/A                              | Syslog (from device)                           | Pushed
Network IDS              | Cisco NIDS, IDSM                    | 3.x                      | N/A                              | POP (from device)                              | Pulled
Network IDS              | Cisco NIDS, IDSM                    | 4.x                      | N/A                              | RDEP (from device)                             | Pulled
Network IDS              | Cisco IPS, ASA module               | 5.0, 5.1                 | N/A                              | SDEE (from device)                             | Pulled
Network IDS              | Cisco IOS IPS                       | 12.2                     | N/A                              | SDEE (from device)                             | Pulled
Network IDS              | McAfee Intrushield                  | 1.5, 1.8                 | N/A                              | SNMP (from Management Server)                  | Pushed
Network IDS              | Netscreen IDP                       | 2.x                      | N/A                              | SNMP (from Management Server)                  | Pushed
Network IDS              | Symantec Manhunt                    | 4.0                      | N/A                              | SNMP (from device)                             | Pushed
Network IDS              | ISS RealSecure                      | 6.5, 7.0                 | N/A                              | SNMP (from device)                             | Pushed
Network IDS              | Snort                               | 1.x, 2.x                 | N/A                              | Syslog (from device)                           | Pushed
Network IDS              | Enterasys Dragon                    | 6.x                      | N/A                              | Syslog (from Manager)                          | Pushed
Host IDS                 | Cisco CSA                           | 4.0, 4.5                 |                                  | SNMP (from CSA MC)                             | Pushed
Host IDS                 | McAfee Entercept                    | 2.5, 4.x                 | N/A                              | SNMP (from Management Server)                  | Pushed
Host IDS                 | ISS RealSecure Host Sensor          | 6.5, 7.0                 | N/A                              | SNMP (from device)                             | Pushed
Anti-virus               | Symantec AV                         | 9.x                      | N/A                              | SNMP (from Management Server)                  | Pushed
Anti-virus               | CICC, Trend Micro OPS               | 11.x - Prg 7.5 - Engine  | N/A                              | Syslog (from CICC Server)                      | Pushed
Anti-virus               | Network Associates                  | 8.x                      | N/A                              | SNMP (from Management Server)                  | Pushed
Vulnerability Assessment | E-eye REM                           | 1.x                      | N/A                              | JDBC (MS SQL) (from REM server)                | Pulled
Vulnerability Assessment | Qualys                              | 3.4                      | N/A                              | HTTPS                                          | Pulled
Vulnerability Assessment | Foundstone Foundscan                | 4.x                      | N/A                              | JDBC (MS SQL) (from Management Server)         | Pulled
Host OS                  | Windows                             | NT, 2000, 2003           | N/A                              | Syslog (from SNARE agent) or MS-RPC event pull | Pushed (Syslog) or Pulled (MS-RPC)
Host OS                  | Solaris                             | 8.x, 9.x, 10.x           | N/A                              | Syslog (from device)                           | Pushed
Host OS                  | Red Hat Linux                       | 7.x, 8.x                 | N/A                              | Syslog (from device)                           | Pushed
Web Server               | Microsoft IIS                       | ANY                      | N/A                              | Syslog (from SNARE agent)                      | Pushed
Web Server               | Sun iPlanet                         | ANY                      | N/A                              | HTTP (from Protego Agent)                      | Pushed
Web Server               | Apache                              | ANY                      | N/A                              | HTTP (from Protego Agent)                      | Pushed
Web Proxy                | NetApp Netcache                     |                          | N/A                              | HTTP                                           | Pushed
Database                 | Oracle                              | 9i, 10g                  | N/A                              | SQLNet (from host)                             | Pulled
AAA                      | Cisco ACS                           | 3.x                      | N/A                              | Syslog (from Protego Agent)                    | Pushed

Note: Some of the sensor devices supported by the evaluated product use non-secure protocols (HTTP, Syslog, SNMPv1, OPSEC-LEA, OPSEC-CPMI, POP, MS-RPC, SQLNet) to transfer raw data to CS-MARS. The authorized administrator must ensure that appropriate measures are taken in the IT Environment to protect this data in transit, for example by carrying sensor traffic over an isolated management network or an encrypted tunnel between the reporting device and the appliance. SSHv1, where it is listed as a configuration retrieval protocol, has known cryptographic weaknesses and should likewise be avoided in favor of SSHv2.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Arca Common Criteria Test Laboratory processes and procedures, which are compliant with the Common Criteria Evaluation and Validation Scheme (CCEVS). The evaluation demonstrated that the security functions of CS-MARS (Auditing, Identification and Authentication, External Device Communication, Administration, Reporting, Analysis, Reaction, and Self Protection) met the security requirements contained in the Security Target. The criteria against which CS-MARS was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3, Parts 2 and 3. The evaluation team conducted the evaluation using the Common Methodology for Information Technology Security Evaluation, Version 2.3.

Arca CCTL concluded that the Common Criteria requirements for Evaluation Assurance Level (EAL) 2 have been met. The product, configured as outlined in the Secure Installation Guidance (Installation, Generation, and Start-Up Documentation), satisfies all of the security functional requirements stated in the Security Target. A Validation Team, on behalf of CCEVS, monitored the evaluation, which completed in June 2008. Results of the evaluation can be found in the Validation Report prepared by the National Information Assurance Partnership (NIAP) CCEVS Validation Team.

ENVIRONMENTAL STRENGTHS

Remote administration of Global and Local Controllers requires secure channels using SSLv2 or SSLv3. Connectivity between a Global Controller and its Local Controllers uses SSLv3. Both protocol versions have since been deprecated by the IETF (SSLv2 in RFC 6176, SSLv3 in RFC 7568), so the evaluated configuration should not be read as current transport-security guidance.

Note: The cryptography used in this product has not been FIPS certified, nor has it been analyzed or tested for conformance to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor.

Vendor Information

Cisco Systems, Inc.
703-484-0168
ciscopoc@cisco.com

http://www.cisco.com