Validated Product - Cisco IronPort S-Series Web Security Appliance (WSA) (S160, S360, S660) running AsyncOS 5.6.1
Certificate Date: 22 October 2009
Validation Report Number: CCEVS-VR-VID10244-2009
Product Type: IDS/IPS
Conformance Claim: EAL2
PP Identifier: Intrusion Detection System System Protection Profile, Version 1.6, dated April 4, 2006 (Archived)
CC Testing Lab: SAIC Common Criteria Testing Laboratory
PRODUCT DESCRIPTION
The TOE is the Cisco IronPort S-Series Web Security Appliance (WSA) (S160, S360, S660) running IronPort Async Operating System (AsyncOS) 5.6.1. The TOE is an Intrusion Detection System (IDS)/Intrusion Prevention System (IPS) that protects the enterprise against web-based malware and spyware programs and also provides protection for standard communication protocols. The environment is expected to provide hardware to which the TOE can attach so that monitoring can take place and so that HTTP traffic is routed through the TOE. The intended hardware environment and suggested configuration are detailed in Figure 1 of section 2.2.2 of the ST. Note that the connection for passive monitoring in the diagram illustrates the connection to the TOE itself, not a separate device. The Web Proxy Services and the L4 Traffic Monitor are independent services that are enabled and configured separately. Web Proxy Services monitor and control traffic that originates from clients on the internal network. Web Access Policies are a combination of Policy Groups and URL Filters that provide a variety of options for controlling user access to the Internet and for imposing restrictions inside the intranet domain. Policy Groups give the administrator a mechanism for grouping users; membership in a group can be specified by client IP address, username, or authorization group. URL Filters give the administrator a mechanism for determining how the TOE responds to each web request. The L4 Traffic Monitor scans all ports at wire speed, detecting and blocking malware and spyware 'phone-home' activity. It tracks all 65,535 TCP and User Datagram Protocol (UDP) ports to block malware that attempts to bypass Port 80, and it prevents rogue Peer-to-Peer (P2P) and Internet Relay Chat (IRC) related activity.
The L4 Traffic Monitor allow list is a manually populated list, configured by an authorized Administrator, of trusted IP addresses and domain names that the monitor does not need to monitor or block. The L4 Traffic Monitor uses and maintains its own internal database, which is updated with matched results for IP addresses and domain names. It also receives periodic updates from the vendor over an HTTPS connection.
EVALUATED CONFIGURATION
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Cisco IronPort S-Series Web Security Appliance (WSA) (S160, S360, S660) running AsyncOS 5.6.1 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3. Science Applications International Corporation (SAIC) determined that the product meets the EAL 2 family of assurance requirements. The product, when configured as specified in the ASYNCOS™ 5.6.1 USER GUIDE for Web Security Appliances and the IronPort Web Security Appliance running AsyncOS™ 5.6.1 COMMON CRITERIA GUIDE for IronPort Appliances, satisfies all of the security functional requirements stated in the Cisco IronPort S-Series Web Security Appliance Security Target, Version 1.0. Two Validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in October 2009. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10244-2009, dated 22 October 2009) prepared by CCEVS.
SECURITY EVALUATION SUMMARY
The TOE is a commercial product whose users require a low to moderate level of independently assured security. Cisco IronPort S-Series Web Security Appliance (WSA) (S160, S360, S660) running AsyncOS 5.6.1 is targeted at a relatively benign environment with good physical access security and competent TOE administrators and users. Within such environments, it is assumed that attackers will have a low attack potential. Cisco IronPort S-Series Web Security Appliance (WSA) (S160, S360, S660) running AsyncOS 5.6.1 supports the following five security functions:
Security Audit: The TOE generates audit events for the basic level of audit. Note that the IDS_SDC and IDS_ANL requirements address the recording of results from IDS scanning, sensing and analyzing tasks (e.g., System data).
Identification and Authentication: The TOE maintains user identities, authentication data, authorizations and groups. The administrative console provides the single TOE logon mechanism through which an authorized Administrator manages security functions. No user is allowed access to the security functions without being identified and authenticated by the system.
Security Management: The TOE restricts the ability to administer functions related to auditing, use of the authentication mechanism, user security attributes, the information flow control policy, and scanning, sensing and analyzing task data (e.g., System data) to an authorized Administrator.
Protection of the TSF: The TOE provides a reliable timestamp for logging purposes and provides a security domain for its own use. The TOE also provides the ability to detect modification of, and to verify the integrity of, all signature updates received from a remote update server in the IT environment of the TOE.
Intrusion Detection (EXP): The TOE monitors network traffic for malware and/or reputation policy data, acting as an IDS scanner. The TOE performs signature and integrity analysis on network traffic, security configuration changes, data introduction, detected known vulnerabilities and detected malware on monitored web traffic, and records the corresponding event data.