Compliant Product - IBM Proventia G 1.3 and SiteProtector 2.0 Service Pack 6.1 with Reporting Module
Certificate Date: 04 November 2010
Validation Report Number: CCEVS-VID10276-2010
Product Type: IDS/IPS
Conformance Claim: EAL2
PP Identifier: Intrusion Detection System System Protection Profile, Version 1.6, dated April 4, 2006 (Archived)
CC Testing Lab: COACT Inc. CAFE Laboratory
The TOE is an automated real-time intrusion detection system (IDS) designed to protect 10/100/1000 Mbps copper and 1000 Mbps SX network segments. The TOE unobtrusively analyses and responds to activity across computer networks. The TOE is comprised of two components:
A) Proventia G 1.3 appliance (hereafter referred to as Proventia G 1.3, Proventia GX, Sensor or Agent).
B) SiteProtector 2.0 Service Pack 6.1 with Reporting Module (hereafter referred to as SiteProtector 2.0 Service Pack 6.1 with Reporting Module or SiteProtector).
The Proventia GX TOE component provides the IDS functionality. This Sensor monitors one or more networks and compares incoming packets against known packets and packet patterns that indicate a potential security violation. If a match occurs, Proventia GX creates an audit record. The SiteProtector 2.0 Service Pack 6.1 with Reporting Module TOE component provides management, monitoring and configuration functions to administrators.
The Proventia GX and SiteProtector TOE components are described in the following sections.
The Sensor monitors one or more 10/100/1000 Mbps copper or 1000 Mbps SX fiber network segments (the sensed, monitored network).
The SiteProtector Version 2.0 Service Pack 6.1 with Reporting Module TOE component provides management, monitoring and configuration functions to administrators. The SiteProtector management workstation connects to the appliance via a TLS session, and this workstation is only used by authorized administrators for the management of the appliance.
Proventia GX TOE Component
The Proventia GX TOE component provides IDS security functionality. The Proventia GX TOE component consists of Proventia G 1.3 firmware and is made up of one of the following appliances: GX4002, GX4004, GX5008 C, CF and SFP (Copper, Copper/Fiber and small form factor pluggable port configurations), GX5208 and GX5108 (C, CF and SFP). The Proventia GX TOE component includes the Proventia GX appliance hardware, the appliance-resident Red Hat operating system (OS) and the Proventia GX application software image.
SiteProtector 2.0 Service Pack 6.1 TOE Component
The SiteProtector 2.0 Service Pack 6.1 with Reporting Module component of the TOE is a software product that runs on a Windows based workstation. The SiteProtector enables administrators to monitor and manage the Sensor components of the TOE. The SiteProtector TOE component includes the SiteProtector 2.0 Service Pack 6.1 with Reporting Module software.
The TOE’s evaluated configuration requires one or more instances of a Sensor TOE component (Proventia G 1.3) and one instance of a workstation running SiteProtector 2.0 Service Pack 6.1.
The following list itemizes configuration options for the TOE for the evaluated configuration:
A) Telnet server support in the Sensors is not included.
B) Incidents and Exceptions are disabled.
C) The evaluated configuration of SiteProtector does not have Internet access to the ISS website. Automatic retrieval is disabled. Therefore, SiteProtector will not periodically check the ISS website for new software updates and automatically retrieve and store the updates on the SiteProtector system.
D) Intrusion Prevention and firewall functionality provided by Proventia GX is not included in the evaluated configuration.
E) SiteProtector components are resident on one workstation (a remote SiteProtector Console is not supported in the evaluated configuration).
F) SiteProtector components and the DBMS implementation reside on one workstation.
G) Proventia GX and SiteProtector communicate via TLS.
H) SSL or encrypted SQL is used for the communication between SiteProtector and the DBMS. SSL encryption can be manually configured by the user for each component that connects to the DB. The SiteProtector documentation includes steps to manually configure SSL. Neither data nor database code is encrypted; encryption occurs only in the communications to the DB.
I) Management via local management or web interface directly to the Proventia GX is not included in the evaluated configuration.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the IBM Proventia G 1.3 and SiteProtector 2.0 Service Pack 6.1 with Reporting Module meets the security requirements contained in the Security Target.
The criteria against which the IBM Proventia G 1.3 and SiteProtector 2.0 Service Pack 6.1 with Reporting Module was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3. The COACT, Inc. CAFE Lab determined that the evaluation assurance level (EAL) for the IBM Proventia G 1.3 and SiteProtector 2.0 Service Pack 6.1 with Reporting Module is EAL 2. The TOE, configured as specified in the installation guide, satisfies all of the security functional requirements stated in the Security Target.
A Validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by the COACT, Inc. CAFE Lab. The evaluation was completed in January 2010. Results of the evaluation and associated validation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report.
Audit Security Function
The TOE’s Audit Security Function provides audit data generation, selective auditing, audit data viewing and selective audit data viewing.
Intrusion Detection Security Function
The TOE provides Intrusion Detection Security Functionality by continuously monitoring network traffic, comparing this traffic to signatures, and reporting any match that may indicate an intrusion.
Self Protection Security Function
The TOE Self Protection Security Functionality provides functionality that protects its TSF Data and TOE functions from unauthorized access.
Management Security Function
The TOE’s Management Security Function provides an interface that enables an authorized user to manage and monitor the TOE.
Reaction Security Function
The TOE’s Reaction Security Function provides the actions taken in response to a detected intrusion attempt.