Validated Product - Top Layer Networks IDS Balancer(TM) Version 2.2 Appliance (IDSB3531-CCV1.0, IDSB3532-CCV1.0, IDSB4508-CCV1.0)

Certificate Date: 03 September 2004

Validation Report Number: CCEVS-VR-04-0074

Product Type: Network Management

Conformance Claim: EAL2

PP Identifiers: None

CC Testing Lab: CygnaCom Solutions, Inc


PRODUCT DESCRIPTION

The Top Layer IDS Balancer is a passive, non-inline network appliance that sends copies of data traffic to multiple IDS sensors (henceforth referred to as the "IDS"), or to other types of monitoring sensors such as network analyzers and forensic systems, for different kinds of examination, and balances this traffic over one or more IDS for maximum efficiency of resources. The scope of the evaluation includes three models, IDSB3531-CCV1.0, IDSB3532-CCV1.0, and IDSB4508-CCV1.0, which run on the ASIC-based platforms AS3531, AS3532, and TL4508, respectively. Each platform runs the same custom-developed proprietary software, and each platform was evaluated and tested. The platforms differ only in the number of ports they support.

The Top Layer IDS Balancer is a stateful inspection device. This means that the Balancer copies packets from the network, examines them, maintains a state table for traffic exchanges, and, as configured by the Administrator, either drops its copy of a packet or delivers the copy to the attached IDS for detailed analysis. The copied traffic is generated by computing systems (clients, servers) communicating with each other over the consumer's network. Communication is based on establishing a logical connection between cooperating systems, called a session. A session, based on a transport protocol such as TCP or UDP, consists of two unidirectional streams of related data packets passing between the systems, e.g., client to server and server to client. A single unidirectional stream of related data packets is called a flow.

The Top Layer IDS Balancer's main function utilizes a Top Layer technique known as flow mirroring. Flow Mirroring directs all copied packets for a flow to a specified IDS for inspection. Being a stateful inspection device, the Balancer ensures that copies of both flows of a session are sent or mirrored to the same IDS to provide full context.

To achieve this, a Top Layer IDS Balancer connects to one or more network segments and mirrors traffic from these segments to one or more IDSs. Multiple input ports, each connected at a different point on the network, may be organized into input groups that direct specific sources of traffic to specific monitor groups, that is, monitor ports organized into one or more groups. There are two types of input groups:

•  Port-based Input Groups: Aggregate traffic from multiple input ports. The Balancer mirrors this traffic based on administrator-defined relationships and destinations.

•  Address-based Input Groups: Aggregate traffic based on the source IP address of the traffic. The Balancer identifies traffic by its source IP address and mirrors it to administrator-defined destinations.

The Top Layer IDS Balancer balances incoming network traffic loads among the monitor ports in a given monitor group. This grouping feature allows the Balancer to separate network traffic for the delivery to different kinds of security devices, for example, network analyzers or forensic systems. Monitor groups also allow for the inspection of network traffic from certain input ports, from specific IP address ranges, or from a set of defined traffic types based on network protocol information (e.g., IP versus non-IP; TCP, UDP, or other IP protocol; and TCP or UDP Port).
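The session, flow-mirroring, input-group and monitor-group behaviour described above can be modelled in a few dozen lines. The following is an added example, not Top Layer's implementation or any code from the evaluated product: the group layout, the "first matching input group wins" rule, the traffic-type filter fields and the SHA-256-based port selection are all assumptions made for illustration. The point it demonstrates is the one the description stresses: a direction-independent session key, so that the client-to-server flow and the server-to-client flow (even when they arrive on different input ports) are mirrored to the same monitor port, while non-matching copies are dropped.

```python
"""Model of session-consistent flow mirroring across IDS monitor ports.

Constructed example. The group/filter layout and the hashing scheme are
assumptions for illustration, not the evaluated product's design.
"""
from dataclasses import dataclass
import hashlib
import ipaddress
from typing import Optional


@dataclass(frozen=True)
class Packet:
    input_port: int          # tap/mirror port the copy arrived on
    src_ip: Optional[str]    # None for non-IP traffic (e.g. ARP)
    dst_ip: Optional[str]
    proto: str               # "TCP", "UDP", "ICMP", "ARP", ...
    src_port: int = 0
    dst_port: int = 0


@dataclass(frozen=True)
class InputGroup:
    name: str
    ports: frozenset = frozenset()   # port-based: input ports aggregated
    networks: tuple = ()             # address-based: source IP ranges

    def matches(self, pkt: Packet) -> bool:
        if pkt.input_port in self.ports:
            return True
        if pkt.src_ip is not None:
            ip = ipaddress.ip_address(pkt.src_ip)
            return any(ip in ipaddress.ip_network(n) for n in self.networks)
        return False


@dataclass(frozen=True)
class MonitorGroup:
    name: str
    monitor_ports: tuple                 # output ports, one IDS sensor each
    ip_only: bool = True                 # IP versus non-IP
    protos: Optional[frozenset] = None   # None = any IP protocol
    ports: Optional[frozenset] = None    # None = any TCP/UDP port

    def accepts(self, pkt: Packet) -> bool:
        if self.ip_only and pkt.src_ip is None:
            return False
        if self.protos is not None and pkt.proto not in self.protos:
            return False
        if self.ports is not None:
            # Check both ends so replies (server port as source) match too.
            return pkt.src_port in self.ports or pkt.dst_port in self.ports
        return True


def session_key(pkt: Packet) -> tuple:
    """Direction-independent session identity: sort the two endpoints so
    client->server and server->client produce the same key."""
    ends = sorted([(pkt.src_ip or "", pkt.src_port),
                   (pkt.dst_ip or "", pkt.dst_port)])
    return (pkt.proto, ends[0], ends[1])


def pick_monitor_port(pkt: Packet, group: MonitorGroup) -> int:
    """Hash the symmetric session key onto the group's monitor ports."""
    digest = hashlib.sha256(repr(session_key(pkt)).encode()).digest()
    idx = int.from_bytes(digest[:8], "big") % len(group.monitor_ports)
    return group.monitor_ports[idx]


class Balancer:
    def __init__(self, input_groups, rules):
        self.input_groups = list(input_groups)
        self.rules = dict(rules)   # input group name -> ordered monitor groups

    def route(self, pkt: Packet):
        """Return (monitor group name, monitor port) for the packet copy,
        or None when no rule claims it and the copy is dropped."""
        for ig in self.input_groups:        # assumption: first match wins
            if ig.matches(pkt):
                for mg in self.rules.get(ig.name, []):
                    if mg.accepts(pkt):
                        return mg.name, pick_monitor_port(pkt, mg)
                return None
        return None


# Constructed configuration and traffic (not from the original page).
WEB_IDS = MonitorGroup("web_ids", (10, 11, 12),
                       protos=frozenset({"TCP"}), ports=frozenset({80, 443}))
DNS_IDS = MonitorGroup("dns_ids", (13,),
                       protos=frozenset({"UDP"}), ports=frozenset({53}))
FORENSICS = MonitorGroup("forensics", (14, 15))   # any IP traffic
BALANCER = Balancer(
    input_groups=[InputGroup("guest_net", networks=("172.16.0.0/12",)),
                  InputGroup("dmz_taps", ports=frozenset({1, 2}))],
    rules={"guest_net": [FORENSICS], "dmz_taps": [WEB_IDS, DNS_IDS]},
)

REQUEST = Packet(1, "10.0.0.5", "192.0.2.10", "TCP", 51000, 80)
REPLY = Packet(2, "192.0.2.10", "10.0.0.5", "TCP", 80, 51000)  # other tap
DNS = Packet(1, "10.0.0.5", "192.0.2.53", "UDP", 40000, 53)
GUEST = Packet(1, "172.16.4.9", "192.0.2.10", "TCP", 33000, 443)
ARP = Packet(1, None, None, "ARP")


def both_flows_same_sensor(a: Packet, b: Packet) -> bool:
    """True when both flows of a session reach the same monitor port."""
    return BALANCER.route(a) == BALANCER.route(b)


if __name__ == "__main__":
    for name, p in [("request", REQUEST), ("reply", REPLY), ("dns", DNS),
                    ("guest", GUEST), ("arp", ARP)]:
        print(f"{name:8} -> {BALANCER.route(p)}")
```

The reply packet is deliberately given a different input port from the request, which is what happens when the two directions of a session are tapped at different points on the network; the sorted endpoint pair in `session_key` is what keeps both copies on one sensor. The ARP copy is dropped because every monitor group reachable from its input group is IP-only, which is the administrator-configured "drop its copy" outcome.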

The Top Layer IDS Balancer provides the following security functions: Information Flow Control, Identification and Authentication, Security Audit, TOE Access, Security Management, and Protection of TOE Security Functions.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The TOE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 2.1. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. CygnaCom Solutions has determined that the product meets the security criteria in the Security Target, which specifies an assurance level of EAL 2. A validator, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in August 2004.

ENVIRONMENTAL STRENGTHS

The Top Layer IDS Balancer is a self-contained appliance consisting of a proprietary hardware platform and proprietary software. The IDS Balancer appliance is a passive device: it connects to networks through other devices, e.g. LAN switch mirror ports or network taps, so it is not directly part of the network segments it mirrors from. It also has no visible IP address and is therefore transparent to other network nodes and users. Because the IDS Balancer has no IP address, it cannot be targeted by network attacks that require the target to have an IP address; it does, however, still examine every copied packet it receives, so its network exposure is confined to that inspection path rather than removed. The Top Layer IDS Balancer's protected domain includes the preloaded software residing on the IDS Balancer's SanDisk. The Balancer's software is compiled and built as a single, monolithic entity that is then loaded onto the SanDisk. The Balancer provides no means of installing, uninstalling, or activating additional applications or components, such as libraries or individual files, below the level of decomposition of this single monolithic entity.

Vendor Information

Top Layer Networks
Michael Paquette
508.870.1300
mpaquette@toplayer.com

http://www.toplayer.com