Compliant Product - NitroSecurity Intrusion Prevention System v8.0.0
Certificate Date: 27 October 2009
Validation Report Number: CCEVS-VR-VID10312-2009
Product Type: IDS/IPS
Conformance Claim: EAL3 Augmented with ALC_FLR.2
CC Testing Lab: SAIC Common Criteria Testing Laboratory
The NitroSecurity Intrusion Prevention System version 8.0.0 TOE is an intrusion detection and prevention system that can detect network intrusion attempts and react by actively recording and/or blocking such attempts. The TOE can pass, drop, and log packets as they arrive, based on administrator-configurable rules. When the TOE is performing intrusion detection, it is said to be operating in an “IDS mode”. When the TOE is performing intrusion prevention, it is said to be operating in an “IPS mode”.
The TOE includes the software and three hardware appliance components called the NitroSecurity IPS (also called “NitroSecurity NitroGuard IPS”, “NitroGuard”, “NitroSecurity Intrusion Prevention System”, or “IPS”), the NitroSecurity ESM (also called “NitroSecurity NitroView ESM”, or “ESM”, or “Enterprise Security Manager”), and the NitroSecurity NitroView Receiver (also called “NitroView Receiver” or just “Receiver”). The evaluated configuration includes one or more ESM, one or more NitroGuards, and one or more Receivers.
The NitroSecurity IPS provides network intrusion detection and prevention services for an enterprise-type network. The NitroSecurity ESM provides web-based administrator console interfaces, accessible from a web browser in the IT Environment, that can be used to manage NitroSecurity IPS services and collected data. HTTPS is used to protect the connection between the web browser in the IT Environment and the ESM appliance. The ESM offers HTTP v1.0 and v1.1 over SSL v2.0 and v3.0 or TLS v1.0 to web browsers; it is up to the web browser to request a particular combination of HTTP and SSL/TLS versions. The Receiver collects network infrastructure events, end-station events, and network flow data from multiple vendor sources, including firewalls, VPNs, routers, IPS/IDS, NetFlow, sFlow and others. This provides data acquisition functions across multiple vendors’ devices, such as Cisco, Checkpoint and Juniper firewalls, NitroSecurity and McAfee IPS devices, and Cisco and Foundry routers. The NitroView Receiver analyzes the raw acquired data to categorize and normalize it, creates alerts, and inserts them into its alerts database.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the NitroSecurity TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, and the International Interpretations effective on April 21, 2008.
The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Rev 2. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 3 augmented with the ALC_FLR.2 assurance requirements. The product, when configured as specified in the installation and user guides, satisfies all of the security functional requirements stated in the NitroSecurity Intrusion Prevention System Security Target.
The NitroSecurity Intrusion Prevention System meets the assumptions, threats, organizational policies, security objectives and security functional requirements of the Intrusion Prevention System System Protection Profile, Version 1.7, July 25, 2007. The evaluation was completed in October 2009. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report for the NitroSecurity Intrusion Prevention System product prepared by CCEVS.
For this evaluation, the developer of the NitroSecurity Intrusion Prevention System has chosen to make a developer claim of compliance for the encryption implemented in non-FIPS mode. This means that there has been no independent verification (by either the evaluators or a third-party standards body, such as a FIPS laboratory) that the implementation of the cryptographic algorithms actually meets the claimed standards. Potential users of this product should confirm that the cryptographic capabilities are suitable to meet the user's requirements.
In FIPS mode, the NitroSecurity Intrusion Prevention System implements FIPS-certified cryptographic algorithms. The FIPS certificate number for the ESM component is 1103, the certificate number for the NitroGuard component is 1097, the certificate number for the NitroView Receiver component is 1104, and the certificate number for the Combo component is 1138.
The NitroSecurity Intrusion Prevention System TOE is a commercial intrusion prevention product that provides the following security functions:
Security audit - The NitroSecurity Intrusion Prevention System generates audit records when security-relevant events occur. Audit records are stored in an audit trail on the ESM component of the TOE, which physically protects them.
Identification and authentication - The NitroSecurity Intrusion Prevention System can only be accessed after a user successfully logs into the ESM using a username and password. Authentication services can be handled either internally (fixed passwords) or through a RADIUS (Remote Authentication Dial In User Service) authentication server in the IT environment.
Security management - The NitroSecurity Intrusion Prevention System provides a GUI to administer the NitroGuard and Receiver appliances. Administrator console interfaces are provided for managing functions related to system data collection, analysis and reaction, as well as audit data and users.
TSF protection - The NitroSecurity Intrusion Prevention System protects the security functions it provides through a variety of mechanisms. These mechanisms include requiring users to authenticate before any administrative operations can be performed, and encrypting data transferred between the ESM and the NitroGuard and Receiver appliances. The NitroSecurity Intrusion Prevention System can be configured to run in either FIPS mode or non-FIPS mode. In FIPS mode, the NitroSecurity Intrusion Prevention System tunnels all traffic between the ESM and the NitroGuard/Receiver through a FIPS-certified VPN tunnel, and encrypts communication between the Console, Receiver, and IPS appliances using a proprietary stackless control protocol. The encryption used in non-FIPS mode is vendor-asserted.
Intrusion detection - The NitroSecurity Intrusion Prevention System can detect different types of intrusion attempts by analyzing network traffic packets; the analysis performed depends on where the TOE is located within the network. The TOE supports installation at different points in the network architecture of the TOE environment by providing the ability to operate in different types of IDS and IPS/alerts-only modes.