Validated Product: LogLogic v4.6.1 Open Log Management Platform
Certificate Date: 09 July 2009
Validation Report Number: CCEVS-VR-VID10333-2009
Product Type: IDS/IPS
Conformance Claim: EAL2 Augmented with ALC_FLR.2
PP Identifier: U.S. Government Protection Profile Intrusion Detection System - Analyzer for Basic Robustness Environments, Version 1.3
CC Testing Lab: Arca CCTL
PRODUCT DESCRIPTION
The TOE is the LogLogic v4.6.1 Open Log Management Platform on the LX and ST families of appliances. The TOE is compliant with the Intrusion Detection System (IDS) Analyzer protection profile and provides administrative alerts, flexible reporting, searching on the analyzed data, and long-term storage of unaltered event logs. Log data is collected by the TOE from networked third-party sources such as firewalls, VPN concentrators, servers, routers and switches, storage devices, and applications (commercial and custom developed). When administrator-defined alerts are triggered, the TOE sends alert notifications to the administrative interface or to other servers via SNMP, SMTP or syslog. The Analyzer data is stored in a database for viewing, searching, and reporting, and in raw unaltered form on the file system for searching and long-term storage. The LogLogic v4.6.1 TOE is composed of two families of physically distinct components. The LX series of appliances normalizes event log data, stores it in a database, and provides analysis, alerting, and reporting through metalog creation. The LX appliance provides searching and flexible reporting via built-in customizable report templates. The ST series of appliances archives unaltered logs for long-term retention. The LX and ST appliances communicate with each other over an encrypted and mutually authenticated TCP tunnel, providing for the secure transfer of logs for archiving. Adding appliances scales the solution as the monitored network and log data volume grow.
The full list of excluded functionality is provided in the Security Target as well as in the Validation Report.
EVALUATED CONFIGURATION
The following conditions must be met for the TOE to be deployed in the evaluated configuration:
SECURITY EVALUATION SUMMARY
The evaluation of the LogLogic v4.6.1 Open Log Management Platform was performed by the Arca Common Criteria Testing Laboratory (CCTL) in the United States and was completed during May 2009. The evaluation team determined the product conforms to Common Criteria Version 3.1 Revision 2, Part 2 extended and Part 3 conformant, and meets the requirements for Evaluation Assurance Level (EAL) 2 augmented with ALC_FLR.2. For this evaluation, it was appropriate for the Security Target to claim compliance with the external standards for RSA, AES, TDES, and Blowfish for the definition of the encryption algorithms. There are many ways of determining compliance with a standard. LogLogic v4.6.1 Open Log Management Platform has chosen to make a developer claim of compliance. This means that there has been no independent verification (by either the evaluators or a third-party standards body, such as a FIPS laboratory) that the implementation of the cryptographic algorithms actually meets the claimed standards. Potential users of this product should confirm that the cryptographic capabilities are suitable to meet the user's requirements.
ENVIRONMENTAL STRENGTHS
The LogLogic v4.6.1 Open Log Management Platform is a commercial product that analyzes event logs for network anomalies or security policy breaches and provides Traffic Flow Control (for network traffic sent to the appliances; traffic does not pass through the appliances), Secure Communications (secure communication channels for remote administration and inter-appliance communication), and High Availability functions, as well as the more standard functions of Auditing, Identification and Authentication, Security Management, and Self-Protection. To securely provide these functions, the deployed LogLogic appliances must be appropriately protected from physical attacks.