Compliant Product - Sourcefire 3D System (Sourcefire Defense Center: models DC500, DC1000, and DC3000; and Sourcefire 3D Sensor with IPS: models 3D500, 3D1000, 3D2000, 3D2100, 3D2500, 3D3500, 3D3800, 3D4500, 3D5800, 3D6500, and 3D9800) Version 4.8
Certificate Date: 23 June 2010
Validation Report Number: CCEVS-VR-VID10334-2010
Product Type: IDS/IPS
Conformance Claim: EAL2
CC Testing Lab: CygnaCom Solutions, Inc
The Sourcefire 3D System is an Intrusion Detection and Prevention System that combines open-source and proprietary technology. The TOE is used to monitor incoming (and outgoing) network traffic, from either inside or outside a firewall. All packets on the monitored network are scanned, decoded, processed and compared against a set of rules to determine whether inappropriate traffic, such as system attacks, is being passed over the network. The system then notifies a designated TOE administrator of these attempts. The system generates these alerts when deviations of the expected network behavior are detected and when there is a match to a known attack pattern.
The Sourcefire 3D System Version 4.8 (SEU 259) TOE consists of the following components:
- The Sourcefire 3D Sensor licensed for IPS (3D Sensor with IPS)
- The Sourcefire Defense Center (Defense Center)
Each 3D Sensor with IPS uses rules, decoders, and preprocessors to look for the broad range of exploits that attackers have developed. Sourcefire 3D Sensors that are licensed to use IPS are packaged with a set of intrusion rules developed by the Sourcefire Vulnerability Research Team (VRT). Custom intrusion rules and policies can also be created for a customer’s operating environment.
Note: The evaluation team did not evaluate the Sourcefire-supplied rule sets that are bundled with the TOE for suitability to task, only that the tests included in the rule sets work correctly.
The Sourcefire 3D Sensor is based on an enhanced version of Snort, which is an open source IDS. Snort is used to read all the packets on the monitored network, and then analyze them against the rule set that has been created by the TOE administrators. The Sourcefire-modified Snort, version 2.8.3, is included in the TOE.
When a 3D Sensor with IPS identifies a possible intrusion, it generates an intrusion event, which is a record of the date, time, the type of exploit, and contextual information about the source of the attack and its target. For packet-based events, a copy of the packet or packets that triggered the event is also recorded.
3D Sensors with IPS can be deployed either inline, where "live" traffic passes through the appliance, or passively, where traffic is only monitored. When deployed inline, the IPS can block malicious code and attacks in real time, so the 3D Sensor with IPS acts as an intrusion prevention device.
The Sourcefire Defense Center provides a centralized management interface for the Sourcefire 3D System. The Defense Center provides the administrative functionality through a web-based GUI (WebUI). The Defense Center is used to manage the full range of sensors that are a part of the Sourcefire 3D System, and to aggregate, analyze, and respond to the threats they detect on the monitored network. The Sourcefire 3D System has the capability of using an external LDAP or RADIUS server for user authentication in a configuration that uses a Defense Center.
Some models of the 3D Sensor with IPS provide a local web interface (WebUI) to create intrusion policies and review the resulting intrusion events and therefore can be run stand-alone, without using a Defense Center for management.
The Sourcefire 3D System is able to audit the use of the administration/management functions. This function records attempts to access the system itself, such as successful and failed authentication, as well as the actions taken by TOE users once they are authenticated.
Sourcefire markets an integrated Enterprise Threat Management (ETM) solution. To provide the entire ETM solution, the Sourcefire 3D System integrates four core products: Sourcefire IPS, Sourcefire RNA, Sourcefire RUA, and the Sourcefire Defense Center. Sourcefire offers these products as individual components or as a system to meet a variety of IT security needs and budgets. Each product is sold separately and requires a separate license to run. This evaluation includes two of the four core products: Sourcefire IPS (the Sourcefire 3D Sensor licensed for IPS) and the Sourcefire Defense Center.
The evaluated configuration consists of the Sourcefire 3D Sensor licensed for IPS and the Sourcefire Defense Center appliances installed with the Sourcefire 3D System Version 4.8 (SEU 259) software, a Linux-derived operating system, a MySQL database, and supporting third-party software as commercially available from the developer.
Testing included configurations that:
- Tested the 3D Sensor with IPS for each category of appliance.
- Tested a stand-alone 3D Sensor with IPS configuration.
- Tested one or more 3D Sensors with IPS managed by a single Defense Center.
- Tested both inline and passive deployments of the 3D Sensors with IPS.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The TOE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 R2.
The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 R2.
CygnaCom Solutions has determined that the product meets the security criteria in the Security Target, which specifies an assurance level of Evaluation Assurance Level (EAL) 2 augmented with ALC_FLR.2.
A team of validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in May 2010.
The following security functions are in the scope of the evaluation:
- Security Audit Functions
The TOE is able to audit the use of the administration/management functions of the IDS. This audit is separate from the IDS functionality (recording network traffic), and relates specifically to the management functions of the TOE. Only users with the Administrator Role have access to the audit records and can view and sort the audit records. Suppression lists may be configured during installation and maintenance to limit the events recorded.
When the available audit storage is exhausted, the TOE automatically overwrites the oldest audit events. This ensures that the availability of the most recent audit events is limited only by the size of the audit trail. It is the responsibility of the administrator to perform periodic backups of the audit records (via the WebUI backup function) to prevent loss of data.
- Identification and Authentication Functions
The TOE requires all users to provide unique identification and authentication data before any access to the system is granted. User identification and authentication is done by the TSF through username/password authentication or, optionally, through an external authentication server (LDAP or RADIUS) for configurations that include a Defense Center.
All authorized TOE users must have a user account with security attributes that control the user's access to TSF data and management functions. These security attributes include user name, password, and level(s) of authorization (roles) for TOE users. The user account also contains a password strength check attribute. If selected, the user's password must be at least eight alphanumeric characters of mixed case and must include at least one numeric character. It cannot be a word that appears in a dictionary or include consecutive repeating characters. The strength check applies only to user authentication done by the TOE for access to the management GUI; it does not apply to user authentications done by an external LDAP or RADIUS server.
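The strength check described above, implemented as an added example (this is not the product's code and the report does not describe how the TOE implements the check). The dictionary is a constructed stub; whether a dictionary word padded with digits, such as "Welcome1", counts as a dictionary word is this example's interpretation, not something the report states.

```python
import re

# Constructed stand-in for the dictionary the TOE consults (assumption: the product's
# own word list is not described in the report; a deployment would load a real one).
DICTIONARY = {"password", "sourcefire", "welcome", "monkey", "letmein", "qwerty"}


def password_policy_violations(pw):
    """Return the rules of the strength check that the candidate password violates.

    The rules follow the check as described for the TOE: at least eight alphanumeric
    characters, mixed case, at least one digit, no consecutive repeating characters,
    and not a dictionary word. Treating a dictionary word padded with digits as a
    dictionary word is this example's interpretation.
    """
    violations = []
    if len(pw) < 8:
        violations.append("shorter than 8 characters")
    if not re.fullmatch(r"[A-Za-z0-9]+", pw):          # ASCII letters and digits only
        violations.append("contains non-alphanumeric characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        violations.append("not mixed case")
    if not any(c.isdigit() for c in pw):
        violations.append("no numeric character")
    if re.search(r"(.)\1", pw):                         # same character twice in a row
        violations.append("consecutive repeating characters")
    if re.sub(r"\d", "", pw.lower()) in DICTIONARY:    # compare case-insensitively, digits stripped
        violations.append("dictionary word")
    return violations


def password_acceptable(pw):
    """True when the candidate passes every rule of the strength check."""
    return not password_policy_violations(pw)
```

Returning the list of failed rules rather than a bare boolean lets the WebUI-style caller tell the user which rule was violated without leaking anything beyond the policy itself.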
- Security Management Functions
The TOE provides a web-based management interface for all run-time TOE administration, including the IDS rule sets, user accounts and roles, and audit functions. The ability to manage various security attributes, system parameters and all TSF data is controlled and limited to those users who have been assigned the appropriate administrative role. The TOE also provides a command line interface used for creating or modifying Audit Suppression Lists.
- Protection of Security Functions
The TOE ensures that data transmitted between separate parts of the TOE is protected from disclosure or modification. This protection is provided by transmitting data between the TOE components over a secure, SSL-encrypted TCP tunnel.
Note: The cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor.
- TOE Access Functions
The TOE enhances the functionality of user session establishment by displaying a warning banner upon user login and by displaying information about a user’s last TOE session after a successful login.
- System Data Collection Functions
The TOE has the ability to set rules to govern the collection of data regarding potential intrusions. Each 3D Sensor with IPS uses rules, decoders, and preprocessors to look for the broad range of exploits that attackers have developed. While the TOE contains default intrusion rules to detect currently known attacks and exploits, new rules can be created to detect attacks most likely to occur in a given environment. This allows the TOE administrators control over the types of traffic that will be monitored. The 3D Sensors with IPS run decoders and preprocessors against detected network traffic to normalize traffic and detect malicious packets.
- System Data Analysis Functions
To analyze the network data collected, the TOE uses signatures, decoders and preprocessors.
Signatures are patterns of traffic that can be used to detect attacks or exploits. Since many attacks or exploits require several network connections to work, the TOE also provides the ability to detect these more complex patterns through decoders and preprocessors that are included in the TOE. Rules are used to embody signatures, decoders and preprocessors in the TOE. The TOE is packaged with default signatures for known exploits, and the TOE administrators can add new signatures at any time. Signature data on the Sourcefire and public Snort websites can be used by the TOE administrators to manually update and create rules and policies. The WebUI provides a graphical rule editor that allows the creation and modification of signatures through the use of standard GUI controls (check boxes, drop-down lists, and so on).
Signatures are used for stateless detection, that is, intrusion attempts that can be detected from individual packets. Signatures cannot be used to detect intrusions that span multiple packets, such as a Denial of Service attack. To detect these types of events, the TOE uses various decoders and preprocessors for stateful inspection, which allows these multi-packet intrusions to be detected. Decoders and preprocessors also provide detection of malformed packets.
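The split between stateless signatures and stateful preprocessors described above (and the Snort rule format the sensor is built on, introduced earlier in the report) is easiest to see side by side in code. The following is an added example, not code from the product or from Snort: a minimal parser for Snort-2-style rules that matches each packet on its own, next to a preprocessor-style SYN-burst detector that has to remember earlier packets. The packets, the rule, the rule SID and the thresholds are all constructed for the example; the rule parser understands only the `msg`, `content`, `nocase` and `sid` options.

```python
import ipaddress
import re
from collections import defaultdict, deque, namedtuple

# Decoded packet, a constructed stand-in for the sensor decoder's output. ts is capture
# time in seconds; flags are TCP flags as letters ("S" = SYN, "PA" = PSH/ACK).
Packet = namedtuple("Packet", "ts proto src sport dst dport flags payload", defaults=("", b""))

# Snort-2-style rule: action proto src sport -> dst dport (option; option; ...)
HEADER_RE = re.compile(r"^(\w+)\s+(\w+)\s+(\S+)\s+(\S+)\s+->\s+(\S+)\s+(\S+)\s*\((.*)\)\s*$")

def _addr_ok(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec, strict=False)

def _port_ok(spec, port):
    if spec == "any":
        return True
    if ":" in spec:                                   # Snort range lo:hi, either end optional
        lo, hi = spec.split(":")
        return (int(lo) if lo else 0) <= port <= (int(hi) if hi else 65535)
    return port == int(spec)

class Rule:
    """Stateless signature. Only msg/content/nocase/sid are understood; ';' inside a quoted
    content and |hex| escapes are not handled (simplifications of real Snort)."""

    def __init__(self, text):
        m = HEADER_RE.match(text.strip())
        if not m:
            raise ValueError("unparseable rule: " + text)
        self.action, self.proto, self.src, self.sport, self.dst, self.dport, opts = m.groups()
        self.msg, self.sid, self.contents = "", None, []   # contents: [pattern, nocase]
        for opt in filter(None, (o.strip() for o in opts.split(";"))):
            key, _, val = opt.partition(":")
            val = val.strip().strip('"')
            if key == "msg":
                self.msg = val
            elif key == "sid":
                self.sid = int(val)
            elif key == "content":
                self.contents.append([val.encode(), False])
            elif key == "nocase" and self.contents:       # modifies the preceding content
                self.contents[-1][1] = True

    def matches(self, pkt):
        """Decided on this packet alone: no state is carried between packets."""
        if self.proto != pkt.proto or not (_addr_ok(self.src, pkt.src) and _port_ok(self.sport, pkt.sport)
                                           and _addr_ok(self.dst, pkt.dst) and _port_ok(self.dport, pkt.dport)):
            return False
        for pattern, nocase in self.contents:
            hay, needle = (pkt.payload.lower(), pattern.lower()) if nocase else (pkt.payload, pattern)
            if needle not in hay:
                return False
        return True

class SynFloodDetector:
    """Preprocessor-style stateful check: a burst of bare TCP SYNs at one host inside a sliding
    window. No single packet is malicious, so no content signature can express this."""

    def __init__(self, threshold=5, window=1.0):
        self.threshold, self.window = threshold, window
        self.syns = defaultdict(deque)                    # dst IP -> recent SYN timestamps

    def observe(self, pkt):
        if pkt.proto != "tcp" or "S" not in pkt.flags or "A" in pkt.flags:
            return None
        q = self.syns[pkt.dst]
        q.append(pkt.ts)
        while q and pkt.ts - q[0] > self.window:          # drop SYNs older than the window
            q.popleft()
        if len(q) >= self.threshold:
            return "possible SYN flood against %s: %d SYNs in %.1fs" % (pkt.dst, len(q), self.window)
        return None

def run_sensor(rules, detectors, packets):
    """Run every packet through the signatures and the stateful detectors; return the events."""
    events = []
    for pkt in packets:
        events += [(r.sid, r.msg) for r in rules if r.matches(pkt)]
        events += [("preproc", e) for e in (d.observe(pkt) for d in detectors) if e]
    return events

# Hypothetical local rule (sid 1000000 and above is the range Snort reserves for local rules).
WEB_RULE = ('alert tcp any any -> 192.168.1.0/24 80 (msg:"WEB-ATTACK cmd.exe access"; '
            'content:"cmd.exe"; nocase; sid:1000001; rev:1;)')

# Constructed traffic: a traversal request at a monitored host, the same request at an
# unmonitored network (must not fire), then six SYNs in half a second at the monitored host.
REQUEST = b"GET /scripts/..%c1%1c../winnt/system32/CMD.EXE?/c+dir HTTP/1.0\r\n"
SAMPLE_TRAFFIC = [
    Packet(0.0, "tcp", "203.0.113.7", 40001, "192.168.1.10", 80, "PA", REQUEST),
    Packet(0.1, "tcp", "203.0.113.7", 40002, "10.0.0.5", 80, "PA", REQUEST),
] + [Packet(1.0 + 0.1 * i, "tcp", "198.51.100.%d" % (i + 1), 50000 + i, "192.168.1.10", 80, "S")
     for i in range(6)]

def demo_events():
    return run_sensor([Rule(WEB_RULE)], [SynFloodDetector(threshold=5, window=1.0)], SAMPLE_TRAFFIC)
```

Running `demo_events()` yields one signature event for the first request (the `nocase` modifier is what lets `cmd.exe` match `CMD.EXE`), nothing for the identical request to the unmonitored network, and preprocessor events from the fifth SYN onward. The SYN packets carry no payload at all, which is exactly why the content rule is silent on them and a stateful check is needed.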
When a decoder, a preprocessor or statistical analysis identifies anomalous behavior, or when signature matches are found, they can either be logged for later use or set to trigger an alarm and immediately notify a specific person of critical events via email alerts. The TOE can also be configured to enable logging to syslog facilities or send event data to an SNMP Trap Server.
- System Data Review, Availability and Loss Functions
IDS event logs can only be viewed by authorized TOE users. The data gathered is interpreted into a readable format for the authorized administrators and can then be viewed through the web-based management interfaces. The Defense Center WebUI allows the authorized administrators to view and interpret the aggregation of the collected and analyzed data from multiple 3D Sensors with IPS. The TOE protects the gathered system (event) data logs from unauthorized modification or deletion by presenting only the web-based interface to all users. No users are allowed to edit the logs; they are marked for read-only access, preventing user modification.
The data stores of the raw collection data are constantly monitored and if they become too full, new records will replace the oldest records to prevent active/current data loss. It is the responsibility of the administrator to perform periodic backups of the event logs (via the WebUI backup function) to prevent loss of data.