Validated Product - McAfee Host Intrusion Prevention 8 and ePolicy Orchestrator 4.5

Certificate Date: 18 November 2011

Validation Report Number: CCEVS-VR-VID10377-2011

Product Type: IDS/IPS

Conformance Claim: EAL2 Augmented with ALC_FLR.2

PP Identifier: U.S. Government Protection Profile Intrusion Detection System - System for Basic Robustness Environments, Version 1.7, dated July 25, 2007

CC Testing Lab: COACT Inc. CAFE Laboratory


PRODUCT DESCRIPTION

The TOE is a host-based intrusion prevention system designed to protect system resources and applications, and includes a host-based management system that provides management and monitoring functionality. HIP works by intercepting system calls prior to their execution and network traffic prior to its processing. If the HIP Agent determines that a call or packet is symptomatic of malicious code, the call or packet can be blocked and/or an audit log record created; if it determines that a call or packet is safe, it is allowed.

The McAfee Agent and HIP software are installed on the host to be protected. HIP software is operating-system specific; only the Windows version is included in this evaluation.

ePO distributes and manages agents that reside on client systems. A centralized but distributed architecture allows the HIP software to be centrally managed while decreasing the network traffic required to manage clients. ePO provides the management interface and functionality for the administrators of the TOE. It also provides centralized audit collection and review functionality.

Based upon per-user permissions, users may configure the policies to be enforced on individual systems (executing the HIP software).

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that McAfee Host Intrusion Prevention 8 and ePolicy Orchestrator 4.5 meets the security requirements contained in the Security Target.

The criteria against which McAfee Host Intrusion Prevention 8 and ePolicy Orchestrator 4.5 was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1. The COACT, Inc. CAFE Lab determined that the evaluation assurance level (EAL) for McAfee Host Intrusion Prevention 8 and ePolicy Orchestrator 4.5 is EAL 2. The TOE, configured as specified in the installation guide, satisfies all of the security functional requirements stated in the Security Target.

A Validation team on behalf of the CCEVS Validation Body monitored the evaluation carried out by the COACT, Inc. CAFE Lab. The evaluation was completed in August 2011. Results of the evaluation and associated validation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report.

ENVIRONMENTAL STRENGTHS

The TOE’s Security Functions are:

Audit: The TOE generates audit records upon detection of a potential security violation or system configuration events. The audit records can be viewed by an authorized user. The TOE audit functionality includes the ability to configure which auditable events generate audit records.

Identification and Authentication: The TOE requires administrative users to identify and authenticate themselves before accessing the TOE software or before viewing any TSF data or configuring any portion of the TOE. No action can be initiated before proper identification and authentication. Each TOE user has security attributes associated with their user account that define the functionality the user is allowed to perform.

Management: The TOE's Management Security Function provides administrator functionality that enables a human user to configure and manage TOE components. Configuration functionality includes enabling a user to modify TSF Data. Management functionality includes invocation of TOE functions that affect security functions and security function behavior.

System Protection: The Agents are host-based intrusion prevention systems designed to protect system resources and applications from attacks. The Agents accomplish this by intercepting operating system calls and comparing them to signatures symptomatic of known attacks and to behavioral rules. The Agents also inspect network traffic by comparing packets to signatures symptomatic of known attacks. If a potential security violation is detected, the system call or network traffic may be allowed to proceed or be blocked. An audit event may also be generated.


Vendor Information

McAfee, Inc.
James Reardon
651-628-5346
james_reardon@mcafee.com

http://www.mcafee.com