Compliant Product - Sourcefire 3D System (Sourcefire Defense Center: models DC500, DC1000, and DC3000; Sourcefire 3D Sensor licensed for IPS: models 3D500, 3D1000, 3D2000, 3D2100, 3D2500, 3D3500, 3D4500, 3D6500 and 3D9900; Sourcefire Virtual Defense Center, Sourcefire Virtual 3D Sensor licensed for IPS) Version 184.108.40.206 (SEU 371)
Certificate Date: 06 April 2011
Validation Report Number: CCEVS-VR-VID10406-2011
Product Type: IDS/IPS
Conformance Claim: EAL2 Augmented with ALC_FLR.2
CC Testing Lab: CygnaCom Solutions, Inc
The Sourcefire 3D System is an Intrusion Detection and Prevention System that combines open-source and proprietary technology. The TOE is used to monitor incoming (and outgoing) network traffic, from either inside or outside a firewall. All packets on the monitored network are scanned, decoded, processed and compared against a set of rules to determine whether inappropriate traffic, such as system attacks, is being passed over the network. The system then notifies a designated TOE administrator of these attempts. The system generates these alerts when deviations from expected network behavior are detected and when there is a match to a known attack pattern.
The Sourcefire 3D System Version 220.127.116.11 (SEU 371) TOE consists of the following components:
- The Sourcefire 3D Sensor licensed for IPS (3D Sensor with IPS) (appliance and software)
- The Sourcefire Defense Center (Defense Center) (appliance and software)
- The Sourcefire Virtual Defense Center (software-only).
- The Sourcefire Virtual 3D Sensor licensed for IPS (software-only).
Each 3D Sensor with IPS (virtual and appliance-based) uses rules, decoders, and preprocessors to look for a broad range of exploits that attackers have developed. Sourcefire 3D Sensors that are licensed to use IPS are packaged with a set of intrusion rules developed by the Sourcefire Vulnerability Research Team (VRT). Custom intrusion rules and policies can also be created for a customer's operating environment.
Note: The evaluation team did not evaluate the Sourcefire-supplied rule sets bundled with the TOE for suitability to task; it verified only that the tests included in the rule sets work correctly.
The Sourcefire 3D Sensor is based on an enhanced version of Snort, which is an open source IDS. Snort is used to read all the packets on the monitored network, and then analyze them against the rule set that has been created by the TOE administrators. The Sourcefire-modified Snort, version 2.8.6-43, is included in the TOE.
When a 3D Sensor with IPS identifies a possible intrusion, it generates an intrusion event, which is a record of the date, time, the type of exploit, and contextual information about the source of the attack and its target. For packet-based events, a copy of the packet or packets that triggered the event is also recorded.
3D Sensors with IPS can be deployed either inline, where "live" traffic passes through the appliance, or passively, in which case traffic is being only monitored. When used inline, IPS can block malicious code and attacks in real-time so that the 3D Sensor with IPS is used as an intrusion prevention device.
The appliance-based models of the 3D Sensor with IPS provide a local web interface (WebUI) to create intrusion policies and review the resulting intrusion events and therefore can be run stand-alone, without using a Defense Center for management.
The Sourcefire Virtual 3D Sensor licensed for IPS is a software-only version of the Sourcefire 3D Sensor licensed for IPS that runs within a VMware virtual environment. The Virtual 3D Sensor with IPS runs on any platform that supports VMware’s ESX/ESXi Version 3.5 or 4.0 hypervisor. There is no embedded graphical user interface (WebUI) on the Virtual 3D Sensor with IPS. It must be managed with a Defense Center (appliance-based or virtual).
The Sourcefire Defense Center provides a centralized management interface for the Sourcefire 3D System. The Defense Center provides the administrative functionality through a web-based GUI (WebUI). The Defense Center is used to manage the full range of sensors (virtual and appliance-based) that are a part of the Sourcefire 3D System, and to aggregate, analyze, and respond to the threats they detect on the monitored network. The Sourcefire 3D System has the capability of using an external LDAP or RADIUS server for user authentication in a configuration that uses a Defense Center.
The Sourcefire Virtual Defense Center is a software-only version of the Sourcefire Defense Center that runs within a VMware virtual environment. The Virtual Defense Center runs on any platform that supports VMware’s ESX/ESXi Version 3.5 or 4.0 hypervisor. A Virtual Defense Center can manage both physical and virtual sensors.
The Sourcefire 3D System is able to audit the use of the administration/management functions. This function records attempts to access the system itself, such as successful and failed authentication, as well as the actions taken by TOE users once they are authenticated.
Sourcefire markets an integrated Enterprise Threat Management (ETM) solution. To provide the entire ETM solution, the Sourcefire 3D System integrates four core products: Sourcefire IPS, Sourcefire RNA, Sourcefire RUA, and the Sourcefire Defense Center. Sourcefire offers these products as individual components or as a system to meet a variety of IT security needs and budgets. Each product is sold separately and requires a separate license to run. This evaluation includes two of the four core products: Sourcefire IPS (the Sourcefire 3D Sensor licensed for IPS and the Sourcefire Virtual 3D Sensor licensed for IPS) and the Sourcefire Defense Center (the appliance-based Sourcefire Defense Center and the Sourcefire Virtual Defense Center).
The evaluated configuration consists of the following:
- The Sourcefire 3D Sensor, Version 18.104.22.168 (SEU 371), licensed to use the Sourcefire Intrusion Prevention System (IPS)
- The Sourcefire Defense Center, Version 22.214.171.124 (SEU 371)
- The Sourcefire Virtual 3D Sensor, Version 126.96.36.199 (SEU 371), licensed to use the Sourcefire Intrusion Prevention System (IPS)
- The Sourcefire Virtual Defense Center, Version 188.8.131.52 (SEU 371)
Testing included configurations that:
- Tested the 3D Sensor with IPS for each category of appliance: SFLinux v4.9 and SFLinux v4.9 (64-bit).
- Tested a stand-alone 3D Sensor with IPS configuration.
- Tested one or more 3D Sensors with IPS and one or more Virtual 3D Sensors with IPS managed by a single Defense Center or Virtual Defense Center.
- Tested both inline and passive deployments of the 3D Sensors with IPS.
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The TOE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 R3.
The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 R2.
CygnaCom Solutions has determined that the product meets the security criteria in the Security Target, which specifies an assurance level of Evaluation Assurance Level (EAL) 2 augmented with ALC_FLR.2.
A team of validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in March 2011.
The following security functions are in the scope of the evaluation:
- Security Audit Functions
The TOE is able to audit the use of the administration/management functions of the IDS. This audit is separate from the IDS functionality (recording network traffic), and relates specifically to the management functions of the TOE. Only users with the Administrator Role have access to the audit records and can view and sort the audit records. Suppression lists may be configured during installation and maintenance to limit the events recorded.
When the available audit storage is exhausted, the TOE automatically overwrites the oldest audit events. This ensures that the availability of the most recent audit events is limited only by the size of the audit trail. It is the responsibility of the administrator to perform periodic backups of the audit records (via the WebUI backup function) to prevent loss of data.
- Identification and Authentication Functions
The TOE requires all users to provide unique identification and authentication data before any access to the system is granted. User identification and authentication is done by the TSF through username/password authentication or, optionally, through an external authentication server (LDAP or RADIUS) for configurations that include a Defense Center.
All authorized TOE users must have a user account with security attributes that control the user's access to TSF data and management functions. These security attributes include user name, password, and level(s) of authorization (roles) for TOE users. The user account also contains a password strength check attribute. If selected, the user's password must be at least eight alphanumeric characters of mixed case and must include at least one numeric character. It cannot be a word that appears in a dictionary or include consecutive repeating characters. The strength check applies only to user authentication done by the TOE for access to the management GUI; it does not apply to user authentications done by an external LDAP or RADIUS server.
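The strength-check rules above are concrete enough to implement. The following is an added example written for this page, not code from the product or from the evaluation: it applies each stated rule and returns the list of violations. Two points the report leaves open are handled as labelled assumptions: symbols are tolerated but do not count toward the eight-character minimum, and the dictionary comparison is case-insensitive and ignores digits, so "Password1" is still treated as the dictionary word "password". The word list is a constructed stand-in; the report does not say which list the TOE consults.

```python
# Constructed stand-in for the system word list the dictionary check consults
# (the report does not say which list the TOE uses).
DICTIONARY = {"password", "welcome", "sourcefire", "admin", "letmein", "qwerty"}


def check_password_strength(password, dictionary=DICTIONARY):
    """Return the list of policy violations; an empty list means accepted.

    Rules, as the report states them: at least eight alphanumeric characters,
    mixed case, at least one numeric character, not a dictionary word, and no
    consecutive repeating characters.
    """
    problems = []

    # Assumption: symbols are allowed but only alphanumerics count toward the
    # eight-character minimum.
    alnum = [c for c in password if c.isalnum()]
    if len(alnum) < 8:
        problems.append("fewer than 8 alphanumeric characters")

    has_lower = any(c.islower() for c in password)
    has_upper = any(c.isupper() for c in password)
    if not (has_lower and has_upper):
        problems.append("not mixed case")

    if not any(c.isdigit() for c in password):
        problems.append("no numeric character")

    # Assumption: the dictionary comparison is case-insensitive and ignores
    # digits, so appending a digit to a dictionary word does not evade it.
    letters_only = "".join(c for c in password.lower() if c.isalpha())
    if letters_only in dictionary:
        problems.append("dictionary word")

    # Any character immediately followed by the same character fails the
    # "no consecutive repeating characters" rule ("ss" in "Password").
    if any(a == b for a, b in zip(password, password[1:])):
        problems.append("consecutive repeating characters")

    return problems


if __name__ == "__main__":
    for candidate in ("Tr0ubadour", "Password1", "welcome2", "Ab1"):
        verdict = check_password_strength(candidate) or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Note that the check is only meaningful for accounts the TOE authenticates itself; as the report says, passwords verified by an external LDAP or RADIUS server are governed by that server's policy, so the same rules have to be enforced there separately.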
- Security Management Functions
The TOE provides a web-based (using HTTPS) management interface for all run-time TOE administration, including the IDS rule sets, user accounts and roles, and audit functions. The ability to manage various security attributes, system parameters and all TSF data is controlled and limited to those users who have been assigned the appropriate administrative role.
The TOE also provides a command line interface, the use of which must be restricted. This interface is used for Security Management only when creating or modifying Audit Suppression Lists.
- Protection of Security Functions
The TOE ensures that data transmitted between separate parts of the TOE are protected from disclosure or modification. This protection is ensured by transmission of data between the TOE Components over a secure, SSL-encrypted TCP tunnel.
Note: The cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor.
- TOE Access Functions
The TOE enhances the functionality of user session establishment by displaying a warning banner upon user login and by displaying information about a user’s last TOE session after a successful login.
- System Data Collection Functions
The TOE has the ability to set rules to govern the collection of data regarding potential intrusions. While the TOE contains default rules to detect currently known vulnerabilities and exploits, new rules can be created to detect new vulnerabilities as well as specific network traffic, allowing the TOE administrators complete control over the types of traffic that will be monitored.
- System Data Analysis Functions
To analyze the data collected by the 3D Sensors with IPS and Virtual 3D Sensors with IPS, the TOE uses statistical analysis, signatures, decoders, and preprocessors. Statistical analysis uses rate-based attack prevention features to detect and block denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks. Signatures are patterns of traffic that can be used to detect potential attacks or exploits. Since many attacks or exploits require several network connections to work, the IDS also provides the ability to detect these more complex patterns through decoders and preprocessors that are included in the TOE. The TOE embodies statistical analysis, signatures, decoders, and preprocessors in rules that can be designed and exercised by the TOE.
The TOE administrators can manage the data analysis capabilities of the TOE by adding and editing rules to respond to the latest exploits. In addition, based upon results of analysis, the TOE administrators can trigger alarms for the notification of a problem.
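To make the two analysis techniques above concrete, here is an added example written for this page; it is not code from Snort, from the Sourcefire 3D System, or from the evaluation. It runs a pair of signature rules (simple content matches, in the spirit of a Snort rule's content option) and a rate-based threshold over constructed packet records, and emits intrusion events shaped as the report describes them: time, event type, source, target, and a copy of the triggering packet. The inline/passive distinction from the deployment section is modelled as the event's action ('drop' versus 'alert'). The rule SIDs, messages, threshold values and sample traffic are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Packet:
    ts: float       # capture time in seconds
    src: str
    dst: str
    dport: int
    payload: bytes


# Signature rules written for this example (not rules from the VRT set the
# report describes): each fires when a payload to the given port contains the
# byte pattern, like a Snort content match.
RULES = [
    {"sid": 1000001, "msg": "EXAMPLE directory traversal in HTTP request",
     "dport": 80, "content": b"../../"},
    {"sid": 1000002, "msg": "EXAMPLE shell path in HTTP request",
     "dport": 80, "content": b"/bin/sh"},
]

# Rate-based check (assumed threshold values): more than RATE_LIMIT packets
# from one source to one destination inside RATE_WINDOW seconds is reported
# once, per source/destination pair, as a possible flood.
RATE_LIMIT = 5
RATE_WINDOW = 1.0


def analyze(packets, inline=False, rules=RULES,
            rate_limit=RATE_LIMIT, window=RATE_WINDOW):
    """Return intrusion events for the packets.

    Each event records the time, the event type, source and target, the
    packet that triggered it, and the action taken: 'drop' when the sensor
    is deployed inline, 'alert' when it is passive.
    """
    action = "drop" if inline else "alert"
    events = []
    recent = defaultdict(deque)   # (src, dst) -> timestamps inside the window
    flooding = set()              # pairs already reported for rate abuse

    def record(p, etype, sid=None):
        events.append({"ts": p.ts, "type": etype, "sid": sid, "src": p.src,
                       "dst": p.dst, "packet": p, "action": action})

    for p in packets:
        # Signature analysis: every matching rule produces its own event.
        for r in rules:
            if p.dport == r["dport"] and r["content"] in p.payload:
                record(p, r["msg"], r["sid"])

        # Statistical (rate-based) analysis over a sliding time window.
        key = (p.src, p.dst)
        q = recent[key]
        q.append(p.ts)
        while q and p.ts - q[0] > window:
            q.popleft()
        if len(q) > rate_limit and key not in flooding:
            flooding.add(key)
            record(p, "EXAMPLE rate-based: possible DoS flood")

    return events


# Constructed sample traffic: one benign request, one traversal attempt, and a
# burst of six packets from a single host inside a quarter of a second.
SAMPLE = [
    Packet(0.00, "10.0.0.5", "10.0.0.20", 80, b"GET /index.html HTTP/1.1\r\n"),
    Packet(0.10, "10.0.0.5", "10.0.0.20", 80,
           b"GET /../../etc/passwd HTTP/1.1\r\n"),
] + [Packet(1.0 + 0.05 * i, "10.0.0.9", "10.0.0.20", 22, b"SSH-2.0-x\r\n")
     for i in range(6)]


if __name__ == "__main__":
    for e in analyze(SAMPLE, inline=True):
        print(f"{e['ts']:.2f} {e['action']:5} {e['src']} -> {e['dst']}  "
              f"{e['type']}")
```

Two things worth noticing when running it: the rate check reports a pair only once per burst rather than on every packet after the threshold, which is what keeps a flood from also flooding the event store; and the benign first request produces nothing, so the event list is exactly the two events an analyst reviewing the intrusion events would expect to see.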
- System Data Review, Availability and Loss Functions
IDS event logs can only be viewed by authorized TOE users (users with the Administrator or Intrusion Event Analyst Roles). The data stores of the raw collection data are constantly monitored and if they become too full, new records will replace the oldest records to prevent active/current data loss.
Note: The administrator must perform periodic backups of the event data (via the WebUI backup function) to prevent loss of data.