Compliant Product - Juniper Networks, Inc. STRM Release 2010.0
Certificate Date: 25 April 2011
Validation Report Number: CCEVS-VR-010426-2011
Product Type: IDS/IPS
Conformance Claim: EAL2 Augmented with ALC_FLR.2
CC Testing Lab: Booz Allen Hamilton Common Criteria Testing Laboratory
PRODUCT DESCRIPTION
Juniper Networks, Inc. STRM Release 2010.0 (herein referred to as STRM, also known as the TOE) is a distributed, software-only network security management platform that provides situational awareness and compliance support through the combination of flow-based network knowledge, security event correlation, log management and asset-based vulnerability assessment. STRM collects and processes data including logs from security devices, network devices, applications and databases; network activity data (i.e. flows) from network taps, mirror ports or third-party flow sources such as NetFlow; and vulnerability assessment data. The product produces security events by real-time event and flow matching and by comparing the collected data to historical flow-based behavior patterns. The security events are then correlated by the product to produce weighted alerts (i.e. Offenses), which can be viewed in the STRM Console User Interface as well as sent to users or other solutions via email, syslog, or SNMP trap.
EVALUATED CONFIGURATION
The TOE was evaluated on the following platforms:
STRM CONSOLE
- OS: CentOS 5.4
- CPU: Intel Core2Duo CPU e4300 1.8GHz Single LGA 775 CPU
- Memory: 8 GB RAM
- Disk Space: 2x500GB RAID 1
MANAGED HOST - EVENTS
- OS: CentOS 5.4
- CPU: Intel Core2Duo CPU e4300 1.8GHz Single LGA 775 CPU
- Memory: 8 GB RAM
- Disk Space: 2x500GB RAID 1
MANAGED HOST - FLOWS
- OS: CentOS 5.4
- CPU: Intel Core2Duo CPU e4300 1.8GHz Single LGA 775 CPU
- Memory: 2 GB RAM
- Disk Space: 2x500GB RAID 1
SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. Juniper STRM was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Revision 3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Revision 3. It has been determined that the product meets the security criteria in the Security Target, which specifies an assurance level of EAL2 augmented with ALC_FLR.2. Validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed on 07 March 2011.
ENVIRONMENTAL STRENGTHS
Intrusion Detection System
The TOE is an Intrusion Detection System that collects various sets of information from the targeted resources, including but not limited to start-up, shutdown, and network traffic. The TOE groups the collected data for analysis and reporting purposes, and users are able to view this data according to their role. For more information on this data, see Tables 7-3 and 7-4 within the ST. The TOE analyzes this data to establish whether a correlation exists between behavior and events. Each analytical result records the date/time of the result, the type of result, the identity of the data source, and the overall analysis of the result. When the analysis determines that an intrusion has been detected, the TOE sends an alarm to the configured user.
All system data is stored by the TOE and is protected from unauthorized deletion and modification. Once the storage capacity is reached, the TOE ensures that the most recent data is maintained. The TOE overwrites the oldest stored data and sends an alarm to the configured user when this occurs.
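The storage behaviour described above (append-only data, overwrite the oldest record when capacity is reached, alarm the configured user on every overwrite) is easy to get wrong in a way that silently loses evidence. The following is an added illustration of that policy, not Juniper's code; the class name, the alarm callback and the sample flow records are all constructed for the example.

```python
from collections import deque
from typing import Callable, Deque, List


class BoundedSystemDataStore:
    """Fixed-capacity store of system data records (hypothetical implementation).

    Records can only be appended: there is no delete or modify method, which is
    the property that protects stored data from unauthorized deletion and
    modification. When the capacity is reached, the oldest record is overwritten
    so that the most recent data is always kept, and an alarm is raised each
    time an overwrite happens.
    """

    def __init__(self, capacity: int, alarm: Callable[[str], None]) -> None:
        if capacity < 1:
            raise ValueError("capacity must be at least 1")
        self._records: Deque[str] = deque()
        self._capacity = capacity
        self._alarm = alarm          # configured user's notification channel
        self.overwritten = 0         # how many records have been lost so far

    def add(self, record: str) -> None:
        """Store a record, overwriting the oldest one if the store is full."""
        if len(self._records) >= self._capacity:
            dropped = self._records.popleft()
            self.overwritten += 1
            self._alarm(f"storage full: overwrote oldest record {dropped!r}")
        self._records.append(record)

    def records(self) -> List[str]:
        """Return the retained records, oldest first."""
        return list(self._records)


def fill_store(capacity: int, records: List[str]):
    """Feed constructed records through a store and return what was kept and
    the alarms that were raised (helper for running the example offline)."""
    alarms: List[str] = []
    store = BoundedSystemDataStore(capacity, alarms.append)
    for record in records:
        store.add(record)
    return store.records(), alarms


if __name__ == "__main__":
    # Constructed sample: five flow records into a store that holds three.
    sample = [f"flow-{i}" for i in range(1, 6)]
    kept, raised = fill_store(3, sample)
    print("kept:", kept)      # ['flow-3', 'flow-4', 'flow-5']
    for message in raised:    # two alarms, one per overwritten record
        print("ALARM:", message)
```

The point a reviewer would check is that the alarm fires per overwrite rather than once when the store first fills: an operator who only hears about the first wrap-around has no way to tell how much data has been lost since.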
Security Management
All management functions and user operations are performed through the STRM Console User Interface. The TOE has three roles: Administrators, System Administrators, and End Users. Administrators have all privileges, which include managing user accounts and configuring system data collection standards/protocols. System Administrators only have the privileges to configure system data collection standards/protocols and basic STRM functionality, and to change their own account passwords. Only the Administrator and System Administrator roles can create, modify, and delete the rules that control the behavior of the TOE's IDS functionality.
End User roles do not have administrative privileges. End users can change their own account passwords and query pre-defined reports. End users may be assigned additional privileges that enable them to perform more operations on the TOE, including Reports, Offense Manager with Customized Rule, Offense Manager, and other privileges as defined by an administrator. For more detailed information on the specific privileges that users and administrators possess, refer to Section 9.1.3 within the ST.
Identification and Authentication
The TOE identifies and authenticates users via their usernames and passwords. The TOE requires all users to authenticate through a browser to Apache Tomcat on the STRM Console before performing any administrative functions on the TOE. No actions can be performed on the TOE until the user has been identified and authenticated. Once authenticated, each user is assigned a role, which is one of the security attributes maintained by the TOE; the role determines what actions the user is authorized to perform on the TOE. The TOE locks out users for a configurable period of time after a configurable number of failed access attempts. The product provides methods of updating patch and signature information (event and vulnerability mappings) from the Juniper servers. In the evaluated configuration, the TOE will not download and apply patch updates without an Administrator action.
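The lockout rule in the paragraph above has three edge cases worth seeing in code: a correct password must be refused while the lockout is active, a successful login must reset the failure counter, and an unknown username should take the same path as a wrong password so the lockout behaviour does not reveal which accounts exist. The following is an added example of such a policy, not the product's own authentication code; the class names, the constructed account, the fixed salt and the injected clock are all assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from dataclasses import dataclass
from typing import Callable, Dict


@dataclass
class LockoutPolicy:
    """Both values are configurable, as the report describes."""
    max_failures: int = 5
    lockout_seconds: float = 300.0


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since last success
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


def hash_password(password: str) -> bytes:
    # Illustrative only: a fixed, constructed salt. A real deployment would use
    # a per-user salt and a slow password hash.
    return hashlib.sha256(b"constructed-salt:" + password.encode()).digest()


_DUMMY_HASH = hash_password("dummy")  # used for unknown users, see login()


class Authenticator:
    """Username/password check with lockout after too many failures."""

    def __init__(self, credentials: Dict[str, bytes], policy: LockoutPolicy,
                 clock: Callable[[], float] = time.time) -> None:
        self._credentials = credentials   # username -> password hash
        self._policy = policy
        self._clock = clock               # injected so tests can control time
        self._state: Dict[str, AccountState] = {}

    def login(self, username: str, password: str) -> str:
        """Return 'ok', 'denied' or 'locked'."""
        now = self._clock()
        state = self._state.setdefault(username, AccountState())
        if now < state.locked_until:
            return "locked"               # even a correct password is refused
        # Unknown usernames are checked against a dummy hash and counted like
        # any other failure, so lockout behaviour does not reveal which
        # usernames exist.
        stored = self._credentials.get(username, _DUMMY_HASH)
        valid = hmac.compare_digest(stored, hash_password(password))
        if valid and username in self._credentials:
            state.failures = 0
            state.locked_until = 0.0
            return "ok"
        state.failures += 1
        if state.failures >= self._policy.max_failures:
            state.failures = 0
            state.locked_until = now + self._policy.lockout_seconds
            return "locked"
        return "denied"


def make_demo_authenticator(clock: Callable[[], float]) -> Authenticator:
    """Constructed sample account: three failures lock the account for 60 s."""
    creds = {"alice": hash_password("correct horse")}
    policy = LockoutPolicy(max_failures=3, lockout_seconds=60.0)
    return Authenticator(creds, policy, clock)


if __name__ == "__main__":
    fake_now = [1000.0]
    auth = make_demo_authenticator(lambda: fake_now[0])
    for attempt in ("wrong", "wrong", "wrong", "correct horse"):
        print(attempt, "->", auth.login("alice", attempt))
    fake_now[0] += 61                      # lockout period has expired
    print("after lockout ->", auth.login("alice", "correct horse"))
```

Injecting the clock is what makes the expiry of the lockout window testable without sleeping; the same hook is where a deployment would plug in a monotonic source so that an administrator changing the wall clock cannot shorten a lockout.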
Security Audit
The TOE creates syslog audit events for actions taken within STRM; each event is populated with a reliable timestamp provided by the TOE, the event type, the identity of the user who performed the action, the outcome, and additional information specific to that type of audit event. The TOE allows a role with System Administrator privileges to read audit information from the events, with sorting options; users without these privileges are denied access to the audit events. Audit information can also be displayed as reports.
Cryptographic Support
Remote users establish a session with the TOE using a web-based HTTPS session. This secured path is used for user authentication, management and operations of the TOE by authorized users. The TOE generates cryptographic keys to support the use of OpenSSH during communication with remote users and between TOE subsystems.
Protection of the TSF
Administrators of the TOE ensure that all connections between physically separate parts of the TOE (i.e. trusted remote products) are secured using OpenSSH. All data transmitted between TOE subsystems is protected from unauthorized disclosure and modification during transmission. This includes all system data that is passed between TOE subsystems once a scanning session is completed and the data is made. The TOE uses secure hashing to verify the integrity of transmitted data, including detection of any unauthorized modification of the data.