NIAP: View Technical Decision Details
Archived TD0325:  Inline mode for Signature-based IPS policies

Publication Date
2018.05.21

Protection Profiles
EP_IPS_V2.11

Other References
IPS_SBD_EXT.1.5

Issue Description

IPS_SBD_EXT.1.5 requires that the product allow the traffic flow or drop the traffic flow in inline mode. This is only possible if inspection, detection, and drop are all performed by the signature rule in inline mode, which is not the case where the hardware is designed to always drop malicious attacks before the signature rule is consulted.

Resolution

The IPS_SBD_EXT.1.5 SFR is replaced with the text below; its Application Note is unchanged:

IPS_SBD_EXT.1.5 The TSF shall allow the following operations to be associated with signature-based IPS policies:

- In any mode, for any sensor interface: [selection:
    - allow the traffic flow;
    - send a TCP reset to the source address of the offending traffic;
    - send a TCP reset to the destination address of the offending traffic;
    - send an ICMP [selection: host, destination, port] unreachable message;
    - trigger a non-TOE network device to block the offending traffic pattern]
- In inline mode:
    - block/drop the traffic flow;
    - and [selection:
        - allow all traffic flow;
        - allow the traffic flow with following exceptions: [assignment: malicious traffic such as but not limited to IPS_EXT.1.3 and IPS_EXT.1.4 if always dropped];
        - modify and forward packets before they pass through the TOE].

Justification

The intent of IPS_SBD_EXT.1.5 is to specify the operations available to rules when creating new signatures. It was not intended to apply to traffic that is dropped automatically before it reaches the signature detection engine.
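To make the situation behind the Issue Description and this Justification concrete, the following is an added illustration, not NIAP text and not any vendor's product code: a toy model of an inline IPS in which a fixed hardware stage drops certain traffic before the signature engine ever sees it, so a signature's "allow the traffic flow" action can never apply to that traffic. The hardware rule (SYN+FIN drop), the packet fields, the action names and the sample signatures are all constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Constructed minimal packet: protocol and a set of TCP flag names."""
    proto: str
    flags: frozenset = frozenset()


def hardware_always_drops(pkt: Packet) -> bool:
    """Hypothetical check fixed in hardware, evaluated before the signature
    engine. No signature action can override it (constructed example:
    a TCP segment with both SYN and FIN set)."""
    return pkt.proto == "tcp" and {"SYN", "FIN"} <= pkt.flags


# Operations IPS_SBD_EXT.1.5 lets a signature carry, by mode (names assumed).
ANY_MODE_ACTIONS = {"allow", "tcp_reset_src", "tcp_reset_dst",
                    "icmp_unreachable", "external_block"}
INLINE_ACTIONS = ANY_MODE_ACTIONS | {"drop", "modify_forward"}


def signature_engine(pkt: Packet, signatures) -> str:
    """signatures: list of (predicate, action). First match wins;
    no match means the flow is allowed."""
    for matches, action in signatures:
        if matches(pkt):
            return action
    return "allow"


def inline_pipeline(pkt: Packet, signatures) -> tuple:
    """Return (stage, action): which stage decided the packet's fate.
    Traffic the hardware always drops never reaches the signature engine,
    so a signature that would 'allow' it has no effect on that traffic."""
    if hardware_always_drops(pkt):
        return ("hardware", "drop")
    action = signature_engine(pkt, signatures)
    if action not in INLINE_ACTIONS:
        raise ValueError(f"{action!r} is not an inline-mode operation")
    return ("signature", action)


if __name__ == "__main__":
    # A signature that allows SYN+FIN segments: it is never consulted,
    # because the hardware stage drops them first.
    allow_synfin = [(lambda p: {"SYN", "FIN"} <= p.flags, "allow")]
    print(inline_pipeline(Packet("tcp", frozenset({"SYN", "FIN"})), allow_synfin))
    # Ordinary SYN: reaches the engine, whose signature action applies.
    reset_syn = [(lambda p: "SYN" in p.flags, "tcp_reset_src")]
    print(inline_pipeline(Packet("tcp", frozenset({"SYN"})), reset_syn))
```

An ST for such hardware should therefore claim "allow the traffic flow with following exceptions" rather than "allow all traffic flow", naming the always-dropped traffic in the assignment.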
