Compliant Product - McAfee ATD v4.0

Certificate Date:  2018.03.06

Validation Report Number:  CCEVS-VR-VID10888-2018

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.0

CC Testing Lab:  Gossamer Security Solutions

CC Certificate [PDF]

Security Target [PDF]

Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]

Product Description

The ATD hardware appliance implements dynamic and statistical analysis on data transmitted through a network to provide malware detection, assessment and classification.

The ATD passes files through its down selectors for statistical analysis and provides a sandbox test environment that includes virtual machines running customer environments, anti-virus, anti-malware, and local blacklists and whitelists. Files are executed within virtual machine environments whose activity is recorded in a log file. The log file is then used to generate a security report on the potential malware.

For the purpose of evaluation, ATD will be treated as a network device offering CAVP tested cryptographic functions, security auditing, secure administration, trusted updates, self-tests, and secure connections to other servers (e.g., to transmit audit records).

Evaluated Configuration

The ATD evaluated configuration includes software version 4.0.2 running on one of the following models:

· ATD-3100

· ATD-6100

Since each platform uses the same software and the TOE implements all provided security functions in software, the TOE security behavior remains equivalent on each platform for each of the SFRs defined by the NDcPP. The differences relate only to performance: number of cores and amount of memory and HD/SSD storage.

The TOE may be accessed and managed through a PC or terminal in the environment which can be remote from or directly connected to the TOE.

Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 4, July 2012. Gossamer Security Solutions determined that the evaluation assurance level (EAL) for the TOE is EAL 1. The product, when delivered and configured as identified in the McAfee Administrator Guidance Instructions, Version 1.3, March 3, 2018 document, satisfies all of the security functional requirements stated in the McAfee, Inc. Advanced Threat Defense running software version 4.0.2 (NDcPP20) Security Target, Version 0.7, March 6, 2018. The project underwent CCEVS Validator review. The evaluation was completed in March 2018. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10888-2018) prepared by CCEVS.

Environmental Strengths

The logical boundaries of the McAfee Advanced Threat Defense are realized in the security functions that it implements. Each of these security functions is summarized below.

Security audit:

The TOE generates audit events associated with identification and authentication, management, updates, and user sessions. The TOE can store the events in a local log or export them to a syslog server using a TLS protected channel.

Cryptographic support:

The TOE provides CAVP certified cryptography in support of its TLS implementation. Cryptographic services include key management, random bit generation, encryption/decryption, digital signature and secure hashing.

Identification and authentication:

The TOE requires users to be identified and authenticated before they can use functions mediated by the TOE, with the exception of reading the login banner. It provides the ability both to assign attributes (user names, passwords and roles) and to authenticate users against these attributes. The TOE also provides X.509 certificate checking for its TLS connections.

Security management:

The TOE provides a command line (CLI) management interface as well as a graphical user interface (GUI) accessed via the web. The web interface is protected with TLS. The management interface is limited to the authorized administrator (as defined by a role).

Protection of the TSF:

The TOE provides a variety of means of protecting itself. The TOE performs self-tests that cover the correct operation of the TOE. It provides the functions necessary to securely update the TOE. It provides a hardware clock to ensure reliable timestamps and can also sync to an NTP server if so configured. It protects sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an authorized administrator.

TOE access:

The TOE can be configured to display a logon banner before a user session is established. The TOE also enforces inactivity timeouts for local and remote sessions.

Trusted path/channels:

The TOE provides a local console which is subject to physical protection. For remote access, the web GUI is protected by TLS, thus ensuring protection against modification and disclosure.

The TOE also protects its audit records from modification and disclosure by using TLS to communicate with the syslog server.

Vendor Information

