Compliant Product - NSM Linux Appliance 22.214.171.124 and NS Sensor appliances 126.96.36.199
Certificate Date: 2019.12.16CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID10991-2019
Product Type: Wireless Monitoring
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.0 + Errata 20180314
Extended Package for Intrusion Prevention Systems Version 2.11
CC Testing Lab: Acumen Security
The TOE is comprised of the McAfee Network Security Platform (NSP) software running on one Network Security Manager (NSM) Linux Appliance and one or more Network Sensors.
The McAfee Network Security Platform (NSP) sensor performs stateful inspection on a per-packet basis to discover and prevent intrusions, misuse, denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks. NSP is available in multiple sensor appliances providing different bandwidth and deployment strategies. These models are listed in below.
Network Security Manager (NSM) is used to manage and push configuration data and policies to the sensors. Communication between NSM and sensors uses secure channels that protect the traffic from disclosure and modification. Authorized administrators may access the NSM via a GUI (over HTTPS) or a CLI (via SSH or a local connection). Sensors may be accessed via CLI (via SSH or a local connection) for initial setup. Once initial setup is complete, all management occurs via the NSM.
The NSP sensor’s presence on the network is transparent. The sensor is protected from the monitored networks as the system is configured to not accept any management requests or input from the monitored networks.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which McAfee Network Security Platform (NS Sensor appliances and NSM Linux appliance) is evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 4. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 4. Acumen Security determined that the evaluation is conformant to the collaborative Protection Profile for Network Devices (NDcPP) + Errata 20180314, Version 2.0e and Network Device Collaborative Protection Profile (NDcPP)/Stateful Traffic Filter Firewall Collaborative Protection Profile (FWcPP) Extended Package for Intrusion Prevention Systems (v2.11, 15-June-2017) [IPSEP]. The product, when delivered and configured as identified in the Operational User Guidance and Preparative Procedures, satisfies all the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review. The evaluation was completed in December 2019. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The logical boundary of the TOE includes those security functions implemented exclusively by the TOE.
The TOE uses symmetric key cryptography to secure communications between the Sensors and the NSM for the following functionality:
· Exchange of configuration information (including IPS policies)
· Time/date synchronization from the NSM to Sensors
· Transfer of IPS data to the NSM
· Transfer of audit records to the NSM
· Distribution of TOE updates to Sensors
Connections between the NSM and NS Sensors are secured using TLS. Connections between the NSM and the Audit Server (for audit record upload) are secured using TLS.
Sessions between the Management Workstation and the TOE are secured using SSH or HTTPS, authenticated using username and password, and local console connections between the Console Workstation and the TOE are physically secured.
Identification and Authentication
Administrators connecting to the TOE are required to enter an NSP administrator username and password to authenticate the administrative connection prior to access being granted.
The NSM and NS Sensors authenticate to one another through a shared secret that is configured during the initial installation and setup process of the TOE. Individual Sensors must use CA-signed certificates. In the evaluated configuration, the NSM supports self-signed certificates only for the installation process of Sensors before they are in their evaluated configuration.
An administrative CLI can be accessed via the Console port or SSH connection, and an administrative GUI on the NSM may be accessed via HTTPS. These interfaces are used for administration of the TOE, including audit log configuration, upgrade of firmware and signatures, administration of users, configuration of SSH and TLS connections.
Only administrators authenticated to the “Admin” role are considered to be authorized administrators.
Protection of the TSF
The NS Sensors components presence on the network is transparent (other than network packets sent as reactions to configure IPS conditions). The NS Sensors are protected from the monitored networks as the system is configured to not accept any management requests or input via the monitored interfaces.
The TOE users must authenticate to the TOE before any administrative operations can be performed on the system.
The TOE ensures consistent timestamps are used by synchronizing time information on the NS Sensors with the NSM, so that all parts of the NSP system share the same relative time information. Synchronization occurs over a secure communications channel. Time on the NSM may be configured by an administrator.
The administrator can query the currently installed versions of software on the TOE components using the “show” command, which returns details of the software and hardware version. Trusted update of the TOE software can be performed from the command line using the “loadimage scp” command. This loads the image from an SCP server over SSH.
A suite of self-tests is performed by the TOE at power on and conditional self-tests are performed continuously
The TOE monitors local and remote administrative sessions for inactivity and terminates the session when a threshold time is reached. An advisory notice is displayed at the start of each session.
The TSF provides the following trusted communication channels:
· TLS for an audit server
· TLS for communication between NSM and Sensors
· SSH for communication with an SCP Server for updates
The TOE implements TLS/HTTPS and SSH for protection of communications between itself and the administrators.