Compliant Product - McAfee Network Security Platform (NSM Linux Appliance v10.1.19.17 and NS Sensor Appliances v10.1.17.15)
Certificate Date: 2020.11.09CC Certificate Security Target Validation Report
Validation Report Number: CCEVS-VR-VID11079-2020
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.1
Extended Package for Intrusion Prevention Systems Version 2.11
CC Testing Lab: Acumen Security
The TOE is comprised of the McAfee Network Security Platform (NSP) software running on one Network Security Manager (NSM) Linux Appliance and one or more Network Sensors.
The McAfee Network Security Platform (NSP) Sensor performs stateful inspection on a per-packet basis to discover and prevent intrusions, misuse, denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks. NSP is available in multiple Sensor appliances providing different bandwidth and deployment strategies. These models are listed below in Table 1.
Network Security Manager (NSM) is used to manage and push configuration data and policies to the Sensors. Communication between NSM and Sensors uses secure channels that protect the traffic from disclosure and modification. Authorized administrators may access the NSM via a GUI (over HTTPS) or a CLI (via SSH or a local connection). Sensors may be accessed via CLI (via SSH or a local connection) for initial setup. Once initial setup is complete, all management occurs via the NSM.
The NS Sensor’s presence on the network is transparent. The Sensor is protected from the monitored networks as the system is configured to not accept any management requests or input from the monitored networks.
Table 1 - TOE Appliance Series and Models
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which McAfee Network Security Platform (NS Sensor appliances and NSM Linux appliance) is evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 rev 5. Acumen Security determined that the evaluation is conformant to the collaborative Protection Profile for Network Devices (v2.1, 11 March 2019) NDcPP and Network Device Collaborative Protection Profile (NDcPP)/Stateful Traffic Filter Firewall Collaborative Protection Profile (FWcPP) Extended Package for Intrusion Prevention Systems (v2.11, 15-June-2017) [IPSEP]. The product, when delivered and configured as identified in the Operational User Guidance and Preparative Procedures, satisfies all the security functional requirements stated in the Security Target. The project underwent CCEVS Validator review. The evaluation was completed in November 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The logical boundary of the TOE includes those security functions implemented exclusively by the TOE.
The TOE generates audit records related to TOE operation and administration. These audit records are stored on the NSM management platform (and stored in a local database) and are also forwarded to an external audit server. The database stores 50,000 audit records. When the database reaches capacity, the oldest audit records are overwritten.
The NS Sensor generates audit records and forwards the audit records to the NSM platform. If the NSM platform is not available, the NS Sensor caches audit records in a local file. When connectivity with NSM is restored, the file is uploaded and then deleted. If the file is reaches capacity, new events are dropped.
Only authenticated users can view audit records.
The TOE uses symmetric key cryptography to secure communications between the Sensors and the NSM for the following functionality:
· Exchange of configuration information (including IPS policies)
· Time/date synchronization from the NSM to Sensors
· Transfer of IPS data to the NSM
· Transfer of audit records to the NSM
· Distribution of TOE updates to Sensors
Connections between the NSM and Sensors are secured using TLS.
Connections between the NSM and the Audit Server (for audit record upload) are secured using TLS.
Connections between the Sensor and the SCP Server is secured using SSH.
Sessions between the Management Workstation and the TOE are secured using SSH or HTTPS and authenticated using username and password. Local console connections between the Console Workstation and the TOE are physically secured. The Sensors also use SSH to securely copy a new image to update the Sensor.
Identification and Authentication
Administrators connecting to the TOE are required to enter an NSP administrator username and password to authenticate the administrative connection prior to access being granted.
The NSM and NS Sensors authenticate to one another through a shared secret that is configured during the initial installation and setup process of the TOE. Individual Sensors must use CA-signed certificates. In the evaluated configuration, the NSM supports self-signed certificates only for the installation process of Sensors before they are in their evaluated configuration.
An administrative CLI can be accessed via the Console port or SSH connection, and an administrative GUI on the NSM may be accessed via HTTPS. These interfaces are used for administration of the TOE, including audit log configuration, upgrade of firmware and signatures, administration of users, configuration of SSH and TLS connections.
Only administrators authenticated to the “Admin” role are considered to be authorized administrators.
Protection of the TSF
The presence of the NS Sensors' components on the network is transparent (other than network packets sent as reactions to configured IPS conditions). The NS Sensors are protected from the monitored networks as the system is configured to not accept any management requests or input via the monitored interfaces.
The TOE users must authenticate to the TOE before any administrative operations can be performed on the system.
The TOE ensures consistent timestamps are used by synchronizing time information on the NS Sensors with the NSM, so that all parts of the NSP system share the same relative time information. Synchronization occurs over a secure communications channel. Time on the NSM may be configured by an administrator.
The administrator can query the currently installed versions of software on the TOE components using the “show” command, which returns details about the software and hardware version. A trusted update of the TOE software can be performed from the NSM UI, which is then pushed out to the Sensors.
A suite of self-tests is performed by the TOE at power on, and conditional self-tests are performed continuously.
The TOE monitors local and remote administrative sessions for inactivity and terminates the session when a threshold time is reached. An advisory notice is displayed at the start of each session.
· TLS for an audit server
· TLS for communication between NSM and Sensors
· SSH for communication with an SCP Server for updates
The TOE implements TLS/HTTPS and SSH for protection of communications between itself and the administrators.
The TOE performs analysis of IP-based network traffic and detects violations of administratively defined IPS policies. The TOE inspects each packet header and payload for anomalies and known signature-based attacks and performs configured actions for policy violations.