Compliant Product - Trend Micro TippingPoint Threat Protection System (TPS) v5.3
Certificate Date: 2022.02.02
CC Certificate, Security Target *, Validation Report
Validation Report Number: CCEVS-VR-VID11206-2022
Product Type: Network Device
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.2e
CC Testing Lab: Leidos Common Criteria Testing Laboratory
* This is the Security Target (ST) associated with the latest Maintenance Release; earlier STs for this TOE are also available.
The Target of Evaluation (TOE) is Trend Micro TippingPoint Threat Protection System (TPS) v5.3. The TOE comprises a range of standalone physical and virtual network appliances that provide threat protection, shielding network vulnerabilities, blocking exploits, and defending against known and zero-day attacks. It provides coverage across various threat vectors, including advanced threats, malware, and phishing attempts. It employs a combination of technologies, such as deep packet inspection, threat reputation, and malware analysis, on a flow-by-flow basis, in order to detect and prevent attacks on the network.
The focus of the evaluation was on functionality meeting the requirements specified in collaborative Protection Profile for Network Devices, Version 2.2e, including: protection of communications between the TOE and trusted external IT entities; identification and authentication of administrators; auditing of security-relevant events; verification of the source and integrity of updates to the TOE; and use of approved cryptographic mechanisms.
The TOE provides authorized administrators with a command line interface (CLI), accessible locally via a direct console connection and remotely via SSH, to manage the TOE and its security functions.
The TOE comprises the following appliances running TPS software v5.3.0:
· TPS 1100TX
· TPS 5500TX
· TPS 8200TX
· TPS 8400TX
The 1100TX includes one I/O module slot, the 5500TX and the 8200TX include two I/O module slots, and the 8400TX includes four I/O module slots. The following standard I/O modules are supported for the 1100TX, 5500TX, 8200TX, and 8400TX security devices.
The vTPS virtual appliance consists of TPS v5.3.0, running on hosts with Intel Xeon CPUs based on Ivy Bridge or newer that support the RDRAND instruction and either:
· an ESXi Hypervisor: Version 5.5 (Patch 3116895), Version 6.0 (Patch 5572656), Version 6.5, or Version 6.7, or
· a RHEL version 7.1 KVM.
The vTPS virtual appliance uses virtual data ports and does not require I/O modules.
The vTPS appliance is provided as one of the following image files:
· vTPS_vmw_5.3.0_xxxx.zip (standard)
· vTPS_vmw_performance_v5.3.0_xxxx.zip (performance)
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, September 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 release 5. The product, when delivered and configured as identified in the guidance documentation, satisfies all of the security functional requirements stated in the Trend Micro TippingPoint Threat Protection System (TPS) v5.3 Security Target. The evaluation was completed in February 2022. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE is able to generate audit records for security-relevant events. The TOE can be configured to store the audit records locally on the TOE and can also be configured to send the logs to a designated external log server. The audit records in local audit storage cannot be modified or deleted. In the event the space available for storing audit records locally is exhausted, the TOE deletes the oldest historical log file, renames the current log file to be a historical file, and creates a new current log file. The TOE writes a warning to the audit trail when the space available for storage of audit records drops below 25% of capacity.
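The following is an added example, not TOE code, that models the local audit-storage behaviour just described: records are append-only, storage exhaustion triggers the delete-oldest / rename-current / create-new rotation, and a warning record is written once free space drops below 25% of capacity. The byte budget, the record format and the warning text are constructed assumptions for the model.

```python
"""Constructed model (added example, not TOE code) of the local audit-storage
policy described above: append-only records, rotation when storage is exhausted,
and a warning record once free space drops below 25% of capacity."""
from collections import deque

WARN_FRACTION = 0.25
LOW_SPACE_WARNING = "WARN: audit storage below 25% free"


class AuditStore:
    """Fixed byte budget shared by one current log file and historical files."""

    def __init__(self, capacity_bytes: int):
        self.capacity = capacity_bytes
        self.current = []          # list of records: the active log file
        self.history = deque()     # historical files (lists of records), oldest first
        self.warned = False        # one warning per fill cycle
        self.rotations = 0

    def used(self) -> int:
        # +1 per record for the newline that terminates it
        return sum(len(r) + 1 for f in [self.current, *self.history] for r in f)

    def free(self) -> int:
        return self.capacity - self.used()

    def trail(self) -> list:
        """Every record still held, oldest first; nothing is ever edited in place."""
        return [r for f in [*self.history, self.current] for r in f]

    def _rotate(self) -> None:
        # Storage exhausted: delete the oldest historical file, make the current
        # file historical, and open a fresh current file.
        if self.history:
            self.history.popleft()
        self.history.append(self.current)
        self.current = []
        self.rotations += 1
        self.warned = False  # headroom restored; warn again when it drops

    def append(self, record: str) -> None:
        size = len(record) + 1
        if size > self.capacity:
            raise ValueError("record larger than total audit storage")
        # No historical file yet? The first rotation frees nothing; the loop then
        # rotates again and deletes the file it just archived.
        while self.free() < size:
            self._rotate()
        self.current.append(record)
        if not self.warned and self.free() < WARN_FRACTION * self.capacity:
            self.warned = True  # set first so the warning cannot re-trigger itself
            self.append(LOW_SPACE_WARNING)
```

With a 200-byte budget and 7-byte records, the warning lands after the 22nd record and the first rotation happens on the 24th; a deployment would feed the warning to the external log server, since local rotation eventually discards it along with the file it sits in.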
The TOE is operated in FIPS mode and includes FIPS-approved and NIST-recommended cryptographic algorithms. The TOE provides cryptographic mechanisms for symmetric encryption and decryption, cryptographic signature services, cryptographic hashing services, keyed-hash message authentication services, deterministic random bit generation seeded from a suitable entropy source, and cryptographic key destruction. The cryptographic mechanisms support SSH used for secure communication, both as client and server.
Identification and Authentication
The TOE requires administrators to be successfully identified and authenticated before they can access any of the security management functions provided by the TOE. The TOE offers both a locally connected console and a network accessible interface over SSH to support administration of the TOE.
The TOE supports the local (i.e., on device) definition of administrators with usernames and passwords. When a user is authenticated at the local console, no information about the authentication data (i.e., password) is echoed to the user. Passwords can be composed of any combination of upper and lower case letters, numbers, and the following special characters: ! @ # $ % ^ & * ( ) , . ? < > /
The TOE provides authentication failure handling for remote administrator access. When the defined number of unsuccessful authentication attempts has been reached, the remote administrator accessing the TOE via SSH is locked out for an administrator configurable period of time. Authentication failures by remote administrators cannot lead to a situation where no administrator access is available to the TOE since administrator access is still available via the local console.
The TOE provides administrator roles and supports local and remote administration. The TOE supports Super User, Admin, and Operator roles that map to the Security Administrator role in the claimed PP. Each user must be assigned a role in order to perform any management action. The TOE provides authorized administrators with a command line interface (CLI), accessible locally via direct console connection and remotely via SSH, for TOE configuration and to monitor, collect, log, and react in real-time to potentially malicious network traffic.
Protection of the TSF
The TOE protects sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism that ensures reliable time information is available.
The TOE provides mechanisms to view the current version of the TOE and to install updates of the TOE software. TOE updates are initiated manually by the Super User or Admin, who can verify the integrity of the update prior to installation using a digital signature.
The TOE performs tests for software module integrity and cryptographic known-answer tests.
The TOE implements administrator-configurable session inactivity limits for local interactive sessions at the console and for SSH sessions. The TOE terminates such sessions when the inactivity period expires. In addition, administrators can terminate their own interactive sessions by logging out of the console or SSH session.
The TOE supports an administrator-configurable TOE access banner that is displayed prior to a user completing the login process at the CLI. This is implemented for both local and remote management connections.
The TOE protects interactive communication with remote administrators using SSH. SSH ensures confidentiality of transmitted information and detects any loss of integrity.
The TOE also uses SSH to protect the transmission of audit records to an external audit server.