The Sourcefire 3D System is an Intrusion Detection and Prevention System that combines open-source and proprietary technology. The TOE is used to monitor incoming (and outgoing) network traffic, from either inside or outside a firewall. All packets on the monitored network are scanned, decoded, processed and compared against a set of rules to determine whether inappropriate traffic, such as system attacks, is being passed over the network. The system then notifies a designated TOE administrator of these attempts. The system generates these alerts when deviations of the expected network behavior are detected and when there is a match to a known attack pattern.
\r\nThe Sourcefire 3D System Version 4.10.2.4 (SEU 568) TOE consists of the following components:
\r\nEach 3D Sensor with IPS (virtual and appliance-based) uses rules, decoders, and preprocessors to look for the broad range of exploits that attackers have developed. Sourcefire 3D Sensors that are licensed to use IPS are packaged with a set of intrusion rules developed by the Sourcefire Vulnerability Research Team (VRT). Custom intrusion rules and policies can also be created for a customer’s operating environment.
\r\nNote: The evaluation team did not evaluate the Sourcefire supplied rule sets that are bundled with the TOE for suitability to task—only that the tests included in the rule sets work correctl
\r\nThe Sourcefire 3D Sensor is based on an enhanced version of Snort, which is an open source IDS. Snort is used to read all the packets on the monitored network, and then analyze them against the rule set that has been created by the TOE administrators. The Sourcefire-modified Snort, version 2.9.2, is included in the TOE.
\r\nWhen a 3D Sensor with IPS identifies a possible intrusion, it generates an intrusion event, which is a record of the date, time, the type of exploit, and contextual information about the source of the attack and its target. For packet-based events, a copy of the packet or packets that triggered the event is also recorded.
\r\n3D Sensors with IPS can be deployed either inline, where \"live\" traffic passes through the appliance, or passively, in which case traffic is being only monitored. When used inline, IPS can block malicious code and attacks in real-time so that the 3D Sensor with IPS is used as an intrusion prevention device.
\r\nThe 3D500, 3D1000, and 3D2000 appliance-based models of the 3D Sensor with IPS provide a local web interface (WebUI) to create intrusion policies and review the resulting intrusion events and therefore can be run stand-alone, without using a Defense Center for management.
\r\nThe 8000 Series of 3D Sensors with IPS (Models 3D8120, 3D8130, 3D8140 and 3D8250) and the 7000 Series of 3D Sensors with IPS (Models 3D7110 and 3D7120) cannot be run stand-alone and must be managed and licensed with a Defense Center. These sensors have a Limited WebUI, which is accessed in the same manner as the Defense Center WebUI except that user authorization cannot be done by an external authentication server.
\r\nThe Sourcefire Virtual 3D Sensor licensed for IPS is a software-only version of the Sourcefire 3D Sensor licensed for IPS that runs within a VMware virtual environment. The Virtual 3D Sensor with IPS runs on any platform that supports VMware’s ESX/ESXi Version 4.1 hypervisor. There is no embedded graphical user interface (WebUI) on the Virtual 3D Sensor with IPS. It must be managed with a Defense Center (appliance-based or virtual).
\r\nThe Sourcefire Defense Center provides a centralized management interface for the Sourcefire 3D System. The Defense Center provides the administrative functionality through a web-based GUI (WebUI). The Defense Center is used to manage the full range of sensors (virtual and appliance-based) that are a part of the Sourcefire 3D System, and to aggregate, analyze, and respond to the threats they detect on the monitored network. The Sourcefire 3D System has the capability of using an external LDAP or RADIUS server for user authentication in a configuration that uses a Defense Center.
\r\nThe Sourcefire Virtual Defense Center is a software-only version of the Sourcefire Defense Center that runs within a VMware virtual environment. The Virtual Defense Center runs on any platform that supports VMware’s ESX/ESXi Version 4.1 hypervisor. A Virtual Defense Center can manage both physical and virtual sensors.
\r\nThe Sourcefire 3D System is able to audit the use of the administration/management functions. This function records attempts to access the system itself, such as successful and failed authentication, as well as the actions taken by TOE users once they are authenticated.
","evaluation_configuration":"Sourcefire markets an integrated Enterprise Threat Management (ETM) solution. To provide the entire ETM solution, Sourcefire 3D System integrates four core products: Sourcefire IPS, Sourcefire RNA, Sourcefire RUA, and the Sourcefire Defense Center. Sourcefire offers these products as individual components or as a system to a meet a variety of IT security needs and budgets. Each product is sold separately and requires a separate license to run. This evaluation includes two of the four core products: Sourcefire IPS (the Sourcefire 3D Sensor licensed for IPS and the Sourcefire Virtual 3D Sensor licensed for IPS) and the Sourcefire Defense Center (the appliance-based Sourcefire Defense Center and the Sourcefire Virtual Defense Center).
\r\nThe evaluated configuration consists of the following:
\r\nTesting included configurations that:
\r\nThe evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. The TOE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 3.1 R3.
\r\nThe evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 R3.
\r\nCygnaCom Solutions has determined that the product meets the security criteria in the Security Target, which specifies an assurance level of Evaluation Assurance Level (EAL) 2 augmented with ALC_FLR.2.
\r\nA team of validators, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed on 23 May 2012.
","environmental_strengths":"The following security functions are in the scope of the evaluation:
\r\nThe TOE is able to audit the use of the administration/management functions of the IDS. This audit is separate from the IDS functionality (recording network traffic), and relates specifically to the management functions of the TOE. Only users with the Administrator Role or a Custom User Role with appropriate permissions have access to the audit records and can view and sort the audit records. Suppression lists may be configured during installation and maintenance to limit the events recorded.
\r\nWhen the available audit storage is exhausted, the TOE automatically overwrites the oldest audit events. This ensures that the availability of the most recent audit events is limited only by the size of the audit trail. It is the responsibility of the administrator to perform periodic backups of the audit records (via the WebUI backup function) to prevent loss of data.
\r\nThe TOE requires all users to provide unique identification and authentication data before any access to the system is granted. User identification and authentication is done by the TSF though username/password authentication or optionally through the use of an external authentication server (LDAP or RADIUS) for configurations that include a Defense Center.
\r\nAll authorized TOE users must have a user account with security attributes that control the user’s access to TSF data and management functions. These security attributes include user name, password, and level(s) of authorization (roles) for TOE users. The user account also contains a password strength check attribute. If selected the user’s password must be at least eight alphanumeric characters of mixed case and must include at least one numeric character. It cannot be a word that appears in a dictionary or include consecutive repeating characters. The strength check applies only to user authentication done by the TOE for access to the management GUI; it does not apply to user authentications done by an external LDAP or RADIUS server.
\r\nThe TOE provides a web-based (using HTTPS) management interface for all run-time TOE administration, including the IDS rule sets, user accounts and roles, and audit functions. The ability to manage various security attributes, system parameters and all TSF data is controlled and limited to those users who have been assigned the appropriate administrative role.
\r\nThe TOE also provides a command line interface the use of which must be restricted. This interface is only used for Security Management when creating or modifying Audit Suppression Lists.
\r\nThe TOE ensures that data transmitted between separate parts of the TOE are protected from disclosure or modification. This protection is ensured by transmission of data between the TOE Components over a secure, SSL-encrypted TCP tunnel.
\r\nNote: The cryptography used in this product has not been FIPS certified nor has it been analyzed or tested to conform to cryptographic standards during this evaluation. All cryptography has only been asserted as tested by the vendor.
\r\nThe TOE enhances the functionality of user session establishment by displaying a warning banner upon user login and by displaying information about a user’s last TOE session after a successful login.
\r\nThe TOE has the ability to set rules to govern the collection of data regarding potential intrusions. While the TOE contains default rules to detect currently known vulnerabilities and exploits, new rules can be created to detect new vulnerabilities as well as specific network traffic, allowing the TOE administrators complete control over the types of traffic that will be monitored.
\r\nTo analyze the data collected by the 3D Sensors with IPS and Virtual 3D Sensors with IPS, the TOE uses statistical analysis, signatures, decoders, and preprocessors. Statistical analysis uses rate-base attack prevention features to detect and block denial-of-service (DoS) and distributed denial of service (DDoS) attacks. Signatures are patterns of traffic that can be used to detect potential attacks or exploits. Since many attacks or exploits require several network connections to work, the IDS also provides the ability to detect these more complex patterns through decoders and preprocessors that are included in the TOE. The TOE embodies statistical analysis, signatures, decoders, and preprocessors in rules that can be designed and exercised by the TOE.
\r\nThe TOE administrators can manage the data analysis capabilities of the TOE by adding and editing rules to respond to the latest exploits. In addition, based upon results of analysis, the TOE administrators can trigger alarms for the notification of a problem.
\r\nIDS event logs can only be viewed by authorized TOE users (users with the Administrator or Intrusion Event Analyst Roles). The data stores of the raw collection data are constantly monitored and if they become too full, new records will replace the oldest records to prevent active/current data loss.
\r\nNote: The administrator must perform periodic backups of the event data (via the WebUI backup function) to prevent loss of data.
","features":[]}