Host Intrusion Prevention 6.0.2 EPolicy Orchestrator 3.6.1 (Patch 1)

1y ago
529.89 KB
54 Pages
Last View : 10d ago
Last Download : 5m ago
Upload by : Ronan Garica

Security TargetHost Intrusion Prevention 6.0.2andePolicy Orchestrator 3.6.1 (Patch 1)McAfee System ProtectionIndustry-leading intrusion prevention solutions

Security TargetMcAfee, Incorporatedv9 May 2007TABLE OF CONTENTS1. SECURITY TARGET INTRODUCTION . 11.1 Security Target Reference. 11.1.1 Security Target. 11.1.2 TOE Reference. 11.1.3 Security Target Authors. 11.1.4 Evaluation Assurance Level . 11.1.5 Keywords . 11.2 TOE Overview . 21.2.1 Security Target Organisation . 21.3 Common Criteria Conformance. 21.4 Protection Profile Conformance . 22. TOE DESCRIPTION . 32.1 HIP 6.0.2 Component Overview. 32.1.1 HIP 6.0.2 Windows Agent . 42.1.2 ePolicy Orchestrator (ePO) . 42.2 Physical Boundary . 42.3 Logical Boundary. 52.3.1 System Protection (SYSPROT) . 52.3.2 Audit (AUDIT) . 62.3.3 Identification and Authentication (I&A) . 62.3.4 Management (MGMT). 62.4 HIP 6.0.2 Evaluated Configuration. 62.4.1 Evaluated Configuration . 62.4.2 ePO Configuration . 62.4.3 HIP 6.0.2 Functionality Not Included in the Evaluation . 72.5 TOE Data . 82.6 Rationale for Non-Bypassability and Separation for the TOE . 93. TOE SECURITY ENVIRONMENT. 103.1 Introduction. 103.2 Assumptions. 103.3 Threats. 103.4 Organizational Security Policies. 124. SECURITY OBJECTIVES . 134.1 Security Objectives for the TOE. 134.2 Security Objectives for the IT Environment. 135. IT SECURITY REQUIREMENTS. 155.1 Security Functional Requirements for the TOE. 155.1.1 Security audit (FAU). 165.1.2 Identification and authentication (FIA) . 175.1.3 Security Management (FMT) . 175.1.4 Protection of the TSF (FPT) . 195.1.5 IDS Component Requirements (IDS) . 195.2 Security Functional Requirements for the IT Environment. 21iii

Security TargetMcAfee, Incorporatedv9 May 20075.2.1 Security audit (FAU). 215.2.2 Protection of the TSF (FPT) . 215.2.3 IDS Component Requirements (IDS) . 225.3 Strength of Function for the TOE . 225.4 TOE Security Assurance Requirements. 226. TOE SUMMARY SPECIFICATION . 246.1.1 System Protection (SYSPROT) . 246.1.2 Audit (AUDIT) . 256.1.3 Identification and Authentication (I&A) . 266.1.4 Management (MGMT). 266.2 Assurance Measures. 286.2.1 TOE Security Assurance Requirements. 286.2.2 Rationale for TOE Assurance Requirements. 307. PROTECTION PROFILE CLAIMS. 317.1 Protection Profile Reference . 317.2 Protection Profile Refinements . 317.3 Protection Profile Additions . 318. RATIONALE . 338.1 Rationale for IT Security Objectives . 338.1.1 Rationale Showing Threats to Security Objectives . 348.2 Rationale for Security Functional Requirements (SFRs). 388.2.1 Rationale for Security Functional Requirements of the TOE Objectives. 388.2.2 Rationale for Security Functional Requirements of the IT Environment Objectives. 418.3 Rationale for TOE Summary Specification . 428.4 CC Component Hierarchies and Dependencies. 448.4.1 TOE Security Functional Component Hierarchies and Dependencies . 448.4.2 IT Environment Security Functional Component Hierarchies and Dependencies . 468.5 PP Claims Rationale . 468.6 Strength of Function Rationale . 46iv

Security TargetMcAfee, Incorporatedv9 May 2007LIST OF FIGURESFigure 1 -HIP 6.0.2 Components. 4Figure 2 -Physical Boundary . 5v

Security TargetMcAfee, Incorporatedv9 May 2007LIST OF TABLESTable 1 -Hardware and Network Components Required for ePO Server . 6Table 2 -Software Components and Requirements for the ePO Server . 7Table 3 -TOE Data . 8Table 4 -Intended Usage Assumptions. 10Table 5 -Physical Assumptions . 10Table 6 -Personnel Assumptions. 10Table 7 -TOE Threats. 11Table 8 -IT System Threats . 11Table 9 -Organizational Security Policies. 12Table 10 -Information Technology (IT) Security Objectives . 13Table 11 -Security Objectives of the IT Environment . 13Table 12 -TOE SFRs . 15Table 13 -Auditable Events. 16Table 14 -TSF Data Access Permissions . 18Table 15 -System Data Collection Events and Details. 19Table 16 -System Data Access. 20Table 17 -IT Environment SFRs . 21Table 18 -TOE Security Assurance Requirements. 22Table 19 -Management Capabilities. 27Table 20 -Assurance Measures. 28Table 21 -Threats and Assumptions to Security Objectives Mapping. 33Table 22 -Threats to Security Objectives Rationale. 34Table 23 -TOE SFRs to Security Objectives Mapping . 38Table 24 -TOE Security Objectives to SFR Rationale. 39Table 25 -IT Environment SFRs to Security Objectives Mapping . 41Table 26 -TOE Security Objectives to SFR Rationale. 42Table 27 -SFRs to TOE Security Functions Mapping . 42Table 28 -SFR to SF Rationale. 43Table 29 -TOE SFR Dependency Rationale . 45Table 30 -IT Environment SFR Dependency Rationale . 46vi

Security TargetMcAfee, Incorporatedv9 May 2007ACRONYMS LISTACL. Access Control ListCC . Common CriteriaEAL3. Evaluation Assurance Level 3GUI .Graphical User InterfaceI&A . Identification and AuthenticationIP . Internet ProtocolIT. Information TechnologyNIAP . National Information Assurance PartnershipPP . Protection ProfileSF .Security FunctionSFP. Security Function PolicySOF . Strength of FunctionST. Security TargetTOE. Target of EvaluationTSC . TOE Scope of ControlTSF. TOE Security FunctionTSFI . TSF InterfaceTSP. TOE Security Policyvii

Security TargetMcAfee, Incorporatedv9 May 2007CHAPTER 11. Security Target IntroductionThis Security Target (ST) describes the objectives, requirements and rationale forMcAfee Host Intrusion Prevention (HIP) v6.0.2 and ePolicy Orchestrator (ePO) v3.6.1(Patch 1). The language used in this Security Target is consistent with the CommonCriteria for Information Technology Security Evaluation, Version 2.3, the ISO/IEC JTC1/SC27, Guide for the Production of PPs and STs, Version 0.9, and all internationalinterpretations through November 27, 2006. As such, the spelling of terms is presentedusing the internationally accepted English.1.1 Security Target ReferenceThis section provides identifying information for the McAfee Host Intrusion Prevention(HIP) v6.0.2 and ePolicy Orchestrator (ePO) v3.6.1 (Patch 1) Security Target by definingthe Target of Evaluation (TOE).1.1.1 Security TargetMcAfee Host Intrusion Prevention (HIP) v6.0.2 and ePolicy Orchestrator (ePO) v3.6.1(Patch 1) Security Target, document number SV-0706-001(9), dated April 4, 2007.1.1.2 TOE ReferenceMcAfee Host Intrusion Prevention (HIP) v6.0.2 and ePolicy Orchestrator (ePO) v3.6.1.(Patch 1) The system is hereafter collectively referred to as HIP Security Target AuthorsCOACT, Inc.1.1.4 Evaluation Assurance LevelAssurance claims conform to EAL3 (Evaluation Assurance Level 3) from the CommonCriteria for Information Technology Security Evaluation, Version KeywordsAgent(s)Agent(s) refer to the HIP 6.0.2 Agents for systemsrunning the Windows operating system.ExceptionDefines a set of attributes that instructs the Agent to notenforce a rule or policy, resulting in an Event not beinggenerated.Policy FileEach Signature is assigned a Security Level. ThePolicy File defines the Reaction to take for a specificSecurity Level. Each Policy File entry includes theReaction to take if a signature of that severity leveloccurs.ReactionA Reaction is defined in a Policy File. It defines theaction (Prevent, Log, or Ignore) the Agent is to take perEvent Severity Level (High, Medium, Low,Information).1

Security TargetMcAfee, Incorporatedv9 May 2007Severity LevelThe available Severity Levels available are: High,Medium, Low, or Information.SignatureSignatures are patterns that indicate a potential securityviolation.Signature FileAgents are installed with a Signature File that containsa list of Signatures. The Agents intercept operatingsystem calls and network packets and compare them tothe Signatures File1.2 TOE OverviewThis Security Target defines the requirements for the HIP 6.0.2. The TOE is a host-basedintrusion prevention system, designed to protect system resources and applications andincludes a host based management system that provides management and monitoringfunctionality.1.2.1 Security Target OrganisationChapter 1 of this ST provides introductory and identifying information for the TOE.Chapter 2 describes the TOE and provides some guidance on its use.Chapter 3 provides a security environment description in terms of assumptions, threatsand organisational security policies.Chapter 4 identifies the security objectives of the TOE and of the InformationTechnology (IT) environment.Chapter 5 provides the TOE security and functional requirements, as well asrequirements on the IT environment.Chapter 6 is the TOE Summary Specification, a description of the functions provided bythe HIP 6.0.2 to satisfy the security functional and assurance requirements.Chapter 7 identifies claims of conformance to a registered Protection Profile (PP).Chapter 8 provides a rationale for the security objectives, requirements, TOE summaryspecification and PP claims.1.3 Common Criteria ConformanceThis ST is compliant with the Common Criteria (CC) Version 2.3 assurance requirements(Part 3) for EAL3. This ST uses explicitly stated functional requirements in addition tofunctional requirements drawn from CC Version 2.3 (Part 2).1.4 Protection Profile ConformanceThe TOE claims conformance to the Intrusion Detection System System ProtectionProfile, Version 1.6, dated April 4, 2006.2

Security TargetMcAfee, Incorporatedv9 May 2007CHAPTER 22. TOE DescriptionThis section provides the context for the TOE evaluation by identifying the product typeand describing the evaluated configuration.2.1 HIP 6.0.2 Component OverviewHIP 6.0.2 is a host-based intrusion prevention system designed to protect systemresources and applications. It works to intercept system calls prior to their execution andnetwork traffic prior to their processing. If the HIP Agent determines that a call or packetis symptomatic of malicious code, the call or packet can be blocked and/or an audit logcreated; if it determines that a call or packet is safe, it is allowed.There are two components of the TOE:A)B)HIP 6.0.2 Agents running on any of the following platforms:1)Windows 2000 Advanced Server with Service Pack 1, 2, 3, or 42)Windows 2000 Datacenter Server with Service Pack 1, 2, 3, or 43)Windows 2000 Professional with Service Pack 1, 2, 3, or 44)Windows 2000 Server with Service Pack 1, 2, 3, or 45)Windows NT 4.0 Enterprise Server, with Service Pack 6 or 6a6)Windows NT Server 4.0 with Service Pack 6 or 6a7)Windows NT Workstation 4.0 with Service Pack 6 or 6a8)Windows Server 2003 Enterprise with Service Pack 19)Windows Server 2003 Standard with Service Pack 110)Windows Server 2003 Web with Service Pack 111)Windows XP Home with Service Pack 1 or 212)Windows XP Professional with Service Pack 1 or 2ePolicy Orchestrator (ePO) running on any of the following platforms:1)Windows 2000 Advanced Server with Service Pack 3 or later2)Windows 2000 Server with Service Pack 3 or later3)Windows Server 2003 Enterprise4)Windows Server 2003 Standard5)Windows Server 2003 Web3

Security TargetMcAfee, Incorporatedv9 May 2007Figure 1 - HIP 6.0.2 ComponentsHIP AgentsePO2.1.1 HIP 6.0.2 Windows AgentThe HIP 6.0.2 Windows Agent (hereafter referred to as Agent) provides a protectionlayer that identifies and prevents malicious attempts to compromise a host. Agentsoftware is installed on the host to be protected. Agents are operating system specific;only the Windows Agent is included in this evaluation.2.1.2 ePolicy Orchestrator (ePO)In addition to the Agent, the TOE includes ePolicy Orchestrator (ePO) version 3.6.1(Patch 1). ePO distributes and manages agents that reside on client systems. By usingePO you can manage a large enterprise network. A centralized but distributedarchitecture allows the Agent software to be centrally managed and yet decrease networktraffic required to manage clients. ePO provides the management interface andfunctionality for the administrators of the TOE. It also provides centralized auditcollection and review functionality.2.2 Physical BoundaryThe physical boundary of the TOE includes the Agent software and ePO software.Hardware is not included. The SQL Database and JAVA runtime library, JDBC Driver,HTTP Server and Crystal Reports software that are used by the Management Server arenot included in the TOE. The PGP SDK software used on both the Management Serverand Agent system for TLS is not included in the TOE. The following figure representsthe physical boundary of the TOE. The TOE components are shaded.4

Security TargetMcAfee, Incorporatedv9 May 2007Figure 2 - Physical BoundaryManagement HostBrowserOperatingSystemNetwork DriversePO ServerDBMSJAVA RuntimeEnvironmentePOPGP SDKJDBCDriverCrystalReportse PODatabaseWEBServer(IIS)Windows Server Operating SystemNetwork DriversNetwork DriversAgent HostWindowsAgentPGP SDK2.3 Logical BoundaryThe logical boundaries of the TOE are defined by the functions provided by the TOE andare described in the following sections.2.3.1 System Protection (SYSPROT)The Agents are host based intrusion prevention systems designed to protect systemresources and applications from attacks. The Agents accomplish this by interceptingoperating system calls and comparing them to signatures symptomatic of known attacksand behavioral rules. The Agents also inspect network traffic by comparing packets tosignatures symptomatic of known attacks. If a potential security violation is detected, thesystem call or network traffic may be allowed to proceed or be blocked. An audit eventmay also be generated.5

Security TargetMcAfee, Incorporatedv9 May 20072.3.2 Audit (AUDIT)The TOE generates audit records upon detection of a potential security violation orsystem configuration events. The audit records can be viewed by an authorized user.The TOE audit functionality includes the ability to configure what auditable eventsactually generate audit records.2.3.3 Identification and Authentication (I&A)The TOE requires users to identify and authenticate themselves before accessing the TOEsoftware or before viewing any TSF data or configuring any portion of the TOE. Noaction can be initiated before proper identification and authentication. Each TOE userhas security attributes associated with their user account that defines the functionality theuser is allowed to perform.2.3.4 Management (MGMT)The TOE’s Management Security Function provides administrator functionality thatenables a human user to configure and manage TOE components. Configurationfunctionality includes enabling a user to modify TSF Data used by the TOE’s SecurityFunctional Policies (SFPs). Management functionality includes invocation of TOEfunctions that effect security functions and security function behavior.2.4 HIP 6.0.2 Evaluated Configuration2.4.1 Evaluated ConfigurationThe Agents are available in multiple variants, each running on a different operatingsystem. However, only the Windows variant is included in this evaluation. Theevaluated configuration includes one or more Agents (for one or more of the operatingsystems); an instance of the Management Server installed with both subsystems of theManagement Server software and an additional instance of the Management SystemConsole on a separate system. Specifically the items of the evaluated configuration are:A)One or more HIP 6.0.2 Windows AgentsB)ePO Server – A single dedicated Windows workstation running ePOv3.6.1 (Patch 1)2.4.2 ePO ConfigurationePO operates as a distribution system and management system for a client-serverarchitecture offering components for the server part of the architecture (not the clients).The hardware and network components and configuration requirements for the ePOserver (outside the scope of the TOE) are listed in the following table.Table 1 - Hardware and Network Components Required for ePO ServerHardware and Network Environment RequirementsFree disk space500MBProcessorIntel Pentium II-class or higher; 450MHz or higherMemory512mb RAM6

Security TargetMcAfee, Incorporatedv9 May 2007Hardware and Network Environment RequirementsMonitor1024 x 768; 256 color, VGA monitorNICNetwork Interface Card with 100mb capacityFile systemNTFS partitionIP AddressStatic IP AddressThe ePO server also requires a DBMS that is part of the IT environment.Software and operating system components (outside the scope of the TOE) that arerequired for the ePO server are listed in the following table.Table 2 - Software Components and Requirements for the ePO ServerSoftware Components and Requirements of the EnvironmentMicrosoft SQL Server 2000 Standard with SP 3DBMS (one of the followingis required)Microsoft SQL Server 2000 Enterprise with SP 3Microsoft SQL Server 7 Standard with SP 3 or 4Microsoft SQL Server 7 Enterprise with SP 3 or 4BrowserMicrosoft Internet Explorer v6.0Domain ControllerThe server must have a trust relationship with the Primary DomainController (PDC) on the network.JAVA Runtime EnvironmentJRE 1.4.2 09JDBC DriverjTDS driver 1.2Crystal Reports8.0/8.5Agent-ServerCommunicationApache 2.0.54Web ServerApache 2.0.54Application ServerTomcat 4.1.30TLSPGP SDK 3.5.3In addition, the following configuration options must be selected for the evaluatedconfiguration:A)All user accounts defined in ePO must specify ePO authentication (ratherthan NT authentication)2.4.3 HIP 6.0.2 Functionality Not Included in the EvaluationThe functionality of HIP 6.0.2 that is not included in the evaluation is described below:A)Firewall functionality (some government users require firewallfunctionality to be disabled unless it has been evaluated against one of thefirewall PPs at EAL4 or Medium Robustness). Application Blockingfunctionality is associated with the firewall functionality and is alsoexcluded.7

Security TargetMcAfee, IncorporatedB)Custom signatures and policies.C)Importing configurations.D)HIP Solaris Agents.E)HIP Linux Agents.v9 May 20072.5 TOE DataTOE data consists of both TSF data and user data (information). TSF data consists ofauthentication data, security attributes, and other generic configuration information.Security attributes enable the TOE to enforce the security policy. Authentication dataenables the TOE to identify and authenticate users.Users are administrators that manage the TOE.Table 3 - TOE DataNameDescriptionADUAGEApplicationProtection ListsList of processes that are explicitly enabled or disabledfor performing user-level hookingConsole UserAccountPermissionsList of sites that Site Administrators and Site Reviewersmay accessConsole UserAccount TypeEach user account defined in ePO must be defined as aGlobal Administrator, Global Reviewer, SiteAdministrator or Site Reviewer.Console User IDUserid for a console userConsole UserPasswordPassword for a console userExceptionsMechanism to refine the signature matches to eliminatefalse positivesXIPS OptionsPer-Agent mode for operation of the IPS processing,may be ON for normal operation or configured forAdaptive modeXIPS PoliciesUsed to configure the reaction to signature matchesXIPS ProtectionPoliciesPer-Agent reaction specified for each of the severitylevels that can be specified in signatures.SignaturesCollection of system call events or network trafficindicative of malicious codeSitesLogical grouping of systems that Site Administratorsand Site Reviewers may be granted permissions forSystem EventAuditConfigurationConfiguration to determine which management actionscreate audit eventsTrustedApplicationsMechanism to refine the signature matches to eliminatefalse positivesXXXXXLegend: AD Authentication data; UA User attribute; GE Generic Config. Information8XXX

Security TargetMcAfee, Incorporatedv9 May 20072.6 Rationale for Non-Bypassability and Separation for the TOEThe responsibility for non-bypassability and non-interference is split between the TOEand the IT Environment. HIP components are software only products and therefore thenon-bypassability and non-interference claims are dependent upon hardware and OSmechanisms. The TOE runs on top of the IT Environment supplied OSs.Non-bypassabilityThe TOE ensures that the security policy is applied and succeeds before furtherprocessing is permitted whenever a security relevant interface is invoked: theinterfaces are well defined and insure that the access restrictions are enforced.Non-security relevant interfaces do not interact with the security functionality ofthe TOE. The TOE depends upon OS mechanisms to direct the system calls andnetwork packets to the TOE for examination.Non-interferenceThe TOE is implemented with well defined interfaces that can be categorized assecurity relevan

Security Target McAfee, Incorporated v9 May 2007 CHAPTER 1 1. Security Target Introduction This Security Target (ST) describes the objectives, requirements and rationale for McAfee Host Intrusion Prevention (HIP) v6.0.2 and ePolicy Orchestrator (ePO) v3.6.1 (Patch 1). The language used in this Security Target is consistent with the Common

Related Documents:

Intrusion Prevention: Signature Policies 201 Intrusion Prevention: Signature Policies - New 203 Intrusion Prevention: Sensors 204 Intrusion Prevention: Sensor - New 205 Intrusion Prevention: Sensor - Associating Sensor to a Firewall Policy 206 Intrusion Prevention: Alerts and Reports 208 Intrusion Prevention: View Rule File 210

c. Plan, Deploy, Manage, Test, Configure d. Design, Configure, Test, Deploy, Document 15. What are the main types of intrusion detection systems? a. Perimeter Intrusion Detection & Network Intrusion Detection b. Host Intrusion Detection & Network Intrusion Detection c. Host Intrusion Detection & Intrusion Prevention Systems d.

McAfee System Protection Industry-leading intrusion prevention solutions. Product Guide . McAfee Host Intrusion Prevention is a host-based intrusion detection and prevention .

Intrusion Detection System Objectives To know what is Intrusion Detection system and why it is needed. To be familiar with Snort IDS/IPS. What Is Intrusion Detection? Intrusion is defined as “the act of thrusting in, or of entering into a place or state without invitation, right, or welcome.” When we speak of intrusion detection,

threats to your security policies. And intrusion prevention is the process of per - forming intrusion detection and then stopping the detected incidents. These security measures are available as intrusion detection systems (IDS) and intrusion prevention systems (IPS), which become part of your network to detect and stop potential incidents.

This chapter presents the corresponding research work on the intrusion detection and intrusion prevention in large-scale high-speed network environment and is organized as follows: firstly, a distributed extensible intrusion prevention system is provided, then various packet selection models for intrusion detection systems based-on sampling are

Step 1.1. Create Intrusion Policy To configure Intrusion Policy, login to Adaptive Security Device Manager (ASDM) and complete these steps: Step 1. Navigate to Configuration ASA FirePOWER Configuration Policies Intrusion Policy Intrusion Policy. Step 2. Click the Create Policy. Step 3. Enter the Name of the Intrusion Policy. Step 4.

called as behaviour-based intrusion detection. Fig. 2: Misuse-based intrusion detection process Misuse-based intrusion detection is also called as knowledge-based intrusion detection because in Figure 2. it depicts that it maintains knowledge base which contains the signature or patterns of well-known attacks. This intrusion