1
National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Validation Report
Top Layer Networks IPS 5500 E Version 5.21
Models IPS 5500-150E, IPS 5500-500E, and IPS 5500-1000E
Report Number: CCEVS-VR-VID10302-2009
Dated: April 10, 2009
Version: Version 1.0
National Institute of Standards and Technology National Security Agency
Information Technology Laboratory Information Assurance Directorate
100 Bureau Drive 9800 Savage Road STE 6757
Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6757
2
ACKNOWLEDGEMENTS
Validation Team
Franklin Haskell
Jean Hung
MITRE Corporation
Bedford, MA
Common Criteria Testing Laboratory
Sai Pulugurtha
Aruna Gandreti
Gary Grainger (Ashton Security Laboratories)
CygnaCom Solutions
McLean, VA
3
Table of Contents
1.0 Executive Summary .................................................................................................................................... 5
2.0 Identification ............................................................................................................................................... 6
3.0 Security Policy ............................................................................................................................................ 7
3.1 Security Audit...................................................................................................................................... 7
3.2 User Data Protection............................................................................................................................ 7
3.3 Identification and Authentication........................................................................................................ 7
3.4 Security Management.......................................................................................................................... 8
3.5 Protection of TOE Security Functions................................................................................................. 8
3.6 Trusted Path/Channels......................................................................................................................... 8
4.0 Assumptions and Clarification of Scope................................................................................................... 10
4.1 Usage Assumptions ........................................................................................................................... 10
4.2 Personnel Assumptions ..................................................................................................................... 10
4.3 Environmental Assumptions ............................................................................................................. 10
4.4 Clarification of Scope........................................................................................................................ 11
5.0 Architectural Information.......................................................................................................................... 11
6.0 Documentation .......................................................................................................................................... 14
7.0 IT Product Testing..................................................................................................................................... 16
7.1 Developer Testing ............................................................................................................................. 17
7.2 Evaluator Independent Testing.......................................................................................................... 17
7.2.1 Test Hardware................................................................................................................................ 17
7.2.2 Test Software................................................................................................................................. 19
7.3 Strategy for Devising Test Subset ..................................................................................................... 19
7.4 Coverage Provided by Devised Test Subset...................................................................................... 20
8.0 Evaluated Configuration............................................................................................................................ 20
9.0 Results of Evaluation................................................................................................................................. 22
10.0 Validator Comments/Recommendations................................................................................................... 24
11.0 Security Target.......................................................................................................................................... 24
4
12.0 List of Acronyms....................................................................................................................................... 24
13.0 Bibliography.............................................................................................................................................. 25
List of Figures
Figure 1— IPS Unit’s Security ........................................................................................................................... 6
Figure 2—TOE Multi-Stage Architecture......................................................................................................... 13
Figure 3- Test Configuration without Cluster................................................................................................... 18
Figure 4- Evaluated Configuration (with High Availability) from ST ............................................................. 21
Figure 5- Evaluated Configuration (without High Availability) from ST ........................................................ 22
List of Tables
Table 1—TOE Security Functional Requirements ...................................................................................... 8
Table 2— Environment Security Functional Requirements....................................................................... 9
Table 3—Acronym and Document Title...................................................................................................... 14
Table 4—Acronym and Document Title...................................................................................................... 24
5
1.0 Executive Summary
This Validation Report (VR) documents the evaluation and validation of the product Top Layer Networks
IPS 5500 E Version 5.21 on Models IPS 5500-150E, IPS 5500-500E, and IPS 5500-1000E.
This VR is not an endorsement of the IT product by any agency of the U.S. Government and no warranty
of the IT product is either expressed or implied.
The Top Layer IPS 5500 E is a single-appliance security gateway Intrusion Protection System. The IPS
Unit provides network-level and application-level protection to a network from good, bad and suspicious
traffic. The TOE acts as an inline single-appliance security gateway providing three-dimensional
protection to stop resource abuse, prohibit access to unauthorized clients and stop malicious content from
entering the protected network. Top Layer’s s ASIC technology and algorithms integrate stateful analysis
techniques with deep packet inspection chip set and DoS (Denial of Service) attack protection to provide
protection from Internet-based and internal threats. The difference between the TOE and a typical IDS is
that the TOE (IPS Unit) is deployed inline and not in an offline or a passive mode.
The TOE may be configured to:
- Handle IP fragments, TCP header and Payload.
- Implement firewall rules.
- Perform protocol analysis.
- Perform deep packet inspections.
- Handle network and security management.
- Process events, logging, and reports.
The primary design goal of the TOE is reliable protection of customer’s critical on-line assets. The IPS
aspect of the TOE security policy may be configured based on the following three types of rules. The
rules guide the following types of security checks:
Firewall Rules — Provide classic firewall blocking for traffic, based on IP addresses,
Layer 4 ports, and segments (port pairs).
IPS Rules — Provide the following types of checks:
• Protocol validation
• Attack Signatures
• Acceptable use of network application
Rate Based Rules — Protect your resources from overuse by legitimate users, as well as
abusive denial-of-service attackers. Provide limits for:
• Client requests
• Connections for both clients and servers
• SYN Flood controls
• Application rate limiting
6
Figure 1— IPS Unit’s Security
The evaluation was performed by the CygnaCom Common Criteria Testing Laboratory (CCTL), and was
completed during February 2009. The information in this report is derived from the Evaluation Technical
Report (ETR) and associated test reports, all written by the CygnaCom CCTL. The evaluation team
determined that the product is Common Criteria version 2.3 [CC] Part 2 extended and Part 3 conformant,
and meets the assurance requirements of EAL 4 from the Common Methodology for Information
Technology Security Evaluation, Version 2.3, [CEM]. The product is not conformant with any published
Protection Profiles, but rather is targeted to satisfying specific security objectives.
The evaluation and validation were consistent with National Information Assurance Partnership (NIAP)
Common Criteria Evaluation and Validation Scheme (CCEVS) policies and practices as described on
their web site www.niap.ccevs.org. The Security Target (ST) is contained within the document ―Top
Layer Networks IPS 5500 E Security Target, Version .1.1‖, dated April 10, 2009.
2.0 Identification
Target of Evaluation: Top Layer Networks IPS 5500 E Version 5.21 software running on an IPS 5500
E series hardware platform.
The IPS 5500 series product line includes the following hardware models:
- IPS 5500-150E,
- IPS 5500-500E and
- IPS 5500-1000E
Evaluated Software: IPS 5500 E Version 5.21
Developer: Top Layer Networks, 2400 Computer Drive, Westboro, MA 01581
CCTL: CygnaCom Solutions
Suite 5200
7
7925 Jones Branch Drive
McLean, VA 22102
Evaluators: Sai Pulugurtha, Aruna Gandreti, Gary Grainger
Validation Scheme: National Information Assurance Partnership CCEVS
Validators: Franklin Haskell, Jean Hung, Brad O’Neill
CC Identification: Common Criteria for Information Technology Security Evaluation,
Version 2.3, August 2005
CEM Identification: Common Methodology for Information Technology Security Evaluation,
Version 2.3, August 2005
3.0 Security Policy
The TOE’s security policy is expressed in the security functional requirements identified in the section
5.1 in the ST. Potential users of this product should confirm that functionality implemented is suitable to
meet the user’s requirements. A description of the principle security policies is as follows:
3.1 Security Audit
During the process of receiving and transmitting traffic, the TOE performs many checks and other
operations. Some of these operations, system events and user-related management interface tasks produce
event messages. The IPS Unit contains a message managing system that makes these messages available
based on the message controls established. These messages are collected as audit records in Alert logs and
Event Log files. The TOE may also be configured to send messages to remote Syslog and SNMP servers.
Only human users with authorized administrator or monitor privileges have the capability to view the
audit data stored on the TOE.
3.2 User Data Protection
The TOE performs user data protection through the rate based security policy, the firewall filtering
security policy and the intrusion prevention security policy. The TOE identifies external IT entities and
remote administrator systems by their presumed IP addresses. Only legitimate external IT entities and
authorized administrator systems are granted access to pass information through the TOE or to the TOE.
3.3 Identification and Authentication
The TOE provides a password based authentication mechanism to administrators and monitors.
The TOE communicates with the remote web browser of the administrator using the HTTPS protocol in
order to encrypt the user id and password authentication data and all configuration information to
maintain secrecy from an attacker. IT Entities are identified by their presumed IP addresses. Access to
security functions and data is prohibited until a user is identified and authenticated.
8
3.4 Security Management
The TOE maintains administrator and monitor user management roles.
The TOE allows only authorized users with appropriate privileges to administer and manage the TOE. An
administrative user can connect through an encrypted web interface using SSL for secrecy. Only
authorized administrators may modify the TSF data related to the TSF, security attributes, and
authentication data.
3.5 Protection of TOE Security Functions
The TOE transfers all the packets passing through the TOE only after processing the traffic based on the
traffic attributes.
The TOE restricts management access to physically separate management interfaces and further by
requiring users to log into the TOE using its GUI. HTTPS is used to protect the connection between the
web browser in the IT Environment and the appliance. The TOE relies on Top Layer appliance hardware
in general to ensure the TSP is enforced and to provide for domain separation. The TOE hardware
appliance includes its own hardware clock, which provides reliable time stamps for use in audit and
collected data records.
3.6 Trusted Path/Channels
The TOE, in conjunction with the IT environment, protects the TSF data from unauthorized disclosure or
modification of TSF data when it is being transmitted between the IPS Unit and the management GUI on
the remote management station.
A summary of the SFRs for the TOE and IT environment are included in the following tables. Note that
_EXP in the SFR ID indicates explicitly specified requirements.
Table 1—TOE Security Functional Requirements
Item SFR ID SFR Title
1
FAU_GEN.1 Audit data generation
2
FAU_GEN.2 User identity association
3
FAU_SAA.1 Potential violation analysis
4
FAU_ARP.1 Security alarms
5
FAU_SAR.1 Audit review
6
FAU_SAR.3 Selectable Audit Review
7
FAU_SEL.1 Selective Audit
8
FAU_STG.1 Protected Audit Trail Storage
9
Item SFR ID SFR Title
9
FDP_IFC.1(1) Subset information flow control (1)
10
FDP_IFF.1(1) Simple security attributes (1)
11
FDP_IFC.1(2) Subset information flow control (2)
12
FDP_IFF.1(2) Simple security attributes (2)
13
FIA_AFL.1 Authentication failure handling
14
FIA_ATD.1 User attribute definition
15
FIA_UAU.1 Timing of Authentication
16
FIA_UAU.7 Protected authentication feedback
17
FIA_UID.2 User identification before any action
18
FMT_MOF.1 Management of security functions behaviour
19
FMT_MSA.3 Static attribute initialization
20
FMT_MSA.1 Management of security attributes
21
FMT_SMF.1 Specification of Management Functions
22
FMT_MTD.1 Management of TSF data
23
FMT_SMR.1 Security roles
24
FPT_TST.1 TSF Self-Testing
25
FPT_FLS.1 Failure with preservation of secure state
26
FPT_RVM_EXP.1 Partial Non-bypassability of the TSP
27
FPT_SEP_EXP.1 Partial TSF domain separation
28
FPT_STM_EXP.1 Reliable time stamps
29
FTP_TRP.1 Trusted Path
Table 2— Environment Security Functional Requirements
Component Component Name
1 1
FAU_STG_ENV.1 Partial protected audit trail storage
2
FIA_UAU_ENV.1 User Authentication before any action
10
Component Component Name
3
FIA_UID_ENV.1 User identification before any action
4
FPT_RVM_ENV.1 Partial non-bypassability of the TSP
5
FPT_SEP_ENV.1 Partial TSF domain separation
6
FPT_STM_ENV.1 Partial reliable time stamps
4.0 Assumptions and Clarification of Scope
4.1 Usage Assumptions
A.CONNECT The TOE is installed and operated on a network and separates the network into external,
internal and management networks. Information cannot flow between the external and
internal networks without passing through the TOE.
A.BACKUP Administrators will back up the audit files, configuration files and monitor disk usage to
ensure audit information is not lost.
4.2 Personnel Assumptions
A.NOEVIL There will be one or more competent individuals assigned to manage the TOE and the
security of the information it contains. The authorized administrators are not careless,
willfully negligent, or hostile, and will follow and abide by the instructions provided by
the TOE documentation.
A.AUTH It is assumed that administrators will protect their authentication data.
4.3 Environmental Assumptions
A.PHYSICAL The TOE hardware and software critical to security policy enforcement will be protected
from unauthorized physical modification and the processing resources of the TOE will be
located within controlled access facilities, which will prevent unauthorized physical
access.
11
4.4 Clarification of Scope
All evaluations (and all products) have limitations, as well as potential misconceptions that need
clarifying. This text covers some of the more important limitations and clarifications of this evaluation.
Note that:
1. As with any evaluation, this evaluation only shows that the evaluated configuration meets the security
claims made, with a certain level of assurance (EAL 4 in this case).
2. This evaluation only covers the specific version identified in this document, and not any earlier or
later versions released or in process.
3. As with all EAL 4 evaluations, this evaluation did not specifically search for, nor seriously attempt to
counter, vulnerabilities that were not ―obvious‖ or vulnerabilities to objectives not claimed in the ST.
The CEM defines an ―obvious‖ vulnerability as one that is easily exploited with a minimum of
understanding of the TOE, technical sophistication and resources.
4. The TOE depends on the IT environment partially to provide the capability to read the audit records,
protect audit information, user identification and authentication before action, run a suite of tests,
reliable time stamps, non-bypassability, and TSF domain separation.
5. The following features do not contribute to meeting any of the Security Functional Requirements
(SFRs) and are not included in the TOE scope:
o VLAN Support
o Management of the IPS with an IPS Controller, Command Line Interface over Telnet and SNMP
(Get function)
o Usage of the TOE with other Top Layer supporting products (Network Security Analyzer, IPS
Controller, TopResponse Software)
Note: The functionality/protocol used by the TopResponse product to automatically update signatures is
included in the scope of the evaluation. The TSFI for this functionality is included in the scope of the
evaluation, documented in the FSP and is verified during testing. Hence the capability of the TOE to
download latest set of ―TopLayer Protection Packs‖ is included in the Scope of the evaluation.
o Usage of Graphs, Reports and Statistics
The ST provides additional information on the assumptions made and the threats countered.
5.0 Architectural Information
The TOE architecture offers network-level and application-level protection along with the flexibility to
integrate application-specific protection mechanisms. Top Layer’s ASIC technology provides the high-
performance base required for protecting against internet based and internal threats. The TOE provides
stateful analysis firewall technology to provide network level protection, identifying undesired access,
illegal packets, illegal headers, and various network attacks. Top Layer’s denial-of-service protection
12
algorithms are used by the TOE to protect against flood-based attacks, such as ICMP, UDP, and TCP
SYN Floods.
The TOE uses a packet inspection chip set to provide application-level protection against exploits of
critical vulnerabilities, including worms and application-level attacks.
The TOE is composed of the following logical subsystems:
- IP/ARP Bad Packet Filters
- L2 Filters
- DDos Filters
- Resource Limit Filters
- Stateful Analysis
- Firewall Filters
- Protocol Validation
- Content Inspection
Each subsystem performs a set of specific checks
These specific checks, or rules, and their associated actions, make up the subsystem’s security policy. The
IPS unit organizes the subsystems in a particular order so that traffic that is filtered by an earlier
subsystem is never seen by the later subsystems. The various subsystems work together to provide the
three-dimensional security protection
13
Figure 2—TOE Multi-Stage Architecture
The TOE depends on the IT Environment for the following security functions:
- Web browser – Used to access TOE administrative interfaces, including displaying alerts, reports,
statistics, diagnostics and security logs
- SMTP, SNMP, Syslog servers – To receive audit events generated by the TOE
- NTP server – Used to set TOE hardware clock
14
The external IT entities send and receive network traffic through the TOE. Packet Capture Systems
receive packets from Capture, Discard and Mirror Ports.
6.0 Documentation
CC Evaluation Evidence:
Note: An asterisk (*) indicates that the document is provided to the customers.
Table 3—Acronym and Document Title
Acronym Document Title
FSP IPS 5500 E-Series: Functional Specification For Common Criteria EAL4 Evaluation
Version 1.2 14-November-2008
Remote Management Protocol for Top Layer Applications April 3, 2008 Version 2.0
HLD, LLD IPS 5500 E-Series:High Level Design Low Level Design For Common Criteria EAL4
Evaluation Version 1.6, 19-November-2008
TAT IPS 5500 E-Series: Development Tools For Common Criteria EAL4 Evaluation Version 0.2
30-June-2008
LCD IPS 5500 E-Series: Developer Life Cycle Model For Common Criteria EAL4 Evaluation
Version 0.6 30-October-2008
COV_DPT IPS 5500 E-Series: Test Coverage (ATE_COV.2) And Depth of Coverage (ATE_DPT.1)
For Common Criteria EAL4 Evaluation Version 0.6 11-November-2008
TP IPS 5500 E-Series: Test Plan For Common Criteria EAL4 Evaluation Version 1.0 14-
November-2008
TE Testing Evidence
15
Acronym Document Title
TC Test Procedures [TC] :
IPS 5500 V5.21 -- Common Criteria Test Case Audit System Configuration and Audit Data
Viewing
IPS 5500 V5.21 -- Common Criteria Test Case Audit Event Triggers
IPS 5500 V5.21 -- Common Criteria Test Case Installation and Abstract Machine Testing
(Startup Testing)
IPS 5500 V5.21 -- Common Criteria Test Case Software Configuration for Testing
IPS 5500 V5.21 -- Common Criteria Test Case Domain Separation
IPS 5500 V5.21 -- Common Criteria Test Case Firewall, Fragments, Midflows, and other
IPS Checks
IPS 5500 V5.21 -- Common Criteria Test Case Good Traffic does not Trigger Rules
IPS 5500 V5.21 -- Common Criteria Test Case Management Controls
IPS 5500 V5.21 -- Common Criteria Test Case Traffic Cannot Pass Until Checked
IPS 5500 V5.21 -- Common Criteria Test Case Failure with Preservation of Secure State
IPS 5500 V5.21 -- Common Criteria Test Case Protection Cluster
IPS 5500 V5.21 -- Common Criteria Test Case Rate Based Security Features
IPS 5500 V5.21 -- Common Criteria Test Case Reliable Time Stamp
IPS 5500 V5.21 -- Common Criteria Test Case SNMP GET Operation Must Fail
IPS 5500 V5.21 -- Common Criteria Test Case TOP Response Update
IPS 5500 V5.21 -- Common Criteria Test Case Trusted Path
Test_Coverage_Firewall + IPSAug.xls
TestHarnessUserDocumentation.doc
MSU IPS 5500 E-Series: Common Criteria Analysis Guidance For Common Criteria EAL4
Evaluation Version 0.4 20-October-2008
SOF IPS 5500 E-Series: Strength of Function For Common Criteria EAL4 Evaluation Version
0.2 13-August-2008
VA IPS 5500 E-Series: Vulnerability Analysis For Common Criteria EAL4 Evaluation Version
0.5 3-October-2008
ACM IPS 5500 E-Series: Configuration Management For Common Criteria EAL4 Evaluation
Version 0.8 14-August-2008
IPS 5500 Software Build Process, Version 1.0 Issue Date:6-August-2005
Software Release Process Version 1.6 19-June-2008
16
Acronym Document Title
ADO IPS 5500 E-Series: Delivery and Modification Detection For Common Criteria EAL4
Evaluation Version 0.7 18-November-2008
IPS 5500 E-Series: Installation, Generation, and Start-up For Common Criteria EAL4
Evaluation Version 0.2 05-June-2008
AGD IPS 5500 E-SERIES RELEASE NOTES, Software Version: Version V5.21.001, Date Oct
2008
IPS 5500 E-Series: Administrator and User Guidance For Common Criteria EAL4
Evaluation Version 1.0 11-November-2008
Top Layer 5000-Series Hardware Installation Part Number: 990-0183-07 Date: April 2008
IPS 5500 and IPS 5500E Configuration and Management Part Number: 990-0188-09 Date:
February 2008
IPS5500-quick-protection.pdf
MIB text file V1.6 January 24, 2005
IPS Event logging system help
IPS 5500 Online Help Files
DVS IPS 5500 E-Series: Development Security Procedures For Common Criteria EAL4
Evaluation Version 0.6 13-August-2008
7.0 IT Product Testing
At EAL 4, the overall purpose of the testing activity is ―to determine, by independently testing a subset of
the TSF, whether the TSF behaves as specified, and to gain confidence in the developer's test results by
performing a sample of the developer's tests.‖ (ATE_IND.2, 14.9.5.1 [CEM])
At EAL 4, the developer’s test evidence must ―demonstrate the correspondence between the tests
identified in the test documentation and the TSF as described in the functional specification.‖
(ATE_COV.2, 14.9.2.3)
This section describes the testing efforts of the vendor and the evaluation team.
The purpose of the Testing activity was to determine whether the TOE behaves as specified in the design
documentation and in accordance with the TOE security functional requirements specified in the ST.
This section describes the testing efforts of the developer and the evaluation team.
The purpose of the Testing activity was to determine whether the TOE behaves as specified in the design
documentation and in accordance with the TOE security functional requirements specified in the ST.
This section describes the testing efforts of the developer and the evaluation team.
The developer and evaluator independent and penetration testing was conducted at:
Top Layer Networks, 2400 Computer Drive, Westboro, MA 01581
17
The Independent testing was performed over a week period from 1/12/09–1/16/09. Installation Testing
was performed the first day. Developer testing and Evaluator Testing was performed from 1/12/09–
1/16/09. The test plan and results, as well as the evaluation team’s review of the testing in the Evaluation
Technical Report, were well written and complete.
7.1 Developer Testing
The test approach consists of manual and automated tests that were grouped together under the TOE IT
Security Function and SFR being tested. The tests were designed to cover all of the security functions as
described in the SFR and TSS section of the ST.
The test plan & procedures do not cover every possible combination of parameters for a given interface
and every possible combination of parameters for a given security function. However, the test plan &
procedures do stimulate every external interface and all of the security functions.
The individual tests were performed and the results were collected and verified by the developer. The
results were archived, recorded, and sent to the evaluator for review.
The vendor’s testing purposefully intended to cover all the security functions of Security Audit, User Data
Protection, Identification and Authentication, Security Management, Protection of TOE Functions, and
Trusted Path as defined in Section 6 of the ST.
The evaluator determined that the developer’s approach to testing the TSFs was adequate for an EAL4
evaluation.
7.2 Evaluator Independent Testing
The test approach consists of providing full coverage of all the TOE’s security functions between the
developer tests and team-defined functional tests as required under EAL 4.
7.2.1 TEST HARDWARE
Top Layer Networks has provided the test setup for CygnaCom testing. The figure below shows logical
connections. The test setup is intended to be consistent with the available Top Layer test facilities.
CygnaCom has tested both Basic (Single IPS unit) and Protection Cluster (High Availability)
configurations. Evaluators ensured that all models (IPS 5500-150E, IPS 5500-500E, and IPS 5500-
1000E) are tested.
The basic setup is as shown in the Figure below:
18
Linux 1
10.20.30.178
Linux 2
10.20.30.254
Test
Harness
Doc Station
10.20.31.172
10.20.31.48
192.168.1.85
192.168.2.85
Figure 3- Test Configuration without Cluster
An out-of-the-box IPS 5500 E-Series unit issued by Top Layer to the Common Criteria testers
(IPS5500-150E-CC)
o Documentation Kit (software CDs, HW manual, Quick Start Card, welcome letter)
o Power cord (type is based on country shipped to)
o Cable and Mounting Kit (mounting brackets with hardware, Console port cable, Ethernet
cable-regular, Ethernet cable-crossover)
A preconfigured ―Test Harness‖ Linux workstation used as follows:
o Three Network Interface Cards (10.20.31.48/16), (192.168.1.85), (192.168.2.85).
o Perform initial IPS 5500 E-Series setup via the IPS CONSOLE port and the workstation
serial port.
o Access the IPS 5500 E-Series management GUI for TOE configuration and examination.
o Access the Top Layer Test Harness via the network to send targeted PCAP ―bad‖ traffic
through the TOE mission ports 1 and 2. The Top Layer Test Harness is a set of TK/TCL
programs that uses a Top Layer RMP client CLI test program to configure the IPS 5500 E
and tcpreplay to run PCAP’s through the IPS 55000 E. For each PCAP run through the
test harness, it compares the rule fired to the expected rules fired for a given test. A
single test case scripts can run many PCAP files and the test harness will print a result for
each PCAP test executed.
o Two switches connecting different network segments.
o The document station must be at IP address 10.20.31.172/16.
19
o The document station having Wireshark version .99.6a or later installed.
o The Network in the diagram contains one FTP server, one HTTP server and a Linux box running
Fedora Core 5, workstation at 10.20.30.254 on the 10.20.30.0/16 network. The Linux box at
10.20.30.254 contains the Neptune tool (included with test package).
o Two Fedora Core 5 (VM) machines, Linux 1 (10.20.30.178/16) and Linux 2 (10.20.30.254/16),
with Neptune compiled on them. These machines are used for Rate Based testing and other
manual tests. Both machines have SSH and Apache web servers running on them.
7.2.2 TEST SOFTWARE
The Linux station is supplied with the following CC test-related software:
Linux: version 2.6.22.14-72.fe6
Syslog server: version sysklogd 1.4.1, with remote syslog daemon configured.
Mozilla web browser
Putty (terminal emulator): version 0.60
Special Configuration: A Saved Session with TOE access configuration matching the terminal
setup in the Top Layer 5000-Series Hardware Installation [INSTALL] guide.
Java Realtime Engine (JRE): version 1.6.0_06
Java Development Kit (JDK): version JDK 1.6.0_07
AdventNet SNMP API: version 4.0 STD
TCP Replay (packet capture and replay utility): version 3.2.0
Top Layer Test Harness version (manage test traffic and record IPS results) version 1.0
The Client Workstation is supplied with the following CC test-related software:
Wireshark Version .99.6a
Neptune tool
All tools are available at Top Layer facility and are used for Developer tests.
7.3 Strategy for Devising Test Subset
CygnaCom has selected approximately (at least) 90% of the tests Top Layer provided as evaluation
evidence. The tests were selected to exercise security functions from the externally visible TSFI.
The evaluator ensured that the test sample included the tests such that:
- All Security Functions are tested
20
- All interfaces are exercised
- All Security Functional Requirements are tested.
Since the product is an Intrusion Protection System emphasis was on Security Management (SM),
Identification and Authentication functionality (I & A) and Information Flow Control/Security attributes
(FDP_IFC/IFF). The test provided by the developer and the test sample of the developer tests selected
tested security functions at appropriate level of rigor.
CygnaCom’s independent tests augment and supplement the tests Top Layer provided as evaluation
evidence. Again, the emphasis is on the TOE interfaces. The independent tests are and described in detail
in the Test Report and ETR.
7.4 Coverage Provided by Devised Test Subset
The evaluator ensured that the test sample included the tests such that:
- All Security Functions are tested
- All interfaces are exercised
- All Security Functional Requirements are tested.
- More emphasis is laid on the Network Interface being tested.
- All security relevant features mentioned in the Administration/User Guides are covered in
testing.
- Functional Specification references to the FW + IPS Rules are covered.
- Since the product is primarily a network gateway product providing advanced Intrusion
Prevention functionality at the perimeter, it is difficult to gauge the extent of coverage for the
network interfaces. Evaluators work with Developer Top Layer based on the guidance
provided by the Validator during the evaluation of the FSP to determine the complete extent
of coverage.
In testing the functionality of the network interface through which the FDP_IFC*/FDP_IFF*
requirements are tested, Top Layer used their proprietary test harness to devise and run tests using
Hundreds of PCAP (Packet Capture files) and respective cache files. During the process several
tools like TCP replay and Neptune are used. For broad requirements where it pertains to testing
signatures, worms, viruses, rules etc. Top Layer has tested them using several PCAP files.
The penetration tests cover hypothesized vulnerabilities and potential misuse of guidance. The list
hypothesized vulnerabilities was developed based on Top Layer’s vulnerability assessment and
analysis of evaluation evidence. The tests for potential misuse of guidance cover installing the
TOE from guidance documentation and sampling administrator procedures.
8.0 Evaluated Configuration
The Evaluated Configuration (consistent with the ST):
o IPS5500-1000E (Software Version 5.21)
21
The Management Workstation: Linux version 2.6.22.14-72.fe6, Syslog server: version sysklogd 1.4.1
with remote syslog daemon configured, Mozilla web browser, Putty (terminal emulator): version
0.60, Java Realtime Engine (JRE): version 1.6.0_06, Java Development Kit (JDK): version JDK
1.6.0_07, AdventNet SNMP API: version 4.0 STD, TCP Replay (packet capture and replay
utility): version 3.2.0, Top Layer Test Harness version (manage test traffic and record IPS results)
version 1.0
o The Client Workstation: Windows XP Service Pack 3, Intel platform, hard disk and
removable storage components and device drivers, Wireshark version .99.6a
o NTP Server
o SNMP Server
o Syslog Server
o Two Fedora Core 5 (VM) machines, Linux 1 (10.20.30.178/16) and Linux 2
(10.20.30.254/16), with Neptune compiled on them and running SSH and Apache Web
servers. (These machines used for Rate Based testing and other manual tests).
Figure 4- Evaluated Configuration (with High Availability) from ST
22
Figure 5- Evaluated Configuration (without High Availability) from ST
Note: Though the above-evaluated configuration shows distinct machines for different servers (Syslog,
SNMP) etc. the evaluator worked with the existing setup at Top Layer to put the TOE in the evaluated
configuration. The evaluator ensured that the test setup at Top Layer is logically equivalent to the one
shown in the above figure. Similarly when installing the TOE in protection Cluster Configuration, the
evaluator ensured that the configuration used in the Test configuration are logically equivalent to the one
in the security Target. Also, the evaluator covered all the Hardware models in the testing process.
9.0 Results of Evaluation
A verdict for an assurance component is determined by the resulting verdicts assigned to the
corresponding evaluator action elements. The evaluation was conducted based upon version 2.3 of the CC
and the CEM.
The Evaluation Team assigned a Pass, Fail, or Inconclusive verdict to each work unit of each EAL4
assurance component. For Fail or Inconclusive work unit verdicts, the Evaluation Team advised the
developer of issues requiring resolution or clarification within the evaluation evidence. In this way, the
Evaluation Team assigned an overall Pass verdict to the assurance component only when all of the work
units for that component had been assigned a Pass verdict.
The details of the evaluation are recorded in the Evaluation Technical Report (ETR), which is controlled
by CygnaCom CCTL.
Below lists the assurance requirements the TOE will meet to be evaluated at Evaluation Assurance
Level 4. The following components are taken from CC part 3. The components in the following section
23
have no dependencies unless otherwise noted. These components are included by reference only as there
are no parameters to be assigned; the body can be found in CC part 3.
ACM_AUT.1 Partial CM Automation
ACM_CAP.4 Generation Support and Acceptance Procedures
ACM_SCP.2 Problem Tracking CM Coverage
ADO_DEL.2 Detection of Modification
ADO_IGS.1 Installation, generation, and start-up procedures
ADV_FSP.2 Fully defined external interfaces
ADV_HLD.2 Security enforcing high-level design
ADV_IMP.1 Subset of the implementation of the TSF
ADV_LLD.1 Descriptive low-level design
ADV_RCR.1 Informal correspondence demonstration
ADV_SPM.1 Informal TOE security policy model
AGD_ADM.1 Administrator guidance
AGD_USR.1 User guidance
ALC_DVS.1 Identification of Security Measures
ALC_LCD.1 Developer defined life-cycle model
ALC_TAT.1 Well defined development tools
ATE_COV.2 Analysis of coverage
ATE_DPT.1 Testing: high-level design
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing—sample
AVA_MSU.2 Validation of Analysis
AVA_SOF.1 Strength of TOE security function evaluation
AVA_VLA.2 Independent vulnerability analysis
The evaluators concluded that the overall evaluation result for the target of evaluation is Pass. During
application of the AVA_VLA.2 CEM work units the evaluators found no residual vulnerabilities in the
product. The evaluation team reached pass verdicts for all applicable evaluator action elements and
consequently all applicable assurance components.
The TOE is CC Part 2 Extended
24
The TOE is CC Part 3 Conformant for EAL4.
Strength of Function Rating of SOF-medium
10.0 Validator Comments/Recommendations
All Validator concerns with respect to the evaluation have been addressed. No issues are
outstanding.
11.0 Security Target
The Security Target is identified as Top Layer Networks IPS 5500 E Security Target, Version
1.1, dated April 10, 2009.
12.0 List of Acronyms
The acronyms used within this document:
Table 4—Acronym and Document Title
Acronym Definition
ACM Configuration Management
ADO Delivery and Operation
ADV Development
AGD Guidance Documents
ALC Life cycle support
ASIC Application-Specific Integrated Circuit
ATE Tests
AVA Vulnerability assessment
CC Common Criteria [for IT Security Evaluation]
EAL Evaluation Assurance Level
FAU Security Audit
FDP User Data Protection
FIA Identification and Authentication
FMT Security Management
FPT Protection of the TSF
FTP Trusted Path/Channels
GUI Graphical User Interface
HTTP Hypertext Transfer Protocol
HTTPS Hypertext Transfer Protocol over SSL
ICMP Internet Control Message Protocol
25
Acronym Definition
ID Identifier
IP Internet Protocol
IPS Intrusion Protection System
IT Information Technology
LAN Local Area Network
OS Operating System
SF Security Function
SMTP Simple Mail Transfer Protocol
SNMP Simple Network Management Protocol
SFP Security Function Policy
SSH Secure Shell
SSL Secure Socket Layer
ST Security Target
TCP Transmission Control Protocol
TOE Target of Evaluation
TSC TSF Scope of Control
TSF TOE Security Functions
TSFI TOE Security Functions Interface
TSP TOE Security Policy
TSS TOE Summary Specification
13.0 Bibliography
URLs
Common Criteria Evaluation and Validation Scheme (CCEVS): (http://www.niap-ccevs.org/cc-
scheme).
CygnaCom Solutions CCTL (http://www.cygnacom.com).
TopLayer Networks (http://www.toplayer.com/).
The validation team used the following documents to produce this Validation Report:
Common Criteria for Information Technology Security Evaluation, Version 2.3, August 2005, Part 1
Common Criteria for Information Technology Security Evaluation, Version 2.3, August 2005, Part 2
Common Criteria for Information Technology Security Evaluation, Version 2.3, August 2005, Part 3
Common Methodology for Information Technology Security Evaluation, Version 2.3, August 2005.
Top Layer Networks IPS 5500 E Security Target, Version 1.1, April 10, 2009
26
Evaluation Technical Report for a Target of Evaluation, IPS 5500 E Version 5.21, Volume 1
Evaluation Technical Report for a Target of Evaluation, IPS 5500 E Version 5.21, Volume 2
Evaluation Team Test Plan of Top Layer Networks IPS 5500 E Version 0.1