Validated Product - Cisco Security Agent

Certificate Date: 01 April 2007
Validation Report Number: CCEVS-VR-07-0020
Product Type: IDS/IPS
Conformance Claim: EAL2
PP Identifiers: None
CC Testing Lab: COACT Inc. CAFE Laboratory

PRODUCT DESCRIPTION

This section provides a description of the Cisco Security Agent (CSA) Version 4.5.1.655 TOE. CSA is a software-based intrusion detection and intrusion prevention application comprised of two essential components: the Management Center, which installs on designated Windows systems, and the Agent, which installs on server and desktop Windows systems across the network. Operating under policies defined by the needs of the deploying organization, the Management Center and Agent(s) work in parallel to defend against attempted intrusions and attack scenarios across networks and systems.

Physical components of the TOE for the Management Center include the Report Generator Web Application, GUI Page Generator, Configuration Manager, and Global Event Manager. Physical components of the TOE for the CSA Agent include the Rule/Event Correlation Engine, Agent Policy Manager, Local Event Manager, Buffer Overflow/COM Component Interceptor, File Interceptor, Registry Interceptor, Network Application Interceptor, and Network Traffic Interceptor.

There are additional components included in the product that are not evaluated; the ST and Validation Report should be consulted for the specifics of which components are covered by the validation. Further, the evaluation does not cover the underlying operating system platform, database management system, web server, or CiscoWorks; this is discussed in more detail in the ST and Validation Report.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the Cisco Security Agent TOE meets the security requirements contained in the Security Target. The criteria against which the Cisco Security Agent TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.1. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.1. The COACT, Inc. CAFE Lab determined that the evaluation assurance level (EAL) for the Cisco Security Agent TOE is EAL 2. The TOE, configured as specified in the installation guide, satisfies all of the security functional requirements stated in the Security Target. A Validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by the COACT, Inc. CAFE Lab. The evaluation was completed in June 2006. Results of the evaluation and associated validation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report.

ENVIRONMENTAL STRENGTHS

The TOE’s Security Functions are:

Security Audit – Records of Program Access Control Policy enforcement, malicious activity, and system management events are logged by the Agent into secured disk space on the Agent host. These event records are also sent to the Management Center. Additionally, when the Agent detects malicious activity, it intercepts the offending process and prompts the End User for guidance.

Security Management – When an Agent is installed, it registers with the Management Center, and the security policy is delivered to the Agent at that time. The Agent also polls the Management Center at configurable intervals for policy updates.

Monitoring and Detection – The Agent intercepts accesses to assets protected by the TOE at the operating system level to verify that they are authorized. This includes attempts to access the TSF and TSF data such as audit records, attack signatures, and access control rights. Only authorized accesses through the TSF are permitted. This monitoring also enables the Agent to identify the following types of attack: Packet Sniffers and Unauthorised Protocols, Port-scans and Ping-scans, SYN-flood Attacks, Malformed Packets, Email Worms, Keystroke Loggers, Code Injection, Trojan Programs (Process Memory Protection), Password Theft, Downloaded Executable Files Automatically Invoked Without User Intervention, Downloaded ActiveX Controls, Buffer Overflow Exploits, and ICMP Covert Channels.

Program Access Control – Access control rules are the foundation of the security policies configured by the Administrator. The Management Center enables the Administrator to create file access control, network access control, Windows Registry access control, and COM (Component Object Model) access control rules. CSA ships with default rules. Access control decisions are based on security attributes of the subject and object.