NIAP: Compliant Product
Compliant Product - Trellix Intrusion Prevention System Sensor and Manager Appliances version 11.1

Certificate Date:  2024.05.20

Validation Report Number:  CCEVS-VR-VID11417-2024

Product Type:  Wireless Monitoring; Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:  collaborative Protection Profile for Network Devices Version 2.2e; PP-Module for Intrusion Prevention Systems (IPS), Version 1.0

CC Testing Lab:  Acumen Security


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide: Trellix Intrusion Prevention System 11.1 FIPS and CC Certification Guide [PDF]

Administrative Guide: Trellix Intrusion Prevention System 11.1.x Installation Guide [PDF]

Administrative Guide: Trellix Intrusion Prevention System Manager Appliance Product Guide [PDF]

Administrative Guide: Trellix Intrusion Prevention System NS-series Sensor Product Guide [PDF]

Administrative Guide: Trellix Intrusion Prevention System 11.1.x Product Guide [PDF]


Product Description

The TOE comprises the Trellix Intrusion Prevention System (IPS) software running on one Trellix Intrusion Prevention System Manager Appliance and on one or more Trellix Intrusion Prevention System Sensors (Sensor).

The Trellix Intrusion Prevention System (IPS) Sensor performs stateful inspection on a per-packet basis to discover and prevent intrusions, misuse, denial of service (DoS) attacks, and distributed denial of service (DDoS) attacks. Trellix Intrusion Prevention System (IPS) is available in multiple Sensor appliances providing different bandwidth and deployment strategies.

Trellix IPS Manager (IPS Manager) is used to manage the Sensors and to push configuration data and policies to them. Communication between the Manager and the Sensors uses secure channels that protect the traffic from disclosure and modification. Authorized administrators may access the Manager via a GUI (over HTTPS) or a CLI (via SSH or a local connection). Sensors may be accessed via the CLI (via SSH or a local connection) for initial setup only; once initial setup is complete, all management occurs via the Manager.

The Sensor’s presence on the network is transparent. The Sensor is protected from the monitored networks as the system is configured to not accept any management requests or input from the monitored networks.


Evaluated Configuration

The following environmental components are required to operate the TOE in the evaluated configuration:

Table 1 – Required Environmental Components

Component | Description
Local Management Console | Any computer using terminal emulation software to access the console interface (CLI) of the Manager or Sensor.
Remote Management Workstation | Any computer with a supported browser, used to access the Manager via the GUI, or with SSH client software, used to access the CLI.
External IT systems | IT systems exchanging network traffic; these generate the packets that are analyzed by the TOE.
Update Server | An SCP server used for updating the Sensor software securely over a remote connection.
Syslog Server | A syslog server that continuously receives audit logs from the Manager component over a secure TLSv1.2 channel.

This section provides an overview of the TOE architecture, including physical boundaries, security functions, and relevant TOE documentation and references.

Physical Boundaries

The TOE is a software and hardware Distributed TOE. It is a combination of:

· One or more IPS Sensor appliances with their software [Sensor]

· One IPS Manager appliance with its software [Manager]

Each component is delivered with the TOE software installed. The following table lists all the instances of the Sensors that are included in the evaluation. All listed Sensor appliances offer the same security functionality but vary in the type and number of processors, amount of memory, and storage.

Table 2 - TOE Appliance Series and Models

Model | CPUs | Memory (Size and Qty) | Storage | Micro-architecture

Trellix Intrusion Prevention System Sensor Appliances
IPS-NS9500 | 2 x XEON GOLD 6230 | 12 x 16GB | 2 x 240GB SSD | Cascade Lake
IPS-NS7600 | 1 x XEON SILVER 4416+ | 6 x 32GB | 1 x 400GB SSD | Sapphire Rapids
IPS-NS7500 | 1 x XEON GOLD 5218N | 6 x 16GB | 1 x 240GB SSD | Cascade Lake
IPS-NS3600 | 1 x XEON D-1734NT | 2 x 32GB | 1 x 400GB SSD | Ice Lake
IPS-NS3200 | 1 x ATOM C2538 | 2 x 4GB | 1 x 30GB SSD | Rangeley

Trellix Intrusion Prevention System Manager Appliance
NSM-MAPL-NG | 1 x XEON SILVER 4210 | 4 x 16GB | 2 x 2TB HDD | Cascade Lake
NSM-MAPL-NG | 1 x XEON SILVER 4114 | 4 x 16GB | 2 x 2TB HDD | Skylake

In the evaluated configuration, the devices are placed in Network Device collaborative Protection Profile (NDcPP) mode by configuration according to the Administrative Guidance.


Security Evaluation Summary

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Trellix Intrusion Prevention System Sensor and Manager Appliances were evaluated are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 Rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 Rev 5. The product, when delivered and configured as identified in the Trellix Intrusion Prevention System 11.1.x Installation Guide, Trellix Intrusion Prevention System 11.1.x Product Guide, Trellix Intrusion Prevention System Manager Appliance Product Guide, Trellix Intrusion Prevention System NS-series Sensor Product Guide, and Trellix Intrusion Prevention System 11.1 FIPS and CC Certification Guide, satisfies all of the security functional requirements stated in the Trellix Intrusion Prevention System Sensor and Manager Appliances version 11.1 Security Target version 1.9. The project underwent CCEVS Validator review. The evaluation was completed in May 2024. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.


Environmental Strengths

The TOE provides the security functions required by the Collaborative Protection Profile for Network Devices, hereafter referred to as NDcPP v2.2e or NDcPP.

Security Audit

The TOE generates audit records related to TOE operation and administration. These audit records are stored in a local database on the IPS Manager and are also forwarded to an external audit server. The database holds 50,000 audit records; when it reaches capacity, the oldest audit records are overwritten.

The Sensor generates audit records and forwards them to the IPS Manager; it also caches audit records in a local file. The audit file can be uploaded to the Manager (or to any other SCP server) using the “auditlogupload” CLI command. If the file reaches capacity, new events are dropped.

Only authenticated users can view audit records.

Communication

The TOE is a Distributed TOE. It is a combination of:

· One or more IPS Sensor appliances with their software [Sensor]

· One IPS Manager appliance with its software [Manager]

Each component is delivered with the TOE software installed. A Security Administrator can enable or disable communications between any pair of TOE components. Communication between the TOE components is secured via TLS with mutual authentication, as per the secure channel requirements in FPT_ITT.1.

Cryptographic Support

The TOE uses symmetric key cryptography to secure communication between the Sensors and the Manager for the following functionality:

· Exchange of configuration information (including IPS policies)

· Time/date synchronization from the Manager to Sensors

· Transfer of IPS data to the Manager

· Transfer of audit records to the Manager

· Distribution of TOE updates to Sensors

Connections between the Manager and Sensors are secured using TLS.

Connections between the Manager and the Audit Server (for audit record upload) are secured using TLS.

Connections between a Sensor and the Update Server are secured using SSH.

Sessions between the Management Workstation and the TOE are secured using SSH or HTTPS. Administrators can connect to the Manager via HTTPS or SSH. Administrators can connect to the Sensor via SSH.

Local console connections between the Console Workstation and the TOE are physically secured.

Identification and Authentication

Administrators connecting to the TOE are required to enter an IPS administrator username and password to authenticate the administrative connection prior to access being granted.

The Manager and Sensors authenticate to one another through a shared secret that is configured during the initial installation and setup process of the TOE. Although the Manager supports use of a default self-signed certificate for trust establishment with the Sensor, such a channel is out of scope for this evaluation; in the evaluated configuration the Sensor-Manager channel must be established using CA-signed certificates.

Security Management

An administrative CLI can be accessed via the Console port or an SSH connection, and an administrative GUI can be accessed via HTTPS. These interfaces are used for administration of the TOE, including audit log configuration, upgrade of firmware and signatures, administration of users, and configuration of SSH and TLS connections.

Only administrators authenticated to the “Admin” role are considered to be authorized administrators.

Protection of the TSF

The presence of the Sensor components on the network is transparent (other than network packets sent as reactions to configured IPS conditions). The Sensors are protected from the monitored networks because the system is configured to not accept any management requests or input via the monitored interfaces.

The TOE users must authenticate to the TOE before any administrative operations can be performed on the system.

The TOE ensures consistent timestamps are used by synchronizing time information on the Sensors with the Manager, so that all parts of the IPS system share the same relative time information.

Synchronization occurs over a secure communications channel. Time on the Manager may be configured by an administrator.

The administrator can query the currently installed versions of software on the Sensor using the “show” command, which returns details about the software and hardware version. A trusted update of the TOE software can be performed from the Manager UI, which is then pushed out to the Sensors.

A suite of self-tests is performed by the TOE at power on, and conditional self-tests are performed continuously.

TOE Access

The TOE monitors local and remote administrative sessions for inactivity and terminates the session when a threshold time is reached. An advisory notice is displayed at the start of each session.

Trusted Path/Channels

The TSF provides the following trusted communication channels:

· TLS for an audit server

· TLS for communication between Manager and Sensors

· SSH for communication with an SCP Server for updates

The TOE implements TLS/HTTPS and SSH for protection of communications between itself and the administrators.

Intrusion Prevention

The IPS Sensors provide the following IPS-based functionality:

· Anomaly-based traffic pattern definition, including the specification of frequency and specific network protocol fields

· IP blocking based on known-good and known-bad lists of rules, IP addresses (source, destination), ACLs, and alert filters

· IP-based network traffic analysis

· Signature-based traffic analysis


Vendor Information


Trellix
Andy Nissen
sec_certs@trellix.com

www.trellix.com