Common Criteria Evaluations of IDSs

While studying Common Criteria evaluation-procedures, and the relationship between Protection Profiles (PP) and Security Targets (ST), I went to find out if Snort was evaluated. I recall that other opensource projects, such as SuSE 9 and some verison of Redhat, has recieved EAL4.

NIST seems to be housing information on evaluated STs and PPs, and in their intrusion dectection section I found out that SourceFire (perhaps we should call them SourcePoint, or CheckFire? ;) has their IDS sensors and management interface evaluated to EAL2, and with conformance with U.S governments PP U.S. Government Intrusion Detection System System Protection Profile, thius forfilling the requirements of IDSs protecting the whitehouse :) I believe, that this means that Snort is evaluated to EAL2 indirectly, as SourceFires sensors are relying plainly on Snort.

The summary of the evaluation says:

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the Sourcefire TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.1 and International Interpretations effective on 19, February 2003. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 1.0. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is EAL 2 family of assurance requirements. The product, when configured as specified in the installation guides and user guides, satisfies all of the security functional requirements stated in the Sourcefire Intrusion Detection System Security Target. A validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in May 2005. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report for Sourcefire Intrusion Detection System, prepared by CCEVS.

Other IDS's that are certified level 2 includes ones from Cisco, Checkpoints and other big names. The product with highest EAL is IntruShield Intrusion Detection System and Symantec Manhunt Version 2.11. But this does in not mean that they are better or more secure products that the others, just that more efforts have been put into analysing them in different criterias (which none of them are how well the IDS performs in the sence of detecting attacks etc, i believe).

Interesting.

This entry was posted on October 18th, 2005 and is filed under evaluation, Intrusion Detection, Security. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response or Trackback from your own site.