EEye Retina Scanner Security Target - CC Portal

Transcription

Retina Network Security Scanner
Security Target
Version 1.0
05/25/07

Prepared for:
eEye Digital Security Corporation
One Columbia
Aliso Viejo, CA 92656

Prepared By:
Science Applications International Corporation
Common Criteria Testing Laboratory
7125 Columbia Gateway Drive, Suite 300
Columbia, MD 21046

1. SECURITY TARGET INTRODUCTION
    1.1 SECURITY TARGET, TOE AND CC IDENTIFICATION
    1.2 CONFORMANCE CLAIMS
    1.3 CONVENTIONS, TERMINOLOGY, ABBREVIATIONS
        1.3.1 Conventions
        1.3.2 Terminology and Abbreviations
2. TOE DESCRIPTION
    2.1 TOE ARCHITECTURE
        2.1.1 Physical Boundaries
        2.1.2 Logical Boundaries
3. SECURITY ENVIRONMENT
    3.1 THREATS TO SECURITY
        3.1.1 TOE Threats
        3.1.2 IT System Threats
    3.2 SECURE USAGE ASSUMPTIONS
        3.2.1 Intended Usage Assumptions
        3.2.2 Physical Assumptions
        3.2.3 Personnel Assumptions
        3.2.4 System Assumptions
    3.3 ORGANIZATION SECURITY POLICIES
4. SECURITY OBJECTIVES
    4.1 IT SECURITY OBJECTIVES FOR THE TOE
    4.2 IT SECURITY OBJECTIVES FOR THE ENVIRONMENT
    4.3 NON-IT SECURITY OBJECTIVES FOR THE ENVIRONMENT
5. IT SECURITY REQUIREMENTS
    5.1 TOE SECURITY FUNCTIONAL REQUIREMENTS
        5.1.1 Security management (FMT)
        5.1.2 NSS Component Requirements (NSS)
    5.2 IT ENVIRONMENT SECURITY FUNCTIONAL REQUIREMENTS
        5.2.1 Identification and authentication (FIA)
        5.2.2 Protection of the TOE security functions (FPT)
        5.2.3 NSS Component Requirements (NSS)
    5.3 TOE SECURITY ASSURANCE REQUIREMENTS
        5.3.1 Configuration management (ACM)
        5.3.2 Delivery and operation (ADO)
        5.3.3 Development (ADV)
        5.3.4 Guidance documents (AGD)
        5.3.5 Tests (ATE)
        5.3.6 Vulnerability assessment (AVA)
6. TOE SUMMARY SPECIFICATION
    6.1 TOE SECURITY FUNCTIONS
        6.1.1 Security Management
        6.1.2 Network Security System
    6.2 TOE SECURITY ASSURANCE MEASURES
        6.2.1 Process Assurance
        6.2.2 Delivery and operation
        6.2.3 Development
        6.2.4 Guidance documents
        6.2.5 Tests
        6.2.6 Vulnerability Assessment
7. PROTECTION PROFILE CLAIMS
8. RATIONALE
    8.1 SECURITY OBJECTIVES RATIONALE
        8.1.2 Security Objectives for Non-IT Environment Rationale
    8.2 SECURITY REQUIREMENTS RATIONALE
    8.3 STRENGTH OF FUNCTION RATIONALE
    8.4 REQUIREMENT DEPENDENCY RATIONALE
    8.5 SECURITY ASSURANCE RATIONALE
    8.6 EXPLICITLY STATED REQUIREMENTS RATIONALE
    8.7 TOE SUMMARY SPECIFICATION RATIONALE
    8.8 PP CLAIMS RATIONALE

LIST OF TABLES

Table 1 Security Functional Components
Table 2 System Events
Table 3 Security Functional Components for the IT Environment
Table 4 Security Environment vs. Objectives
Table 5 Objective to Requirement Correspondence
Table 6 Requirement Dependency Rationale
Table 7 Security Functions vs. Requirements Mapping

1. Security Target Introduction

This section identifies the Security Target and Target of Evaluation (TOE), ST conventions, ST conformance claims, and the ST organization. The Target of Evaluation (TOE) is the Retina Network Security Scanner (Scanner), a software only, non-disruptive network security scanner – the TOE is not invasive and does not interfere with the operation of the IT system being monitored. eEye Digital Security Corporation, Inc provides the TOE (Retina Network Security Scanner).

The Security Target contains the following additional sections:

- Section 2 – Target of Evaluation (TOE) Description
  This section gives an overview of the TOE, describes the TOE in terms of physical and logical boundaries, and states the scope of the TOE.
- Section 3 – TOE Security Environment
  This section details the threats that are countered by Retina Network Security Scanner and the expectations that the environment must fulfill.
- Section 4 – TOE Security Objectives
  This section details the security objectives of the Retina Network Security Scanner and the environment.
- Section 5 – IT Security Requirements
  This section presents the security functional requirements (SFR) for Retina Network Security Scanner and the IT Environment that supports the TOE, and details the assurance requirements for EAL2.
- Section 6 – TOE Summary Specification
  This section describes the security functions represented in the Retina Network Security Scanner that satisfy the security requirements.
- Section 7 – Protection Profile Claims
  This section presents any protection profile claims.
- Section 8 – Rationale
  This section closes the ST with the justifications of the security objectives, requirements and TOE summary specifications as to their consistency, completeness, and suitability.

1.1 Security Target, TOE and CC Identification

ST Title – Retina Network Security Scanner Security Target
ST Version – Version 1.0
ST Date – 05/25/07
TOE Identification – Retina Network Security Scanner Version 5.4.21.53
CC Identification – Common Criteria for Information Technology Security Evaluation, Version 2.2, January 2004, ISO/IEC 15408.

1.2 Conformance Claims

This TOE is conformant to the following CC specifications:

- Common Criteria for Information Technology Security Evaluation Part 2: Security functional requirements, Version 2.2, January 2004, ISO/IEC 15408-2.
  - Part 2 Extended (with NSS SCN.1, NSS RDR.1, NSS SAR.3, and NSS STG.1)
- Common Criteria for Information Technology Security Evaluation Part 3: Security assurance requirements, Version 2.2, January 2004, ISO/IEC 15408-3.
  - Part 3 Conformant
  - Evaluation Assurance Level 2 (EAL2)

1.3 Conventions, Terminology, Abbreviations

This section specifies the formatting information used in the Security Target.

1.3.1 Conventions

The requirements in this document are divided into assurance requirements and two sets of functional requirements. The first set of functional requirements, which were drawn from the Common Criteria, is designed to address the core System requirements for self-protection. The second set of requirements, which were invented and categorized by the short name, NSS, is designed to address the requirements for the System’s primary function, which is NSS collection of data and responses to conclusions based upon that data.

The CC permits four functional component operations (assignment, refinement, selection, and iteration) to be performed on functional requirements. This ST will highlight the four operations in the following manner:

- Assignment: allows the specification of an identified parameter. Assignments are indicated using bold and are surrounded by brackets (e.g., [assignment]).
- Refinement: allows the addition of details. Refinements are indicated using bold and italics, for additions, and strike-through, for deletions (e.g., “all objects” or “some big things”).
- Selection: allows the specification of one or more elements from a list. Selections are indicated using underline (e.g., selection).
- Iteration: allows a component to be used more than once with varying operations. Not used in this ST.
- Explicitly stated Security Functional Requirements (i.e., those not found in Part 2 of the CC) are identified with “(EXP)”.
- Other sections of the ST – Other sections of the ST use bolding to highlight text of special interest, such as captions.

1.3.2 Terminology and Abbreviations

The following terminology and abbreviations may be used within this Security Target:

Abbreviation   Definition
AIS            Automated Information System
API            Application programming interface
CC             Common Criteria
CEM            Common Evaluation Methodology
CCEVS          Common Criteria Evaluation and Validation Scheme
EAL            Evaluation Assurance Level
GUI            Graphical User Interface
HLD            High-level Design
NSS            Network Security System
NIAP           National Information Assurance Partnership
NIST           National Institute of Standards and Technology
NSA            National Security Agency
OS             Operating system
PP             Protection Profile
REM            Retina Enterprise Manager
SAIC           Science Applications International Corporation
SOF            Strength of Function
SSL            Secure Socket Layer
ST             Security Target
TOE            Target of Evaluation
TSF            TOE Security Functions
TSP            TOE Security Policy

Term / Definition

Automated Information System
    Any equipment of an interconnected system or subsystems of equipment that is used in the automatic acquisition, storage, manipulation, control, display, transmission, or reception of data and includes software, firmware, and hardware.

Security configuration settings
    Settings that implement different levels of security on the IT system. For example, security aspects for the different services installed on a system, user rights, password policies, etc. If the configuration settings were improperly configured, the IT system could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.

Vulnerability
    Hardware, firmware, or software flaw that leaves an AIS (defined above) open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.

2. TOE Description

The TOE is the Retina Network Security Scanner Version 5.4.21.53. The TOE is a non-disruptive network security scanner – the TOE is not invasive and does not interfere with the operation of the IT system being monitored. The TOE does not scan network traffic anomalies reported by sensors, as do some other types of IDS products. Rather the TOE scans hosts identified within a specific IP range. Ports on targeted hosts are monitored for specific activities and events identified in an audit policy.

The Retina Network Security Scanner includes two modules, Scanning Engine and the Scanner Shell. The specific information for which the Retina Network Security Scanner searches within an IP range is controlled by audit policies. Architecturally, the TOE is similar to a traditional IDS where the management function creates and modifies signature files that will be pulled down from a managing server to sensors or pushed to network sensors. However, the TOE does not sense network traffic. Rather, the audit policies determine the events monitored by Scanners for a specific range of IP addresses.

Scanning Engine

The scanning engine of the Retina Network Security Scanner scans IP address ranges for specific information. The scanning process is multithreaded, which allows the Retina Network Security Scanner to handle different targeted hosts at the same time. The services provided are mapped to specific types of vulnerabilities identified in the audit policy for the specific IP range.

The process of scanning a host occurs in roughly the following manner:

- ICMP ping: This step establishes if the host is responding.
- Target setup: The specific details of the target are built, such as MAC addresses, reverse DNS hostnames and other details.
- SYN Scan: Using a series of TCP SYN packets, Retina Network Security Scanner scans the host to determine which ports are responding.
- Protocol Detection: Whenever a port is found to be open, after the TOE establishes a connection with the port, it determines the protocol of the service offered by the port using the port number and any protocol specific information that is initially returned by the target when the connection is established.
- OS Detection: Using a series of packets designed to "fingerprint" the target operating system, Retina matches the output against a database of known operating systems.
- Audit Phase: The audit phase is effectively the second half of the scan and encompasses the basic "vulnerability" scan portion of the audit.

It is the audit phase when the Retina Network Security Scanner applies the audit policy looking for specific services and protocols for the specific targeted host.

Scanner Shell

The Scanner Shell (shell) handles all aspects of the local user interface of a scan, such as reporting, displaying results, alerting, and scan range entry. The shell provides a local reporting interface for the Retina Network Security Scanner. The shell provides the ability to manage (query and review) the Scanner data collected and manage (select Scanner audit events, sort Scanner audit records, and view Scanner audit trails) the audit functions and policies.

The two modules of the Retina Network Security Scanner communicate via a well-defined communication mechanism: RPC. This mechanism is one way, allowing the scanning engine to report its findings to the shell, but not query information directly from the shell.
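The protocol detection step above combines two signals: the port number and whatever the service sends first once a connection is established. The following added example (not eEye's code and not part of the original Security Target) shows one way to combine them over banners that have already been collected; the port table, the signatures and the sample banners are constructed for illustration.

```python
import re

# Constructed port hints; a real scanner would ship a much larger table.
PORT_HINTS = {21: "ftp", 22: "ssh", 25: "smtp", 80: "http", 110: "pop3"}

# Constructed signatures for what a service sends first after the TCP
# handshake. HTTP is absent on purpose: an HTTP server waits for the client.
BANNER_SIGNATURES = [
    ("ssh", re.compile(rb"^SSH-\d+\.\d+-")),
    ("ftp", re.compile(rb"^220[ -].*ftp", re.IGNORECASE)),
    ("smtp", re.compile(rb"^220[ -].*smtp", re.IGNORECASE)),
    ("pop3", re.compile(rb"^\+OK")),
]


def detect_protocol(port, banner):
    """Classify an open port from its number and the first bytes it returned.

    Returns (protocol, evidence). A recognised banner outranks the port
    number, so a service moved to an unusual port is still named correctly.
    """
    lines = banner.splitlines()
    first_line = lines[0] if lines else b""
    hint = PORT_HINTS.get(port)
    for name, pattern in BANNER_SIGNATURES:
        if pattern.search(first_line):
            if hint and hint != name:
                return name, "banner; port hint was " + hint
            return name, "banner"
    # Silent service, or an ambiguous greeting such as a bare "220".
    if hint:
        return hint, "port number only"
    return "unknown", "no evidence"


# Constructed observations: (port, bytes received on connect).
SAMPLES = [
    (22, b"SSH-2.0-OpenSSH_8.9\r\n"),
    (80, b"SSH-2.0-ExampleServer\r\n"),   # SSH listening on the HTTP port
    (25, b"220 Service ready\r\n"),       # 220 alone fits FTP and SMTP
    (80, b""),                            # HTTP server waiting for a request
    (50000, b""),
]

if __name__ == "__main__":
    for port, banner in SAMPLES:
        print(port, detect_protocol(port, banner))
```

For an asset inventory, the cases worth reviewing are those where the evidence string records a disagreement between banner and port, since they point to a service running somewhere other than its conventional port.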

2.1 TOE Architecture

The TOE physical boundaries encompass the scann