Validated Product - BigFix Enterprise Suite v7.1.1.315Certificate Date: 16 January 2009 Validation Report Number: CCEVS-VR-VID10214-2009 Product Type: Security Management Conformance Claim: EAL3 PP Identifiers: None CC Testing Lab: SAIC Common Criteria Testing Laboratory
PRODUCT DESCRIPTION
The Target of Evaluation (TOE) is BigFix Enterprise Suite (BES), Version 7.1.1.315. Note that there is no distinction between the BES product and the TOE since the TOE includes all parts of the product delivered to users and there are no specific restrictions imposed on the use of the product.
BES enables operators to monitor the configurations of targeted systems on a network in the IT environment from a centralized location. BES provides operators the ability to define corrective actions on individual targeted systems to be applied at the direction of the operator. Corrective actions can include, for example, installing an application or an application/operating-system update.
The TOE is a client-server application that allows monitoring and management of targeted IT systems from a central location. The TOE utilizes a patented Fixlet® technology to identify vulnerable or misconfigured computers in the enterprise and allows authorized users to remediate identified issues across the network. Fixlet messages are available to an enterprise by subscribing to any of a number of Fixlet Sites that are maintained by the BigFix Fixlet Server which is outside the TOE evaluated configuration. Each Fixlet Site contains pre-tested, pre-packaged Fixlet messages that provide out-of-the-box management solutions. Fixlet messages can optionally also be developed in-house by administrators to address policy, configuration and vulnerability concerns specific to an enterprise. In-house fixes are known as Actions as these are developed by an authorized administrator to address specific situations. Note that Fixlets and Fixlet Sites are not part of the TOE – they constitute data that the TOE collects, distributes and otherwise utilizes via the internet from the BigFix Fixlet Server to detect and remediate vulnerabilities. Fixlets enable authorized users to perform the following functions within the enterprise: § Analyze the vulnerability status (i.e., patched or insecure configurations); § Distribute patches to vulnerable computers to maintain endpoint security; § Establish and enforce configuration security policies across the network; § Distribute and update software; § Manage the network from a central Console; and, § View, modify and audit properties and configurations of the networked client computers.
The TOE contains built-in public/private key encryption capabilities to ensure the authenticity of the Fixlet messages and remedial Actions. Each Fixlet and Action received by a BES client is authenticated by verifying a signature affixed by the applicable administrator to ensure that it was generated by an administrator authorized to perform corresponding operations. These authorized operations instruct BES clients to view, modify and audit properties and configurations of the networked client computers. The results from those operations — or simply the gathered data — is encrypted and delivered back to the BES server. EVALUATED CONFIGURATION
Given that the TOE is a set of software applications or components, its physical boundaries are defined by those components: Server, Console, Client and Relays. Note that each of these components has a set of requirements for its hosting computer as follows: Server: The hardware requirements for the Server component depends on the deployment (i.e., how many Clients are attached); and, specific data can be obtained from http://support.bigfix.com/cgi-bin/redir.pl?page=serverreq. The Server can be installed on the following OS platforms: Microsoft Windows 2000 and Server 2003. A Microsoft MSDE 2000, SQL Server 2000, or SQL Server 2005 database is required to be accessible to the Server to serve as the BES database. Console: The Console can be installed on the following OS platforms: Windows 2000, XP Home, XP Professional with MDAC 2.7. Client: The Client can be installed on the following OS platforms: Windows 95, 98, NT 4+, Me, 2000, Server 2003, XP; Red Hat Linux 8.0, 9.0; Red Hat Linux Enterprise 3, 4, 5; Solaris 7, 8, 9, 10; HPUX 11.00, 11.11, 11.23; AIX 5.1, 5.2, 5.3; SUSE 8, 9, 10; Mac OS X 10.3, 10.4, and 10.5. Relay: Relays are optional and can be installed on any Windows server, workstation, PC or laptop within the TOE environment running Microsoft Windows NT SP6a, 2000, XP, Server 2003, or RHEL 4. SECURITY EVALUATION SUMMARY
The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 2.3. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3. Science Application International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the TOE is EAL 3. The TOE, configured as specified in the installation guide, satisfies all of the security functional requirements stated in the Security Target. Several validators on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in October 2008. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report for BigFix Enterprise Suite Version 7 prepared by CCEVS. ENVIRONMENTAL STRENGTHS
The TOE protects itself from attempts to bypass its security mechanisms. Data transfer is protected by enforcing the information flow SFPs largely via the use of cryptographic signature verification to ensure authenticity and integrity of Fixlet and Action messages carrying the instructions of authorized administrators. The TOE protects the security of audit data and operation results data gathered on networked client computers by encrypting this data before it is transmitted over the network. |
![[X]](/assets/images/button_close.gif){kind=small}
![[PDF]](http://www.niap-ccevs.org:80/assets/images/icon_pdf.gif){kind=icon}
