PRODUCT DESCRIPTION

The IBM Proventia Network Enterprise Scanner 1.3 with XPU 1.28 and SiteProtector 2.0 SP6.1 with Reporting Module and with Catalog 2.61 (Version 2.684/1/24/008) is a vulnerability management system that scans network devices and identifies and reports known vulnerabilities.

The TOE is divided into two components: IBM Proventia Network Enterprise Scanner Version 1.3 with XPU 1.28 (hereafter referred to as IBM ISS Network Enterprise Scanner Version 1.3, Network Enterprise Scanner, Enterprise Scanner, or Scanner) and IBM Proventia Management SiteProtector 2.0 SP6.1 with Reporting Module and with Catalog 2.61 (Version 2.684/1/24/008) (hereafter referred to as IBM SiteProtector with Reporting Module Version 2.0 SP 6.1, SiteProtector with Reporting Module, or SiteProtector).

EVALUATED CONFIGURATION

The Enterprise Scanner is an appliance that performs the scanning.  All hardware and software included in the Enterprise Scanner is included in the TOE boundary.  The evaluated configuration includes one or more Scanners.

SiteProtector with Reporting Module is a software distribution running on a Windows based workstation.  The evaluated configuration includes one SiteProtector with Reporting Module.   SiteProtector provides the management and monitoring functionality for the Enterprise Scanner(s).  The Reporting Module is separately licensed software in SiteProtector that enables authorized administrators to create and view reports reflecting audit data events and system data events.  Scanners support two separate network interfaces: the scanning network and the management network.  Scanners communicate with SiteProtector using the management network.  The scanning network is used to scan hosts.

The Enterprise Scanner scans any Internet Protocol version 4 addressable device connected to the scanning network (operational network) and discovers assets and determines the assets’ services and known vulnerabilities.  Vulnerabilities are known weaknesses in a system allowing an attacker to violate the integrity, confidentiality, access control, availability, consistency or audit mechanism of the system or the data and applications it hosts.  The Enterprise Scanner identifies vulnerabilities such as:

1)      improperly configured desktops, servers, Web servers, routers or firewalls;

2)      hosts running unauthorized services;

3)      weak or no password protection; and

4)      unpatched or outdated versions of operating systems.

The complete Scanner is included in the TOE boundary including hardware, OS and IBM ISS software.

SiteProtector with Reporting Module is used as the central controlling point for Enterprise Scanners deployed on the network.  The Reporting Module is embedded within SiteProtector, but its functionality must be enabled via a separate license.  The SiteProtector performs the following functionality:

1)      Manages and monitors Enterprise Scanners;

2)      Manages and monitors SiteProtector and

3)      displays audit data and system data events. 

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme.  The evaluation demonstrated that the IBM Proventia Network Enterprise Scanner 1.3 with XPU 1.28 and SiteProtector 2.0 SP6.1 with Reporting Module and with Catalog 2.61 (Version 2.684/1/24/008) meets the security requirements contained in the Security Target.

The criteria against which the IBM Proventia Network Enterprise Scanner 1.3 with XPU 1.28 and SiteProtector 2.0 SP6.1 with Reporting Module and with Catalog 2.61 (Version 2.684/1/24/008) was judged is described in the Common Criteria for Information Technology Security Evaluation, Version 2.3.  The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.3.  The COACT, Inc. CAFE Lab determined that the evaluation assurance level (EAL) for the IBM Proventia Network Enterprise Scanner 1.3 with XPU 1.28 and SiteProtector 2.0 SP6.1 with Reporting Module and with Catalog 2.61 (Version 2.684/1/24/008) is EAL 2.  The TOE, configured as specified in the installation guide and supplemental user’s guide (“IBM Proventia Network Enterprise Scanner 1.3 with XPU 1.28 and SiteProtector 2.0 SP6.1 with Reporting Module and with Catalog 2.61 [Version 2.684/1/24/008] Installation Supplement Version 1.1, November 25, 2008”), satisfies all of the security functional requirements stated in the Security Target.

A Validator on behalf of the CCEVS Validation Body monitored the evaluation carried out by the COACT, Inc. CAFE Lab.  The evaluation was completed in October 2008. Results of the evaluation and associated validation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (CCEVS-VR-VID10275-2008).

ENVIRONMENTAL STRENGTHS

The TOE’s Security Functions are:

Scanning

The TOE performs scanning of designated systems to detect known vulnerabilities on those systems.  The TOE is designed to automate the process of cyclically discovering and assessing assets (background scanning), while accommodating ad hoc scans as well.  Background scans are well suited to minimize impact on operational systems since their execution can be tailored for times when operational usage of the systems and networks is low.

Scanning is broken into two categories: discovery and assessment.  Discovery scans are initially used to discover assets on the network (so that they may subsequently be assessed).  On-going discovery scans highlight changes to the assets and detect unauthorized systems on the network.  Assessment scans perform in-depth searches for vulnerabilities on previously discovered systems.

Results of the scans are stored in the DBMS (IT Environment) located on the same system as the SiteProtector software.

Audit Data Generation and Viewing

The TOE’s Audit Data Generation and Viewing Security Function provides administrator support functionality that records the administrator commands and enables authorized administrators to view audit data records in human readable format via the SiteProtector Console. 

The TOE stores audit records into the SiteProtector database via the DBMS supplied by the IT Environment.  The audit records are retrieved from the database and saved as a report via the OS file system (IT Environment) for audit viewing.

System Data Generation

The TOE’s System Data Generation Security Function provides functionality to generate and store system data related to scans performed by the TOE.  The TOE’s system data includes three types of system data: scan events; analysis views; and system data reports. 

The first two types of system data are saved via the SiteProtector database via the DBMS supplied by the IT Environment, while the system data reports are saved on disk using the OS’ file I/O functionality (IT Environment).

System Data Viewing

The TOE’s System Data Viewing Security Function provides administrator support functionality that enables authorized administrators to view system data records (e.g., detected vulnerabilities) in human readable format via the SiteProtector Console.  Data included in system data records and available for viewing are the specific vulnerability, associated severity, timestamp, IP name and address of the asset on which the vulnerability was detected, scanner from which the scan was performed, and the service protocol (if applicable) associated with the vulnerability. 

The TOE retrieves system data from the SiteProtector database via the DBMS or from a file on disk via the OS’ file I/O functionality supplied by the IT Environment.

Self Protection

The TOE provides for self protection and non-bypassability of functions within the TOE’s scope of control (TSC). The TOE controls actions carried out by an administrator by controlling a session and the actions carried out during a session. When multiple administrators are connected simultaneously, the roles (and therefore permissions) are tracked individually to ensure proper access restrictions are applied to each session.  By maintaining and controlling a user session a user has with the TOE, the TOE ensures that no security functions within the TSC are bypassed and that there is a separate domain for the TOE that prevents the TOE from being interfered with or tampered with for those users that are within the TSC.

Since the SiteProtector component of the TOE consists of a set of applications, the TOE cannot provide complete self-protection for itself.  The TOE depends on the operating system and hardware (IT Environment) on the SiteProtector platform to protect the TOE from interference or bypass from users or processes outside the TSC. 

TLS is used to protect communication between the TOE components.  The TLS functionality is provided by the TOE on the Enterprise Scanners and by the IT Environment on the SiteProtector platform.

Management

Management of the TOE may be performed via SiteProtector Console on the SiteProtector platform.  All management of the TOE components is performed via SiteProtector.

SiteProtector collects userid and password information through a GUI and passes that information to Windows to authenticate the user.  If Windows indicates that the user is authenticated, SiteProtector looks up that userid in its database to determine the permissions associated with the user.  If Windows indicates that the user is not authenticated, SiteProtector terminates the session.

Vendor Information

IBM Internet Security Systems, Inc
Scott Sinsel
404-236-2722
404-236-2632 (Fax)
ssinsel@us.ibm.com

http://www.iss.net