The Mazu Profiler Version 5 is a network-wide internal security solution that analyzes network traffic and behavior to help organizations operate internal networks more securely. Profiler protects the internal assets of the network against zero-day worms, internal threats, and unauthorized user activity. These are not caught by perimeter security.
\r\nProfiler receives information about traffic connections or flows from high-performance Mazu sensors deployed passively on major links. It uses this data in real-time to build and maintain a model of network activity, including:
\r\nOn an ongoing basis, Profiler compares the current flow data with the baseline data and looks for behavior that deviates from the norm. It analyzes deviations or anomalies to determine if threats exist. If threats exist, Profiler sends alerts via SNMP trap messages and email. It also saves event reports for further analysis or forensic reporting.
\r\nProfiler’s extensive data collection, display and reporting features allow users to query its database and generate reports that are as broadly- or narrowly-focused as desired. Reports can be scheduled, saved, printed, automatically emailed, or output as data files for use by other applications.
","evaluation_configuration":null,"security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The Mazu Profiler TOE was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 2.2. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.2. Booz Allen Hamilton has determined that the product meets the security criteria in the Security Target, which specifies an assurance level of EAL2. A validator, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in October 2005.
","environmental_strengths":"Security Audit
\r\nThe TOE receives audit data that has been collected and generated by a Mazu Sensor via the MPCP. In addition, the communication link between the Mazu Sensor and the TOE is established through the use of a shared secret. Once the TOE has received audit data, it stores the information in a profile. Complex heuristics are then applied to the profile to identify anomalous behaviour on the network that deviates from normal activity. The TOE then generates alerts based upon triggered events that have surpassed a configured threshold rating.
\r\nIdentification and Authentication
\r\nThe TOE provides an HTTPS interface that is used to access its security functions. During initial configuration, a user establishes a connection to the TOE using their local web browser running on the Admin Terminal. Next, the user is prompted to provide the identification and authentication credentials required to log onto the TOE under the Administrator role. Once the user has successfully assumed the Administrator role, that user can then create additional roles that the TOE will recognize when other users attempt to identify and authenticate themselves over the HTTPS interface from the Admin Terminal.
\r\nSecurity Management
\r\nThe TOE provides for the management of its security functions via the HTTPS interface from the Admin Terminal. Once a user has been successfully identified and authenticated, they will then be granted access to the TOE that is limited based upon the role that the user has been assigned. The roles supported by the TOE have varying levels of access rights with respect to viewing or modifying the way in which the security functions of the TOE behave. These roles include the Administrator, Operator, Monitor, and Event Viewer.
\r\nProtection
\r\nSince the TOE is an appliance-based system, most of the protection features are implemented in its hardware and software structures. These structures provide for process execution as well as process separation. In addition, management of the TOE is enforced by limiting user access by requiring each user to identify and authenticate prior to being granted access over the HTTPS interface. Additional aspects related to protection of the TOE are addressed via assumption statements identified in the Security Target, Section 4.
\r\nTOE Exclusions
\r\nAlthough the Profiler product offers the following features, they are not supported in the evaluated configuration:
\r\n