The Target of Evaluation (TOE) is DbProtect AppRadar 2009.1 R2, hereinafter referred to as AppRadar, as configured in accordance with the supplied guidance documentation.
\r\nAppRadar is an application that provides real-time database intrusion detection and security auditing. AppRadar provides database-specific, monitoring, and auditing of the commercially available database servers. The key features of the TOE are database event monitoring and auditing.
\r\nThe TOE is a software application that runs in the context of an operating system. AppRadar includes two system components: 1) a console, which serves as a data collector and provides a web-based front end and 2) a number of sensors that monitor databases on a host or on the network and send collected data back to the console.
\r\nThe AppRadar Console provides capabilities to initialize and manage the TOE and to view alerts and audit data collected by the Sensors. The TOE relies on the operational environment to ensure all communication between the Console and Sensors uses HyperText Transfer Protocol Secure (HTTPS) or SOAP over HTTPS.
\r\nThe AppRadar Console allows users to:
\r\nAppRadar Sensors monitor database activity; there is a sensor associated with each database monitored. There are two types of AppRadar sensors:
\r\nAppRadar Sensors monitor for a variety of events such as intrusion attempts or auditing of normal usage as defined by TOE policies and filters. Audit records and Alerts are created by the sensors based on database events.
\r\nAn alert is a notification of a monitored event detected on the database host or network and an audit is a record of standard database activity. AppRadar Sensors generates alerts for activities defined as security events by the TOE policies. The alerts and audit records are sent via a network connection to the AppRadar Console (actually its Message Collector component) and are stored in the Microsoft SQL[1] Data Repository (i.e., backend database), which is outside the TOE boundary.
\r\nThe TOE consists of an AppRadar Console, which includes the AppRadar Console service and Message Collector software applications, and a number of AppRadar Sensors, which are also software applications.
\r\nThe TOE is distributed with Tomcat Engine 5.5.20 to facilitate the web-based management interface. Although Tomcat is provided with the TOE installer, it is considered to be in the operational environment of the TOE.
\r\nThe following lists the TOE's requirements for the supporting operational environment:
\r\nDatabases monitored:
\r\nAppRadar monitors the following databases and versions:
\r\n| \r\n AppRadar Sensor Type \r\n | \r\n\r\n Database Platform \r\n | \r\n\r\n Versions \r\n | \r\n
| \r\n Network-based Sensor \r\n | \r\n\r\n Oracle \r\n | \r\n\r\n Oracle 7.x, Oracle 8, 8i, 9i, 9iR2, 10g, 10gR2 \r\n | \r\n
| \r\n Sybase \r\n | \r\n\r\n Sybase ASE 11.x through 15 \r\n | \r\n|
| \r\n IBM DB2 \r\n | \r\n\r\n IBM DB2 UDB version 8 and 9 \r\nIBM DB2 for zSeries v7 and v8 \r\n | \r\n|
| \r\n Host-based Sensor \r\n | \r\n\r\n Microsoft SQL Server \r\n | \r\n\r\n Microsoft SQL Server 2008 (all editions) \r\nMicrosoft SQL Server 2005 (all editions) \r\nMicrosoft SQL Server 2000 (all editions) \r\n | \r\n
| \r\n Oracle \r\n | \r\n\r\n Oracle 9iR2, 10g, and 10gR2 \r\n | \r\n|
| \r\n IBM DB2 \r\n | \r\n\r\n IBM DB2 UDB version 8 and 9 \r\n | \r\n
\r\n
AppRadar Console requirements:
\r\nNote that the Windows Data Protection API (DPAPI) is required to encrypt backend database credentials if Windows authentication is not used.
\r\nNote the browser requirement applies to any host from which the AppRadar Console might be accessed, including the local host.
\r\nNote that OpenSSL is also used to encrypt (and thereby protect) database credentials used by the host-based sensors.
\r\nNote that Tomcat 5.5.20, distributed with the TOE, is required to enable the web-based management front end of the TOE.
\r\nAppRadar Host-based Sensor requirements:
\r\nAppRadar Network-based Sensor requirements:
\r\n\r\n
[1] Note that the AppRadar Console can be configured to utilize a Microsoft SQL server that is running either on the same host server or on another server that is continuously accessible via a network connection. Note also that the TOE can be configured to either use Windows authentication for database access or alternately to use database authentication. In the latter case, the TOE stores the applicable database credentials using Windows Data protection API (DPAPI) to protect them and recall them when needed.
","evaluation_configuration":null,"security_evaluation_summary":"The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process. The criteria against which the DbProtect AppRadar 2009.1 R2 TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1. The evaluation methodology used by the Evaluation Team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1. Science Applications International Corporation (SAIC) determined that the evaluation assurance level (EAL) for the product is the EAL2 family of assurance requirements, augmented with ALC_FLR.2 (Flaw reporting procedures). The product satisfies all of the security functional requirements stated in the DbProtect AppRadar 2009.1 R2 Security Target, when configured as specified in the supplied guidance documentation.
\r\nA validation team on behalf of the CCEVS Validation Body monitored the evaluation carried out by SAIC. The evaluation was completed in April 2012. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-VID10258-2012), prepared by CCEVS.
","environmental_strengths":"DbProtect AppRadar 2009.1 R2 provides a low to moderate level of independently assured security in a conventional TOE and is suitable for a cooperative non-hostile environment with good physical access security and competent administrators.
\r\nDbProtect AppRadar 2009.1 R2 supports the following security functions:
\r\nDbProtect AppRadar 2009.1 R2 generates audit records for administrator operations, including attempts to access the TOE and its data and any configuration changes made to the TOE. The audit records are stored in the backend database and can be queried by the TOE to facilitate review of those records.
\r\nDbProtect AppRadar 2009.1 R2 provides security management functions to allow installation of TOE sensor components, modifications to TOE policies and filters, creation and modification of report templates, and loading of database login IDs and Passwords. The functions are accessible via an SSL-enabled web-browser. Each user is required to be identified an authenticated, using services of the host operating system (OS), and must be in one of the two pre-defined OS groups associated with the TOE in order to get access to the corresponding functions. Once a user is identified, authenticated and found to be associated with only one of the applicable groups, the corresponding functions are presented to the user so they can be used.
\r\nDbProtect AppRadar 2009.1 R2 monitors database functions based on policies and filters defined in the TOE by the AppRadar Administrator. Both normal database usage and security events are monitored and records are generated. Security events, as defined by TOE policies, cause the TOE to generate an alert that is sent to the Console.
\r\nIn general, the database monitoring is performed by AppRadar Sensor components that are configured to monitor associated databases in accordance with their individual configurations. The AppRadar Sensor components are centrally managed via the AppRadar Console component and report the results of monitoring to the AppRadar Console so that they can be centrally accessed.
\r\nNote that AppRadar includes both host-based and network-based sensors. Host-based sensors reside on the same host as the database that they monitor, while network-based sensors reside on the same network as the database that they monitor. Host-based sensors use database credentials in order to monitor database activities, while network-based sensors monitor network traffic to discern database activities. Both types of sensors perform similar monitoring functions, though given the differences in mechanics there are some differences in their function.
\r\nThe TOE relies on SSL in the operational environment to protect stored host-based database credentials. The TOE also relies on the Windows Data Protection API (DPAPI) to protect credentials for its backend database when Windows authentication is not being used.
","features":[]}