Vendor Provided Validation Details - ThreatGuard Secutor Magnus with ThreatView 4

The following text was provided by the vendor during testing to describe how the product implements the specific capabilities. 

Statement of FDCC Compliance

Secutor Magnus provides a variety of options to perform FDCC computer security assessments.  Secutor Magnus operates agentlessly, agent-based, or with any combination of the two.  In most cases, some modifications of the FDCC configuration are required to perform these assessments.  For agentless operation, these modifications may differ depending on whether the computer is a member of an Active Directory Domain or is standalone.

Agent-Based Assessments

Secutor Magnus offers a listening agent that can be installed on computers.  The Secutor Magnus server communicates with the agent over a FIPS-199 compliant TLS tunnel.  The agent requires a single inbound port be available to accept communication from the Secutor Magnus server.  By default that port is TCP 2650, but it is configurable.  The host-based firewall on each computer must be properly configured to allow this inbound communication to occur.

Agentless Assessments

The FDCC configurations are slightly different between Windows XP and Windows Vista, therefore the Secutor Magnus deviation requirements slightly differ between the two.  For Windows XP computers that are members of an Active Directory Domain, no modifications to the FDCC are required.  Standalone XP computers require an exception to the host-based firewall rules to permit file and print sharing on TCP port 445.  Opening this port enables Secutor Magnus to utilize Microsoft's built-in remote administration facilities to perform remote security assessment.

Like Windows XP, Microsoft Vista also requires inbound TCP port 445 be permitted through the host-based firewall.  That is true for both Active Directory Domain members and standalone systems.  Each of these configurations also requires the Remote Registry service be started.  Unlike Windows XP, the Vista FDCC configuration has this service disabled and stopped by default.  The Remote Registry service is used by Secutor Magnus to enumerate registry values that help determine the security posture of computers.  Finally, standalone Vista systems require the registry value LocalAccountTokenFilterPolicy be added and set to "1".  By default, the User Access Control system in Windows Vista does not permit local Security Account Manager accounts to be used for remote administration.  Setting this registry value allows standalone Vista computers to be remotely administered and assessed.

Statement of SCAP Implementation    

Secutor Magnus is built around support for the Security Content Automation Protocol (SCAP).  SCAP is a collection of six open standards developed jointly by the government and private sector.  Security content written to the SCAP standard can be used by any product that supports the standard.  This gives regulatory authorities and configuration managers a means to construct much more definitive guidance than was possible in the past.  The guidance is written in the standard format and passed to security products for automated processing and reporting; common input and common output.  Secutor Magnus includes support for all six protocols.  It uses the XCCDF and OVAL assessment protocols to determine what items to check and how to check them.  It uses the CPE, CCE, CVSS, and CVE reference protocols to ensure all rules are accurately and appropriately reflected in the system.  The SCAP standard references are visible in the interface, reports, and export files.

Using Secutor Magnus, ThreatGuard presented the first live demonstration of SCAP-driven compliance assessments against HP-UX, Solaris, Red Hat Enterprise Linux, and Cisco IOS at the 3rd annual NIST Security Automation Conference, held September 2007.

Statement of CVE Implementation  

Secutor Magnus includes support for Common Vulnerabilities and Exposures (CVE) names.  CVE provides standardized references to known vulnerabilities.   This unique identifier provides a common way to refer to vulnerabilities.  CVE is the oldest of the six protocols and is directed at vulnerabilities rather than compliance items.  Patch content can optionally refer to CVE names, allowing the end user to track attack vectors associated with missing patches.  The XCCDF and OVAL compliance checks currently do not reference CVE names. Secutor Magnus raises the CVE references from the SCAP patch content to populate the user interface and reports.  The CVE name is included on the Details tab of the Secutor Magnus Failures Viewer for each listed patch check.  Secutor Magnus can also perform vulnerability assessments using the included Open Vulnerability and Assessment Language (OVAL) content.  The References tab of the Failures Viewer includes the CVE name and a link to the NVD site for each CVE name.

Statement of CCE Implementation   

Secutor Magnus includes support for Common Configuration Enumeration (CCE) references.  CCE provides a standard notation and reference for configuration settings.  The SCAP data stream contains CCE tags in the XCCDF documents.  ThreatGuard raises the CCE references from the SCAP content to populate user interfaces, reports, and exports.

By including CCE references in the content, SCAP supports a wide range of comparison possibilities.  Configuration items can be tracked and compared across multiple systems using any combination of SCAP compatible tools.  Magnus fully supports this concept of interoperability by simply processing the SCAP content as intended.

Exports provided by the Secutor line of products include the ThreatGuard Results (Tiger) format.  This format was developed to insulate integrators from the intricacies and evolutions of the SCAP languages.  Each configuration check includes the CCE reference, enabling the integrator to easily process SCAP data properly.  Tiger was designed to give any product a fast track to SCAP compatibility and validation; CCE is a key ingredient.

Statement of CPE Implementation    

Secutor Magnus includes automated support for the Common Platform Enumeration (CPE) standard.  CPE provides a standard notation and reference to operating systems and applications.  An operating system can be referred to in many different ways such as "Windows XP" vs. "Microsoft Windows XP".  CPE introduces a standard notation, such as "cpe:/o:microsoft:windows_xp" and "cpe:/a:microsoft:ie:7", enabling products to share SCAP results without pre-coordinating operating system and application references.

The SCAP data stream provides OVAL-based checks that precisely determine whether or not a benchmark applies to a network asset.  Compatible tools can use these tests to decide whether or not to assess a benchmark; they can also use this check to filter the list of available benchmarks for a selected network asset.  Secutor Magnus executes the CPE check to automatically select benchmarks that are applicable to a target system.   The user simply defines a set of network assets to assess, and Magnus automatically determines which benchmarks to assess for each individual target.  The user can enable or disable any benchmark; Magnus applies all enabled and applicable benchmarks to each target in the scan range.  The Secutor Magnus report and export files also include the applicable operating system or application CPE reference.
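The benchmark selection described above, as an added example that is not ThreatGuard's code: it parses CPE 2.2 names such as "cpe:/o:microsoft:windows_xp", applies the CPE 2.2 matching rule (a component the benchmark's platform name leaves unspecified matches anything on the target), reads the <platform idref="..."> elements of each XCCDF Benchmark, and keeps only the benchmarks that apply to a target. The XCCDF fragments, benchmark ids and target CPE lists are constructed for the demo; a real tool would obtain the target's CPE names from the CPE OVAL checks the text mentions.

```python
"""Pick the XCCDF benchmarks that apply to a target from CPE 2.2 names.

Added example, not ThreatGuard code.  The XCCDF fragments and the target
CPE lists below are constructed for the demo; the benchmark ids are made up.
"""
import xml.etree.ElementTree as ET
from urllib.parse import unquote

# CPE 2.2 URI components, in order:
# cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
COMPONENTS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe22(name):
    """Split a CPE 2.2 URI into its seven components.

    Trailing components that are not given come back as "" (unspecified).
    Percent-encoded characters are decoded and everything is lower-cased,
    because CPE comparison is case-insensitive.
    """
    if not name.startswith("cpe:/"):
        raise ValueError(f"not a CPE 2.2 URI: {name!r}")
    fields = name[len("cpe:/"):].split(":")
    if not fields[0] or len(fields) > len(COMPONENTS):
        raise ValueError(f"malformed CPE 2.2 URI: {name!r}")
    fields += [""] * (len(COMPONENTS) - len(fields))
    return tuple(unquote(f).lower() for f in fields)


def cpe_matches(pattern, candidate):
    """CPE 2.2 name matching: every component the pattern specifies must equal
    the candidate's, and a component the pattern leaves empty matches anything.
    So cpe:/o:microsoft:windows_xp applies to cpe:/o:microsoft:windows_xp::sp2,
    but cpe:/o:microsoft:windows_xp::sp3 does not apply to the bare XP name."""
    return all(p == "" or p == c
               for p, c in zip(parse_cpe22(pattern), parse_cpe22(candidate)))


def benchmark_platforms(xccdf_xml):
    """Return (benchmark id, [platform idrefs]) from an XCCDF Benchmark document.

    The namespace is read from the root element so XCCDF 1.1 and 1.2 both work.
    """
    root = ET.fromstring(xccdf_xml)
    ns = root.tag[1:root.tag.index("}")] if root.tag.startswith("{") else ""

    def tag(local):
        return f"{{{ns}}}{local}" if ns else local

    if root.tag != tag("Benchmark"):
        raise ValueError("root element is not an XCCDF Benchmark")
    platforms = [p.get("idref") for p in root.findall(tag("platform")) if p.get("idref")]
    return root.get("id"), platforms


def applicable_benchmarks(benchmarks_xml, target_cpes):
    """Ids of the benchmarks whose <platform> list matches one of the target's CPEs.

    XCCDF treats a Benchmark with no <platform> element as applying to every
    target, so such benchmarks are always selected.
    """
    selected = []
    for xml in benchmarks_xml:
        bench_id, platforms = benchmark_platforms(xml)
        if not platforms or any(cpe_matches(p, t) for p in platforms for t in target_cpes):
            selected.append(bench_id)
    return selected


# Constructed XCCDF 1.1 fragments (only the parts needed for platform selection).
BENCHMARKS = [
    '<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="fdcc-windows-xp">'
    '<platform idref="cpe:/o:microsoft:windows_xp"/></Benchmark>',
    '<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="fdcc-windows-vista">'
    '<platform idref="cpe:/o:microsoft:windows_vista"/></Benchmark>',
    '<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="fdcc-ie7">'
    '<platform idref="cpe:/a:microsoft:ie:7"/></Benchmark>',
    '<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.1" id="site-baseline"/>',
]

# Constructed CPE inventories for two targets, as a CPE OVAL check might report them.
XP_SP2_HOST = ["cpe:/o:microsoft:windows_xp::sp2", "cpe:/a:microsoft:ie:7"]
VISTA_HOST = ["cpe:/o:microsoft:windows_vista", "cpe:/a:microsoft:ie:6"]

if __name__ == "__main__":
    for label, cpes in (("xp-sp2", XP_SP2_HOST), ("vista", VISTA_HOST)):
        print(label, "->", applicable_benchmarks(BENCHMARKS, cpes))
```

Only Benchmark-level <platform> elements are considered here; XCCDF also allows <platform> on individual Groups and Rules, which a full implementation evaluates the same way when deciding whether to run each rule. Note the asymmetry of the matching rule: a benchmark written for the bare product name applies to any service-pack level, while a benchmark pinned to a service pack does not apply to a target whose CPE omits it.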

Statement of CVSS Implementation   

Secutor Magnus provides support for the Common Vulnerability Scoring System (CVSS).  CVSS represents a standardized approach to measuring the impacts of IT vulnerabilities.   Each CVE includes an associated CVSS vector for use in calculating the relative severity of vulnerabilities.  The SCAP data stream currently uses a flat scoring methodology, giving all compliance checks the same "weight" (level of importance).  These weights are compatible with CVSS scoring.  NIST, through their National Vulnerability Database (NVD), plans to include CVSS vectors and scores for each CCE compliance item.  That will enable Secutor Magnus to provide a more informative view of the relative impact of mis-configuration issues.  Likewise, the Secutor libraries include a CVSS calculator which can be used to calculate a score (from 0 to 10) given a CVSS vector.  The references tab in Secutor Prime also includes links to the NVD to view the CVSS vectors, giving the user access to the online CVSS calculator hosted at NIST.  As CVSS grows to play a larger role in SCAP, ThreatGuard products stand ready to support.

Statement of OVAL Implementation   

Statement of XCCDF Implementation    

Secutor Magnus includes seamless support for the eXtensible Configuration Checklist Description Format (XCCDF).  XCCDF specifies system settings for automated tools to assess.  XCCDF specifies what to check.  It is the primary protocol required to process the SCAP data stream.  The Secutor XCCDF interpreting engine has been exercised by thousands of users in hundreds of Federal Agencies, hundreds of commercial sites, and over fifty countries.  Compliance checklist content, like those developed by NIST for the Federal Desktop Core Configuration (FDCC), is written in the standard XCCDF format.  These files are included with Secutor Magnus and are used by the product to generate the groups and lists of rules to be checked.  The product then uses information from the XCCDF file to perform the assessment as specified in the accompanying Open Vulnerability and Assessment Language (OVAL) file.  Secutor Magnus generates and displays assessment results in the graphical interface, reports, and export files based on the structure and content of the XCCDF benchmark.