
CCTM ICD               Symantec Endpoint Protection




           CCTM IA CLAIMS DOCUMENT (ICD)
                           Symantec Endpoint Protection
                                    VERSION 11.0.6


VENDOR DETAILS

Symantec

350 Brook Drive, Green Park, Reading, United Kingdom RG2 6UH

Telephone Number: +44 (0)870 243 1080

Email:

Website: http://www.symantec.com/business/endpoint-protection




CERTIFICATE DETAILS
The table will be on the front cover of the Final ICD when this is published on the CCTM
Website

CCTM Certificate Number                      2011/10/0100
CCTM Awarded on                              12th October 2011
CCTM Award Expires on                        11th October 2012
ICD Issue Date                               12th October 2011




Symantec Endpoint Protection     Commercial in Confidence                      Page 1 of 11


                                  TABLE OF CONTENTS




      TABLE OF CONTENTS ......................................................... 2
1     INTRODUCTION .............................................................. 3
    1.1     Background ........................................................... 3
    1.2     Objectives ........................................................... 3
    1.3     Purpose of Document .................................................. 3
    1.4     Structure ............................................................ 3
2     IS PRODUCT DESCRIPTION .................................................... 4
    2.1     Product Name: Symantec Endpoint Security Version 11.0.6 ............. 4
    2.2     Product Overview ..................................................... 4
    2.3     Usage assumptions .................................................... 7
3     CCTM CLAIMS FOR THE IS PRODUCT OR SERVICE ................................. 9
    3.1     Claims Statements .................................................... 9







1 INTRODUCTION
1.1   Background
       This document outlines the IA claims made by Symantec in regard to
       the suitability of Symantec Endpoint Security as used by the UK Public
       Sector for an Anti-Malware product for Windows based operating
       systems providing greater protection for client and server operating
       systems. Symantec Endpoint Security is being tested under the CCT
       Mark Scheme which is aimed at providing information assurance at
       Government Impact Levels 1 and 2, for purchase by central
       government and the wider public sector, NHS, education, local
       authorities, police and criminal justice.


1.2   Objectives
      1.2.1      The objectives of this ICD are to provide:
       •      An overview of Symantec Endpoint Security and all information
              related to the security of Symantec Endpoint Security,
       •      Details of the IA claims made by Symantec Endpoint Security


1.3   Purpose of Document
1.3.1 This document is the ICD for Symantec Endpoint Security.

1.3.2 This ICD is the baseline document for the CCT Mark Claims Test of
      Symantec Endpoint Security


1.4   Structure
      The structure of this ICD is as follows:
       • Section 1 (this section) contains the introductory material.
       • Section 2 contains the description of functionality of Symantec
       Endpoint Security and all the information related to the security of
       Symantec Endpoint Security
       • Section 3 details the security functionality claims that are being made.







2 IS PRODUCT DESCRIPTION

2.1       Product Name: Symantec Endpoint Security
          Version 11.0.6
          Supported Operating Systems:

      •    Windows XP Professional with Service Pack 3 (32-bit edition) for client
           component.
      •    Windows Server 2008 for server component.
      •    Other operating systems are supported, but are out of scope for the
           consideration of this CCTM test – see section 2.2.5.



            Operating System          Version         Browser       Version

            Windows XP Professional   SP3 (32 bit)
            Windows Server            2008 Standard




2.2       Product Overview
      Symantec Endpoint Protection is a business security product for Windows
      based server operating systems, which provides multiple layers of
      endpoint protection technology in a single client, all of which is managed
      via a single management console. The protection technologies include
      Anti-virus/Anti-spyware scanning, Host-based Scanning, and Client
      Firewall.
      Features of the Symantec Endpoint Security software include (bracketed
      references refer to the detailed claims in section 3):

                  •   Detecting viruses (claim SEP-01)
                  •   Disinfecting viruses (claim SEP-02)
                  •   Detecting trojans (claim SEP-03)
                  •   Detecting spyware (claim SEP-04)


          2.2.1   Security architecture
The architecture used is as shown in Figure 1.1 below. The Symantec
Endpoint Protection Manager (SEPM) is a web server which runs both IIS and
Tomcat simultaneously. It stores all the data in a database which can run on
MS-SQL 2000, 2005 and 2008 (these are Out of Scope for the purposes of
this test as the lab will use the embedded database as detailed below) and
accesses this database regularly as part of normal operation.
SEP Clients that protect the laptops, desktops and servers communicate with
the SEPM over HTTP on TCP port 8014 by default. This port is configurable.
HTTPS can be used if required to secure the communications channel
between SEP Clients and the SEPM.
The console used to access the SEPM can be run either locally on the SEPM
machine or from any remote machine with network access to the SEPM. The
communications between the console and the SEPM happen over HTTPS.




    Fig 1.1 High level diagram of the various components & relationships



2.2.2   Hardware requirements
        This product installs on Windows Server and Windows endpoints. The
        hardware should meet at least the minimum specifications listed below.
        These are relatively low, and any recent servers from any of the major
        manufacturers should be able to cope adequately with these requirements.
        For example, the testing for this ICD will be conducted on an HP DL360 G7
        and an Acer Aspire T180.

Symantec Endpoint Protection client
  • RAM: 256 MB minimum
  • Hard drive: 600 MB (32-bit), 700 MB (x64)
  • Video: Super VGA (1,024x768) or higher-resolution video adapter and
    monitor

Symantec Endpoint Protection manager (Server component)
  • RAM: 1 GB minimum (2-4 GB recommended)
  • Hard drive: 4 GB for the server, plus an additional 4 GB for the
    database
  • Video: Super VGA (1,024x768) or higher-resolution video adapter and
    monitor


2.2.3    Software requirements
Supported operating systems and platforms

   •     Windows XP Professional with Service Pack 3 (32-bit edition)
   •     Windows Server 2008
   •     Other operating systems are supported, but are out of scope for the
         consideration of this CCTM test – see section 2.2.5.

Symantec Endpoint Protection Manager


         Software requirements
            • Internet Information Services server 5.0 or later, with World
              Wide Web services enabled
            • Internet Explorer 6.0 or later
            • Static IP address (recommended)


         Microsoft SQL Server (optional)
         Microsoft SQL Server is optional. The Symantec Endpoint Protection
         Manager comes with an embedded database suitable for networks up
         to about 5000 clients. If you choose to use Microsoft SQL Server, the
         following versions are supported:
             • Microsoft SQL Server 2000 with SP3 or above
             • Microsoft SQL Server 2005
             • Microsoft SQL Server 2008



Symantec Endpoint Protection Manager Remote Management Console
     • Sun Java JRE 6.0 (Update 14 or above recommended)


        2.2.4   Out of Scope

   •     Windows XP Professional x64 bit edition
   •     Windows Server 2003 Standard/Standard Edition/Enterprise
         Edition/Datacenter Edition/Storage Edition/Web Edition/Cluster
         Edition/Small Business Server (32-bit or x64 edition)
   •     Windows Server 2008 Enterprise/Datacenter/Web/Small Business
         Server (Standard and Premium)/Essential Business Server (Standard
         and Premium) (32-bit or x64 edition)
   •     Windows Server 2008 R2 (x64 edition) (New in Release Update 5)
   •     Microsoft Hyper-V and VMware VMotion
   •     Network Access Control and Compliance Checking (Host Integrity)
         capabilities
   •     On-demand and scheduled scanning performance impact on end user
         machines
   •     Integration with Active Directory for synchronisation of user, client
         machine and group/OU information
   •     Compatibility with Windows Security Center
   •     Virtualization Compatibility and Security
   •     Windows Server Core and Cluster Services Protection
   •     Blocking of the AutoRun feature on 64bit operating systems
   •     Symantec Endpoint Protection self-protection against processes other
         than those named in claim SEP-16
   •     Protection of Data at IL3 or above


  2.3 Usage assumptions
  2.3.1 Assets
           Assets to be protected include any data at IL2 or below on the client
           PC, laptop, or server operating system that could pose a risk or
           threat to an organisation or individual if compromised by infections.
           The following assets are to be protected by Symantec Endpoint
           Security:
               •   Client information
               •   Client IT system
               •   Client reputation
  2.3.2 Threat scenario
           Threats to assets which are countered are:
              viruses (Claim SEP-01)
              spyware (Claim SEP-04)
              trojans (Claim SEP-03)



2.3.3    Expected operational environment
        Supported platforms are listed in the “Supported Hardware” and
        “Supported Software” sections within this document.




     Symantec Endpoint Protection (SEP) can be fully centrally managed in
     a networked environment. For this to be possible the SEP clients must
     be able to communicate with the Symantec Endpoint Protection Manager
     (SEPM) over one of the standard defined network ports.

       Scale of Use

     A single Symantec Endpoint Protection Manager can manage up to
     30,000 SEP clients assuming MS-SQL server is used for the database
     and the hardware specification of the utilized platforms is sufficient.


     Protect sensitive data from external threats (malware related
     compromises and theft by Trojans and spyware, targeted data theft)


             2.3.3.1 Organisational security policies


     A Data Security policy should be in effect which states the following:
     “Other than data defined as public, which is accessible to all identified
     and authenticated users, the organisation should ensure that all data and
     processing resources are only accessible on a need to know basis to
     specifically identified, authenticated, and authorised entities.”



             2.3.3.2 Security requirements on the environment


•   The client IT/Security staff are professional and can carry out their duties.
•   Administrative access to the manager console of the Symantec Endpoint
    Protection product is strictly controlled and enforced so policy and
    configuration changes are carried out by only those with the appropriate
    rights and such changes are audited.
•   Logical and physical security is assured on the servers which run the
    Symantec Endpoint Protection manager and database software.







3 CCTM CLAIMS FOR THE IS PRODUCT OR SERVICE
3.1   Claims Statements

 SEP-01     Symantec Endpoint Protection is able to detect all viruses passing through it which
            have been included in the Checkmark Anti-Virus collections for the 12 months prior to
            the test.

 SEP-02     Symantec Endpoint Protection is able to disinfect all viruses passing through it which
            have been included in the Checkmark Anti-Virus disinfection collections for the 12
            months prior to the test.

 SEP-03     Symantec Endpoint Protection is able to detect all Trojans passing through it which
            have been included in the Checkmark Anti-Trojan collections for the 12 months prior
            to the test.

 SEP-04     Symantec Endpoint Protection is able to detect all spyware passing through it which
            have been included in the Checkmark Anti-Spyware collections for the 12 months
            prior to the test.

 SEP-05     Signature database updates, for detecting and blocking malware as per claim
            numbers SEP-01, SEP-02, SEP-03, and SEP-04, are delivered at least once every
            day.

 SEP-06     Symantec's inbuilt IPS technology is capable of blocking downadup/conficker remote
            network-based attacks. The related MS vulnerability is located at
            http://www.securityfocus.com/bid/31874. The IPS signatures that block the exploit
            attempt are MSRPC Server Service Buffer Overflow, RPC Server Service BO2, and
            the IPS signatures that block other related activity are HTTP W32 Downadup
            Downloader Activity, P2P Downadup Activity.

 SEP-07     SEP can block remote exploit attempts from the Aurora / Trojan.Hydraq attack (this is
            related to the "China / google" zero day IE vulnerability, see
            http://www.symantec.com/outbreak/index.jsp?id=trojan-hydraq).

 SEP-08     Each Windows vulnerability newly announced by Microsoft will be assessed by
            Symantec with a view to possible signature provision within 48 hours of the
            vulnerability being announced.

 SEP-09     It is possible to create a custom IPS signature, such as one to block the transfer of
            files with the .mp3 extension to/from machines that are running SEP.

 SEP-10     It is possible to create a firewall ruleset to block all incoming traffic except Remote
            Desktop connections and these can be configured to be logged.

 SEP-11     SEP can detect and report the presence of an active keylogger which is not detected
            by the more traditional signature-based AV/AS protection included within the product.

 SEP-12     SEP can be configured to automatically block the AutoRun feature of devices that are
            attached to machines running the SEP Client. Note: This currently only works on 32bit
            operating systems.

 SEP-13     SEP can be configured to log each file copied to USB devices connected to machines
            running SEP and make these logs centrally available via the management console for
            review (a default application control rule exists for this) by authorised users.

 SEP-14     SEP can be configured to allow all USB device types to connect, but users can only
            read from them, not write to them (a default application control rule exists for this).

 SEP-15     SEP can block the connection of all USB devices, except a specific model which has
            been specified as standard for their company.

 SEP-16     SEP can self-protect itself, so processes such as cmd.exe, taskman.exe,
            explorer.exe, regedit.exe cannot delete its registry keys, stop its services, delete its
            files or stop its drivers (a default application control rule exists for this). This extends
            to all processes but is outside of the scope of this testing (see out of scope section).

 SEP-17     SEP can be configured to switch policies silently and dynamically based on the
            network location of the machine. A common example of this is a laptop which moves
            in and out of the corporate network. SEP will switch both the firewall and Liveupdate
            policies automatically as this occurs. The trigger to monitor for the location switch can
            be set to IP subnet, domain suffix or domain lookup.

 SEP-18     It is possible to create a SEP firewall rule to block all inbound connections, and to only
            allow outbound connections to a specific IP address on a specific protocol/port (for
            example SSL/443).
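Claims SEP-17 and SEP-18 together describe location-aware policy switching and a default-deny firewall ruleset. The Python model below is an added illustration, not Symantec code: it applies the three SEP-17 location triggers (IP subnet, domain suffix, domain lookup) to pick a policy set, then evaluates connections against that set's first-match rules. The subnet, DNS names, addresses and policy contents are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    """One firewall rule. A None field matches anything; first matching rule wins."""
    direction: str                     # "in" or "out"
    action: str                        # "allow" or "block"
    remote_ip: Optional[str] = None
    protocol: Optional[str] = None
    port: Optional[int] = None
    log: bool = False                  # SEP-10: matched connections can be logged

    def matches(self, direction: str, remote_ip: str, protocol: str, port: int) -> bool:
        return (direction == self.direction
                and (self.remote_ip is None or self.remote_ip == remote_ip)
                and (self.protocol is None or self.protocol == protocol)
                and (self.port is None or self.port == port))


# Constructed policy sets (assumption): one per location, each with a firewall
# ruleset and the LiveUpdate source the client should use there (SEP-17).
POLICIES = {
    "corporate": {
        "firewall": [Rule("in", "allow", protocol="tcp", port=3389, log=True),  # RDP only, logged
                     Rule("in", "block"),
                     Rule("out", "allow")],
        "liveupdate": "internal SEPM",
    },
    "off-network": {
        "firewall": [Rule("in", "block"),                                        # SEP-18: no inbound
                     Rule("out", "allow", remote_ip="203.0.113.10", protocol="tcp", port=443),
                     Rule("out", "block")],
        "liveupdate": "Symantec LiveUpdate over HTTPS",
    },
}

CORP_SUBNET = ipaddress.ip_network("10.20.0.0/16")   # constructed
CORP_SUFFIX = "corp.example"                           # constructed
CORP_SEPM_FQDN = "sepm.corp.example"                   # constructed; resolves only on internal DNS


def detect_location(client_ip: str, dns_suffix: str,
                    resolve: Callable[[str], Optional[str]]) -> str:
    """Apply the SEP-17 triggers in order: IP subnet, domain suffix, domain lookup."""
    if ipaddress.ip_address(client_ip) in CORP_SUBNET:
        return "corporate"
    suffix = dns_suffix.lower()
    if suffix == CORP_SUFFIX or suffix.endswith("." + CORP_SUFFIX):
        return "corporate"
    if resolve(CORP_SEPM_FQDN) is not None:
        return "corporate"
    return "off-network"


def evaluate(location: str, direction: str, remote_ip: str,
             protocol: str, port: int) -> Tuple[str, bool]:
    """Return (action, logged) for one connection under the location's ruleset."""
    for rule in POLICIES[location]["firewall"]:
        if rule.matches(direction, remote_ip, protocol, port):
            return rule.action, rule.log
    return "block", True   # implicit default-deny if no rule matched


if __name__ == "__main__":
    public_dns = lambda name: None      # constructed: the SEPM name does not resolve off-network
    loc = detect_location("192.0.2.44", "home.lan", public_dns)
    print(loc, "->", POLICIES[loc]["liveupdate"],
          evaluate(loc, "in", "198.51.100.7", "tcp", 3389),
          evaluate(loc, "out", "203.0.113.10", "tcp", 443))
```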




ANNEX A       GLOSSARY OF TERMS
Spyware              Spyware refers to a broad category of malicious software designed to
                     intercept or take partial control of a computer's operation without the
                     informed consent of that machine's owner or legitimate user.
Trojan               A malicious program that steals and exports data to an attacker from
                     the computer it has infected without the awareness of the authorised
                     user(s) and/or system owner.
Virus                A computer virus is a self-replicating computer program that spreads
                     by inserting copies of itself into other executable code or documents
                     and is intended to cause damage.
HTTP                 Hypertext Transfer Protocol
HTTPS                Hypertext Transfer Protocol Secure
FTP                  File Transfer Protocol
WildList             The WildList as published by the WildList Organisation
                     (http://www.wildlist.org) of most prevalent viruses.
Malware              A broad category of malicious software designed to cause damage to
                     the computer it has infected.




ANNEX B  MARKETING STATEMENT TO BE USED (IF THE CLAIM IS
SUCCESSFUL)
Symantec Endpoint Protection delivers antivirus and antispyware signature-
based protection for endpoint hosts and operates a client-server model. It
includes administrative control features that allow the administrator to deny
specific device and application activities deemed as high risk for your
organization. Further, it is possible to block specific actions based upon the
location of the user. This approach can significantly lower risks and gives a
company the confidence that their business assets are protected against
malware for laptops, desktops and servers. It seamlessly integrates essential
security technologies in a single agent and management console, thus
leading to increased protection. It is a comprehensive product that provides
the capabilities needed whether the attack is coming from a malicious insider
or is externally motivated, and ensures that endpoints can be protected.


The CCTM test conducted on the solution does not cover the full range of
functionality – a number of other areas are not covered – please refer to the
original ICD on the CCTM web site for further details.



