Name of Your Organization:

NSFocus Information Technology (Beijing) Co., Ltd.

Web Site:

http://www.nsfocus.com

Adopting Capability:

NSFocus Next-Generation Firewall (NF)

Capability home page:

http://www.nsfocus.com/1_solution/1_2_15.html

General Capability Questions

Product Accessibility <CR_2.4>

Provide a short description of how and where your capability is made available to your customers and the public (required):

NSFOCUS makes information about security vulnerabilities publicly available on its website; customers can also download and install product updates on the website.

Related resources and links:

NSFOCUS Vulnerability Database:
http://www.nsfocus.net/index.php?act=sec_bug (Chinese)

NSFOCUS NF Component Update:
http://update.nsfocus.com/update/listNf (Chinese)

Mapping Questions

Map Currency Indication <CR_5.1>

Describe how and where your capability indicates the most recent CVE version used to create or update its mappings (required):

We check for new CVE versions and complete related updates in the next regular update.

Map Currency Update Approach <CR_5.2>

Indicate how often you plan on updating the mappings to reflect the current CVE content and describe your approach to keeping reasonably current with the CVE content when mapping them to your repository (required):

We review CVE website weekly, and will generate a list of CVE names to be updated via script tools within 3 days if any new CVE version is made available, then complete the update in a few days afterwards, depending on the amount of CVE entries to be updated and workload at that time.

Map Currency Update Time <CR_5.3>

Describe how and where you explain to your customers the timeframe they should expect an update of your capability’s mappings to reflect newly available CVE content (required):

NSFOCUS NF is updated weekly. Any revisions to CVE information during update intervals will be timely included in the update file. We will not make any specific explanation to CVE version for the customers.

Map Content Selection Criteria <CR_5.4>

Describe the criteria used for determining the relevance of a given CVE Identifier to your Capability (required):

We track all the latest new reported CVE and update to web site and then be update to capability, every CVE Identifier is relevant by capability when found.

Map Currency Update Mechanism <CR_5.4>

Describe the mechanism used for reviewing CVE for content changes (required):

We review CVE website weekly, and will generate a list of CVE names to be updated via script tools within 3 days if any new CVE version is made available, and we also track the CVE change log on website by tools which will notice us about the latest change on time.

Map Content Source <CR_5.5>

Describe the source of your CVE content (required):

https://cve.mitre.org
Documentation Questions

CVE and Compatibility Documentation<CR_4.1>

Provide a copy, or directions to its location, of where your documentation describes CVE and CVE compatibility for your customers (required):

We describe the CVE and CVE compatibility information in the help file named "rule help.chm" for our customers.

Documentation of Finding Elements Using CVE Names <CR_4.2>

Provide a copy, or directions to its location, of where your documentation describes the specific details of how your customers can use CVE names to find the individual security elements within your capability’s repository (required):

CVE names may be used as a search criterion from the search page in the help file, the following steps shows the search capability:
  1. Open the help file and change to the search tab.
  2. Input CVE name or other key word.
  3. Click the list topic button.
  4. List the related entries to the input key word, then select an entry to display the details.

CVE and Compatibility Documentation

CVE and Compatibility Documentation

Documentation of Finding CVE Names Using Elements <CR_4.3>

Provide a copy, or directions to its location, of where your documentation describes the process a user would follow to find the CVE names associated with individual security elements within your capability’s repository (required):

CVE element's any key words may be used as a search criterion from the search page in the help file, the following steps shows the search capability:

  1. Open the help file and change to the search tab.
  2. Input CVE element key word.
  3. Click the list topic button.
  4. List the related entries to the input key word, then select an entry to display the details especially the CVE name.

CVE and Compatibility Documentation

CVE and Compatibility Documentation

Documentation Indexing of CVE-Related Material <CR_4.4>

If your documentation includes an index, provide a copy of the items and resources that you have listed under "CVE" in your index. Alternately, provide directions to where these "CVE" items are posted on your web site (recommended):

For NSFOCUS NF, a list of CVE-related vulnerability is conveniently available by searching "CVE" in its Help file.

Type-Specific Capability Questions

Tool Questions

Finding Tasks Using CVE Names <CR_A.2.1>

Give detailed examples and explanations of how a user can locate tasks in the tool by looking for their associated CVE name (required):

Users can utilize product's online Help in order to find related CVEs and information about the corresponding CVE. Links to https://cve.mitre.org are also commonly available.

Finding CVE Names Using Elements in Reports <CR_A.2.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the tool allows the user to determine the associated CVE names for the individual security elements in the report (required):

CVE details and links are provided in most NSFOCUS NF alerts if only corresponding CVE name is available. Each available CVE can be searched by its name in NSFOCUS NF online Help.

Getting a List of CVE Names Associated with Tasks <CR_A.2.4>

Give detailed examples and explanations of how a user can obtain a listing of all of the CVE names that are associated with the tool’s tasks (recommended):

A user can obtain a listing or all vulnerabilities and related CVE from within the online Help, The user can enter 'CVE' and 'Search'. The total number of vulnerabilities is then listed in the left view pane followed by each vulnerability name. CVEs are then listed in each vulnerability in the right hand view of Help window.

Selecting Tasks with a List of CVE Names <CR_A.2.5>

Describe the steps and format that a user would use to select a set of tasks by providing a file with a list of CVE names (recommended):

If there is no check in the online Help, the task associated to a selected CVE cannot be done.
Online Capability Questions

Finding Online Capability Tasks Using CVE Names <CR_A.4.1>

Give detailed examples and explanations of how a "find" or "search" function is available to the user to locate tasks in the online capability by looking for their associated CVE name or through an online mapping that links each element of the capability with its associated CVE name(s) (required):

From the search Webpage of NSFOCUS Security Information Database http://www.nsfocus.net/index.php?act=sec_bug, enter the CVE name in one of the following formats:

Format example:

CVE-YYYY-NNNN CVE-2004-0122
YYYY-NNNN 2004-0122
  1. Select "search by Keyword". The Keyword Search Results page appears.
  2. Under the displaying results list, select the appropriate link for more information. CVE and vulnerability details appear in the "Description" section.

Online Capability Interface Template Usage <CR_A.4.1.1>

Provide a detailed description of how someone can use your "URL template" to interface to your capability’s search function (recommended):

From the search Webpage of NSFOCUS Security information Database http://www.nsfocus.net/index.php?act=sec_bug, enter the CVE name in one of the following formats:

Format example:

CVE-YYYY-NNNN CVE-2004-0122
YYYY-NNNN 2004-0122

Online Capability CGI GET Method Support <CR_A.4.1.2>

If the URL template is for a CGI program, does it support the HTTP "GET" method? (recommended):

From the search Webpage of NSFOCUS Security Information Database http://www.nsfocus.net/index.php?act=sec_bug, enter the CVE name in the following formats:

Format example:
CVE

  1. Select "Search by Keyword". The Keyword Search results page appears.
  2. Under the displaying results list, select the appropriate link for more information. CVE and vulnerability details appear in the "description" section.

Finding CVE Names Using Online Capability Elements <CR_A.4.2>

Give detailed examples and explanations of how, for reports that identify individual security elements, the online capability allows the user to determine the associated CVE names for the individual security elements in the report. (required):

This capability is available on each Web page in product's alert detail section. For CVE names, the section lists the CVE name, a link to the MITRE CVE entry for the same name (opens in a new browser window).

For example: http://www.nsfocus.net/index.php?act=sec_bug&do=view&bug_id=6160&keyword=CVE-2004-0122

In "Description" section, CVE-2004-0122 is the CVE name of this entry, which links to the corresponding CVE information in MITRE website: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-0122 CVE names appearing in Description section are the latest CVE names. NSFOCUS Security Team will not keep revision history for specific security information-related CVE names.

Online Capability Element to CVE Name Mapping <CR_A.4.3>

If details for individual security elements are not provided, give examples and explanations of how a user can obtain a mapping that links each element with its associated CVE name(s), otherwise enter N/A (required):

From the search Webpage of NSFOCUS Security information Database http://www.nsfocus.net/index.php?act=sec_bug, enter the CVE name in one of the following formats:

Format example:

CVE-YYYY-NNNN CVE-2004-0122
YYYY-NNNN 2004-0122
Media Questions

Electronic Document Format Info <CR_B.3.1>

Provide details about the different electronic document formats that you provide and describe how they can be searched for specific CVE-related text (required):

NSFOCUS NF provide output in PDF, HTM, and RTF. Each is searchable via the browser, viewer, or editor chosen.

Electronic Document Listing of CVE Names <CR_B.3.2>

If one of the capability’s standard electronic documents only lists security elements by their short names or titles provide example documents that demonstrate how the associated CVE names are listed for each individual security element (required):

Currently when security elements are listed by titles, we provide no mapping in our reports on how a CVE name is related to each individual security element.
Graphical User Interface (GUI)

Finding Elements Using CVE Names Through the GUI <CR_B.4.1>

Give detailed examples and explanations of how the GUI provides a "find" or "search" function for the user to identify your capability’s elements by looking for their associated CVE name(s) (required):

CVE information can be found in the product Help text, it will detail what CVE is, and also covers details of detectable exploits and how to relate to corresponding CVE. Both Help texts can be searched by content, index, search, or favorites within the help module.

GUI Element to CVE Name Mapping <CR_B.4.2>

Briefly describe how the associated CVE names are listed for the individual security elements or discuss how the user can use the mapping between CVE entries and the capability’s elements, also describe the format of the mapping (required):

In our Vulnerability Details section within the product we have the associated CVEs included in the vulnerability description. Click CVE name, then a new browser page that links to corresponding CVE name in MITRE website will appear.

GUI Export Electronic Document Format Info <CR_B.4.3>

Provide details about the different electronic document formats that you provide for exporting or accessing CVE-related data and describe how they can be searched for specific CVE-related text (recommended):

Export document provides output in HTML and RTF format. Each is searchable via the browser or editor chosen according to CVE information.
Questions for Signature

Statement of Compatibility <CR_2.7>

Have an authorized individual sign and date the following Compatibility Statement (required):

"As an authorized representative of my organization I agree that we will abide by all of the mandatory CVE Compatibility Requirements as well as all of the additional mandatory CVE Compatibility Requirements that are appropriate for our specific type of capability."

Name: Brian Miao

Title: Product Manager

Statement of Accuracy <CR_3.4>

Have an authorized individual sign and date the following accuracy Statement (recommended):

"As an authorized representative of my organization and to the best of my knowledge, there are no errors in the mapping between our capability’s Repository and the CVE entries our capability identifies."

Name: Brian Miao

Title: Product Manager

Statement on False-Positives and False-Negatives <CR_A.2.8 and/or CR_A.3.5>

FOR TOOLS ONLY - Have an authorized individual sign and date the following statement about your tools efficiency in identification of security elements (required):

"As an authorized representative of my organization and to the best of my knowledge, normally when our capability reports a specific security element, it is generally correct and normally when an event occurs that is related to a specific security element our capability generally reports it."

Name: Brian Miao

Title: Product Manager

Page Last Updated or Reviewed: September 08, 2017