Security Target – Version 1.8 1 Oullim Information Technology, Inc. COMMERCIAL IN CONFIDENCE

Oullim Information Technology, Inc.
ActiveTSM V3.0 Security Target
Version 1.8
Update date: June 03, 2006

< Contents >

1 Security Target Introduction
1.1 ST and TOE Identification
1.2 Conventions, Terminology, and Acronyms
1.2.1 Conventions
1.2.2 Terminology
1.3 Security Target Overview
1.4 Common Criteria Conformance
2 TOE Description
2.1 Product Type
2.1.2 TOE Environment
2.2 Product Components
2.3 Scope and Boundaries of the Evaluated Configuration
2.3.1 Physical Scope and Boundaries
2.3.2 Logical Scope and Boundaries
3 TOE Security Environments
3.1 Assumptions
3.2 Threats
3.2.1 Threats Addressed by the TOE
3.2.2 Threats Addressed by the Operating Environment
3.3 Organization Security Policies
4 Security Objectives
4.1 Security Objectives for the TOE
4.2 Security Objectives for the Environment
5 IT Security Requirements
5.1 TOE Security Function Requirements
5.1.1 Security Functional Requirements (SFRs)
5.2 TOE Security Assurance Requirements
5.2.1 Configuration Management
5.2.2 Delivery and operation
5.2.3 Development
5.2.4 Guidance documents
5.2.5 Life cycle support
5.2.6 Tests
5.2.7 Vulnerability assessment
5.3 Security Requirements for the IT Environment
6 TOE Summary Specification
6.1 TOE Security Functions
6.1.1 Security Management (AT_ADMIN)
6.1.2 Audit (AT_AUDIT)
6.1.3 User Data Protection (AT_UDP)
6.1.4 Identification and Authentication (AT_INA)
6.1.5 Protection of Security Function (AT_PT)
6.2 Assurance Measures
7 Rationale
7.1 Rationale for IT Security Objectives
7.2 Rationale for Security Objectives for the Environments
7.3 Rationale for TOE Security Requirements
7.4 Rationale for Security Requirements of IT Environment
7.5 Rationale for Assurance Requirement
7.6 Rationale for SOF
7.7 Rationale for TOE Summary Specification
7.7.1 TOE Security Functions
7.7.2 TOE SOF Claims
7.7.3 TOE Assurance Requirements
7.8 Rationale for SFR Dependencies

< List of Figures >

[Figure 2-1] General TOE Network Architecture
[Figure 2-2] TOE Logical Architecture Diagram

< List of Tables >

[Table 2-1] Software
[Table 3-1] Assumptions
[Table 3-2] Threats against TOE
[Table 3-3] Threats against Assets under TOE Security Protection
[Table 3-4] Threats against TOE Operating Environment
[Table 3-5] Security Policy
[Table 4-1] TOE Security Objectives
[Table 4-2] Security Objectives for the Environment
[Table 5-1] Security Functional Requirements (SFRs)
[Table 5-2] Minimum Audit Target Events
[Table 5-3] Additional Audit Target Event
[Table 5-4] Security Attribute List
[Table 5-5] EAL4 Assurance Requirements
[Table 6-1] Traced Assurance Measures
[Table 7-1] Logical Mapping between Security Environment and TOE Security Objectives
[Table 7-2] Logical Mapping between Security Environment and IT Environment Security Objectives
[Table 7-3] Rationale for Security Objectives Equivalent to IPS PP
[Table 7-4] Rationale for Security Objectives for the Environment
[Table 7-5] Rationale for Security Functional Requirements
[Table 7-5] Mapping of SFRs to Security Functions
[Table 7-6] Assurance Measure Compliance Table
[Table 7-7] Satisfaction of Dependency of SFR Security Functional Requirements

1 Security Target Introduction

Chapter 1 provides identification information and an overview of this Security Target (ST).
This ST also describes the product type and the TOE scope and boundaries in Chapter 2, the threats and assumptions of the TOE in Chapter 3, the security objectives and requirements in Chapters 4 and 5, the security functions that meet the TOE requirements in Chapter 6, and the rationale in Chapter 7.

1.1 ST and TOE Identification

Section 1.1 provides the information necessary for identification and control of this ST and of the Target of Evaluation (TOE), ActiveTSM V3.0.

ST Title: Oullim Information Technology, Inc. ActiveTSM V3.0 Security Target Version 1.8
ST Version: V1.8
ST Specification prepared on: July 3, 2006
Authors: Oullim Information Technology, Inc., Lee, Su-Yeon
TOE Identification: ActiveTSM V3.0
CC Identification: Common Criteria for Information Technology Security Evaluation V2.3 (MIC Notice No. 2005-25)
PP Identification: None
Evaluation Assurance Level: EAL4
ST Evaluation: Korea Information Security Agency (KISA)
Keywords: Security Management, Identification and Authentication, Intrusion Detection System (IDS), Firewall, Intrusion Prevention System (IPS), Access Control

1.2 Conventions, Terminology, and Acronyms

This section identifies the formatting conventions used to convey additional information and the terminology that has specific meaning. It also defines the abbreviations and acronyms used throughout the remainder of the document.

1.2.1 Conventions

This section describes the conventions used to denote CC operations on security requirements and to distinguish text with special meaning. The notation, formatting, and conventions used in this ST are largely consistent with those used in the CC. Selected presentation choices are discussed here to aid the reader of the Security Target.

The CC allows four operations to be performed on functional requirements: refinement, selection, assignment and iteration.

- Refinement: a refinement adds detail to a CC requirement so as to further restrict it. The result of a refinement operation is shown in bold letters.
- Selection: a selection chooses one or more of the options the CC provides when stating a requirement. The result of a selection is shown in underlined italics.
- Assignment: an assignment gives a specific value to a parameter that the CC leaves unspecified (e.g. password length). The result of an assignment operation is shown in square brackets, i.e. [assigned_value].
- Iteration: an iteration is used when a component is applied more than once with different operations. The result of an iteration is shown as the iteration number in parentheses after the component identifier, i.e. (iteration number).

An 'Application Note' is provided to clarify the meaning of a requirement, to give information on options available during implementation, and to define the 'sat/unsat' (satisfied/unsatisfied) criteria for a requirement. Application Notes accompany the relevant requirements as needed.

1.2.2 Terminology

The following terms include terms defined in CC 1.3 that help in understanding this ST, and terms used by the ST authors.

Audit Trail – The set of disk records that record the users that access the system and their actions.
Audit Record – Audit data that is kept to record TOE security related events.
Object – An entity within the TSC that contains or receives information and upon which subjects perform operations.
Attack potential – The perceived potential for a successful attack, should an attack be launched, expressed in terms of an attacker's expertise, resources and motivation.
Strength of Function (SOF) – A qualification of a TOE security function expressing the minimum effort assumed necessary to defeat its expected security behaviour by directly attacking its underlying security mechanisms.
SOF-medium – A level of TOE strength of function where analysis shows that the function provides adequate protection against straightforward or intentional breach of TOE security by attackers possessing a moderate attack potential.
Enterprise Security Management – The system used to collect data on the user activities of control subject assets, analyze the data, and use it to conduct integrated control, operation and management based on a consistent set of policies at the enterprise level, so as to maximize the efficiency of security management and the security level.
Enterprise Security Management Agent System – A system that is a subject of TOE security control.
Security Target (ST) – A set of security requirements and specifications to be used as the basis for evaluation of an identified TOE.
Security attribute – Characteristics of subjects, users, objects, information and/or resources that are used for the enforcement of the TSP (TOE Security Policy).
Security Device Log – An audit log that records security related events that occur in an enterprise security management agent system of the TOE.
Security Device Data – Data including the status information of a TOE enterprise security management agent system (CPU, memory capacity and network traffic) and the packet information that is blocked or allowed at devices such as a firewall.
Distributed System – A system that is distributed physically over several computers and executed logically as a single program.
Human User – Any person who interacts with the TOE.
User – Any entity (human user or external IT entity) outside the TOE that interacts with the TOE.
User Data – Data created by and for the user, that does not affect the operation of the TSF.
Identity – A representation (e.g. a string) uniquely identifying an authorized user, which can either be the full or abbreviated name of that user or a pseudonym.
Role – A predefined set of rules establishing the allowed interactions between a user and the TOE (e.g. User, Administrator).
Operation – Actions applied to a component to counter a specific threat or to satisfy a specific security policy, as specified in the CC (e.g. Iteration, Selection, Refinement, Assignment).
Threat Agent – An unauthorized user or external IT entity that causes threats such as unauthorized access, editing or deletion of an information asset.
External IT Entity – Any IT product or system, untrusted or trusted, outside of the TOE that interacts with the TOE.
Authorized Administrator – TOE administrators include the Top Level Admin, Management Admin and Monitoring Admin, depending on their level of authority. Unless otherwise stated, the Authorized Admin referred to in this ST is the Top Level Admin. Lower level Admin users are configured by the Top Level Admin, and no Authorized Admin is allowed to perform any control function beyond the privileges granted to that role.
- Top Level Admin: the Authorized Admin with all privileges.
- Management Admin: the Authorized Admin with all privileges except addition, deletion and editing of Admin IDs, and deletion of audit logs.
- Monitoring Admin: the Authorized Admin who is permitted to perform event monitoring and system monitoring functions only.
Authentication Data – Information used to verify the claimed identity of a user.
Java Virtual Machine (Java VM) – Software that functions as a virtual CPU for executing compiled Java class files on a physical CPU.
Assets – Information or resources to be protected by the countermeasures of a TOE.
Information Protection System Common Criteria – Refers to the common criteria announced in the MIC Notice of May 21, 2005. This CC is a Koreanized version of CC v2.3, which has been developed internationally on the basis of a common language and understanding to accommodate the various criteria existing in different countries of the world.
Organizational Security Policies – One or more security rules, procedures, practices, or guidelines imposed by an organization upon its operations.
Dependency – A relationship between requirements such that the requirement that is depended upon must normally be satisfied for the other requirements to be able to meet their objectives.
Subject – An entity within the TSC that causes operations to be performed.
Abstract machine – An abstract machine can be a hardware or firmware platform, or a combination of hardware and software, that is known or evaluated to operate as a virtual machine. The abstract machine used in this functional package is an operating system if the TOE is application software, and firmware or hardware if the TOE is an operating system.
Intrusion Detection System (IDS) – A system that collects and analyzes user activities on assets under protection in order to detect illegal events in real time, and that takes countermeasures to protect the system based on the analysis results.
Intrusion Prevention System (IPS) – A system that detects illegal intrusion attempts or worms on a network and blocks the detected traffic.
Firewall – A system that blocks unauthorized access by controlling service requests on a network.
Target of Evaluation (TOE) – An IT product or system and its associated guidance documentation that is the subject of an evaluation.
Evaluation Assurance Level (EAL) – A package consisting of assurance components from CC Part 3 that represents a point on the CC predefined assurance scale.
TOE Security Function (TSF) – A set consisting of all hardware, software, and firmware of the TOE that must be relied upon for the correct enforcement of the TSP.
TOE Security Policy (TSP) – A set of rules that regulate how assets are managed, protected and distributed within a TOE.
TSF Data – Data created by and for the TOE, that might affect the operation of the TOE.
TSF Scope of Control (TSC) – The set of interactions that can occur with or within a TOE and are subject to the rules of the TSP.
Remote Method Invocation (RMI) – The technique that forms the basis of Java distributed systems.
1.3 Security Target Overview

This ST defines the TOE threats, assumptions, organizational security policy and security requirements, and describes the security objectives, security functional requirements and assurance requirements. It also provides the rationale for the proposed security objectives and requirements.

The TOE described in this ST has the following architecture.

- ActiveTSM V3.0 – Enterprise Security Management Agent System

The TOE is a software product that is installed in a Java VM environment (multi-platform support) to provide security management functions. The TOE is a security product that performs effective centralized security control of security products such as firewalls or VPNs.

1.4 Common Criteria Conformance

This ST conforms to the following evaluation criteria:

- Common Criteria (MIC Notice No. 2005-25)
- CC V2.3 Part 2 conformant
- CC V2.3 Part 3 conformant
- Evaluation Assurance Level 4 (EAL4) conformant

2 TOE Description

This chapter provides context for the TOE evaluation by identifying the product type and describing the evaluated configuration. The TOE satisfies the EAL4 assurance requirements of CC V2.3 Part 3.

2.1 Product Type

[Figure 2-1] General TOE Network Architecture

The TOE is installed at the points of the internal network where it connects to the enterprise security management agent systems, as shown in Figure 2-1. The enterprise security management agent systems of the TOE include Intrusion Detection Systems (IDS), firewalls, Intrusion Prevention Systems (IPS), general servers and network devices (such as routers).

The TOE is an integrated security management system that collects and analyzes the user activities of enterprise security management agent systems, and performs integrated control, operation and management of those systems at the enterprise level based on a consistent set of policies, so as to maximize the efficiency of security control activities and the security level. The detailed integrated security management functions provided by the TOE are as follows:

- Event Monitoring
- System Performance Monitoring
- Map Monitoring
- Correlation Analysis Monitoring

The TOE (Slave Server) collects and stores the data (security equipment logs and security equipment information) of the enterprise security management agent systems (IT entities) that are within its scope of control. Information is collected in two ways: directly from the enterprise security management agent system via standard interfaces such as SNMP (RFC 1157, RFC 1901) and Syslog (RFC 3195), or indirectly, where a TOE (Agent) is installed on the enterprise security management agent system and delivers the data via an API. When a TOE (Agent) sends data to a TOE (Slave Server), SSL-based RMI communication is used.

TOE users include IT entities and Authorized Administrators; the latter comprise the Top Level Admin, Management Admin and Monitoring Admin. Unless stated otherwise, an Authorized Admin refers to the Top Level Admin with all privileges; the roles of Management Admin or Monitoring Admin are named where necessary.

The Authorized Admin performs security administration functions using the TOE (Monitor), which can be used from within the internal network where the enterprise security management agent systems reside or from an external network. Configured security administration functions are sent to the TOE (Master Server), which in turn requests information from the TOE (Slave Server) when needed. Communication between the TOE (Monitor) and the TOE (Master) is done via SSL-based RMI communication.
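The administrator role model described above (Top Level Admin with all privileges, Management Admin without Admin-ID maintenance or audit-log deletion, Monitoring Admin limited to event and system monitoring) is easy to get wrong when it is spread across many screens. The following is an added example, not code from ActiveTSM or from Oullim: it encodes those three roles as a default-deny permission table, authorizes each request against it, and writes a time-stamped audit record for every decision. The operation names and the audit record layout are assumptions made for this illustration.

```python
"""Role-based enforcement of the administrator privilege model in this ST.

Added example, not ActiveTSM code.  Models the Top Level, Management and
Monitoring Admin roles and checks requests against the privileges the ST
grants each role.  Operation names and the audit layout are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Operations an administrator may request (names assumed for this example).
ADMIN_ID_OPS = {"add_admin_id", "delete_admin_id", "edit_admin_id"}
AUDIT_OPS = {"retrieve_audit_log", "delete_audit_log"}
MONITORING_OPS = {"event_monitoring", "system_monitoring"}
POLICY_OPS = {"configure_security_policy", "configure_event_rule",
              "map_monitoring", "correlation_analysis_monitoring"}
ALL_OPS = ADMIN_ID_OPS | AUDIT_OPS | MONITORING_OPS | POLICY_OPS

# Privileges per role, from the definitions in section 1.2.2:
#  - Top Level Admin: all privileges
#  - Management Admin: all except add/delete/edit of Admin IDs and
#    deletion of audit logs
#  - Monitoring Admin: event monitoring and system monitoring only
ROLE_PRIVILEGES = {
    "top_level_admin": frozenset(ALL_OPS),
    "management_admin": frozenset(ALL_OPS - ADMIN_ID_OPS - {"delete_audit_log"}),
    "monitoring_admin": frozenset(MONITORING_OPS),
}


@dataclass
class AuditRecord:
    """Time-stamped record of an administrator request and its outcome."""
    timestamp: datetime
    admin_id: str
    role: str
    operation: str
    allowed: bool


@dataclass
class AdminSession:
    """An authenticated administrator session (identity and role already verified)."""
    admin_id: str
    role: str


@dataclass
class SecurityManager:
    """Authorizes administrator operations and records every decision."""
    audit_trail: list = field(default_factory=list)

    def is_authorized(self, role: str, operation: str) -> bool:
        """Default-deny: unknown roles or unknown operations are refused."""
        if operation not in ALL_OPS:
            return False
        return operation in ROLE_PRIVILEGES.get(role, frozenset())

    def request(self, session: AdminSession, operation: str) -> bool:
        """Authorize one request, append an audit record, return the decision."""
        allowed = self.is_authorized(session.role, operation)
        self.audit_trail.append(AuditRecord(
            timestamp=datetime.now(timezone.utc),
            admin_id=session.admin_id,
            role=session.role,
            operation=operation,
            allowed=allowed,
        ))
        return allowed

    def denied_attempts(self) -> list:
        """Audit records for refused requests, in time sequence."""
        return [r for r in self.audit_trail if not r.allowed]


def demo() -> dict:
    """Exercise the policy with one session per role on representative operations."""
    sm = SecurityManager()
    top = AdminSession("admin", "top_level_admin")
    mgmt = AdminSession("ops1", "management_admin")
    mon = AdminSession("noc1", "monitoring_admin")
    return {
        "top_deletes_admin": sm.request(top, "delete_admin_id"),            # True
        "mgmt_deletes_admin": sm.request(mgmt, "delete_admin_id"),          # False
        "mgmt_deletes_audit": sm.request(mgmt, "delete_audit_log"),         # False
        "mgmt_reads_audit": sm.request(mgmt, "retrieve_audit_log"),         # True
        "mgmt_sets_policy": sm.request(mgmt, "configure_security_policy"),  # True
        "mon_event_monitoring": sm.request(mon, "event_monitoring"),        # True
        "mon_sets_policy": sm.request(mon, "configure_security_policy"),    # False
        "unknown_role": sm.request(AdminSession("x", "guest"), "event_monitoring"),  # False
        "denied_count": len(sm.denied_attempts()),                           # 4
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The table is built by subtraction from the full operation set rather than by listing what each lesser role may do, so a newly added operation is never silently granted to the Management Admin by omission, and an unrecognized role or operation falls through to a denial that is still audited.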
The TOE (Master Server) and TOE (Slave Server) may be installed on the same system or on separate systems. In a separate installation, one TOE (Master) can be connected to multiple TOEs (Slave Servers) for security functions, and a TOE (Slave) in turn collects information from multiple enterprise security management agent systems. The TOE security functions can therefore be performed in a tree structure. Communication between the TOE (Master) and TOE (Slave) is via SSL-based communication.

The TOE controls data sent from outside the TOE based on the security policy. The TOE enforces the access control policy and the data receive security policy on the security control target systems.

All TOE communication between the TOE (Monitor) and the TOE (Master Server), TOE (Slave Server) or TOE (Agent) is done via SSL-based RMI communication.

2.1.2 TOE Environment

2.1.2.1 IT Environment

The TOE IT environment includes a DBMS (Oracle), a character (text) message server and a mail server. The TOE uses the DBMS to manage the TOE's security attributes, TSF data, user data and audit data. The TOE sends information on management countermeasure activities or correlation analysis to the Admin by e-mail via the mail server, and uses the character message server to send correlation analysis information as a text message.

2.1.2.2 Operational Environment

The TOE is installed in an internal network that is connected to the enterprise security management agent systems, and is used in an environment that may include threat sources with a low level of knowledge. Attackers with a low level of professional knowledge can easily acquire information on exploitable vulnerabilities and attack tools from the Internet and use them to damage or acquire targeted assets. The TOE can be used by the Admin to identify such attacks by low level threat sources against the enterprise security management agent systems.
2.2 Product Components

The TOE has a four-tier architecture consisting of Master, Slave, Monitor and Agent (the Agent being installed on the firewall, IPS or IDS). The TOE components for security functions are as follows:

[Figure 2-2] TOE Logical Architecture Diagram (figure not reproduced: it shows the Master Server, Slave Server, Monitor and Agent components, each running in a Java VM on an OS and hardware, with the physical boundary, logical boundary and data flows marked)

An Admin identification and authentication process is required so that only an Authorized Admin can use a Monitor to request information from the Master. Information exchanged over the access channels is safeguarded by SSL-based RMI communication.

The Monitor is used to request information stored in the Master, or in a Slave through the Master, and to send commands to the Master to implement a policy. Monitor functions include Management Activity Retrieve, Event Monitoring, System Performance Info Monitoring, Account Monitoring, Event Rule Configuration Retrieve, Audit Data Retrieve, Security Log Search, Report Generation, and Code Retrieve. Management Activity Retrieve allows viewing of events selected for special control. Event Monitoring shows the events defined at the Master. System Performance Info Monitoring receives performance information from the Master and displays it. Account Monitoring receives account data from the Master and displays it. Event Rule Configuration Retrieve receives the filtering, leveling, compression and correlation analysis rules from the Master and displays them. Audit Data Retrieve receives audit data from the Master and displays it. Security Log Search receives the logs of intrusion detection, intrusion blocking, control target servers, accounts and correlation analysis from the Master and displays them. Report Generation receives report information from the Master and displays it. Code Retrieve receives code information from the Master and displays it.

The Master component is responsible for processing requests from the Monitor. Most information configured at a Monitor is stored through the Master, which calls the Slave to perform the security management functions requested from the Monitor. Master functions include Management Activity Management, Event Log Transfer, System Performance Info Transfer, Account Log Transfer, Event Rule Configuration Management, Audit Data Transfer, Report Generation and Code Management. Management Activity Management stores, edits and retrieves management activity information in the DB. Event Log Transfer applies the event rules to the events collected from the Slave and sends them to the Monitor. System Performance Info Transfer and Account Log Transfer send the performance information and account logs collected from the Slave to the Monitor. Event Rule Configuration Management stores, edits and retrieves in the DB the event rules received from the Monitor. Audit Data Management stores, edits and retrieves audit data generated at the Monitor or by the system. Security Log Transfer sends security log data from the Slave to the Master. Report Generation receives the basic data for report generation from the DB and sends it to the Monitor. Code Management stores, edits and retrieves in the DB the code information received from the Monitor.

The Slave component is responsible for the storage and management of information sent from the Agents. Also, when the Master sends a request for a security equipment log, the Slave retrieves the log from the DB and delivers it to the Master. Slave functions include Event Log Collect, System Performance Info Collect, Account Log Collect and Security Log Search. Event Log Collect extracts event related information from the log information received from the Agent. System Performance Info Collect extracts performance related information from the log data received from the Agent. Account Log Collect extracts account information from the log data received from the Agent. Security Log Search searches the security log data of the Agents on request from the Master.

The Agent component collects the log data and system performance information of the enterprise security management agent system and delivers them to the Slave. Agent functions include Log Collect and Log Transfer: Log Collect gathers the log data from the equipment where the Agent is installed, and Log Transfer sends that data to the Slave at the same time.

2.3 Scope and Boundaries of the Evaluated Configuration

This section provides a general description of the physical and logical scope and boundaries of the TOE.

2.3.1 Physical Scope and Boundaries

The TOE consists of software components, and its physical scope is the software installed on the OS. Table 2-1 shows the hardware specification and operating environment on which the TOE is to be installed. The software environment is categorized according to whether the Master and Slave servers are installed on the same system (integrated system environment) or on different systems (distributed system environment).
[Table 2-1] Software

Environment: Distributed System Environment
  Component (Software): Master Server
    Hardware: CPU 1 GHz or more; Memory 1 GB or more; Ethernet card 1 ea or more; HDD 20 GB or more
    Operating Environment: Sun Solaris 9 for Sparc; Java (v.1.4.2_10) VM environment; DBMS Oracle 9i (v.9.2.0.8)
  Component (Software): Slave Server
    Hardware: CPU 1 GHz or more; Memory 1 GB or more; Ethernet card 1 ea or more; HDD 40 GB or more
    Operating Environment: Sun Solaris 9 for Sparc; Java (v.1.4.2_10) VM environment; Syslog and SNMP support; DBMS Oracle 9i (v.9.2.0.8)

Environment: Integrated System Environment
  Component (Software): Master / Slave Server
    Hardware: CPU 1.5 GHz x 2 ea or more; Memory 4 GB or more; Ethernet card 1 ea or more; HDD 73 GB x 4 ea or more
    Operating Environment: Sun Solaris 9 for Sparc; Java (v.1.4.2_10) VM environment; Syslog and SNMP support; DBMS Oracle 9i (v.9.2.0.8)

Component (Software): Monitor
  Hardware: CPU 1 GHz or more; Memory 1 GB or more; Ethernet card 1 ea or more; HDD 100 MB or more
  Operating Environment: Windows 2000 (Service Pack 4) or Windows XP (Service Pack 2); Java (v.1.4.2_10) VM environment

Component (Software): Agent
  Hardware: CPU 300 MHz or more; Memory 128 MB or more; Ethernet card 1 ea or more; HDD 100 MB or more
  Operating Environment: Sun Solaris 9 for Sparc; Java (v.1.4.2_10) VM environment

ActiveTSM V3.0 consists of the above four products. The Master Server, Slave Server and Agent are installed on Sun Solaris 9 for Sparc, which supports the Java VM environment. The Monitor, used for managing the Master server, is installed on either Windows 2000 or Windows XP. The Oracle DBMS is outside the TOE and is hence excluded from the evaluation.

2.3.2 Logical Scope and Boundaries

2.3.2.1 TOE Security Functions (TSF)

The TOE as a whole provides the following security functions.

Security Management – The TOE permits only the Authorized Admin to manage and operate the access control policy. This function uses an encrypted communication channel based on SSL RMI.
Also, only the Authorized Admin can perform retrieval and configuration management, including Event Monitoring, System Performance Monitoring, Map Monitoring, Security Policy Configuration, Enterprise Security Management Agent System Log Analysis, and TOE-related data such as countermeasures, Security Attributes and Authentication Data.

Security Audit – The TOE permits only the Authorized Admin to retrieve audit data. Significant TOE security events are time stamped and stored in time sequence. Stored audit data can be categorized and retrieved by various conditions.

Protection of User Data – The TOE performs the user data protection function through the Security Management Access Control Policy and the Enterprise Security Management Agent System Data Receive Security Policy. The TOE performs access control on data sent from IT entities of the Authorized Admin. The TOE also enforces the access control policy on data sent to the TOE from external IT entities.

Identification and Authentication – The TOE performs identification and authentication to ensure that only authorized external IT entities and the Authorized Admin have access to the TOE. The TOE provides a general password function as the authentication mechanism for the Authorized Admin. The TOE forms a safe data channel using SSL-based RMI to ensure the safety of Admin authentication data sent from the Admin main console.

Protection of Security Functions – The TOE conducts a periodic security check on whether security functions are being performed normally. In case of an abnormality, the relevant function is re-executed. The TOE performs an integrity test of TOE data and executable programs to ensure the safety of TOE data and functions. TOE daemon status is checked periodically and stopped daemons are re-executed.

2.3.2.2 Out of Scope

Functions outside of the TOE scope are as follows:
a) Data management via the DBMS (Database Management System) Oracle 9i
b) Java-provided RMI communication
3 TOE Security Environments

The TOE security environment consists of assumptions, which describe security requirements; threats that can be directed against TOE assets or the environment by threat sources; and the organizational security policy, which consists of rules, procedures and practices that the TOE is required to comply with.

3.1 Assumptions

The following are assumptions that must be implemented or maintained in the operating environment of the TOE.

[Table 3-1] Assumptions
Name | Description
A.DYNAMIC | The TOE shall be managed to appropriately handle dynamic variations of the enterprise security management agent systems.
A.PHYSEC | The TOE shall be located in a physically safe environment where only authorized users have access.
A.TADMIN | The TOE's Authorized Admin shall have no malice, be trained on TOE Admin functions, and perform his/her duties in accordance with the Admin guideline.
A.REINFOCEOS | OS services and tools that are not needed by the TOE shall be removed, and OS weaknesses shall be remedied to ensure the reliability and safety of the OS.
A.REINFOCEOE | Weaknesses of the Java VM environment shall be remedied to ensure its reliability and safety.
A.ACCESS | Slave and Agent, components of the TOE, shall have access to all enterprise security management agent systems for security management purposes.
A.DBINSTLIMIT | The DBMS for TOE data management shall be installed on the same system where the TOE is installed to ensure the reliability and safety of DB access.
A.TEXTSERVER | The reliability and safety of the following servers, which reside outside of the TOE in support of TOE functions, shall be ensured: the SMTP server for sending mails to the admin, and the SMS server for sending character messages to the admin.

3.2 Threats

The following threats are categorized as those against the TOE and those against the environment. The assets protected by the TOE are the computer resources that the organization operates. Threat sources have a low level of professional knowledge, resources and motives.

3.2.1 Threats Against the TOE

This section addresses threats against the TOE.
The following threats are addressed by either the TOE or the operating environment. The sources of such threats are unauthorized users without TOE privileges or external IT entities.

[Table 3-2] Threats against the TOE
Name | Description
T.DISGUISE | An external attacker can obtain authentication data and use it to disguise himself as an Authorized Admin in order to access the TOE and damage TSF data.
T.RECFAIL | Storage capacity can be depleted by a threat source to disable security event logging. Depletion of TOE storage refers to the use of a normal method to change TSF data or to generate audit data to be stored in the audit data DB.
T.WRONGINFO | An external threat source can bring in unauthorized information from an external IT entity to cause damage to security equipment logs or security equipment within the TOE.
T.REPEAT | An external attacker can make continual authentication attempts to find out authentication data, then access the TOE and damage TSF data.
T.CHGTSFD | An external threat source can expose, change or delete TSF data in unauthorized ways. External threat sources refer to external attackers that access TSF data storage using illegal methods.

The following threats are against assets under TOE protection.

[Table 3-3] Threats against Assets under TOE Security Protection
Name | Description
T.ABNORMALSVC | A threat source can access the TOE to use a service resource of an enterprise security management agent system in excess of normal use and thus cause the enterprise security management agent system to operate abnormally.
T.ABNORMALRES | Due to a system error (an external attack including a worm, virus or DoS attack, or a system malfunction due to a hardware or software error) an enterprise security management agent system's resources can be depleted and the system operates abnormally.

3.2.2 Threats against the Operating Environment

The following are threats against the TOE operating environment.

[Table 3-4] Threats against the TOE Operating Environment
Name | Description
TE.WEAKMGT | An Authorized Admin can configure, manage or use the TOE in an unsafe manner.
TE.DELNINST | TOE security can be damaged by an external threat source during the distribution or installation process. An external threat source refers to an unauthorized person who attempts to change, damage or erroneously install the TOE during the TOE distribution process.
TE.CHGTSFD | TSF data sent by the TOE can be exposed, changed or deleted by an external threat source in unauthorized ways.

3.3 Organization Security Policy

An organization that operates the TOE implemented in accordance with this ST shall have its own security policy, and the Authorized Admin utilizes the TOE to implement that security policy. The following organizational security policy shall be applicable to the TOE operating environment.

[Table 3-5] Security Policy
Name | Description
P.AUDIT | Security events shall be recorded and maintained to enable accountability tracking of all security-related actions, and the recorded data shall be reviewed.
P.SECMGT | The Authorized Admin shall manage the TOE using safe methods.
P.STAT | The Authorized Admin should be able to perform statistical processing of audit data and of data from integrated security management.

4 Security Objectives

Security objectives are categorized into those for the TOE and those for the environment. TOE security objectives are those addressed by the TOE directly, while those for the environment are addressed by IT areas or by non-technical/procedural means.

4.1 TOE Security Objectives

This section lists the security objectives for the TOE.

[Table 4-1] TOE Security Objectives
Name | Description
O.AUDIT | The TOE shall record and maintain security-related events to enable accountability tracking of security-related actions. The TOE shall also provide the means to review recorded security-related data.
O.MANAGE | The TOE shall provide the management tools to enable the Authorized Admin to efficiently manage the TOE in safe ways.
O.ID | The TOE shall identify all external IT entities that are under the TOE's access control and all users that attempt to access the TOE.
O.AUTH | The TOE shall authenticate the Admin ID after its identification prior to granting access to the TOE.
Application Note (O.AUTH): It is possible for a threat source to make repeated attempts at authentication using an Admin ID. To block such repeated authentication attempts, a proper authentication mechanism shall be implemented as suitable to the desired security strength level.
O.COLLECTINFO | The TOE shall collect data generated from the activities of enterprise security management agent systems.
O.ACCESS | The TOE shall control TOE access by external users based on the security policy.
O.ABNORMALOP | The TOE shall perform appropriate countermeasures based on the analysis result of collected information to ensure the normal operation of enterprise security management agent systems.
O.SECTSFD | The TOE shall protect TSF data stored within the TOE from any unauthorized exposure, editing and deletion attempts.
O.STAT | The TOE shall provide the Authorized Admin with the statistical processing capability for audit data and data generated from integrated security management.

4.2 Security Objectives for the Environment

Security objectives for the environment are addressed or resolved through the assumptions and the organization's security policy. The following are the security objectives for the environment.

[Table 4-2] Security Objectives for the Environment
Name | Description
OE.DYNAMIC | The TOE shall be managed to appropriately handle dynamic variations of the enterprise security management agent systems.
OE.PHYSEC | The TOE shall be located in a physically safe environment where only authorized users have access.
OE.TADMIN | The TOE's Authorized Admin shall have no malice, be trained on TOE Admin functions, and perform his/her duties in accordance with the Admin guideline.
OE.SECMGT | The TOE shall be distributed and installed in safe ways and be safely configured, managed and used by the Authorized Admin.
OE.REINFORCEOS | OS services and tools that are not needed by the TOE shall be removed, and OS weaknesses shall be remedied to ensure the reliability and safety of the OS.
OE.REINFORCEOE | Weaknesses of the Java VM environment shall be remedied to ensure its reliability and safety.
OE.ACCESS | The TOE shall allow access to the enterprise security management agent systems defined as the security control scope by the security policy, for normal security management activities.
OE.DBINSTLIMIT | The DBMS for TOE data management shall be installed on the same system where the TOE is installed to ensure the reliability and safety of DB access.
OE.SECCH | The TOE shall send or receive TSF data through safe channels for communication between physically separated TOE components, or between external IT entities and the admin.
OE.SECTSF | The operating system where the TOE is installed shall periodically verify the TOE status to ensure safe operation of the TSF.
OE.EXTSERVER | The reliability and safety of the following servers, which reside outside of the TOE in support of TOE functions, shall be ensured: the SMTP server for sending mails to the admin, and the SMS server for sending character messages to the admin.

5 IT Security Requirements

This chapter presents the security functional requirements and assurance requirements of the TOE. These requirements consist of the security functional components in Part 2 of the CC (v. 2.3) and the assurance components of Part 3 (assurance grade). They fall into the following two categories:
- TOE Security Functional Requirements: provide security functions including Security Violation Analysis, Security Violation Countermeasure, Security Management, Audit Data and Identification & Authentication.
- TOE Security Assurance Requirements: provide a reliable basis for verifying whether the TOE satisfies the security objectives.

5.1 TOE Security Functional Requirements

This section presents the security functional requirements (SFRs) of the TOE, which are explained in the following two parts.
- Security Functional Requirements (SFRs): SFRs are defined using components selected from Part 2 of the CC to satisfy the security objectives identified in the previous chapter.
- SFRs with Strength of Function (SOF): the SOFs used in this ST are described in 5.1.2.
5.1.1 Security Functional Requirements (SFRs)

The SFRs listed in Table 5-1 are the SFR components used in this ST. They have been quoted from Part 2 of the CC. Those with incomplete operations have been completed by the author of this ST.

[Table 5-1] Security Functional Requirements (SFRs)
Security Functional Class | Functional Component ID | Functional Component
Security Audit Class
  FAU_ARP.1 | Security alarm
  FAU_GEN.1 | Audit data generation
  FAU_GEN.2 | User identity association
  FAU_SAA.1 | Potential violation analysis
  FAU_SAR.1 | Audit review
  FAU_SAR.3 | Selectable audit review
  FAU_STG.1 | Protected audit trail storage
  FAU_STG.3 | Action in case of possible audit data loss
  FAU_STG.4 | Prevention of audit data loss
User Data Protection Class
  FDP_ACC.1(1) | Subset access control (1)
  FDP_ACF.1(1) | Security attribute based access control (1)
  FDP_ACC.1(2) | Subset access control (2)
  FDP_ACF.1(2) | Security attribute based access control (2)
  FDP_ITC.1 | Import of user data without security attributes
Identification & Authentication Class
  FIA_AFL.1 | Authentication failure handling
  FIA_ATD.1(1) | User attribute definition (1)
  FIA_ATD.1(2) | User attribute definition (2)
  FIA_UAU.2 | User authentication before any action
  FIA_UAU.7 | Protected authentication feedback
  FIA_UID.2(1) | User identification before any action (1)
  FIA_UID.2(2) | User identification before any action (2)
Security Management Class
  FMT_MOF.1 | Management of security functions behaviour
  FMT_MSA.1 | Management of security attributes
  FMT_MSA.3 | Static attribute initialisation
  FMT_MTD.1(1) | Management of TSF data (1)
  FMT_MTD.1(2) | Management of TSF data (2)
  FMT_MTD.1(3) | Management of TSF data (3)
  FMT_MTD.1(4) | Management of TSF data (4)
  FMT_MTD.2(1) | Management of limits on TSF data (1)
  FMT_MTD.2(2) | Management of limits on TSF data (2)
  FMT_SMF.1 | Specification of Management Functions
  FMT_SMR.1 | Security roles
Protection of the TSF Class
  FPT_TST.1 | TSF testing
  FPT_STM.1 | Reliable time stamps
FAU_ARP.1 Security alarm
Hierarchical to: No other components.
Dependencies: FAU_SAA.1 Potential violation analysis
FAU_ARP.1.1 The TSF shall take the following actions upon detection of a potential security violation:
a) Authentication Failure: TERMINATE the relevant Admin account.
b) Correlation analysis triggered by the configured value for correlation analysis: an action configured by the Authorized Admin.

FAU_GEN.1 Audit data generation
Hierarchical to: No other components.
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.1.1 The TSF shall be able to generate audit data for the following auditable events:
a) Start-up and shutdown of the audit functions
b) All auditable events for the minimal or basic level of audit specified in Table 5-4
c) [Refer to [Table 5-3] Audit Target Events]
FAU_GEN.1.2 The TSF shall record within each audit record at least the following information:
a) Event Date/Time, Event Type, Entity ID, Event Result (Success or Failure)
b) For each audit target event defined in the functional components of this ST, record the following information. [Refer to [Table 5-2] and [Table 5-3] Audit Target Events]
  - Object ID (Admin ID, Master, Slave, Enterprise Security Management Agent Systems)
  - Event Significance (ERROR, WARNING, NOTICE, MANAGE)
  - Sequence No.
  - Event Detail

[Table 5-2] Minimum Audit Target Events
Component ID | Minimum Audit Target Events | Additional audit info
FAU_ARP.1 | Action caused by an urgent security violation | -
FAU_SAA.1 | Automated action due to Action Start, Action Stop or Tool of the analysis mechanism. | Authorized Admin ID (Admin ID)
FDP_ACF.1 | Successful request for an operation on an object handled by the SFP. | Entity & object identification info
FDP_ITC.1 | Successful entry of user data including security attributes | -
FIA_AFL.1 | Reaching the limit of authentication failures, the subsequent actions taken and the subsequent return to normal condition, as necessary. |
  (Additional audit info for FIA_AFL.1: identification of unauthorized users and the Authorized Admin)
FIA_UAU.2 | Failed use of the authentication mechanism | User ID provided to the TOE (User ID)
FIA_UID.2 | Failed use of the Admin ID mechanism, including the Admin ID provided. | User ID provided to the TOE (User ID)
FMT_SMF.1 | Use of a management function | Authorized Admin ID (Admin ID)
FMT_SMR.1 | Change in user groups that share roles | Authorized Admin ID (Admin ID)
FPT_STM.1 | Time change | Authorized Admin ID (Admin ID)

[Table 5-3] Additional Audit Target Events
Component ID | Additional Audit Target Event | Additional audit info
FAU_STG.3 | Alarm for audit data storage space shortage | -
FIA_UAU.2 | Authentication success | Authorized Admin ID (Admin ID)
FMT_MSA.1 | All changes of security attribute values | Security attribute value
FMT_MSA.3 | Change in the basic configuration of authorization rules or limiting rules. All changes to initial values of security attributes. | Security attribute value
FMT_MTD.1 | All changes to TSF data | Changed TSF data value
FMT_MTD.2 | All changes to TSF data limits | Changed TSF data limit
FPT_TST.1 | TSF self-diagnosis result |
FPT_AMT.1 | TOE error status | -
Other | DB HASH computation error |

FAU_GEN.2 User identity association
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation; FIA_UID.1 Timing of identification
FAU_GEN.2.1 The TSF shall be able to associate each auditable event with the identity of the user that caused the event.

FAU_SAA.1 Potential violation analysis
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_SAA.1.1 The TSF shall be able to apply a set of rules in monitoring the audited events and, based upon these rules, indicate a potential violation of the TSP.
FAU_SAA.1.2 The TSF shall enforce the following rules for monitoring audited events:
a) Accumulation or combination of [Authentication Failure, or Correlation Analysis triggered by the Correlation Analysis Configuration Value] known to indicate a potential security violation
b) [None]

FAU_SAR.1 Audit review
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_SAR.1.1 The TSF shall provide [an Authorized Administrator] with the capability to read [all audit trail data] from the audit records.
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret the information.
Application Note: Authorized Admin refers to the Top Level Admin or Management Admin.

FAU_SAR.3 Selectable audit review
Hierarchical to: No other components.
Dependencies: FAU_SAR.1 Audit review
FAU_SAR.3.1 The TSF shall provide the ability to perform searches and sorting of audit data based on [
  - Event Date/Time (Date & Time)
  - Object ID
  - Event Category
  - Event Significance (Event Type)
  - Keyword (Event Detail)
].

FAU_STG.1 Protected audit trail storage
Hierarchical to: No other components.
Dependencies: FAU_GEN.1 Audit data generation
FAU_STG.1.1 The TSF shall protect the stored audit records from unauthorised deletion.
FAU_STG.1.2 The TSF shall be able to prevent modifications to the audit records.

FAU_STG.3 Action in case of possible audit data loss
Hierarchical to: No other components.
Dependencies: FAU_STG.1 Protected audit trail storage
FAU_STG.3.1 The TSF shall [send a notice to the Authorized Admin] if the audit trail exceeds [the authorized disk space specified by the Authorized Admin].
Application Note: Authorized Admin refers to the Top Level Admin or Management Admin.

FAU_STG.4 Prevention of audit data loss
Hierarchical to: FAU_STG.3
Dependencies: FAU_STG.1 Protected audit trail storage
FAU_STG.4.1 The TSF shall terminate TOE and TSF services to prevent audit target events and [send e-mail to the Authorized Admin] if the audit trail is full.
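The audit requirements above fit together as one small subsystem: FAU_GEN.1.2 fixes the record fields, FAU_SAR.3 the search and sort criteria, and FAU_STG.3/FAU_STG.4 the actions when the trail exceeds the authorized space or is full. The following Python model is an added illustration, not code from this ST or from ActiveTSM; the class and function names, the sample events, and the use of a record count instead of disk space for capacity are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime

# Added example (constructed, not ActiveTSM code). Capacity is counted in
# records here as a simplification; the TOE measures disk space, with the
# authorized limit set by the Authorized Admin (FMT_MTD.2(1)).

SIGNIFICANCE_LEVELS = ("ERROR", "WARNING", "NOTICE", "MANAGE")


@dataclass(frozen=True)
class AuditRecord:
    timestamp: datetime      # Event Date/Time
    event_type: str          # Event Type (used as the FAU_SAR.3 event category)
    entity_id: str           # Entity ID that caused the event
    result: str              # "Success" or "Failure"
    object_id: str           # Admin ID, Master, Slave or an agent system
    significance: str        # ERROR, WARNING, NOTICE or MANAGE
    sequence_no: int         # Sequence No.
    detail: str              # Event Detail (searched by keyword)


class AuditTrail:
    def __init__(self, capacity: int, authorized_limit: int):
        if not 0 < authorized_limit < capacity:
            raise ValueError("authorized limit must lie below total capacity")
        self.capacity = capacity                    # trail is full at this size
        self.authorized_limit = authorized_limit    # FAU_STG.3 threshold
        self.records: list[AuditRecord] = []
        self.services_running = True                # cleared by the FAU_STG.4 action
        self.notifications: list[str] = []          # stand-in for notice / e-mail to admin

    def record(self, timestamp, event_type, entity_id, result,
               object_id, significance, detail) -> str:
        """Store one auditable event and return the storage action taken."""
        if significance not in SIGNIFICANCE_LEVELS:
            raise ValueError(f"unknown significance {significance!r}")
        if not self.services_running:
            return "refused"            # TSF services already terminated
        if len(self.records) >= self.capacity:
            # FAU_STG.4: the trail is full, so stop TSF services (no further
            # auditable event may happen unrecorded) and e-mail the admin.
            self.services_running = False
            self.notifications.append("e-mail: audit trail full, TOE services terminated")
            return "terminated"
        rec = AuditRecord(timestamp, event_type, entity_id, result, object_id,
                          significance, len(self.records) + 1, detail)
        self.records.append(rec)
        if len(self.records) > self.authorized_limit:
            # FAU_STG.3: the trail exceeds the authorized space, notify the admin.
            self.notifications.append(
                f"notice: {len(self.records)} records exceed limit {self.authorized_limit}")
            return "notice"
        return "stored"

    def search(self, *, start=None, end=None, object_id=None, event_type=None,
               significance=None, keyword=None, sort_by="timestamp", descending=False):
        """FAU_SAR.3: filter on the listed criteria, then sort on any record field."""
        if sort_by not in AuditRecord.__dataclass_fields__:
            raise ValueError(f"cannot sort on {sort_by!r}")
        hits = [r for r in self.records
                if (start is None or r.timestamp >= start)
                and (end is None or r.timestamp <= end)
                and (object_id is None or r.object_id == object_id)
                and (event_type is None or r.event_type == event_type)
                and (significance is None or r.significance == significance)
                and (keyword is None or keyword.lower() in r.detail.lower())]
        return sorted(hits, key=lambda r: getattr(r, sort_by), reverse=descending)


def demo() -> AuditTrail:
    """Constructed sample events: capacity 4 records, authorized limit 2."""
    trail = AuditTrail(capacity=4, authorized_limit=2)
    t0 = datetime(2006, 6, 3, 9, 0, 0)
    events = [
        ("FIA_UAU.2", "admin01", "Failure", "admin01", "WARNING", "Authentication failed"),
        ("FIA_UAU.2", "admin01", "Success", "admin01", "NOTICE", "Authentication success"),
        ("FMT_MTD.1", "admin01", "Success", "Master", "MANAGE", "Changed disk reserve space"),
        ("FPT_TST.1", "Master", "Failure", "Master", "ERROR", "DB HASH computation error"),
        ("FMT_SMF.1", "admin01", "Success", "Master", "MANAGE", "Used management function"),
    ]
    for i, (etype, ent, res, obj, sig, detail) in enumerate(events):
        trail.record(t0.replace(minute=i), etype, ent, res, obj, sig, detail)
    return trail
```

In `demo()` the third and fourth events push the trail past the authorized limit and produce FAU_STG.3 notices; the fifth finds the trail full, so it is not stored, services are marked terminated and the FAU_STG.4 e-mail is queued. Note that the fifth event itself is never written, which is exactly why the ST couples "terminate services" with "trail full": once nothing can be recorded, nothing auditable may be allowed to happen.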
FDP_ACC.1(1) Subset access control (1)
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1 The TSF shall enforce the [Security Management Access Control Policy] on [
a) Entity List: Authenticated Admin with FIA_UAU.2 completed.
b) Object List: TOE security management functional process
c) Operation: permitted in case of Authenticated Admin access
].

FDP_ACF.1(1) Security attribute based access control (1)
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control; FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1 The TSF shall enforce the [Security Management Access Control Policy] to objects based on the following: [
a) Entity List: Authenticated Admin with FIA_UAU.2 completed
b) Entity Security Attributes:
  - Privilege (Top Level Admin, Management Admin, Monitoring Admin)
c) Object List: TOE security management functional process
d) Object Security Attributes:
  - Security Management Function
].
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [
  - permitted if the FDP_ACF.1.1 Entity Security Attributes are in normal authentication status, and
  - the FDP_ACF.1.1 Entity Security Attribute Privilege is the same as the Object Operation Privilege
].
FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [None].
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the [None].
FDP_ACC.1(2) Subset access control (2)
Hierarchical to: No other components.
Dependencies: FDP_ACF.1 Security attribute based access control
FDP_ACC.1.1 The TSF shall enforce the [Enterprise Security Management Agent Systems Data Receive Security Policy] on [
a) Entity List: unauthenticated external IT entity on the sender side
b) Object List: file that stores the equipment security log of an enterprise security management agent system
c) Operation: permitted when the entity IP address is registered as the asset's security IP
].

FDP_ACF.1(2) Security attribute based access control (2)
Hierarchical to: No other components.
Dependencies: FDP_ACC.1 Subset access control; FMT_MSA.3 Static attribute initialisation
FDP_ACF.1.1 The TSF shall enforce the [Enterprise Security Management Agent Systems Data Receive Security Policy] to objects based on the following: [
a) Entity List: unauthenticated external IT entity on the sender side
b) Entity Security Attributes:
  - IP address of the external IT entity that sends information to the TOE
  - Protocol type of the information sent by an external IT entity to the TOE
c) Object List: file that stores the equipment security log of enterprise security management agent systems
d) Object Security Attributes: file name and storage location
].
FDP_ACF.1.2 The TSF shall enforce the following rules to determine if an operation among controlled subjects and controlled objects is allowed: [access to the object is permitted if
  - the FDP_ACF.1.1 Entity Security Attribute, the external IT entity's IP address, is the same as the security attribute IP of the asset registered by the Authorized Admin, and
  - the FDP_ACF.1.1 Entity Security Attribute, the protocol type, is permitted by the TOE
].
FDP_ACF.1.3 The TSF shall explicitly authorise access of subjects to objects based on the following additional rules: [None].
FDP_ACF.1.4 The TSF shall explicitly deny access of subjects to objects based on the [None].
Application Note: Authorized Admin includes the Top Level Admin and Management Admin.
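The two access control policies, FDP_ACF.1(1) and FDP_ACF.1(2), each reduce to a short decision rule over the listed security attributes. The Python below is an added illustration of both rules, not code from this ST or from ActiveTSM; the names Admin, ManagementFunction, RegisteredAsset and PERMITTED_PROTOCOLS are constructed, and the assumption that each management function is assigned a set of operation privileges (the ST only says the entity privilege must equal the object operation privilege) is labelled in the code.

```python
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address
from typing import Optional

# Added example (constructed, not ActiveTSM code): one decision function per policy.


class Privilege(Enum):
    TOP_LEVEL = "TopLevelAdmin"
    MANAGEMENT = "ManagementAdmin"
    MONITORING = "MonitoringAdmin"


@dataclass(frozen=True)
class Admin:
    """Entity of the Security Management Access Control Policy, FDP_ACF.1(1)."""
    admin_id: str
    privilege: Privilege                 # entity security attribute
    authenticated: bool = False          # FIA_UAU.2 completed


@dataclass(frozen=True)
class ManagementFunction:
    """Object: a TOE security management functional process."""
    name: str
    operation_privileges: frozenset      # assumption: privileges the operation is assigned to


def management_access(admin: Admin, func: ManagementFunction) -> bool:
    # FDP_ACF.1.2 (1): permitted only if the entity is in normal authentication
    # status AND its privilege matches the object's operation privilege.
    # FDP_ACF.1.3 / 1.4: no further authorise or deny rules.
    return admin.authenticated and admin.privilege in func.operation_privileges


@dataclass(frozen=True)
class RegisteredAsset:
    """Asset registered by the Authorized Admin; its security IP is the attribute compared."""
    name: str
    security_ip: str
    log_file: str                        # object: file storing the equipment security log


# Table 2-1 lists Syslog and SNMP support on the Slave; assumed here to be the
# protocol types the TOE permits for the Data Receive policy.
PERMITTED_PROTOCOLS = frozenset({"syslog", "snmp"})


def data_receive_access(sender_ip: str, protocol: str,
                        assets: list) -> Optional[str]:
    """FDP_ACF.1.2 (2): return the log file the sender may write to, or None."""
    try:
        sender = ip_address(sender_ip)
    except ValueError:
        return None                      # malformed address: no registered asset can match
    if protocol.lower() not in PERMITTED_PROTOCOLS:
        return None                      # protocol type not permitted by the TOE
    for asset in assets:
        if ip_address(asset.security_ip) == sender:
            return asset.log_file
    return None                          # unregistered IP: access denied


def demo() -> dict:
    """Constructed objects and subjects exercising both rules."""
    policy_cfg = ManagementFunction("Security Policy Configuration",
                                    frozenset({Privilege.TOP_LEVEL, Privilege.MANAGEMENT}))
    map_search = ManagementFunction("Map Node Search", frozenset(Privilege))
    monitor = Admin("mon01", Privilege.MONITORING, authenticated=True)
    top_unauth = Admin("top01", Privilege.TOP_LEVEL, authenticated=False)
    assets = [RegisteredAsset("fw-01", "10.0.0.5", "/var/tsm/logs/fw-01.log")]
    return {
        "monitor_map_search": management_access(monitor, map_search),
        "monitor_policy_cfg": management_access(monitor, policy_cfg),
        "unauthenticated_top": management_access(top_unauth, policy_cfg),
        "registered_syslog": data_receive_access("10.0.0.5", "syslog", assets),
        "unregistered_ip": data_receive_access("10.0.0.6", "syslog", assets),
        "wrong_protocol": data_receive_access("10.0.0.5", "http", assets),
    }
```

The IP comparison goes through `ipaddress` so that textual variants of the same address (for example a leading zero or an IPv6 compressed form) cannot slip past a string comparison, and the Monitoring Admin case shows the privilege check doing the work that FMT_MTD.1(3) later describes in prose: the same authenticated subject is allowed Map Node Search but not Security Policy Configuration.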
FDP_ITC.1 Import of user data without security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control or FDP_IFC.1 Subset information flow control]; FMT_MSA.3 Static attribute initialisation
FDP_ITC.1.1 The TSF shall enforce the [Enterprise Security Management Agent Systems Data Receive Security Policy] when importing user data, controlled under the SFP, from outside of the TSC.
FDP_ITC.1.2 The TSF shall ignore any security attributes associated with the user data when imported from outside the TSC.
FDP_ITC.1.3 The TSF shall enforce the following rules when importing user data controlled under the SFP from outside the TSC: [None].

FIA_AFL.1 Authentication failure handling
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_AFL.1.1 The TSF shall detect when [3] unsuccessful authentication attempts occur related to [Admin authentication attempts].
FIA_AFL.1.2 When the defined number of unsuccessful authentication attempts has been met or surpassed, the TSF shall [prevent authentication until a countermeasure action by the Authorized Admin].
Application Note: Authorized Admin refers to the Top Level Admin.

FIA_ATD.1(1) User attribute definition (1)
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to each IT entity: [
a) IP Address
].

FIA_ATD.1(2) User attribute definition (2)
Hierarchical to: No other components.
Dependencies: No dependencies.
FIA_ATD.1.1 The TSF shall maintain the following list of security attributes belonging to each administrator: [
a) ID
b) User Security Attributes
  - Password
  - Authentication Failure Frequency Configuration Value
  - Privilege
].
Application Note: Admin includes the Top Level Admin, Management Admin and Monitoring Admin.
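FIA_AFL.1 together with FAU_ARP.1 a) and the attributes of FIA_ATD.1(2) specifies a concrete lockout behaviour: the third failed attempt on an Admin ID terminates that account's ability to authenticate until the Top Level Admin intervenes. The Python below is an added illustration of that behaviour (plus the asterisk-only feedback of FIA_UAU.7), not code from this ST or from ActiveTSM; the ST does not state how passwords are stored, so salted PBKDF2 is an assumption, as are the class names and the audit tuple format.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Added example (constructed, not ActiveTSM code).

MAX_FAILURES = 3                         # FIA_AFL.1.1 value selected in the ST


@dataclass
class AdminAccount:
    admin_id: str
    privilege: str                       # TopLevelAdmin / ManagementAdmin / MonitoringAdmin
    salt: bytes
    pw_hash: bytes
    failures: int = 0                    # authentication failure counter (FIA_ATD.1(2))
    locked: bool = False


def _derive(password: str, salt: bytes) -> bytes:
    # Assumption: salted PBKDF2-HMAC-SHA256; the ST names no storage scheme.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def masked_feedback(password: str) -> str:
    """FIA_UAU.7: only asterisks are echoed while authentication is in progress."""
    return "*" * len(password)


class AdminAuthenticator:
    def __init__(self):
        self.accounts: dict[str, AdminAccount] = {}
        self.audit: list[tuple] = []     # (component, admin_id, result) records

    def register(self, admin_id: str, privilege: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[admin_id] = AdminAccount(admin_id, privilege, salt,
                                               _derive(password, salt))

    def authenticate(self, admin_id: str, password: str) -> str:
        acct = self.accounts.get(admin_id)
        if acct is None:
            self.audit.append(("FIA_UID.2", admin_id, "Failure"))   # unknown Admin ID
            return "unknown-id"
        if acct.locked:
            self.audit.append(("FIA_UAU.2", admin_id, "Failure"))
            return "locked"              # FIA_AFL.1.2: no authentication until countermeasure
        if hmac.compare_digest(_derive(password, acct.salt), acct.pw_hash):
            acct.failures = 0            # return to normal condition
            self.audit.append(("FIA_UAU.2", admin_id, "Success"))
            return "ok"
        acct.failures += 1
        self.audit.append(("FIA_UAU.2", admin_id, "Failure"))
        if acct.failures >= MAX_FAILURES:
            # FIA_AFL.1.2 / FAU_ARP.1 a): terminate the relevant Admin account.
            acct.locked = True
            self.audit.append(("FIA_AFL.1", admin_id, "Limit reached, account terminated"))
            return "locked"
        return "failed"

    def unlock(self, actor_id: str, target_id: str) -> bool:
        """Countermeasure: only an unlocked Top Level Admin may restore an account."""
        actor = self.accounts.get(actor_id)
        target = self.accounts.get(target_id)
        if actor is None or target is None or actor.locked:
            return False
        if actor.privilege != "TopLevelAdmin":
            return False
        target.locked = False
        target.failures = 0
        self.audit.append(("FIA_AFL.1", target_id, f"Unlocked by {actor_id}"))
        return True
```

Two details matter for the T.REPEAT threat this requirement counters: the counter is only reset by a successful authentication or by the Top Level Admin, so an attacker cannot clear it by pausing; and a locked account returns the same `locked` result whether or not the supplied password was correct, so the lockout response leaks nothing about the password.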
FIA_UAU.2 User authentication before any action
Hierarchical to: FIA_UAU.1 Timing of authentication
Dependencies: FIA_UID.1 Timing of identification
FIA_UAU.2.1 The TSF shall require each administrator to be successfully authenticated before allowing any other TSF-mediated actions on behalf of that administrator.
Application Note: Admin includes the Top Level Admin, Management Admin and Monitoring Admin.

FIA_UAU.7 Protected authentication feedback
Hierarchical to: No other components.
Dependencies: FIA_UAU.1 Timing of authentication
FIA_UAU.7.1 The TSF shall provide only [the asterisk-marked password] to the administrator while the authentication is in progress.
Application Note: Admin includes the Top Level Admin, Management Admin and Monitoring Admin.

FIA_UID.2(1) User identification before any action (1)
Hierarchical to: FIA_UID.1 Timing of identification
Dependencies: No dependencies.
FIA_UID.2.1 The TSF shall require each IT entity to identify itself before allowing any other TSF-mediated actions on behalf of that user.

FIA_UID.2(2) User identification before any action (2)
Hierarchical to: FIA_UID.1 Timing of identification
Dependencies: No dependencies.
FIA_UID.2.1 The TSF shall require each administrator to identify itself before allowing any other TSF-mediated actions on behalf of that user.
Application Note: Admin includes the Top Level Admin, Management Admin and Monitoring Admin.

FMT_MOF.1 Management of security functions behaviour
Hierarchical to: No other components.
Dependencies: FMT_SMR.1 Security roles; FMT_SMF.1 Specification of Management Functions
FMT_MOF.1.1 The TSF shall restrict the ability to disable, enable the functions [
  - Event
    - Apply Event Compression
  - Correlation Analysis
    - Apply Correlation Analysis Performance Info Security Policy
    - Apply Correlation Analysis Event Security Policy
    - Apply Correlation Analysis YELLOW List
    - Apply Correlation Analysis BLACK List
    - Send Correlation Analysis Info e-mail
    - Send Correlation Analysis Info character message
  - Other
    - Generate alarm sound or warning screen
    - Send e-mail on management countermeasure
] to [an Authorized Administrator].
Application Note: Authorized Admin refers to the Top Level Admin or Management Admin.

FMT_MSA.1 Management of security attributes
Hierarchical to: No other components.
Dependencies: [FDP_ACC.1 Subset access control or FDP_IFC.1 Subset information flow control]; FMT_SMF.1 Specification of Management Functions; FMT_SMR.1 Security roles
FMT_MSA.1.1 The TSF shall enforce the [Security Management Access Control Policy, Enterprise Security Management Agent Systems Data Receive Security Policy] to restrict the ability to query, modify the security attributes [
[Table 5-4] Security Attribute List
Security Attribute | Action | Related Security Policy
Admin Privilege | Query, Modify | Security Management Access Control Policy
] to [the Authorized Administrator].
Application Note: Authorized Admin refers to the Top Level Admin or Management Admin.

FMT_MSA.3 Static attribute initialisation
Hierarchical to: No other components.
Dependencies: FMT_MSA.1 Management of security attributes; FMT_SMR.1 Security roles
FMT_MSA.3.1 The TSF shall enforce the [Security Management Access Control Policy, Enterprise Security Management Agent Systems Data Receive Security Policy] to provide restrictive default values for security attributes that are used to enforce the SFP.
FMT_MSA.3.2 The TSF shall allow the [Authorized Administrator] to specify alternative initial values to override the default values when an object or information is created.
Application Note: Authorized Admin includes the Top Level Admin and Management Admin.

FMT_MTD.1(1) Management of TSF data (1)
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions; FMT_SMR.1 Security roles
FMT_MTD.1.1 The TSF shall restrict the ability to query, modify, delete, [create] the [
  - Identification & Authentication Data
  - Control Activity Management
  - Event
    - Event Filtering Security Policy
    - Event Leveling Security Policy
  - Correlation Analysis
    - Correlation Analysis Performance Info Security Policy
    - Correlation Analysis Event Security Policy
    - Correlation Analysis YELLOW List Security Policy
    - Correlation Analysis BLACK List Security Policy
  - Security Equipment Info Management
  - Code Management
] to [an Authorized Administrator].
Application Note: Authorized Admin refers to the Top Level Admin or Management Admin. Here, Identification & Authentication Data handling can only be performed by the Top Level Admin.

FMT_MTD.1(2) Management of TSF data (2)
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions; FMT_SMR.1 Security roles
FMT_MTD.1.1 The TSF shall restrict the ability to query, modify the [
  - Event Pattern Number
  - Event Pattern Initialization (Time, Interval)
  - Event Screen Display Number
  - TOE Time Stamp used for audit data accumulation
  - Management Environment Configuration
  - Map Management Function
  - Disk reserve space
  - Integrity Test frequency
] to [an Authorized Administrator].
Application Note: Authorized Admin refers to the Top Level Admin or Management Admin.

FMT_MTD.1(3) Management of TSF data (3)
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions; FMT_SMR.1 Security roles
FMT_MTD.1.1 The TSF shall restrict the ability to query the [
  - Event Monitoring (IDS, Firewall, Account)
  - Event Search (IDS, Firewall, Account)
  - Performance Monitoring (CPU, Memory, Traffic)
  - Correlation Analysis Monitoring
  - Correlation Analysis Search
  - Audit Info
    - Object History
    - System History
    - User History
    - Audit Data Retrieve
  - Trend Report
    - Performance Management Trend Report
    - Event Trend Report
  - Knowledge Management Info Search
  - Map Node Search
  - Event Pattern Monitoring
] to [an Authorized Administrator].
Application Note: The Top Level Admin and Management Admin can perform this activity, while the Monitoring Admin is allowed only Map Node Search and the various Monitoring Functions.
(Monitoring Functions: Event Monitoring, Performance Monitoring and Correlation Analysis Monitoring)

FMT_MTD.1(4) Management of TSF data (4)
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions; FMT_SMR.1 Security roles
FMT_MTD.1.1 The TSF shall restrict the ability to [perform statistical processing on] the [
  - Security Equipment Log
  - Security Equipment Info
] to [an Authorized Administrator].
Application Note: Authorized Admin refers to the Top Level Admin, Management Admin or Monitoring Admin.

FMT_MTD.2(1) Management of limits on TSF data (1)
Hierarchical to: No other components.
Dependencies: FMT_MTD.1 Management of TSF data; FMT_SMR.1 Security roles
FMT_MTD.2.1 The TSF shall restrict the specification of the limits for [Audit Storage Capacity] to [the Authorized Administrator].
FMT_MTD.2.2 The TSF shall take the following actions if the TSF data are at, or exceed, the indicated limits: [the countermeasure specified in FAU_STG.3 or the countermeasure specified in FAU_STG.4].
Application Note: The Top Level Admin and Management Admin can perform this activity.

FMT_MTD.2(2) Management of limits on TSF data (2)
Hierarchical to: No other components.
Dependencies: FMT_MTD.1 Management of TSF data; FMT_SMR.1 Security roles
FMT_MTD.2.1 The TSF shall restrict the specification of the limits for [the Time Interval at which the Integrity Test is performed] to [the Authorized Administrator].
FMT_MTD.2.2 The TSF shall take the following actions if the TSF data are at, or exceed, the indicated limits: [Integrity Test & Self Diagnosis].
Application Note: The Top Level Admin and Management Admin can perform this task.

FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
Dependencies: No dependencies.
FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions: [
a) TSF Function Management
  - Items specified in 5.1.1.1 FMT_MOF.1
b) TSF Security Attributes Management
  - Items of 5.1.1.1 FMT_MSA.1
c) TSF Data Management
  - Items of 5.1.1.1 FMT_MTD.1
d) TSF Data Limit Management
  - Items of 5.1.1.1 FMT_MTD.2
e) Security Role Management
  - Items of 5.1.1.1 FMT_SMR.1
].

FMT_SMR.1 Security roles
Hierarchical to: No other components.
Dependencies: FIA_UID.1 Timing of identification
FMT_SMR.1.1 The TSF shall maintain the roles [
a) Top Level Admin
b) Management Admin
c) Monitoring Admin
].
FMT_SMR.1.2 The TSF shall be able to associate users with the Authorized Admin roles.

FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
Dependencies: No dependencies.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own use.
Application Note: As the way of maintaining its own time stamps, the TOE shall allow the Authorized Admin to configure, through the TOE, the system time stamp provided by its own OS, and shall use this system time.

FPT_TST.1 TSF testing
Hierarchical to: No other components.
Dependencies: FPT_AMT.1 Abstract machine testing
FPT_TST.1.1 The TSF shall run a suite of self tests during initial start-up, periodically during normal operation, and upon request from an authorised user to demonstrate the correct operation of the TSF.
FPT_TST.1.2 The TSF shall provide the Authorized Administrator with the capability to verify the integrity of TSF data.
FPT_TST.1.3 The TSF shall provide the Authorized Administrator with the capability to verify the integrity of stored TSF executable code.
Application Note: Authorized Admin includes the Top Level Admin and Management Admin.

5.1.2 SOF Declarations

This ST selects SOF-Medium. Thus, the ST considers threats of a low level of professional knowledge, resources and motives. To counter such threats the TOE has to satisfy at minimum SOF-basic.
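FPT_TST.1, the integrity test interval of FMT_MTD.2(2) and the daemon check described in 2.3.2.1 describe one maintenance loop: hash TSF data and executable code against a baseline, run that check at start-up, on request and on a timer, and re-execute any TOE daemon found stopped. The Python below is an added illustration of that loop, not code from this ST or from ActiveTSM; the item names, the use of SHA-256 (the ST names no hash algorithm, only a "DB HASH computation error" audit event), the daemon names and the scheduler are constructed assumptions.

```python
import hashlib
from typing import Mapping

# Added example (constructed, not ActiveTSM code). TSF items are modelled as
# name -> bytes (stand-ins for executable files and TSF data rows).


def compute_baseline(items: Mapping[str, bytes]) -> dict:
    """Record a SHA-256 digest for every TSF executable and TSF data item."""
    return {name: hashlib.sha256(data).hexdigest() for name, data in items.items()}


def integrity_test(items: Mapping[str, bytes], baseline: Mapping[str, str]) -> dict:
    """FPT_TST.1.2 / 1.3: compare current items with the baseline, item by item."""
    modified = [n for n in baseline if n in items
                and hashlib.sha256(items[n]).hexdigest() != baseline[n]]
    missing = [n for n in baseline if n not in items]
    unexpected = [n for n in items if n not in baseline]
    ok = not (modified or missing or unexpected)
    return {"status": "OK" if ok else "FAILED", "modified": modified,
            "missing": missing, "unexpected": unexpected}


class SelfTestScheduler:
    """Runs the self test at start-up, on request and every `interval_seconds`.

    The interval is the TSF data limit of FMT_MTD.2(2), set by the Authorized
    Admin; reaching it triggers the integrity test and self diagnosis.
    """

    def __init__(self, interval_seconds: int):
        if interval_seconds <= 0:
            raise ValueError("interval must be positive")
        self.interval = interval_seconds
        self.last_run = None             # None: never run, so the start-up test is due

    def due(self, now: float) -> bool:
        return self.last_run is None or now - self.last_run >= self.interval

    def run(self, now: float, items: Mapping[str, bytes],
            baseline: Mapping[str, str]) -> dict:
        """Run on request or when due; records the run time either way."""
        self.last_run = now
        return integrity_test(items, baseline)


REQUIRED_DAEMONS = ("master", "slave", "agent")   # constructed daemon names


def check_daemons(status: Mapping[str, bool], restart) -> list:
    """Periodic TOE daemon check (2.3.2.1): re-execute each daemon not running.

    `status` maps daemon name to a running flag; `restart(name)` is the
    caller-supplied re-execution hook. Returns the names that were restarted.
    """
    restarted = []
    for name in REQUIRED_DAEMONS:
        if not status.get(name, False):
            restart(name)
            restarted.append(name)
    return restarted
```

The report distinguishes modified, missing and unexpected items rather than returning a single boolean, because the three cases call for different responses (a modified policy row and a stray executable are not the same incident), and the audit record written under FPT_TST.1 "TSF self-diagnosis result" needs that detail. The baseline itself is TSF data and has to be protected under O.SECTSFD; a baseline an attacker can rewrite verifies nothing.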
Since this ST provides security functions whose strength level is 'medium', the TOE satisfies that requirement.

5.2 TOE Security Assurance Requirements
Table 5-5 shows the security assurance components of the TOE. They are taken from the assurance requirements of Part 3 of the CC [1], and the assurance level is EAL4.

[Table 5-5] EAL4 Assurance Requirements
Assurance Class             Component ID   Assurance Component Name
Configuration Management    ACM_AUT.1      Partial CM automation
                            ACM_CAP.4      Generation support and acceptance procedures
                            ACM_SCP.2      Problem tracking CM coverage
Delivery and operation      ADO_DEL.2      Detection of modification
                            ADO_IGS.1      Installation, generation, and start-up procedures
Development                 ADV_FSP.2      Fully defined external interfaces
                            ADV_HLD.2      Security enforcing high-level design
                            ADV_IMP.1      Subset of the implementation of the TSF
                            ADV_LLD.1      Descriptive low-level design
                            ADV_RCR.1      Informal correspondence demonstration
                            ADV_SPM.1      Informal TOE security policy model
Guidance documents          AGD_ADM.1      Administrator guidance
                            AGD_USR.1      User guidance
Life-cycle support          ALC_DVS.1      Identification of security measures
                            ALC_LCD.1      Developer defined life-cycle model
                            ALC_TAT.1      Well-defined development tools
Tests                       ATE_COV.2      Analysis of coverage
                            ATE_DPT.1      Testing: high-level design
                            ATE_FUN.1      Functional testing
                            ATE_IND.2      Independent testing - sample
Vulnerability assessment    AVA_MSU.2      Validation of analysis
                            AVA_SOF.1      Strength of TOE security function evaluation
                            AVA_VLA.2      Independent vulnerability analysis

5.2.1 Configuration Management

ACM_AUT.1 Partial CM automation
Dependencies: ACM_CAP.3 Authorization controls
Developer action elements:
ACM_AUT.1.1D The developer shall use a CM system.
ACM_AUT.1.2D The developer shall provide a CM plan.
Content and presentation of evidence elements:
ACM_AUT.1.1C The CM system shall provide an automated means by which only authorized changes are made to the TOE implementation representation.
ACM_AUT.1.2C The CM system shall provide an automated means to support the generation of the TOE.
ACM_AUT.1.3C The CM plan shall describe the automated tools used in the CM system.
ACM_AUT.1.4C The CM plan shall describe how the automated tools are used in the CM system.
Evaluator action elements:
ACM_AUT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ACM_CAP.4 Generation support and acceptance procedures
Dependencies: ALC_DVS.1 Identification of security measures
Developer action elements:
ACM_CAP.4.1D The developer shall provide a reference for the TOE.
ACM_CAP.4.2D The developer shall use a CM system.
ACM_CAP.4.3D The developer shall provide CM documentation.
Content and presentation of evidence elements:
ACM_CAP.4.1C The reference for the TOE shall be unique to each version of the TOE.
ACM_CAP.4.2C The TOE shall be labeled with its reference.
ACM_CAP.4.3C The CM documentation shall include a configuration list, a CM plan, and an acceptance plan.
ACM_CAP.4.4C The configuration list shall uniquely identify all configuration items that comprise the TOE.
ACM_CAP.4.5C The configuration list shall describe the configuration items that comprise the TOE.
ACM_CAP.4.6C The CM documentation shall describe the method used to uniquely identify the configuration items that comprise the TOE.
ACM_CAP.4.7C The CM system shall uniquely identify all configuration items that comprise the TOE.
ACM_CAP.4.8C The CM plan shall describe how the CM system is used.
ACM_CAP.4.9C The evidence shall demonstrate that the CM system is operating in accordance with the CM plan.
ACM_CAP.4.10C The CM documentation shall provide evidence that all configuration items have been and are being effectively maintained under the CM system.
ACM_CAP.4.11C The CM system shall provide measures such that only authorized changes are made to the configuration items.
ACM_CAP.4.12C The CM system shall support the generation of the TOE.
ACM_CAP.4.13C The acceptance plan shall describe the procedures used to accept modified or newly created configuration items as part of the TOE.
Evaluator action elements:
ACM_CAP.4.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ACM_SCP.2 Problem tracking CM coverage
Dependencies: ACM_CAP.3 Authorization controls
Developer action elements:
ACM_SCP.2.1D The developer shall provide a list of configuration items for the TOE.
Content and presentation of evidence elements:
ACM_SCP.2.1C The list of configuration items shall include the following: implementation representation; security flaws; and the evaluation evidence required by the assurance components in the ST.
Evaluator action elements:
ACM_SCP.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.2 Delivery and operation

ADO_DEL.2 Detection of modification
Dependencies: ACM_CAP.3 Authorization controls
Developer action elements:
ADO_DEL.2.1D The developer shall document procedures for delivery of the TOE or parts of it to the user.
ADO_DEL.2.2D The developer shall use the delivery procedures.
Content and presentation of evidence elements:
ADO_DEL.2.1C The delivery documentation shall describe all procedures that are necessary to maintain security when distributing versions of the TOE to a user's site.
ADO_DEL.2.2C The delivery documentation shall describe how the various procedures and technical measures provide for the detection of modifications, or any discrepancy between the developer's master copy and the version received at the user site.
ADO_DEL.2.3C The delivery documentation shall describe how the various procedures allow detection of attempts to masquerade as the developer, even in cases in which the developer has sent nothing to the user's site.
Evaluator action elements:
ADO_DEL.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ADO_IGS.1 Installation, generation, and start-up procedures
Dependencies: AGD_ADM.1 Administrator guidance
Developer action elements:
ADO_IGS.1.1D The developer shall document procedures necessary for the secure installation, generation, and start-up of the TOE.
Content and presentation of evidence elements:
ADO_IGS.1.1C The installation, generation and start-up documentation shall describe all the steps necessary for secure installation, generation and start-up of the TOE.
Evaluator action elements:
ADO_IGS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADO_IGS.1.2E The evaluator shall determine that the installation, generation, and start-up procedures result in a secure configuration.

5.2.3 Development

ADV_FSP.2 Fully defined external interfaces
Dependencies: ADV_RCR.1 Informal correspondence demonstration
Developer action elements:
ADV_FSP.2.1D The developer shall provide a functional specification.
Content and presentation of evidence elements:
ADV_FSP.2.1C The functional specification shall describe the TSF and its external interfaces using an informal style.
ADV_FSP.2.2C The functional specification shall be internally consistent.
ADV_FSP.2.3C The functional specification shall describe the purpose and method of use of all external TSF interfaces, providing complete details of all effects, exceptions and error messages.
ADV_FSP.2.4C The functional specification shall completely represent the TSF.
ADV_FSP.2.5C The functional specification shall include rationale that the TSF is completely represented.
Evaluator action elements:
ADV_FSP.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_FSP.2.2E The evaluator shall determine that the functional specification is an accurate and complete instantiation of the TOE security functional requirements.

ADV_HLD.2 Security enforcing high-level design
Dependencies: ADV_FSP.1 Informal functional specification
              ADV_RCR.1 Informal correspondence demonstration
Developer action elements:
ADV_HLD.2.1D The developer shall provide the high-level design of the TSF.
Content and presentation of evidence elements:
ADV_HLD.2.1C The presentation of the high-level design shall be informal.
ADV_HLD.2.2C The high-level design shall be internally consistent.
ADV_HLD.2.3C The high-level design shall describe the structure of the TSF in terms of subsystems.
ADV_HLD.2.4C The high-level design shall describe the security functionality provided by each subsystem of the TSF.
ADV_HLD.2.5C The high-level design shall identify any underlying hardware, firmware, and/or software required by the TSF with a presentation of the functions provided by the supporting protection mechanisms implemented in that hardware, firmware, or software.
ADV_HLD.2.6C The high-level design shall identify all interfaces to the subsystems of the TSF.
ADV_HLD.2.7C The high-level design shall identify which of the interfaces to the subsystems of the TSF are externally visible.
ADV_HLD.2.8C The high-level design shall describe the purpose and method of use of all interfaces to the subsystems of the TSF, providing details of effects, exceptions and error messages, as appropriate.
ADV_HLD.2.9C The high-level design shall describe the separation of the TOE into TSP-enforcing and other subsystems.
Evaluator action elements:
ADV_HLD.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_HLD.2.2E The evaluator shall determine that the high-level design is an accurate and complete instantiation of the TOE security functional requirements.

ADV_IMP.1 Subset of the implementation of the TSF
Dependencies: ADV_LLD.1 Descriptive low-level design
              ADV_RCR.1 Informal correspondence demonstration
              ALC_TAT.1 Well-defined development tools
Developer action elements:
ADV_IMP.1.1D The developer shall provide the implementation representation for a selected subset of the TSF.
Content and presentation of evidence elements:
ADV_IMP.1.1C The implementation representation shall unambiguously define the TSF to a level of detail such that the TSF can be generated without further design decisions.
ADV_IMP.1.2C The implementation representation shall be internally consistent.
Evaluator action elements:
ADV_IMP.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_IMP.1.2E The evaluator shall determine that the least abstract TSF representation provided is an accurate and complete instantiation of the TOE security functional requirements.
ADV_LLD.1 Descriptive low-level design
Dependencies: ADV_HLD.2 Security enforcing high-level design
              ADV_RCR.1 Informal correspondence demonstration
Developer action elements:
ADV_LLD.1.1D The developer shall provide the low-level design of the TSF.
Content and presentation of evidence elements:
ADV_LLD.1.1C The presentation of the low-level design shall be informal.
ADV_LLD.1.2C The low-level design shall be internally consistent.
ADV_LLD.1.3C The low-level design shall describe the TSF in terms of modules.
ADV_LLD.1.4C The low-level design shall describe the purpose of each module.
ADV_LLD.1.5C The low-level design shall define the interrelationships between the modules in terms of provided security functionality and dependencies on other modules.
ADV_LLD.1.6C The low-level design shall describe how each TSP-enforcing function is provided.
ADV_LLD.1.7C The low-level design shall identify all interfaces to the modules of the TSF.
ADV_LLD.1.8C The low-level design shall identify which of the interfaces to the modules of the TSF are externally visible.
ADV_LLD.1.9C The low-level design shall describe the purpose and method of use of all interfaces to the modules of the TSF, providing details of effects, exceptions and error messages, as appropriate.
ADV_LLD.1.10C The low-level design shall describe the separation of the TOE into TSP-enforcing and other modules.
Evaluator action elements:
ADV_LLD.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ADV_LLD.1.2E The evaluator shall determine that the low-level design is an accurate and complete instantiation of the TOE security functional requirements.

ADV_RCR.1 Informal correspondence demonstration
Dependencies: No dependencies.
Developer action elements:
ADV_RCR.1.1D The developer shall provide an analysis of correspondence between all adjacent pairs of TSF representations that are provided.
Content and presentation of evidence elements:
ADV_RCR.1.1C For each adjacent pair of provided TSF representations, the analysis shall demonstrate that all relevant security functionality of the more abstract TSF representation is correctly and completely refined in the less abstract TSF representation.
Evaluator action elements:
ADV_RCR.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ADV_SPM.1 Informal TOE security policy model
Dependencies: ADV_FSP.1 Informal functional specification
Developer action elements:
ADV_SPM.1.1D The developer shall provide a TSP model.
ADV_SPM.1.2D The developer shall demonstrate correspondence between the functional specification and the TSP model.
Content and presentation of evidence elements:
ADV_SPM.1.1C The TSP model shall be informal.
ADV_SPM.1.2C The TSP model shall describe the rules and characteristics of all policies of the TSP that can be modeled.
ADV_SPM.1.3C The TSP model shall include a rationale that demonstrates that it is consistent and complete with respect to all policies of the TSP that can be modeled.
ADV_SPM.1.4C The demonstration of correspondence between the TSP model and the functional specification shall show that all of the security functions in the functional specification are consistent and complete with respect to the TSP model.
Evaluator action elements:
ADV_SPM.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
5.2.4 Guidance documents

AGD_ADM.1 Administrator guidance
Dependencies: ADV_FSP.1 Informal functional specification
Developer action elements:
AGD_ADM.1.1D The developer shall provide administrator guidance addressed to system administrative personnel.
Content and presentation of evidence elements:
AGD_ADM.1.1C The administrator guidance shall describe the administrative functions and interfaces available to the administrator of the TOE.
AGD_ADM.1.2C The administrator guidance shall describe how to administer the TOE in a secure manner.
AGD_ADM.1.3C The administrator guidance shall contain warnings about functions and privileges that should be controlled in a secure processing environment.
AGD_ADM.1.4C The administrator guidance shall describe all assumptions regarding user behavior that are relevant to secure operation of the TOE.
AGD_ADM.1.5C The administrator guidance shall describe all security parameters under the control of the administrator, indicating secure values as appropriate.
AGD_ADM.1.6C The administrator guidance shall describe each type of security-relevant event relative to the administrative functions that need to be performed, including changing the security characteristics of entities under the control of the TSF.
AGD_ADM.1.7C The administrator guidance shall be consistent with all other documentation supplied for evaluation.
AGD_ADM.1.8C The administrator guidance shall describe all security requirements for the IT environment that are relevant to the administrator.
Evaluator action elements:
AGD_ADM.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

AGD_USR.1 User guidance
Since this TOE is not a general user product, there is no user management content in the FMT class within the TOE security functional requirements.
Therefore no User's Manual is provided, and the AGD_USR.1 assurance component is not applicable.

5.2.5 Life cycle support

ALC_DVS.1 Identification of security measures
Dependencies: No dependencies.
Developer action elements:
ALC_DVS.1.1D The developer shall produce development security documentation.
Content and presentation of evidence elements:
ALC_DVS.1.1C The development security documentation shall describe all the physical, procedural, personnel, and other security measures that are necessary to protect the confidentiality and integrity of the TOE design and implementation in its development environment.
ALC_DVS.1.2C The development security documentation shall provide evidence that these security measures are followed during the development and maintenance of the TOE.
Evaluator action elements:
ALC_DVS.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ALC_DVS.1.2E The evaluator shall confirm that the security measures are being applied.

ALC_LCD.1 Developer defined life-cycle model
Dependencies: No dependencies.
Developer action elements:
ALC_LCD.1.1D The developer shall establish a life-cycle model to be used in the development and maintenance of the TOE.
ALC_LCD.1.2D The developer shall provide life-cycle definition documentation.
Content and presentation of evidence elements:
ALC_LCD.1.1C The life-cycle definition documentation shall describe the model used to develop and maintain the TOE.
ALC_LCD.1.2C The life-cycle model shall provide for the necessary control over the development and maintenance of the TOE.
Evaluator action elements:
ALC_LCD.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ALC_TAT.1 Well-defined development tools
Dependencies: ADV_IMP.1 Subset of the implementation of the TSF
Developer action elements:
ALC_TAT.1.1D The developer shall identify the development tools being used for the TOE.
ALC_TAT.1.2D The developer shall document the selected implementation-dependent options of the development tools.
Content and presentation of evidence elements:
ALC_TAT.1.1C All development tools used for implementation shall be well-defined.
ALC_TAT.1.2C The documentation of the development tools shall unambiguously define the meaning of all statements used in the implementation.
ALC_TAT.1.3C The documentation of the development tools shall unambiguously define the meaning of all implementation-dependent options.
Evaluator action elements:
ALC_TAT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

5.2.6 Tests

ATE_COV.2 Analysis of coverage
Dependencies: ADV_FSP.1 Informal functional specification
              ATE_FUN.1 Functional testing
Developer action elements:
ATE_COV.2.1D The developer shall provide an analysis of the test coverage.
Content and presentation of evidence elements:
ATE_COV.2.1C The analysis of the test coverage shall demonstrate the correspondence between the tests identified in the test documentation and the TSF as described in the functional specification.
ATE_COV.2.2C The analysis of the test coverage shall demonstrate that the correspondence between the TSF as described in the functional specification and the tests identified in the test documentation is complete.
Evaluator action elements:
ATE_COV.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ATE_DPT.1 Testing: high-level design
Dependencies: ADV_HLD.1 Descriptive high-level design
              ATE_FUN.1 Functional testing
Developer action elements:
ATE_DPT.1.1D The developer shall provide the analysis of the depth of testing.
Content and presentation of evidence elements:
ATE_DPT.1.1C The depth analysis shall demonstrate that the tests identified in the test documentation are sufficient to demonstrate that the TSF operates in accordance with its high-level design.
Evaluator action elements:
ATE_DPT.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.

ATE_FUN.1 Functional testing
Dependencies: No dependencies.
Developer action elements:
ATE_FUN.1.1D The developer shall test the TSF and document the results.
ATE_FUN.1.2D The developer shall provide test documentation.
Content and presentation of evidence elements:
ATE_FUN.1.1C The test documentation shall consist of test plans, test procedure descriptions, expected test results and actual test results.
ATE_FUN.1.2C The test plans shall identify the security functions to be tested and describe the goal of the tests to be performed.
ATE_FUN.1.3C The test procedure descriptions shall identify the tests to be performed and describe the scenarios for testing each security function. These scenarios shall include any ordering dependencies on the results of other tests.
ATE_FUN.1.4C The expected test results shall show the anticipated outputs from a successful execution of the tests.
ATE_FUN.1.5C The test results from the developer execution of the tests shall demonstrate that each tested security function behaved as specified.
Evaluator action elements:
ATE_FUN.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ATE_IND.2 Independent testing - sample
Dependencies: ADV_FSP.1 Informal functional specification
              AGD_ADM.1 Administrator guidance
              AGD_USR.1 User guidance
              ATE_FUN.1 Functional testing
Developer action elements:
ATE_IND.2.1D The developer shall provide the TOE for testing.
Content and presentation of evidence elements:
ATE_IND.2.1C The TOE shall be suitable for testing.
ATE_IND.2.2C The developer shall provide an equivalent set of resources to those that were used in the developer's functional testing of the TSF.
Evaluator action elements:
ATE_IND.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
ATE_IND.2.2E The evaluator shall test a subset of the TSF as appropriate to confirm that the TOE operates as specified.
ATE_IND.2.3E The evaluator shall execute a sample of tests in the test documentation to verify the developer test results.

5.2.7 Vulnerability assessment

AVA_MSU.2 Validation of analysis
Dependencies: ADO_IGS.1 Installation, generation, and start-up procedures
              ADV_FSP.1 Informal functional specification
              AGD_ADM.1 Administrator guidance
              AGD_USR.1 User guidance
Developer action elements:
AVA_MSU.2.1D The developer shall provide guidance documentation.
AVA_MSU.2.2D The developer shall document an analysis of the guidance documentation.
Content and presentation of evidence elements:
AVA_MSU.2.1C The guidance documentation shall identify all possible modes of operation of the TOE (including operation following failure or operational error), their consequences and implications for maintaining secure operation.
AVA_MSU.2.2C The guidance documentation shall be complete, clear, consistent and reasonable.
AVA_MSU.2.3C The guidance documentation shall list all assumptions about the intended environment.
AVA_MSU.2.4C The guidance documentation shall list all requirements for external security measures (including external procedural, physical and personnel controls).
AVA_MSU.2.5C The analysis documentation shall demonstrate that the guidance documentation is complete.
Evaluator action elements:
AVA_MSU.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AVA_MSU.2.2E The evaluator shall repeat all configuration and installation procedures and other procedures selectively, to confirm that the TOE can be configured and used securely using only the supplied guidance documentation.
AVA_MSU.2.3E The evaluator shall determine that the use of the guidance documentation allows all insecure states to be detected.
AVA_MSU.2.4E The evaluator shall confirm that the analysis documentation shows that guidance is provided for secure operation in all modes of operation of the TOE.

AVA_SOF.1 Strength of TOE security function evaluation
Dependencies: ADV_FSP.1 Informal functional specification
              ADV_HLD.1 Descriptive high-level design
Developer action elements:
AVA_SOF.1.1D The developer shall perform a strength of TOE security function analysis for each mechanism identified in the ST as having a strength of TOE security function claim.
Content and presentation of evidence elements:
AVA_SOF.1.1C For each mechanism with a strength of TOE security function claim the strength of TOE security function analysis shall show that it meets or exceeds the minimum strength level defined in the PP/ST.
AVA_SOF.1.2C For each mechanism with a specific strength of TOE security function claim the strength of TOE security function analysis shall show that it meets or exceeds the specific strength of function metric defined in the PP/ST.
Evaluator action elements:
AVA_SOF.1.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AVA_SOF.1.2E The evaluator shall confirm that the strength claims are correct.

AVA_VLA.2 Independent vulnerability analysis
Dependencies: ADV_FSP.1 Informal functional specification
              ADV_HLD.2 Security enforcing high-level design
              ADV_IMP.1 Subset of the implementation of the TSF
              ADV_LLD.1 Descriptive low-level design
              AGD_ADM.1 Administrator guidance
              AGD_USR.1 User guidance
Developer action elements:
AVA_VLA.2.1D The developer shall perform a vulnerability analysis.
AVA_VLA.2.2D The developer shall provide vulnerability analysis documentation.
Content and presentation of evidence elements:
AVA_VLA.2.1C The vulnerability analysis documentation shall describe the analysis of the TOE deliverables performed to search for ways in which a user can violate the TSP.
AVA_VLA.2.2C The vulnerability analysis documentation shall describe the disposition of identified vulnerabilities.
AVA_VLA.2.3C The vulnerability analysis documentation shall show, for all identified vulnerabilities, that the vulnerability cannot be exploited in the intended environment for the TOE.
AVA_VLA.2.4C The vulnerability analysis documentation shall justify that the TOE, with the identified vulnerabilities, is resistant to obvious penetration attacks.
Evaluator action elements:
AVA_VLA.2.1E The evaluator shall confirm that the information provided meets all requirements for content and presentation of evidence.
AVA_VLA.2.2E The evaluator shall conduct penetration testing, building on the developer vulnerability analysis, to ensure the identified vulnerabilities have been addressed.
AVA_VLA.2.3E The evaluator shall perform an independent vulnerability analysis.
AVA_VLA.2.4E The evaluator shall perform independent penetration testing, based on the independent vulnerability analysis, to determine the exploitability of additional identified vulnerabilities in the intended environment.
AVA_VLA.2.5E The evaluator shall determine that the TOE is resistant to penetration attacks performed by an attacker possessing a low attack potential.

5.3 Security Requirements for the IT Environment
The requirements for the IT Environment are as follows.

FDP_ITT.1 Basic internal transfer protection
Hierarchical to: No other components
Dependencies: [FDP_ACC.1 Subset access control, or FDP_IFC.1 Subset information flow control]
FDP_ITT.1.1 The IT environment shall enforce the [Enterprise Security Management Agent Systems Data Receive Security Policy] to prevent the disclosure or modification of user data when it is transmitted between physically-separated parts of the TOE.

FPT_AMT.1 Abstract machine testing
Hierarchical to: No other components
Dependencies: No dependencies.
FPT_AMT.1.1 The IT environment shall run a suite of tests during initial start-up and periodically during normal operation to demonstrate the correct operation of the security assumptions provided by the abstract machine that underlies the TSF.
Application Note: The TOE uses commands supported by its own OS to perform configuration processing and DB status checks periodically. Through these checks the TOE monitors the status of each TOE process and of the DB. If one has halted, the halted process or DB is re-executed to restore normal TOE operation.

FPT_ITT.1 Basic internal TSF data transfer protection
Hierarchical to: No other components
Dependencies: No dependencies.
FPT_ITT.1.1 The IT environment shall protect TSF data from disclosure and modification when it is transmitted between separate parts of the TOE.
Application Note: The TOE calls SSL functions provided as part of the IT environment to establish the SSL protocol and thus secure channels.
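The following is an added example, not ActiveTSM code, of the kind of self-test FPT_TST.1 (5.1.1) asks for: an integrity check of stored TSF executable code and TSF data against a digest manifest, triggered at the interval that FMT_MTD.2(2) reserves to the Authorized Admin. The file names, the manifest format, the HMAC key handling and the interval check are assumptions made for illustration; the example builds a manifest over constructed files, then shows that both a patched executable and a forged manifest entry are detected.

```python
# Added example: not ActiveTSM code. A minimal TSF self-test of the kind
# FPT_TST.1 calls for (integrity of TSF data and of stored TSF executable
# code), run at the interval that FMT_MTD.2(2) reserves to the Authorized
# Admin. File names, the manifest format and the key handling are
# assumptions made for illustration.
import hashlib
import hmac
import json
import os
import tempfile

DIGEST = "sha256"


def file_digest(path):
    """Hash a file in chunks so large executables need not fit in memory."""
    h = hashlib.new(DIGEST)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(paths, key):
    """Record the reference digest of each protected file.

    The manifest is authenticated with an HMAC under a key that only the
    Top Level Admin provisions (assumption), so an attacker who can rewrite
    a binary cannot also rewrite its expected digest.
    """
    entries = {p: file_digest(p) for p in sorted(paths)}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"entries": entries, "tag": hmac.new(key, body, DIGEST).hexdigest()}


def run_self_test(manifest, key):
    """Return (ok, failures); failures names the items that did not verify."""
    body = json.dumps(manifest["entries"], sort_keys=True).encode()
    if not hmac.compare_digest(hmac.new(key, body, DIGEST).hexdigest(), manifest["tag"]):
        return False, ["manifest"]          # manifest forged or corrupted
    failures = [
        path for path, ref in manifest["entries"].items()
        if not os.path.isfile(path) or not hmac.compare_digest(file_digest(path), ref)
    ]
    return not failures, failures


def self_test_due(last_run, now, interval_s):
    """Periodic trigger; interval_s is the admin-set limit from FMT_MTD.2(2)."""
    if interval_s <= 0:
        raise ValueError("integrity test interval must be positive")
    return now - last_run >= interval_s


def demo():
    """Build a manifest over constructed stand-ins, then tamper with them."""
    key = b"manifest-key-provisioned-by-top-level-admin"   # assumption
    workdir = tempfile.mkdtemp()
    exe = os.path.join(workdir, "atsm_master.bin")     # constructed name
    cfg = os.path.join(workdir, "atsm_policy.conf")    # constructed name
    with open(exe, "wb") as f:
        f.write(b"\x7fELF constructed executable image")
    with open(cfg, "wb") as f:
        f.write(b"integrity_test_interval=3600\n")

    manifest = build_manifest([exe, cfg], key)
    clean = run_self_test(manifest, key)

    # An attacker patches the stored executable code.
    with open(exe, "ab") as f:
        f.write(b"\x90\x90 patched")
    tampered = run_self_test(manifest, key)

    # The attacker also rewrites the expected digest, but has no key.
    forged = json.loads(json.dumps(manifest))
    forged["entries"][exe] = file_digest(exe)
    forged_result = run_self_test(forged, key)

    return {"clean": clean, "tampered": tampered, "forged": forged_result, "exe": exe}


if __name__ == "__main__":
    print(demo())
```

The manifest is authenticated rather than merely stored because an integrity check whose reference values live on the same disk as the binaries only raises the bar if the attacker cannot rewrite both; the HMAC key is the piece that must stay outside the attacker's reach, which in the ST's terms is TSF data under Authorized Admin control.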
6 TOE Summary Specification
This chapter presents a functional overview of the TOE, the security functions implemented by the TOE, and the assurance measures applied to ensure their correct implementation.

6.1 TOE Security Functions
This section describes the TOE security functions. It describes how all SFRs specified in Chapter 5 are satisfied by the security functions of ActiveTSM V3.0, which is an enterprise security management system.

6.1.1 Security Management (AT_ADMIN)
Basically, the Top Level Admin has the privileges to directly manage Admin IDs and the related information necessary for system management. When an Authorized Admin successfully logs into the Master server with his/her own ID, he/she can perform the functions that manage the TOE's security related data. If an Authorized Admin enters an out-of-range or otherwise inappropriate value when entering security attributes, the TOE sends a system management error message to report the error.

Security Management Role (Privilege Management)
The Top Level Admin, who is created when the TOE is installed, has all privileges. The Top Level Admin can add, delete or modify the specific-privilege admins (Management Admin or Monitoring Admin). The functional scope of the specific-privilege admins is as follows:
- The Management Admin cannot perform the following major functions, which can impact the overall system:
  - Retrieve, Add or Delete any Admin ID
  - Delete Audit Data
- The Monitoring Admin's functions are limited to monitoring the security equipment log and the system performance status. Specifically, the Monitoring Admin is authorized to perform the following functions:
  - Event Monitoring (IDS, Firewall, ACCOUNT)
  - Performance Monitoring (CPU Load, Memory Status, Network Status)
  - Correlation Analysis Monitoring

Security Access Management
The TOE Monitor accesses the Master Server via RMI communication. The TOE Admin accesses the Master Server using the SSL protocol, which is implemented within the RMI communication.
SSL communication provides encryption of the Admin traffic as well as data integrity.

The TOE Security Management functions consist of the following:
- Event Monitoring
- Performance Monitoring
- Agent Log Management
- Security Info Management
- Security Correlation Analysis Management
- Security Object Management
- Security Environment Configuration Management

Event Monitoring

Event Monitoring provides the basic information that enables the Authorized Admin to perform real-time monitoring of the security status (Intrusion Detection, Intrusion Block, Traffic, System Load, etc.) of the Enterprise Security Management Agent Systems and to devise the necessary countermeasures.

Each Enterprise Security Management Agent System generates a considerable amount of security equipment log, which is collected by the Agent and sent to the Slave; the Slave receives the security equipment log and stores it in the relevant DB. Since real-time monitoring by the Authorized Admin of all security equipment log of all systems stored in the DB is practically impossible, this function extracts and transmits only the significant security equipment logs configured beforehand by the Authorized Admin. Such refined security equipment log is referred to as an 'event'.

Log info generated at each Enterprise Security Management Agent System is collected by the TOE Agent. This log data is stored in a DB via the interfaces of the Master and Slave. At the same time, the Authorized Admin can monitor the security status of the Enterprise Security Management Agent Systems via the TOE's Monitor from the security info extracted in real time.

Event info is displayed on a monitoring screen whenever an event occurs. The Admin can freeze the event info at a given date/time for analysis, or send specific info directly to the event-related functions (Event Filtering/Level Management, Correlation Analysis Rule Registration, KMS (Attack Info, Virus Info, Management History Info) Search or Management Receive).
The information for an event consists of the following data:
- Log Type (Firewall/IDS)
- Occurrence Object
- Occurrence Date/Time
- System Time
- Actual Equipment Name
- Attack Name
- Attacker IP, Port
- Target IP, Port
- Threat Level
- Frequency
- Other

The TOE provides Event Filtering, Event Compression and Event Leveling to enable event extraction by refining the security equipment log. Extracted events can be monitored selectively using certain event data according to the Admin's choice (e.g. Intrusion Block or Intrusion Detection).

Event Filtering

The collected security equipment log is analyzed and the configured event filtering rules are applied. The result is then sent to the Monitor via the Master. The Authorized Admin can add, delete or modify the event filtering rules.

Event Compression

Sometimes the same attack causes multiple security equipment logs. That is, when an attacker makes repeated attacks, the log information is almost identical except for the occurrence number and the time data. Therefore, these log records can be compressed into a single log. Event compression is a basic TOE function and the Authorized Admin simply sets whether to use this feature or not.

Event Level Management

A security equipment log analysis system uses the log significance (level) to judge the severity of the pertinent security problem. However, sometimes the security equipment log does not carry accurate level information. Therefore, the Authorized Admin can use the Event Level Management function to modify the level info in accordance with a leveling rule, which is configured by the Authorized Admin and applied, in a similar manner to Event Filtering, to the events extracted from security equipment logs. Thus, existing level info can be adjusted to a higher or lower level.

For leveling rule generation, the information necessary for leveling rule configuration is filled in automatically, while the Admin only adds the level info to modify.
The TOE provides the functions to edit, delete or retrieve event leveling rules.

Event Pattern Monitoring

When the number of Enterprise Security Management Agent Systems that the TOE manages is large, the number of events extracted from security equipment logs can be considerable. Therefore, the Admin cannot possibly monitor all events. For this reason, the TOE provides the function to extract only the top N events, ranked by occurrence frequency, from among the extracted events.

Extracted event patterns are displayed in a pie chart by detailed info unit (Attack Name, Attacker IP, Target IP, Occurrence Object, Attack Port, Target Port, etc.) on the Monitor screen. Normally, the Admin uses such graphic info to monitor the security status of the TOE rather than focusing on detailed event info.

For event pattern configuration, since the basic values are configured at the time of TOE installation and this function is used for processing all TOE event patterns, only the number of event patterns to view is configured. That is, the upper limit on the number of most frequent event patterns to view is configured for extraction.

Event Monitoring

Event Monitoring allows the simultaneous display of the event monitoring results of IDS and Firewall as well as the Event Pattern Monitoring result.

ACCOUNT Monitoring: The TOE provides the function to monitor packets that are either blocked or allowed at Enterprise Security Management Agent Systems such as a Firewall. ACCOUNT info consists of the following data:
- Log Type (Intrusion Block)
- Occurrence Object
- Occurrence Date/Time
- System Time
- Actual Equipment Name
- Service
- Action
- Source IP, Port
- Destination IP, Port
- Frequency
- Other

Performance Monitoring

The TOE provides the function to monitor in real time, at the Monitor, the system status info (CPU Load Rate, Network Traffic/Packet Volume, Memory Status, etc.) of the Enterprise Security Management Agent Systems.
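The refinement steps described above (Event Filtering, Event Compression, Event Level Management and the top-N extraction of Event Pattern Monitoring) chained the way the Slave and Master would apply them, as an added worked example in Python. This is not ActiveTSM code: the event record fields follow the list above, but the first-matching-rule semantics, the 1..5 level scale and the 5-minute compression window are assumptions (the ST only says compression is switched on or off), and the security equipment log records are constructed.

```python
"""Event extraction pipeline: filtering -> compression -> leveling -> top-N patterns.
Added example, not ActiveTSM code; rule semantics and sample data are assumptions."""
from collections import Counter
from dataclasses import dataclass, replace
from datetime import datetime, timedelta


@dataclass
class Event:
    log_type: str       # "IDS" or "Firewall"
    equipment: str      # actual equipment name
    attack: str         # attack name
    attacker_ip: str
    attacker_port: int
    target_ip: str
    target_port: int
    level: int          # threat level, 1 (low) .. 5 (high): scale is an assumption
    time: datetime
    frequency: int = 1  # occurrence count, raised by compression


def _matches(event, match):
    """A rule matches when every listed field equals the given value."""
    return all(getattr(event, k) == v for k, v in match.items())


def apply_filters(events, rules):
    """Event filtering: rules are {"match": {...}, "action": "drop"|"keep"}.
    The first matching rule decides; unmatched events are kept (assumption)."""
    kept = []
    for e in events:
        action = next((r["action"] for r in rules if _matches(e, r["match"])), "keep")
        if action == "keep":
            kept.append(e)
    return kept


def compress(events, window=timedelta(minutes=5)):
    """Event compression: records identical except for time are merged into one
    record whose frequency is the occurrence count. Records further apart than
    `window` start a new compressed record (the window is an assumption)."""
    groups = {}
    for e in sorted(events, key=lambda e: e.time):
        key = (e.log_type, e.equipment, e.attack, e.attacker_ip,
               e.attacker_port, e.target_ip, e.target_port)
        groups.setdefault(key, []).append(e)
    out = []
    for group in groups.values():
        current = replace(group[0])           # copy, so the input is not mutated
        for e in group[1:]:
            if e.time - current.time <= window:
                current.frequency += e.frequency
            else:
                out.append(current)
                current = replace(e)
        out.append(current)
    return sorted(out, key=lambda e: e.time)


def apply_leveling(events, rules):
    """Event level management: a leveling rule overrides the level reported by
    the security equipment for the events it matches."""
    out = []
    for e in events:
        for r in rules:
            if _matches(e, r["match"]):
                e = replace(e, level=r["level"])
                break
        out.append(e)
    return out


def top_patterns(events, field, n):
    """Event pattern monitoring: the top-N values of one detail field, weighted
    by frequency, i.e. the slices of the pie chart on the Monitor."""
    counts = Counter()
    for e in events:
        counts[getattr(e, field)] += e.frequency
    return counts.most_common(n)


def run_pipeline(events, filter_rules, level_rules, top_n=3):
    events = apply_leveling(compress(apply_filters(events, filter_rules)), level_rules)
    return events, top_patterns(events, "attack", top_n)


# Constructed sample security equipment log (not real data)
T0 = datetime(2006, 6, 3, 9, 0, 0)
SAMPLE = [
    *[Event("IDS", "ids-01", "SQL Injection", "203.0.113.5", 40000, "192.0.2.10", 80, 3,
            T0 + timedelta(seconds=15 * i)) for i in range(4)],          # repeated attack
    Event("IDS", "ids-01", "ICMP Echo", "203.0.113.7", 0, "192.0.2.10", 0, 1, T0),
    Event("Firewall", "fw-01", "Port Scan", "203.0.113.9", 5555, "192.0.2.20", 22, 2, T0),
    Event("Firewall", "fw-01", "Port Scan", "203.0.113.9", 5555, "192.0.2.20", 22, 2,
          T0 + timedelta(minutes=10)),                                     # outside window
    Event("IDS", "ids-02", "SQL Injection", "198.51.100.2", 51000, "192.0.2.11", 443, 3,
          T0 + timedelta(minutes=1)),
]
FILTER_RULES = [{"match": {"attack": "ICMP Echo"}, "action": "drop"}]
LEVEL_RULES = [{"match": {"attack": "SQL Injection"}, "level": 5}]

if __name__ == "__main__":
    refined, patterns = run_pipeline(SAMPLE, FILTER_RULES, LEVEL_RULES)
    for e in refined:
        print(e.time.time(), e.log_type, e.equipment, e.attack, e.attacker_ip,
              "x", e.frequency, "level", e.level)
    print("top patterns:", patterns)
```

With the constructed input the four identical SQL Injection records collapse into one record with frequency 4, the ICMP Echo record is dropped, the two Port Scan records stay separate because they are ten minutes apart, and the two SQL Injection records are raised to level 5; the top pattern by attack name is then SQL Injection with weight 5. Compression keys on every field but time, so attacker ports that change per connection would defeat it; whether to drop the source port from the key is a tuning decision the ST leaves to the Admin's filtering rules.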
Thus, the operating status of the Enterprise Security Management Agent Systems and the security and network status can be verified.

Agent Log Management

The TOE provides the function to collect and manage Security Equipment Logs, which are the basic data generated at the Enterprise Security Management Agent Systems. The Security Equipment Log Management function consists of the following three sub-functions:
- Security Equipment Log Collection (Agent)
- Security Log Event Processing (Slave)
- Collected Log Search (Monitor)

The interfaces that an Agent uses for security equipment log collection are SNMP, SYSLOG and custom APIs; the former two are standard interfaces that enable log collection from all Enterprise Security Management Agent Systems, regardless of their type, via common interfaces. For custom APIs, the TOE Agent provides collection interfaces for representative products.

TOE Agent functions are performed in two modes: internal mode and external mode. In internal mode the TOE directly collects logs remotely via the standard interfaces (SNMP or SYSLOG) from the Enterprise Security Management Agent Systems and interfaces with the Slave. In external mode, on the other hand, the Enterprise Security Management Agent Systems do not provide standard interfaces but only custom interfaces, so they perform the Agent function themselves for equipment log collection. An SSL-based RMI communication channel is used to transfer the log collected by an Agent in external mode to the Slave.

a) Security Equipment Log Collection

The TOE provides the function for its Agent to collect security logs and status info from the Enterprise Security Management Agent Systems. The collected info includes Intrusion Detection, Intrusion Block, Management Target Server, Security Equipment Log, CPU Load, Network Traffic and Memory. The collected info is sent to the Slave of the TOE.
b) Security Log Event Processing

The TOE Slave receives the security logs collected by the Agent and stores them in their primitive form in a DB. At the same time, the Slave applies the Event Filtering Rules and Event Compression Rules configured by the Authorized Admin to the security logs and delivers the refined security logs, as events, to the Master in real time.

Event Filtering rules defined at the Monitor by the Authorized Admin are stored in the DB by the Master. However, the configured event filtering and event compression are performed directly by the Slave in real time, and the results are sent to the TOE Master.

c) Event Search

The Event Search function is categorized into the search of events that occur at Enterprise Security Management Agent Systems and the search of Firewall Account log types.

The Admin normally uses either Event Monitoring or Event Pattern Monitoring for security monitoring tasks. However, in case a specific Enterprise Security Management Agent System incurs a heavy volume of security log or experiences a serious security problem, its primitive security log needs to be retrieved. Security Equipment Log Search is conducted by the Slave, with the following search criteria. Storing the search results in external text files is also provided.

Events
- Log Type (Intrusion Detection, Intrusion Block)
- Area
- Entity
- Attack Name
- Threat Level
- Actual Equipment Name
- Attacker IP/Port
- Target IP/Port
- Begin/End Date
- Max Search Result Number

Account
- Log Type (Intrusion Block)
- Occurrence Object
- Occurrence Date/Time
- System Time
- Actual Equipment Name
- Service
- Action
- Source IP, Port
- Destination IP, Port
- Frequency
- Other

Security Info Management

The TOE's security info management function includes Security Management Admin, the Security Knowledge Management System (KMS), Security Management Reports and Admin Functions that support the Authorized Admin in reviewing the collected security log data, analyzing security issues and taking appropriate countermeasures. That is, the Admin utilizes this function to analyze the performance (CPU, memory, traffic) of the Enterprise Security Management Agent Systems and the external attack info, in order to take measures on the Enterprise Security Management Agent Systems or to establish an appropriate security policy.

a) Security Management Admin

The Authorized Admin analyzes the major security event info that is delivered in real time to the Monitor, judges the seriousness of the current problems, takes appropriate measures to counter them and records the results. The basic functions of security management are Add, Edit, Delete and Retrieve of management records. Management records proceed through the steps Receive, Analysis and Countering as the Admin completes each process in sequence. If further processing is required at the Analysis or Countering step, the record can be held temporarily; if no further processing is required, the record is returned to the previous process.

Upon acceptance of a record, requester info is required on the requester who asks for analysis and countering of the security problem that occurred; the requester can be a Management Admin, Monitoring personnel, or a System Admin. A management function (Add, Edit, Retrieve, Delete) for Requester Info (name, position, team, e-mail, phone number, company) is provided. Also, the info on the general equipment that caused the security problem is required.
Therefore, a function, including Add, Edit, Retrieve and Delete, is provided to manage the problem equipment info as follows:
- Host Name
- Domain Name
- Equipment Type (PC, Router, Server, Switch, External Server, etc.)
- Location
- Host IP, Port
- OS Version
- Other Info

b) Knowledge Management System (KMS)

The TOE provides the security knowledge management function, which supports the systematic accumulation of diverse knowledge management info and the rapid countering of security events that occur. The types of security knowledge managed by the KMS include Virus Info, Attack Info and Management History Info. Virus and Attack info are stored automatically in the DB via a web robot, while the Management History is stored by Security Management. Therefore, the KMS only provides the function to retrieve security info that has been collected and stored. This is used for security info analysis based on reference info, including the history of analyzed info and virus/attack info, while conducting management tasks. Virus info and attack info include URL info so that the web content of the relevant URL for each info record can be retrieved, and detailed management history info can also be retrieved.

Virus Info includes the following data:
- Virus Name
- Type (Trojan Horse, Harmful, etc.)
- Threat Level (Average, Serious, Unknown, etc.)
- Symptom Detail
- Date Detected
- Target Platform
- Symptom
- Occurrence Location
- Treatment
- URL

Attack Info includes the following data:
- Attack Name
- Attack Code
- Attack Type
- Overview
- URL

Management History Info includes the following data:
- Receive No.
- Receive Title
- Attack Type
- Attack Method
- Receive Detail
- Analyzer
- Countermeasure
- Countermeasure Result
- Modify Date
- Modifier

c) Trend Report Retrieve

This function allows the Authorized Admin to generate a trend report based on the collected security logs and event data.
That is, an Authorized Admin can analyze the collected info through such reports and take appropriate actions. Reports are generated only for Admin verification and are not stored on the TOE; on Admin request, a report can be saved as a file on the Admin's local computer. Trend Reports include performance trend reports on CPU, traffic, packets and memory as well as event trend reports.

Security Correlation Analysis

The TOE provides a correlation analysis function that allows the extraction of significant info from the various info and events that occur in large quantities at numerous Enterprise Security Management Agent Systems. Correlation analysis is necessary because it is practically difficult to track and monitor the security logs and events of such target systems, and such security logs are usually mutually correlated.

Although an external attack can be identified through the analysis of a specific system, attack symptoms usually occur in multiple systems. Therefore, instead of analyzing a single event, IDS attack names, firewall blocking rules and event extraction rules on CPU/memory/network load conditions can be configured as elements that generate security logs on all Enterprise Security Management Agent Systems, so that the countermeasures configured by the Admin are performed when such rules are satisfied simultaneously. Thus, the correlations of multiple events are configured to enable accurate analysis of security problems. Rule management for correlation analysis provides the management of rules on performance and on events; the info to be configured is as follows:

a) Performance Threshold Management

Thresholds on performance (CPU load, memory load, or network load) are set per equipment and per network, so that when such a threshold is reached the action configured by the Admin for the event is performed. This function provides correlation analysis of the performance info not only of individual equipment but of all equipment in group networks or areas.
Performance correlation analysis manages (add, edit, delete, retrieve) the following configuration data:
- Rule Name
- Applicability
- Entity (Network, Black List, Firewall, Area (Domain), Yellow List)
- Threshold
- Action

The threshold data used in performance correlation analysis are managed separately. Load variations by specific time period (by date) under normal operating conditions, or average values per time period (a day, three days, a week, a month, or the average by day of week), are analyzed and the respective threshold values are adjusted accordingly to prevent unnecessary triggering of security events. Also, event triggers are configured so that they fire only when a configured threshold is held continuously for a certain length of time. The following threshold data are managed (add, edit, delete, retrieve) within the performance security policy configuration for correlation analysis:
- Threshold Name
- Description
- Code Type (CPU Load, Memory Load, Network Load)
- Continuity Threshold (seconds, minutes, number of times)
- Frequency (daily average, 3-day average, weekly average, monthly average, average by day of week)
- Threshold value by date or day of week

b) Event Security Policy Management

The Admin can configure event correlations to extract those events that satisfy the configured rules. Logical relationships between events that occur in one or more Enterprise Security Management Agent Systems are configured. When an event that satisfies any of these relationships occurs, it is delivered to the Admin according to the configured alarm process.

When configuring event correlation rules, a rule can relate up to three Enterprise Security Management Agent Systems. However, an existing event correlation rule can be used within another correlation rule as if it were the rule for another related target system. Thus, an unbounded number of event correlation rules can be configured as connected rules.
Event correlation rules include the following data:
- Rule Name
- Applicability
- Target Equipment Entity/Event/Occurrence Count (Condition)
- Related Equipment 1 Entity/Event/Occurrence Count (Condition)
- Related Equipment 2 Entity/Event/Occurrence Count (Condition)
- Action (Alarm Sound, Warning Screen, Logging, E-mail, Character Message)
- Threat Level (High/Medium/Low/Event Surge)

c) Correlation YELLOW/BLACK List Management

The Black List is the list of attacker IPs that cause security problems; it is managed (add, edit, delete, retrieve) together with the following info:
- System Title
- Attack IP
- Description
- Applicability

The Yellow List, on the other hand, is the list of systems that have been attacked. It is managed (add, edit, delete, retrieve) with the following info:
- System Title
- System IP
- Service Name
- Description
- Applicability

Security Object Management

TOE components such as Master, Slave and Agent, and the Enterprise Security Management Agent Systems, must be registered as security objects to enable the security functions on them. Thus, they are all managed as TOE assets. Relationships among the TOE security objects must be configured via Management Maps to enable the normal application of the security functions. Therefore, security objects registered in Asset Management must be added to the map info within Map Management to define the interrelationships and roles among the security objects. In case multiple Slaves are registered as TOE assets, Map Management is used to configure which of them is connected to the Master and to which Agents each Slave is connected.

a) Asset Management

This function manages (add, edit, delete, retrieve) the information required for security management of all TOE components, excluding Monitor and Agents, and of the Enterprise Security Management Agent Systems. The major info consists of the following data, and this info can be stored as an external text file:
- Control No.
- Category (Hardware/Software)
- Item (Master/Slave/Intrusion Detection/Intrusion Block/Management Target Server/Network Equipment)
- Host Name, IP
- Usage

b) Map Management

Security objects registered in asset management must be configured to interconnect within the TOE. Such relationships are configured by registering the objects in a visual map. The Master-Slave-Agent-Equipment relationships are registered in map management to enable the TOE security functions. When a problem occurs with a system registered in the map, the system's status is displayed visually on the map.

When the number of registered equipment is large, the map display can become very complicated and hard to read. Thus, the following map display options can be used:
- Actual Group: This map shows the actual TOE execution architecture, i.e. the configuration among the physical security objects.
- Equipment Group: Equipment is grouped for display by type, including Intrusion Detection, Intrusion Block, Router and Management Target Server.
- Area Group: This map displays the numerous Enterprise Security Management Agent Systems by area, such as localities or organizational groups.

Within map management, Areas, Slaves and Agents are managed (add, edit, delete, retrieve) to initialize or store the entire map info. The Master is always displayed on the map and therefore does not need registration in the map. Slaves are managed with the following info; asset info registered in Asset Management can be used for Slave registration in the map:
- Slave Name
- Slave Description
- Control No.
- Item
- Detail Category
- Host Name, IP
- Connected Master
- Area
- Port

The following data are used for Agent registration:
- Agent Name
- Agent Description
- Control No.
- Item
- Host Name, IP
- Community (SNMP community string)
- CPU OID
- Memory OID
- Memory Total OID
- Memory Free OID
- Memory Used OID
- Connected Slave
- Area
- Port

c) Map Node Search

A specific node can be searched by node name from the map screen.
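The two rule types of the Security Correlation Analysis section above, a performance threshold rule with a continuity threshold and a day-of-week threshold value (a), and an event correlation rule with a target equipment condition and two related equipment conditions (b), evaluated over constructed samples, as an added example in Python. This is not ActiveTSM code. The ST does not say how the occurrence counts of a correlation rule are bounded in time, so the 10-minute evaluation window is an assumption, as are the rule dictionaries; the averaging periods (daily, 3-day, weekly, ...) used to derive threshold values are not modelled, the thresholds are given directly.

```python
"""Correlation analysis rules: performance threshold with continuity, and an
event correlation rule over target and related equipment. Added example, not
ActiveTSM code; window, rule layout and sample data are assumptions."""
from collections import Counter
from datetime import datetime, timedelta


def threshold_for(rule, when):
    """'Threshold value by date or day of week': pick the value for the sample's
    weekday (Monday == 0), falling back to the rule's default value."""
    return rule["by_weekday"].get(when.weekday(), rule["default"])


def check_performance(samples, rule):
    """samples: (time, equipment, code type, value) tuples.
    The rule fires for an equipment when its value reaches the threshold for
    `continuity` consecutive samples (the continuity threshold expressed as a
    number of times); a sample below the threshold resets the streak.
    Returns (rule name, equipment, time, action) per alert."""
    streak = {}
    alerts = []
    for t, equip, code, value in sorted(samples):
        if code != rule["code_type"] or equip not in rule["entities"]:
            continue
        if value >= threshold_for(rule, t):
            streak[equip] = streak.get(equip, 0) + 1
            if streak[equip] == rule["continuity"]:
                alerts.append((rule["name"], equip, t, rule["action"]))
        else:
            streak[equip] = 0
    return alerts


def check_event_rule(events, rule, window=timedelta(minutes=10)):
    """events: (time, equipment, event name, attacker IP) tuples.
    The rule holds when the target condition and every related-equipment
    condition reach their occurrence counts within `window` (assumption).
    Fires once, at the time the last condition is met; returns
    (rule name, time, threat level, action)."""
    conditions = [rule["target"]] + rule["related"]
    for t_end, *_ in sorted(events):
        counts = Counter((e[1], e[2]) for e in events
                         if t_end - window <= e[0] <= t_end)
        if all(counts[(c["entity"], c["event"])] >= c["count"] for c in conditions):
            return [(rule["name"], t_end, rule["threat_level"], rule["action"])]
    return []


# Constructed sample rules and data (not real configuration)
T = datetime(2006, 6, 3, 10, 0)            # a Saturday


def at(minutes):
    return T + timedelta(minutes=minutes)


CPU_RULE = {
    "name": "cpu-sustained", "code_type": "CPU Load",
    "entities": {"srv-01", "srv-02"},
    "default": 90, "by_weekday": {5: 80, 6: 80},   # lower weekend threshold (assumption)
    "continuity": 3, "action": "E-mail",
}
CPU_SAMPLES = [(at(i), "srv-01", "CPU Load", v)
               for i, v in enumerate([85, 86, 70, 85, 85, 85])] + \
              [(at(i), "srv-02", "CPU Load", v) for i, v in enumerate([85, 85, 60])]

EVENT_RULE = {
    "name": "scan-then-overflow",
    "target": {"entity": "ids-01", "event": "Buffer Overflow", "count": 1},
    "related": [{"entity": "fw-01", "event": "Port Scan", "count": 3},
                {"entity": "srv-01", "event": "Login Failure", "count": 2}],
    "action": "Warning Screen", "threat_level": "High",
}
EVENTS = [
    (at(0), "fw-01", "Port Scan", "203.0.113.9"),
    (at(1), "fw-01", "Port Scan", "203.0.113.9"),
    (at(2), "fw-01", "Port Scan", "203.0.113.9"),
    (at(3), "ids-01", "Buffer Overflow", "203.0.113.9"),
    (at(4), "srv-01", "Login Failure", "203.0.113.9"),
    (at(5), "srv-01", "Login Failure", "203.0.113.9"),
]

if __name__ == "__main__":
    print("performance alerts:", check_performance(CPU_SAMPLES, CPU_RULE))
    print("event rule hits:", check_event_rule(EVENTS, EVENT_RULE))
```

On the Saturday samples srv-01 reaches the 80% weekend threshold in three consecutive samples only after the dip at 10:02, so a single alert is raised at 10:05 and srv-02, which drops after two samples, raises none; the same samples shifted to a Monday are compared against the 90% default and raise nothing, which is the effect the day-of-week threshold is meant to have. The event rule becomes true at 10:05, when the second login failure on srv-01 completes the three conditions, and stays false if that last event is absent.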
The network interface status between the TOE system and the Enterprise Security Management Agent Systems can be verified using ICMP ping.

Since SSL-based RMI is used for communication among all TOE components (Monitor, Master, Slave, Agent), data transferred through the RMI interfaces is protected using the confidentiality algorithm (3DES) and the integrity algorithm (SHA-1).

Security Management Environment Configuration

a) Code Management

Codes used for the TOE security functions are managed (add, edit, delete, retrieve) and the Authorized Admin can modify them as necessary. Codes configured by the Authorized Admin include Item (System Type), Control No., Product Category, Nation, Equipment Type, Attack Type and Attack Method.

b) The TOE allows the following configuration of the security management configuration data:
- Integrity Test Frequency Configuration
- Disk Space Configuration
- TOE System Time Configuration
- Function to turn on/off the Alarm Sound or Warning Screen in case of excessive generation
- Max number of events in a real-time event list
- Management Environment Configuration
  - Add/Delete of Character Message Server Access Info (SMS Server IP, Port, User ID/Password) and Receiver Info (SMS No., Description, Applicability)
  - Frequency of Monitor and Master event processing
  - Frequency of TOE status check
  - Frequency of DB status check
  - No. of screens displayed on the Monitor
  - Mail server IP

Functional Requirements Satisfied: FMT_MOF.1, FMT_MSA.1, FMT_MSA.3, FMT_MTD.1(1), FMT_MTD.1(2), FMT_MTD.1(3), FMT_MTD.1(4), FMT_MTD.2(1), FMT_MTD.2(2), FMT_SMF.1, FMT_SMR.1, FPT_ITT.1

6.1.2 Audit (AT_AUDIT)

The security audit functions described in this sub-section include Audit Data Generation, Audit Data Retrieve, Audit Data Storage and selective Audit Data Retrieve.
Audit data generated at each module is sent to the Log Module, which checks the audit data, generates an alarm in case of an alarm condition, and stores the audit data in the log table within the relevant DB.

Audit data generation

a) Audit info generated by the TOE is categorized into changes in the TOE security configuration and errors or major messages generated within the TOE system.

Whenever an Authorized Admin processes an Add, Edit or Delete request on security configuration info, this action is stored as an audit data record. In addition, errors that occur during TOE system operation and the results of major security functions that are subject to audit are stored as audit data. The major target items are as follows. All security audit events generate audit data, which is delivered to the Log Module for storage in the order of occurrence time.
- All functional errors that occur
- Self Diagnosis Results
- Integrity Test Results

b) The audit target events described in Table 5-2 and Table 5-3 are stored as audit data records with the following data at minimum:
- Event Date/Time
- Object ID (Admin ID, Agent, Master, Slave)
- Event Significance (ERROR, WARNING, NOTICE, MANAGE)
- Sequence No.
- Event Detail

c) The TOE records all security policy implementation actions by the Authorized Admin specified in AT_ADMIN as audit data.

d) The TOE monitors the generated audit data and, in case a pre-configured alarm condition occurs for any audit data, this event is sent to the Authorized Admin via e-mail and a warning screen is displayed.

e) When generating audit data, the Event Significance log (ACCOUNT, WARNING, ERROR, MANAGE) is sent to the Log Process Module.

f) When Admin authentication fails three times consecutively for an Admin ID, the status of this Admin ID is changed to 'TERMINATE'. In this condition, entering correct authentication info still fails authentication.
g) When a threshold for correlation analysis configured by the Admin is exceeded or a specified event occurs, an audit data record is created and the action specified for the correlation analysis condition is executed (such as an alarm to the Admin).

Audit review

a) Audit Data Retrieve

The TOE provides Retrieve and Search functions on all audit data records to the Authorized Admin, based on conditions. However, the Monitoring Admin is not allowed to retrieve audit data. The Authorized Admin can retrieve audit data by audit data type based on a specific date and time.

The Authorized Admin (Top Level Admin, Management Admin) can retrieve the desired audit data from the stored audit data by the following conditions. The retrieved search result can be viewed via the TOE Monitor.
- Event Date/Time (Date & Time)
- Object ID
- Event Category
- Event Significance (Event Type)
- Event Detail (arbitrary search key)

b) Real-time Audit Data Retrieve

The Authorized Admin can view audit data in real time upon retrieval. If the Authorized Admin wishes to view the current audit data using any of the following conditions, he/she may enter values for such conditions and retrieve the desired audit data in real time.
- Event Date/Time (Date & Time)
- Object ID
- Event Category
- Event Significance (Event Type)
- Event Detail (arbitrary search key)

c) Object History

The history of a Master, Slave, Agent or Area can be retrieved.

d) System History

The execution and stop history of the Master, and the Slaves' Master access history, can be retrieved.

e) User History

The Admin can retrieve the TOE log-on or log-out history.

TOE Audit Data Configuration

The TOE Security Management function allows configuration of the audit data generation level within the audit data environment configuration. The Admin can set the OS time of the Master, Slave and Monitor systems to ensure the consistency of log times.
All security configuration changes of the TOE by the Authorized Admin are recorded in audit data, as are TOE internal problems. When storing audit data, the audit data significance level can trigger an alarm to the Admin or the display of a warning screen.

The TOE uses the DBMS as the audit data storage. When its free storage capacity falls below the configured value, an alarm is sent to the Admin or the service is terminated. The action for this case is that the DB Admin modifies the DB partition configuration to secure additional storage space.

Upon checking the DB partition storage space, if the free space reaches the first Admin Alarm Percent Value (default 5%: available space less than or equal to 5%), the TOE sends e-mails to all admins and displays a warning message at the Monitor.

If the free space reaches the Total Service Terminate Percentage (default 3%), both the Slave and Master components are terminated and log info is no longer stored in the DB. Also, e-mails are sent to the admins and a warning message is displayed on the TOE Monitor.

TOE time stamp

To ensure the consistency of audit data times, the Top Level Admin configures the time stamp directly. Then the times of all systems that perform TOE functions are set simultaneously. That is, the OS times of the Agent, Master and Slave systems are all modified in real time.

Functional Requirements Satisfied: FAU_ARP.1, FAU_GEN.1, FAU_GEN.2, FAU_SAA.1, FAU_SAR.1, FAU_SAR.3, FAU_STG.1, FAU_STG.3, FAU_STG.4, FPT_STM.1

6.1.3 User Data Protection (AT_UDP)

The TOE performs access control on Admins and on all Enterprise Security Management Agent Systems.

Enterprise Security Management Agent Systems request access to send the audit data and system status info generated within them to the TOE. The TOE then verifies the IPs of the Enterprise Security Management Agent Systems. If the IP and Port data match, access is granted, upon which a session is established to exchange the actual data.
Upon session creation, an Enterprise Security Management Agent System uses the session to send user data, which is stored in TOE storage.

When the Admin requests a security management screen to retrieve or edit TSF data, the TOE first authenticates the Admin as an Authorized Admin (successful authentication and verification of the relevant TSF privilege); the security management screen is then displayed to the authenticated Authorized Admin only.

Functional Requirements Satisfied: FDP_ACC.1(1), FDP_ACF.1(1), FDP_ACC.1(2), FDP_ACF.1(2), FDP_ITC.1, FDP_ITT.1

6.1.4 Identification and Authentication (AT_INA)

The Admin authentication function allows an Admin to request authentication from the TOE only via the RMI interface, so that only Authorized Admins are authenticated to use TOE security management. That is, authentication is possible only from pre-registered system IPs.

General Identification & Authentication Method - Authorized Admin

a) The TOE has an authentication mechanism for admins. The authentication method is ID and password. All admins use the same authentication mechanism.

b) The Identification & Authentication function is implemented using a permutational mechanism (password-based Admin authentication). Its Strength of Function satisfies the SOF-Medium level.

c) The Identification & Authentication function performs the authentication of remote Authorized Admins via password over the SSL protocol. The function receives the remote admin's ID and password securely via SSL-based RMI, which is supported by the IT environment, and performs Admin authentication.

d) The TOE password authentication mechanism authenticates admins using the following character rules:
- A password has a minimum of 6 and a maximum of 20 alphanumeric characters.
- The permitted characters are 63 in total (26 + 26 + 10 + 1): a-z (26), A-Z (26), 0-9 (10) and '&'; the characters ! @ # $ % ^ * ( ) _ + | ` - = \ { } : " < > ? [ ] ; ' , . / are excluded.
- The Admin ID and the existing password of the Admin account being configured are not permitted as the password.
e) When an admin, including a specific-privilege admin, requests a security management function, the admin's authentication status is checked and access is granted only if the status is normal. Even if the authentication status is normal, if the requested security management function is not part of the admin's assigned privileges, access is blocked.

While an Admin performs authentication, the TOE shows only the admin's ID and echoes the password as a series of asterisks (*).

f) The TOE receives security logs and equipment info directly from Agents or Enterprise Security Management Agent Systems. Here, the TOE identifies the IT entity that sends such info to the TOE. The source IP address of the info source is checked against the registered IP list of the Enterprise Security Management Agent Systems, so that if the source is not included in the registered source IP list, receipt of the info is blocked.

FIA_UAU.2 satisfies the SOF-Medium level.

Authentication Failure Process Method

When Admin authentication fails three times, the Admin ID is converted to TERMINATE status, in which the ID can no longer be authenticated unless the Top Level Admin releases the TERMINATE status.

Functional Requirements Satisfied: FIA_AFL.1, FIA_ATD.1(1), FIA_ATD.1(2), FIA_UAU.2, FIA_UAU.7, FIA_UID.2(1), FIA_UID.2(2)

6.1.5 Protection of Security Functions (AT_PT)

The TOE stores hash values of the TSF environment data and TSF execution data to protect the TSF area against unauthorized entities, so that when an Admin accesses the security management server and makes requests, the TSF files are compared against the stored hash values to verify integrity. The TOE also checks the status of the RMI interface that connects the TOE components as well as the status of the components that are connected to the interface.
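The identification and authentication behaviour of 6.1.4 above, as an added example in Python: the password rule of item d), the three-consecutive-failure TERMINATE status that only the Top Level Admin can release, the reset of the failure count on a successful login, and the source-IP identification of Agent data from item f). This is not ActiveTSM code; the ST does not say how passwords are stored, so the salted PBKDF2 storage, the in-memory account store and the constructed accounts are assumptions.

```python
"""Admin I&A: password rule, three-strike TERMINATE status, Top Level release,
and source-IP identification of Agent data. Added example, not ActiveTSM code;
salted PBKDF2 storage and the accounts below are assumptions."""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass

PERMITTED = frozenset(string.ascii_letters + string.digits + "&")  # 63 characters
MAX_FAILURES = 3


def validate_password(admin_id, password, current=None):
    """Password rule from the ST: 6..20 characters from the permitted set, and
    neither the admin ID nor the current password of the account configured."""
    if not 6 <= len(password) <= 20:
        return False, "length must be 6 to 20 characters"
    if not set(password) <= PERMITTED:
        return False, "character not permitted"
    if password == admin_id or (current is not None and password == current):
        return False, "password must differ from admin ID and current password"
    return True, "ok"


def _digest(password, salt):
    """Salted password hash (assumption: the ST does not specify storage)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Admin:
    admin_id: str
    role: str                 # "Top Level", "Management" or "Monitoring"
    salt: bytes
    digest: bytes
    failures: int = 0         # consecutive failures, reset on success
    status: str = "NORMAL"    # or "TERMINATE"


class AdminStore:
    def __init__(self):
        self.admins = {}

    def add(self, admin_id, role, password):
        ok, why = validate_password(admin_id, password)
        if not ok:
            raise ValueError(why)
        salt = os.urandom(16)
        self.admins[admin_id] = Admin(admin_id, role, salt, _digest(password, salt))

    def authenticate(self, admin_id, password):
        """ID/password check. An unknown ID and a TERMINATE'd ID fail like a
        wrong password (a dummy digest keeps the timing comparable), so the
        response does not reveal the account state to the caller."""
        a = self.admins.get(admin_id)
        if a is None or a.status == "TERMINATE":
            _digest(password, b"\0" * 16)
            return False
        if hmac.compare_digest(_digest(password, a.salt), a.digest):
            a.failures = 0
            return True
        a.failures += 1
        if a.failures >= MAX_FAILURES:
            a.status = "TERMINATE"
        return False

    def release(self, releaser_id, admin_id):
        """Only the Top Level Admin may clear TERMINATE status."""
        if self.admins[releaser_id].role != "Top Level":
            raise PermissionError("only the Top Level Admin releases TERMINATE status")
        a = self.admins[admin_id]
        a.status, a.failures = "NORMAL", 0


def accept_agent_data(source_ip, registered_ips):
    """Item f): security logs and equipment info are accepted only from a source
    IP on the registered list of Enterprise Security Management Agent Systems."""
    return source_ip in registered_ips


if __name__ == "__main__":
    store = AdminStore()
    store.add("topadmin", "Top Level", "Tl&Admin9")       # constructed accounts
    store.add("monitor1", "Monitoring", "Watch2006")
    for attempt in ("wrong1", "wrong2", "wrong3", "Watch2006"):
        print(attempt, "->", store.authenticate("monitor1", attempt),
              store.admins["monitor1"].status)
    store.release("topadmin", "monitor1")
    print("after release ->", store.authenticate("monitor1", "Watch2006"))
```

Two points worth checking in any implementation of this function: the lockout counter must count consecutive failures only (a success clears it, otherwise a patient attacker's failures accumulate against legitimate logins), and a TERMINATE'd ID must reject the correct password with the same response as a wrong one, which is what the ST's "normal authentication info entry fails authentication" requires. Note that the source-IP check of item f) identifies the sending entity but does not authenticate it; the ST relies on the SSL channel of the IT environment for that.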
TSF Data Transfer via Safe Channel

Since the TOE uses SSL-based RMI communication between all components (Monitor, Master, Slave, Agent), data transferred via the RMI interface is protected by a confidentiality algorithm (3DES) and an integrity algorithm (SHA-1). The same applies to Admin authentication: the SSL certificate created during TOE installation is used to establish a trusted SSL channel, which is then used for Admin authentication.

All TOE components use the RMI communication interface provided by the Java language for mutual connection. Each Java RMI interface has a unique internal ID, so a connection is not possible unless the interface ID matches when connecting to the RMI interface of another system. Java RMI can also be run over SSL selectively. Thus the TOE's Monitor, Master, Slave and Agents all use Java RMI for mutual identification.

TOE Self Diagnosis

The TOE ensures the safety of TSF environment files and execution files through an integrity test, which ensures safe execution of the security functions. To protect TSF data, the TOE stores hash values of TSF environment data and TSF execution files; when an Admin accesses the security management server, the files are compared against the stored hash values to check integrity, and any deviation is reported to the Authorized Admin.

When an Admin accesses the TOE via the security server and the TSF protection function reports an integrity error, the error is displayed on the security management screen for resolution. The Authorized Admin can re-create the hash values of the affected files to resolve the integrity problem. Integrity tests and TOE process checks are conducted periodically during system operation.

TOE Self Diagnosis is conducted at each TOE start-up and periodically every minute. Integrity tests are conducted at start-up, at the frequency defined by FMT_MTD.2(2), and upon request from an Admin.

The TSF Protection Function is implemented using a permutational mechanism (SHA-1 based TSF Data Integrity Test).

a) Environment Configuration Data Integrity Management

The integrity test ensures the safety of TSF environment files and execution files, as described under TOE Self Diagnosis above. The TOE provides the Integrity Test Result View function to the Authorized Admin, as well as the Initialization function for integrity test execution, the Integrity Test Time Configuration function, and retrieval of recent integrity test results. The Authorized Admin can re-create the hash values of files with integrity errors.

b) System Status Management

The TOE checks the status of its major components to ensure their normal operation. Targets of the system status check are the Master, Slave, Agent and DBMS. Abnormal status information is sent to the Admin as follows: if TOE Master operation is abnormal, the TOE Monitor detects the status and sends a message to the Admin; for abnormal status of a Slave, Agent or DBMS, a TOE Master in normal condition detects the problem and sends a message to the Admin.

Functional Requirements Satisfied: FPT_TST.1, FPT_AMT.1, FPT_ITT.1

6.2 Assurance Measures

The assurance requirements of this ST follow those of CC Part 3 (1). The TOE provides the documents listed in Table 6-1 as evidence for the assurance requirements of Chapter 5.
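The baseline-and-compare integrity test described in 6.1.5 (hash the TSF environment and execution files, compare at start-up, at the configured interval and on request, report deviations, and let the Authorized Admin re-create the hashes of files in error), as an added example in Python. It is not ActiveTSM's code; the file patterns, the JSON baseline store, the `demo()` scenario and all function names are assumptions. SHA-1 is used because the ST names it; SHA-1 is no longer collision-resistant, and a current deployment would change `HASH_ALG` to `sha256`. Note also that the baseline store must itself be protected from the entities the test is meant to detect; here that is left to file permissions.

```python
"""Added example, not ActiveTSM code: the baseline-and-compare integrity test
of 6.1.5. File patterns, the JSON baseline store and all names are assumptions."""
import hashlib
import json
import tempfile
from pathlib import Path

HASH_ALG = "sha1"   # the algorithm the ST names; a current design would use "sha256"
TSF_PATTERNS = ("*.conf", "*.jar", "*.class")   # assumed environment/execution file types


def file_digest(path: Path, alg: str = HASH_ALG) -> str:
    """Hex digest of one file, read in chunks so large jars are not loaded whole."""
    h = hashlib.new(alg)
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root: Path) -> dict:
    """Hash every TSF environment and execution file under root (relative POSIX path -> digest)."""
    files = sorted({p for pat in TSF_PATTERNS for p in root.rglob(pat)})
    return {p.relative_to(root).as_posix(): file_digest(p) for p in files}


def save_baseline(baseline: dict, store: Path) -> None:
    # The store must be writable only by the TOE / Authorized Admin (file permissions; assumption).
    store.write_text(json.dumps(baseline, indent=1, sort_keys=True))


def load_baseline(store: Path) -> dict:
    return json.loads(store.read_text())


def integrity_test(root: Path, baseline: dict) -> dict:
    """Compare current hashes with the baseline. Returns {path: reason} for each
    deviation ("modified", "missing" or "unexpected file"); {} means the test passed."""
    current = build_baseline(root)
    deviations = {}
    for rel, expected in baseline.items():
        actual = current.get(rel)
        if actual is None:
            deviations[rel] = "missing"
        elif actual != expected:
            deviations[rel] = "modified"
    for rel in sorted(current.keys() - baseline.keys()):
        deviations[rel] = "unexpected file"
    return deviations


def recreate_hashes(root: Path, baseline: dict, error_files) -> dict:
    """Authorized Admin action from the ST: re-create the stored hash for the files
    reported in error (entries for files that no longer exist are dropped);
    every other entry is left untouched."""
    updated = dict(baseline)
    for rel in error_files:
        path = root / rel
        if path.exists():
            updated[rel] = file_digest(path)
        else:
            updated.pop(rel, None)
    return updated


def demo() -> tuple:
    """Constructed scenario: baseline a small tree, tamper with one config file,
    delete one jar, drop in a stray class file, detect all three, then re-create."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "conf").mkdir()
        (root / "lib").mkdir()
        (root / "conf" / "master.conf").write_text("rmi.port=1099\n")
        (root / "lib" / "tsm.jar").write_bytes(b"PK\x03\x04 constructed jar bytes")
        store = root / "integrity.baseline"
        save_baseline(build_baseline(root), store)
        clean = integrity_test(root, load_baseline(store))

        (root / "conf" / "master.conf").write_text("rmi.port=4444\n")     # tampered
        (root / "lib" / "tsm.jar").unlink()                               # removed
        (root / "lib" / "Rogue.class").write_bytes(b"\xca\xfe\xba\xbe")   # unexpected
        found = integrity_test(root, load_baseline(store))

        fixed = recreate_hashes(root, load_baseline(store), found)        # Admin re-creates
        save_baseline(fixed, store)
        after = integrity_test(root, load_baseline(store))
    return clean, found, after
```

`demo()` returns three results: the first is empty (fresh baseline passes), the second names the modified, missing and unexpected files, and the third is empty again after the Admin re-creates the hashes. Running `integrity_test` from a start-up hook, a once-a-minute timer and an Admin request gives the three trigger points the ST lists.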
[Table 6-1] Traced Assurance Measures

Assurance Component ID | Assurance Component Name | Assurance Measure
ACM_AUT.1 | Partial CM automation | Configuration Management
ACM_CAP.4 | Generation support and acceptance procedures | Configuration Management
ACM_SCP.2 | Problem tracking CM coverage | Configuration Management
ADO_DEL.2 | Detection of modification | Delivery Documentation
ADO_IGS.1 | Installation, generation, and start-up procedures | Installation guidance
ADV_FSP.2 | Fully defined external interfaces | Function Specification
ADV_HLD.2 | Security enforcing high-level design | High-level Design
ADV_IMP.1 | Subset of the implementation of the TSF | Implementation Representation
ADV_LLD.1 | Descriptive low-level design | Low-Level Design
ADV_RCR.1 | Informal correspondence demonstration | Analysis of Correspondence
ADV_SPM.1 | Informal TOE security policy model | Security Policy Model
AGD_ADM.1 | Administrator guidance | Administrator guidance
AGD_USR.1 | User guidance | *N/A
ALC_DVS.1 | Identification of security measures | Development Security
ALC_LCD.1 | Developer defined life-cycle model | Life Cycle Definition Document
ALC_TAT.1 | Well-defined development tools | Development Tool Document
ATE_COV.2 | Analysis of coverage | Test Documentation
ATE_DPT.1 | Testing: high-level design | Test Documentation
ATE_FUN.1 | Functional testing | Test Documentation
ATE_IND.2 | Independent testing - sample | Test Documentation, Testable TOE
AVA_MSU.2 | Validation of analysis | Misuse Analysis
AVA_SOF.1 | Strength of TOE security function evaluation | Strength of Function Analysis
AVA_VLA.2 | Independent vulnerability analysis | Vulnerability Analysis

* The TOE does not allow general users. Since the TOE security functional requirements contain no FMT-class requirement for general user management, no user manual is provided, and the assurance measure for AGD_USR.1 is therefore not applicable.

7 Rationale

This chapter describes the evidence used in the evaluation.
This evidence is a complete and concentrated collection of the ST requirements, provides effective IT security measures within the TOE security environment, and supports the fact that the TOE summary specification addresses the TOE requirements properly.

[Table 7-1] Logical mapping between Security Environment and TOE security objectives
(The table's columns are the TOE security objectives O.AUDIT, O.MANAGE, O.SECTSFD, O.ID, O.AUTH, O.COLLECTINFO, O.ACCESS, O.ABNORMALOP and O.STAT; each row below lists the objectives marked for that security environment item. The assumptions A.DYNAMIC, A.ACCESS, A.TADMIN, A.PHYSEC, A.REINFOCEOS, A.REINFOCEOE, A.DBINSTLIMIT and A.TEXTSERVER and the environment threats TE.DELNINST and TE.CHGTSFD have no TOE objective marked.)
T.DISGUISE: O.AUDIT, O.ID, O.AUTH
T.RECFAIL: O.AUDIT
T.WRONGINFO: O.AUDIT, O.MANAGE, O.ACCESS
T.REPEAT: O.AUDIT, O.ID, O.AUTH
T.CHGTSFD: O.AUDIT, O.SECTSFD, O.ID, O.AUTH, O.ACCESS
T.ABNORMALSVC: O.COLLECTINFO, O.ABNORMALOP
T.ABNORMALRES: O.COLLECTINFO, O.ABNORMALOP
TE.WEAKMGT: O.MANAGE
P.AUDIT: O.AUDIT, O.ID, O.AUTH
P.SECMGT: O.MANAGE
P.STAT: O.STAT

[Table 7-2] Logical mapping between Security Environment and IT Environment security objectives
(The table's columns are the environment security objectives OE.PHYSEC, OE.TADMIN, OE.SECMGT, OE.REINFORCEOS, OE.REINFORCEOE, OE.DYNAMIC, OE.ACCESS, OE.DBINSTLIMIT, OE.SECCH, OE.SECTSF and OE.EXTSERVER; each row below lists the objectives marked for that item. The TOE threats T.DISGUISE, T.RECFAIL, T.WRONGINFO, T.REPEAT, T.CHGTSFD, T.ABNORMALSVC and T.ABNORMALRES and the policies P.AUDIT and P.STAT have no environment objective marked.)
A.DYNAMIC: OE.DYNAMIC
A.ACCESS: OE.ACCESS
A.TADMIN: OE.TADMIN
A.PHYSEC: OE.PHYSEC, OE.SECMGT
A.REINFOCEOS: OE.REINFORCEOS, OE.SECTSF
A.REINFOCEOE: OE.REINFORCEOE
A.DBINSTLIMIT: OE.DBINSTLIMIT
A.TEXTSERVER: OE.EXTSERVER
TE.WEAKMGT: OE.TADMIN, OE.SECMGT
TE.DELNINST: OE.TADMIN, OE.SECMGT
TE.CHGTSFD: OE.SECCH
P.SECMGT: OE.TADMIN, OE.SECMGT

7.1 Rationale for IT Security Objectives

The following is the rationale for the security objectives.

[Table 7-3] Rationale for security objectives equivalent to IPSPP

Security Objective | Description
O.AUDIT | When a user uses a security function, the TOE shall record each user audit event based on the audit data policy and provide a mechanism to maintain safely and to review the recorded audit event data. The audit data policy is as follows.
- Audit events of Admin Identification & Authentication shall be recorded.
- The TOE shall provide a countermeasure when audit data reaches a saturation level.
- The TOE shall record unauthorized access attempts as audit events.
- In case of repeated authentication attempts, the TOE shall ensure detection of the attacker ID using audit data.
- The TOE shall record integrity errors as audit events.
Thus this TOE security objective counters the threats T.DISGUISE, T.RECFAIL, T.WRONGINFO, T.REPEAT and T.CHGTSFD (unauthorized modification of TSF data) using audit data, and supports the organization's security policy P.AUDIT.
O.MANAGE | The TOE configures access control rules to execute the security policy and control unauthorized TOE access. For this purpose, the TOE shall provide the means to manage TSF data and the TOE safely, including the creation and management of TOE configuration data. Thus this security objective counters the threats T.WRONGINFO and TE.WRONGMGT and supports the organizational security policy P.SECMGT by giving the Authorized Admin the means to manage the TOE safely.
O.SECTSFD | TSF data can be modified through an external, unexpected access without the Admin's awareness, disabling normal execution of the security policy. To prevent this, TSF data is checked for intentional or unintentional modification to ensure its integrity and thus normal TSF functioning. Thus this TOE security objective counters the threat T.CHGTSFD.
O.ID | When an external IT entity sends user data to the TOE, the entity has to be identified, and an Admin has to be authenticated so that only Authorized Admins gain access. By identifying Admins and external IT entities, the TOE uses the identity information for audit data generation, permits access only to registered IT entities and Authorized Admins, and prevents unauthorized modification of TSF data. Repeated authentication failures also cause termination of the relevant Admin ID. Thus this security objective counters the threats T.DISGUISE, T.REPEAT and T.CHGTSFD and supports P.AUDIT.
O.AUTH | An Admin that wishes to access the TOE has to be authenticated, and only an authenticated Admin can access the TOE and modify TSF data. Authentication is, however, exposed to repeated authentication attempts by an external attacker. Therefore this security objective counters the threats T.DISGUISE, T.REPEAT and T.CHGTSFD and supports P.AUDIT.
O.COLLECTINFO | The TOE collects user data on system resource usage and security actions from Agents that reside in systems external to the TSC. The collected information is used to check the status of Agent services and resource usage. Thus this TOE security objective counters T.ABNORMALSVC and T.ABNORMALRES.
O.ACCESS | The TOE controls unauthorized use of the TOE security management functions and blocks unauthenticated users' access to them. The TOE receives user data from Enterprise Security Management Agent Systems, which are external IT entities. This security objective ensures that user data transfer from any unauthorized external IT entity is blocked under the Agent Data Receive Security Policy, and that access by unauthorized users is blocked under the Admin Access Control Policy. Thus this security objective counters the threats T.WRONGINFO and T.CHGTSFD.
O.ABNORMALOP | The TOE sends an alarm to the Admin when Agent services or resources are used abnormally, as determined from the information collected by the Agents. The TOE therefore enables the Admin's countermeasure against an abnormal Agent operational status through the alarm system. Thus this security objective counters the threats T.ABNORMALSVC and T.ABNORMALRES.
O.STAT | The TOE performs statistical processing of the Security Equipment Log and Security Equipment Info collected from Agents based on the Statistical Processing Policy. Thus this TOE security objective supports the security policy P.STAT.
7.2 Rationale for Security Objectives for the Environment

The following is the rationale for the environment security objectives.

[Table 7-4] Rationale for Security Objectives for the Environment

Security Objective | Description
OE.DYNAMIC | This environment security objective supports A.DYNAMIC by accommodating dynamic variation of the Enterprise Security Management Agent Systems.
OE.PHYSEC | This environment security objective ensures that the TOE is installed in a physically safe location to defend against external physical attacks and TOE modification attempts, ensuring the physical safety of the TOE. Thus it supports the assumption A.PHYSEC.
OE.TADMIN | This environment security objective ensures the trustworthiness of the Authorized Admin, so it supports the assumption A.TADMIN and the security policy P.SECMGT, and counters TE.WRONGMGT and TE.DELNINST.
OE.SECMGT | This environment security objective ensures that the TOE is delivered and installed safely, and configured and used safely by the Authorized Admin, so it counters the threats TE.WRONGMGT and TE.DELNINST and is needed to support the assumption A.PHYSEC and the security policy P.SECMGT.
OE.REINFORCEOS | This environment security objective ensures a safe and reliable OS by removing all unnecessary services and facilities from the OS and remediating OS vulnerabilities. Thus it supports the assumption A.REINFORCEOS.
OE.REINFORCEOE | This environment security objective ensures the safety and reliability of the Java VM operating environment by remediating its vulnerabilities. Thus it supports the assumption A.REINFORCEOE.
OE.ACCESS | This environment security objective ensures TOE access to the Enterprise Security Management Agent Systems defined as the scope of protection in the security policy, so that normal security management functions can be performed. Thus it supports A.ACCESS.
OE.DBINSTLIMIT | This environment security objective ensures the reliability and safety of DB access via the DBMS used for TOE data management, installed on the same system as the TOE. Thus it supports A.DBINSTLIMIT.
OE.SECCH | This environment security objective ensures that TSF data transfer to a physically separated TOE component, or receipt from an external entity, is done through a safe communication channel. Thus it counters the threat TE.CHGTSFD.
OE.SECTSF | This environment security objective ensures that the OS detects any abnormal TSF operation and takes appropriate action. Thus it supports the assumption A.REINFOCEOS.
OE.EXTSERVER | This environment security objective ensures that the external servers with which the TOE interacts for normal operation are safe. Thus it supports the assumption A.TEXTSERVER.

7.3 Rationale for TOE Security Requirements

[Table 7-5] Rationale for Security Functional Requirements
(The table's columns are the TOE security objectives O.AUDIT, O.MANAGE, O.SECTSFD, O.ID, O.AUTH, O.COLLECTINFO, O.ACCESS, O.ABNORMALOP and O.STAT; each row below lists the objectives marked for that SFR.)
FAU_ARP.1: O.ABNORMALOP
FAU_GEN.1: O.AUDIT
FAU_GEN.2: O.AUDIT
FAU_SAA.1: O.AUDIT, O.ABNORMALOP
FAU_SAR.1: O.AUDIT
FAU_SAR.3: O.AUDIT
FAU_STG.1: O.AUDIT
FAU_STG.3: O.AUDIT
FAU_STG.4: O.AUDIT
FDP_ACC.1(1): O.SECTSFD, O.ACCESS
FDP_ACF.1(1): O.SECTSFD, O.ACCESS
FDP_ACC.1(2): O.ACCESS
FDP_ACF.1(2): O.ACCESS
FDP_ITC.1: O.COLLECTINFO
FIA_AFL.1: O.ID, O.AUTH
FIA_ATD.1(1): O.ID, O.ACCESS
FIA_ATD.1(2): O.ID, O.ACCESS
FIA_UAU.2: O.SECTSFD, O.AUTH
FIA_UAU.7: O.AUTH
FIA_UID.2(1): O.ID, O.ACCESS
FIA_UID.2(2): O.SECTSFD, O.ID
FMT_MOF.1: O.MANAGE
FMT_MSA.1: O.MANAGE, O.SECTSFD
FMT_MSA.3: O.MANAGE, O.SECTSFD
FMT_MTD.1(1): O.MANAGE, O.SECTSFD
FMT_MTD.1(2): O.MANAGE, O.SECTSFD
FMT_MTD.1(3): O.MANAGE, O.SECTSFD
FMT_MTD.1(4): O.MANAGE, O.SECTSFD, O.STAT
FMT_MTD.2(1): O.MANAGE
FMT_MTD.2(2): O.MANAGE
FMT_SMR.1: O.MANAGE, O.ID, O.AUTH
FMT_SMF.1: O.MANAGE
FPT_STM.1: O.AUDIT
FPT_TST.1: O.SECTSFD

The following describes the rationale for the TOE security functional requirements.

FAU_ARP.1 Security alarm
This component ensures the admin's ability to take a countermeasure against three failed authentication attempts and against correlation analysis results. Thus the TOE security objective O.ABNORMALOP is satisfied.

FAU_GEN.1 Audit data generation
This component ensures that the audit target events are defined and audit data is generated.
Thus the TOE security objective O.AUDIT is satisfied.

FAU_GEN.2 User identity association
This component ensures that user identification is required to define audit target events and to associate audit data with the user. Thus the TOE security objective O.AUDIT is satisfied.

FAU_SAA.1 Potential violation analysis
This component ensures identification of security violations through audit event review. Thus the TOE security objectives O.AUDIT and O.ABNORMALOP are satisfied.

FAU_SAR.1 Audit review
This component ensures the Authorized Admin's capability to review audit data. Thus the TOE security objective O.AUDIT is satisfied.

FAU_SAR.3 Selectable audit review
This component ensures audit data search and ordering based on logical relations. Thus the TOE security objective O.AUDIT is satisfied.

FAU_STG.1 Protected audit trail storage
This component ensures protection of audit records from unauthorized modification and deletion. Thus the TOE security objective O.AUDIT is satisfied.

FAU_STG.3 Action in case of possible audit data loss
This component ensures countermeasures in case accumulated audit data exceeds a pre-configured limit. Thus the TOE security objective O.AUDIT is satisfied.

FAU_STG.4 Prevention of audit data loss
This component ensures countermeasures in case the audit data storage is saturated. Thus the TOE security objective O.AUDIT is satisfied.

FDP_ACC.1(1) Subset access control (1)
This component ensures that the Security Management Access Control Policy and its scope are defined. Thus the TOE security objectives O.ACCESS and O.SECTSFD are satisfied.

FDP_ACF.1(1) Security attribute based access control (1)
This component ensures that the attribute-based Security Management Access Control Policy is enforced properly. Thus the TOE security objectives O.ACCESS and O.SECTSFD are satisfied.

FDP_ACC.1(2) Subset access control (2)
This component ensures that the Enterprise Security Management Agent Systems Data Receive Security Policy and its scope are defined. Thus the TOE security objective O.ACCESS is satisfied.

FDP_ACF.1(2) Security attribute based access control (2)
This component ensures that the rules of the Enterprise Security Management Agent Systems Data Receive Security Policy for attribute-based access control are provided. Thus the TOE security objective O.ACCESS is satisfied.

FDP_ITC.1 Import of user data without security attributes
This component ensures that the Enterprise Security Management Agent Systems Data Receive Security Policy is applied to SFP-controlled user data imported from a system external to the TSC. Thus the TOE security objective O.COLLECTINFO is satisfied.

FIA_AFL.1 Authentication failure handling
This component ensures that the maximum number of failed authentication attempts for an admin is defined, and that a countermeasure is taken when this limit is reached or exceeded. Thus the TOE security objectives O.ID and O.AUTH are satisfied.

FIA_ATD.1(1) User attribute definition (1)
This component requires that IP addresses be maintained as the security attributes of external IT entities, identifying them and providing the basis for access control. Thus the security objectives O.ID and O.ACCESS are satisfied.

FIA_ATD.1(2) User attribute definition (2)
This component requires that the Admin security attribute ID and the user security attributes be maintained for Admin identification and as the basis for access control. Thus the security objectives O.ID and O.ACCESS are satisfied.

FIA_UAU.2 User authentication before any action
This component ensures that an Admin is successfully authenticated before any action and that only an authenticated Admin may manage TSF data. Thus the TOE security objectives O.SECTSFD and O.AUTH are satisfied.
FIA_UAU.7 Protected authentication feedback
This component ensures that only the designed authentication feedback is provided while authentication is in progress. Thus the TOE security objective O.AUTH is satisfied.

FIA_UID.2(1) User identification before any action (1)
This component requires identification of external IT entities by IP address, which provides the basis for their identification, audit data generation and access control. Thus the security objectives O.ID and O.ACCESS are satisfied.

FIA_UID.2(2) User identification before any action (2)
This component ensures that an ID is required of every Admin and that only identified Admins who succeed in authentication may manage TSF data. Thus the security objectives O.SECTSFD and O.ID are satisfied.

FMT_MOF.1 Management of security functions behaviour
This component ensures the Authorized Admin's ability to disable or enable security functions. Thus the TOE security objective O.MANAGE is satisfied.

FMT_MSA.1 Management of security attributes
This component ensures that only the Authorized Admin has access to the security attributes, the TSF data required to execute the TOE security functions. Thus the TOE security objectives O.MANAGE and O.SECTSFD are satisfied.

FMT_MSA.3 Static attribute initialisation
This component ensures that the security attributes used by the TOE security functions receive default values, and that only the Authorized Admin may alter them. Thus the TOE security objectives O.MANAGE and O.SECTSFD are satisfied.

FMT_MTD.1(1) Management of TSF data (1)
This component ensures the Authorized Admin's capability to manage Identification & Authentication Data, Management Tasks, and Event & Correlation Analysis Data. Thus the TOE security objectives O.MANAGE and O.SECTSFD are satisfied.

FMT_MTD.1(2) Management of TSF data (2)
This component ensures the Authorized Admin's capability to manage the Event Compression Security Policy, Event Pattern Number, Event Pattern Initialization (Time, Interval), Event Screen Number, Master Info, Management Environment Configuration and Monitoring Screen Configuration. Thus the TOE security objectives O.MANAGE and O.SECTSFD are satisfied.

FMT_MTD.1(3) Management of TSF data (3)
This component provides the Authorized Admin's capability to manage Enterprise Security Management Agent Systems statistical reporting, Management System reporting, Correlation Analysis Results, and History & Trend Reporting. Thus the TOE security objectives O.MANAGE and O.SECTSFD are satisfied.

FMT_MTD.1(4) Management of TSF data (4)
This component provides the Authorized Admin's capability to perform statistical processing of the Security Equipment Log and Security Equipment Info. Thus the TOE security objectives O.MANAGE, O.SECTSFD and O.STAT are satisfied.

FMT_MTD.2(1) Management of limits on TSF data (1)
This component ensures the availability of major TOE resources through Authorized Admin control of the storage capacity limit and of the countermeasure taken when the limit is exceeded. Thus the TOE security objective O.MANAGE is satisfied.

FMT_MTD.2(2) Management of limits on TSF data (2)
This component ensures that the Authorized Admin manages the integrity test interval limit so that proper action is taken when the limit is violated, ensuring the availability of the TOE. Thus the TOE security objective O.MANAGE is satisfied.

FMT_SMF.1 Specification of Management Functions
This component requires that the management functions for TSF security attributes, TSF data and security functions are specified. Thus the TOE security objective O.MANAGE is satisfied.

FMT_SMR.1 Security roles
This component requires that TOE Admin roles are limited to Authorized Admin roles. Thus the TOE security objectives O.MANAGE, O.ID and O.AUTH are satisfied.
FPT_STM.1 Reliable time stamps
This component requires a reliable time stamp function for TSF use, ensuring that the generated time stamps support sequential recording of security audit events in the audit data. Thus the TOE security objective O.AUDIT is satisfied.

FPT_TST.1 TSF testing
This component ensures self-diagnosis for correct TSF operation and that the Authorized Admin can verify the integrity of TSF data and TSF executable code. Thus the TOE security objective O.SECTSFD is satisfied.

7.4 Rationale for Security Requirements of the IT Environment

The following describes the rationale for the security functional requirements on the IT environment.

FDP_ITT.1 Basic internal transfer protection
This component ensures that the data receive security policy is enforced when user data is sent between TOE components over internal safe channels. Thus the environment security objective OE.SECCH is satisfied.

FPT_AMT.1 Abstract machine testing
This component ensures that a suite of tests is run by the IT environment's OS to demonstrate the correct operation of the abstract machine underlying the TSF. Thus the environment security objective OE.SECTSF is satisfied.

FPT_ITT.1 Basic internal TSF data transfer protection
This component requires that a safe channel is established for TSF data transfer between physically separated TOE components. Thus the environment security objective OE.SECCH is satisfied.

7.5 Rationale for Assurance Requirements

This ST selects the assurance requirements of EAL4. EAL4 provides sufficient assurance for the TOE security environment. The assurance measures satisfying the EAL4 package are described in the assurance documents referenced in 6.2, and each document is sufficient to satisfy its assurance requirements.

For the AGD_USR.1 user guidance assurance component, since by its nature the TOE has no general users, no user manual exists, and no assurance measure for this component is provided.

7.6 Rationale for SOF

This ST chooses SOF-medium, where threat agents are assumed to have a low level of expertise, resources and motivation. To counter threat agents with a low probability of attack success, SOF-basic must be satisfied at minimum. Since this ST provides security functions of medium strength, this requirement is satisfied.

7.7 Rationale for TOE Summary Specification

This section describes whether the TOE security functions and assurance measures are appropriate for the TOE security requirements.

7.7.1 TOE Security Functions

Certain TOE security functions must operate together to satisfy a security requirement. Table 7-5 shows that the TOE SFRs map to all security functions.

[Table 7-5] Mapping of SFRs to Security Functions

Security Function | Security Functional Requirements
Security Management (AT_ADMIN) | FMT_MOF.1, FMT_MSA.1, FMT_MSA.3, FMT_MTD.1(1), FMT_MTD.1(2), FMT_MTD.1(3), FMT_MTD.1(4), FMT_MTD.2(1), FMT_MTD.2(2), FMT_SMF.1, FMT_SMR.1, FPT_ITT.1
Audit (AT_AUDIT) | FAU_ARP.1, FAU_GEN.1, FAU_GEN.2, FAU_SAA.1, FAU_SAR.1, FAU_SAR.3, FAU_STG.1, FAU_STG.3, FAU_STG.4, FPT_STM.1
User Data Protection (AT_UDP) | FDP_ACC.1(1), FDP_ACF.1(1), FDP_ACC.1(2), FDP_ACF.1(2), FDP_ITC.1, FDP_ITT.1
Identification and Authentication (AT_INA) | FIA_AFL.1, FIA_ATD.1(1), FIA_ATD.1(2), FIA_UAU.2, FIA_UAU.7, FIA_UID.2(1), FIA_UID.2(2)
Protection of Security Function (AT_PT) | FPT_ITT.1, FPT_TST.1, FPT_AMT.1
FMT_MOF.1 Management of security functions behaviour: The TOE provides security management interfaces through which the Authorized Admin can disable or enable various environment elements such as the Event Compression and Correlation Analysis Security Policies. (AT_ADMIN)
FMT_MSA.1 Management of security attributes: The TOE provides an interface to manage the security attributes that implement the Access Control Policy and the Enterprise Security Management Agent Systems Data Receive Security Policy. (AT_ADMIN)
FMT_MSA.3 Static attribute initialisation: The TOE maintains default values for the Security Management Access Control Policy and the Security Control Target Systems Data Receive Security Policy. (AT_ADMIN)
FMT_MTD.1(1) Management of TSF data (1): The TOE enables the Authorized Admin to retrieve, create, edit and delete Identification & Authentication Data, Management Tasks, Event Security Policy, Correlation Analysis Security Policy, Security Equipment Info Management and Code Management. (AT_ADMIN)
FMT_MTD.1(2) Management of TSF data (2): The TOE enables the Authorized Admin to retrieve and modify configuration values including Event Pattern Number, Event Pattern Initialization, Event Screen Number, TOE Time Stamp, Management Environment Configuration, Map Management Function, Disk Space and Integrity Test Frequency. (AT_ADMIN)
FMT_MTD.1(3) Management of TSF data (3): The TOE enables the Authorized Admin to retrieve or perform Event Monitoring, Event Search, Performance Monitoring, Correlation Analysis Monitoring, Correlation Analysis Search, Audit Info, Trend Report, Knowledge Management Info Search, Map Node Search and Event Pattern Monitoring. (AT_ADMIN)
FMT_MTD.1(4) Management of TSF data (4): The TOE enables the Authorized Admin to perform statistical processing of the Security Equipment Log and Security Equipment Info from Enterprise Security Management Agent Systems. (AT_ADMIN)
FMT_MTD.2(1) Management of limits on TSF data (1): The TOE enables definition of the audit storage capacity limit via the security management interface. (AT_ADMIN)
FMT_MTD.2(2) Management of limits on TSF data (2): The TOE enables definition of the time interval for integrity tests via the security management interface. (AT_ADMIN)
FMT_SMR.1 Security roles: The TOE can assign or add Admin privileges to the Management Admin and Monitoring Admin roles. (AT_ADMIN)
FMT_SMF.1 Specification of Management Functions: The TOE provides a security management interface through which the Authorized Admin performs TSF Function Management, TSF Security Attribute Management, TSF Data Management and TSF Data Limit Management. (AT_ADMIN)
FAU_ARP.1 Security alarm: The TOE stops use of an Admin account after authentication failures, and takes the countermeasure configured by the Authorized Admin when a correlation analysis result reaches a threshold value. (AT_AUDIT)
FAU_GEN.1 Audit data generation: The TOE generates audit data of the categories Error, Warning, Notice and Manage for all events that occur within the TOE. (AT_AUDIT)
FAU_GEN.2 User identity association: The TOE can associate the user ID with the audit target event for all events that occur within the TOE. (AT_AUDIT)
FAU_SAA.1 Potential violation analysis: When three consecutive audit records of Admin authentication failure are generated, or correlation analysis reports abnormal activity, the TOE classifies this as a security violation and takes the appropriate countermeasure. (AT_AUDIT)
FAU_SAR.1 Audit review: The TOE allows the Authorized Admin to read security audit data via the security management interface. (AT_AUDIT)
FAU_SAR.3 Selectable audit review: The TOE allows the Authorized Admin to retrieve the desired audit data using various search conditions. (AT_AUDIT)
FAU_STG.1 Protected audit trail storage: The TOE stores generated audit data in a DBMS that is accessible only by the Authorized Admin. (AT_AUDIT)
FAU_STG.3 Action in case of possible audit data loss: The TOE displays the available storage space to the Authorized Admin and generates an alarm as necessary. (AT_AUDIT)
FAU_STG.4 Prevention of audit data loss: The TOE refuses all services when the audit storage is saturated and sends a warning e-mail to the Authorized Admin. (AT_AUDIT)
FDP_ACC.1(1) Subset access control (1): The TOE implements the Security Management Access Control Policy to refuse access from any Admin whose authentication status is not normal, and any security management request that is not within the assigned privileges. (AT_UDP)
FDP_ACF.1(1) Security attribute based access control (1): The TOE refuses or grants an Admin's access or request based on the admin's authentication status and privileges when enforcing the Security Management Access Control Policy. (AT_UDP)
FDP_ACC.1(2) Subset access control (2): The TOE controls access of external IT entities to the TOE via the Enterprise Security Management Agent Systems Data Receive Security Policy. (AT_UDP)
FDP_ACF.1(2) Security attribute based access control (2): The TOE performs access control based on the source IP address and protocol type of the transferred information when enforcing the Enterprise Security Management Agent Systems Data Receive Security Policy. (AT_UDP)
FDP_ITC.1 Import of user data without security attributes: The TOE applies the Enterprise Security Management Agent Systems Data Receive Security Policy to the transfer of the Security Equipment Log and Security Equipment Info from external IT entities outside the TOE management scope. (AT_UDP)
FDP_ITT.1 Basic internal transfer protection: The TOE applies the Enterprise Security Management Agent Systems Data Receive Security Policy to the transfer among TOE components of the Security Equipment Log and Security Equipment Info received from external IT entities. (AT_UDP)
FIA_AFL.1 Authentication failure handling: The TOE sends an alarm to the Authorized Admin when authentication of a specific Admin fails three or more times. (AT_INA)
FIA_ATD.1(1) User attribute definition (1): The TOE requires the Authorized Admin to define the security attributes of IT entities used to enforce the security policy on external IT entities. (AT_INA)
FIA_ATD.1(2) User attribute definition (2): The TOE requires the Authorized Admin to define and apply the Admin security attributes used to enforce the Admin-based security policy. (AT_INA)
FIA_UAU.2 User authentication before any action: The TOE enforces the security policy on authenticated Admins for admins that require authentication. (AT_INA)
FIA_UAU.7 Protected authentication feedback: The TOE substitutes a special character for the Admin password during Admin authentication so that the password is not displayed on the Admin interface. (AT_INA)
FIA_UID.2(1) User identification before any action (1): The TOE identifies the IP address of an IT entity before allowing that IT entity to use any TOE security function. (AT_INA)
FIA_UID.2(2) User identification before any action (2): The TOE receives the Admin ID before allowing an Admin to use any TOE security function. (AT_INA)
FPT_ITT.1 Basic internal TSF data transfer protection: The TOE implements SSL-based encrypted communication between physically separated TOE internal components. (AT_ADMIN, AT_PT)
FPT_STM.1 Reliable time stamps: The TOE allows an Authorized Admin to modify the TOE time, which is applied uniformly to all TOE components. (AT_AUDIT)
FPT_AMT.1 - Abstract machine testing - The TOE checks the TOE status periodically using functions provided by the IT environment OS and restarts in case of an abnormal condition. (AT_PT)

FPT_TST.1 - TSF testing - The TOE performs an integrity test on its own execution binary files at start-up, during operation and on Authorized Admin request, and displays the results to the Authorized Admin. (AT_PT)

7.7.2 TOE SOF Claims

The SOF claimed for this TOE is SOF-Medium as defined in CC Part 1, that is, the level at which a function provides adequate protection against straightforward or intentional breach of TOE security by attackers with a moderate attack potential. The security functions to which the SOF claim applies are Identification and Authentication, which rely on permutational and probabilistic mechanisms.

The TOE is installed in an internal network that is connected to the Enterprise Security Management Agent Systems. Attackers in this environment are assumed to have a low level of professional knowledge, resources and motivation, and the probability that a threat source finds a system vulnerability is low.

7.7.3 TOE Assurance Requirements

Table 7-6 identifies the assurance measure that satisfies each assurance requirement specified in section 5.2.
[Table 7-6] Assurance Measure Compliance Table

Assurance Component ID   Assurance Measure
ACM_AUT.1                Configuration Management
ACM_CAP.4                Configuration Management
ACM_SCP.2                Configuration Management
ADO_DEL.2                Delivery Documentation
ADO_IGS.1                Installation Guidance
ADV_FSP.2                Function Specification
ADV_HLD.2                High-Level Design
ADV_IMP.1                Implementation Representation
ADV_LLD.1                Low-Level Design
ADV_RCR.1                Analysis of Correspondence
ADV_SPM.1                Security Policy Model
AGD_ADM.1                Administrator Guidance
ALC_DVS.1                Development Security
ALC_LCD.1                Life Cycle Definition Document
ALC_TAT.1                Development Tool Document
ATE_COV.2                Test Documentation
ATE_DPT.1                Test Documentation
ATE_FUN.1                Test Documentation
ATE_IND.2                Test Documentation, TOE for Testing
AVA_MSU.2                Misuse Analysis
AVA_SOF.1                Strength of Function Analysis
AVA_VLA.2                Vulnerability Analysis

ACM_AUT.1 - Partial CM automation - The Configuration Management documentation describes an automated means of ensuring that only authorised changes are made to the TOE implementation representation, and an automated TOE generation mechanism.

ACM_CAP.4 - Generation support and acceptance procedures - The Configuration Management documentation shows that proper controls prevent unauthorised modification of the TOE and that the CM system functions and is used appropriately.

ACM_SCP.2 - Problem tracking CM coverage - The Configuration Management documentation shows that all configuration items are modified only in a controlled manner with appropriate authorisation.

ADO_DEL.2 - Detection of modification - The Delivery Documentation describes the system controls, distribution facilities and procedures that ensure the TOE delivered to the user is the one sent by the developer, and that any modification in transit is detected.

ADO_IGS.1 - Installation, generation, and start-up procedures - The Installation Guidance ensures that the TOE is installed, generated and started in the secure manner intended by the developer.
ADV_FSP.2 - Fully defined external interfaces - The Functional Specification defines all external interfaces, gives a basic description of the interfaces visible to TSF users and of their effects, and covers the TOE security functional requirements.

ADV_HLD.2 - Security enforcing high-level design - The High-Level Design describes the TSF in terms of its major components (subsystems), describes their functions and relationships, and shows that the TOE architecture is appropriate for implementing the TOE security functional requirements.

ADV_IMP.1 - Subset of the implementation of the TSF - The Implementation Representation identifies the detailed behaviour of the TSF and facilitates its analysis.

ADV_LLD.1 - Descriptive low-level design - The Low-Level Design describes the internal workings of the TSF and the relationships and dependencies between modules, ensuring that the TSF subsystems are accurately and effectively refined.

ADV_RCR.1 - Informal correspondence demonstration - The Analysis of Correspondence shows the consistency of the different representations of the TSF (TOE Summary Specification, Functional Specification, High-Level Design, Low-Level Design and Implementation Representation).

ADV_SPM.1 - Informal TOE security policy model - The Security Policy Model describes the rules and characteristics of all TSP policies and shows that those policies are consistent and complete.

AGD_ADM.1 - Administrator guidance - The Administrator Guidance is the documentation for those responsible for configuring, maintaining and managing the TOE, and describes how to do so in a way that keeps the TOE secure.

ALC_DVS.1 - Identification of security measures - The Development Security documentation describes the physical, procedural, personnel and other security measures that protect the TOE in the development environment.

ALC_LCD.1 - Developer defined life-cycle model - The Life Cycle Definition Document describes the life-cycle model used to control the development and maintenance of the TOE.

ALC_TAT.1 - Well-defined development tools - The Development Tool Document ensures that ill-defined, inconsistent or incorrect development tools are not used for TOE development.
ATE_COV.2 - Analysis of coverage - The Test Documentation shows that the TSF is tested systematically against the Functional Specification.

ATE_DPT.1 - Testing: high-level design - The Test Documentation shows that the TSF subsystems described in the High-Level Design are implemented correctly.

ATE_FUN.1 - Functional testing - The Test Documentation shows that all security functions behave as specified.

ATE_IND.2 - Independent testing - sample - The Test Documentation and the TOE for Testing are provided so that the evaluator can independently confirm that the security functions perform as specified.

AVA_MSU.2 - Validation of analysis - The Misuse Analysis ensures that the guidance documentation contains no errors, inconsistencies or conflicting guidance and that every mode of operation is reached by secure procedures.

AVA_SOF.1 - Strength of TOE security function evaluation - The Strength of Function Analysis gives the quantitative or statistical analysis of the permutational and probabilistic security mechanisms and of the effort needed to defeat them, supporting the SOF-Medium claim.

AVA_VLA.2 - Independent vulnerability analysis - The Vulnerability Analysis identifies obvious security vulnerabilities and shows that they cannot be exploited within the intended environment of the TOE; the evaluator performs an independent analysis.

7.8 Rationale for SFR Dependencies

The security functional requirements used in this ST satisfy the dependencies shown in Table 7-7; there is no component whose dependencies are not satisfied.

[Table 7-7] Satisfaction of Dependencies of SFR Security Functional Requirements
No.  Functional Component ID   Dependency(ies)                              Reference Number
1    FAU_ARP.1                 FAU_SAA.1                                    4
2    FAU_GEN.1                 FPT_STM.1                                    34
3    FAU_GEN.2                 FAU_GEN.1                                    2
                               FIA_UID.1                                    19, 20 (FIA_UID.2, hierarchical to FIA_UID.1, selected)
4    FAU_SAA.1                 FAU_GEN.1                                    2
5    FAU_SAR.1                 FAU_GEN.1                                    2
6    FAU_SAR.3                 FAU_SAR.1                                    5
7    FAU_STG.1                 FAU_GEN.1                                    2
8    FAU_STG.3                 FAU_STG.1                                    7
9    FAU_STG.4                 FAU_STG.1                                    7
10   FDP_ACC.1                 FDP_ACF.1                                    11
11   FDP_ACF.1                 FDP_ACC.1                                    10
                               FMT_MSA.3                                    23
12   FDP_ITC.1                 [FDP_ACC.1 or FDP_IFC.1]                     10
                               FMT_MSA.3                                    23
13   FDP_ITT.1                 [FDP_ACC.1 or FDP_IFC.1]                     10
14   FIA_AFL.1                 FIA_UAU.1                                    17 (FIA_UAU.2, hierarchical to FIA_UAU.1, selected)
15   FIA_ATD.1(1)              -                                            -
16   FIA_ATD.1(2)              -                                            -
17   FIA_UAU.2                 FIA_UID.1                                    19 (FIA_UID.2, hierarchical to FIA_UID.1, selected)
18   FIA_UAU.7                 FIA_UAU.1                                    17 (FIA_UAU.2, hierarchical to FIA_UAU.1, selected)
19   FIA_UID.2(1)              -                                            -
20   FIA_UID.2(2)              -                                            -
21   FMT_MOF.1                 FMT_SMR.1                                    31
                               FMT_SMF.1                                    30
22   FMT_MSA.1                 [FDP_ACC.1 or FDP_IFC.1]                     10
                               FMT_SMR.1                                    31
                               FMT_SMF.1                                    30
23   FMT_MSA.3                 FMT_MSA.1                                    22
                               FMT_SMR.1                                    31
24   FMT_MTD.1(1)              FMT_SMF.1                                    30
                               FMT_SMR.1                                    31
25   FMT_MTD.1(2)              FMT_SMF.1                                    30
                               FMT_SMR.1                                    31
26   FMT_MTD.1(3)              FMT_SMF.1                                    30
                               FMT_SMR.1                                    31
27   FMT_MTD.1(4)              FMT_SMF.1                                    30
                               FMT_SMR.1                                    31
28   FMT_MTD.2(1)              FMT_MTD.1                                    24, 25, 26, 27
                               FMT_SMR.1                                    31
29   FMT_MTD.2(2)              FMT_MTD.1                                    24, 25, 26, 27
                               FMT_SMR.1                                    31
30   FMT_SMF.1                 -                                            -
31   FMT_SMR.1                 FIA_UID.1                                    20 (FIA_UID.2, hierarchical to FIA_UID.1, selected)
32   FPT_AMT.1                 -                                            -
33   FPT_ITT.1                 -                                            -
34   FPT_STM.1                 -                                            -
35   FPT_TST.1                 FPT_AMT.1                                    32
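The claim of section 7.8, that every dependency in Table 7-7 is satisfied, can be checked mechanically rather than by eye. The script below is an added example written for this page, not an Oullim tool: it encodes Table 7-7 as data, treats an iterated component such as FMT_MTD.1(4) as an instance of FMT_MTD.1, accepts either alternative of an [A or B] dependency, and applies the two hierarchical substitutions the table relies on (FIA_UID.2 is hierarchical to FIA_UID.1 and FIA_UAU.2 to FIA_UAU.1 in CC v2.3 Part 2). The `demo` function also drops FPT_STM.1 from the set to show how an unsatisfied dependency surfaces; the function names are this example's own.

```python
"""Check CC Part 2 dependency satisfaction for the SFR set of Table 7-7.

Added example, not part of the Security Target. The dependency data is a
transcription of Table 7-7; HIERARCHICAL lists the CC v2.3 hierarchy facts the
table's "select ... as upper dependency" notes rely on.
"""
import re

# higher component -> the lower component it is hierarchical to (CC v2.3 Part 2)
HIERARCHICAL = {"FIA_UID.2": "FIA_UID.1", "FIA_UAU.2": "FIA_UAU.1"}

# component -> list of dependencies; each dependency is a tuple of alternatives,
# so ("FDP_ACC.1", "FDP_IFC.1") encodes the CC "[FDP_ACC.1 or FDP_IFC.1]".
SFR_DEPENDENCIES = {
    "FAU_ARP.1": [("FAU_SAA.1",)],
    "FAU_GEN.1": [("FPT_STM.1",)],
    "FAU_GEN.2": [("FAU_GEN.1",), ("FIA_UID.1",)],
    "FAU_SAA.1": [("FAU_GEN.1",)],
    "FAU_SAR.1": [("FAU_GEN.1",)],
    "FAU_SAR.3": [("FAU_SAR.1",)],
    "FAU_STG.1": [("FAU_GEN.1",)],
    "FAU_STG.3": [("FAU_STG.1",)],
    "FAU_STG.4": [("FAU_STG.1",)],
    "FDP_ACC.1": [("FDP_ACF.1",)],
    "FDP_ACF.1": [("FDP_ACC.1",), ("FMT_MSA.3",)],
    "FDP_ITC.1": [("FDP_ACC.1", "FDP_IFC.1"), ("FMT_MSA.3",)],
    "FDP_ITT.1": [("FDP_ACC.1", "FDP_IFC.1")],
    "FIA_AFL.1": [("FIA_UAU.1",)],
    "FIA_ATD.1(1)": [],
    "FIA_ATD.1(2)": [],
    "FIA_UAU.2": [("FIA_UID.1",)],
    "FIA_UAU.7": [("FIA_UAU.1",)],
    "FIA_UID.2(1)": [],
    "FIA_UID.2(2)": [],
    "FMT_MOF.1": [("FMT_SMR.1",), ("FMT_SMF.1",)],
    "FMT_MSA.1": [("FDP_ACC.1", "FDP_IFC.1"), ("FMT_SMR.1",), ("FMT_SMF.1",)],
    "FMT_MSA.3": [("FMT_MSA.1",), ("FMT_SMR.1",)],
    "FMT_MTD.1(1)": [("FMT_SMF.1",), ("FMT_SMR.1",)],
    "FMT_MTD.1(2)": [("FMT_SMF.1",), ("FMT_SMR.1",)],
    "FMT_MTD.1(3)": [("FMT_SMF.1",), ("FMT_SMR.1",)],
    "FMT_MTD.1(4)": [("FMT_SMF.1",), ("FMT_SMR.1",)],
    "FMT_MTD.2(1)": [("FMT_MTD.1",), ("FMT_SMR.1",)],
    "FMT_MTD.2(2)": [("FMT_MTD.1",), ("FMT_SMR.1",)],
    "FMT_SMF.1": [],
    "FMT_SMR.1": [("FIA_UID.1",)],
    "FPT_AMT.1": [],
    "FPT_ITT.1": [],
    "FPT_STM.1": [],
    "FPT_TST.1": [("FPT_AMT.1",)],
}


def base_name(component):
    """'FMT_MTD.1(4)' -> 'FMT_MTD.1': iterations carry the component's dependencies."""
    return re.sub(r"\(\d+\)$", "", component)


def satisfiers(dep, present):
    """Components in `present` that satisfy `dep`: the component itself or any
    component hierarchical to it (the table's 'select ... as upper' notes)."""
    return sorted(c for c in present if c == dep or HIERARCHICAL.get(c) == dep)


def check_dependencies(sfrs):
    """Return {component: [unsatisfied dependency, ...]}; empty means all satisfied."""
    present = {base_name(c) for c in sfrs}
    unsatisfied = {}
    for component, deps in sfrs.items():
        missing = [alts for alts in deps
                   if not any(satisfiers(a, present) for a in alts)]
        if missing:
            unsatisfied[component] = [" or ".join(alts) for alts in missing]
    return unsatisfied


def demo():
    """Full table (expected: nothing missing) beside a set with FPT_STM.1 removed."""
    full = check_dependencies(SFR_DEPENDENCIES)
    trimmed = {k: v for k, v in SFR_DEPENDENCIES.items() if k != "FPT_STM.1"}
    return full, check_dependencies(trimmed)


if __name__ == "__main__":
    print(demo())
```

Running the full table yields an empty result, which is what section 7.8 asserts; removing FPT_STM.1 immediately flags FAU_GEN.1, the component that depends on reliable time stamps for its audit records.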
REFERENCES

[1] Common Criteria for Information Technology Security Evaluation, Version 2.3 (CC V2.3)
[2] Configuration Management, CMP-TSM-v30.doc, Version 1.2
[3] Delivery Documentation, DEL-TSM-v40.doc, Version 1.2
[4] Function Specification, FSP-TSM-v40.doc, Version 1.7
[5] High-Level Design, HLD-TSM-v40.doc, Version 1.2
[6] Low-Level Design, LLD-TSM-v40.doc, Version 1.2
[7] Implementation Representation, IMP-TSM-v40.doc, Version 1.1
[8] Security Policy Model, SPM-TSM-v40.doc, Version 1.4
[9] Analysis of Correspondence, RCR-TSM-v40.doc, Version 1.1
[10] Administrator Guidance, ADM-Admin-TSM-v40.doc, Version 1.4
[11] Installation Guidance, IGS-TSM-v40.doc, Version 1.6
[12] Test Documentation, TST-K1-v40.doc, Version 1.3
[13] Development Security, DVS-K1-v40.doc, Version 1.2
[14] Life Cycle Definition Document, LCD-K1-v40.doc, Version 1.2
[15] Development Tool Document, TAT-K1-v40.doc, Version 1.2
[16] Misuse Analysis, MSU-K1-v40.doc, Version 1.3
[17] Strength of Function Analysis, SOF-K1-v40.doc, Version 1.3
[18] Vulnerability Analysis, VLA-K1-v40.doc, Version 1.2