Q1 Labs
QRadarâ„¢ V5.1.2
Security Target V 2.0.4
January 30, 2007
Prepared By:
Suite 5200 West♦7925 Jones Branch Drive♦McLean, VA 22102-3321♦703 848-0883♦Fax 703 848-0960
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
ii
TABLE OF CONTENTS
SECTION PAGE
1 Security Target Introduction........................................................................................................ 1
1.1 Security Target Identification .........................................................................................................1
1.2 Security Target Overview................................................................................................................1
1.3 Common Criteria Conformance .....................................................................................................2
1.4 Document Organization...................................................................................................................2
2 TOE Description........................................................................................................................... 3
2.1 Product Type.....................................................................................................................................3
2.2 Product Description..........................................................................................................................3
2.3 TSF Physical Boundary and Scope of the Evaluation...................................................................5
2.3.1 The TOE Components ..................................................................................................................................5
2.3.2 The TOE IT Environment Components........................................................................................................6
2.4 Logical Boundary .............................................................................................................................7
2.4.1 Security Audit...............................................................................................................................................7
2.4.2 Identification and Authentication .................................................................................................................7
2.4.3 Security Management ...................................................................................................................................7
2.4.4 Partial TSF Self-Protection...........................................................................................................................7
2.4.5 Intrusion Detection .......................................................................................................................................7
2.5 TOE Security Environment.............................................................................................................8
3 TOE Security Environment.......................................................................................................... 9
3.1 Assumptions ......................................................................................................................................9
3.2 Threats...............................................................................................................................................9
3.3 Organizational Security Policies ...................................................................................................10
4 Security Objectives...................................................................................................................... 12
4.1 Security Objectives for the TOE ...................................................................................................12
4.2 Security Objectives for the Environment.....................................................................................12
4.2.1 Security Objectives for the IT Environment...............................................................................................12
5 IT Security Requirements........................................................................................................... 14
5.1 TOE Security Functional Requirements ......................................................................................14
5.1.1 Class FAU: Security Audit .........................................................................................................................15
5.1.2 Class FIA: Identification and Authentication .............................................................................................16
5.1.3 Class FMT: Security Management (FMT)..................................................................................................17
5.1.4 Class FPT: Protection of the TOE Security Functions................................................................................20
5.1.5 IDS Component Requirements (IDS) .........................................................................................................20
5.1.6 Strength of Function ...................................................................................................................................22
5.2 Security requirements for the IT Environment...........................................................................22
5.2.1 Class FAU: Security Audit .........................................................................................................................22
5.2.2 Class FPT: Protection of the TOE Security Functions................................................................................23
5.2.3 Class FTP: Trusted path/channels...............................................................................................................23
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
iii
5.2.4 IDS Component Requirements (IDS) .........................................................................................................23
5.3 TOE Security Assurance Requirements.......................................................................................24
6 TOE Summary Specification...................................................................................................... 25
6.1 IT Security Functions.....................................................................................................................25
6.1.1 Overview ....................................................................................................................................................25
6.1.2 Security Audit.............................................................................................................................................25
6.1.3 Identification and Authentication ...............................................................................................................26
6.1.4 Security Management .................................................................................................................................27
6.1.5 Partial TSF Self-Protection.........................................................................................................................28
6.1.6 Intrusion Detection System Functions........................................................................................................29
6.1.7 SOF Claims.................................................................................................................................................35
6.2 Assurance Measures.......................................................................................................................35
7 PP Claims.................................................................................................................................... 37
8 Rationale ..................................................................................................................................... 38
8.1 Security Objectives Rationale........................................................................................................38
8.1.1 Threats to Security......................................................................................................................................38
8.1.2 Organizational Security Policies.................................................................................................................42
8.1.3 Assumptions ...............................................................................................................................................45
8.2 Security Requirements Rationale..................................................................................................49
8.2.1 Functional Requirements ............................................................................................................................49
8.2.2 Dependencies..............................................................................................................................................53
8.2.3 Strength of Function ...................................................................................................................................54
8.2.4 Assurance Requirements.............................................................................................................................54
8.2.5 Rationale that IT Security Requirements are Internally Consistent............................................................54
8.2.6 Explicitly Stated Requirements Rationale ..................................................................................................55
8.2.7 Requirements for the IT Environment ........................................................................................................56
8.3 TOE Summary Specification Rationale........................................................................................57
8.3.1 IT Security Functions..................................................................................................................................57
8.3.2 Assurance Measures ...................................................................................................................................59
8.4 PP Claims Rationale.......................................................................................................................61
9 Appendix ..................................................................................................................................... 62
9.1 Acronyms.........................................................................................................................................62
9.2 References .......................................................................................................................................63
9.3 Glossary...........................................................................................................................................63
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
iv
Table of Tables and Figures
Table or Figure Page
Figure 2-1 QRadar Architecture Diagram and Physical TOE Boundary ............................................................................5
Table 3-1 Assumptions..........................................................................................................................................................9
Table 3-2 TOE Threats.........................................................................................................................................................9
Table 3-3 IT System Threats...............................................................................................................................................10
Table 3-4 Organizational Security Policies........................................................................................................................10
Table 4-1 Security Objectives for TOE...............................................................................................................................12
Table 4-2 Security Objectives for the IT Environment .......................................................................................................12
Table 4-3 Security Objectives for the Non-IT Environment ...............................................................................................13
Table 5-1 Functional Components ....................................................................................................................................14
Table 5-2 Administrator Management of TSF data............................................................................................................17
Table 5-3 Users Management of TSF data.........................................................................................................................18
Table 5-4 Management of Passwords.................................................................................................................................19
Table 5-5 Defense perspective data....................................................................................................................................20
Table 5-6 Functional Components for the IT environment................................................................................................22
Table 5-7 EAL2 Assurance Components ...........................................................................................................................24
Table 6-1 Security Functional Requirements mapped to Security Functions....................................................................25
Table 6-2 Assurance Measures...........................................................................................................................................35
Table 8-1 All Threats to Security Countered.....................................................................................................................38
Table 8-2 All Organizational Security Policies are addressed...........................................................................................43
Table 8-3 All Assumptions Addressed ...............................................................................................................................45
Table 8-4 Reverse Mapping of Security Objectives of the TOE map to Threat/Policies ....................................................47
Table 8-5 Reverse Mapping of Security Objectives of the IT Environment to Threat/Policies/Assumptions .....................48
Table 8-6 Reverse Mapping of Security Objectives of the Non-IT Environment to Threat/Policies/Assumptions .............48
Table 8-7 All Objectives Met by Functional Components..................................................................................................49
Table 8-8 Reverse Mapping of SFRs to Objectives.............................................................................................................52
Table 8-9 TOE Dependencies Satisfied ..............................................................................................................................53
Table 8-10 IT Environment Dependencies are Satisfied ....................................................................................................53
Table 8-11 All Objectives for the IT Environment map to Requirements in the IT environment........................................56
Table 8-12 Reverse Mapping of Security Requirements for the Environment to IT Security Objectives of the Environment
............................................................................................................................................................................................57
Table 8-13 Mapping of Functional Requirements to TOE Summary Specification............................................................57
Table 8-14 Assurance Measures Rationale ........................................................................................................................60
Table 9-1 Acronyms............................................................................................................................................................62
Table 9-2 References ..........................................................................................................................................................63
Table 9-3 Customer Specific Terms....................................................................................................................................63
Table 9-4 CC Specific Terms..............................................................................................................................................64
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
1
1 Security Target Introduction
1.1 Security Target Identification
TOE Identification: QRadar V5.1.2, with modules Offence Resolution v1.0 and Offence Manager
ST Title: Q1 Labs QRadar v5.1.2 Security Target
ST Version: Version 2.0.4
ST Date: January 30, 2007
Assurance Level: EAL2
Registration: VID10050
Keywords: Intrusion Detection, Intrusion Detection System, Sensor, Scanner, and Analyzer
1.2 Security Target Overview
This Security Target (ST) defines the Information Technology (IT) security requirements for Q1 Labs
QRadar v5.1.2 network security monitoring system, with modules Offence Resolution v1.0 and
Offence Manager.
The Q1 Labs QRadar v5.1.2 product is an administrator configurable network intrusion detection and
response system. Note that the product is also referred to as “QRadar” in this ST.
QRadar collects and process data both from network taps and from event collectors installed on
network devices. The product produces security events by real-time event matching and by
comparing the collected data to historical flow-based behaviour patterns. The security events are
then correlated by the product to produce weighted alerts which are sent to the product users. Note
that all QRadar users are trusted and are granted privileges to manage an Enterprise’s network or
subnet.
QRadar also can be configured to return a security response to configured network devices, either
automatically, or in response to an action taken by an authorized user. By this means, a network
device may be reconfigured to isolate a detected network security threat.
QRadar supports the user in manually isolating threats to specific hosts or groups of hosts through
customizable views and reports representing network devices, groups of network devices, and
collections of data, security events, and alerts.
QRadar includes its own auditing, user identification and authentication, security management, and
TSF self protection mechanisms. The security management mechanism specifically supports limiting
a user’s access to the data collected from the network.
QRadar’s Offence Resolution v1.0 and Offence Manager modules are product packages that bundle
specific user interfaces and product functionality. The Offence Manager module includes the product’s
functional and user interface components that support the correlation of security alerts to reduce false
positives and association of alerts to security events. The Offence Resolution module includes the
product’s functionality and user interface components needed to associate a security event to a
network device (or group of network devices) and return a security response to that network device
(or devices).
The Target of Evaluation (TOE) is a distributed, software-only TOE. The TOE includes all product
components, except those that are installed directly on third party devices. However, product
components that are installed directly on third party devices were included in the test configuration as
interfaces to the TOE. The product components that are installed on third party network devices are
the Device Support Module and the External Event Collector.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
2
In summary, the product components included in the TOE are the QRadar v5.1.2 server software and
user interface components, the product modules Offence Resolution v1.0 and Offence Manager
software and user interface components, the product’s collectors that access network taps, and the
interface to the External Event Collector and the Device Support Module.
The TOE is available installed in all-in-one ‘Appliance’ products, or may be installed by the end-user
on a suitable hardware platform.
1.3 Common Criteria Conformance
The TOE is Part 2 extended, Part 3 conformant, and meets the requirements of Evaluation Assurance
Level (EAL) 2 from the Common Criteria Version 2.3, ISO/IEC 18405.
1.4 Document Organization
The main sections of an ST are the ST Introduction, Target of Evaluation (TOE) Description, TOE
Security Environment, Security Objectives, IT Security Requirements, TOE Summary Specification,
and Rationale.
Section 2, TOE Description, describes the product type and the scope and boundaries of the TOE.
Section 3, TOE Security Environment, identifies assumptions about the TOE’s intended usage and
environment and threats relevant to secure TOE operation.
Section 4, Security Objectives, defines the security objectives for the TOE and its environment.
Section 5, IT Security Requirements, specifies the TOE Security Functional Requirements (SFR),
Security Requirements for the IT Environment, and the Security Assurance Requirements.
Section 6, TOE Summary Specification, describes the IT Security Functions and Assurance
Measures.
Section 7, Protection Profile (PP) Claims, is not applicable, as this product does not claim
conformance to any PP.
Section 8, Rationale, presents evidence that the ST is a complete and cohesive set of requirements
and that a conformant TOE would provide an effective set of IT security countermeasures within the
security environment. The Rationale has three main parts: Security Objectives Rationale, Security
Requirements Rationale, and TOE Summary Specification Rationale.
Sections 9 and 10 provide acronym definitions and references.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
3
2 TOE Description
The TOE is defined as all Q1 Labs QRadar v5.1.2 product components except the Device Support
Module and the External Event Collector, which were included in the test configuration as interfaces to
the TOE. The QRadar Engine and Console TOE component is enhanced by the inclusion of the
product’s Offence Resolution v1.0 and Offence Manager modules. As shown in Figure 2-1, the
product components included in the TOE are the QRadar Engine and Console and the QFlow
Collector. Each of these is described as follows:
• The QFlow Collector passively collects traffic flows from a network tap and forwards the
collected network traffic to the QRadar Engine.
• The QRadar Engine is the core of the product and supports:
o the collection, analyses and storage of data gathered by the QFlow Collector and the
external event collectors,
o the generation and correlation of alerts to security events, filtering of ‘false positive’
security alerts, population of user interface views, and generation of reports to support
the Administrator in identifying and countering network security threats and
vulnerabilities,
o the automatic return of a security response to configured network devices upon
detection of specific security events, and
o the auditing of user actions, user identification and authentication, security
management, and TSF self protection mechanisms.
The subcomponents of the QRadar Engine are presented in Section 2.3.1.
• The QRadar Console utilizes pre-analyzed data derived by the QRadar Engine to populate the
user interface. The QRadar Console GUI screen includes the Dashboard view, the Offence
Manager view, the Offence Resolution view, the Network Surveillance view, and the Reports
view.
o The Dashboard is a customizable view that appears immediately upon user
authentication. It allows the user to monitor the overall network behavior, security and
vulnerability posture, top targeted assets, top attackers, and worst and most recent
security Offences from one window.
o The Offence Manager view supports the user in correlating security alerts to reduce
false positives and in associating alerts with security events. .
o The Offence Resolution view supports the user in associating a security event to a
network device (or group of network devices) and returning a security response to that
network device (or devices).
o The Network Surveillance view supports the user in monitoring the behavioral profiles
of network traffic associated with systems and applications. This is useful to trace the
source of alerts and events to specific systems and applications.
o The Reports view provides “out of the box” Executive and Operations level reporting
capability. Additional customized reports may be defined by the user.
2.1 Product Type
The Q1 Labs QRadar v5.1.2 product is an administrator configurable network intrusion detection and
response system.
2.2 Product Description
The product collects and processes data from network taps through the QFlow Collector and from
QRadar External Event Collectors installed on network devices. The QRadar External Event Collector
was included in the test configuration only as an interface to the TOE. The product produces security
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
4
events from the data collected by the QFlow Collector by comparing the data with historical behaviour
patterns and by performing real-time event matching through Sentries. The security events generated
in this way are then correlated by the product with the event data collected from QRadar Event
Collectors and refined so that similar events are grouped into a single weighted alert which is sent to
the product users. QRadar provides alerts based on behaviors, anomalies, policies and thresholds.
Upon receiving the weighted alert, the user can selectively decompose it, exposing the associated
security events and collected data for further investigation.
The product can be configured to return a security response to configured network devices, either
automatically, or in response to an action taken by a user. The built-in security responses are: TCP
Resets, ARP Redirection, and the ability to issue commands to network devices such as switches
routers and firewalls, but a general interface for passing data and commands to configured network
devices is also included. By these means, a network device may be configured to isolate detected
network security threats.
The product includes its own auditing, user identification and authentication, security management,
and TSF self protection mechanisms. The security management mechanism specifically supports
limiting a user’s access to the data collected from the network.
No cryptographic functionality is included in the product or the TOE.
The QRadar software included in the TOE is modular and components and subcomponents as
identified below in Section 2.3.1. The software can support product configurations where product
components are installed on independent platforms. However, in the evaluated configuration the
QFlow Collector was installed on one platform, and all other TOE components are installed on a
single server.
In addition, the TOE software components are incorporated into the following QRadar ‘Appliance’
products, which provide the identified QRadar security services on pre-installed and configured
servers:
• Appliance # 2101 (Entry-Level ‘All in 1” Appliance) – This is an all –in-one box that enables the
user to collect “flows” (QFlow) and events.
• Appliance # 2102 (Entry-Level ‘All in 1” Appliance) – This is an all –in-one box that includes
the same features as #2101 but also includes an Endace copper NIC for greater performance
• Appliance # 3101 (Mid-Level Server Appliance) – This includes the same features as
Appliance # 2101 except that there is a larger Storage array and QFlow capability is not
configured upon delivery. Event Collecting/Processing is included.
• Appliance # 4101 (High-End Server Appliance) – This includes the same features as
Appliance # 3101 except that it has a quad CPU and there is no .QFlow or Event
Collecting/Processing capability included.
Appliance # 2101 was tested in the evaluated configuration.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
5
Figure 2-1 QRadar Architecture Diagram and Physical TOE Boundary
Note: In Figure 2-1 the Flow Processor, Classification Engine, Internal Event Collector, External Event
Processor, QRadar Console and Magistrate Processing Core TOE subcomponents are shown as the
‘QRadar Engine and Console’.
2.3 TSF Physical Boundary and Scope of the Evaluation
2.3.1 The TOE Components
The TOE is defined as Q1 Lab’s QRadar v5.1.2 software components QRadar Engine and Console
and the QFlow Collector. The exact version of the software components is version 5.1.2. All product
components of the TOE are software. QRadar v5.1.2 includes the following product components and
subcomponents:
• QFlow Collector(s)
• QRadar Engine and Console
o Flow Processor
o Classification Engine
o Internal Event Collector
o External Event Processor
o QRadar Console
o Magistrate Processing Core
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
6
The subcomponents of the QRadar Engine and Console are the Flow Processor, the Classification
Engine, Internal Event Collector, Event Processor, QRadar Console, and the Magistrate Processing
Core. These subcomponents are referenced in this document in order to add clarity to the description
of the operation and function of the product. A brief description of each of these subcomponents
follows:
• The QRadar Flow Processor collects and consolidates data from one or more QFlow Collector(s)
and passes the consolidated data to the Classification Engine.
• The Classification engine receives consolidated data from the Flow Processor, and determines if
an event should be generated.
• The Internal Event Collector of the Event process receives policy and security data emitted
internally from the QRadar Classification engine.
• The External Event Processor receives the normalized data from the External Event Collector.
The External Event Collector is included in the TOE as an interface only.
• The QRadar Console includes User access functionality that corresponds with the necessary
Security Functionality Requirements.
• The Magistrate Processing Core (MPC) is responsible for collecting the events generated
internally from the Internal Event Collector and externally from the External Event Processor. It
correlates these events and takes actions such as issuing alerts and/or executing automated
actions triggered by detected events. It also supports the functionality required to enable the user
to investigate alerts and events.
2.3.2 The TOE IT Environment Components
The following are the IT Environment components required for operation of the TOE and to support
the TOE’s security functions:
o Hardware platform(s): Intel PC Platforms, one for each QFlow Collector, and one for all
other TOE components.
o Operating System platform(s): Trustix 2.2 for all product components. The product is
also certified to run on Linux Red Hat Enterprise v.4.
o Supporting S/W on the customer network:
o QRadar External Event Collector and its associated Device Support Modules
(DSMs) compatible with the network devices being monitored;
o 3rd
party vulnerability scanning modules such as Nessus
o QFlow Vulnerability Assessment (VA) Integration Server module providing an
interface for the vulnerability scanners.
o Protection of data in transit between the QFlow Collectors and the QRadar server, and
between the QRadar Server and the External Event Collector. This can be
implemented by physical protection of the network connection between the collectors
and the Server, or a virtual LAN such as that supported by cryptographic module(s)
such as Open SSL.
o Network or other connectivity:
o Ethernet network to connect the TOE. Note that the TOE can also be installed
on a single platform.
o Based on customer requirements, connectivity between Network Elements that
support a tap for the QFlow Collectors.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
7
2.4 Logical Boundary
The TOE provides the following security features:
• Security Audit
• Identification and Authentication
• Security Management
• Partial TSF Self-Protection
• Intrusion Detection
2.4.1 Security Audit
QRadar provides the ability to audit blocks generated by the TOE and the addition, modification, and
deletion of configuration information that specifies the blocks. QRadar is able to associate the
auditable events with identified users.
2.4.2 Identification and Authentication
QRadar provides user identification and authentication independent of that provided by the operating
system through the use of user identifiers and passwords.
2.4.3 Security Management
QRadar supports the following administrative roles: Administrator, User, and Customer and limits the
management of TSF Data to users with the appropriate privileges and network access.
QRadar provides the following security management functionality:
• Management of security management data
• Management of collected event data and collected network data
• Management of CIDR ranges assigned to users
• Management of blocks
• Management of passwords
2.4.4 Partial TSF Self-Protection
QRadar provides for non-bypassability and for protection of the audit data and defense perspective
data in conjunction with the operating system platform,
2.4.5 Intrusion Detection
QRadar provides for customer network data collection and processing to create the set of surveillance
information. This includes a database of flow information, a set of analysis data, and a database of
external event information. The intrusion detection function provides the following capabilities:
• Reads network data in real-time including data from Gigabyte networks
• Allows for amount of payload information to be configured by bytes per Collector.
• Analyzes vulnerability data by correlating the event with the various types of raw data,
normalized data, and Offences. As a result, weighted Offence alerts can be generated.
• Provides behavioral and event correlation analysis on surveillance information
• Records results by date, time, and type
• Generates internal events and their associated violations
• Sends alerts based on analysis of defense perspective data
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
8
• Provides security responses to block network security threats based on analysis of defense
perspective data.
• Generates automatic reports on defense perspective data.
• Provide Administrators and Users the ability to review the defense perspective data they are
authorized to view.
2.5 TOE Security Environment
It is assumed that there will be no untrusted users or software on the QRadar server(s).
The TOE environment is one where the potential attacker is unsophisticated, with access to only
standard equipment and public information about the product.
The Security Functions provided by the TOE security environment can be categorized as
follows:
• Event and vulnerability data collection on the customer network - The TOE relies on QRadar
IT Environment components on the customer network to collect event data from network devices
that produce Netflow, Jflow, and Sflow events through the External Event Collector.
• Cryptographic Support - The TOE relies on the IT environment to provide cryptographic support
and the cryptographic module which includes OpenSSL for secure data communication over a
trusted channel. The TOE does not include any cryptographic functionality, nor does include an
interface to any cryptographic functionality.
• Partial Protection of TSF - QRadar relies on the underlying platform, OS and hardware, to
provide security capabilities for the TOE’s protection. These include SFP domain separation,
Non-bypassability of the TSP, and a reliable time-stamp. The TOE also relies on the platform to
support the protection of the audit and defense perspective data.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
9
3 TOE Security Environment
This section identifies secure usage assumptions and threats to security.
3.1 Assumptions
This section contains assumptions regarding the security environment and the intended usage of the
TOE.
Table 3-1 Assumptions
Item Assumption Assumption Description
1. A.ACCESS The TOE has access to all the IT security management data and defense
perspective data it needs to perform its functions.
2. A.DYNAMIC The TOE will be managed in a manner that allows it to appropriately address
changes in the IT System the TOE monitors.
3. A.MANAGE There will be one or more competent individuals assigned to manage the TOE and
the security of the information it contains.
4. A.NOEVIL The authorized administrators are not careless, willfully negligent, or hostile, and will
follow and abide by the instructions provided by the TOE documentation.
5. A.PASSWD Authorized users will follow the guidance provided by the TOE documentation for
choosing good passwords.
6. A.PROTCT The TOE hardware and software critical to security policy enforcement will be
protected from unauthorized physical modification.
7. A.PROTCTCOMM Those responsible for the TOE will ensure the communications between the TOE
components are secure via a SSL secure channel.
8. A.SCOPE The TOE is appropriately scalable to the IT System the TOE monitors.
9. A.TRUSTED There will be no untrusted users of the TOE and no untrusted software loaded on
the TOE host platforms.
Application Note: A.PROTCTCOMM provides for a secure communications between the User Web interface
and QRadar Server Console, and among the TOE components when operating in a distributed environment
(see Figure 2-2).
3.2 Threats
The following are threats identified for the TOE and the IT System the TOE monitors. The TOE itself
has threats and the TOE is also responsible for addressing threats to the environment in which it
resides. The assumed level of expertise of the attacker is unsophisticated, with access to only
standard equipment and public information about the product.
The TOE must counter the following threats to security:
Table 3-2 TOE Threats
Item TOE Threat TOE Threat Description
1. T.COMINT An unauthorized user may attempt to compromise the integrity of the data collected
and produced by the TOE by bypassing a security mechanism.
2. T.COMDIS An unauthorized user may attempt to disclose the data collected and produced by the
TOE by bypassing a security mechanism.
3. T.NOHALT An unauthorized user may attempt to compromise the continuity of the System’s
collection and analysis functions by halting execution of the TOE.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
10
Item TOE Threat TOE Threat Description
4. T.PRIVIL An unauthorized user may gain access to the TOE and exploit system privileges to
gain access to TOE security functions and data.
5. T.IMPCON An unauthorized user may inappropriately change the configuration of the TOE
causing potential intrusions to go undetected.
6. T.INFLUX An unauthorized user may cause malfunction of the TOE by creating an influx of data
that the TOE cannot handle.
7. T.FACCNT Unauthorized attempts to access TOE data or security functions may go undetected.
Table 3-3 IT System Threats
The following identifies threats to the IT System that may be indicative of vulnerabilities in or
misuse of IT resources.
Item IT Threat IT Threat Description
8. T.SCNCFG Improper security configuration settings may exist in the IT System the TOE
monitors.
9. T.SCNMLC Users could execute malicious code on an IT System that the TOE monitors
which causes modification of the IT System protected data or undermines the
IT System security functions.
10. T.SCNVUL Vulnerabilities may exist in the IT System the TOE monitors.
11. T.FALASC The TOE may fail to identify vulnerabilities or inappropriate activity based on
association of IDS data received from all data sources.
12. T.MISUSE Unauthorized accesses and activity indicative of misuse may occur on an IT
System the TOE monitors.
13. T.TRANSMIT TSF data may be disclosed or modified by an attacker while being transmitted
between the TOE and its users.
3.3 Organizational Security Policies
Table 3-4 Organizational Security Policies
An organizational security policy is a set of rules, practices, and procedures imposed by an
organization to address its security needs. This section identifies the organizational security
policies applicable to this TOE.
Item Organization
Security
Policy
Organization Security Policy Description
1. P.DETECT Static configuration information that might be indicative of the potential for a future
intrusion or the occurrence of a past intrusion of an IT System or events that are
indicative of inappropriate activity that may have resulted from misuse, access, or
malicious activity of IT System assets must be collected.
2. P.ANALYZ Analytical processes and information to derive conclusions about intrusions (past,
present, or future) must be applied to Defense Perspective data and appropriate
response actions taken.
3. P.MANAGE The TOE shall only be managed by authorized users.
4. P.ACCESS All data collected and produced by the TOE shall only be used for authorized purposes.
5. P.ACCACT Users of the TOE shall be accountable for their actions when configuring and initiating
blocks within the IDS.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
11
6. P.INTGTY Data collected and produced by the TOE shall be protected from modification.
7. P.PROTCT The TOE shall be protected from unauthorized accesses and disruptions of TOE data
and functions.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
12
4 Security Objectives
This section identifies the security objectives of the TOE and its supporting environment. The security
objectives identify the responsibilities of the TOE and its environment in meeting the security needs.
4.1 Security Objectives for the TOE
The security objectives for the TOE are as follows:
Table 4-1 Security Objectives for TOE
Item TOE Objective TOE Objective Description
1. O.PARTPROTCT The TOE when invoked by the underlying host OS must protect itself from
unauthorized modifications and access to its functions and data within the TOE,
through its own interfaces.
2. O.IDBLOCK The TOE must block network security threats or out-of-policy applications.
3. O.IDSCAN The TOE must collect and store static configuration information that might be
indicative of the potential for a future intrusion or the occurrence of a past intrusion
of an IT System.
4. O.IDSENS The TOE must collect and store information about all events that are indicative of
inappropriate activity that may have resulted from misuse, access, or malicious
activity of IT System assets and the IDS.
5. O.IDANLZ The TOE must accept data from IDS Sensors or IDS Scanners and then apply
analytical processes and information to derive conclusions about intrusions (past,
present, or future).
6. O.EADMIN The TOE must include a set of functions that allow effective management of its
functions and data.
7. O.ACCESS The TOE must allow authorized users to access only appropriate TOE functions
and data.
8. O.IDAUTH The TOE must be able to identify and authenticate users prior to allowing access
to TOE functions and data.
9. O.OFLOWS The TOE must appropriately handle potential audit and defense perspective data
storage overflows, through its own interfaces.
10. O.AUDITS The TOE must record audit records for accesses and use of the System blocking
function.
11. O.PARTINTEGR The TOE with the support of the underlying host OS must ensure the integrity of
all audit and defense perspective data, through its own interfaces.
4.2 Security Objectives for the Environment
The TOEs operating environment must satisfy the following objectives. Most of these objectives do
not levy any IT requirements but are satisfied by procedural or administrative measures.
4.2.1 Security Objectives for the IT Environment
The security objectives for the IT environment are as follows:
Table 4-2 Security Objectives for the IT Environment
Item IT Environment Objective IT Environment Objective Description
12. OE.COLLECTEVENTVULN The IT Environment must collect event and vulnerability data of an IT
System.
13. OE.OFLOWS The IT Environment must appropriately handle potential audit and defense
perspective data storage overflows, through the IT Environment’s
interfaces
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
13
Item IT Environment Objective IT Environment Objective Description
14. OE.PARTINTEGR The IT Environment must ensure the integrity of all audit and defense
perspective data, through the IT Environment’s interfaces within its scope
of control.
15. OE.PARTPROTCT The IT Environment must protect itself from unauthorized modifications
and access to its functions and data within the TOE, through the IT
Environment’s interfaces within its scope of control.
16. OE.PROTCTCOMM The IT environment must protect communications between the TOE and
its components.
17. OE.TIME The underlying operating system will provide reliable time stamps.
Table 4-3 Security Objectives for the Non-IT Environment
Item Non-IT Environment
Objective
Non-IT Environment
Description Objective
18. ON.INSTALL Those responsible for the TOE must ensure that the TOE is delivered,
installed, managed, and operated in a manner which is consistent with IT
security.
19. ON.PHYCAL Those responsible for the TOE must ensure that those parts of the TOE critical
to security policy are protected from any physical attack.
20. ON.CREDEN Those responsible for the TOE must ensure that all access credentials are
protected by the users in a manner which is consistent with IT security.
21. ON.PERSON Personnel working as authorized administrators shall be carefully selected and
trained for proper operation of the System.
22. ON.INTROP The TOE is interoperable with the IT System it monitors.
23. ON.EXPORT When any IDS component makes its data available to other IDS components,
the IT Environment will ensure the confidentiality of the defense perspective
data.
24. ON.PASSWD Personnel working as authorized users must follow the password policy
parameters in the TOE guidance about choosing good passwords such as
minimum length requirements.
25. ON.PRTCTCOMM Those responsible for the TOE will ensure the communications between the
TOE components are secure via a SSL secure channel.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
14
5 IT Security Requirements
This section provides the TOE security functional and assurance requirements. In addition, the IT
environment security functional requirements on which the TOE relies are described. Formatting
Conventions
The notation, formatting, and conventions used in this security target (ST) are consistent with version
2.3 of the Common Criteria for Information Technology Security Evaluation. Font style and clarifying
information conventions were developed to aid the reader.
The CC permits four functional component operations: assignment, iteration, refinement, and
selection to be performed on functional requirements. These operations are defined in Common
Criteria, Part 2 and paragraph 2.1.4 as:
• assignment: allows the specification of an identified parameter;
• refinement: allows the addition of details or the narrowing of requirements;
• selection: allows the specification of one or more elements from a list; and
• iteration: allows a component to be used more than once with varying operations.
This ST indicates which text is affected by each of these operations in the following manner:
• Assignments and Selections specified by the ST author are in [italicized bold text].
• Refinements are identified with "Refinement:" right after the short name. Additions to the CC
text are specified in italicized bold and underlined text.
• Iterations are identified with a dash number "-#". These follow the short family name and allow
components to be used more than once with varying operations. “*” refers to all iterations of a
component.
• Explicitly stated requirements are named “_EXP” to denote that the requirement has been
explicitly stated. For example IDS_ANL_EXP.1.
• Application notes provide additional information for the reader, but do not specify
requirements. Application notes are denoted by italicized text.
• Comments are provided as an aid to the ST author and evaluation team. These items will be
deleted in the final version of the ST.
5.1 TOE Security Functional Requirements
The functional security requirements for the TOE consist of the following components derived from
Part 2 of the CC and explicit components, summarized in the Table 5-1 below.
Table 5-1 Functional Components
No. Component Component Name
1. FAU_LOG_EXP.1 Audit log generation
2. FAU_GEN.2 User identity association
3. FAU_SAR.1 Audit review
4. FAU_SAR.2 Restricted audit review
5. FIA_ATD.1* User attribute definition
6. FIA_SOS.1 Verification of secrets
7. FIA_UAU.2 User authentication before any action
8. FIA_UID.2 User identification before any action
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
15
No. Component Component Name
9. FMT_MTD.1* Management of TSF data
10. FMT_SMF.1 Specification of management functions
11. FMT_SMR.1 Security roles
12. FPT_RVM_EXP.1-1 Non-bypassability of the TSP
13. IDS_DPD_EXP.1 Defense perspective data collection
14. IDS_ANL_EXP.1 Analyzer analysis
15. IDS_SA_EXP.1 Security alarms
16. IDS_SR_EXP.1 Security response
17. IDS_RDR_EXP.1 Restricted data review
18. IDS_STG_EXP.1-1 Guarantee of defense perspective data availability
19. IDS_DRS_EXP.1 Data reporting
5.1.1 Class FAU: Security Audit
FAU_LOG_EXP.1 Audit log generation
Hierarchical to: No other components.
FAU_LOG_EXP.1.1 The TSF shall be able to generate an audit record of the following auditable
events:
a) All auditable events for the [not specified] level of audit; and
b) [the following auditable events:
• QRadar Response Module (Offence Resolution) Audit:
o Blocks generated by the TOE, both automatically based on the alert rules
and by an authorized User;
o the addition, modification, and deletion of the configuration information
that specifies the blocks.
FAU_LOG_EXP.1.2 The TSF shall record within each audit record at least the following information:
a) Date and time of the event, type of event, subject identity, and the outcome (success or
failure) of the event; and
b) For each audit event type, based on the auditable event definitions of the functional
components included in the PP/ST: [no additional audit information].
Dependencies: FPT_STM.1 Reliable time stamps
FAU_GEN.2 User identity association
Hierarchical to: No other components.
FAU_GEN.2.1 The TSF shall be able to associate each auditable event with the identity of the user
that caused the event.
Dependencies: FAU_GEN.1 Audit data generation
FIA_UID.1 Timing of identification
FAU_SAR.1 Audit review
Hierarchical to: No other components.
FAU_SAR.1.1 The TSF shall provide [Administrator and Users with Offence Resolution
privileges] with the capability to read [all audit information and audit information for the User,
respectively] from the audit records.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
16
FAU_SAR.1.2 The TSF shall provide the audit records in a manner suitable for the user to interpret
the information.
Dependencies: FAU_GEN.1 Audit data generation
FAU_SAR.2 Restricted audit review
Hierarchical to: No other components.
FAU_SAR.2.1 The TSF shall prohibit all users read access to the audit records, except those users
that have been granted explicit read-access.
Dependencies: FAU_SAR.1 Audit review
5.1.2 Class FIA: Identification and Authentication
FIA_ATD.1-1 User attribute definition
Hierarchical to: No other components.
FIA_ATD.1.1-1 Refinement: The TSF shall maintain the following list of security attributes belonging
to administrators and Customer Support users:
• [User Name ;
• Authentication data ;
• Assigned Role, either Administrator or Customer Support.]
Dependencies: No dependencies.
Application note: The access privileges held by a user acting in the Customer Support Role is defined in
FMT_MTD.1-4, while the privileges held by a user acting in the Administrator Role are defined in
FMT_MTD.1-1.
FIA_ATD.1-2 User attribute definition
Hierarchical to: No other components.
FIA_ATD.1.1-2 Refinement: The TSF shall maintain the following list of security attributes belonging
to users:
• [User Name;
• Authentication data;
• CIDR Address Ranges;
• Assigned Privileges ( Reports, Offence Resolution, Offense Manager, Network
Surveillance )]
Dependencies: No dependencies.
FIA_SOS.1 Verification of secrets
Hierarchical to: No other components.
FIA_SOS.1.1 The TSF shall provide a mechanism to verify that secrets meet [a length greater than
or equal to 5, and may contain numeric, underscore, hyphen, lower case and upper case
characters].
Dependencies: No dependencies
FIA_UAU.2 User authentication before any action
Hierarchical to: FIA_UAU.1
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
17
FIA_UAU.2.1 The TSF shall require each user to be successfully authenticated before allowing any
other TSF-mediated actions on behalf of that user.
Dependencies: FIA_UID.1 Timing of identification
FIA_UID.2 User identification before any action
Hierarchical to: FIA_UID.1
FIA_UID.2.1 The TSF shall require each user to identify itself before allowing any other TSF-mediated
actions on behalf of that user.
Dependencies: No dependencies.
5.1.3 Class FMT: Security Management (FMT)
FMT_MTD.1-1 Management of TSF data
Application Note: FMT_MTD.1-1 describes the management of TSF data in regards to the Administration of
Security Functions
FMT_MTD.1.1-1 The TSF shall restrict the ability to [Operations listed below] the [TSF data listed
below] to [Administrator]:
Table 5-2 Administrator Management of TSF data
Operations selection
and assignment
TSF Data Assignment
query, modify, delete Security Management Data:
• TSF data required to manage users Identification and Authentication, see the
attributes defined in FIA_ATD.1* except ‘password’.
IDS Data:
• Configure collection of data from IDS_DPD_EXP.1.
• Configure and initiate ‘blocks’ based on all the Defense Perspective Data.
• Configure the Global Exclusions, the addresses protected from blocks.
• Reporting interface to all the Defense Perspective Data
• Rules and Sentries applied to Offense Manager data and flow data, respectively,
from which alerts (IDS_SA_EXP.1) and blocks (IDS_SR_EXP.1) are generated,
includes email notification and logging.
• Threshold level and email notice location for Defense Perspective data storage
required for IDS_STG_EXP.1-1.
• Define the data to be collected by the QFlow Collectors, as specified in
IDS_DPD_EXP.1,
Query Security Management Data:
• Audit log data
IDS Data:
• All Defense Perspective Data
• Alerts generated by the TSF
• Blocks generated by the TSF
Dependencies: FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
18
FMT_MTD.1-2 Management of TSF data
Application Note: FMT_MTD.1-2 describes the management of TSF data in regards to the Users with Privileges.
FMT_MTD.1.1-2 Refinement: The TSF shall restrict the ability to [Operations listed below] the
[TSF data listed below for the data related to the CIDR ranges specified by the Administrator
for each User] to [Role Assignment listed below].
Table 5-3 Users Management of TSF data
Operations
selection and
assignment
TSF Data Assignment Role Assignment
Query Pre-defined Dashboard Report Users
Query, modify,
delete, create
Configure and initiate ‘blocks’ based on the Defense
Perspective Data
Query Blocks generated by the TSF
Query Audit log data
Users with Offence
Resolution privileges
Query, modify,
delete, create
Reporting interface to the Defense Perspective Data Users with Reports
privileges
Query, modify,
delete, create
Configuration for rules applied to the Offense Manager
data from which Alerts (IDS_SA_EXP.1) and blocks
(IDS_SR_EXP.1) are generated, includes email
notification and logging.
Users with Offense Manager
with Customized Rule
privileges
Query, modify,
delete, create
Configuration for the Sentries applied to the flow data
from which alerts (IDS_SA_EXP.1) and blocks
(IDS_SR_EXP.1) are generated, includes email
notification and logging.
Query Flow data
Users with Network
Surveillance and Users with
Offense Manager privileges
Query Rules and Sentries applied to Offense Manager data and
flow data, respectively, from which alerts
(IDS_SA_EXP.1) and blocks (IDS_SR_EXP.1) are
generated
Users with Offense Manager
privileges
Dependencies: FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
FMT_MTD.1-3 Management of TSF data
Application Note: FMT_MTD.1-3 describes the management of TSF data in regards to Users with sharing
privileges.
FMT_MTD.1.1-3 Refinement: The TSF shall restrict the ability to [query] the [
• Reporting interface to the Defense Perspective Data for User-specified CIDR ranges within
the (granting) Users domain, and
• Alerts on Defense Perspective Data for User-specified CIDR ranges within the
(granting) Users domain]
to [Users] with User-specified report sharing privileges and Offense Manager sharing
privileges, respectively.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
19
Dependencies: FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
FMT_MTD.1-4 Management of TSF data
Application Note: FMT_MTD.1-4 describes the management of TSF data in regards to Customer Support Users.
FMT_MTD.1.1-4 The TSF shall restrict the ability to [query] the [‘blocks’ based on the Defense
Perspective Data] to [Customer Support].
Dependencies: FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
FMT_MTD.1-5 Management of TSF data
Application Note: FMT_MTD.1-5 describes the management of TSF data in regards to the management of
passwords.
FMT_MTD.1.1-5 The TSF shall restrict the ability to [see table below] the [see table below]
to [see table below].
Table 5-4 Management of Passwords
Operations selection and assignment TSF Data Assignment Role Assignment
modify, delete, create All passwords Administrator
modify Own password User
Application Note: User passwords in their original state must be created by the Administrator, Customer Support
Users do not manage their own passwords, they are created and maintained by the Administrator.
Dependencies: FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
FMT_SMF.1 Specification of Management Functions
Hierarchical to: No other components.
FMT_SMF.1.1 The TSF shall be capable of performing the following security management functions:
[Security Management: Audit (as described in Sections 6.1.2 and 6.1.6) and I&A(as described
in Sections 6.1.3);
IDS Management: Access Control over Defense Perspective data, control over reports, blocks
and alerts, as specified in FMT_MTD.1*].
Dependencies: No Dependencies
FMT_SMR.1 Security roles
Hierarchical to: No other components.
FMT_SMR.1.1 The TSF shall maintain the roles [Administrator, Customer Support, and User].
FMT_SMR.1.2 The TSF shall be able to associate users with roles.
Dependencies: FIA_UID.1 Timing of identification
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
20
5.1.4 Class FPT: Protection of the TOE Security Functions
FPT_RVM_EXP.1-1 Non-bypassability of the TSP
Hierarchical to: No other components.
FPT_RVM_EXP.1.1-1 The TSF, when invoked by the underlying host OS, shall ensure that TSP
enforcement functions are invoked and succeed before each function within the TSC is allowed to
proceed.
Dependencies: No dependencies.
5.1.5 IDS Component Requirements (IDS)
IDS_DPD_EXP.1 Defense perspective data collection
Hierarchical to: No other components
IDS_DPD_EXP.1.1 The TOE shall be able to collect the following information from the targeted IT
System resource(s): see column 1 of Table 5-5.
IDS_DPD_EXP.1.2 At a minimum, the TOE shall collect and record the following information:
a) Date and time of the event, type of event, subject identity, and the outcome (success or
failure) of the event; and
b) The additional information specified in the Details column of Table 5-5 defense
perspective data.
Table 5-5 Defense perspective data
Events Details
Network traffic Protocol, Application, Content, Source Port, Destination Port, source address, destination
address, TCP Flags
Host Profiles Open Ports, Services, IP address
Dependencies: No dependencies.
IDS_ANL_EXP.1 Analyzer analysis
Hierarchical to: No other components
IDS_ANL_EXP.1.1 The TOE shall perform the following analysis function(s) on all defense
perspective data received:
a) behavioral and event correlation
b) No other analytical functions.
IDS_ANL_EXP.1.2 The TOE shall record within each analytical result at least the following
information:
a) Date and time of the result, type of result, identification of data source; and
b) Analysis results.
Dependencies: IDS_DPD_EXP.1 Defense perspective data collection
IDS_EVD_EXP.1 Event and vulnerability data collection
FPT_STM.1 Reliable time stamps
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
21
IDS_SA_EXP.1 Security alarms
Hierarchical to: No other components.
IDS_SA_EXP.1.1 The TSF shall take action to send an alert to the Offense Manager console, send
the alert to the QRadar system log, or send a notification via e-mail upon detection of a potential
security violation.
Dependencies: IDS_ANL_EXP.1 Analyzer analysis
IDS_SR_EXP.1 Security response
Hierarchical to: No other components
IDS_SR_EXP.1.1 The TSF shall take the following actions:
Block - Prevent network traffic from moving through the network. The QRadar Response Module
(Offence Resolution) provides several blocking mechanisms.
o TCP Resets: TCP Resets have the capability to block an individual host and layer 4
sessions.
o ARP Redirection: ARP Redirection (Poisoning) blocks the host from any and all
communications to other subnets/CIDRs and VLANs. ARP Redirector can redirect the
quarantined host to a customizable website that informs the host that they have been
quarantined.
o Network Devices: The QRadar Response Module can issue commands to 3rd
party
devices which support ACLs and blocking rules (such as switches, routers, and
firewalls)
Application Note: The block can be enabled manually or automatically.
Dependencies: IDS_ANL_EXP.1 Analyzer analysis
IDS_RDR_EXP.1 Restricted data review
Hierarchical to: No other components
IDS_RDR_EXP.1.1 The TOE shall provide the Administrator with the capability to read all data from
the Defense Perspective data.
IDS_RDR_EXP.1.2 The TOE shall provide the TOE data in a manner suitable for the user to interpret
the information.
IDS_RDR_EXP.1.3 The TOE shall prohibit all users read access to the Defense Perspective data,
except those users that have been granted explicit read-access.
Dependencies: IDS_DPD_EXP.1 Defense perspective data collection
IDS_EVD_EXP.1 Event data collection
IDS_STG_EXP.1-1 Guarantee of defense perspective data availability
Hierarchical to: No other components
IDS_STG_EXP.1.1-1 The TOE shall protect the stored Defense Perspective data from unauthorized
deletion through its own TSFI.
IDS_STG_EXP.1.2-1 The TOE shall protect the stored Defense Perspective data from modification
through its own TSFI.
IDS_STG_EXP.1.3-1 The TOE shall ensure that the most recent, limited by available storage space
defense perspective data will be maintained when defense perspective data storage exhaustion
occurs.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
22
IDS_STG_EXP.1.4-1 The TOE shall send an alarm if the storage capacity has been reached.
Dependencies: IDS_DPD_EXP.1 Defense perspective data collection
IDS_EVD_EXP.1 Event data collection
IDS_DRS_EXP.1 Data Reporting
Hierarchical to: No other components
IDS_DRS_EXP.1.1 The TSF shall be able to report collected Defense Perspective data using
automatically generated reports.
IDS_DRS_EXP.1.2 The TSF shall be capable of generating user defined reports.
IDS_DRS_EXP.1.3 The TSF shall be capable of generating scheduled and real-time views:
Dependencies: IDS_DPD_EXP.1 Defense perspective data collection
IDS_EVD_EXP.1 Event data collection
5.1.6 Strength of Function
The threat level for the TOE authentication function is assumed to be SOF-basic. The strength of
cryptographic algorithms is outside the scope of the CC. Strength of function applies only to non-
cryptographic, probabilistic or permutational mechanisms. The SOF requirement applies to the
identification and authentication functionality within the TOE.
5.2 Security requirements for the IT Environment
QRadar requires that the operating system platform provide reliable time stamps. QRadar requires
that the operating system provides TSF domain separation and non-bypassability. All cryptographic
functions are part of the IT environment, not part of the TOE.
Table 5-6 Functional Components for the IT environment
No. Component Component Name
20. FAU_STG_EXP.2 Guarantees of audit data availability
21. FPT_RVM_EXP.1-2 Non-bypassability of the TSP
22. FPT_SEP_EXP.1 TSF domain separation
23. FPT_STM.1 Reliable time stamps
24. FTP_ITC.1 Trusted path/channels
25. IDS_STG_EXP.1-2 Prevention of Defense Perspective data loss
26. IDS_EVD_EXP.1 Event and vulnerability data collection
5.2.1 Class FAU: Security Audit
FAU_STG_EXP.2 Guarantees of audit data availability
Hierarchical to: FAU_STG.1
FAU_STG_EXP.2.1 The IT Environment shall protect the stored TSF audit records from unauthorised
deletion initiated through the IT Environment's Interfaces.
FAU_STG_EXP.2.2 The IT Environment shall be able to prevent unauthorized modifications to the
TSF audit records in the audit trail initiated through the IT Environment's Interfaces.
FAU_STG_EXP.2.3 The IT Environment shall ensure that the most recent limited by available storage
space audit records will be maintained when the following conditions occur: audit storage exhaustion.
Dependencies: FAU_GEN.1 Audit data generation
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
23
5.2.2 Class FPT: Protection of the TOE Security Functions
FPT_RVM_EXP.1-2 Non-bypassability of the TSP
Hierarchical to: No other components.
FPT_RVM_EXP.1.1-2 The IT environment shall ensure that the Operating System Security Policy
enforcement functions are invoked and succeed before each function within the Operating System’s
Scope of Control is allowed to proceed.
Dependencies: No dependencies.
FPT_SEP_EXP.1 TSF domain separation
Hierarchical to: No other components.
FPT_SEP_EXP1.1 The IT environment shall maintain a security domain for its own execution that
protects it from interference and tampering by untrusted subjects initiating actions through the
Operating System’s Interface.
FPT_SEP_EXP.1.2 The IT environment shall enforce separation between the security domains of
subjects in the Operating System’s Scope of Control.
Dependencies: No dependencies
FPT_STM.1 Reliable time stamps
Hierarchical to: No other components.
FPT_STM.1.1 Refinement: The IT environment shall be able to provide reliable time stamps for its
own use.
Dependencies: No dependencies
5.2.3 Class FTP: Trusted path/channels
FTP_ITC.1 Inter-TSF trusted channel
Hierarchical to: No other components.
FTP_ITC.1.1 Refinement: The IT environment shall provide a communication channel between
itself and a remote trusted IT product that is logically distinct from other communication channels and
provides assured identification of its end points and protection of the channel data from modification
or disclosure.
FTP_ITC.1.2 Refinement: The IT environment shall permit [the TSF, or the remote trusted IT
product] to initiate communication via the trusted channel.
FTP_ITC.1.3 Refinement: The IT environment shall initiate communication via the trusted channel
for [all data communication among the distributed TOE component].
Dependencies: No dependencies
5.2.4 IDS Component Requirements (IDS)
IDS_STG_EXP.1-2 Guarantee of defense perspective data availability
Hierarchical to: No other components
IDS_STG_EXP.1.1-2 The IT environment shall protect the stored Defense Perspective data from
unauthorized deletion through its own TSFI.
IDS_ STG_EXP.1.2-2 The IT environment shall protect the stored Defense Perspective data from
modification through its own TSFI.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
24
IDS_ STG_EXP.1.3-2 The IT environment shall ensure that the most recent, limited by available
storage space defense perspective data will be maintained when Defense Perspective data storage
exhaustion occurs.
Dependencies: No dependencies.
IDS_EVD_EXP.1 Event and vulnerability data collection
Hierarchical to: No other components
IDS_EVD_EXP.1.1 The IT environment shall be able to collect the following information from the
targeted IT System resource(s): event data from network devices that produce Netflow, Jflow, and
Sflow events, and vulnerability data.
Dependencies: No dependencies.
5.3 TOE Security Assurance Requirements
The Security Assurance Requirements for the TOE are the assurance components of Evaluation
Assurance Level 2 (EAL2) taken from Part 3 of the Common Criteria. None of the assurance
components are refined. The assurance components are listed in Table 5-7.
Table 5-7 EAL2 Assurance Components
Item Component Component Title
1 ACM_CAP.2 Configuration items
2 ADO_DEL.1 Delivery procedures
3 ADO_IGS.1 Installation, generation, and start-up procedures
4 ADV_FSP.1 Informal functional specification
5 ADV_HLD.1 Descriptive high-level design
6 ADV_RCR.1 Informal correspondence demonstration
7 AGD_ADM.1 Administrator guidance
8 AGD_USR.1 User guidance
9 ATE_COV.1 Evidence of coverage
10 ATE_FUN.1 Functional testing
11 ATE_IND.2 Independent testing – sample
12 AVA_SOF.1 Strength of TOE security function evaluation
13 AVA_VLA.1 Developer vulnerability analysis
Further information on these assurance components can be found in the Common Criteria for
Information Technology Security Evaluation (CCITSE) Part 3.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
25
6 TOE Summary Specification
6.1 IT Security Functions
6.1.1 Overview
Table 6-1 Security Functional Requirements mapped to Security Functions
No. SFRs Security Class Security Functions Sub-
functions
1 FAU_LOG_EXP.1 Security audit Security Audit AU-1
2 FAU_GEN.2 Security audit Security Audit AU-2
3 FAU_SAR.1 Security audit Security Audit AU-3
4 FAU_SAR.2 Security audit Security Audit AU-4
5a FIA_ATD.1-1 Identification and authentication Identification and
Authentication
IA-1
5b FIA_ATD.1-2 Identification and authentication Identification and
Authentication
IA-2
6 FIA_SOS.1 Identification and authentication Identification and
Authentication
IA-3
7 FIA_UAU.2 Identification and authentication Identification and
Authentication
IA-3
8 FIA_UID.2 Identification and authentication Identification and
Authentication
IA-4
9 FMT_MTD.1-1 Security management Security Management SM-1
10a FMT_MTD.1-2 Security management Security Management SM-2
10b FMT_MTD.1-3 Security management Security Management SM-3
10c FMT_MTD.1-4 Security management Security Management SM-4
10d FMT_MTD.1-5 Security management Security Management SM-5
10e FMT_SMF.1 Security management Security Management SM-6
11 FMT_SMR.1 Security management Security Management SM-7
12 FPT_RVM_EXP.1-1 Protection of the TSF Partial TSF Self-Protection SP-1
13 IDS_DPD_EXP.1 Intrusion Detection Intrusion Detection System IDS-1
14 IDS_ANL_EXP.1 Intrusion Detection Intrusion Detection System IDS-2
15 IDS_SA_EXP.1 Intrusion Detection Intrusion Detection System IDS-3
16 IDS_SR_EXP.1 Intrusion Detection Intrusion Detection System IDS-4
17 IDS_RDR_EXP.1 Intrusion Detection Intrusion Detection System IDS-5
18 IDS_STG_EXP.1-1 Intrusion Detection Intrusion Detection System IDS-6
19 IDS_DRS_EXP.1 Intrusion Detection Intrusion Detection System IDS-7
6.1.2 Security Audit
6.1.2.1 AU-1 Audit trail (FAU_LOG_EXP.1)
QRadar provides an audit trail function. Audit trails are maintained by QRadar and track the actions
taken by QRadar users and automated actions taken by the system.
The TSF shall be able to generate an audit record of the following auditable events:
• Blocks generated by the TOE, both automatically based on the alert rules and by an
authorized User;
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
26
• Addition, modification, and deletion of the configuration information that specifies the
blocks.
Audit Trail data is generated by the QRadar Engine and is stored in the Postgres database on the
QRadar Engine server. The Offence Resolution view provides reports of Resolver and Resolver
Actions (i.e.: Blocks and commands issued to layer 2 thru 4 devices). The configuration activity for
the blocks is recorded in the audit log for the Resolver, and the action of the TSF generating the block
is recorded in the Resolver Actions audit log.
Since the audit function is always enabled, the auditing of system startup and shutdown also indicates
the startup and shutdown of the audit function.
The host platform in the IT Environment provides the timestamp for the audit records.
6.1.2.2 AU-2 User identity association (FAU_GEN.2)
QRadar is able to associate each auditable event with the identity of the TOE user that caused the
event. Users activating auditable events can be identified via their username.
6.1.2.3 AU-3 Audit review (FAU_SAR.1)
QRadar provides the Administrator with the capability to read all audit information from the audit
records. Users with Offence Resolution privilege can only view the audit records for resolver actions
that they have created. Only the Administrator may view records created by other users.
The audit records are viewable through QRadar Console Offence Resolution view in a manner
suitable for the user to interpret the information. Specifically, a search function supports the selective
population of views of the audit trail. In the populated view, the audit records are presented in a
tabular format and can be sorted into ascending or descending order by clicking on the column
headings.
6.1.2.4 AU-4 Restricted audit review (FAU_SAR.2)
QRadar prohibits all users read access to the audit records, except those users that have been
granted explicit read-access. The Administrator has implicit query access, and the Administrator
grants a User the Offence Resolution privilege. Once the User has been granted the Offence
Resolution privilege, the internal database will permit the user to access the audit records. The
QRadar GUI is engineered so that the user’s can only view the data for which they have privilege.
6.1.3 Identification and Authentication
6.1.3.1 IA-1 User attribute definition (FIA_ATD.1-1)
Consistent with FMT_MTD.1-4, Customer Support users are not assigned individual permissions, as
users are, but derive their privilege from their assigned role. Their access privilege is limited to
searching the current actions for blocked IPs.
The privileges held by a user acting in the Administrator Role are defined in FMT_MTD.1-1.
The TSF maintains the following user attributes for Administrators and Customer Support users:
• User Name – explicit (maintained as Unique ID);
• Authentication data – explicit (maintained as password)
• Assigned Role – explicit (defined attribute).
The role that may be assigned is either Administrators or Customer Support. If a user is not assigned
a role, their access permissions are assigned individually, as required by FIA_ATD.1-2.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
27
6.1.3.2 IA-2 User attribute definition (FIA_ATD.1-2)
Operationally, the Administrator may assign privileges directly to users, or create a customized user
role, assign permissions to that role, and then assign that role to users. The TSF maintains the
following attributes for users:
• User Name – explicit (maintained as Unique ID);,
• Authentication data – explicit (maintained as password),
• CIDR Address Ranges – explicit (defined attribute);
• Assigned Privileges ( Reports, Offence Resolution, Offence Manager, Network Surveillance) –
explicit (defined attribute)
Within the Offense Manager privilege, a user can be granted additional access to customized rule
creation functionality, viewing vulnerability assessment data, and performing vulnerability assessment
scans. Within the Network Surveillance privilege, a user can be granted additional access to content
captured using the data mine function and the data mine content. Within the Reporting functionality
privilege, a user can be granted additional access to distribute reports via email and maintain report
templates.
6.1.3.3 IA-3 User authentication (FIA_UAU.2 and FIA_SOS.1)
QRadar provides a password authentication mechanism to authenticate users before they are able to
access the TOE.
The required password length is greater than 4 characters. The character set available for passwords
included upper and lower case alphanumeric characters and special characters. Users are trained to
pick passwords that include upper and lower case characters as well as at least one numeric and
special character.
The password is encrypted prior to storage using a modified implementation of the MD5 hash.
6.1.3.4 IA-4 User identification (FIA_UID.2)
QRadar identifies users before they are able to access the TOE. Users are identified by their supplied
user name.
6.1.4 Security Management
6.1.4.1 SM-1 Management of TSF Data (FMT_MTD.1-1)
FMT_MTD.1-1 describes operations that a user assigned to the Administrator role may perform on the
specified TSF data (See Table 5-2 in Section 5.1).
6.1.4.2 SM-2 Management of TSF Data (FMT_MTD.1-2)
FMT_MTD.1-2 describes the management of TSF data with respect to granting User permissions on
the basis of the source and destination IP address recorded in the collected data. QRadar is able to
restrict the ability to query the Defense Perspective Data for the IP address range specified by the
Administrator for each User. It also describes the management of TSF data in regards to specific
privileges (See Table 5-3 in Section 5.1).
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
28
6.1.4.3 SM-3 Management of TSF Data (FMT_MTD.1-3)
FMT_MTD.1-3 describes the management of TSF data with respect to User data sharing privileges.
Users with User-specified report sharing privileges and Offence Manager sharing privileges,
respectively are able to query the:
• Reporting interface to the Defense Perspective Data for User-specified IP address ranges
within the (granting) Users domain, and
• Alerts on Defense Perspective Data for User-specified IP address ranges within the (granting)
Users domain.
A user permitted to grant access to alerts and the reports interface may not grant access to data
that is not associated with their IP address range.
6.1.4.4 SM-4 Management of TSF Data (FMT_MTD.1-4)
FMT_MTD.1-4 describes the management of TSF data in regards to Users assigned to the ‘Customer
Support’ role. QRadar restricts the ability to query ‘blocks’ based on the Defense Perspective Data to
Users assigned to the ‘Customer Support’ role.
6.1.4.5 SM-5 Management of TSF Data (FMT_MTD.1-5)
FMT_MTD.1-5 describes the management of TSF data in regards to the management of passwords
(See Table 5-4 in Section 5.1). Administrators have completed control over all user passwords.
Administrators may create a password in the context of creating a user account. Administrators may
delete a user password in the context of removing the user account. All users may change their own
password.
6.1.4.6 SM-6 Specification of Management Functions (FMT_SMF.1)
QRadar is capable of performing the following security management functions:
• Security Management: Audit and I&A;
• IDS Data Management: Access Control over Defense Perspective data, control over reports,
blocks and alerts, as specified in FMT_MTD.1, iterations 1 thru 5.
6.1.4.7 SM-7 Security Roles (FMT_SMR.1)
The TOE maintains three trusted roles:
• Administrator
• Customer Support
• User
The security management privileges reserved for users granted Administrator role are described in
FMT_MTD.1-1. The security management privileges reserved for users granted Customer Support
role are described in FMT_MTD.1-4. The permissions that define the User role capabilities are
described in FMT_MTD.1-2, FMT_MTD.1-3, and FMT_MTD.1-5.
6.1.5 Partial TSF Self-Protection
6.1.5.1 SP-1 Non-bypassability (FPT_RVM_EXP.1-1)
Upon being invoked by the OS, the TSF maintains a security domain for its own execution and
ensures that TOE security functions are non-bypassable. The TOE ensures that security protection
and enforcement functions are invoked and succeed before each function within its scope of control is
allowed to proceed.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
29
The TOE includes three network connections that must be considered in terms of non-bypassability.
• The connection from the TOE Engine and Console component to the External User.
• The connection of the TOE Engine and Console component to the Collector
• The connection of the TOE Engine and Console component to the External Event Collector
In combination with the IT environment, the TOE environment ensures all information from an external
client (e.g.: external user, Collector, External Event Collector) to the Engine and Console component
or vice versa goes through the TSF. The TSF ensures that all information must flow through the policy
enforcement mechanisms.
In order for an external user to access Engine and Console component, the external user must use a
encrypted connection between the External user and the TSF. The encrypted connection is supported
by the IT environment. The external user must provide a valid UID and authenticator (password).
Once the external user is identified and authenticated, they cannot act without invoking a function or
object that is protected by the TSF. Hence, the TSF ensures that all TOE security functions may only
be accessed by an authorized user.
Based on the user attributes the external user’s access privilege is determined for the invoked
function or object. There is no communication path that passes data directly from the Collector or the
External Event Collector to the External user (or vice versa) except through the TSF. Hence, the TSF
ensures that all information collected from the IT environment must flow through the policy
enforcement mechanisms before being accessed by an external user.
In order for a Collector or External Event Collector to access the Engine and Console component of
the TOE, the connection from the Collector or External Event Collector to the Engine and Console
component must be specifically configured by the Administrator. The Administrator is responsible to
ensure the security of this connection, either thru physical protection, or an encrypted connection.
There is no communication path that passes data directly from the Collector to the External Event
Collector (or vice versa). Hence, the TSF ensures that all information collected or passed to the
Collector or External Event Collector must flow through the policy enforcement mechanisms, and the
Collector or External Event Collector cannot act except to pass data to the TOE server, and to accept
data from the TOE server.
Further protection is provided by the underlying assumption regarding the operation of QRadar is that
it is maintained in a physically secure environment.
Hence, in combination with the IT environment, the TSF ensures that all information must flow through
the policy enforcement mechanisms.
6.1.6 Intrusion Detection System Functions
6.1.6.1 IDS-1 Defense perspective data collection (IDS_DPD_EXP.1)
QRadar collects data from the network via the QFlow Collectors, network components via the External
Event Collector/DSM, and a vulnerability scanner, e.g., Nessus (http://www.nessus.org/) via the
External Event Collector. Only the QFlow Collectors are within the TOE Boundary, the External Event
Collector/DSMs are included only as a TOE interface.
The QFlow Collectors are attached to network links using a tap or span connection and, using a
proprietary process, collect data passively from the network. QFlow Collectors, through their tap, are
able to collect all data that passes the location, or a subset of the data as specified in
IDS_DPD_EXP.1. This data is referred to as QFlow Data.
QFlow Collectors also collect Netflow, Jflow and Sflow data from routers, switches, etc. The
Netflow/Jflow/Sflow data is collected by the QFlow Collector configured to
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
30
• listen on a specific port,
• for packets with designated device’s IP address in the SrcIP field of the packet header, and
• with the TOE server’s IP address in the DstIP field of the packet header, and
• via User DataGram Protocol (UDP) protocol.
These two data sets, the QFlow and Netflow/Jflow/Sflow, comprise the ‘flow data’ collected by QFlow
Collectors.
QFlow Collectors are placed at key locations where surveillance is required. Once they have been
deployed, QFlow Collectors require no daily management. QFlow Collectors are unique for three
reasons:
• No Sampling - QFlow Collectors analyze all packets on the segment it is monitoring. Sampling
can overlook data important for detecting policy issues as well as some Trojan and back-door
programs. However, it is important to note that some QRadar v5.1.2 appliance models are
licensed to be limited to a certain amount of flows.
• Layer 7 analysis - QRadar does not rely on static definitions of applications by port number.
Instead it analyzes application protocol headers (Layer 7) to capture packets running on ports
other than the ones expected (e.g. SSH back door), multiple ports (e.g. P2P) and even
applications tunneled within other applications (e.g. IM).
• Content Capture - QRadar captures a configurable amount of content from the first part of
each flow and stores URLs, filenames, and other applicable information. This allows in-depth
analysis well after the event has passed.
See Table 5-5 for a list of defense perspective data that is collected by QFlow Collector.
QFlow Collectors send the collected flow data to the TOE server (QRadar Engine and Console
component of the TOE) via a protected channel.
As defined in IDS_EVD_EXP.1, the event data and vulnerability analysis data are collected by the
DSMs and the vulnerability scanners, respectively and forwarded to the TOE server by the External
Event Collector.
Before forwarding the collected data to the TOE server, the External Event Collector standardizes and
normalizes the collected data to include the: QID, Device Event ID, Device ID, Device Type, Source
IP, Source Port, Destination IP, Destination Port, Device Event Count, Protocol, Category, Credibility,
Severity, Relevance, Payload, Annotations, Start Time, and End Time.
The External Event Collector also sends the collected normalized data to the TOE server via a
protected channel.
6.1.6.2 IDS-2 Analyzer analysis (IDS_ANL_EXP.1)
Behavioral Analysis:
Behavioral analysis is performed on the data collected by the Collector by the Flow Processor and
Classification Engine subcomponents of the TOE. The analysis begins with normalizing the flow,
removing duplications and, using a proprietary process (patent pending), bundling the flows to create
superflows, optimizing further analysis. The optimized flow data is sent to the Classification Engine
subcomponent of the TOE where classification analysis is performed creating tags for the data. The
data is tagged based on the packet header data and content, and threat and policy configuration
information based on parameters defined in Table 5-5, Defense perspective data.
A Sentry process on the Classification Engine further analyzes the tagged data, comparing the
behavior represented by the data with policy and threat configuration information. It also analyzes the
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
31
new data and compares the product of this analysis with accumulated statistical data characterizing
‘normal’ behavior. Based on this processing, the Sentry may take a configured action, such as raising
an alert, generating a ‘block’, or raising an internal event. An internal event is then further processed
in a way similar to data collected by the External Event Collector.
Default Sentries are pre-configured that detect aggressive scanning or worm activity, detect changes
in the number of hosts participating in client applications and port connections, detect denial of service
attacks both to and from local hosts, detect changes in unidirectional and bi-directional flows, detect
threats from top hostile networks, highly targeted ports, and sensitive applications, detect changes in
traffic volume for upper-level objects such as large abnormal data transfers, detect network protocol
anomaly, detect changes in the number of hosts participating in server port connections, detect slow
scan response, detect remote access application on non-standard ports, and detect activity-level
anomalies in non-TCP, UDP, and ICMP protocols.
The Sentries explicitly included in the TSF are:
1. Client Based DNS Activity to the Internet
2. Distributed DoS Attack (High Number of Hosts)
3. Distributed DoS Attack (Low Number of Hosts)
4. Distributed DoS Attack (Medium Number of Hosts)
5. Excessive Anomalous IMCP Flows
6. Excessive Inbound Unidirectional Flows Threshold
7. Excessive Outbound Unidirectional Flows Threshold
8. Excessive P2P Policy Threshold
9. Excessive Rejected Communication Attempts
10. Excessive SMTP Mail Sender
11. Excessive Unidirectional ICMP Detected
12. Excessive Unidirectional ICMP Responses Detected
13. Excessive Unidirectional TCP Flows
14. Excessive Unidirectional UDP or Misc Flows
15. Flow Count Behaviour Change
16. Hidden FTP Server
17. High Rate DoS Flood Attack
18. High Rate ICMP Scan
19. High Rate Scanning Activity
20. Host Count Behaviour Change
21. ICMP DoS
22. Invalid TCP Flag Usage
23. Local P2P Server Detected
24. Low Rate DoS Flood Attack
25. Low Rate ICMP Scan
26. Medium Rate DoS Flood Attack
27. Medium Rate ICMP Scan
28. Medium Rate Scanning Activity
29. Policy Excessive IM/Chat
30. Policy Excessive IRC Connections
31. Port 0 Flows Detected
32. Scanning Activity
33. SSH or Telnet Detected on Non-Standard Port
34. TCP DoS
35. Threat Traffic Packet Rate Behaviour Change
36. UDP DoS
37. VNC Access from the Internet to a Local Host
38. Potential Network Scan
39. Potential Unresponsive Service or Distributed DoS
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
32
Behavioral analysis is also supported through Event Rules and Offence Rules. A rule is a collection of
tests and consequent actions. Each rule consists of tests, functions that logically combine tests, and
building blocks which allow re-use of tests in multiple rules. Tests may be based on source and
destination Network Properties, Event properties, IP/Port properties, Host Profile properties, Date and
Time properties, Device properties and Offence properties.
Default Event Rules supported by the Event Processor module are: Login Failures across Multiple
Hosts, Repeated Login Failures Single Host, Scan and Attack, Threat Exposure of Target Rapidly
Increasing, Exploit and IRC Connect, Mass Mailing Host Detected, Drop Unwanted Events, Recon
and Suspicious Activities, Multiple Firewall System Configuration Errors detected, Recon Detected
Across Multiple Hosts, Suspicious Events Across Multiple Hosts, Multiple Local Hosts Connecting to
Single Remote Site, Exploit Attempts Across Multiple Hosts, Multiple Attack Types Detected, Multiple
System Errors or Failure Detected, and Push Policy Events to the Internal Event Collector
subcomponent.
Offence Rules supported by the QRadar Engine component are Offence Syslog Sender, Offence
EMAIL Sender.
Event Correlation:
Two types of events, the internal events from the Sentry and the external events from the external
DSM, and the vulnerability analysis data are brought together in the QRadar Engine. The Offence
Manager view permits users to analyze this combined data. The events are normalized and
correlated with the goal of identifying the source attack actions with a profile that includes identifying
the target assets and where the attacks are occurring. The vulnerability analysis data is also
correlated with this information to help establish severity and to prioritize based on the target’s
vulnerability to the detected threat. Administrator-configured credibility ratings for events are also
factored into the analysis.
These external and internal events are also correlated to data collected by the Collector to both
reduce false positives and to track hosts associated with events. This is accomplished by the
Magistrate Engine, which after receiving certain event types, makes a request to the QRadar
Classification engine sub-component of the QRadar Engine to modify the real-time analysis
information from incoming flows to identify network traffic that is significant to an event. The events
that trigger this request are not Administrator or User configurable.
Analysis that trigger Alerts and Blocks:
Administrators and Users with privilege can create ‘sentries’ and ‘rules’ which the analysis processes
can use to trigger alerts (IDS_SA_EXP.1) and blocks (IDS_SR_EXP.1).
The types of alerts a Sentry can generate are email, SNMP, or log based alerts. Rules may be used
to generate email, SNMP, log based alerts, and actions (security responses) that block certain
activities or resolve the Offence.
The sentries support the analysis to the raw flow data in the Magistrate subcomponent of the QRadar
Engine, and the Offence rules support the analysis of the data resulting from the application of the
sentries to the raw flow data, generating alerts when the Offence rule predicate is satisfied. The result
of the application of the Offence rules is then processed by Event Rules where the alerts are
weighted, i.e., prioritized based on the result of the Event Rules.
6.1.6.3 IDS-3 Security alarms (IDS_SA_EXP.1)
Internally, QRadar emits alerts from the sentry process on the Classification Engine. These alerts are
sent to the QRadar Engine for display in the Offence Manager view on the Console via the internal
event processor. The Administrator may also configure these alerts to be sent to a QRadar system
log and send a notification to a designated email address.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
33
As explained in IDS-2, there are two types of events, Internal Events generated by Sentries
processing data gathered by Collectors, and External Events generated by the External Event
Collector. This is collectively referred to as ‘event information’.
The Offence Manager includes a Custom Rule Engine that allows Administrators and Users with
appropriate privilege to create rules based on any combination of the event information. Offence
Manager processes each event against these rules and can generate alarms. Based on the rule
definition the alarms can be sent to the QRadar Console Offence Manager view, syslog, pager and/or
e-mail. These alarms are prioritized based on the correlation analysis, e.g., factoring in vulnerabilities
and credibility.
6.1.6.4 IDS-4 Security response (IDS_SR_EXP.1)
QRadar Offence Resolution is a QRadar product module that includes the capability of the QRadar
Engine to block network security threats, as well as security management capabilities and user
interface enhancements.
Authorized administrators and users of QRadar Offence Resolution have the option of taking any of
the actions below either automatically via user-specification in the QRadar Engine, as described in
IDS-3, or upon notification.
Based upon the equipment and location of a detected threat an authorized TOE user can perform a
block action to mitigate the threat. The block action prevents threatening traffic (such as a worm) from
proliferating through the network and infecting other hosts. To achieve the block action three
mechanisms have been incorporated into QRadar Offence Resolution:
• TCP Resets
QRadar utilizes the TCP Reset mechanism to block TCP communications of a host that has
been identified to be a threat to the network. TCP Resets can be used to only shut down the
threatening traffic, while allowing the host to continue running normal business applications.
• ARP Redirection
ARP Redirection allows QRadar to quarantine a host to a specific VLAN/Subnet/CIDR to
inhibit the spread of a threat to other areas of the network.
• Network Devices
QRadar has the ability to issue ACL and rule commands to network devices such as switches
routers and firewalls. ACL and rule commands can be used to configure switches, routers and
firewalls to block specific hosts, ports and interfaces. The protocols thru which rule commands
are directed to layer 2 thru 4 devices vary for different network devices, e.g., they include
telnet, and SNMP.
The QRadar product’s Offence Resolution module also includes a ‘Global exclusions’ mechanism
which allows Administrators to prohibit blocks to a set of pre-defined IP-addresses.
6.1.6.5 IDS-5 Restricted Data Review (IDS_RDR_EXP.1)
QRadar provides the Administrator, or a User who has been granted the Network Surveillance
Administrative privilege, with the capability to read all defense perspective data. The Administrator,
when granting a user the Network Surveillance Administrative privilege, can restrict the read
permission to specific CIDR ranges of the defense perspective data. QRadar prohibits all users read
access to the event data, except those users that have been granted explicit read-access.
QRadar provides the defense perspective data in a manner that is readable for the user. QRadar
provides two methods to view collected network traffic.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
34
First, for users who have been assigned the Administrator role, or hold Network Surveillance
privileges, QRadar supports Views. Each view represents all traffic activity on the network; however,
each view displays the network activity in a specific profile.
The Local Network View has levels of depth, specific to the network hierarchy. The administrator can
also create Custom Views to display the types of traffic the administrator wish to identify, monitor, and
be alerted to, when specific flows appear in the network. The administrator must configure Custom
Views with equations that identify the network activity and match the properties built into an equation.
Global Views are pre-configured views that capture and display network activity.
Each view filters traffic based upon traffic attributes. Views can be configured with an identifiable color
scheme. Each color that appears on the graph represents the activity occurring on the network. Each
color is also displayed in the legend beside the graph. The administrator can point to the color on the
legend to identify the traffic type.
The second method is the Reports capability. The user can design and generate detailed operational
reports and executive summaries with the Reports function. Once the user creates a report, the user
can view the results in multiple formats. The template wizard also allows the user to create a
distribution list to e-mail reports or send a URL that enables online access for viewers. Available views
(and traffic layers) options include: Bytes-which includes Bytes In and Bytes Out, Packets-which
includes pin and pout, Number of Hosts-which includes hlocal and hremote, and Unique Ports-which
includes plocal and premote.
6.1.6.6 IDS-6 Guarantee of Defense perspective data availability (IDS_STG_EXP.1-1)
QRadar stores the Defense Perspective data in 3 separate databases. The flow data is stored in a
proprietary file-based database on the QRadar Engine server to a location specified during
installation. The post-analysis event data is stored on the QRadar Engine server in a Postgres SQL
database, and the raw event data, used to provide the forensic data with the alerts, is stored on the
QRadar Engine server in a proprietary file-based database, referred to as Ariel.
QRadar protects the stored Defense Perspective data from unauthorized modification and deletion
through the TSF interfaces. The QRadar v5.1.2 main screen GUI is engineered so that the user
cannot delete or modify the Defense Perspective data. Also, the QRadar v5.1.2 databases are
configured so that only the Engine and Console component of the TOE can update the records.
QRadar contains a QMonitor feature that signals when the storage capacity is nearing exhaustion.
When the disk space utilization of the database server exceeds an Administrator-specified threshold
an email notification is sent. The notice is re-sent at each 1% increment until the capacity is below
the configured threshold level. The Administrator is responsible to configure the threshold so that
there is sufficient time to delete older data before storage capacity is exhausted.
The Postgres database uses a QRadar process, Vacuumdb that serves as a reduction tool
application. It enables the setting of an expiry date so that older audit database records are removed
when the data’s set expiry date is exceeded. The expiry date of the data and frequency of execution
of crontab is configurable by the Administrator. The Administrator is responsible to configure and
adjust the expiry data so that older data does not saturate the QRadar Engine server’s storage
capacity.
The TSF is dependent on the IT environment and hardware to protect the Defense perspective data
storage from access via the OS interfaces.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
35
6.1.6.7 IDS-7 Data Reporting (IDS_DRS_EXP.1)
QRadar provides two methods for users to view collected network traffic: the Views capability and the
Reports capability.
The Views capability includes default views. Default Views include:
• Local Networks View — Displays traffic by network objects.
• Ports View — Displays traffic originating from identified destination ports.
• Applications View — Displays traffic originating from application layer by client connection and
server connection.
• Remote Networks View — Displays user defined traffic originating from named remote
networks.
• Remote Services View — Displays traffic originating from user defined network ranges or, if
desired, the automatic update function provided by QRadar.
• Collector View — Displays traffic seen by each QFlow Collector.
• Protocol — Displays traffic originating from protocol usage.
• Flow types — Displays the calculated ratio of inbound to outbound traffic.
The Reports capability of QRadar includes a template wizard that enables scheduling, formatting,
viewing, and notification capabilities. Reports may be scheduled for immediate generation by manual
commend, or automatic generation on an hourly, daily, weekly, or monthly basis. Reports can be
created so that they include detailed time series graphs, summarized graphs, derived vulnerability
data, and a combination of charts. Reports are created using the Report Template Wizard and the
defined objects. Defined objects include nets, apps, ports, geographic, remote nets, remote services,
protocols, flow types, collector, IP Tracking, and Threats.
6.1.7 SOF Claims
The threat level for the TOE authentication function is assumed to be SOF-basic. This defines a level
of authentication strength of function where analysis shows that the function provides basic protection
against straightforward or intentional breach of TOE security by attackers possessing a minimum
attack potential. The strength of cryptographic algorithms is outside the scope of the CC. Strength of
function applies only to non-cryptographic, probabilistic or permutational mechanisms. The SOF
requirement applies to the identification and authentication functionality within the TOE.
The overall strength of function requirement is SOF-Basic. The strength of function requirement
applies to FIA_UAU.2. The SOF claim for FIA_UAU.2 is SOF-Basic. Strength of Function shall be
demonstrated for the non-certificate based authentication mechanisms to be SOF-basic, as defined in
Part 1 of the CC. Specifically, the TOE password authentication mechanism must demonstrate
adequate protection against attackers possessing a low-level attack potential.
6.2 Assurance Measures
The TOE satisfies the assurance requirements for Evaluation Assurance Level (EAL) 2. The following
items are provided as evaluation evidence to satisfy the EAL2 assurance requirements:
Table 6-2 Assurance Measures
Component Evidence Requirements How Satisfied
ACM_CAP.2 CM Documentation
• CM Proof
• Configuration Item List
ACM_CAP.2 - QRadar 5.1.2 file list.
ACM_CAP.2 - QRadar 5.1.2 file list - history
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
36
Component Evidence Requirements How Satisfied
ADO_DEL.1 Delivery Procedures Q1 Labs QRadar Reference Guide 5.1
Q1 Labs QRadar Getting Started With QRadar Appliances 5.1, May
2006
Q1 Labs QRadar Installation Guide 5.1, May 2006
QRadar Release Notes; Release 5.1.2; August 2006
ADO_IGS.1 Installation, generation,
and start-up procedures
Q1 Labs QRadar Getting Started With QRadar Appliances 5.1, May
2006
QRadar Release Notes; Release 5.1.1; August 2006
QRadar Release Notes; Release 5.1.2; August 2006
Q1 Labs Q1 Labs QRadarâ„¢ 5.1 Common Criteria Supplement to
the Guidance Documentation”, V0.1, October 28, 2006
ADV_FSP.1 Functional Specification Q1 Labs QRadar 5.1 EAL2 Common Criteria Evaluation
Proprietary Development Specification, v 0.12, December 5, 2005
ADV_HLD.1 High-Level Design Q1 Labs QRadar 5.1 EAL2 Common Criteria Evaluation
Proprietary Development Specification, v 0.12, December 5, 2005
ADV_RCR.1 Representation
Correspondence
Q1 Labs QRadar 5.1 EAL2 Common Criteria Evaluation
Proprietary Development Specification, v 0.12, December 5, 2005
AGD_ADM.1 Administrator Guidance Q1 Labs QRadar Administration Guide 5.1, July 2006
Q1 Labs QRadar Users Guide 5.1, May 2006
Q1 Labs QRadar Getting Started With QRadar Appliances 5.1, May
2006
Q1 Labs Q1 Labsâ„¢ QRadarâ„¢ 5.1 Common Criteria Supplement to
the Guidance Documentation”, V0.1, October 28, 2006
Offence Resolution Users Guide, Release 2.0, May 2006
AGD_USR.1 User Guidance Not applicable for this product
ATE_COV.1 Test Coverage Analysis Test Coverage for Q1 Labs QRadar, October 27, 2006
ATE_FUN.1 Test Documentation Q1 Labs QRadar 5.1 EAL2 Common Criteria Evaluation
Proprietary Development Specification, v 0.12, December 5, 2005
Enterprise_Sentries_Test_Plan.doc, September 7, 2006
IdenAuth#2.doc, September 7, 2006
SecureAudit#1.doc, September 7, 2006
SecurityManage#3.doc, September 7, 2006
IDS#5.doc, September 7, 2006
TSFProtect#4.doc, September 7, 2006
Common Criteria Certification Test Environment Specification,
September 29, 2006
CC test Summary, Version 0.3, September 7, 2006
ATE_IND.2 TOE for Testing TOE for Testing, QRadar Version 5.1.2
Evaluation Team Test Plan: Q1 Labs QRadar V5.1.2, Version 0.4,
October 26, 2006
Evaluation Team Test Report: Q1 Labs QRadar V5.1.2, Version1.0,
December 18, 2006
AVA_SOF.1 SOF Analysis Common Criteria Security Assurance Measures – Strength of TOE
Function Claims Evaluation - AVA_SOF.1, V. 1.3
AVA_VLA.1 Vulnerability Analysis Common Criteria Security Assurance Measures – (EAL2)
Developer Vulnerability Analysis – AVA_VLA.1, version 1.4,
September 13, 2006
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
37
7 PP Claims
The QRadar Security Target was not written to address any existing Protection Profile.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
38
8 Rationale
8.1 Security Objectives Rationale
8.1.1 Threats to Security
Table 8-1 shows that all the identified threats to security are countered by Security Objectives for the
TOE and IT Environment. Rationale is provided for each threat below the table.
Table 8-1 All Threats to Security Countered
Item Threat Name Security Objective
1 T.COMINT O.PARTPROTCT
O.ACCESS
O.IDAUTH
O.PARTINTEGR
OE.PARTPROTCT
OE.PARTINTEGR
OE.TIME
2 T.COMDIS O.PARTPROTCT
O.ACCESS
O.IDAUTH
ON.EXPORT
OE.PARTPROTCT
OE.PARTINTEGR
OE.TIME
3 T.NOHALT O.IDAUTH
O.ACCESS
O.IDSCAN
O.IDSENS
O.IDANLZ
OE.COLLECTEVENTVULN
4 T.PRIVIL O.PARTPROTCT
O.ACCESS
O.IDAUTH
OE.PARTPROTCT
OE.PARTINTEGR
OE.TIME
5 T.IMPCON O.EADMIN
O.ACCESS
O.IDAUTH
ON.INSTALL
6 T.INFLUX O.OFLOWS
OE.OFLOWS
7 T.FACCNT O.AUDITS
8 T.SCNCFG O.IDSCAN
O.IDBLOCK
OE.COLLECTEVENTVULN
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
39
Item Threat Name Security Objective
9 T.SCNMLC O.IDSCAN
O.IDBLOCK
OE.COLLECTEVENTVULN
10 T.SCNVUL O.IDSCAN
OE.COLLECTEVENTVULN
11 T.FALASC O.IDANLZ
12 T.MISUSE O.IDSENS
13 T.TRANSMIT OE.PROTCTCOMM
T.COMINT: An unauthorized user may attempt to compromise the integrity of the data collected and produced
by the TOE by bypassing a security mechanism. T.COMINT is countered by:
• O.PARTPROTCT: The TOE when invoked by the underlying host OS must protect itself from
unauthorized modifications and access to its functions and data within the TOE, through its own
interfaces. This objective provides for access controls that protect the TSF data from unauthorized
modifications and accesses.
• O.ACCESS: The TOE must allow authorized users to access only appropriate TOE functions and data.
This objective builds upon the O.IDAUTH objective by only permitting authorized users to access TSF
data.
• O.IDAUTH: The TOE must be able to identify and authenticate users prior to allowing access to TOE
functions and data. This objective provides for authentication of users prior to any TSF data access.
• O.PARTINTEGR: The TOE with the support of the underlying host OS must ensure the integrity of all
audit and defense perspective data, through its own interfaces. This objective provides for the integrity
of all audit and defense perspective data.
• OE.PARTINTEGR: The IT Environment must ensure the integrity of all audit and defense perspective
data, through the IT Environment’s interfaces within its scope of control. This objective provides for the
integrity of all audit and defense perspective data by the IT Environment.
• OE.PARTPROTCT: The IT Environment must protect itself from unauthorized modifications and access
to its functions and data within the TOE, through the IT Environment’s interfaces within its scope of
control. This objective provides for the IT Environment to protect itself from unauthorized modifications
and access to its functions and data within the TOE.
• OE.TIME: The underlying operating system will provide reliable time stamps. This objective provides
for the IT Environment to provide reliable time stamps
T.COMDIS: An unauthorized user may attempt to disclose the data collected and produced by the TOE by
bypassing a security mechanism. T.COMDIS is countered by:
• O.PARTPROTCT: The TOE when invoked by the underlying host OS must protect itself from
unauthorized modifications and access to its functions and data within the TOE, through its own
interfaces. This objective provides for access controls that protect the TSF data from unauthorized
modifications and accesses.
• O.ACCESS: The TOE must allow authorized users to access only appropriate TOE functions and data.
This objective builds upon the O.IDAuth objective by only permitting authorized users to access TSF
data.
• O.IDAUTH: The TOE must be able to identify and authenticate users prior to allowing access to TOE
functions and data. This objective provides for authentication of users prior to any TSF data access.
• ON.EXPORT: When any IDS component makes its data available to other IDS components, the IT
Environment will ensure the confidentiality of the defense perspective data. This objective provides for
the IT Environment to provide encryption capabilities to protect the TSF data from being disclosed.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
40
• OE.PARTINTEGR: The IT Environment must ensure the integrity of all audit and defense perspective
data, through the IT Environment’s interfaces within its scope of control. This objective provides for the
integrity of all audit and defense perspective data by the IT Environment.
• OE.PARTPROTCT: The IT Environment must protect itself from unauthorized modifications and access
to its functions and data within the TOE, through the IT Environment’s interfaces within its scope of
control. This objective provides for the IT Environment to protect itself from unauthorized modifications
and access to its functions and data within the TOE.
• OE.TIME: The underlying operating system will provide reliable time stamps. This objective provides
for the IT Environment to provide reliable time stamps
T.NOHALT: An unauthorized user may attempt to compromise the continuity of the System’s collection and
analysis functions by halting execution of the TOE. T.NOHALT is countered by:
• O.IDAUTH: The TOE must be able to identify and authenticate users prior to allowing access to TOE
functions and data. This objective provides for authentication of users prior to any TSF data access
• O.ACCESS: The TOE must allow authorized users to access only appropriate TOE functions and data.
This objective builds upon the O.IDAUTH objective by only permitting authorized users to access TSF
data.
• O.IDSCAN: The TOE must collect and store static configuration information that might be indicative of
the potential for a future intrusion or the occurrence of a past intrusion of an IT System. This objective
ensures the TOE collects and stores static configuration information that might be indicative of the
potential for a future intrusion or the occurrence of a past intrusion of an IT System. This includes
attempts at halting the TOE.
• O.IDSENS: The TOE must collect and store information about all events that are indicative of
inappropriate activity that may have resulted from misuse, access, or malicious activity of IT System
assets and the IDS. This objective ensures the TOE collects and stores information about all events
including attempts at halting the TOE.
• O.IDANLZ: The TOE must accept data from IDS Sensors or IDS Scanners and then apply analytical
processes and information to derive conclusions about intrusions (past, present, or future). This
objective ensures that the TOE must apply analysis to the event data gathered by the TOE. This
includes attempts at halting the TOE.
• OE.COLLECTEVENTVULN: The IT Environment must collect event and vulnerability data of an IT
System. This objective ensures that the IT Environment collect event and vulnerability data that might
be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System.
This includes attempts at halting the TOE.
T.PRIVIL: An unauthorized user may gain access to the TOE and exploit system privileges to gain access to
TOE security functions and data. T.PRIVIL is countered by:
• O.PARTPROTCT: The IT Environment must protect itself from unauthorized modifications and access
to its functions and data within the TOE, through the IT Environment’s interfaces within its scope of
control. This objective provides for access controls that protect the TSF data from unauthorized
modifications and accesses.
• O.ACCESS: The TOE must allow authorized users to access only appropriate TOE functions and data.
This objective builds upon the O.IDAUTH objective by only permitting authorized users to access TSF
data.
• O.IDAUTH: The TOE must be able to identify and authenticate users prior to allowing access to TOE
functions and data. This objective provides for authentication of users prior to any TSF data access.
• OE.PARTINTEGR: The IT Environment must ensure the integrity of all audit and defense perspective
data, through the IT Environment’s interfaces within its scope of control. This objective provides for the
integrity of all audit and defense perspective data by the IT Environment.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
41
• OE.PARTPROTCT: The IT Environment must protect itself from unauthorized modifications and access
to its functions and data within the TOE, through the IT Environment’s interfaces within its scope of
control. This objective provides for the IT Environment to protect itself from unauthorized modifications
and access to its functions and data within the TOE.
• OE.TIME: The underlying operating system will provide reliable time stamps. This objective provides
for the IT Environment to provide reliable time stamps
T.IMPCON: An unauthorized user may inappropriately change the configuration of the TOE causing potential
intrusions to go undetected. T.IMPCON is addressed by:
• O.EADMIN: The TOE must include a set of functions that allow effective management of its functions
and data. This objective ensures the TOE has all the necessary administrator functions to manage the
product.
• O.ACCESS: The TOE must allow authorized users to access only appropriate TOE functions and data.
This objective builds upon the O.IDAUTH objective by only permitting authorized users to access TSF
data.
• O.IDAUTH: The TOE must be able to identify and authenticate users prior to allowing access to TOE
functions and data. This objective provides for authentication of users prior to any TSF data access.
• ON.INSTALL: Those responsible for the TOE must ensure that the TOE is delivered, installed,
managed, and operated in a manner which is consistent with IT security. This objective provides for the
secure installation and operation of the TOE.
T.INFLUX: An unauthorized user may cause malfunction of the TOE by creating an influx of data that the TOE
cannot handle. T.INFLUX is countered by:
• O.OFLOWS: The TOE must appropriately handle potential audit and defense perspective data storage
overflows, through its own interfaces This objective counters this threat by requiring the TOE handle
data storage overflows.
• OE.OFLOWS: The IT Environment must appropriately handle potential audit and defense perspective
data storage overflows, through the IT Environment’s interfaces This objective counters this threat by
requiring the IT Environment to handle data storage overflows.
T.FACCNT: Unauthorized attempts to access TOE data or security functions may go undetected. T.FACCNT is
countered by:
• O.AUDITS: The TOE must record audit records for accesses and use of the System blocking function.
This objective counters this threat by requiring the TOE to audit attempts for data accesses and use of
TOE functions.
T.SCNCFG: Improper security configuration settings may exist in the IT System the TOE monitors. T.SCNCFG
is countered by:
• O.IDSCAN: The TOE must collect and store static configuration information that might be indicative of
the potential for a future intrusion or the occurrence of a past intrusion of an IT System. This objective
provides for the TOE collecting and storing static configuration information that may be indicative of a
configuration settings change.
• O.IDBLOCK: The TOE must block network security threats or out-of-policy applications. This objective
provides for the TOE taking corrective actions to configure the network appliances and IT Systems the
TOE monitors to isolate network security threats.
• OE.COLLECTEVENTVULN: The IT Environment must collect event and vulnerability data of an IT
System. This objective ensures that the IT Environment collects event and vulnerability data that might
be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
42
T.SCNMLC: Users could execute malicious code on an IT System that the TOE monitors which causes
modification of the IT System protected data or undermines the IT System security functions. T.SCNMLC is
countered by:
• O.IDSCAN: The TOE must collect and store static configuration information that might be indicative of
the potential for a future intrusion or the occurrence of a past intrusion of an IT System. This objective
provides for the TOE collecting and storing static configuration information from the IT Systems the TOE
monitors. Static configuration information may be indicative of, or may be modified so as to indicate, the
past action or presence of malicious code.
• O.IDBLOCK: The TOE must block network security threats or out-of-policy applications. The TOE
isolates out-of-policy applications thru taking corrective actions to configure the network appliances and
IT Systems the TOE monitors. These corrective actions could prevent the execution of, or mitigate the
effects of executing malicious code.
• OE.COLLECTEVENTVULN: The IT Environment must collect event and vulnerability data of an IT
System. This objective ensures that the IT Environment collect event and vulnerability data that might
be indicative of malicious code being present on IT Systems the TOE monitors.
T.SCNVUL: Vulnerabilities may exist in the IT System the TOE monitors. T.SCNVUL is countered by:
• O.IDSCAN: The TOE must collect and store static configuration information that might be indicative of
the potential for a future intrusion or the occurrence of a past intrusion of an IT System. This objective
provides for the TOE collecting and storing static configuration information from the IT Systems the TOE
monitors. Static configuration information may be indicative of vulnerabilities on the IT systems the TOE
monitors.
• OE.COLLECTEVENTVULN: The IT Environment must collect event and vulnerability data of an IT
System. This objective ensures that the IT Environment collect event and vulnerability data that might
be indicative of the potential for a vulnerability that exists in the IT Systems the TOE monitors.
T.FALASC: The TOE may fail to identify vulnerabilities or inappropriate activity based on association of IDS data
received from all data sources. T.FALASC is countered by:
• O.IDANLZ: The TOE must accept data from IDS Sensors or IDS Scanners and then apply analytical
processes and information to derive conclusions about intrusions (past, present, or future). This
objective provides the function that the TOE will identify vulnerabilities or inappropriate activity based on
association of IDS data received from all data sources.
T.MISUSE: Unauthorized accesses and activity indicative of misuse may occur on an IT System the TOE
monitors. T.MISUSE is countered by:
• O.IDSENS: The TOE must collect and store information about all events that are indicative of
inappropriate activity that may have resulted from misuse, access, or malicious activity of IT System
assets and the IDS. This objective ensures the TOE collects and stores information about all events
including attempts at misuse.
T.TRANSMIT: TSF data may be disclosed or modified by an attacker while being transmitted between the TOE
and its users.
• OE.PROTCTCOMM: The IT environment must protect communications between the TOE and its
components. This objective ensures the IT environment will protect communications between the TOE
and its components.
8.1.2 Organizational Security Policies
Table 8-2 shows that all the identified organizational security policies are covered by Security
Objectives for the TOE and IT Environment. Rationale is provided for each organizational security
policy below the table.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
43
Table 8-2 All Organizational Security Policies are addressed
Item Organizational
Security
Policy
Security Objective
1 P.DETECT O.AUDITS
O.IDSENS
O.IDSCAN
OE.COLLECTEVENTVULN
2 P.ANALYZ O.IDANLZ,
O.IDBLOCK
3 P.MANAGE ON.PERSON
O.EADMIN
ON.INSTALL
O.IDAUTH
O.ACCESS
ON.CREDEN
O.PARTPROTCT
4 P.ACCESS O.IDAUTH
O.ACCESS
O.PARTPROTCT
5 P.ACCACT O.AUDITS
O.IDAUTH
6 P.INTGTY O.PARTINTEGR
7 P.PROTCT O.OFLOWS
ON.PHYCAL
OE.OFLOWS
P.DETECT: Static configuration information that might be indicative of the potential for a future intrusion or the
occurrence of a past intrusion of an IT System or events that are indicative of inappropriate activity that may
have resulted from misuse, access, or malicious activity of IT System assets must be collected. P.DETECT is
covered by:
• O.AUDITS: The TOE must record audit records for accesses and use of the System blocking function.
This objective ensures the TOE will audit attempts for data accesses and use of TOE functions.
• O.IDSENS: The TOE must collect and store information about all events that are indicative of
inappropriate activity that may have resulted from misuse, access, or malicious activity of IT System
assets and the IDS. This objective ensures the TOE collects and stores information about all events.
• O.IDSCAN: The TOE must collect and store static configuration information that might be indicative of
the potential for a future intrusion or the occurrence of a past intrusion of an IT System. This objective
ensures the TOE collects and stores static configuration information that might be indicative of the
potential for a future intrusion or the occurrence of a past intrusion of an IT System.
• OE.COLLECTEVENTVULN: The IT Environment must collect event and vulnerability data of an IT
System. This objective ensures that the IT Environment collect event and vulnerability data that might
be indicative of the potential for a future intrusion or the occurrence of a past intrusion of an IT System.
This includes attempts at halting the TOE.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
44
P.ANALYZ: Analytical processes and information to derive conclusions about intrusions (past, present, or
future) must be applied to Defense Perspective data and appropriate response actions taken. P.ANALYZ is
covered by:
• O.IDANLZ: The TOE must accept data from IDS Sensors or IDS Scanners and then apply analytical
processes and information to derive conclusions about intrusions (past, present, or future). This
objective requires analytical processes are applied to data collected from Sensors and Scanners.
• O.IDBLOCK: The TOE must block network security threats or out-of-policy applications. This objective
requires that the TOE provide a blocking mechanism.
P.MANAGE: The TOE shall only be managed by authorized users. P.MANAGE is covered by:
• ON.PERSON: Personnel working as authorized administrators shall be carefully selected and trained for
proper operation of the System. This objective ensures that the authorized administrators will be
competent and well trained.
• O.EADMIN: The TOE must include a set of functions that allow effective management of its functions
and data. This objective ensures the TOE has all the necessary administrator functions to manage the
product.
• ON.INSTALL: Those responsible for the TOE must ensure that the TOE is delivered, installed,
managed, and operated in a manner which is consistent with IT security. This objective supports the
ON.PERSON objective by ensuring administrators follow all provided documentation and maintain the
security policy.
• O.IDAUTH: The TOE must be able to identify and authenticate users prior to allowing access to TOE
functions and data. This objective provides for the identification and authentication of users prior to any
TSF data access.
• O.ACCESS: The TOE must allow authorized users to access only appropriate TOE functions and data.
This objective builds upon the O.IDAUTH objective by only permitting authorized users to access TSF
data.
• ON.CREDEN: Those responsible for the TOE must ensure that all access credentials are protected by
the users in a manner which is consistent with IT security. This objective requires administrators protect
all authentication data.
• O.PARTPROTCT: The TOE when invoked by the underlying host OS must protect itself from
unauthorized modifications and access to its functions and data within the TOE, through its own
interfaces. This objective provides for access controls that protect the TSF data from unauthorized
modifications and accesses. This objective provides TOE self-protection.
P.ACCESS: All data collected and produced by the TOE shall only be used for authorized purposes.
P.ACCESS is covered by:
• O.IDAUTH: The TOE must be able to identify and authenticate users prior to allowing access to TOE
functions and data. This objective provides for the identification and authentication of users prior to any
TSF data access.
• O.ACCESS: The TOE must allow authorized users to access only appropriate TOE functions and data.
This objective builds upon the O.IDAUTH objective by only permitting authorized users to access TSF
data.
• O.PARTPROTCT: The TOE when invoked by the underlying host OS must protect itself from
unauthorized modifications and access to its functions and data within the TOE, through its own
interfaces. This objective provides for access controls that protect the TSF data from unauthorized
modifications and accesses. This objective provides TOE self-protection.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
45
P.ACCACT: Users of the TOE shall be accountable for their actions when configuring and initiating blocks within
the IDS. P.ACCACT is covered by:
• O.AUDITS: The TOE must record audit records for accesses and use of the System blocking function.
This objective requires the TOE to audit attempts for data accesses and use of TOE functions.
• O.IDAUTH: The TOE must be able to identify and authenticate users prior to allowing access to TOE
functions and data. This objective provides for the identification and authentication of users prior to any
TSF data access.
P.INTGTY: Data collected and produced by the TOE shall be protected from modification. P.INTGTY is covered
by:
• O.PARTINTEGR: The TOE with the support of the underlying host OS must ensure the integrity of all
audit and defense perspective data, through its own interfaces. This objective provides for the integrity
of all audit and defense perspective data
P.PROTCT: The TOE shall be protected from unauthorized accesses and disruptions of TOE data and
functions. P.PROTCT is covered by:
• O.OFLOWS: The TOE must appropriately handle potential audit and defense perspective data storage
overflows, through its own interfaces. This objective counters this threat by requiring the TOE handle
data storage overflows.
• ON.PHYCAL: Those responsible for the TOE must ensure that those parts of the TOE critical to
security policy are protected from any physical attack. This objective provides for the physical
protection of the TOE by authorized administrators.
• OE.OFLOWS: The IT Environment must appropriately handle potential audit and defense perspective
data storage overflows, through the IT Environment’s interfaces This objective counters this threat by
requiring the IT Environment to handle data storage overflows.
8.1.3 Assumptions
Table 8-3 shows that all the identified assumptions are covered by Security Objectives for the TOE
and IT Environment. Rationale is provided for each assumption below the table.
Table 8-3 All Assumptions Addressed
Item Name Objective
1 A.ACCESS ON.INTROP
2 A.DYNAMIC ON.INTROP
ON.PERSON
3 A.MANAGE ON.PERSON
4 A.NOEVIL ON.INSTALL
ON.PHYCAL
ON.CREDEN
5 A.PASSWD ON.PASSWD
6 A.PROTCT ON.PHYCAL
7 A.PROTCTCOMM ON.PRTCTCOMM
8 A.SCOPE ON.INTROP
9 A.TRUSTED ON.PHYCAL
ON.CREDEN
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
46
A.ACCESS: The TOE has access to all the IT security management data and defense perspective data it needs
to perform its functions. A.ACCESS is covered by:
• ON.INTROP: The TOE is interoperable with the IT System it monitors. This objective ensures the TOE
has the needed access to the IT System.
A.DYNAMIC: The TOE will be managed in a manner that allows it to appropriately address changes in the IT
System the TOE monitors. A.DYNAMIC is covered by:
• ON.INTROP: The TOE is interoperable with the IT System it monitors. This objective ensures the TOE
has the needed access to the IT System.
• ON.PERSON: Personnel working as authorized administrators shall be carefully selected and trained for
proper operation of the System. This objective ensures that the TOE will be managed appropriately.
A.MANAGE: There will be one or more competent individuals assigned to manage the TOE and the security of
the information it contains. A.MANAGE is covered by:
• ON.PERSON: Personnel working as authorized administrators shall be carefully selected and trained for
proper operation of the System. This objective ensures that all authorized administrators are qualified
and trained to manage the TOE.
A.NOEVIL: The authorized administrators are not careless, willfully negligent, or hostile, and will follow and
abide by the instructions provided by the TOE documentation. A.NOEVIL is covered by:
• ON.INSTALL: Those responsible for the TOE must ensure that the TOE is delivered, installed,
managed, and operated in a manner which is consistent with IT security. This objective ensures that
the TOE is properly installed and operated.
• ON.PHYCAL: Those responsible for the TOE must ensure that those parts of the TOE critical to
security policy are protected from any physical attack. This objective provides for the physical
protection of the TOE by authorized administrators.
• ON.CREDEN: Those responsible for the TOE must ensure that all access credentials are protected by
the users in a manner which is consistent with IT security. This objective supports this assumption by
requiring protection of all authentication data.
A.PASSWD: The TOE has access to all the IT security management data and defense perspective data it
needs to perform its functions. A.PASSWD is covered by:
• ON.PASSWD: Personnel working as authorized users must follow the password policy parameters in
the TOE guidance about choosing good passwords such as minimum length requirements. This
objective provides for authorized administrators following the supplied guidance to create good
passwords.
A.PROTCT: The TOE hardware and software critical to security policy enforcement will be protected from
unauthorized physical modification. A.PROTCT is covered by:
• ON.PHYCAL: Those responsible for the TOE must ensure that those parts of the TOE critical to
security policy are protected from any physical attack. This objective provides for the physical
protection of the TOE hardware and software.
A.PROTCTCOMM: Those responsible for the TOE will ensure the communications between the TOE
components are secure via a SSL secure
• OE.PROTCTCOMM: Those responsible for the TOE will ensure the communications between the TOE
components are secure via a SSL secure channel. This objective is a restatement of the assumption.
This objective ensures those responsible for the TOE will ensure the communications between the TOE
components are secure via a SSL secure channel.
A.SCOPE: The TOE is appropriately scalable to the IT System the TOE monitors. A.SCOPE is covered by:
• ON.INTROP: The TOE is interoperable with the IT System it monitors. This objective ensures the TOE
has the necessary interactions with the IT System it monitors.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
47
A.TRUSTED: There will be no untrusted users of the TOE and no untrusted software loaded on the TOE host
platforms. A.TRUSTED is covered by:
• ON.PHYCAL: Those responsible for the TOE must ensure that those parts of the TOE critical to
security policy are protected from any physical attack. This objective provides for the physical
protection of the TOE hardware and software to protect against unauthorized access.
• ON.CREDEN: Those responsible for the TOE must ensure that all access credentials are protected by
the users in a manner which is consistent with IT security. This objective supports this assumption by
requiring protection of all authentication data.
Table 8-4 is included as a consistency check to show that all security objectives of the TOE map to at
least one threat or organizational security policy.
Table 8-4 Reverse Mapping of Security Objectives of the TOE map to Threat/Policies
No. Objective Name Threat/Policy
1 O.PARTPROTCT T.COMINT
T.COMDIS
T.PRIVIL
P.MANAGE
P.ACCESS
2 O.IDBLOCK T.SCNCFG
T.SCNMLC
P.ANALYZ
3 O.IDSCAN T.NOHALT
T.SCNCFG
T.SCNMLC
T.SCNVUL
P.DETECT
4 O.IDSENS T.NOHALT
T.MISUSE
P.DETECT
5 O.IDANLZ T.FALASC
P.ANALYZ
6 O.EADMIN T.IMPCON
P.MANAGE
7 O.ACCESS T.IMPCON
T.COMDIS
T.NOHALT
P.MANAGE
P.ACCESS
8 O.IDAUTH T.COMINT
T.COMDIS
T.NOHALT
T.PRIVIL
T.IMPCON
P.MANAGE
P.ACCESS
P.ACCACT
9 O.OFLOWS T.INFLUX
P.PROTCT
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
48
No. Objective Name Threat/Policy
10 O.AUDITS T.FACCNT
P.ACCACT
P.DETECT
11 O.PARTINTEGR T.COMINT
P.INTGTY
Table 8-5 is included as a consistency check to show that all security objectives of the IT Environment
map to at least one threat, organizational security policy, or assumption.
Table 8-5 Reverse Mapping of Security Objectives of the IT Environment to
Threat/Policies/Assumptions
No. Objective Name Threat/Policy/Assumption
12 OE.COLLECTEVENTVULN T.NOHALT
T.SCNCFG
T.SCNMLC
T.SCNVUL
P.DETECT
13 OE.OFLOWS T.INFLUX
P.PROTCT
14 OE.PARTINTEGR T.PRIVIL
15 OE.PARTPROTCT T.PRIVIL
16 OE.PROTCTCOMM T.TRANSMIT
17 OE.TIME T.COMINT
T.COMDIS
T.PRIVIL
Table 8-6 is included as a consistency check to show that all security objectives of the IT Environment
map to at least one threat, organizational security policy, or assumption.
Table 8-6 Reverse Mapping of Security Objectives of the Non-IT Environment to
Threat/Policies/Assumptions
Objective Name Threat/Policy/Assumption
ON.INSTALL P.MANAGE
A.NOEVIL
T.IMPCON
ON.PHYCAL A.NOEVIL
A.PROTCT
A.TRUSTED
P.PROTCT
ON.CREDEN P.MANAGE
A.NOEVIL
A.TRUSTED
ON.PERSON P.MANAGE
A.DYNAMIC
A.MANAGE
ON.INTROP A.ACCESS
A.DYNAMIC
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
49
Objective Name Threat/Policy/Assumption
A.SCOPE
ON.EXPORT T.COMDIS
ON.PASSWD A.PASSWD
ON.PRTCTCOMM A.PROTCTCOMM
8.2 Security Requirements Rationale
8.2.1 Functional Requirements
Table 8-7 shows that all of the security objectives of the TOE are satisfied.
Table 8-7 All Objectives Met by Functional Components
Item Objective Security Functional
Requirement
Component Name
FMT_MTD.1* Management of TSF data
FPT_RVM_EXP.1 Non-bypassability of the TSP
1 O.PARTPROTCT
IDS_STG_EXP.1-1 Guarantee of Defense perspective data
Availability
2 O.IDBLOCK IDS_SR_EXP.1 Security response
3 O.IDSCAN IDS_DPD_EXP.1 Defense perspective data collection
IDS_DPD_EXP.1 Defense perspective data collection
IDS_SA_EXP.1 Security alarms
4 O.IDSENS
IDS_SR_EXP.1 Security response
5 O.IDANLZ IDS_ANL_EXP.1 Analyzer analysis
FIA_ATD.1* User attribute definition
FAU_SAR.1 Audit review
FMT_MTD.1* Management of TSF data
FMT_SMF.1 Specification of management functions
FMT_SMR.1 Security roles
IDS_RDR_EXP.1 Restricted data review
6 O.EADMIN
IDS_DRS_EXP.1 Data Reporting
FAU_SAR.2 Restricted audit review
FIA_UAU.2 User authentication before any action
FIA_UID.2 User identification before any action
FMT_MTD.1* Management of TSF data
IDS_RDR_EXP.1 Restricted Data Review
7 O.ACCESS
IDS_STG_EXP.1-1 Guarantee of Defense perspective data
Availability
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
50
Item Objective Security Functional
Requirement
Component Name
FIA_UAU.2 User authentication before any action
FIA_UID.2 User identification before any action
8 O.IDAUTH
FIA_SOS.1 Verification of secrets
9 O.OFLOWS IDS_STG_EXP.1-1 Guarantee of Defense perspective data
Availability
FAU_LOG_EXP.1 Audit log generation
10 O.AUDITS
FAU_GEN.2 User identity association
11 O.PARTINTEGR IDS_STG_EXP.1-1 Guarantee of Defense perspective data
Availability
O.PARTPROTCT: The TOE when invoked by the underlying host OS must protect itself from unauthorized
modifications and access to its functions and data within the TOE, through its own interfaces O.PARTPROTCT
is addressed by:
• FMT_MTD.1* Management of TSF data, which specifies the management of TSF Data according to
assigned roles.
• FPT_RVM_EXP.1 Non-bypassability of the TSP, which requires that TSP enforcement functions are
invoked and succeed before a security-relevant function is allowed to proceed.
• IDS_STG_EXP.1-1 Guarantee of Defense perspective data Availability, the TOE shall protect the stored
defense perspective data from unauthorized deletion and modification.
O.IDBLOCK: The TOE must block network security threats or out-of-policy applications.
• IDS_SR_EXP.1 Security response, which requires the TSF to take specified actions based upon the
equipment and location of a detected threat.
O.IDSCAN: The TOE must collect and store static configuration information that might be indicative of the
potential for a future intrusion or the occurrence of a past intrusion of an IT System. O.IDSCAN is addressed
by:
• IDS_DPD_EXP.1 Defense perspective data collection, which requires that the TOE be able to collect
specified information from targeted IT System resource(s).
O.IDSENS: The TOE must collect and store information about all events that are indicative of inappropriate
activity that may have resulted from misuse, access, or malicious activity of IT System assets and the IDS.
O.IDSENS is addressed by:
• IDS_DPD_EXP.1 Defense perspective data collection, which requires that the TOE be able to collect
specified information from targeted IT System resource(s).
• IDS_SA_EXP.1 Security alarms, which requires the TSF to take action to send an alert to the QRadar
console, send the alert to the syslog, or send a notification via e-mail upon detection of a potential
security violation
• IDS_SR_EXP.1 Security response, which requires the TSF to take specified actions based upon the
equipment and location of a detected threat.
O.IDANLZ: The TOE must accept data from IDS Sensors or IDS Scanners and then apply analytical processes
and information to derive conclusions about intrusions (past, present, or future). O.IDANLZ is addressed by:
• IDS_ANL_EXP.1 Analyzer analysis, which requires the TOE to perform statistical, signature, and
behavioral analysis function(s) on all IDS data received.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
51
O.EADMIN: The TOE must include a set of functions that allow effective management of its functions and data.
O.EADMIN is addressed by:
• FIA_ATD.1* User attribute definition, which requires that the TSF maintain security attributes of users.
• FAU_SAR.1 Audit review, which requires that the auditor be able to read audit records.
• FMT_MTD.1* Management of TSF data, which specifies the management of TSF Data according to
assigned roles.
• FMT_SMF.1 Specification of management functions, which requires the TSF is capable of performing
the specified security management functions.
• FMT_SMR.1 Security roles, which requires that the TSF maintain multiple administrative roles.
• IDS_RDR_EXP.1 Restricted data review, which requires the TOE to provide the authorized
administrator with the capability to read all data from the defense perspective data, and in a manner
suitable for the authorized administrator to interpret the information.
• IDS_DRS_EXP.1 Data reporting, which requires the TSF be able to report collected event data using
automatically generated reports. In addition, the TSF is capable of generating user defined reports and
real-time views.
O.ACCESS: The TOE must allow authorized users to access only appropriate TOE functions and data.
O.ACCESS is addressed by:
• FAU_SAR.2 Restricted audit review, which requires the TSF to prohibit all users read access to the
audit records, except those users that have been granted explicit read-access.
• FIA_UAU.2 User authentication before any action, which requires each user to be successfully
authenticated before allowing access to the TOE.
• FIA_UID.2 User identification before any action, which requires that users be successfully identified
before allowing access to the TOE.
• FMT_MTD.1* Management of TSF data, which specifies the management of TSF Data according to
assigned roles.
• IDS_RDR_EXP.1 Restricted Data Review, which specifies the TOE shall provide the Administrator with
the capability to read all data from the defense perspective data and in a manner suitable for the user to
interpret the information.
• IDS_STG_EXP.1-1 Guarantee of Defense perspective data Availability, the TOE shall protect the stored
Defense perspective data from unauthorized deletion and modification.
O.IDAUTH: The TOE must be able to identify and authenticate users prior to allowing access to TOE functions
and data. O.IDAUTH is addressed by:
• FIA_UAU.2 User authentication before any action, which requires each user to be successfully
authenticated before allowing access to the TOE.
• FIA_UID.2 User identification before any action, which requires that users be successfully identified
before allowing access to the TOE.
• FIA_SOS.1 Verification of secrets, which requires that the TSF provide a mechanism to verify that
secrets meet the specified password policy.
O.OFLOWS: The TOE must appropriately handle potential audit and defense perspective data storage
overflows, through its own interfaces O.OFLOWS is addressed by:
• IDS_STG_EXP.1-1 Guarantee of Defense perspective data Availability, which requires the TOE shall
protect the stored Defense Perspective data from unauthorized deletion and modification through its
own TSFI, the TOE shall ensure that the most recent, limited by available storage space, defense
perspective data will be maintained when defense perspective data storage exhaustion occurs, and the
TOE shall send an alarm if the storage capacity has been reached..
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
52
O.AUDITS: The TOE must record audit records for accesses and use of the System blocking function.
O.AUDITS is addressed by:
• FAU_LOG_EXP.1 Audit log generation, which requires the ability to audit specified events.
• FAU_GEN.2 User identity association, which requires the ability to associate an auditable event with a
specific user.
O.PARTINTEGR: The TOE with the support of the underlying host OS must ensure the integrity of all audit and
defense perspective data, through its own interfaces. O.PARTINTEGR is addressed by:
• IDS_STG_EXP.1-1 Guarantee of Defense perspective data Availability, the TOE shall protect the stored
defense perspective data from unauthorized deletion and modification.
Table 8-8 is included as a consistency check to show that all SFRs map to Security Objectives of the
TOE
Table 8-8 Reverse Mapping of SFRs to Objectives
No. SFRs Objectives
1. FAU_LOG_EXP.1 O.AUDITS
2. FAU_GEN.2 O.AUDITS
3. FAU_SAR.1 O.EADMIN
4. FAU_SAR.2 O.ACCESS
5. FIA_ATD.1* O.EADMIN
6. FIA_SOS.1 O.IDAUTH
7. FIA_UAU.2 O.IDAUTH
O.ACCESS
8. FIA_UID.2 O.IDAUTH
O.ACCESS
9. FMT_MTD.1* O.PARTPROTCT
O.EADMIN
O.ACCESS
10. FMT_SMF.1 O.EADMIN
11. FMT_SMR.1 O.EADMIN
12. FPT_RVM_EXP.1-1 O.PARTPROTCT
13. IDS_DPD_EXP.1 O.IDSCAN
O.IDSENS
14. IDS_ANL_EXP.1 O.IDANLZ
15. IDS_SA_EXP.1 O.IDSENS
16. IDS_SR_EXP.1 O.IDBLOCK
O.IDSENS
17. IDS_RDR_EXP.1 O.EADMIN
O.ACCESS
18. IDS_STG_EXP.1-1 O.ACCESS
O.OFLOWS
O.PARTINTEGR
O.PARTPROTCT
19. IDS_DRS_EXP.1 O.EADMIN
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
53
8.2.2 Dependencies
Table 8-9 shows the dependencies between the functional requirements. All dependencies are
satisfied. Dependencies that are satisfied by a hierarchical component are denoted by an (H)
following the dependency reference. If the TOE dependency is met by an SFR in the IT environment
an “E” will be next to the reference number. For the SFRs in Part 2 with a dependency on
FAU_GEN.1, this dependency is satisfied by the explicit SFR FAU_LOG_EXP.1. The only difference
is that FAU_LOG_EXP.1 does not require audit of startup and shutdown of the audit function.
Table 8-9 TOE Dependencies Satisfied
No. Component Component Name Dependencies
1. FAU_LOG_EXP.1 Audit log generation FPT_STM.1
FAU_LOG_EXP.1
2. FAU_GEN.2 User identity association
FIA_UID.1
3. FAU_SAR.1 Audit review FAU_LOG_EXP.1
4. FAU_SAR.2 Restricted audit review FAU_SAR.1
5. FIA_ATD.1* User attribute definition None
6. FIA_SOS.1 Verification of secrets None
7. FIA_UAU.2 User authentication before any action FIA_UID.1
8. FIA_UID.2 User identification before any action None
FMT_SMR.1
9. FMT_MTD.1* Management of TSF data
FMT_SMF.1
10. FMT_SMF.1 Specification of management functions None
11. FMT_SMR.1 Security roles FIA_UID.1
12. FPT_RVM_EXP.1-1 Non-bypassability of the TSP None
13. IDS_DPD_EXP.1 Defense perspective data collection None
IDS_DPD_EXP.1
IDS_EVD_EXP.1
14. IDS_ANL_EXP.1 Analyzer analysis
FPT_STM.1
15. IDS_SA_EXP.1 Security alarms IDS_ANL_EXP.1
16. IDS_SR_EXP.1 Security response IDS_ANL_EXP.1
IDS_DPD_EXP.1
17. IDS_RDR_EXP.1 Restricted data review
IDS_EVD_EXP.1
IDS_DPD_EXP.1
18. IDS_STG_EXP.1-1 Guarantee of defense perspective data availability
IDS_EVD_EXP.1
IDS_DPD_EXP.1
19. IDS_DRS_EXP.1 Data reporting
IDS_EVD_EXP.1
Table 8-10 IT Environment Dependencies are Satisfied
No Component Component Name Dependencies
20. FAU_STG_EXP.2 Guarantees of audit data availability FAU_LOG_EXP.1
21. FPT_RVM_EXP.1-1 Non-bypassability of the TSP None
22. FPT_SEP_EXP.1 TSF domain separation None
23. FPT_STM.1 Reliable time stamps None
24. FTP_ITC.1 Trusted path/channels None
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
54
No Component Component Name Dependencies
25. IDS_STG_EXP.1-2 Prevention of Defense Perspective data
loss
None
26. IDS_EVD_EXP.1 Event and vulnerability data collection None
8.2.3 Strength of Function
A strength of function level of SOF-Basic counters an attack level of low. The environment is one
where the potential attacker is unsophisticated, with access to only standard equipment and public
information about the product. A user password is required to be used when accessing the QRadar
GUI. The recommended password policy for administrators, users, and Customer Support users is
defined in the Administrator’s guide.
8.2.4 Assurance Requirements
Evaluation Assurance Level EAL2 was chosen to provide a basic level of assurance due to the low
level threat of malicious attacks.
8.2.5 Rationale that IT Security Requirements are Internally Consistent
The IT Security Requirements are internally consistent. There are no requirements that conflict with
one another. When different IT security requirements apply to the same event, operation, or data
there is no conflict between the security requirements. The requirements mutually support each other
to apply to the event, operation, or data.
For auditing, each of the SFRs builds on the others. For example, FAU_LOG_EXP.1 details the
auditable events generated by the TSF. FAU_GEN.2 provides for the TSF to associate each
auditable event with the identity of the user that caused the event. FAU_SAR.1 states that the TSF
shall provide the Siebel Administrator with the capability to read all audit information from the audit
records. FAU_SAR.2 builds on FAU_SAR.1 by stating the TSF shall prohibit all users read access to
the audit records, except those users that have been granted explicit read-access. IDS_STG_EXP.1-
1 provides protection of the stored audit records from unauthorized deletion and modifications.
Login processing brings in elements of many requirements, but all in a complementary way.
FIA_ATD.1* defines the security attributes belonging to administrators, Customer Support users, and
users. FIA_SOS.1 specifies the password policy that user’s password must comply with. This policy
is supported in the IT environment by training users to use strong passwords. FIA_UID.2 requires the
user to be identified before allowing any other operations and FIA_UAU.2 requires the user to be
authenticated before allowing any other operations.
The management requirements (FMT_) are related to many of the mechanisms involved with other
requirements. FMT_MTD.1* specifies the management of TSF Data according to assigned roles
which are defined in FMT_SMR.1. FMT_SMF.1 specifies the security management functions of the
TSF. In many cases, the other mechanisms will enforce the settings made through management
functions. Installation mechanisms (see ADO_IGS.1) rely on management functions. The
administrator guidance (see AGD_ADM.1) documents the management functions.
FPT_RVM_EXP.1-1 makes certain the TSP enforcement functions are invoked and succeed before
any other functions within the TOE’s Scope of Control are allowed to proceed.
The IDS requirements describe the intrusion detection system requirements of the TOE.
IDS_DPD_EXP.1 requires the TOE to be able to collect the specified information. IDS_ANL_EXP.1
requires the TOE to perform statistical, signature, and behavioral analysis on all defense perspective
data collected (IDS_DPD_EXP.1). IDS_SA_EXP.1 requires the TSF to send an alert to the Offence
Manager view of the QRadar Console, syslog, pager, or via e-mail. IDS_SR_EXP.1 allows the TSF to
take action based upon a detected threat. IDS_RDR_EXP.1 requires the TOE to provide the
Administrator with the capability to read all data from the defense perspective data and in a manner
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
55
suitable for the user to interpret the information. IDS_STG_EXP.1-1 requires the TOE to protect the
stored defense perspective data from unauthorized deletion and modification. In addition, it requires
the TOE to overwrite the oldest stored defense perspective data and send an alarm if the storage
capacity has been reached. IDS_DRS_EXP.1 requires the TSF to be able to report collected event
data using automatically generated reports. In addition the TOE is capable of generating user
defined reports and the following real-time views.
8.2.6 Explicitly Stated Requirements Rationale
A refinement adds additional detail and narrows the scope, but has to be iterated to meet the original
scope of the SFR. FPT_RVM_EXP.1-1 had to be explicitly stated because it provides partial TOE
self-protection while relying on the OS and Hardware platforms to provide the full protection.
According to CCIMB RI#19, which states the following: “Where necessary to cover different aspects of
the same requirement (e.g. identification of more than one type of user), repetitive use (i.e. applying
the operation of iteration) of the same Part 2 components to cover each aspect is possible. The
statement of TOE security requirements shall define the functional and assurance security
requirements that the TOE and the supporting evidence for its evaluation need to satisfy in order to
meet the security objectives for the TOE. Since the iterations of FPT_RVM_EXP.1 span both the
TOE requirements and IT Environment, they must be explicitly stated. FPT_SEP_EXP.1 had to be
explicitly stated because it applies only to the IT environment. FAU_STG_EXP.2 had to be explicitly
stated because it describes measures taken in the IT Environment to protect audit data stored in the
IT Environment.
FAU_LOG_EXP.1 had to be explicitly stated, because the TOE does not provide the ability to audit of
startup and shutdown of the audit function as required by FAU_GEN.1. However, in the TOE the
audit capability is always enabled, and, since the TOE does audit startup and shutdown of the TOE,
the auditing of startup or shutdown of the TOE is logically equivalent to startup or shutdown of the
audit function.
A family of IDS requirements was created to specifically address the data collected and analyzed by
an IDS. The purpose of this family of requirements is to address the unique nature of IDS data and
provide for requirements about collecting, reviewing and managing the data. IDS_DPD_EXP.1 had to
be explicitly stated because there is not an existing SFR in the CC Part 2 that describes defense
perspective data collection function. IDS_ANL_EXP.1 had to be explicitly stated because there is not
an existing SFR in the CC Part 2 that describes an analyzer analysis function. IDS_SA_EXP.1 had to
be explicitly stated because there is not an existing SFR in the CC Part 2 that describes send an alert
generated in response to the data collected and analyzed by an IDS. IDS_SR_EXP.1 had to be
explicitly stated because there is not an existing SFR in the CC Part 2 that describes a security
response function. IDS_RDR_EXP.1 had to be explicitly stated because there is not an existing SFR
in the CC Part 2 that describes a restricted data review function. IDS_STG_EXP.1-1 had to be
explicitly stated because there is not an existing SFR in the CC Part 2 that describes the protection of
data from unauthorized deletion other than audit data. IDS_DRS_EXP.1 had to be explicitly stated
because there is not an existing SFR in the CC Part 2 that describes reporting of the data collected
and analyzed by an intrusion detection system. IDS_EVD_EXP.1 had to be explicitly stated because
there is not an existing SFR in the CC Part 2 that describes collection of information from targeted IT
system resources.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
56
8.2.7 Requirements for the IT Environment
Table 8-11 shows that all of the security objectives for the IT environment are satisfied. Rationale for
each objective is included below the table.
Table 8-11 All Objectives for the IT Environment map to Requirements in the IT environment
Item IT Environment Objective IT Environment Objective Description IT Environment
SFR
12 OE.COLLECTEVENTVULN The IT Environment must collect event and
vulnerability data of an IT System
IDS_EVD_EXP.1
FAU_STG_EXP.2
13 OE.OFLOWS The IT Environment must appropriately handle
potential audit and defense perspective data
storage overflows, through the IT Environment’s
interfaces
IDS_STG_EXP.1-2
FAU_STG_EXP.2
14 OE.PARTINTEGR The IT Environment must ensure the integrity of all
audit and defense perspective data, through the IT
Environment’s interfaces within its scope of
control.
IDS_STG_EXP.1-2
FPT_RVM_EXP.1-2
15 OE.PARTPROTCT The IT Environment must protect itself from
unauthorized modifications and access to its
functions and data within the TOE, through the IT
Environment’s interfaces within its scope of
control.
FPT_SEP_EXP.1
16 OE.PROTCTCOMM The IT environment must protect communications
between the TOE and its components.
FTP_ITC.1
17 OE.TIME The underlying operating system will provide
reliable time stamps.
FPT_STM.1
OE.COLLECTEVENTVULN: The IT Environment must collect event and vulnerability data of an IT System.
OE.COLLECTEVENTVULN is addressed by:
• IDS_EVD_EXP.1 Event and vulnerability data collection, which requires the IT Environment to collect
the following information from the targeted IT System resource(s): event data from network devices that
produce Netflow, Jflow, and Sflow events, and vulnerability data.
OE.OFLOWS: The IT Environment must appropriately handle potential audit and defense perspective data
storage overflows, through the IT Environment’s interfaces OE.OFLOWS is addressed by:
• FAU_STG_EXP.2 Guarantees of audit data availability, which requires that the IT Environment protect
the stored audit records from unauthorised deletion and modifications.
• IDS_STG_EXP.1-2 Guarantee of Defense perspective data Availability, the IT Environment shall protect
the stored defense perspective data from unauthorized deletion and modification.
OE.PARTINTEGR: The IT Environment must ensure the integrity of all audit and defense perspective data,
through the IT Environment’s interfaces within its scope of control. OE.PARTINTEGR is addressed by:
• FAU_STG_EXP.2 Guarantees of audit data availability, which requires that the IT Environment protect
the stored audit records from unauthorised deletion and modifications.
• IDS_STG_EXP.1-2 Guarantee of Defense perspective data Availability, the IT Environment shall protect
the stored defense perspective data from unauthorized deletion and modification.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
57
OE.PARTPROTCT: The IT Environment must protect itself from unauthorized modifications and access to its
functions and data within the TOE, through the IT Environment’s interfaces within its scope of control.
OE.PARTPROTCT is addressed by:
• FPT_RVM_EXP.1-2 Non-bypassability of the TSP, which requires that the IT Environment ensures the
OS enforcement functions are invoked and succeed before a security-relevant function is allowed to
proceed.
• FPT_SEP_EXP.1 TSF domain separation, which requires the Operating System to maintain a security
domain for its own execution that protects it from interference and tampering by untrusted subjects
initiating actions through the Operating System’s Interface. The IT environment will enforce separation
between security domains of subjects in the Operating System’s Scope of Control.
OE.PROTCTCOMM: The IT environment must protect communications between the TOE and its components.
OE.PROTCTCOMM is addressed by:
• FTP_ITC.1 Inter-TSF trusted channel, which requires the IT environment to provide a communication
channel between itself and a remote trusted IT product that is logically distinct from other
communication channels and provides assured identification of its end points and protection of the
channel data from modification or disclosure.
OE.TIME: The underlying operating system will provide reliable time stamps. OE.Time is addressed by:
• FPT_STM.1 Reliable time stamps, which require that time stamps be provided by the IT environment.
Table 8-12 Reverse Mapping of Security Requirements for the Environment to IT Security
Objectives of the Environment
No. IT Environment SFR IT Environment Security Objective
22 FAU_STG_EXP.2 OE.PARTINTEGR
OE.OFLOWS
23 FPT_RVM_EXP.1-2 OE.PARTPROTCT
24 FPT_SEP_EXP.1 OE.PARTPROTCT
25 FPT_STM.1 OE.TIME
26 FTP_ITC.1 OE.PROTCTCOMM
27 IDS_STG_EXP.1-2 OE.PARTINTEGR
OE.OFLOWS
28 IDS_EVD_EXP.1 OE.COLLECTEVENTVULN
8.3 TOE Summary Specification Rationale
8.3.1 IT Security Functions
Table 8-13 shows that the IT Security Functions in the TOE Summary Specification (TSS) address all
of the TOE Security Functional Requirements.
Table 8-13 Mapping of Functional Requirements to TOE Summary Specification
Requirement is met by:
No Functional
Component
Functional Requirement
Security
Function
Ref. No
Rationale
1 FAU_LOG_EXP.1 Audit log generation AU-1 Specifies the types of events to
be audited.
2 FAU_GEN.2 User identity association AU-2 Specifies that each auditable
event is associated with the
identity of the user that caused
the event.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
58
Requirement is met by:
No Functional
Component
Functional Requirement
Security
Function
Ref. No
Rationale
3 FAU_SAR.1 Audit review AU-3 Specifies the authorized
administrator has the capability
to read all audit information from
the audit records.
4 FAU_SAR.2 Restricted audit review AU-4 Specifies that only specific users
have read access to the audit
records.
5a FIA_ATD.1-1 User attribute definition IA-1 Specifies the security attributes
maintained for Customer Support
and administrator user.
5b FIA_ATD.1-2 User attribute definition IA-2 Specifies the security attributes
maintained for each user.
6 FIA_SOS.1 User authentication IA-3 Specifies that QRadar has a
password policy.
7 FIA_UAU.2 User authentication before any
action
IA-3 Specifies that the QRadar
Administrator Interface requires
each user to successfully
authenticate with a password
before being allowed any other
actions.
8 FIA_UID.2 User identification before any
action
IA-4 Specifies that the QRadar
Administrator Interface requires
each user to identify
himself/herself before being
allowed to perform any other
actions.
9a FMT_MTD.1-1 Management of TSF data SM-1 Specifies that the TOE restricts
the ability to access data
regarding the Administration of
Security Functions.
9b FMT_MTD.1-2 Management of TSF data SM-2 Specifies that the TOE restricts
the ability to access data
regarding Users with Privileges.
9c FMT_MTD.1-3 Management of TSF data SM-3 Specifies that the TOE restricts
the ability to access data
regarding Users sharing
privileges.
9d FMT_MTD.1-4 Management of TSF data SM-4 Specifies that the TOE restricts
the ability to access data
regarding Customer Support
Users.
9e FMT_MTD.1-5 Management of TSF data SM-5 Specifies that the TOE restricts
the ability to access data
regarding the management of
passwords.
10 FMT_SMF.1 Specification of Management
Functions
SM-6 Specifies the security
management functions provided
by the TOE.
11 FMT_SMR.1 Security roles SM-7 Specifies the roles maintained in
the TOE.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
59
Requirement is met by:
No Functional
Component
Functional Requirement
Security
Function
Ref. No
Rationale
12 FPT_RVM_EXP.1-1 Non-bypassability of the TSP SP-1 Specifies that the TSF ensures
that the TSP enforcement
functions are invoked and
succeed before each function is
allowed to proceed.
13 IDS_DPD_EXP.1 Defense perspective data
collection
IDS-1 Specifies that the TOE collects
the specified defense
perspective data.
14 IDS_ANL_EXP.1 Analyzer analysis IDS-2 Specifies that the TOE performs
statistical, signature, and
behavioral analysis on all IDS
data received.
15 IDS_SA_EXP.1 Security alarms IDS-3 Specifies that an alert will be
sent upon detection of a potential
security violation.
16 IDS_SR_EXP.1 Security response IDS-4 Specifies that the TSF will take
action when a threat is detected.
17 IDS_RDR_EXP.1 Restricted Data Review IDS-5 Specifies that the TOE provide
the administrator with the
capability to read all data from
the defense perspective data and
in a manner suitable for the user
to interpret the information.
18 IDS_STG_EXP.1-1 Guarantee of Defense perspective
data Availability
IDS-6 Specifies that the TOE will
protect stored defense
perspective data from
unauthorized deletion and
modification. In addition, that the
TOE will overwrite the oldest
stored defense perspective data
and send an alarm if the storage
capacity is exceeded.
19 IDS_DRS_EXP.1 Data Reporting IDS-7 Specifies that the TSF be able to
collect event data using
automatically generated reports.
In addition, the TSF is capable of
generating user defined reports
and real-time views.
8.3.2 Assurance Measures
The assurance measures rationale shows how all assurance requirements are satisfied. The
rationale is provided in Table 8-14.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
60
Table 8-14 Assurance Measures Rationale
Component Evidence
Requirements
How Satisfied Rationale
ACM_CAP.2 CM Documentation
• CM Proof
• Configuration Item
List
A Configuration list was
provided
• CM Proof
- Show proof that CM
system is being used
for development.
• Configuration Item List(s)
- is comprised of a list of
the source code files
and version numbers
- is comprised of a list of
design documents with
version numbers
- is comprised of test
documents with version
numbers
- user and administrator
documentation with
version numbers
ADO_DEL.1 Delivery Procedures Delivery procedures were
provided
Provides a description of all
procedures that are necessary
to maintain security when
distributing software to the
user’s site.
- Applicable across all phases
of delivery from packaging,
storage, distribution
ADO_IGS.1 Installation,
generation, and start-
up procedures
An Installation Guide was
provided
Provides detailed instructions
on how to install the product.
Provides rationale that TSF is
fully represented
Describes the TSF interfaces
and TOE functionality
ADV_FSP.1 Functional
Specification
A Functional Specification was
provided
Describes TOE functionality
ADV_HLD.1 High-Level Design A High Level Designs was
provided
Describes the TOE subsystems
and their associated security
functionality
ADV_RCR.1 Representation
Correspondence
Documentation was provided
that includes correspondence
analysis between:
1. TSS and functional
specification;
2. functional specification and
high-level design;
3. high-level design and the
low-level design; and
4. low-level design and
implementation representation
subset.
Provides the following two
dimensional mappings:
1. TSS and functional
specification;
2. functional specification and
high-level design.
AGD_ADM.1 Administrator
Guidance
An Administrator Guide was
provided.
Describes how to administer
the TOE securely.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
61
Component Evidence
Requirements
How Satisfied Rationale
AGD_USR.1 User Guidance Not applicable for this product Describes the secure use of
the TOE.
ATE_COV.1 Test Coverage
Analysis
Test Coverage was provided Shows correspondence
between the tests identified in
the test documentation and the
TSF as described in the
functional specification.
ATE_FUN.1 Test Documentation Test Documentation (Test
Plans) provided
Test documentation includes
test plans and procedures and
expected and actual results.
ATE_IND.2 TOE for Testing TOE for Testing The TOE was provided for
testing.
AVA_SOF.1 SOF Analysis SOF Analysis was reviewed. Provides a rationale that each
mechanism identified in the ST
as having an SOF meets or
exceeds the minimum strength
level specified there.
AVA_VLA.1 Vulnerability Analysis Vulnerability Analysis was
reviewed
Provide an analysis of the TOE
deliverables for obvious ways
in which a user can violate the
TSP, including the disposition
of obvious vulnerabilities.
8.4 PP Claims Rationale
Not applicable. There are no PP claims.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
62
9 Appendix
9.1 Acronyms
Table 9-1 Acronyms
Acronym Definition
ACM Configuration Management
ADO Delivery and Operation
ADV Development
AGD Guidance Documents
ALC Life cycle support
ATE Tests
AVA Vulnerability assessment
CC Common Criteria [for IT Security Evaluation]
DSM Device Support Module
EAL Evaluation Assurance Level
FAU Security Audit
FCO Communication
FCS Cryptographic Support
FDP User Data Protection
FIA Identification and Authentication
FMT Security Management
FPT Protection of the TSF
FTA TOE Access
FTP Trusted Channels/Path
GUI Graphical User Interface
ID Identifier
IDS Intrusion Detection System
IT Information Technology
NIDS Network Intrusion Detection System
NMAP Open Source Network Mapper
SF Security Function
SFP Security Function Policy
ST Security Target
TOE Target of Evaluation
TSC TSF Scope of Control
TSF TOE Security Functions
TSFI TOE Security Functions Interface
TSP TOE Security Policy
VA Vulnerability Assessment
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
63
9.2 References
Table 9-2 References
Common Criteria for Information Technology Security Evaluation,
CCIMB-2004-01-002, Version 2.2, January 2004.
QRadar 3.0 Administrator Guide Document release v5.1.1 July, 2006
QRadar 3.0 User Guide Document release v5.1 May, 2006
QRadar Installation Guide, release v5.1 May, 2006
QRadar Hardware Installation Guide, release v5.1 May, 2006
Getting Started Guide, release v5.1 May, 2006
9.3 Glossary
Table 9-3 Customer Specific Terms
Term Definition
Alert Once the defense perspective data is analyzed by correlating the event with the various
types of raw data, normalized data, and Offences, then weighted Offence alerts can be
generated.
Block Prevent network traffic from moving through the network.
Customer
network
The domain of network and host traffic to be analyzed by the TOE.
Defense
Perspective
Data
The complete set of information provided on the customer network which includes: flow
information, event collection information, and general analysis data generated by the TSF.
Device Support
Module
A DSM is a multi-faceted capability of the Event Collector and Event Processor to collect,
normalize, and preprocess incoming events. (Note: The DSM is to be considered as
something to be “plugged in” and the actual amount of DSMs that can be accessed is
unlimited. (These DSMs are outside of the TOE.)
Offence
Manager
The Offence Manager is the name given to the GUI screen tab menu option view (interface)
to the core processing component that implements the Judicial System Logic (JSL),
specifically the Magistrate sub component of the Engine component of the TOE. The JSL is
the foundation for event processing and correlation in the Offence Manager view.
External event
device
An external IT Entity network device that provides the TOE external event data (traps or
events) and vulnerability data for analysis to detect threats, and/or receives from the TOE
blocking data (to fill in) to prevent the threat from proliferating throughout the network.
External event
information
The aggregated and normalized data provided by the external event devices. Also referred
to as part of Defense Perspective data.
Flow A single stream of related data packets.
Flow
information
The aggregated and normalized flow data collected by the QFlow Collectors.
IDS data Intrusion Detection System data that is made up of defense perspective data, alerts, blocks
generated by the TSF, and any configuration data related to these. Also referred to as part
of Defense Perspective data.
Raw
normalized
event data
Raw normalized event data is collected from a device and transformed onto a well –known
processing format and stored in the appropriate Raw Normalized Event Storage proprietary
database.
Q1 Labs - All Rights Reserved Unclassified
Security Target Version 2.0.4 January 30, 2007
64
Term Definition
Offence Model The Offence Model is a relational database that stores a variety of data displayed in the
Offence Manager view. These include Rap Sheet analysis, Defense Perspective analysis,
Custom Rules Engine (Offences), Offence Describer and analysis, Offence Statistics, Worm
Propagation/Offence Chaining analysis, and Judgment modules data.
Security
Management
Data
TOE configuration data and audit data.
Surveillance
information
Includes a database of flow information, a set of analysis data, and a database of external
event information.
Violations Violations are generated by the TSF and are the results of the analysis of the Defense
Perspective Data.
Table 9-4 CC Specific Terms
Term Definition
Authorised user A user who may, in accordance with the TSP, perform an operation.
External IT entity Any IT product or system, untrusted or trusted, outside of the TOE that interacts with
the TOE.
Role A predefined set of rules establishing the allowed interactions between a user and the
TOE.
TOE Security
Functions (TSF)
A set consisting of all hardware, software, and firmware of the TOE that must be
relied upon for the correct enforcement of the TSP.
User Any entity (human user or external IT entity) outside the TOE that interacts with the
TOE.