AlienVault USM for Government v4.12 and RT Logic CyberC4:Alert v4.12


AlienVault USM for Government v4.12 and RT Logic CyberC4:Alert v4.12
Security Target
Version 2.2
October 16, 2015

Prepared For
AlienVault
1875 S. Grant Street, Suite 200
San Mateo, CA, USA 94402

Prepared By
CygnaCom Solutions Inc.
7925 Jones Branch Drive, Suite 5400
McLean, VA 22102-3378
703 848-0883, Fax 703 848-0985

AlienVault USM for Government v4.12 Security Target

Table of Contents

1 SECURITY TARGET INTRODUCTION  5
1.1 SECURITY TARGET REFERENCE  5
1.2 TOE REFERENCE  5
1.3 TOE OVERVIEW  5
1.3.1 TOE Product Type  5
1.3.2 TOE Usage  6
1.3.3 TOE Security Functionality  6
1.4 TOE DESCRIPTION  7
1.5 TOE ARCHITECTURE  7
1.5.1 Sensor  8
1.5.2 Server  8
1.5.3 Logger  9
1.6 TOE BOUNDARIES  9
1.6.1 Data  9
1.6.2 Physical Boundary  9
1.6.3 Logical Boundary  11
1.6.3.1 Security Audit  11
1.6.3.2 Cryptographic Support  11
1.6.3.3 User Data Protection  12
1.6.3.4 Identification and Authentication  12
1.6.3.5 Security Management  12
1.6.3.6 Protection of the TSF  12
1.6.3.7 TOE Access  13
1.6.3.8 Trusted Path/Channels  13
1.6.4 Excluded Functionality  13
1.6.5 TOE Guidance and Reference Documents  14
2 CONFORMANCE CLAIMS  15
2.1 COMMON CRITERIA CONFORMANCE CLAIM  15
2.2 PROTECTION PROFILE CLAIM  15
2.3 PACKAGE CLAIM  15
2.4 CONFORMANCE RATIONALE  15
3 SECURITY PROBLEM DEFINITION  16
3.1 THREATS  16
3.2 ORGANIZATIONAL SECURITY POLICIES (OSPS)  16
3.3 ASSUMPTIONS  17
4 SECURITY OBJECTIVES  18
4.1 SECURITY OBJECTIVES FOR THE TOE  18
4.2 SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT  19
5 EXTENDED COMPONENTS DEFINITION  20
5.1 EXTENDED SECURITY FUNCTIONAL COMPONENTS RATIONALE  20
6 SECURITY REQUIREMENTS  21
6.1 SECURITY FUNCTIONAL REQUIREMENTS  21
6.1.1 Security Audit (FAU)  23
6.1.1.1 FAU_GEN.1 Audit Data Generation  23
6.1.1.2 FAU_GEN.2 User Identity Association  24
6.1.1.3 FAU_STG_EXT.1 Extended: External Audit Trail Storage  24
6.1.2 Cryptographic Support
6.1.2.1 FCS_CKM.1 Cryptographic Key Generation (for asymmetric keys)  25
6.1.2.2 FCS_CKM_EXT.4 Extended: Cryptographic Key Zeroization  25
6.1.2.3 FCS_COP.1(1) Cryptographic Operation (for data encryption/decryption)  25
6.1.2.4 FCS_COP.1(2) Cryptographic Operation (for cryptographic signature)  25
6.1.2.5 FCS_COP.1(3) Cryptographic Operation (for cryptographic hashing)  26
6.1.2.6 FCS_COP.1(4) Cryptographic Operation (for keyed-hash message authentication)  26
6.1.2.7 FCS_RBG_EXT.1 Extended: Cryptographic Operation (Random Bit Generation)  26
6.1.2.8 FCS_HTTPS_EXT.1 Extended: HTTPS  26
6.1.2.9 FCS_TLS_EXT.1 Extended: TLS  26
6.1.3 User Data Protection (FDP)  27
6.1.3.1 FDP_RIP.2 Full Residual Information Protection  27
6.1.4 Identification and Authentication (FIA)  27
6.1.4.1 FIA_PMG_EXT.1 Extended: Password Management  27
6.1.4.2 FIA_UIA_EXT.1 Extended: User Identification and Authentication  27
6.1.4.3 FIA_UAU_EXT.2 Extended: Password-based Authentication Mechanism  27
6.1.4.4 FIA_UAU.7 Protected Authentication Feedback  27
6.1.5 Security Management (FMT)  29
6.1.5.1 FMT_MTD.1 Management of TSF Data (for general TSF data)  29
6.1.5.2 FMT_SMF.1 Specification of Management Functions  29
6.1.5.3 FMT_SMR.2 Restrictions on Security Roles  29
6.1.6 Protection of the TSF (FPT)  30
6.1.6.1 FPT_SKP_EXT.1 Extended: Protection of TSF Data (for reading of all symmetric keys)  30
6.1.6.2 FPT_APW_EXT.1 Extended: Protection of Administrator Passwords  30
6.1.6.3 FPT_STM.1 Reliable Time Stamps  30
6.1.6.4 FPT_TUD_EXT.1 Extended: Trusted Update  30
6.1.6.5 FPT_TST_EXT.1: TSF Testing  30
6.1.7 TOE Access (FTA)  31
6.1.7.1 FTA_SSL_EXT.1 TSF-initiated Session Locking  31
6.1.7.2 FTA_SSL.3 TSF-initiated Termination  31
6.1.7.3 FTA_SSL.4 User-initiated Termination  31
6.1.7.4 FTA_TAB.1 Default TOE Access Banners  31
6.1.8 Trusted Path/Channels (FTP)  32
6.1.8.1 FTP_ITC.1 Inter-TSF Trusted Channel  32
6.1.8.2 FTP_TRP.1 Trusted Path  32
6.2 SECURITY ASSURANCE REQUIREMENTS  33
6.2.1 Security Assurance Requirements for the TOE  33
6.2.2 Security Assurance Requirements Rationale  35
6.2.3 Extended Assurance Activities  35
6.2.3.1 Class ADV Assurance Activities  36
6.2.3.2 Class AGD Assurance Activities  36
6.2.3.3 Class ALC Assurance Activities  37
6.2.3.4 Class ATE Assurance Activities  38
6.2.3.5 Class AVA Assurance Activities  39
6.2.4 Extended Assurance Activities  39
6.3 RATIONALE  40
6.3.1 TOE SFR Dependencies  40
7 TOE SUMMARY SPECIFICATION  42
7.1 SECURITY AUDIT  43
7.2 CRYPTOGRAPHIC SUPPORT  43
7.3 USER DATA PROTECTION  47
7.4 IDENTIFICATION AND AUTHENTICATION  47
7.5 SECURITY MANAGEMENT  49
7.6 PROTECTION OF THE SECURITY FUNCTIONALITY  49
7.7 TOE ACCESS  51
7.8 TRUSTED PATH/CHANNELS  51
8 ACRONYMS AND TERMINOLOGY  52
8.1.1 Acronyms  52
8.1.2 Product Acronyms and Terminology  52

Figures and Tables

Figures

FIGURE 1: TOE ARCHITECTURE  8
FIGURE 2: TOE LAYOUT  10
FIGURE 3: TOE EXAMPLE DEPLOYMENT AND BOUNDARY  11

Tables

TABLE 1: TOE PLATFORMS  5
TABLE 2: HARDWARE SPECIFICATIONS  10
TABLE 3: USER GUIDANCE DOCUMENTS  14
TABLE 4: ST REFERENCE DOCUMENTS  14
TABLE 5: TOE THREATS (FORMAL)  16
TABLE 6: ORGANIZATIONAL SECURITY POLICIES (FORMAL)  17
TABLE 7: TOE ASSUMPTIONS (FORMAL)  17
TABLE 8: TOE SECURITY OBJECTIVES (FORMAL)  18
TABLE 9: SECURITY OBJECTIVES FOR THE OPERATIONAL ENVIRONMENT (FORMAL)  19
TABLE 10: EXTENDED COMPONENTS  20
TABLE 11: TOE SECURITY FUNCTIONAL COMPONENTS  22
TABLE 12: AUDITABLE EVENTS  23
TABLE 13: NDPP ASSURANCE COMPONENTS  33
TABLE 14: ADV_FSP.1 BASIC FUNCTIONAL SPECIFICATION  33
TABLE 15: AGD_OPE.1 OPERATIONAL USER GUIDANCE  33
TABLE 16: AGD_PRE.1 PREPARATIVE PROCEDURES  34
TABLE 17: ALC_CMC.1 LABELING OF THE TOE  34
TABLE 18: ALC_CMS.1 TOE CM COVERAGE  34
TABLE 19: ATE_IND.1 INDEPENDENT TESTING – CONFORMANCE  35
TABLE 20: AVA_VAN.1 VULNERABILITY SURVEY  35
TABLE 21: SFR DEPENDENCIES  40
TABLE 22: SECURITY FUNCTIONS MAPPED TO SECURITY OBJECTIVES  42
TABLE 23: TOE CRYPTOGRAPHY  44
TABLE 24: NIST SP 800-56B IMPLEMENTATION  45
TABLE 25: TOE CSPs  46
TABLE 26: ACRONYMS  52
TABLE 27: TERMINOLOGY  52

AlienVault Proprietary 2 of 52 CygnaCom Solutions Proprietary

1 Security Target Introduction

1.1 Security Target Reference

ST Title: AlienVault USM for Government, Version 4.12 and RT Logic CyberC4:Alert v4.12 Security Target
ST Version: v2.2
ST Author: CygnaCom Solutions Inc.
ST Date: 10/16/2015
Protection Profile: U.S. Government Standard Protection Profile for Network Devices, Version 1.1, 08 June 2012

1.2 TOE Reference

TOE Developer: AlienVault
Evaluation Sponsor: AlienVault
TOE Identification: AlienVault USM for Government v4.12 and RT Logic CyberC4:Alert v4.12
CC Identification: Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4, September 2012.

Table 1: TOE Platforms

Platform                      | Version  | Device Model
AlienVault USM for Government | v4.12.13 | All-In-One

Note: The TOE is also offered as an OEM product through RT Logic, known as CyberC4:Alert. CyberC4:Alert is an OEM version of USM for Government. The products are identical in terms of hardware, code and functionality; there are no differences between the two. CyberC4:Alert is simply rebranded under RT Logic's product offerings and uses the same documentation as USM for Government v4.12.

1.3 TOE Overview

1.3.1 TOE Product Type

The Target of Evaluation (TOE) is a Network Device as defined by the protection profile: “A network device is a device composed of hardware and software that is connected to the network and has an infrastructure role in the overall enterprise”.

1.3.2 TOE Usage

The TOE is AlienVault’s Unified Security Management (USM) for Government v4.12. The TOE is a network appliance that provides centralized network and compliance monitoring functionality. The TOE offers network administrators four essential capabilities in a single platform: asset discovery, behavioral monitoring, vulnerability monitoring, and network security monitoring.

The TOE does not implement a proactive response capability and is purely a monitoring system. The TOE is capable of integrating with external security tools to create a unified monitoring solution, but such external tools are considered part of the operational environment and their use and functionality are outside the scope of this evaluation.

All TOE appliances are shipped ready for immediate access through a remote Web Interface or the local console interface. Some basic features are enabled by default. To ensure secure use, the product must be configured prior to being deployed into a production environment as specified in the user guidance.

1.3.3 TOE Security Functionality

- Security Audit
  - Generate audit logs for security-relevant events
  - Supports secure communications to remote syslog servers
- Cryptographic Support
  - Validated cryptographic algorithms
  - Data zeroization
- User Data Protection
  - Residual information clearing
- Identification and Authentication
  - Password and user access policies
- Security Management
  - Local and remote administration
- Protection of the TOE Security Function (TSF)
  - Self-test on power-up
  - Trusted update
- TOE Access
  - Role-based access control
  - Session timeout and lockout
- Trusted Path/Channels
  - Trusted path for remote administrators

1.4 TOE Description

AlienVault USM for Government v4.12 (AlienVault USM), the Target of Evaluation (TOE), is a Security Information and Event Management (SIEM) appliance: a network device that allows monitoring of a distributed enterprise network from a single appliance. AlienVault USM is designed to integrate with a broad range of external applications and network devices that are capable of generating security-relevant events.

The TOE is a hardware appliance built on an Intel-based server platform. The embedded software consists of a hardened Operating System (OS) running modular software, where the implemented functionality of the appliance is defined by enabling a specific profile on the device.

The TOE can be subdivided into the following profiles: Sensor, Logger, and Server. By default, the All-In-One installation enables full functionality and all profiles. In the evaluated configuration, the TOE operates as a standalone, non-distributed appliance. The All-In-One configuration of AlienVault USM, pre-installed on the specific hardware, is the evaluated configuration for the TOE.

The TOE is capable of integrating with external IT entities, including other instances of the TOE. It is possible to disable the Server and Logger profiles and have only the Sensor profile enabled on additional instances of the TOE. These custom configurations are not part of the evaluated configuration; in such cases, the additional instances of the TOE are treated as part of the operational environment.

1.5 TOE Architecture

The underlying architecture of the TOE consists of computer hardware that supports a hardened Linux-based OS that manages the disk, memory, and network resources and provides all necessary support to run the embedded modular software. A dedicated cryptographic module provides cryptographic functionality that implements secure communications and protects critical security parameters.

There is no direct user-space access to the underlying OS, and the TOE does not provide any general-purpose computing capabilities other than the limited subset necessary for its operation. A determined administrator with physical access to the hardware device can always gain access to the OS, but such a mode of operation is outside the scope of the evaluation.

The TOE can be subdivided into the following profiles:

- Sensor
- Server
- Logger

Figure 1 outlines the TOE Architecture.

[Figure 1: TOE Architecture. Diagram not reproduced; labels recovered from the image: Correlation, Storage, Risk Assessment, Integrity, Policies, Legal Evidence, Categorization, Digital [...], Sensor.]

1.5.1 Sensor

The TOE Sensor has been designed to collect a wide range of information about its local environment, inspect network traffic, detect anomalous activity through various methods, and collect information on suspected attack vectors without affecting overall network performance. The Sensor aggregates all collected information, coordinates threat detection, and monitors compliance within the monitored network. Additional Sensors can be installed on network segments and remote locations, further increasing coverage.

The Sensor integrates an arsenal of monitoring technology into a single logical device, reporting to the network administrators along five different areas:

- Intrusion Detection
- Anomaly Detection
- Vulnerability Detection
- Discovery, Learning and Network Profiling
- Inventory Management

Every TOE deployment, using both active scanning and passive monitoring, creates a highly detailed topography and usage profile of the monitored network. The extensive usage profile is part of the anomaly detection capability. Vulnerability detection algorithms scan and identify latent network threats and can enable the network administrator to address them before they can be successfully exploited. The TOE utilizes both signature-based and heuristic methods to detect known and predicted attack vectors in near-real time. The network information gathered by Sensors provides a detailed near-real-time status of the network usage of each host in the network monitored by the TOE.

1.5.2 Server

Sensors gather and normalize events before sending them to the Server and Logger. This information, stored by the Server, is of vital importance when a host or network attack is in progress. Prior knowledge of existing system settings and vulnerabilities is critical when assessing the risk associated with an attack, prioritizing the severity of the attack, alerting personnel, and implementing appropriate countermeasures.

The Server provides data mining and analytic capabilities, including:

- Risk Assessment
- Event Correlation
- Policy Compliance
- Reporting and Alarms
- Availability Monitoring

The Server component utilizes an internal database to store normalized information, supporting TOE data mining capabilities. The TOE is designed to operate on a busy corporate network and process millions of recorded events per day.

1.5.3 Logger

The Logger stores audit events in a forensically secure form. All stored events are digitally signed, ensuring their authenticity and integrity.

1.6 TOE Boundaries

1.6.1 Data

The data managed by the TOE can be categorized as TSF data and non-TSF data.

TSF data includes the following:

- Configuration data used to manage and operate the TOE
- Audit data produced by internal security-relevant events
- Critical security parameters used by cryptographic functions

Non-TSF data includes:

- All data collected from the monitored network
- Analytical data derived from the analyzed events
- Threat and vulnerability signatures

1.6.2 Physical Boundary

The TOE’s hardware is based on an Intel Quad-Core Xeon E5 blade server running Debian “Wheezy” 7.8 based on a Linux 3.4 kernel.

The physical boundary of the TOE is the hardware appliance. For the physical boundary, only the USM All-In-One hardware configuration is included in the scope of this evaluation (see Table 2: Hardware Specifications for details).
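The Logger (Section 1.5.3) stores each audit event digitally signed so that later alteration is detectable. The following Go program is an added illustration of that scheme, not AlienVault's code: each record carries the four fields the Security Audit description in the Logical Boundary names (date and time, event type, subject identity, outcome), is signed over its serialised bytes, and fails verification if any field is changed. Ed25519 and the JSON encoding are assumptions; the Security Target does not name the Logger's signature algorithm or record format.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"time"
)

// AuditEvent holds the four fields the Security Target says every audit
// record carries: date and time, event type, subject identity and outcome.
type AuditEvent struct {
	Time    time.Time `json:"time"`
	Type    string    `json:"type"`
	Subject string    `json:"subject"`
	Outcome string    `json:"outcome"`
}

// SignedEvent is one stored entry: the serialised record plus a detached
// signature over exactly those bytes. Ed25519 is an assumption; the Security
// Target does not name the Logger's signature algorithm.
type SignedEvent struct {
	Record    []byte
	Signature []byte
}

// Store serialises the event and signs the bytes that will be written, so a
// later edit to any field (for example flipping the outcome) breaks the check.
// In the appliance the private key would live inside the cryptographic module.
func Store(priv ed25519.PrivateKey, ev AuditEvent) (SignedEvent, error) {
	rec, err := json.Marshal(ev)
	if err != nil {
		return SignedEvent{}, err
	}
	return SignedEvent{Record: rec, Signature: ed25519.Sign(priv, rec)}, nil
}

// Verify decodes a stored entry only if its bytes still match the signature
// under the Logger's public key; otherwise it was altered or signed elsewhere.
func Verify(pub ed25519.PublicKey, se SignedEvent) (AuditEvent, bool) {
	var ev AuditEvent
	if !ed25519.Verify(pub, se.Record, se.Signature) || json.Unmarshal(se.Record, &ev) != nil {
		return ev, false
	}
	return ev, true
}
```

A caller generates the key pair with ed25519.GenerateKey (or NewKeyFromSeed for tests), stores events with Store, and replays the stored entries through Verify before trusting them as forensic evidence.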

[Figure 2: TOE Layout. Image not reproduced.]

The TOE has two power supplies that operate in an N+1 configuration. An audible alarm operates if either of the power supplies fails or there is a loss of external power.

Table 2: Hardware Specifications (AlienVault USM All-In-One)

Form Factor: 1U
Length x Width x Height (in): 26.6 x 17.2 x 1.7
Power Supply: 2 x 700/750W
Network Interfaces: 6 x 1GbE
CPU: 2 x Intel Xeon E5
Storage Capacity (TB): 1.8
Disk Array Configuration: RAID 10
Memory (GB): 24

The TOE can be configured to utilize a number of other components in its operational environment that are not included in the evaluation:

- A Management Workstation with a modern browser for Web Interface access.
- A Syslog Server for external storage of the audit log.
- An NTP Server for reliable time.
- An SMTP Server for administrator alert notifications and warnings.
- An external Authentication, Authorization, and Accounting server.
- Additional instances of the TOE.

Figure 3 depicts the TOE boundary with the operational environment and relevant interfaces.

[Figure 3: TOE Example Deployment and Boundary. Diagram not reproduced; labels recovered from the image: TOE Boundary, Management Workstation, SMTP Server, Server, AlienVault USM v4.12, Peer, Monitored Network, NTP Server, Audit Server.]

1.6.3 Logical Boundary

The logical boundary of the TOE is defined by the implemented security functions. These security functions are further described in the following subsections.

1.6.3.1 Security Audit

The TOE generates audit records related to cryptographic functionality, identification and authentication, and management actions. For each security-relevant event, the TOE records the date and time, the type of event, the subject identity, and the outcome of the event logged. Auditing is enabled by default. The TOE also implements timestamps to ensure that reliable audit information is available. The logs can be accessed through the appropriate menu of the Web Interface. The TOE can be configured to duplicate audit messages to an external Syslog Server.

1.6.3.2 Cryptographic Support

The TOE implements a cryptographic module that performs the following cryptographic operations:

- Secure channel with the following parameters:
  - TLS 1.0 protocol
  - TLS_RSA_WITH_AES_128_CBC_SHA
  - TLS_RSA
