RSA, The Security Division of EMC enVision Platform v4.0


RSA, The Security Division of EMC
enVision platform v4.0 SP 1
Security Target

Evaluation Assurance Level: 3
Document Version: 0.8

Prepared for: RSA, The Security Division of EMC, 174 Middlesex Turnpike, Bedford, MA 01730; Phone: (877) 772-4900; Fax: (781) 515-5010; http://www.rsa.com

Prepared by: Corsec Security, Inc., 10340 Democracy Lane, Suite 201, Fairfax, VA 22030; Phone: (703) 267-6050; Fax: (703) 267-6810; http://www.corsec.com

© 2009 RSA, The Security Division of EMC

Security Target, Version 0.8 — December 11, 2009

Table of Contents

Table of Contents ... 2
Table of Figures ... 3
Table of Tables ... 3
1 Security Target Introduction ... 4
1.1 Purpose ... 4
1.2 Security Target and TOE References ... 5
1.3 TOE Overview ... 5
1.3.1 Brief Description of the Components of the TOE ... 7
1.3.2 TOE Environment ... 8
1.4 TOE Description ... 8
1.4.1 Physical Scope ... 8
1.4.2 Logical Scope ... 10
1.4.3 Product Physical/Logical Features and Functionality not included in the TOE ... 12
2 Conformance Claims ... 13
3 Security Problem Definition ... 14
3.1 Threats to Security ... 14
3.2 Organizational Security Policies ... 15
3.3 Assumptions ... 15
4 Security Objectives ... 17
4.1 Security Objectives for the TOE ... 17
4.2 Security Objectives for the Operational Environment ... 17
5 Extended Components Definition ... 19
5.1 Extended TOE Security Functional Components ... 19
5.1.1 Class EAN: EAN Component Requirements ... 20
5.2 Extended TOE Security Assurance Components ... 26
6 Security Requirements ... 27
6.1 Conventions ... 27
6.2 Security Functional Requirements ... 27
6.2.1 Class FAU: Security Audit ... 29
6.2.2 Class FIA: Identification and Authentication ... 31
6.2.3 Class FMT: Security Management ... 33
6.2.4 Class FPT: Protection of the TSF ... 35
6.2.5 Class FRU: Resource Utilization ... 36
6.2.6 Class FTA: TOE Access ... 37
6.2.7 Class EAN: EAN Component Requirements (EXP) ... 38
6.3 Security Assurance Requirements ... 40
7 TOE Summary Specification ... 41
7.1 TOE Security Functions ... 41
7.1.1 Security Audit ... 42
7.1.2 Identification and Authentication ... 42
7.1.3 Security Management ... 43
7.1.4 Protection of the TSF ... 43
7.1.5 Resource Utilization ... 43
7.1.6 TOE Access ... 44
7.1.7 EAN Component Requirements ... 44
8 Rationale ... 45
8.1 Conformance Claims Rationale ... 45
8.2 Security Objectives Rationale ... 45
8.2.1 Security Objectives Rationale Relating to Threats ... 45
8.2.2 Security Objectives Rationale Relating to Policies ... 48
8.2.3 Security Objectives Rationale Relating to Assumptions ... 50
8.3 Rationale for Extended Security Functional Requirements ... 52
8.4 Rationale for Extended TOE Security Assurance Requirements ... 52
8.5 Security Requirements Rationale ... 52
8.5.1 Rationale for Security Functional Requirements of the TOE Objectives ... 53
8.5.2 Security Requirements Rationale for Refinement ... 55
8.5.3 Security Assurance Requirements Rationale ... 56
8.5.4 Dependency Rationale ... 56
9 Acronyms and Terminology ... 58
9.1.1 Acronyms ... 58
9.1.2 Terminology ... 60

Table of Figures

Figure 1 – LS Deployment Configuration of the TOE ... 6
Figure 2 – ES Deployment Configuration of the TOE ... 7
Figure 3 – LS Physical TOE Boundary ... 9
Figure 4 – ES Physical TOE Boundary ... 10
Figure 5 – EAN: EAN Component Requirements Class Decomposition ... 20
Figure 6 – EAN Analyzer Analysis Family Decomposition ... 21
Figure 7 – EAN Event Data Collection Family Decomposition ... 23
Figure 8 – Analyzer React Family Decomposition ... 24
Figure 9 – Analyzer React Family Decomposition ... 25

Table of Tables

Table 1 – ST and TOE References ... 5
Table 2 – CC and PP Conformance ... 13
Table 3 – Threats ... 14
Table 4 – Organizational Security Policies ... 15
Table 5 – Assumptions ... 15
Table 6 – Security Objectives for the TOE ... 17
Table 7 – Environmental Security Objectives ... 17
Table 8 – Extended TOE Security Functional Requirements ... 19
Table 9 – TOE Security Functional Requirements ... 27
Table 10 – Management Rules for Analysis and Reaction Behavior ... 33
Table 11 – TOE Data Management ... 34
Table 12 – Assurance Requirements ... 40
Table 13 – Mapping of TOE Security Functions to Security Functional Requirements ... 41
Table 14 – Threats:Objectives Mapping ... 45
Table 15 – Policies:Objectives Mapping ... 48
Table 16 – Assumptions:Objectives Mapping ... 50
Table 17 – Objectives:SFRs Mapping ... 53
Table 18 – Functional Requirements Dependencies ... 56
Table 19 – Acronyms ... 58

Page 2 of 61 — RSA enVision platform v4.0 SP 1 — © 2009 RSA, The Security Division of EMC

1 Security Target Introduction

This section identifies the Security Target (ST), Target of Evaluation (TOE), and the ST organization. The Target of Evaluation is RSA enVision platform v4.0 SP 1, and will hereafter be referred to as the TOE throughout this document. The TOE is a Security Information and Event Management (SIEM) platform. The TOE collects raw log data from monitored devices and formats the data into an Internet Protocol Data Base (IPDB). Users can access the IPDB through a web interface and perform deep analysis of monitored events in real time and generate detailed reports on their findings.

1.1 Purpose

This ST contains the following sections to provide mapping of the Security Environment to the Security Requirements that the TOE meets in order to remove, diminish or mitigate the defined threats:

- Security Target Introduction (Section 1) – Provides a brief summary of the ST contents and describes the organization of other sections within this document. It also provides an overview of the TOE security functions and describes the physical and logical scope for the TOE, as well as the ST and TOE references.
- Conformance Claims (Section 2) – Provides the identification of any Common Criteria (CC), ST Protection Profile, and Evaluation Assurance Level (EAL) package claims. It also identifies whether the ST contains extended security requirements.
- Security Problem Definition (Section 3) – Describes the threats, organizational security policies, and assumptions that pertain to the TOE and its environment.
- Security Objectives (Section 4) – Identifies the security objectives that are satisfied by the TOE and its environment.
- Extended Components Definition (Section 5) – Identifies new components (extended Security Functional Requirements (SFRs) and extended Security Assurance Requirements (SARs)) that are not included in CC Part 2 or CC Part 3.
- Security Requirements (Section 6) – Presents the SFRs and SARs met by the TOE.
- TOE Summary Specification (Section 7) – Describes the security functions provided by the TOE that satisfy the security functional requirements and objectives.
- Rationale (Section 8) – Presents the rationale for the security objectives, requirements, and SFR dependencies as to their consistency, completeness, and suitability.
- Acronyms and Terminology (Section 9) – Defines the acronyms and terminology used within this ST.

1.2 Security Target and TOE References

Table 1 – ST and TOE References

ST Title: RSA, The Security Division of EMC enVision platform v4.0 SP 1 Security Target
ST Version: Version 0.8
ST Author: Corsec Security, Inc. – Greg Milliken and Amy Nicewick
ST Publication Date: 2009-12-11
TOE Reference: RSA enVision platform v4.0 SP 1 [1] Build 0236
Keywords: SIEM, IPDB, Internet Protocol Database, Security Information and Event Management, log management, log analysis, forensics, compliance, RSA, enVision, LogSmart, All the Data, EMC.

1.3 TOE Overview

The TOE Overview summarizes the usage and major security features of the TOE. The TOE Overview provides a context for the TOE evaluation by identifying the TOE type, describing the product, and defining the specific evaluated configuration.

The TOE is software running on the “60 Series” family of appliances that provide corporations with the power to gather and use event data. The TOE is an Event Analyzer (EAN) that aggregates log data from a variety of systems and provides an analysis interface for users to interpret the information contained in the logs. Corporations can use the event data to understand security, compliance, or operational status of their organization in real-time or over any period of time. The TOE provides efficient collection, analysis, and management of event data from a wide range of Internet Protocol (IP) devices.

An LS deployment of enVision includes Local Collector (LC), Database Server (D-SRV), and Application Server (A-SRV) components. These components each have their own hardware platform and represent the distributed architecture of the LS deployment of the TOE. The LC appliance is dedicated to event collection, and stores collected data in Network Attached Storage (NAS). The D-SRV services requests for collected data. The A-SRV is responsible for performing analysis of data and generating reports. The LS deployment of the TOE has a highly scalable architecture; multiple appliances can be deployed in the same roles in order to increase capacity and performance.

An ES deployment of enVision includes all of the functionality present in the LS on a single hardware platform. ES deployments of the TOE can use a NAS device, a Direct Attached Storage (DAS) device, or local storage. Local storage is the hard disk on the ES hardware platform.

[1] The TOE version number 4.0 SP 1 indicates that this is the exact 4.0 SP 1 version without additional patches or service packs. RSA distributes only one build of the 4.0 SP 1 version.

The same software is installed on each appliance, with configuration options determining whether an appliance is an ES, an LC, a D-SRV, or an A-SRV. The software runs on top of a hardened installation of Microsoft Windows Server 2003 Release 2 Enterprise Edition with Service Pack 2.

Figure 1 shows the details of the deployment configuration of the LS deployment of the TOE. The evaluated LS configuration is a single enVision site that includes one LC, one A-SRV, and one D-SRV, with Network Attached Storage (NAS). The Web User Interface (UI) coordinates with the A-SRV and D-SRV to retrieve and analyze data on monitored devices. The A-SRV provides alerting, reporting, and data export capabilities—including execu
