IBM Security QRadar SIEM - NIST Security QRadar SIEM. 1 . 1 Introduction . This document is the non-proprietary Security Policy for the IBM Security . QRadar SIEM Version 7.2 ...

Download IBM Security QRadar SIEM - NIST   Security QRadar  SIEM. 1 . 1 Introduction . This document is the non-proprietary Security Policy for the IBM  Security . QRadar  SIEM Version 7.2 ...

Post on 23-Mar-2018

219 views

Category:

Documents

7 download

Embed Size (px)

TRANSCRIPT

  • IBM Security QRadar SIEM

    i

    IBM Security QRadar SIEM Hardware Version 7.2

    Firmware Version 7.2

    FIPS 140-2

    Non-Proprietary Security Policy

    Policy Version 1.2

    August 13, 2016

    IBM Corporation 80 Bishop Dr. Unit B Fredericton, NB E3C 1B2 Canada

    Copyright International Business Machines Corporation, 2016. This document may be reproduced only in its original entirety without revision.

  • IBM Security QRadar SIEM

    ii

    Table of Contents 1 Introduction .............................................................................................................. 1

    1.1 Acronyms and Abbreviations ............................................................................................................ 2

    2 IBM Security QRadar SIEM .................................................................................. 3 2.1 Functional Overview ......................................................................................................................... 3 2.2 Module Specification ........................................................................................................................ 3 2.3 Module Interfaces ............................................................................................................................. 4 2.4 Roles, Services, and Authentication ................................................................................................. 7

    2.4.1 Authorized Roles........................................................................................................................ 7 2.4.2 Services ..................................................................................................................................... 7 2.4.3 Crypto Officer Role Services ..................................................................................................... 7 2.4.4 FIPS Admin Role Services ........................................................................................................ 9 2.4.5 User Services .......................................................................................................................... 11 2.4.6 Authentication Mechanisms ..................................................................................................... 13

    2.5 Physical Security ............................................................................................................................ 14 2.6 Operational Environment................................................................................................................ 15 2.7 Cryptographic Key Management .................................................................................................... 15

    2.7.1 Key Generation ........................................................................................................................ 19 2.7.2 Key Entry and Output ............................................................................................................... 19 2.7.3 Key/CSP Storage and Zeroization ........................................................................................... 19

    2.8 EMI/EMC ........................................................................................................................................ 19 2.9 Self-Tests ....................................................................................................................................... 19

    2.9.1 Power-Up Self-Tests................................................................................................................ 20 2.9.2 Conditional Self-Tests .............................................................................................................. 20

    2.10 Design Assurance .......................................................................................................................... 20 2.11 Mitigation of Other Attacks ............................................................................................................. 20

    3 Secure Operation ................................................................................................... 21 3.1 Initial Setup ..................................................................................................................................... 21

    3.1.1 Obtaining Replacement Baffles and Tamper-Evident Labels .................................................. 21 3.1.2 Installing Baffles ....................................................................................................................... 22 3.1.3 Installing Tamper Evident Labels ............................................................................................. 24

    3.2 Secure Management ...................................................................................................................... 27 3.2.1 Initialization .............................................................................................................................. 27 3.2.2 Management ............................................................................................................................ 30 3.2.3 Zeroization ............................................................................................................................... 30

    3.3 User Guidance ............................................................................................................................... 30

    4 References ............................................................................................................. 30

  • IBM Security QRadar SIEM

    iii

    List of Tables Table 1: Cryptographic Module Security Requirements. ................................................. 1 Table 2: FIPS 140-2 Logical Interface Mappings ............................................................ 6 Table 3: Crypto Officer Services ..................................................................................... 8 Table 4: FIPS Admin Role Services .............................................................................. 10 Table 5: FIPS User Role Services ................................................................................. 11 Table 6: Strength of Authentication Methods ................................................................ 13 Table 7 FIPS-Approved Algorithm Implementations .................................................. 15 Table 8 List of Cryptographic Keys, Cryptographic Key Components, and CSPs ..... 16

    List of Figures Figure 1 Module Block Diagram ................................................................................... 4 Figure 2 IBM Security QRadar SIEM Features and Indicators ..................................... 5 Figure 3 PCI Cover Install (Baffle 1 of 4).................................................................... 22 Figure 4 NDC Cover Install (Baffle 2 of 4) .................................................................. 22 Figure 5 VFlash Cover Install (Baffle 3 of 4) .............................................................. 23 Figure 7 Top Cover Tamper Evident Labels 1 and 2 of 24. ....................................... 24 Figure 8 Top Cover Tamper Evident Labels 3 and 4 of 24. ....................................... 25 Figure 9 Hard Disk Drive Tamper Evident Labels 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, and 16, of 24. ................................................................................................................ 25 Figure 10 Bezel Labels 17 and 18 of 24: ................................................................... 26 Figure 11 Filler Labels 19, 20 21, and 22, of 24 (2) per filler: ..................................... 26 Figure 12 Cards Filler Tamper Labels: Labels 23 and 24 of 24: ................................ 27

  • IBM Security QRadar SIEM

    1

    1 Introduction

    This document is the non-proprietary Security Policy for the IBM Security QRadar SIEM Version 7.2 cryptographic module. This Security Policy specifies the security rules under which the module shall operate to meet the requirements of FIPS 140-2 Level 2. It describes how the module functions to meet the FIPS requirements, and the actions that operators must take to maintain the security of the module. The module is referred to in this document as the appliance, cryptographic module, or the module.

    This Security Policy describes the features and design of the IBM Security QRadar SIEM Version 7.2 using the terminology contained in the FIPS 140-2 specification. FIPS 140-2, Security Requirements for Cryptographic Modules specifies the security requirements that will be satisfied by a cryptographic module utilized within a security system protecting sensitive but unclassified information. The NIST Cryptographic Module Validation Program (CMVP) validates cryptographic modules to FIPS 140-2 and other cryptography-based standards. Validated products are accepted by the Federal agencies of both the USA and Canada for the protection of sensitive or designated information. The FIPS 140-2 standard and information on the CMVP can be found at http://csrc.nist.gov/groups/STM/cmvp. This Security Policy contains only non-proprietary information. This document may be freely reproduced and distributed whole and intact. All other documentation submitted for FIPS 140-2 conformance testing and validation is IBM - Proprietary and is releasable only under appropriate non-disclosure agreements. The IBM Security QRadar cryptographic module meets the overall requirements applicable to Level 2 security for FIPS 140-2 as shown in Table 1. Table 1: Cryptographic Module Security Requirements.

    Security Requirements Section Level Cryptographic Module Specification 2 Cryptographic Module Ports and Interfaces 2 Roles and Services and Authentication 2 Finite State Machine Model 2 Physical Security 2 Operational Environment N/A Cryptographic Key Management 2 EMI/EMC 2 Self-Tests 2 Design Assurance 2 Mitigation of Other Attacks N/A

    http://csrc.nist.gov/groups/STM/cmvp/index.html

  • IBM Security QRadar SIEM

    2

    1.1 Acronyms and Abbreviations Acronym Definition AES Advanced Encryption Standard API Application Programming Interface CMVP Cryptographic Module Validation Program CBC Cipher-Block Chaining CFB Cipher Feedback CSE Communications Security Establishment CSP Critical Security Parameter CTR Counter Mode DES Data Encryption Standard DRBG Deterministic Random Bit Generator ECB Electronic Code Book FIPS Federal Information Processing Standard HMAC Keyed-Hashing for Message Authentication KAT Known Answer Test NDRNG Non-deterministic Random Number Generator NIST National Institute of Standards and Technology OFB Output Feedback PUB Publication RAM Random Access Memory RNG Random Number Generator RSA Rivest, Shamir and Adleman SHA Secure Hash Algorithm

  • IBM Security QRadar SIEM

    3

    2 IBM Security QRadar SIEM

    2.1 Functional Overview IBM Security QRadar SIEM version 7.2family of products provides a security intelligence platform that integrates critical functions including SIEM, log management, configuration monitoring, network behavior anomaly detection, risk management, vulnerability management, network vulnerability scanning, full packet capture and network forensics into a comprehensive intelligence solution. IBM Security QRadar version 7.2 delivers these enhanced features:

    QRadar QFlow Collector component provides improved Gbps QFlow collection and processing.

    Enables security information to be retrieved and updated from third-party systems with the Offense API.

    Enhanced threat intelligence feed provides hourly update of threat intelligence with additional context and categorization data.

    Flow burst handling helps ensure that data loss is minimized during very high bursts of network flow data.

    Improved big data integration enables more easily configurable data forwarding profiles.

    IBM Security QRadar Data Node enhancements enable historic data to be stored separately, helping deliver historic searches and analytics without impacting real-time security operations.

    Contains crossover cable high availability user interface configuration designed to simplify high available setup.

    Supports silent installation, enabling full automation of QRadar installs in public and private clouds and enterprise networks.

    The module provides security functions for encryption, decryption, random number generation, hashing, getting the status of the integrity test, and running the self-tests. The library is used by the application.

    2.2 Module Specification

    The IBM Security QRadar version 7.2 SIEM is a multi-chip standalone hardware module that meets overall Level 2 FIPS 140-2 requirements. The cryptographic boundary of the QRadar is defined by the opaque and hard metal appliance chassis, which surrounds all the hardware and software components.

    Following is a block diagram of the module.

  • IBM Security QRadar SIEM

    4

    Figure 1 Module Block Diagram

    2.3 Module Interfaces

    Interfaces on the module can be categorized as the following FIPS 140-2 logical interfaces:

    Data Input Interface Data Output Interface Control Input interface Status Output Interface Power Interface

  • IBM Security QRadar SIEM

    5

    Figure 2 IBM Security QRadar SIEM Features and Indicators

    Front Panel

    Back Panel

  • IBM Security QRadar SIEM

    6

    The physical interfaces described in Figure 1 map to logical interfaces defined by FIPS 140-2, as described in Table 2. Table 2: FIPS 140-2 Logical Interface Mappings

    Logical Interface

    Physical Ports

    Data input Ethernet interfaces vFlash media card slot Serial connector USB ports Emulex FC Host Bus Adapter

    Data output Ethernet interfaces vFlash media card slot Serial connector Video connectors USB ports Emulex FC Host Bus Adapter

    Control input System management interface Ethernet interfaces NMI button Power button Serial connector iDRAC port

    Status output

    System management interface Hard drive status and activity indicators Ethernet interfaces Diagnostic indicators Ethernet interface activity and link indicators Power supply status indicators Serial connector Video connector iDRAC port iDRAC Direct LED Quick Sync interface

    Power Power inputs

    The following features or indicators are not FIPS 140-2 logical interfaces:

  • IBM Security QRadar SIEM

    7

    Information tag (documentation only) Empty PCIe slots (unused). System ID button and connector outside the scope of evaluation.

    2.4 Roles, Services, and Authentication The following sections described the authorized roles supported by the module, the services provided for those roles, and the authentication mechanisms employed.

    2.4.1 Authorized Roles

    The module supports role-based authentication, providing three authorized roles that an operator explicitly assumes: a Crypto-Officer (CO) role, a FIPS Admin role, and a User role. The module does not support concurrent operators.

    Crypto-User (cryptographic officer) The Crypto-Officer ro...

Recommended

View more >