Validated Product - QRadar V5.1.2

Certificate Date: 26 January 2007

Validation Report Number: CCEVS-VR-07-0003

Product Type: IDS/IPS, Security Management

Conformance Claim: EAL2

PP Identifiers: None

CC Testing Lab: CygnaCom Solutions, Inc


PRODUCT DESCRIPTION

The Q1 Labs QRadar v5.1.2 product is an administrator configurable network security management and response system. QRadar collects and processes data both from network taps and from event collectors installed on network devices. The product produces prioritized security events by real-time event matching and by comparing the collected data to historical flow-based behavior patterns. The security events are then correlated by the product to produce weighted alerts which are sent to the product users.

The Target of Evaluation (TOE), which is software only, includes the QRadar v5.1.2 server software and user interface components, the product modules Offence Resolution v1.0 and Offence Manager Software and user interface components, the product’s collectors that access network taps, and the interface to the External Event Collector and the Device Support Module.

SECURITY EVALUATION SUMMARY

The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) processes and procedures. QRadar V5.1.2 was evaluated against the criteria contained in the Common Criteria for Information Technology Security Evaluation, Version 2.2. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 2.2. CygnaCom Solutions has determined that the product meets the security criteria in the Security Target, which specifies an assurance level of EAL2. A Validator, on behalf of the CCEVS Validation Body, monitored the evaluation. The evaluation was completed in January 2007.

ENVIRONMENTAL STRENGTHS

The TOE’s Security Functions include:

Security Audit: QRadar provides the ability to audit blocks generated by the TOE and the addition, modification, and deletion of configuration information that specifies the blocks. QRadar is able to associate the auditable events with identified users.

Identification and Authentication: QRadar provides user identification and authentication independent of that provided by the operating system through the use of user identifiers and passwords.

Security Management: QRadar supports administrative roles and limits the management of TSF Data to users with the appropriate privileges and network access. Security management functionality provided by QRadar includes the management of security management data, collected event data and collected network data, CIDR ranges assigned to users, blocks, and passwords.

Partial TSF Self-Protection: QRadar provides for non-bypassability and for protection of the audit data and defense perspective data, in conjunction with the operating system platform.

Intrusion Detection: QRadar provides for customer network data collection and processing to create the set of surveillance information. This includes a database of flow information, a set of analysis data, and a database of external event information. The intrusion detection function provides the following capabilities:

  • Reads network data in real-time including data from Gigabyte networks
  • Allows the amount of payload information to be configured, in bytes, per Collector.
  • Analyzes vulnerability data by correlating the event with the various types of raw data, normalized data, and Offences. As a result, weighted Offence alerts can be generated. 
  • Provides behavioral and event correlation analysis on surveillance information
  • Records results by date, time, and type
  • Generates internal events and their associated violations
  • Sends alerts based on analysis of defense perspective data
  • Provides security responses to block network security threats based on analysis of defense perspective data.
  • Generates automatic reports on defense perspective data.
  • Provides Administrators and Users the ability to review the defense perspective data they are authorized to view.

Vendor Information

Q1 Labs, Inc.
Jason Corbin, Director of Product Management
781.250.5814
781.250.5880 (Fax)
jason.corbin@q1labs.com

http://www.q1labs.com