IBM Corporation
IBM Security QRadar FIPS Appliance
Hardware Part Number: QR24; Firmware Version: v7.1 MR1

FIPS 140-2 Non-Proprietary Security Policy
FIPS Security Level: 2
Document Version: 0.6

Prepared for:
IBM Corporation
1 New Orchard Road
Armonk, NY 10504-1722
United States of America
Phone: 1 914-499-1900

Prepared by:
Corsec Security, Inc.
13135 Lee Jackson Memorial Hwy, Suite 220
Fairfax, VA 22033
United States of America
Phone: 1 703-267-6050

Security Policy, Version 0.6
November 13, 2014

Table of Contents

1 INTRODUCTION
  1.1 PURPOSE
  1.2 REFERENCES
  1.3 DOCUMENT ORGANIZATION
2 IBM SECURITY QRADAR FIPS APPLIANCE
  2.1 OVERVIEW
  2.2 MODULE SPECIFICATION
  2.3 MODULE INTERFACES
  2.4 ROLES, SERVICES, AND AUTHENTICATION
    2.4.1 Authorized Roles
    2.4.2 Services
    2.4.3 Authentication Mechanisms
  2.5 PHYSICAL SECURITY
  2.6 OPERATIONAL ENVIRONMENT
  2.7 CRYPTOGRAPHIC KEY MANAGEMENT
    2.7.1 Key Generation
    2.7.2 Key Entry and Output
    2.7.3 Key/CSP Storage and Zeroization
  2.8 EMI/EMC
  2.9 SELF-TESTS
    2.9.1 Power-Up Self-Tests
    2.9.2 Conditional Self-Tests
  2.10 MITIGATION OF OTHER ATTACKS
3 SECURE OPERATION
  3.1 CRYPTO-OFFICER GUIDANCE
    3.1.1 Appliance Setup
    3.1.2 Initialization
    3.1.3 Management
    3.1.4 Physical Inspection
    3.1.5 Zeroization
  3.2 USER GUIDANCE
  3.3 NON-APPROVED MODE OF OPERATION
4 ACRONYMS

Table of Figures

FIGURE 1 – IBM SECURITY QRADAR FIPS APPLIANCE
FIGURE 2 – QRADAR FIPS APPLIANCE FRONT PANEL FEATURES AND INDICATORS
FIGURE 3 – QRADAR FIPS APPLIANCE BACK PANEL FEATURES AND INDICATORS
FIGURE 4 – TAMPER-EVIDENT SEAL APPLICATION POSITIONS (TOP)
FIGURE 5 – TAMPER-EVIDENT SEAL APPLICATION POSITIONS (TOP/SIDE)
FIGURE 6 – TAMPER-EVIDENT SEAL APPLICATION POSITIONS (TOP/REAR)
FIGURE 7 – TAMPER-EVIDENT SEAL APPLICATION POSITIONS (REAR)
FIGURE 8 – TAMPER-EVIDENT SEAL APPLICATION POSITIONS (FRONT)

List of Tables

TABLE 1 – SECURITY LEVEL PER FIPS 140-2 SECTION
TABLE 2 – FIPS 140-2 LOGICAL AND PHYSICAL INTERFACE MAPPINGS
TABLE 3 – CRYPTO-OFFICER ROLE’S SERVICES

IBM Security QRadar FIPS Appliance
© 2014 IBM Corporation
This document may be freely reproduced and distributed whole and intact including this copyright notice.

TABLE 4 – FIPS ADMIN ROLE’S SERVICES
TABLE 5 – USER ROLE’S SERVICES
TABLE 6 – AUTHENTICATION MECHANISMS EMPLOYED BY THE MODULE
TABLE 7 – APPROVED ALGORITHM IMPLEMENTATIONS
TABLE 8 – APPROVED KEY DERIVATION FUNCTION IMPLEMENTATIONS
TABLE 9 – CRYPTOGRAPHIC KEYS, CRYPTOGRAPHIC KEY COMPONENTS, AND CSPS
TABLE 10 – ACRONYMS

1 Introduction

This section introduces the non-proprietary Security Policy for the IBM Security QRadar FIPS Appliance.

1.1 Purpose

This is a non-proprietary Cryptographic Module Security Policy for the IBM Security QRadar FIPS Appliance. This Security Policy describes how the IBM Security QRadar FIPS Appliance meets the security requirements of FIPS Publication 140-2, which details the U.S. and Canadian Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) and the Communications Security Establishment Canada (CSEC) Cryptographic Module Validation Program (CMVP) website. This document also describes how to run the module in a secure FIPS-Approved mode of operation. This policy was prepared as part of the Level 2 FIPS 140-2 validation of the module. The IBM Security QRadar FIPS Appliance is referred to in this document as QRadar, the cryptographic module, or the module.

1.2 References

This document deals only with operations and capabilities of the module in the technical terms of a FIPS 140-2 cryptographic module security policy. More information is available on the module from the following sources:

- The IBM website contains information on the full line of solutions from IBM.
- The CMVP website 0-1/140val-all.htm) contains contact information for individuals to answer technical or sales-related questions for the module.

1.3 Document Organization

The Security Policy document is one document in a FIPS 140-2 Submission Package. In addition to this document, the Submission Package contains:

- Vendor Evidence document
- Finite State Model document
- Other supporting documentation as additional references

This Security Policy and the other validation submission documentation were produced by Corsec Security, Inc. under contract to IBM Corporation. With the exception of this Non-Proprietary Security Policy, the FIPS 140-2 Submission Package is proprietary to IBM and is releasable only under appropriate nondisclosure agreements. For access to these documents, please contact IBM.

2 IBM Security QRadar FIPS Appliance

This section describes the IBM Security QRadar FIPS Appliance by IBM Corporation.

2.1 Overview

IBM’s QRadar Release v7.1 MR1 is a distributed network security management platform that provides situational awareness and compliance support through the combination of flow-based network knowledge, security event correlation, log management, and asset-based vulnerability assessment.

QRadar integrates previously disparate functions (including risk management, log management, network behavior analytics, and security event management) into a total security intelligence solution, making it the most intelligent, integrated, and automated SIEM product available. Built on an IBM platform, the QRadar solution provides users with crucial visibility into what is occurring with their networks, data centers, and applications to better protect Information Technology (IT) assets and meet regulatory requirements.

QRadar collects and processes data including log data (from security devices, network devices, applications, and databases); network activity data, or “flows” (from network taps, mirror ports, or third-party flow sources such as NetFlow); and vulnerability assessment data. The product produces security events by real-time event and flow matching and by comparing the collected data to historical flow-based behavior patterns. The security events are then correlated by the product to produce weighted alerts (i.e., offenses) which can be viewed in the web-based QRadar Graphical User Interface (GUI) as well as sent to users or other solutions via email, syslog, or SNMP trap.

QRadar:

- Provides a customizable interface through which users can view summaries and detailed information about offenses, log and event activity, and network activity (flows) occurring on a given network.
- Analyzes overall network security, vulnerability states, and network traffic behavior.
- Automatically discovers servers and hosts operating on a given network in order to build an asset profile. User identity, vulnerability data and passively learned services information are correlated back to the asset profile.
- Allows users to create, distribute, and manage reports for any data.

QRadar tracks significant incidents and threats, and builds a history of supporting and relevant information. Information such as point-in-time, offending users or targets, attacker profiles, vulnerability state, asset value, active threats and records of previous offenses all help provide security teams with the intelligence they need to act regardless of where they are.

QRadar employs cryptographic functions to secure the GUI and the QConsole interface. The QConsole is used either locally or over Secure Shell (SSH) to manage t