The TOE generates audits for the events specified in the table included with the FAU_GEN.1(1).
Startup and shutdown of the audit function is equivalent to startup and shutdown of the WebDefend Software components. The following fields are included in all audit records, although not all fields are populated in all records:
Record ID
Date/time
User Name (subject identity)
User Source IP address (location)
User Source TCP Port
Application
Sensor Name
Sensor IP
Site Name
Manager IP (in the evaluated configuration, the Manager is the same as the Sensor)
Result
Action (Event)
When items with multiple parameters are configured, multiple records may be generated, recording one parameter value per record. The primary audit record indicates the item being configured, while the secondary audit records indicate the specific parameter values. Secondary audit records point to the item being configured by containing the Record ID of the associated primary audit record. Primary audit records either contain 0 or their own Record ID in this field.
The audits records are maintained by the TOE in the database on the WebDefend appliance in plain text and may be exported via the Console by Primary Administrators for review outside the TOE.
7.2 FAU_STG.2, FAU_STG.4
The user access functionality of the TOE does not provide any mechanism to modify or delete audit records. If no space is available in the database when the TOE attempts to insert a new audit record, the existing audit records are retained and the new audit record is discarded. When this occurs, a System Event is generated and a message is sent to the Alert destination configured for the Sensor.
7.3 FIA_AFL.1
The TOE tracks consecutive login failures for each defined user account. If three consecutive failures occur for any user account (for any combination of Console accesses), the user account is automatically locked. The account must be manually unlocked before logins against it are permitted.
7.4 FIA_ATD.1
The TOE maintains the following information for each user account:
User identity;
Password;
Role;
Organization;
Assigned Sites; and
Status (locked or unlocked).
User account information is stored in the database on the WebDefend appliance.
7.5 FIA_UAU.2, FIA_UID.2
The TOE requires all users of the Consoles to successfully identify and authenticate themselves via a username and password before access is granted to any TSF data or functions. Validation of the supplied credentials is performed by the TOE.
7.6 FMT_MTD.1
The TOE grants access to TSF data via Consoles according to the roles and permissions
specified in the table included with FMT_MTD.1(1). Consoles may only be used by authorized users. Access to TSF data other than that specified in the table is prevented.
7.7 FMT_SMF.1
The TOE provides functionality for authorized users to manage the following items via the Console:
User management (User Accounts);
Sensor management (Sensors);
Organization management (Organizations, Sites);
Site management (Application Defects, Applications, Policies, Security Events, Security Rules, Site Profiles, URL Profiles);
Report management (Report Templates, Reports).
7.8 FMT_SMR.1
All interactive users of the TOE are required to successfully complete I&A, at which time the role configured for the user account is associated with the user session. The role assigned to the user account determines the access permissions for the user per the table with FMT_MTD.1.
The roles that may be assigned to a user are: Primary Administrators, Organization
Administrators, Site Administrators, Primary Viewers, Organization Viewers, and Site Viewers.
7.9 IDS_SDC.1
The TOE collects network traffic for the configured Sites. The traffic is used for analysis against configured policies and to detect profile changes for sites and/or applications. When a security
event is generated, the network traffic associated with the event is stored with the event in the database on the WebDefend appliance.
7.10 IDS_ANL.1, IDS_RCT.1
As network traffic is collected, it is analyzed by the TOE. Analysis is performed for the following functions based upon the Exceptions and Policy associated with the applicable Site:
Profiles are generated and updated based on the interactions contained in the traffic.
Comparisons are made to signatures of known attacks (signature analysis).
Responses from the applications are monitored to detect abnormalities based on the profiles (integrity analysis).
Comparisons are made to previous message contents to detect anomalous behavior.
HTTP protocol violations are detected.
Invalid parameter values are detected.
Comparisons to BreachMarks are made to detect data leakage in messages sent from the protected web servers.
Excessive access violations (signature analysis) The following information is stored for Security Events:
Site
Severity
Host
Sensor
Date/Time
Description
Result
Entry/Informative Event
Exit Event
URL
Associated HTTP request and/or response messages
Status
The following information is stored for Application Defects:
Site
Severity
Total Count
Sensor
Date/Time of first and most recent occurrence
Issue Name
Referrer
URL
Associated HTTP message(s)
Prior to generating an Event and performing the configured action, the configured Exceptions are examined to determine if any overrides of the Policy apply. The configured Exceptions are checked in priority order to determine if any Exception conditions match the conditions associated with the Event. If so, the Exception actions are performed rather than the Policy actions. As soon as one matching Exception is found, Exception checking is halted.
When a configured condition is detected, the associated actions are performed as follows:
Log – A Security Event or Application Defect is generated and
Alert - The configured Alert parameters are used to send an SNMP, E-mail or Syslog message
TCP Reset – TCP Reset messages are sent to the web server and client.
Logout – An HTTP Logout message is sent to the web server.
Deny – The message being analyzed is dropped. This action is only available with the inline deployment mode.
7.11 IDS_RDR.1
The TOE provides authorized users with the ability to read Security Events, Application Defects, and captured traffic in a human readable form via the Consoles. The information is presented through views, dashboards, and reports. Access to information is limited to the Organizations and Sites each user is authorized to access.
7.12 IDS_STG.1, IDS_STG.2
The user access functionality of the TOE does not provide any mechanism to modify System data. System data may be deleted by authorized users. If no space is available in the database when the TOE attempts to insert new System data, the existing information is retained and the new information is discarded. When this occurs, a System Event is generated and a message is sent to the Alert destination configured for the Sensor.