Nortel Networks 7.11, 7.05 manual Identification and Authentication, Security Management

Security Target, Version 3.9

March 18, 2008

VPN Information Flow Control SFP and Firewall Information Flow Control SFP: Both SFPs enforce a stateful firewall. Each time a TCP connection is established from a host on the internal network to a host on the external network through the Nortel VPN Router, information about the connection is recorded in a stateful session flow table. The state table contains the source and destination addresses and port number(s) for each TCP connection associated with that particular host. This information creates a connection object in the Nortel VPN Router. Inbound packets are compared against the session flows in the connection table and are permitted through the Nortel VPN Router only if an appropriate connection already exists to validate their passage. The connection object is terminated when the session is finished.
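The session-flow-table behaviour described above, as an added example that is not Nortel's code: a small Python model in which outbound TCP connections from the internal network create connection objects, inbound packets are permitted only when a matching object exists, and the object is removed once the session finishes. The "10.0." prefix, the addresses and the packet trace are constructed for illustration.

```python
# Added example (not Nortel's code): a model of the stateful session table
# described above, fed a constructed packet trace. "10.0." is the internal net.
from collections import namedtuple

# flags holds TCP flags as text, e.g. "SYN", "FIN,ACK", "RST"
Packet = namedtuple("Packet", "src sport dst dport flags", defaults=[""])


class StatefulFirewall:
    def __init__(self, internal_prefix):
        self.internal_prefix = internal_prefix
        self.sessions = {}  # connection object (outbound 4-tuple) -> FINs seen

    def _internal(self, ip):
        return ip.startswith(self.internal_prefix)

    def process(self, pkt):
        """Return "PERMIT" or "DROP" and update the session table."""
        outbound = self._internal(pkt.src) and not self._internal(pkt.dst)
        # Key every packet by the outbound 4-tuple so that inbound replies
        # match the connection object created when the internal host connected.
        key = ((pkt.src, pkt.sport, pkt.dst, pkt.dport) if outbound
               else (pkt.dst, pkt.dport, pkt.src, pkt.sport))
        if outbound and "SYN" in pkt.flags and key not in self.sessions:
            self.sessions[key] = 0  # new connection from the internal side
            return "PERMIT"
        if key not in self.sessions:
            return "DROP"  # no existing connection validates this packet
        if "RST" in pkt.flags:
            del self.sessions[key]  # abortive close terminates the object
        elif "FIN" in pkt.flags:
            self.sessions[key] += 1
            if self.sessions[key] == 2:  # both sides closed: session finished
                del self.sessions[key]
        return "PERMIT"


def run_trace():
    fw = StatefulFirewall("10.0.")
    trace = [
        Packet("10.0.0.5", 51000, "203.0.113.7", 443, "SYN"),      # open
        Packet("203.0.113.7", 443, "10.0.0.5", 51000, "SYN,ACK"),  # reply
        Packet("203.0.113.7", 443, "10.0.0.5", 51001, "SYN"),      # unsolicited
        Packet("10.0.0.5", 51000, "203.0.113.7", 443, "FIN,ACK"),
        Packet("203.0.113.7", 443, "10.0.0.5", 51000, "FIN,ACK"),
        Packet("203.0.113.7", 443, "10.0.0.5", 51000, "ACK"),      # after close
    ]
    return [fw.process(p) for p in trace], len(fw.sessions)
```

The unsolicited inbound SYN and the packet arriving after both FINs are dropped because no connection object exists for them, which is the check the text describes.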

Both SFPs enforce Network Address Translation (NAT) functionality which helps to provide transparent routing between private IP address spaces. NAT allows the dynamic connection of multiple private networks via secure tunnels without requiring any address space reconfiguration. The NAT policy is configured by administrators either via the GUI or the CLI. The NAT policy in the TOE is associated with a security property and a security policy. The security property defines the type of service offered (including the service name, the protocol (TCP, UDP, ICMP), and the port number (or range) on which the service occurs). The security policy is a set of rules that specifies which service is allowed or denied.

Within the Nortel VPN Router, the source address of a packet is translated after the packet has gone through the Nortel VPN Router if a matching source NAT rule is found. A NAT policy consists of one or more NAT rules. A NAT rule describes the translation action to take for a particular source, destination, or service. NAT is applied to routed traffic passing through the TOE’s physical interfaces using separate NAT policies. The NAT policy is retrieved from the LDAP database after system initialization and packets are processed according to the NAT policy rules.
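The NAT policy structure described in the two paragraphs above (a security property naming the service, protocol and port range; a security policy allowing or denying each service; NAT rules that translate the source address for a given source, destination and service), as an added example that is not Nortel's code. The service definitions, policy entries, networks and packets are constructed for illustration.

```python
# Added example (not Nortel's code): a model of the NAT policy described
# above. Services, policy rules and addresses are constructed for illustration.
import ipaddress
from collections import namedtuple

# Security property: service name, protocol and port (or range) it runs on
Service = namedtuple("Service", "name proto ports")
# NAT rule: translation action for a given source, destination and service
NatRule = namedtuple("NatRule", "src dst service translate_to")
Packet = namedtuple("Packet", "src dst proto dport")


def service_of(services, pkt):
    """Classify a packet by the security property (service) it matches."""
    for svc in services:
        if svc.proto == pkt.proto and pkt.dport in svc.ports:
            return svc
    return None


def apply_nat_policy(services, security_policy, nat_rules, pkt):
    """Return ("DROP", pkt) if the security policy denies the service,
    otherwise ("PERMIT", pkt) with the source address rewritten by the
    first matching source NAT rule (unchanged if no rule matches)."""
    svc = service_of(services, pkt)
    # security policy: {service name: "allow" | "deny"}; unknown services denied
    if svc is None or security_policy.get(svc.name) != "allow":
        return "DROP", pkt
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for rule in nat_rules:
        if src in rule.src and dst in rule.dst and rule.service == svc:
            return "PERMIT", pkt._replace(src=rule.translate_to)
    return "PERMIT", pkt


def run_example():
    https = Service("HTTPS", "tcp", range(443, 444))
    dns = Service("DNS", "udp", range(53, 54))
    telnet = Service("Telnet", "tcp", range(23, 24))
    services = [https, dns, telnet]
    policy = {"HTTPS": "allow", "DNS": "allow", "Telnet": "deny"}
    rules = [NatRule(ipaddress.ip_network("10.0.0.0/8"),
                     ipaddress.ip_network("0.0.0.0/0"), https, "198.51.100.1")]
    pkts = [Packet("10.0.0.5", "203.0.113.7", "tcp", 443),    # SNAT applied
            Packet("10.0.0.5", "203.0.113.7", "udp", 53),     # allowed, no rule
            Packet("10.0.0.5", "203.0.113.7", "tcp", 23),     # denied service
            Packet("172.16.0.9", "203.0.113.7", "tcp", 443)]  # outside rule src
    return [apply_nat_policy(services, policy, rules, p) for p in pkts]
```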

TOE Security Functional Requirements Satisfied: FDP_ACC.2, FDP_ACF.1, FDP_IFC.2(a), FDP_IFC.2(b), FDP_IFF.1(a), FDP_IFF.1(b), FDP_UCT.1, FDP_UIT.1.

6.1.4 Identification and Authentication

Users of the TOE can access it in three ways: via the Nortel VPN Client, the CLI, or the GUI. Users are identified and authorized by the TOE’s identification and authentication mechanism whenever they access any of these interfaces. TOE users authenticate to the CLI and the management GUI by providing a valid username and its corresponding password. TOE users authenticate to the Nortel VPN Client by providing either a valid username and its corresponding password or a valid digital certificate.7 Cryptographic functions relevant to the use of digital certificates are discussed in Section 6.1.2. Prior to identification and authentication of a user via the Nortel VPN Client, TOE users are given the opportunity to choose one of these authentication methods. This action (choosing an authentication method) cannot be used by an attacker to disrupt the proper functioning of the TOE.

For each TOE user, the TOE stores a username, a hashed password, and the roles associated with that user, in order to enable authentication via username/password. A user is authenticated when the hash of the entered password matches the stored hashed password. The username/password authentication mechanism is the only implemented probabilistic security mechanism. In the CC mode of operation, the minimum required password length for users is eight characters (with a possible character set of at least 94 characters), which meets the Strength of Function (SOF) claim of SOF-basic.

TOE Security Functional Requirements Satisfied: FIA_UAU.1, FIA_UAU.5, FIA_UID.2.

6.1.5 Security Management

The TOE maintains three roles: the Primary Admin, the Restricted Admin, and the VPN User. The Primary Admin has full access to the TOE. Restricted Admins have only the permissions granted to them by the Primary Admin. Permissions granted to the Restricted Admin by the Primary Admin may include access to administrative

7 See Footnote 3 for more information.

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 47 of 67

© 2008 Nortel Networks
