Nortel Networks 7.05, 7.11 manual Security Objectives Rationale

Page 52

Security Target, Version 3.9

March 18, 2008

 

 

8 Rationale

This section provides the rationale for the selection of the security requirements, objectives, assumptions, and threats. In particular, it shows that the security requirements are suitable to meet the security objectives, which in turn are shown to be suitable to cover all aspects of the TOE security environment.

8.1 Security Objectives Rationale

This section provides a rationale for the existence of each assumption, threat, and policy statement that composes the Security Target. Table 11 demonstrates that the mapping of assumptions, threats, and policies to the security objectives is complete. The discussion that follows provides detailed evidence of coverage for each assumption, threat, and policy.

Table 11 - Relationship of Security Threats to Objectives

Columns (objectives):
TOE Objectives: O.I&A, O.AUDIT, O.SELFPROTECT, O.CONFIDENT, O.INTEGRITY, O.FILTER, O.FUNCTIONS, O.ADMIN, O.TEST, O.REPLAY
Environmental Objectives (grouped in the table as IT and Non-IT): OE.TIME, OE.CERTIFICATE, OE.DOMSEP, OE.PHYS-SEC, OE.TRAINED, OE.DELIVERY

Rows:
Threats (TOE): T.UNDETECT, T.AUTH-ERROR, T.DATA-MOD, T.HACK-CRYPTO, T.HACK
Threats (TOE Environment): TE.PHYSICAL, TE.AUDIT_FAILURE, TE.BAD_CERT
Assumptions: A.TRAINED-ADMIN, A.TIMESTAMPS, A.PHYSICAL, A.CERTIFICATE, A.INSTALL, A.ACCESS, A.DOMSEP

[Only the row and column labels of Table 11 are recoverable here; the cell marks showing which objectives cover each threat and assumption did not survive extraction.]


T.UNDETECT An attacker may gain undetected access due to missing, weak, and/or incorrectly implemented access controls for the restricted files or TSF Data in order to cause violations of integrity, confidentiality, or availability of the information protected by and flowing through the TOE.

The TOE identifies and authenticates users before allowing access to TOE functions and data (O.I&A). The TOE records audit records for data accesses and use of the System functions (O.AUDIT). The TOE provides functionality that enables only authorized users to establish VPN sessions with the TOE using the IPSec protocol (O.FUNCTIONS). The TOE provides functionality that enables testing of its correct functioning and integrity (O.TEST).

O.I&A, O.AUDIT, O.FUNCTIONS, and O.TEST together ensure that this threat is removed.
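The completeness claim made for Table 11 (every threat and assumption traced to at least one objective, and every objective justified by at least one threat or assumption) is something an evaluator checks mechanically rather than by eye. The script below is an added example, not part of the Nortel Security Target or of Corsec's evaluation tooling. It uses the objective, threat, and assumption identifiers listed in Table 11, but only the T.UNDETECT row is stated on this page, so the other rows are left empty (constructed input) to show how a gap is reported. The "misallocated" finding assumes the usual Common Criteria convention that assumptions and environment threats (TE.*) are upheld by environmental objectives (OE.*) alone; the `check_coverage` and `render_matrix` functions are hypothetical names chosen for this example.

```python
"""Completeness check for an ST's threat/assumption-to-objective traceability matrix.

Added example; not part of the Nortel Security Target. Identifiers are those listed
in Table 11. Only the T.UNDETECT row's mapping is stated on this page, so the other
rows are deliberately empty (constructed input) to show how a gap is reported.
"""
from typing import Dict, Iterable, List, Set

TOE_OBJECTIVES: List[str] = [
    "O.I&A", "O.AUDIT", "O.SELFPROTECT", "O.CONFIDENT", "O.INTEGRITY",
    "O.FILTER", "O.FUNCTIONS", "O.ADMIN", "O.TEST", "O.REPLAY",
]
ENV_OBJECTIVES: List[str] = [
    "OE.TIME", "OE.CERTIFICATE", "OE.DOMSEP",
    "OE.PHYS-SEC", "OE.TRAINED", "OE.DELIVERY",
]
THREATS: List[str] = [
    "T.UNDETECT", "T.AUTH-ERROR", "T.DATA-MOD", "T.HACK-CRYPTO", "T.HACK",  # TOE
    "TE.PHYSICAL", "TE.AUDIT_FAILURE", "TE.BAD_CERT",                       # TOE environment
]
ASSUMPTIONS: List[str] = [
    "A.TRAINED-ADMIN", "A.TIMESTAMPS", "A.PHYSICAL", "A.CERTIFICATE",
    "A.INSTALL", "A.ACCESS", "A.DOMSEP",
]

# Mapping as stated in the rationale for T.UNDETECT (section 8.1). Remaining rows are
# empty on purpose (constructed): this page does not preserve their table cells.
MAPPING: Dict[str, Set[str]] = {
    "T.UNDETECT": {"O.I&A", "O.AUDIT", "O.FUNCTIONS", "O.TEST"},
}


def check_coverage(mapping: Dict[str, Set[str]], rows: Iterable[str],
                   objectives: Iterable[str]) -> Dict[str, object]:
    """Evaluate the matrix the way an evaluator reads Table 11.

    Findings returned:
      uncovered_rows     - threats/assumptions with no objective (rationale incomplete)
      unused_objectives  - objectives that counter nothing (objective not justified)
      unknown_objectives - mapping references an objective the ST does not define
      unknown_rows       - mapping references a threat/assumption the ST does not define
      misallocated_rows  - assumptions or TE.* threats met by a TOE objective (O.*),
                           contrary to the assumed CC convention that only the
                           environment upholds assumptions and environment threats
    """
    rows = list(rows)
    objectives = list(objectives)
    referenced: Set[str] = set().union(*mapping.values())

    uncovered_rows = [r for r in rows if not mapping.get(r)]
    unused_objectives = [o for o in objectives if o not in referenced]
    unknown_objectives = sorted(referenced - set(objectives))
    unknown_rows = sorted(set(mapping) - set(rows))
    misallocated_rows = sorted(
        r for r, objs in mapping.items()
        if (r.startswith("A.") or r.startswith("TE."))
        and any(o.startswith("O.") for o in objs)
    )
    complete = not (uncovered_rows or unused_objectives or unknown_objectives
                    or unknown_rows or misallocated_rows)
    return {
        "uncovered_rows": uncovered_rows,
        "unused_objectives": unused_objectives,
        "unknown_objectives": unknown_objectives,
        "unknown_rows": unknown_rows,
        "misallocated_rows": misallocated_rows,
        "complete": complete,
    }


def render_matrix(mapping: Dict[str, Set[str]], rows: Iterable[str],
                  objectives: Iterable[str]) -> str:
    """Plain-text rendering of the matrix: an 'X' where a row is covered by a column."""
    rows = list(rows)
    objectives = list(objectives)
    width = max(len(r) for r in rows)
    lines = [" " * width + " | " + " ".join(objectives)]
    for r in rows:
        cells = ["X".center(len(o)) if o in mapping.get(r, set()) else " " * len(o)
                 for o in objectives]
        lines.append(r.ljust(width) + " | " + " ".join(cells))
    return "\n".join(lines)


if __name__ == "__main__":
    all_rows = THREATS + ASSUMPTIONS
    all_objectives = TOE_OBJECTIVES + ENV_OBJECTIVES
    print(render_matrix(MAPPING, all_rows, all_objectives))
    for finding, value in check_coverage(MAPPING, all_rows, all_objectives).items():
        print(f"{finding}: {value}")
```

Run against the page's own data the checker reports `complete: False`, with every row except T.UNDETECT listed as uncovered and every objective other than the four named for T.UNDETECT listed as unused; as the remaining rows of Table 11 are filled in from the full Security Target, those lists shrink until the table is consistent with the claim in section 8.1.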

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 52 of 67

© 2008 Nortel Networks

 
