Nortel Networks 7.11, 7.05 manual Branch Office Deployment Configuration of the TOE

Page 9

Security Target, Version 3.9

March 18, 2008


mode, a Nortel VPN Router on one Enterprise network segment will establish a VPN tunnel with another Nortel VPN Router on another Enterprise network segment. All communications between the two network segments are protected by the VPN tunnel. Figure 2 below shows a typical deployment configuration for Branch Office mode:

Figure 2 – Branch Office Deployment Configuration of the TOE

VPN sessions between the TOE components (the Nortel VPN Client and the Nortel VPN Router) can be established using various tunneling protocols, including L2TP, L2F, PPTP, and/or IP Security (IPSec); however, IPSec is the only tunneling protocol that can be used to establish a VPN session in the Common Criteria (CC) mode of operation. For this reason, IPSec is the only tunneling protocol that is discussed in detail in this Security Target document. Although a thorough discussion and analysis of the IPSec protocol is beyond the scope of this document, a brief description of the protocol is given below.

The IPSec protocol is designed to mitigate security threats to IP datagrams in three main areas: “spoofing” of IP addresses; IP datagram tampering and/or replaying; and IP datagram confidentiality. IPSec provides these security services at the Open Systems Interconnection (OSI) Network Layer (which is the layer containing the IP protocol) via combinations of cryptographic protocols and other security mechanisms. IPSec enables systems to dynamically select and require certain security protocols and cryptographic algorithms, and generate and utilize the cryptographic material (i.e., keys) required to provide the requested services. These services include:

- Access control to network elements
- Data origin authentication
- Integrity for connection-less protocols (such as User Datagram Protocol (UDP))
- Detection and rejection of replayed IP packets (i.e. IP datagrams)
- Data confidentiality via encryption
- Partial traffic-flow confidentiality

These services are available for transparent use by any protocols which operate at higher levels in the OSI network stack.[1]
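Of the services listed above, replay detection is the one most easily shown in code. The following added example (not from the Security Target or from Nortel's product) implements the sliding-window anti-replay check that IPSec ESP and AH receivers use: the receiver remembers the highest sequence number accepted so far plus a bitmap of which of the preceding 64 sequence numbers have already been seen, and rejects any datagram whose sequence number is a duplicate or has fallen behind the window. The window size and the constructed sequence-number trace are assumptions chosen for illustration.

```python
class AntiReplayWindow:
    """Sliding-window replay detection for a single security association.

    `last_seq` is the highest sequence number accepted so far; bit i of
    `bitmap` is set when sequence number (last_seq - i) has been accepted.
    Sequence number 0 is never valid (the first packet of an SA uses 1).
    """

    def __init__(self, size=64):  # 64 is the conventional minimum window
        self.size = size
        self.last_seq = 0
        self.bitmap = 0

    def check_and_update(self, seq):
        """Return True and record `seq` if it is fresh; False if replayed/too old."""
        if seq == 0:
            return False
        if seq > self.last_seq:
            # Newer than anything seen: slide the window forward.
            shift = seq - self.last_seq
            if shift < self.size:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            else:
                self.bitmap = 1  # jumped past the whole window; only seq is marked
            self.last_seq = seq
            return True
        offset = self.last_seq - seq
        if offset >= self.size:
            return False  # older than the window: cannot tell if replayed, reject
        if self.bitmap & (1 << offset):
            return False  # already accepted once: replay
        self.bitmap |= 1 << offset  # late but legitimate (reordered) datagram
        return True


def filter_sequence(seqs, size=64):
    """Run a trace of sequence numbers through one window; return accept flags."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed trace: in-order, reordered, duplicated and very late datagrams.
    trace = [1, 5, 3, 5, 3, 105, 40, 42, 0]
    for seq, ok in zip(trace, filter_sequence(trace)):
        print(f"seq {seq:>3}: {'accept' if ok else 'reject'}")
```

Reordered datagrams that are still inside the window (sequence 3 arriving after 5) are accepted once, a second copy of any accepted sequence number is rejected, and a datagram that arrives after the window has moved past it (40 after 105) is rejected because the receiver can no longer prove it is not a replay.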

The TOE also provides stateful inspection firewall functionality which protects the private network from attack by parties on the public network. The firewall inspects the packets flowing through the router and uses administrator-configurable rules to determine whether or not to allow each packet to pass through to its intended destination.
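To make the difference between a stateful inspection firewall and a plain packet filter concrete, here is an added example (not code from the Security Target or from the Nortel VPN Router) of the decision logic described above: administrator-defined rules decide whether a new connection may be opened, and a connection table then lets the reply traffic of an allowed connection back through without any rule for it. The rule format, the two sample rules and the packet trace are constructed for this illustration.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "out": private -> public, "in": public -> private
    syn: bool = False  # TCP SYN flag, i.e. the first segment of a connection


@dataclass
class Rule:
    """One administrator-configured rule; None fields match anything."""
    action: str                    # "allow" or "deny"
    direction: str
    proto: Optional[str] = None
    dst_port: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if self.direction != pkt.direction:
            return False
        if self.proto is not None and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dport:
            return False
        return True


class StatefulFirewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()  # 5-tuples of connections that a rule has allowed

    def process(self, pkt: Packet) -> str:
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Traffic of an established connection passes in either direction.
        if fwd in self.state or rev in self.state:
            return "allow"
        # 2. A TCP segment without SYN and without state is not a legitimate
        #    new connection (e.g. a spoofed ACK probe): drop it before rules.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"
        # 3. New flow: first matching rule decides; nothing matching means deny.
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.action == "allow":
                    self.state.add(fwd)
                return rule.action
        return "deny"


def run_trace(rules, packets):
    """Feed packets through one firewall instance; return the decisions."""
    fw = StatefulFirewall(rules)
    return [fw.process(p) for p in packets]


# Constructed policy: inside hosts may open HTTPS and DNS sessions outbound;
# nothing may be opened from the public side.
SAMPLE_RULES = [
    Rule("allow", "out", "tcp", 443),
    Rule("allow", "out", "udp", 53),
]

# Constructed trace (private host 10.0.0.5, public hosts in documentation ranges).
SAMPLE_PACKETS = [
    Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 443, "out", syn=True),  # new HTTPS
    Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40000, "in"),            # its reply
    Packet("tcp", "198.51.100.7", 5555, "10.0.0.5", 22, "in", syn=True),    # unsolicited SSH
    Packet("tcp", "10.0.0.5", 40001, "203.0.113.10", 23, "out", syn=True),  # telnet, no rule
    Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40002, "in"),            # ACK with no state
    Packet("udp", "10.0.0.5", 50000, "203.0.113.53", 53, "out"),            # DNS query
    Packet("udp", "203.0.113.53", 53, "10.0.0.5", 50000, "in"),             # DNS answer
]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, run_trace(SAMPLE_RULES, SAMPLE_PACKETS)):
        print(f"{verdict:5} {pkt.direction:3} {pkt.proto} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The reply segments (packets 2 and 7) are allowed only because the outbound request that preceded them created a state entry; the same inbound packets arriving without that entry would be dropped, which is what distinguishes stateful inspection from stateless filtering on port numbers.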

TOE users fall into two groups:

1) Users who have access to the administrative functionality of the TOE.

2) Users who can only establish a VPN session with the TOE in order to have access to the network protected by the TOE.

[1] Davis, Carlton R. IPSec: Securing VPNs. RSA Press, 2001.

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 9 of 67

© 2008 Nortel Networks
