Nortel Networks 7.05, 7.11 manual User Data Protection, Page 46 of

Models: 7.11 7.05


Security Target, Version 3.9

March 18, 2008

 

 

for reuse. This ensures that the keys are completely destroyed before any other process might have access to that memory location.

TOE Security Functional Requirements Satisfied: FCS_CKM.1(a), FCS_CKM.1(b), FCS_CKM.4, FCS_COP.1(a), FCS_COP.1(b), FCS_COP.1(d), FCS_COP.1(e)

6.1.3 User Data Protection

The TOE enforces access controls on each administrator and user of the TOE based on the privileges held by that user.

Access Control SFP: The TOE enforces the Access Control SFP on administrators by assigning privileges to administrators. The TOE configuration parameters can only be modified by those administrative users granted permission to do so by the Primary Admin. Administrators (specifically Restricted Admins) have a restricted level of access based on the permissions granted to them by the Primary Admin. Details of these privilege levels can be found in Section 2.3.2.5. All administrators must be authenticated before access is granted. The Primary Admin has access to all administrative functions after successfully being identified and authenticated to the TOE.

VPN Information Flow Control SFP: The TOE enforces the VPN Information Flow Control SFP by allowing connections only from VPN Clients who authenticate to the remote Nortel VPN Router (via the Nortel VPN Client) with either a username/password combination or via a digital certificate. The VPN Information Flow Control SFP is also enforced based on user identity and authentication credentials. The VPN Information Flow Control SFP enforces session tunnel filtering based on a packet’s protocol ID, direction, source and destination IP addresses, source and destination ports, and service.

The TSF enforces the VPN Information Flow Control SFP on user data in order to protect sent or received data from modification, deletion, insertion, or replay. Thus, the TSF can determine if the data has been modified, deleted, inserted, or replayed via the VPN Information Flow Control SFP.

The connection attributes configured in the Nortel VPN Router enable the remote user to create a tunnel into the Nortel VPN Router. The actual connection to the Nortel VPN Router is a tunnel that is started from the remote user’s PC, through the public network, and ends at the Nortel VPN Router on the private network. The Nortel VPN Router associates all remote users with a group which dictates the attributes (and privileges) that are assigned to a remote user session.

The VPN Information Flow Control SFP enforces the IPSec protocol for establishing a VPN. The VPN session that is established by remote users creates a trusted communications path between the remote user and the TOE. This communications path is logically distinct from other paths due to the cryptography that is used to encrypt the trusted session.

The TOE supports “split-tunneling,” which assigns a unique IP address to an established IPSec tunnel, which is different than (and is held simultaneously with) the IP address assigned to the host machine which established the tunnel. During split-tunneling, any packet sent from the host machine to the public network must have as its source address the IP address assigned to the tunnel. Any packet sent to the public network with the host’s IP address (or any other address) as the source address is dropped. For example, a user’s host might have an IP address of 192.168.21.3. This user might then establish an IPSec connection with a host on the public network. This IPSec tunnel might be assigned a tunnel IP address of 192.192.192.192. In this case, any packets that attempt to pass outward through the tunnel with a source IP address of 192.168.21.3 (or any address other than 192.192.192.192) are dropped.

Firewall Information Flow Control SFP: The TOE enforces the Firewall Information Flow Control SFP by allowing connections only from hosts on either side of a Nortel VPN Router. The Firewall Information Flow Control SFP is also enforced on packets based on their source and destination interface, source and destination IP addresses, source and destination ports, direction, and service.

The TOE’s Firewall examines both incoming and outgoing packets and compares them to a security policy. If the packet sequence numbers indicate a repeated packet, the TOE drops the packets as an identified replay attack.

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 46 of 67

© 2008 Nortel Networks

 
