Nortel Networks 7.11, 7.05 manual Identification and Authentication, Security Management

VPN Information Flow Control SFP and Firewall Information Flow Control SFP: Both SFPs enforce a stateful Firewall. Each time a TCP connection is established from a host on the internal network to a host on the external network through the Nortel VPN Router, information about the connection is recorded in a stateful session flow table. The state table contains the source and destination addresses and port number(s) for each TCP connection associated with that particular host. This information creates a connection object in the Nortel VPN Router. Inbound packets are compared against session flows in the connection table and are permitted through the Nortel VPN Router only if an appropriate connection already exists to validate their passage. This connection object is terminated when the session is finished.

Both SFPs enforce Network Address Translation (NAT) functionality which helps to provide transparent routing between private IP address spaces. NAT allows the dynamic connection of multiple private networks via secure tunnels without requiring any address space reconfiguration. The NAT policy is configured by administrators either via the GUI or the CLI. The NAT policy in the TOE is associated with a security property and a security policy. The security property defines the type of service offered (including the service name, the protocol (TCP, UDP, ICMP), and the port number (or range) on which the service occurs). The security policy is a set of rules that specifies which service is allowed or denied.

Within the Nortel VPN Router, the source address of a packet is translated after the packet has gone through the Nortel VPN Router if a matching source NAT rule is found. A NAT policy consists of one or more NAT rules. A NAT rule describes the translation action to take for a particular source, destination, or service. NAT is applied to routed traffic passing through the TOE’s physical interfaces using separate NAT policies. The NAT policy is retrieved from the LDAP database after system initialization and packets are processed according to the NAT policy rules.

TOE Security Functional Requirements Satisfied: FDP_ACC.2, FDP_ACF.1, FDP_IFC.2(a), FDP_IFC.2(b), FDP_IFF.1(a), FDP_IFF.1(b), FDP_UCT.1, FDP_UIT.1.

6.1.4 Identification and Authentication

Users of the TOE can access it in three ways: via the Nortel VPN Client, the CLI, or the GUI. Users are processed and authorized by the TOE’s identification and authentication mechanism whenever they access any of these interfaces. TOE users can authenticate to the CLI and the management GUI by providing a valid username and its corresponding password. TOE users can authenticate to the Nortel VPN Client by providing either a valid username and its corresponding password or a valid digital certificate.7 Cryptographic functions relevant to the use of digital certificates are discussed in Section 6.1.2. Prior to identification and authentication of a user via the Nortel VPN Client, TOE users are given the opportunity to choose one of these authentication methods. This action (choosing an authentication method) can not be used by an attacker to disrupt the proper functioning of the TOE.

The TOE stores a username, a hashed password, and the roles associated with the user, for each TOE user in order to enable authentication via username/password. A user is authenticated when the hash of the password that has been entered matches the stored hashed password. The username/password authentication mechanism is the only implemented probabilistic security mechanism. In the CC mode of operation, the minimum required password length for users is eight characters (with a possible character set of at least 94 characters), which meets the Strength of Function (SOF) claim of SOF-basic.

TOE Security Functional Requirements Satisfied: FIA_UAU.1, FIA_UAU.5, FIA_UID.2.

6.1.5 Security Management

The TOE maintains three roles, the Primary Admin, the Restricted Admin, and the VPN User. The Primary Admin has full access to the TOE. The Restricted Admins have only the permissions granted to them by the Primary Admin. Permissions granted to the Restricted Admin by the Primary Admin may include access to administrative

7 See Footnote 3 for more information.