That are used to enforce the SFP FMTMSA.3a,b,c

Security Target, Version 3.9	March 18, 2008

required to use SHA-1 and it must be implemented according to RFC 3174 [FCS_CKM.1(a), FCS_CKM.4, and FCS_COP.1(a,b,c,d,e,f)].

O.CONFIDENT The TOE must use the IPSec tunneling protocol to ensure confidentiality of data transmitted between the Nortel VPN Client and the Nortel VPN Router, and/or between two Nortel VPN Routers.

The TOE is required to use the specified tunneling protocol to better protect the confidentiality of the data transmitted between its different parts. The RSA suite of algorithms and the Diffie- Hellman algorithm used by the TOE for cryptographic operations must be implemented according to RFC 3447 for RSA and RFC 2631 for Diffie-Hellman. The TOE is required to destroy unused keys by zeroizing them. For encryption and decryption operations, the TOE is required to use the 3DES and AES algorithms and they must be implemented according to FIPS 46-3 for 3DES and FIPS 197 for AES. For authentication, the TOE is required to use HMAC-SHA-1 and it must be implemented according to RFC 2104. For hashing, the TOE is required to use SHA-1 and it must be implemented according to RFC 3174 [FCS_CKM.1(a), FCS_CKM.4, and FCS_COP.1(a,b,d,c,e,f)].

All the operations between the different parts of the TOE must be scrutinized by the TOE against the VPN information flow control SFP and the Firewall information flow control SFP using specific security attributes. During this task, the TOE is required to make use of its Firewall, NAT, and IPSec tunneling protocol implementations [FDP_IFC.2(a), FDP_IFF.1(a), FDP_UCT.1, and FDP_UIT.1].

O.FUNCTIONS The TOE must provide functionality that enables only authorized user to establish VPN sessions with the TOE using IPSec protocol.

	Using the Access Control SFP, the TSF is required to provide the ability to restrict managing the
	behavior, and modifying the security attributes of functions of the TOE to authorized users of the
	TOE [FMT_MOF.1(a,b)]. The TOE is required to only accept secure values for security attributes
	[FMT_MSA.2]. The TOE SFPs are required to provide restrictive default values and to
	alternatively provide authorized users the ability to override default values for security attributes
	that are used to enforce the SFP [FMT_MSA.3(a,b,c)].
	The TSF is required to perform security management functions such as create log-ins and assign
	roles to user log-in IDs [FMT_SMF.1]. The TOE must be able to recognize the different
	administrative and user roles that exist for the TOE [FMT_SMR.1].
	The TSF is required to provide a logically distinct and protected communication path for secure
	VPN communication with remote users [FTP_TRP.1].
O.ADMIN	The TOE will provide facilities to enable an authorized administrator to effectively manage
	the TOE and its security function, and will ensure that only authorized administrators are
	able to access such functionality.
	The TSF is required to provide the ability to restrict managing the behavior, and modifying the
	security attributes of functions of the TOE to authorized users of the TOE [FMT_MOF.1(a,b)].
	The TSF is required to enforce the Access Control SFP to restrict the ability to modify the security
	attributes to authorized administrators [FMT_MSA.1(a,b,c,d,e)].
	The TOE is required to only accept secure values for security attributes [FMT_MSA.2]. The TOE
	SFPs are required to provide restrictive default values and to alternatively provide authorized users
	the ability to override default values for security attributes that are used to enforce the SFP
	[FMT_MSA.3(a,b,c)].

Nortel VPN Router v7.05 and Client Workstation v7.11	Page 58 of 67
© 2008 Nortel Networks

Nortel Networks 7.05, 7.11 manual that are used to enforce the SFP FMTMSA.3a,b,c

Models: 7.11 7.05

that are used to enforce the SFP [FMT_MSA.3(a,b,c)].