Archived
TD0162: Consistency of mapping between Security Objectives and SFRs
Publication Date
2017.03.15
Protection Profiles
PP_ND_IPS_EP_V1.0
Other References
PP_ND_IPS_EP_V1.0
Issue Description
Inconsistent list of security objectives between the SPD (Section 3) and the "Security Objectives for the TOE" (Section 7.2.1) as well as inconsistency of mappings between security objectives and SFRs (Table 7-4).
Resolution
Section 3.1
Replace sub-section 3.1 (System Monitoring) with the following:
3.1 Traffic Monitoring (or similar title) To be able to analyze and react to potential network policy violations, the IPS must be able to collect and store essential data elements of network traffic on monitored networks. (O.IPSSENSE -> FAU_GEN.1(2), IPS_NTA_EXT.1, IPS_IPB_EXT.1, IPS_SBD_EXT.1, IPS_ABD_EXT.1, FAU_ARP.1, FAU_SAR.1, FAU_SAR.2, FAU_SAR.3, FAU_STG.1, FAU_STG.4, FMT_MOF.1, FMT_MTD.1(2), FMT_SMR.1(2), FPT_FLS.1, FRU_RSA.1)
Section 3.2 Update Section 3.2 as follows: (O.IPSANALYZE -> FAU_GEN.1(2), IPS_NTA_EXT.1, IPS_IPB_EXT.1, IPS_SBD_EXT.1, IPS_ABD_EXT.1, FRU_RSA.1)
Section 3.3 Update Section 3.3 as follows: (O.IPSREACT -> FAU_GEN.1(2), IPS_NTA_EXT.1, IPS_IPB_EXT.1, IPS_SBD_EXT.1, IPS_ABD_EXT.1, FAU_ARP.1, FAU_SAR.1, FAU_SAR.2, FAU_SAR.3, FRU_RSA.1)
Section 3.4 Update Section 3.4 as follows: (O.TOE_ADMINISTRATION -> FMT_SMF.1(2), FAU_GEN.1(2), FAU_ARP.1, FAU_SAR.1, FAU_SAR.2, FAU_SAR.3, FAU_STG.1, FAU_STG.4, FMT_MOF.1, FMT_MTD.1(2), FMT_SMR.1(2), FPT_FLS.1, FRU_RSA.1)
Update Table 7-5 as follows:
Objective
|
Description
|
O.IPSSENSE
|
To be able to analyze and react to potential network policy violations, the IPS must be able to collect and store essential data elements of network traffic on monitored networks.
|
O.IPSANALYZE
|
Entities that reside on or communicate across monitored networks must have network activity effectively analyzed for potential violations of approved network usage.
The TOE must be able to effectively analyze data collected from monitored networks to reduce the risk of unauthorized disclosure of information, inappropriate access to services, and misuse of network resources.
|
O.IPSREACT
|
The TOE must be able to react in real-time as configured by the IPS administrators to terminate and/or blocking traffic flows that have been determined to violate administrator-defined IPS policies.
|
O.TOE_ADMINISTRATION
|
To address the issues involved with a trusted means of administration of the intrusion prevention capability this security objective, which originated in the NDPP, is extended as follows.
Compliant TOEs will provide the functions necessary for an administrator to configure the IPS policies that are enforced by the TOE. Note it is assumed that use of the functions indicated below is protected in accordance with the requirements in the NDPP.
|
Compliant TOEs will provide the functions necessary for an administrator to configure the IPS policies that are enforced by the TOE. Note it is assumed that use of the functions indicated below is protected in accordance with the requirements in the NDPP.
Update Table 7-4 follows:
Threat, OSP or Assumption
|
Security Objective(s)
|
SFRs
|
A.CONNECTIONS
|
OE.CONNECTIONS
|
N/A
|
T.NETWORK_DISCLOSURE
|
O.IPSSENSE
O.IPSANALYZE
O.IPSREACT
O.TOE_ADMINISTRATION
|
FAU_GEN.1(2), IPS_NTA_EXT.1, IPS_IPB_EXT.1, IPS_SBD_EXT.1, IPS_ABD_EXT.1, FMT_SMF.1(2)
Optional SFRs:
FAU_ARP.1, FAU_SAR.1, FAU_SAR.2, FAU_SAR.3, FAU_STG.1, FAU_STG.4, FMT_MOF.1, FMT_MTD.1(2), FMT_SMR.1(2), FPT_FLS.1, FRU_RSA.1
|
T.NETWORK_ACCESS
|
O.IPSSENSE
O.IPSANALYZE
O.IPSREACT
O.TOE_ADMINISTRATION
|
FAU_GEN.1(2), IPS_NTA_EXT.1, IPS_IPB_EXT.1, IPS_SBD_EXT.1, IPS_ABD_EXT.1, FMT_SMF.1(2)
Optional SFRs:
FAU_ARP.1, FAU_SAR.1, FAU_SAR.2, FAU_SAR.3, FAU_STG.1, FAU_STG.4, FMT_MOF.1, FMT_MTD.1(2), FMT_SMR.1(2), FPT_FLS.1, FRU_RSA.1
|
T.NETWORK_MISUSE
|
O.IPSSENSE
O.IPSANALYZE
O.IPSREACT
O.TOE_ADMINISTRATION
|
FAU_GEN.1(2), IPS_NTA_EXT.1, IPS_IPB_EXT.1, IPS_SBD_EXT.1, IPS_ABD_EXT.1, FMT_SMF.1(2)
Optional SFRs:
FAU_ARP.1, FAU_SAR.1, FAU_SAR.2, FAU_SAR.3, FAU_STG.1, FAU_STG.4, FMT_MOF.1, FMT_MTD.1(2), FMT_SMR.1(2), FPT_FLS.1, FRU_RSA.1
|
T.NETWORK_DOS
|
O.IPSSENSE
O.IPSANALYZE
O.IPSREACT
O.TOE_ADMINISTRATION
|
FAU_GEN.1(2), IPS_NTA_EXT.1, IPS_IPB_EXT.1, IPS_SBD_EXT.1, IPS_ABD_EXT.1, FMT_SMF.1(2)
Optional SFRs:
FAU_ARP.1, FAU_SAR.1, FAU_SAR.2, FAU_SAR.3, FAU_STG.1, FAU_STG.4, FMT_MOF.1, FMT_MTD.1(2), FMT_SMR.1(2), FPT_FLS.1, FRU_RSA.1
|
P.ANALYZ
|
O.IPSANALYZE
|
FAU_GEN.1(2), IPS_NTA_EXT.1, IPS_IPB_EXT.1, IPS_SBD_EXT.1, IPS_ABD_EXT.1
Optional SFRs:
FRU_RSA.1
|
Justification
Maintain consistency of definitions and mappings of Security Objectives and SFRs throughout EP.
|