O.ADDRESS_FILTERING
|
FPF_RUL_EXT.1
|
This SFR supports the objective by requiring the TSF to filter network traffic based on network address information.
|
FTA_VCM_EXT.1 (optional)
|
This SFR supports the objective by optionally allowing the TOE to assign a private IP address to a VPN client so that traffic bound for an alternative address can be flagged as invalid.
|
O.AUTHENTICATION
|
FCS_IPSEC_EXT.1 (refined from Base-PP)
|
This SFR supports the objective by requiring the TOE to implement the IPsec protocol as a method of authenticating external entities.
|
FIA_X509_EXT.1/Rev (from Base-PP)
|
This SFR supports the objective by requiring the TOE to implement X.509 validation functions so that it can authenticate remote entities that assert their identity using X.509 certificates.
|
FIA_X509_EXT.2 (refined from Base-PP)
|
This SFR supports the objective by requiring the TOE to implement X.509 authentication functions so that it can authenticate remote entities that assert their identity using X.509 certificates.
|
FIA_X509_EXT.3 (from Base-PP)
|
This SFR supports the objective by requiring the TOE to have the ability to generate a certificate request so that it can be issued an X.509 certificate that allows the TSF to offer proof of its own authenticity to external entities.
|
FTP_ITC.1/VPN
|
This SFR supports the objective by requiring the TOE to use an IPsec trusted channel to communicate with external entities so that these entities may be authenticated.
|
FTA_SSL.3/VPN (optional)
|
This SFR supports the objective by optionally allowing the TSF to terminate inactive VPN sessions so that an unattended session cannot be used to bypass authentication mechanisms.
|
FTA_TSE.1 (optional)
|
This SFR supports the objective by optionally defining alternative mechanisms to determine the validity of a subject to reject unauthorized or impersonated authentication attempts.
|
FIA_PSK_EXT.1 (selection-based)
|
This SFR supports the objective by defining requirements for the use of pre-shared keys for IPsec authentication when the TOE supports this authentication method.
|
O.CRYPTOGRAPHIC_FUNCTIONS
|
FCS_COP.1/DataEncryption (refined from Base-PP)
|
This SFR supports the objective by requiring the TOE to implement AES in a specified manner.
|
FCS_IPSEC_EXT.1 (refined from Base-PP)
|
This SFR supports the objective by requiring the TOE to implement the IPsec protocol in a specified manner.
|
FCS_CKM.1/IKE
|
This SFR supports the objective by requiring the TOE to generate cryptographic keys used for IKE in a specified manner.
|
FIA_PSK_EXT.1 (selection-based)
|
This SFR supports the objective by requiring the TOE to generate pre-shared keys used for IPsec in a specified manner if the TSF supports this authentication mechanism.
|
O.FAIL_SECURE
|
FPT_TST_EXT.1 (refined from Base-PP)
|
This SFR supports the objective by requiring the TOE to execute self-tests that allow the TSF to determine if it is in a failed state.
|
FPT_TUD_EXT.1 (refined from Base-PP)
|
This SFR supports the objective by requiring the TOE to validate software updates before applying them to reduce the risk of the TOE entering a failed state.
|
FPT_FLS.1/SelfTest
|
This SFR supports the objective by requiring the TOE to preserve a secure state if a self-test failure is detected.
|
FPT_TST_EXT.3
|
This SFR supports the objective by requiring the TOE to verify the integrity of its executable code to ensure that it will operate in a known state.
|
O.PORT_FILTERING
|
FPF_RUL_EXT.1
|
This SFR supports the objective by requiring the TSF to filter network traffic based on port information.
|
O.SYSTEM_MONITORING
|
FAU_GEN.1 (refined from Base-PP)
|
This SFR supports the objective by specifying the auditable events required by the TOE, which includes auditing of VPN behavior.
|
FPF_RUL_EXT.1
|
This SFR supports the objective by requiring the TOE to have the ability to log network traffic that matches certain characteristics.
|
O.TOE_ADMINISTRATION
|
FMT_MTD.1/CryptoKeys (refined from Base-PP)
|
This SFR supports the objective by requiring the TOE to implement a key management function and ensure that only authorized users can use it.
|
FMT_SMF.1 (refined from Base-PP)
|
This SFR supports the objective by refining the Base-PP requirement to mandate the inclusion of certain optional management functions that are needed to support VPN gateway functionality. It also specifies the management functions required specifically for VPN gateway functionality.
|