TD0545: NIT Technical Decision for Conflicting FW rules cannot be configured (extension of RfI#201837)
Publication Date
2020.10.15
Protection Profiles
MOD_CPP_FW_v1.3, MOD_CPP_FW_v1.4e
Other References
FWMOD SD v1.3, FWMOD SD v1.4e, FFW_RUL_EXT.1.8
Issue Description
The NIT has issued a technical decision for Conflicting FW rules cannot be configured (extension of RfI#201837).
Resolution
For FFW_RUL_EXT.1.8, the following paragraph shall be added to the TSS section: "If the TOE implements a mechanism that ensures that no conflicting rules can be configured, the TSS shall describe the underlying mechanism."

For FFW_RUL_EXT.1.8, Test 1 shall be replaced as follows:

Test 1: If the TOE implements a mechanism that ensures that no conflicting rules can be configured, the evaluator shall attempt to configure two conflicting rules and verify that the TOE rejects the conflicting rule(s). The evaluator shall also verify that this mechanism is implemented in the TOE itself and not in the non-TOE operational environment. If the TOE does not implement such a mechanism, the evaluator shall devise two stateful traffic filtering rules with identical match criteria but opposite operations (permit and drop). The rules shall then be deployed in each of the two possible orders, and in each case the evaluator shall confirm, by generating applicable packets and examining packet captures and audit logs, that the rule listed first is the one enforced.

For further information, see the NIT interpretation at: https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRfi202013.pdf
Justification
See issue description.
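The revised Test 1 above distinguishes two kinds of TOE: one whose rule store refuses a contradictory rule at configuration time, and one that accepts both rules and enforces whichever appears first in the ordered table. The following is an added example, not part of the NIAP Technical Decision or of any evaluated product, that models both behaviours so the two expected outcomes can be seen side by side. The rule and packet fields, the default-deny policy, and the definition of a conflict as "identical match criteria, different action" are assumptions of this model, as are all class and function names.

```python
"""Added example, not part of the NIAP TD or of any evaluated TOE.

Minimal model of a stateful traffic-filtering rule table showing the two cases
the revised FFW_RUL_EXT.1.8 Test 1 distinguishes: a TOE without a
conflict-prevention mechanism (both rules load, the first in the table is
enforced) and a TOE with one (the second, conflicting rule is rejected).
Rule fields, default-deny and the conflict definition are assumptions here.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    dport: int


@dataclass(frozen=True)
class Rule:
    protocol: str         # "tcp", "udp" or "any"
    src: str              # source address or "any"
    dst: str              # destination address or "any"
    dport: Optional[int]  # destination port, None for any port
    action: str           # "permit" or "drop"

    def match_key(self) -> Tuple[str, str, str, Optional[int]]:
        """Match criteria only; two rules with equal keys select the same traffic."""
        return (self.protocol, self.src, self.dst, self.dport)

    def matches(self, pkt: Packet) -> bool:
        return (self.protocol in ("any", pkt.protocol)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst)
                and (self.dport is None or self.dport == pkt.dport))


class FirstMatchRuleTable:
    """Ordered table, first matching rule wins, no conflict check (TOE without mechanism)."""

    def __init__(self) -> None:
        self.rules: List[Rule] = []

    def add(self, rule: Rule) -> None:
        self.rules.append(rule)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:   # evaluated strictly in configured order
            if rule.matches(pkt):
                return rule.action
        return "drop"             # assumed default-deny when nothing matches


class ConflictError(ValueError):
    """Raised when a new rule contradicts an already configured rule."""


class ConflictRejectingRuleTable(FirstMatchRuleTable):
    """Same table, but the rule store itself refuses conflicting rules.

    The check sits in the TOE's rule store, not in a non-TOE management
    component, which is the distinction the TD asks the evaluator to confirm.
    """

    def add(self, rule: Rule) -> None:
        for existing in self.rules:
            if existing.match_key() == rule.match_key() and existing.action != rule.action:
                raise ConflictError(f"{rule} conflicts with configured rule {existing}")
        super().add(rule)


# Constructed test traffic and the "two equal rules with alternate operations".
TEST_PACKET = Packet("tcp", "192.0.2.10", "198.51.100.20", 443)
PERMIT_RULE = Rule("tcp", "192.0.2.10", "198.51.100.20", 443, "permit")
DROP_RULE = Rule("tcp", "192.0.2.10", "198.51.100.20", 443, "drop")


def run_test1_without_mechanism() -> Dict[str, str]:
    """Deploy the pair in both orders; the first rule is expected to win in each."""
    results: Dict[str, str] = {}
    for label, ordered in (("permit_first", (PERMIT_RULE, DROP_RULE)),
                           ("drop_first", (DROP_RULE, PERMIT_RULE))):
        table = FirstMatchRuleTable()
        for rule in ordered:
            table.add(rule)
        results[label] = table.decide(TEST_PACKET)   # on a real TOE: pcap + audit log
    return results


def run_test1_with_mechanism() -> bool:
    """Configure the conflicting pair; True if the second rule is rejected
    and only the first remains in force."""
    table = ConflictRejectingRuleTable()
    table.add(PERMIT_RULE)
    try:
        table.add(DROP_RULE)
    except ConflictError:
        return table.decide(TEST_PACKET) == "permit"
    return False
```

In the first case the evaluator's evidence is behavioural (the same packet is permitted under one ordering and dropped under the other), so packet capture and audit logs are what confirm the result on a real TOE. In the second case the evidence is the rejection itself, and the evaluator should confirm that the rejection originates in the TOE's own rule store rather than in a management interface outside the TOE boundary, otherwise a rule pushed by another path could still produce the first behaviour.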