Archived
TD0656: Missing EAs for VPN GW Optional Headend SFRs
Publication Date
2022.06.24
Protection Profiles
MOD_VPNGW_v1.2
Other References
MOD_VPNGW-SD_V1.2, FTA_SSL.3/VPN, FTA_TSE.1, FTA_VCM_EXT.1
Issue Description
The evaluation activities for the three implementation-dependent optional requirements were unintentionally excluded from the supporting document for MOD_VPNGW_V1.2.
Resolution
MOD_VPNGW-SD_v1.2 is modified as follows:
The following EAs are added for optional requirement FTA_SSL.3/VPN:
TSS
The evaluator shall examine the TSS to verify that it describes the ability of the TSF to terminate an inactive VPN client session.
Guidance
The evaluator shall examine the operational guidance to verify that it provides instructions to the administrator on how to configure the time limit for termination of an active VPN client session.
Tests
The evaluator shall perform the following tests:
The following EAs are added for optional requirement FTA_TSE.1:
TSS
The evaluator shall examine the TSS to verify that it describes the methods by which the TSF can deny the establishment of an otherwise valid remote VPN client session (e.g., client credential is valid, not expired, not revoked, etc.), including day, time, and IP address at a minimum.
Guidance
The evaluator shall review the operational guidance to determine that it provides instructions for how to enable an access restriction that will deny VPN client session establishment for each attribute described in the TSS.
Tests
The evaluator shall perform the following tests:
The following EAs are added for optional requirement FTA_VCM_EXT.1:
TSS
The evaluator shall check the TSS to verify that it asserts the ability of the TSF to assign a private IP address to a connected VPN client.
Guidance
There are no guidance EAs for this component.
Tests
The evaluator shall connect a remote VPN client to the TOE and record its IP address as well as the internal IP address of the TOE. The evaluator shall verify that the two IP addresses belong to the same network. The evaluator shall disconnect the remote VPN client and verify that the IP address of its underlying platform is no longer part of the private network identified in the previous step.
Justification
See issue description
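One way to record the FTA_VCM_EXT.1 test result reproducibly, as an added example that is not part of the Technical Decision or the supporting document. It assumes a Linux VPN client whose addresses are captured with `ip -o -4 addr show`, and it decides "same network" using the prefix length of the TOE's internal interface; the function names and all addresses are constructed for illustration.

```python
import ipaddress
import re

# Interface name, address and prefix length from one `ip -o -4 addr show` line.
_INET = re.compile(r"^\d+:\s+(\S+)\s+inet\s+(\d+\.\d+\.\d+\.\d+)/(\d+)")

def parse_ipv4_addrs(ip_output):
    """Return {interface: [IPv4Interface, ...]} parsed from the captured text."""
    addrs = {}
    for line in ip_output.splitlines():
        m = _INET.match(line.strip())
        if m:
            iface, addr, plen = m.groups()
            addrs.setdefault(iface, []).append(
                ipaddress.ip_interface(f"{addr}/{plen}"))
    return addrs

def addrs_in_network(addrs, network):
    """List (interface, address) pairs whose address lies inside `network`."""
    return [(iface, str(a.ip))
            for iface, lst in addrs.items() for a in lst if a.ip in network]

def check_vcm(toe_internal, connected_output, disconnected_output):
    """Return (assigned_ok, released_ok, evidence) for the two test steps.

    assigned_ok: while connected, the client holds an address in the TOE's
                 internal network.
    released_ok: after disconnect, no client address is left in that network.
    """
    # Assumption: network membership is judged by the TOE interface's prefix,
    # because a tunnel interface on the client is often configured as a /32.
    net = ipaddress.ip_interface(toe_internal).network
    during = addrs_in_network(parse_ipv4_addrs(connected_output), net)
    after = addrs_in_network(parse_ipv4_addrs(disconnected_output), net)
    evidence = {"network": str(net), "during": during, "after": after}
    return bool(during), not after, evidence

# Constructed sample captures (documentation and private address ranges).
TOE_INTERNAL = "10.20.0.1/24"
CONNECTED = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 198.51.100.23/24 brd 198.51.100.255 scope global eth0
7: tun0    inet 10.20.0.57/32 scope global tun0
"""
DISCONNECTED = """\
1: lo    inet 127.0.0.1/8 scope host lo
2: eth0    inet 198.51.100.23/24 brd 198.51.100.255 scope global eth0
"""

if __name__ == "__main__":
    print(check_vcm(TOE_INTERNAL, CONNECTED, DISCONNECTED))
```

The `evidence` dictionary can be pasted into the test report alongside the raw captures, so the network and the matching addresses are stated explicitly for both steps.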