TD0806: Corrections to FAU_SAA.1 and FMT_SMF.1.1/WIDS
Publication Date
2023.12.19
Protection Profiles
MOD_WIDS_V1.0
Other References
FAU_SAA.1, FAU_SAA.1.2, FMT_SMF.1.1/WIDS, MOD_WIDS_V1.0-SD
Issue Description
An ACE work unit assessment uncovered issues with FAU_SAA.1.2 and FMT_SMF.1/WIDS regarding showing assignment completions and refinements. “Wi-Fi Protected Setup” authentication is not a feature of enterprise class wireless access points and there is no delineation between an alert and audit event in several evaluation activities. FAU_SAA.1.2 in MOD_WIDS_V1.0 has several issues:
Test 27: Detection of the physical location of an identified WLAN threat by using triangulation:
Step 1: Deploy a non-allowlisted AP or EUD within range of the TSF.
Step 2: Verify that the TSF can track and locate the AP or EUD to within 5 meters.
Resolution
This TD consolidates changes made in TDs 0558, 0750, and 0799, which are now archived.
FAU_SAA.1.2 in MOD_WIDS_V1.0 is updated as follows, with green-highlighted underlines denoting additions and red-highlighted strikethroughs denoting deletions:
FAU_SAA.1.2 The TSF shall enforce the following rules for monitoring wireless traffic:
a. Accumulation or combination of [selection: [assignment: subset of defined auditable events], no defined auditable events] known to indicate a potential security violation,
b. [Detection of non-allowlisted AP,
c. Detection of non-allowlisted EUD,
d. Detection of authorized EUD establishing peer-to-peer connection with any other EUD,
e. Detection of EUD bridging two network interfaces,
f. Detection of unauthorized point-to-point wireless bridges by allowlisted APs,
g. Alert generated by violation of user defined signature,
h. Detection of ICS connection,
[Items i through ad are not recoverable from this copy of the TD; the only item text that survives reads "Detection of active probing".]
Application Note: These rules are used to detect a potential security violation. A malicious actor who has gained unauthorized access to the TSF possesses the ability to alter its configuration and overall security posture. Maintenance of the rules by adding, modifying or deleting rules from the set of rules is handled by FMT_SMF.1/WIDS.
There is no expectation that the TOE classify or categorize audit records related to TSF configuration changes as malicious activity. If a potential security violation is detected the alert generated for the Administrator is handled by FAU_ARP.1.
FMT_SMF.1/WIDS is updated as follows, with green underlined highlighting denoting additions (bolding of "for WIDS functionality" and italicizing of the first 6 bullets):
FMT_SMF.1.1/WIDS The TSF shall be capable of performing the following management functions for WIDS functionality: [
- Define an inventory of authorized APs based on [selection: MAC addresses, [assignment: other unique device identifier]],
- Define an inventory of authorized EUDs based on MAC addresses,
- Define rules for monitoring and alerting on the wireless traffic,
- Define authorized SSID(s),
- Define authorized WLAN authentication schemes,
- Define authorized WLAN encryption schemes,
... ]].
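As an added illustration (not text or code from the TD, the PP-Module, or any evaluated TOE) of how the FMT_SMF.1.1/WIDS allowlists feed the FAU_SAA.1.2 rules b, c and d, the following toy evaluator checks constructed sensor observations against an Administrator-defined inventory; the field names, placeholder MAC addresses and rule labels are this example's own assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WidsPolicy:
    """Allowlists an Administrator defines via FMT_SMF.1.1/WIDS (field names are this example's)."""
    authorized_aps: frozenset         # inventory of authorized APs, by MAC address
    authorized_euds: frozenset        # inventory of authorized EUDs, by MAC address
    authorized_ssids: frozenset       # authorized SSID(s)
    authorized_auth: frozenset        # authorized WLAN authentication schemes
    authorized_encryption: frozenset  # authorized WLAN encryption schemes


def evaluate(policy: WidsPolicy, obs: dict) -> list:
    """Apply FAU_SAA.1.2 rules b, c and d plus the SSID/auth/encryption allowlists to one
    observed device; a non-empty result is a potential security violation for FAU_ARP.1."""
    mac = obs["mac"].lower()
    fired = []
    if obs["kind"] == "ap":
        if mac not in policy.authorized_aps:
            fired.append("b: non-allowlisted AP")
        if obs.get("ssid") not in policy.authorized_ssids:
            fired.append("unauthorized SSID")
        if obs.get("auth") not in policy.authorized_auth:
            fired.append("unauthorized WLAN authentication scheme")
        if obs.get("encryption") not in policy.authorized_encryption:
            fired.append("unauthorized WLAN encryption scheme")
    elif obs["kind"] == "eud":
        if mac not in policy.authorized_euds:
            fired.append("c: non-allowlisted EUD")
        elif obs.get("peer_kind") == "eud":  # authorized EUD talking directly to another EUD
            fired.append("d: authorized EUD in peer-to-peer connection")
    return fired


def scan(policy: WidsPolicy, observations: list) -> dict:
    """Map each observed MAC to the rules it violated; an empty list means compliant."""
    return {o["mac"].lower(): evaluate(policy, o) for o in observations}


POLICY = WidsPolicy(  # constructed inventory with placeholder MACs, not real devices
    authorized_aps=frozenset({"00:11:22:33:44:55"}),
    authorized_euds=frozenset({"aa:bb:cc:dd:ee:01", "aa:bb:cc:dd:ee:02"}),
    authorized_ssids=frozenset({"CORP-WLAN"}),
    authorized_auth=frozenset({"WPA2-Enterprise"}),
    authorized_encryption=frozenset({"CCMP"}),
)
OBSERVATIONS = [  # constructed sensor observations
    {"kind": "ap", "mac": "00:11:22:33:44:55", "ssid": "CORP-WLAN", "auth": "WPA2-Enterprise", "encryption": "CCMP"},
    {"kind": "ap", "mac": "DE:AD:BE:EF:00:01", "ssid": "CORP-WLAN", "auth": "WPA2-PSK", "encryption": "CCMP"},
    {"kind": "eud", "mac": "aa:bb:cc:dd:ee:01", "peer_kind": "eud"},
    {"kind": "eud", "mac": "aa:bb:cc:dd:ee:99", "peer_kind": "ap"},
]
```

Every fired rule here would be raised as an alert under FAU_ARP.1, distinct from the ordinary audit record of the observation itself.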
The guidance activity and tests 8, 27, and 30 for FAU_SAA.1 in MOD_WIDS_V1.0-SD are modified as follows, with green-highlighted underlines denoting additions and red-highlighted strikethroughs denoting deletions:
Guidance
If the ability of the TSF to detect the different potential security violations is configurable, the evaluator shall verify that the operational guidance provides instructions on how to configure the TOE. The TSF should generate an alert or audit event for all potential violations contained within the rules set forth in FAU_SAA.1.
Test 27: Detection of the physical location of an identified WLAN threat by using triangulation:
Justification
See Issue Description.