Version | Date | Comment |
---|---|---|
2.4 | 2022-03-31 | Incorporation of TC feedback |
2.3 | 2021-08-10 | Support for MDF, Bluetooth updates |
2.2 | 2021-01-05 | Update release |
2.1 | 2019-11-14 | Initial Release |
Assurance | Grounds for confidence that a TOE meets the SFRs [CC]. |
Base Protection Profile (Base-PP) | Protection Profile used as a basis to build a PP-Configuration. |
Collaborative Protection Profile (cPP) | A Protection Profile developed by international technical communities and approved by multiple schemes. |
Common Criteria (CC) | Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408). |
Common Criteria Testing Laboratory | Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations. |
Common Evaluation Methodology (CEM) | Common Evaluation Methodology for Information Technology Security Evaluation. |
Distributed TOE | A TOE composed of multiple components operating as a logical whole. |
Extended Package (EP) | A deprecated document form for collecting SFRs that implement a particular protocol, technology, or functionality. See Functional Packages. |
Functional Package (FP) | A document that collects SFRs for a particular protocol, technology, or functionality. |
Operational Environment (OE) | Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy. |
Protection Profile (PP) | An implementation-independent set of security requirements for a category of products. |
Protection Profile Configuration (PP-Configuration) | A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module. |
Protection Profile Module (PP-Module) | An implementation-independent statement of security needs for a TOE type complementary to one or more Base-PPs. |
Security Assurance Requirement (SAR) | A requirement to assure the security of the TOE. |
Security Functional Requirement (SFR) | A requirement for security enforcement by the TOE. |
Security Target (ST) | A set of implementation-dependent security requirements for a specific product. |
Target of Evaluation (TOE) | The product under evaluation. |
TOE Security Functionality (TSF) | The security functionality of the product under evaluation. |
TOE Summary Specification (TSS) | A description of how a TOE satisfies the SFRs in an ST. |
Administrator | A user that has administrative privilege to configure the TOE in privileged mode. |
Authorized | An entity granted access privileges to an object, system or system entity. |
Critical Security Parameter (CSP) | Security related information, e.g. secret and private cryptographic keys, and authentication data such as passwords and PINs, whose disclosure or modification can compromise the security of a cryptographic module. |
Entropy Source | This cryptographic function provides a seed for a random number generator by accumulating the outputs from one or more noise sources. The functionality includes a measure of the minimum work required to guess a given output and tests to ensure that the noise sources are operating properly. |
IT Environment | Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy. |
Private Network | A network that is protected from access by unauthorized users or entities. |
Privileged Mode | A TOE operational mode that allows a user to perform functions that require IT Environment administrator privileges. |
Public Network | A network that is visible to all users and entities and does not protect against unauthorized access (e.g. internet). |
Threat Agent | An entity that tries to harm an information system through destruction, disclosure, modification of data, or denial of service. |
An entity (device or user) who has not been authorized by an authorized administrator to access the TOE or private network. | |
Unprivileged Mode | A TOE operational mode that only provides VPN client functions for the VPN Client user. |
VPN Client | The TOE; allows remote users to use client computers to establish an encrypted IPsec tunnel across an unprotected public network to a private network. |
VPN Client User | A user operating the TOE in unprivileged mode. |
VPN Gateway | A component that performs encryption and decryption of IP packets as they cross the boundary between a private network and a public network. |
An organization deploying the TOE is expected to satisfy the organizational security policy listed below in addition to all organizational security policies defined by the claimed Base-PP.
This document does not define any additional OSPs.Threat, Assumption, or OSP | Security Objectives | Rationale |
T.UNAUTHORIZED_ACCESS | O.AUTHENTICATION | The TOE mitigates the threat of unauthorized access by requiring IPsec communications to be properly authenticated. |
O.CRYPTOGRAPHIC_FUNCTIONS | The TOE mitigates the threat of unauthorized access by implementing IPsec using strong cryptographic algorithms. | |
T.TSF_CONFIGURATION | O.KNOWN_STATE | The TOE mitigates the threat of inadequate configuration by providing a management interface that allows all security-relevant functionality to be configured. |
OE.TRUSTED_CONFIG | This objective mitigates the threat of misconfiguration by ensuring that a malicious actor is not given direct administrative control over the TOE. | |
T.USER_DATA_REUSE | O.NONDISCLOSURE | The TOE mitigates the threat of data reuse by ensuring that persistently stored data is protected from unauthorized access, non-persistently stored data is appropriately purged, and potentially to ensure that no network traffic is inadvertently transmitted outside of the IPsec tunnel. |
T.TSF_FAILURE | O.KNOWN_STATE | The TOE mitigates the threat of TSF failure by enforcing the use of self-tests so that the TOE remains in a known state, and potentially to generate audit records that allow for potential failures to be diagnosed. |
A.NO_TOE_BYPASS | OE.NO_TOE_BYPASS | This assumption is satisfied by the environmental objective that ensures network routes do not exist that allow traffic to be transmitted from the TOE system to its intended destination without going through the TOE’s IPsec tunnel. |
A.PHYSICAL | OE.PHYSICAL | This assumption is satisfied by the environmental objective that ensures the TOE is not deployed on a system that is vulnerable to loss of physical custody. |
A.TRUSTED_CONFIG | OE.TRUSTED_CONFIG | This assumption is satisfied by the environmental objective that ensures that anyone responsible for administering the TOE can be trusted not to misconfigure it, whether intentionally or not. |
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FCS_CKM.1/VPN | ||
No events specified | N/A | |
FCS_IPSEC_EXT.1 | ||
Decisions to DISCARD or BYPASS network packets processed by the TOE. | ||
Failure to establish an IPsec SA. | ||
Establishment/Termination of an IPsec SA. | ||
FDP_RIP.2 | ||
No events specified | N/A | |
FMT_SMF.1/VPN | ||
Success or failure of management function. | No additional information. | |
FPT_TST_EXT.1/VPN | ||
No events specified | N/A |
The following rationale provides justification for each security objective for the TOE,
showing that the SFRs are suitable to meet and achieve the security objectives:
Objective | Addressed by | Rationale |
---|---|---|
O.AUTHENTICATION | FIA_X509_EXT.3 (when GPOS PP is Base-PP) | This SFR supports the objective by enforcing the use of X.509 certificate authentication for IPsec. |
FDP_IFC_EXT.1 (refined from MDF PP) | This SFR supports the objective by affirming that the TOE includes a VPN client. | |
FIA_X509_EXT.2 (refined from MDF PP) | This SFR supports the objective by enforcing the use of X.509 certificate authentication for IPsec. | |
FIA_X509_EXT.2 (refined from App PP) | This SFR supports the objective by enforcing the use of X.509 certificate authentication for IPsec. | |
FIA_X509_EXT.2 (refined from MDM PP) | This SFR supports the objective by enforcing the use of X.509 certificate authentication for IPsec. | |
FCS_IPSEC_EXT.1 | This SFR supports the objective by requiring the TOE’s implementation of IPsec to include requirements for how the remote VPN gateway or peer is authenticated. | |
FIA_BMA_EXT.1 (optional) | This SFR supports the objective by optionally defining the TOE's support for a platform-based biometric mechanism to use as an authentication mechanism. | |
FPF_MFA_EXT.1 (optional) | This SFR supports the objective by optionally enforcing a multifactor authentication requirement on an IPsec connection. | |
FCS_EAP_EXT.1 (selection-based) | This SFR supports the objective by optionally implementing EAP-TLS or EAP-TTLS as a mechanism for authentication. | |
FIA_HOTP_EXT.1 (selection-based) | This SFR supports the objective by optionally defining the implementation of HOTP as an authentication mechanism. | |
FIA_PSK_EXT.1 (selection-based) | This SFR supports the objective by optionally requiring support for pre-shared keys as an alternate authentication method for IPsec. | |
FIA_PSK_EXT.2 (selection-based) | This SFR supports the objective by optionally specifying whether the TOE generates its own pre-shared keys used for authentication or accept them from an external source. | |
FIA_PSK_EXT.3 (selection-based) | This SFR supports the objective by optionally defining the composition and use of password-based pre-shared keys used for authentication. | |
FIA_PSK_EXT.4 (selection-based) | This SFR supports the objective by optionally defining HOTP as an authentication mechanism. | |
FIA_PSK_EXT.5 (selection-based) | This SFR supports the objective by optionally defining TOTP as an authentication mechanism. | |
FIA_TOTP_EXT.1 (selection-based) | This SFR supports the objective by optionally defining the implementation of TOTP as an authentication mechanism. | |
O.CRYPTOGRAPHIC_FUNCTIONS | FCS_CKM.1 (refined from GPOS PP) | This SFR supports the objective by requiring that the TOE implement key generation using certain methods. |
FCS_CKM.2 (refined from GPOS PP) | This SFR supports the objective by requiring that the TOE implement key establishment using certain methods. | |
FCS_COP.1/1 (refined from GPOS PP) | This SFR supports the objective by requiring that the TOE implement symmetric encryption and decryption using certain methods. | |
FTP_ITC.1 (when GPOS PP is Base-PP) | This SFR supports the objective by requiring the TOE to support the use of IPsec as a trusted channel. | |
FCS_CKM.1 (refined from MDF PP) | This SFR supports the objective by requiring that the TOE implement key generation using certain methods. | |
FCS_CKM.2/UNLOCKED (refined from MDF PP) | This SFR supports the objective by requiring that the TOE implement key establishment using certain methods. | |
FCS_COP.1/ENCRYPT (refined from MDF PP) | This SFR supports the objective by requiring that the TOE implement symmetric encryption and decryption using certain methods. | |
FTP_ITC_EXT.1 (refined from MDF PP) | This SFR supports the objective by requiring the TOE to support the use of IPsec as a trusted channel. | |
FCS_CKM.1/AK (refined from App PP) | This SFR supports the objective by requiring the TOE to implement key generation using certain methods or to support invoking this function from its OS platform. | |
FCS_CKM.2 (refined from App PP) | This SFR supports the objective by requiring the TOE to implement key establishment using certain methods or to support invoking this function from its OS platform. | |
FCS_CKM_EXT.1 (refined from App PP) | This SFR supports the objective by requiring the TOE to specify whether it implements its own cryptographic primitives or invokes platform cryptographic services for these functions. | |
FCS_COP.1/SKC (refined from App PP) | This SFR supports the objective by requiring that the TOE implement symmetric encryption and decryption using certain methods. | |
FTP_DIT_EXT.1 (refined from App PP) | This SFR supports the objective by requiring the TOE to support the use of IPsec as a trusted channel. | |
FCS_CKM.1 (refined from MDM PP) | This SFR supports the objective by requiring the TOE to implement key generation using certain methods or to support invoking this function from its OS platform. | |
FCS_CKM.2 (refined from MDM PP) | This SFR supports the objective by requiring the TOE to implement key establishment using certain methods or to support invoking this function from its OS platform. | |
FCS_COP.1/1 (refined from MDM PP) | This SFR supports the objective by requiring that the TOE implement symmetric encryption and decryption using certain methods or invoke platform functionality that provides this capability. | |
FPT_ITT.1/1 (if applicable, refined from MDM PP) | If the MDM TOE includes a claim of this PP-Module to support protection of communications between distributed TOE components, this SFR supports the objective by requiring the TOE to support the use of IPsec for that interface. | |
FTP_ITC.1/1 (if applicable, refined from MDM PP) | If the MDM TOE includes a claim of this PP-Module to support protection of communications between the TOE and one or more trusted external IT entities, this SFR supports the objective by requiring the TOE to support the use of IPsec for that interface. | |
FTP_TRP.1/1 (if applicable, refined from MDM PP) | If the MDM TOE includes a claim of this PP-Module to support protection of communications between remote administrators and the TOE, this SFR supports the objective by requiring the TOE to support the use of IPsec for that interface. | |
FCS_CKM.1/VPN | This SFR supports the objective by requiring the TOE to generate keys used for IKE using certain methods. | |
FCS_IPSEC_EXT.1 | This SFR supports the objective by requiring the TOE to implement the IPsec protocol in the specified manner. | |
FCS_EAP_EXT.1 (selection-based) | This SFR supports the objective by optionally defining the TOE's implementation of EAP-TLS or EAP-TTLS. | |
O.KNOWN_STATE | FMT_SMF_EXT.1 (refined from MDF PP) | This SFR supports the objective by requiring the portion of the TOE described by the Base-PP to include a management capability for the VPN client. |
FMT_SMF.1/VPN | This SFR supports the objective by requiring the TOE to implement certain administratively-configurable functions. | |
FPT_TST_EXT.1/VPN | This SFR supports the objective by requiring the TOE to execute self-tests that demonstrate that its integrity is maintained. | |
FAU_GEN.1/VPN (optional) | This SFR supports the objective by optionally requiring the TOE to generate audit records of its behavior. | |
FAU_SEL.1/VPN (optional) | This SFR supports the objective by optionally requiring the TOE to allow for the configuration of what behavior is audited. | |
O.NONDISCLOSURE | FCS_CKM_EXT.2 (when GPOS PP is Base-PP) | This SFR supports the objective by requiring the TOE to store sensitive data in the OS’ key storage. |
FCS_CKM_EXT.2 (when App PP is Base-PP) | This SFR supports the objective by requiring the TOE or its platform to store sensitive data in the OS' key storage. | |
FCS_CKM_EXT.4 (when App PP is Base-PP) | This SFR supports the objective by requiring the TOE or its platform to zeroize key data when no longer needed. | |
FDP_RIP.2 | This SFR supports the objective by requiring the TOE or its platform to ensure that residual data is purged from the system. | |
FDP_VPN_EXT.1 (optional) | This SFR supports the objective by optionally requiring the TOE to prohibit split-tunneling so that network traffic cannot be transmitted outside of an established IPsec tunnel. | |
FPF_MFA_EXT.1 (optional) | This SFR supports the objective by optionally requiring the TOE to prohibit transmission of packet data aside from those packets needed to perform multifactor authentication. |
PP-Module Threat, Assumption, OSP | Consistency Rationale |
---|---|
T.UNAUTHORIZED_ACCESS | The threat of an attacker gaining access to a network interface or data that is transmitted over it is consistent with the T.NETWORK_ATTACK and T.NETWORK_EAVESDROP threats in the GPOS PP. |
T.TSF_CONFIGURATION | The threat of a misconfigured VPN client is consistent with the T.NETWORK_ATTACK and T.NETWORK_EAVESDROP threats on the GPOS PP because misconfiguration could allow VPN traffic to be subjected unexpectedly to unauthorized modification or disclosure.. |
T.USER_DATA_REUSE | Inadvertent disclosure of user data to an unauthorized recipient is consistent with the T.NETWORK_EAVESDROP threat in the GPOS PP. |
T.TSF_FAILURE | A failure of TSF functionality could compromise the local system, which is consistent with the T.LOCAL_ATTACK threat in the GPOS PP. |
A.NO_TOE_BYPASS | The A.NO_TOE_BYPASS assumption assumes that the OE is configured in such a manner that the only network route to the protected network is through the TOE. This does not conflict with the GPOS PP because the GPOS PP makes no assumptions about the network architecture in which the TOE is deployed. |
A.PHYSICAL | The assumption that physical security is provided by the environment is not explicitly stated in the GPOS PP but is consistent with the A.PLATFORM assumption defined in the GPOS PP, which expects the computing platform to be trusted. |
A.TRUSTED_CONFIG | The assumption that personnel responsible for the TOE’s configuration are trusted to follow the guidance is consistent with the A.PROPER_ADMIN defined in the GPOS PP. |
The security objectives defined by this PP-Module (see sections 4.1 and 4.2) supplement those defined in the GPOS PP as follows: The objectives for the TOEs are consistent with the VPN Clients PP based on the following rationale:
PP-Module TOE Objective | Consistency Rationale |
---|---|
O.AUTHENTICATION | This objective is consistent with the O.PROTECTED_COMMS objective of the GPOS PP, which also expects that trusted remote channels will enforce authentication of remote endpoints. |
O.CRYPTOGRAPHIC_FUNCTIONS | This objective is consistent with the O.PROTECTED_COMMS objective of the GPOS PP, which also expects that secure cryptographic functions are used to implement trusted communications. |
O.KNOWN_STATE | This objective is consistent with the O.INTEGRITY objective of the GPOS PP, which expects a conformant TOE to implement measures to maintain its own integrity. |
O.NONDISCLOSURE | This objective is consistent with the O.PROTECTED_STORAGE objective of the GPOS PP, which ensures that sensitive data is not disclosed without authorization. |
The objectives for the TOE's OE are consistent with the VPN Clients PP based on the following rationale:
PP-Module OE Objective | Consistency Rationale |
---|---|
OE.NO_TOE_BYPASS | This objective addresses behavior that is out of scope of the GPOS PP and does not define an environment that a GPOS TOE is incapable of existing in. |
OE.PHYSICAL | This is part of satisfying OE.PLATFORM as defined in the GPOS PP because physical security is required for hardware to be considered ‘trusted’ |
OE.TRUSTED_CONFIG | The expectation of trusted configuration is consistent with OE.PROPER_USER and OE.PROPER_ADMIN in the GPOS PP. |
PP-Module Requirement | Consistency Rationale |
---|---|
Modified SFRs | |
FCS_CKM.1 | The ST author is instructed to make specific selections at minimum to address VPN client requirements; the SFR behavior itself is unmodified. |
FCS_CKM.2 | The ST author is instructed to make specific selections at minimum to address VPN client requirements; the SFR behavior itself is unmodified |
FCS_COP.1/1 | The SFR is refined to list an additional AES mode that must be supported to address VPN client requirements; the use of this mode for VPN connectivity does not impact the ability of the GPOS to satisfy any of its other security requirements. |
Additional SFRs | |
FCS_CKM_EXT.2 | Storage of key data related to VPN functionality can be accomplished using the same mechanism defined by FCS_STO_EXT.1 in the GPOS PP. |
FIA_X509_EXT.3 | This SFR defines additional uses for X.509 certificate functionality that do not conflict with those defined in the GPOS PP. |
FTP_ITC.1 | This SFR defines a trusted channel for IPsec, which is added functionality that does not prevent the existing GPOS functions from being performed. |
Mandatory SFRs | |
FCS_CKM.1/VPN | Generation of IKE peer authentication keys is added functionality that does not prevent the existing GPOS functions from being performed. |
FCS_IPSEC_EXT.1 | This SFR defines the VPN client’s IPsec implementation, which is added functionality that does not interfere with the GPOS functions. |
FDP_RIP.2 | The requirement to protect against re-use of residual data is a property of the VPN client behavior and does not impact the GPOS functionality. |
FMT_SMF.1/VPN | The ability to configure the VPN client behavior does not affect whether the GPOS as a whole can perform its security functions. |
FPT_TST_EXT.1/VPN | Self-testing of the VPN client functionality does not impact the ability of the GPOS to perform its security functions. |
Optional SFRs | |
FIA_BMA_EXT.1 | This SFR relates to biometric authentication, which does not conflict with the GPOS PP because it may be a function offered by the part of the TOE described by the GPOS PP. |
FPF_MFA_EXT.1 | This SFR relates specifically to the handling of traffic that is used for the establishment of IPsec connections. |
Objective SFRs | |
FAU_GEN.1/VPN | Audit records generated by the VPN client do not interfere with GPOS functionality. The possibility of the underlying OS platform generating audit records is consistent with the GPOS PP, which already contains FAU_GEN.1. |
FAU_SEL.1/VPN | The ability to suppress the generation of certain audit records related to VPN activity does not interfere with the ability of the GPOS to satisfy its security functionality. |
Implementation-based SFRs | |
FDP_VPN_EXT.1 | The ability of the VPN client to prevent split tunneling of IPsec traffic requires it to have hooks into lower-level OS behavior, but there are no requirements in the GPOS PP that would prevent this functionality from being supported. |
Selection-based SFRs | |
FCS_EAP_EXT.1 | This SFR defines an additional cryptographic protocol that is beyond the scope of those defined in the GPOS PP but does not prevent any GPOS PP functionality from being implemented. |
FIA_HOTP_EXT.1 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.1 | This SFR defines the use of pre-shared keys, which is behavior that only relates to the establishment of IPsec connections. |
FIA_PSK_EXT.2 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.3 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.4 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.5 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_TOTP_EXT.1 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
PP-Module Threat, Assumption, OSP | Consistency Rationale |
---|---|
T.UNAUTHORIZED_ACCESS | The threat of an attacker gaining access to a network interface or data that is transmitted over it is consistent with the T.NETWORK and T.EAVESDROP threats in the MDF PP. |
T.TSF_CONFIGURATION | The threat of a misconfigured VPN client is consistent with the T.NETWORK and T.EAVESDROP threats in the MDF PP because failure to mitigate against misconfiguration makes these threats more significant. |
T.USER_DATA_REUSE | Inadvertent disclosure of user data to an unauthorized recipient is consistent with the T.EAVESDROP threat in the MDF PP. |
T.TSF_FAILURE | A failure of TSF functionality could compromise the local system, which is consistent with the T.FLAWAPP threat in the MDF PP. |
A.NO_TOE_BYPASS | The A.NO_TOE_BYPASS assumption assumes that the OE is configured in such a manner that the only network route to the protected network is through the TOE. This does not conflict with the MDF PP because the MDF PP makes no assumptions about the network architecture in which the TOE is deployed. |
A.PHYSICAL | The MDF PP includes the A.NOTIFY and A.PRECAUTION assumptions to mitigate the risk of physical theft of the TOE. This is consistent with the A.PHYSICAL assumption in this PP-Module because the MDF PP includes reasonable assumptions about the physical security of the TOE. |
A.TRUSTED_CONFIG | This assumption is consistent with the MDF PP because the MDF PP includes the A.CONFIG assumption which assumes that all security functions are appropriately configured. |
The security objectives defined by this PP-Module (see sections 4.1 and 4.2) supplement those defined in the MDF PP as follows: The objectives for the TOEs are consistent with the VPN Clients PP based on the following rationale:
PP-Module TOE Objective | Consistency Rationale |
---|---|
O.AUTHENTICATION | This objective is consistent with the O.AUTH objective of the MDF PP, which also expects that trusted remote channels will enforce authentication of remote endpoints. |
O.CRYPTOGRAPHIC_FUNCTIONS | This objective is consistent with the O.COMMS objective of the MDF PP, which also expects that secure cryptographic functions are used to implement trusted communications. |
O.KNOWN_STATE | This objective is consistent with the O.INTEGRITY objective of the MDF PP, which expects a conformant TOE to implement measures to maintain its own integrity. |
O.NONDISCLOSURE | This objective is consistent with the O.STORAGE objective of the MDF PP, which ensures that sensitive data is not disclosed without authorization. |
The objectives for the TOE's OE are consistent with the VPN Clients PP based on the following rationale:
PP-Module OE Objective | Consistency Rationale |
---|---|
OE.NO_TOE_BYPASS | This objective addresses behavior that is out of scope of the MDF PP and does not define an environment that an MDF TOE is incapable of existing in. |
OE.PHYSICAL | The operational environment of a mobile device cannot guarantee physical security, but the OE.PRECAUTION objective in the MDF PP ensures that an appropriate level of physical security is provided. |
OE.TRUSTED_CONFIG | The expectation of trusted configuration is consistent with OE.CONFIG in the MDF PP. |
PP-Module Requirement | Consistency Rationale |
---|---|
Modified SFRs | |
FCS_CKM.1 | The ST author is instructed to make specific selections at minimum to address VPN client requirements; the SFR behavior itself is unmodified. |
FCS_CKM.2/UNLOCKED | The ST author is instructed to make specific selections at minimum to address VPN client requirements; the SFR behavior itself is unmodified. |
FCS_COP.1/ENCRYPT | The ST author is instructed to make specific selections at minimum to address VPN client requirements; the SFR behavior itself is unmodified. |
FDP_IFC_EXT.1 | The ST author is instructed to make specific selections at minimum to address VPN client requirements; the SFR behavior itself is unmodified. |
FIA_X509_EXT.2 | This PP-Module adds IPsec as a new trusted protocol where x.509 certificate authentication is used. |
FMT_SMF_EXT.1 | This PP-Module modifies management function 45 regarding Always-on VPN protection. |
FTP_ITC_EXT.1 | This PP-Module adds IPsec as a new protocol that is used to implement trusted channels. |
Additional SFRs | |
This PP-Module does not add any requirements when the VPN Clients PP is the base. | |
Mandatory SFRs | |
FCS_CKM.1/VPN | This SFR defines the method of key generation for IKE peer authentication, which is a function that does not interfere with the functionality defined in the MDF PP. |
FCS_IPSEC_EXT.1 | This SFR defines the VPN client’s IPsec implementation, which is added functionality that does not interfere with the MDF functions. |
FDP_RIP.2 | The requirement to protect against re-use of residual data is a property of the VPN client behavior and does not impact the MDF functionality. |
FMT_SMF.1/VPN | The ability to configure the VPN client behavior does not affect whether the MDF as a whole can perform its security functions. |
FPT_TST_EXT.1/VPN | Self-testing of the VPN client functionality does not impact the ability of the MDF to perform its security functions |
Optional SFRs | |
FIA_BMA_EXT.1 | This SFR relates to biometric authentication, which does not conflict with the MDF PP because it may be a function offered by the part of the TOE described by the MDF PP. |
FPF_MFA_EXT.1 | This SFR relates specifically to the handling of traffic that is used for the establishment of IPsec connections. |
Objective SFRs | |
FAU_GEN.1/VPN | Audit records generated by the VPN client do not interfere with MDF functionality. The possibility of the underlying MDF platform generating audit records is consistent with the MDF PP, which already contains FAU_GEN.1. |
FAU_SEL.1/VPN | The ability to suppress the generation of certain VPN client audit records does not interfere with MDM functionality. The MDF PP already contains FAU_SEL.1 as an objective SFR which means that this functionality does not conflict with the expected behavior of a mobile device. |
Implementation-based SFRs | |
FDP_VPN_EXT.1 | The ability of the VPN client to prevent split tunneling of IPsec traffic requires it to have hooks into lower-level mobile device behavior, but there are no requirements in the MDF PP that would prevent this functionality from being supported. |
Selection-based SFRs | |
FCS_EAP_EXT.1 | This SFR defines an additional cryptographic protocol that is beyond the scope of those defined in the MDF PP but does not prevent any MDF PP functionality from being implemented. |
FIA_HOTP_EXT.1 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.1 | This SFR defines the use of pre-shared keys, which is behavior that only relates to the establishment of IPsec connections. |
FIA_PSK_EXT.2 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.3 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.4 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.5 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_TOTP_EXT.1 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
PP-Module Threat, Assumption, OSP | Consistency Rationale |
---|---|
T.UNAUTHORIZED_ACCESS | The threat of an attacker gaining access to a network interface or data that is transmitted over it is consistent with the T.NETWORK_ATTACK and T.NETWORK_EAVESDROP threats in the App PP. |
T.TSF_CONFIGURATION | The threat of a misconfigured VPN client is consistent with the T.LOCAL_ATTACK threat in the App PP. |
T.USER_DATA_REUSE | Inadvertent disclosure of user data to an unauthorized recipient is consistent with the T.NETWORK_EAVESDROP threat in the App PP. |
T.TSF_FAILURE | A failure of TSF functionality could compromise the local system, which is consistent with the T.LOCAL_ATTACK threat in the App PP. |
A.NO_TOE_BYPASS | The A.NO_TOE_BYPASS assumption assumes that the OE is configured in such a manner that the only network route to the protected network is through the TOE. This does not conflict with the App PP because the App PP makes no assumptions about the network architecture in which the TOE is deployed. |
A.PHYSICAL | The assumption that physical security is provided by the environment is not explicitly stated in the App PP but is consistent with the A.PLATFORM assumption defined in the App PP, which expects the computing platform to be trusted. |
A.TRUSTED_CONFIG | The assumption that personnel responsible for the TOE’s configuration are trusted to follow the guidance is consistent with the A.PROPER_ADMIN defined in the App PP. |
The security objectives defined by this PP-Module (see sections 4.1 and 4.2) supplement those defined in the App PP as follows: The objectives for the TOEs are consistent with the App PP based on the following rationale:
PP-Module TOE Objective | Consistency Rationale |
---|---|
O.AUTHENTICATION | This objective is consistent with the O.PROTECTED_COMMS objective of the App PP, which also expects that trusted remote channels will enforce authentication of remote endpoints. |
O.CRYPTOGRAPHIC_FUNCTIONS | This objective is consistent with the O.PROTECTED_COMMS objective of the App PP, which also expects that secure cryptographic functions are used to implement trusted communications. |
O.KNOWN_STATE | This objective is consistent with the O.INTEGRITY objective of the App PP, which expects a conformant TOE to implement measures to maintain its own integrity. |
O.NONDISCLOSURE | This objective is consistent with the O.PROTECTED_STORAGE objective of the App PP, which ensures that sensitive data is not disclosed without authorization. |
The objectives for the TOE's OE are consistent with the App PP based on the following rationale:
PP-Module OE Objective | Consistency Rationale |
---|---|
OE.NO_TOE_BYPASS | This objective addresses behavior that is out of scope of the App PP and does not define an environment that is globally applicable to all software applications. |
OE.PHYSICAL | This is part of satisfying OE.PLATFORM as defined in the App PP because physical security is required for the underlying platform to be considered ‘trustworthy’. |
OE.TRUSTED_CONFIG | The expectation of trusted configuration is consistent with OE.PROPER_USER and OE.PROPER_ADMIN in the App PP. |
PP-Module Requirement | Consistency Rationale |
---|---|
Modified SFRs | |
FCS_CKM.1/AK | The ST author is instructed to make specific selections at minimum to address VPN client requirements; the SFR behavior itself is unmodified. Additionally, this behavior is selection-based in the App PP but is made mandatory since it is required for VPN client functionality. |
FCS_CKM.2 | The ST author is instructed to make specific selections at minimum to address VPN client requirements and is modified to include Diffie-Hellman Group 14 as an additional supported method for key establishment. |
FCS_CKM.1 | The ST author is instructed to make specific selections at minimum to address VPN client requirements; specifically, since key generation services are required in some capacity in order to support VPN functionality, the ST author loses the choice of stating that the application does not have any key generation functionality. Additionally, this behavior is selection-based in the App PP but is made mandatory since it is required for VPN client functionality |
FCS_COP.1/SKC | The ST author is given guidance to make specific selections if this selection-based SFR is claimed in support of IPsec functionality. The SFR behavior itself is unmodified. |
FIA_X509_EXT.2 | This PP-Module adds IPsec as a new trusted protocol where x.509 certificate authentication is used. |
FTP_DIT_EXT.1 | This PP-Module is for the VPN Client application and does not maintain any sensitive data of its own. Therefore, there is no need to protect (through FTP_DIT_EXT.1.1) VPN-client-specific data. |
Additional SFRs | |
FCS_CKM_EXT.2 | This PP-Module adds a requirement for key storage, which is new functionality when compared to the App PP but does not interfere with its existing security functions. |
FCS_CKM_EXT.4 | This PP-Module adds a requirement for key destruction, which is new functionality when compared to the App PP but does not interfere with its existing security functions. |
Mandatory SFRs | |
FCS_CKM.1/VPN | This SFR defines the method of key generation for IKE peer authentication, which is a function that does not interfere with the functionality defined in the App PP. |
FCS_IPSEC_EXT.1 | This SFR defines the VPN client’s IPsec implementation, which is added functionality that does not interfere with the application functions. |
FDP_RIP.2 | The requirement to protect against re-use of residual data is a property of the VPN client behavior and does not impact the general application functionality. |
FMT_SMF.1/VPN | The ability to configure the VPN client behavior does not affect whether the application as a whole can perform its security functions. |
FPT_TST_EXT.1/VPN | Self-testing of the VPN client functionality does not impact the ability of the application to perform its security functions |
Optional SFRs | |
FIA_BMA_EXT.1 | This SFR relates to biometric authentication, which does not conflict with the App PP because it may be a function offered by the OE in which a TOE defined by the App PP is deployed. |
FPF_MFA_EXT.1 | This SFR relates specifically to the handling of traffic that is used for the establishment of IPsec connections. |
Objective SFRs | |
FAU_GEN.1/VPN | Audit records generated by the VPN client do not interfere with application functionality. For cases where auditing is performed by the TOE platform, a software application is installed on a general-purpose OS or mobile device, both of which can reasonably be expected to provide audit functionality. |
FAU_SEL.1/VPN | The ability to suppress the generation of certain audit records related to VPN activity does not interfere with the ability of the application to satisfy its security functionality. |
Implementation-based SFRs | |
FDP_VPN_EXT.1 | The ability of the VPN client to prevent split tunneling of IPsec traffic requires it to have hooks into lower-level OS behavior, but there are no requirements in the App PP that would prevent this functionality from being supported. |
Selection-based SFRs | |
FCS_EAP_EXT.1 | This SFR defines an additional cryptographic protocol that is beyond the scope of those defined in the App PP but does not prevent any App PP functionality from being implemented. |
FIA_HOTP_EXT.1 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.1 | This SFR defines the use of pre-shared keys, which is behavior that only relates to the establishment of IPsec connections. |
FIA_PSK_EXT.2 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.3 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.4 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.5 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_TOTP_EXT.1 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
PP-Module Threat, Assumption, OSP | Consistency Rationale |
---|---|
T.UNAUTHORIZED_ACCESS | The threat of an attacker gaining access to a network interface or data that is transmitted over it is consistent with the T.NETWORK_ATTACK and T.NETWORK_EAVESDROP threats in the MDM PP. |
T.TSF_CONFIGURATION | The threat of a misconfigured VPN client is consistent with the T.NETWORK_ATTACK and T.NETWORK_EAVESDROP threats in the MDM PP because failure to mitigate against misconfiguration makes these threats more significant. |
T.USER_DATA_REUSE | Inadvertent disclosure of user data to an unauthorized recipient is consistent with the T.NETWORK_EAVESDROP threat in the MDM PP |
T.TSF_FAILURE | A failure of TSF functionality could compromise the implementation of the IPsec channel, which would lead to an exploitation of the T.NETWORK_ATTACK threat. |
A.NO_TOE_BYPASS | The A.NO_TOE_BYPASS assumption assumes that the OE is configured in such a manner that the only network route to the protected network is through the TOE. This does not conflict with the MDM PP because the MDM PP makes no assumptions about the network architecture in which the TOE is deployed. |
A.PHYSICAL | The assumption that physical security is provided by the environment is not explicitly stated in the MDM PP but is consistent with the A.MDM_SERVER_PLATFORM assumption defined in the MDM PP, which expects the computing platform to be trusted. |
A.TRUSTED_CONFIG | The assumption that personnel responsible for the TOE’s configuration are trusted to follow the guidance is consistent with the A.PROPER_ADMIN defined in the MDM PP. |
The security objectives defined by this PP-Module (see sections 4.1 and 4.2) supplement those defined in the MDM PP as follows: The objectives for the TOEs are consistent with the MDM PP based on the following rationale:
PP-Module TOE Objective | Consistency Rationale |
---|---|
O.AUTHENTICATION | This objective is consistent with the O.DATA_PROTECTION_TRANSIT objective of the MDM PP, which also expects that trusted remote channels will enforce authentication of remote endpoints. |
O.CRYPTOGRAPHIC_FUNCTIONS | This objective is consistent with the O.DATA_PROTECTION_TRANSIT objective of the MDM PP, which also expects that secure cryptographic functions are used to implement trusted communications. |
O.KNOWN_STATE | This objective is consistent with the O.INTEGRITY objective of the MDM PP, which expects a conformant TOE to implement measures to maintain its own integrity. |
O.NONDISCLOSURE | There are no objectives in the MDM PP that directly relate to this objective, but it could be considered to support both the O.ACCOUNTABILITY and O.MANAGEMENT objectives in the MDM PP by ensuring that stored data cannot be modified through unauthorized mechanisms that may allow for access control and logging functions to be bypassed. |
The objectives for the TOE's OE are consistent with the MDM PP based on the following rationale:
PP-Module OE Objective | Consistency Rationale |
---|---|
OE.NO_TOE_BYPASS | This objective addresses behavior that is out of scope of the MDM PP and does not define an environment that an MDM TOE is incapable of existing in. |
OE.PHYSICAL | This is part of satisfying OE.IT_ENTERPRISE as defined in the MDM PP because provisioning of physical security is a reasonable expectation for an IT enterprise. |
OE.TRUSTED_CONFIG | The expectation of trusted configuration is consistent with OE.PROPER_USER and OE.PROPER_ADMIN in the MDM PP. |
PP-Module Requirement | Consistency Rationale |
---|---|
Modified SFRs | |
FCS_CKM.1 | The ST author is instructed to make specific selections at minimum to address VPN client requirements; the SFR behavior itself is unmodified |
FCS_CKM.2 | The ST author is instructed to make specific selections at minimum to address VPN client requirements; the SFR behavior itself is unmodified. |
FCS_COP.1/1 | The ST author is instructed to make specific selections at minimum to address VPN client requirements; the SFR behavior itself is unmodified |
FIA_X509_EXT.2 | The ST author is instructed to make specific selections at minimum to address VPN client requirements; the SFR behavior itself is unmodified. |
FPT_ITT.1/1 | When this SFR relates to the PP-Module’s functionality, the ST author is instructed to make specific selections to implement this behavior using the VPN client. This is done by forcing the ST author to make specific selections that are already present in the MDM PP definition of the SFR; no new behavior is introduced by this. |
FTP_ITC.1/1 | When this SFR relates to the PP-Module’s functionality, the ST author is instructed to make specific selections to implement this behavior using the VPN client at minimum. This is done by forcing the ST author to make a specific selection that is already present in the MDM PP definition of the SFR and by removing a selection option; no new behavior is introduced by this. |
FTP_TRP.1/1 | When this SFR relates to the PP-Module’s functionality, the ST author is instructed to make specific selections to implement this behavior using the VPN client at minimum. This is done by forcing the ST author to make a specific selection that is already present in the MDM PP definition of the SFR and by removing a selection option; no new behavior is introduced by this. |
Additional SFRs | |
This PP-Module does not add any requirements when the MDM PP is the base. | |
Mandatory SFRs | |
FCS_CKM.1/VPN | This SFR defines the method of key generation for IKE peer authentication, which is a function that does not interfere with the functionality defined in the MDM PP |
FCS_IPSEC_EXT.1 | This SFR defines the VPN client’s IPsec implementation, which is added functionality that does not interfere with the MDM functions. |
FDP_RIP.2 | The requirement to protect against re-use of residual data is a property of the VPN client behavior and does not impact the MDM functionality. |
FMT_SMF.1/VPN | The ability to configure the VPN client behavior does not affect whether the MDM as a whole can perform its security functions. |
FPT_TST_EXT.1/VPN | Self-testing of the VPN client functionality does not impact the ability of the MDM to perform its security functions. |
Optional SFRs | |
FIA_BMA_EXT.1 | This SFR relates to biometric authentication, which does not conflict with the MDM PP because it may be a function offered by the part of the TOE described by the MDM PP. |
FPF_MFA_EXT.1 | This SFR relates specifically to the handling of traffic that is used for the establishment of IPsec connections. |
Objective SFRs | |
FAU_GEN.1/VPN | Audit records generated by the VPN client do not interfere with MDM functionality. The possibility of the MDM as a whole generating audit records is consistent with the MDM PP, which already contains FAU_GEN.1 |
FAU_SEL.1/VPN | The ability to suppress the generation of certain VPN client audit records does not interfere with MDM functionality. The MDM PP already contains FAU_SEL.1 as an optional SFR which means that this functionality does not conflict with the expected behavior of an MDM. |
Implementation-based SFRs | |
FDP_VPN_EXT.1 | The ability of the VPN client to prevent split tunneling of IPsec traffic requires it to have hooks into lower-level OS behavior, but there are no requirements in the MDM PP that would prevent this functionality from being supported. |
Selection-based SFRs | |
FCS_EAP_EXT.1 | This SFR defines an additional cryptographic protocol that is beyond the scope of those defined in the MDM PP but does not prevent any MDM PP functionality from being implemented. |
FIA_HOTP_EXT.1 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.1 | This SFR defines the use of pre-shared keys, which is behavior that only relates to the establishment of IPsec connections. |
FIA_PSK_EXT.2 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.3 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.4 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_PSK_EXT.5 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
FIA_TOTP_EXT.1 | This SFR relates to use of pre-shared keys, which is behavior that only applies to the establishment of IPsec connections. |
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FIA_BMA_EXT.1 | ||
No events specified | N/A | |
FPF_MFA_EXT.1 | ||
No events specified | N/A |
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FAU_GEN.1/VPN | ||
No events specified | N/A | |
FAU_SEL.1/VPN | ||
All modifications to the audit configuration that occur while the audit collection functions are operating. | No additional information. |
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FDP_VPN_EXT.1 | ||
No events specified | N/A |
Requirement | Auditable Events | Additional Audit Record Contents |
---|---|---|
FCS_EAP_EXT.1 | ||
No events specified | N/A | |
FIA_HOTP_EXT.1 | ||
No events specified | N/A | |
FIA_PSK_EXT.1 | ||
No events specified | N/A | |
FIA_PSK_EXT.2 | ||
No events specified | N/A | |
FIA_PSK_EXT.3 | ||
No events specified | N/A | |
FIA_PSK_EXT.4 | ||
No events specified | N/A | |
FIA_PSK_EXT.5 | ||
No events specified | N/A | |
FIA_TOTP_EXT.1 | ||
No events specified | N/A |
Functional Class | Functional Components |
---|---|
Cryptographic Support (FCS) | FCS_CKM_EXT Cryptographic Key Management FCS_EAP_EXT EAP-TLS FCS_IPSEC_EXT IPsec |
Identification and Authentication (FIA) | FIA_BMA_EXT Biometric Activation FIA_HOTP_EXT HMAC-Based One-Time Password Pre-Shared Keys FIA_PSK_EXT Pre-Shared Key Composition FIA_TOTP_EXT Time-Based One-Time Password Pre-Shared Keys FIA_X509_EXT X.509 Certificate Use and Management |
Packet Filtering (FPF) | FPF_MFA_EXT Multifactor Authentication Filtering |
Protection of the TSF (FPT) | FPT_TST_EXT TSF Self-Test |
User Data Protection (FDP) | FDP_VPN_EXT Subset Information Flow Control |
FCS_CKM_EXT.2, Cryptographic Key Storage, requires the TSF to securely store key data when not in use.
FCS_CKM_EXT.4, Cryptographic Key Destruction, requires the TSF to destroy key data when no longer required.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: No dependencies.
No specific management functions are identified.
There are no auditable events foreseen.
FCS_IPSEC_EXT.1, IPsec, requires the TSF to securely implement the IPsec protocol.
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to:
FCS_CKM.1 Cryptographic Key Generation
FCS_CKM.2 Cryptographic Key Distribution
FCS_COP.1 Cryptographic Operation
FCS_EAP_EXT.1, EAP-TLS, defines the use of EAP-TLS.
No specific management functions are identified.
No specific audit functions are identified.
Hierarchical to: No other components.
Dependencies to: FCS_IPSEC_EXT.1 IPsec
FIA_X509_EXT.3, X.509 Certificate Use and Management, requires the TOE to perform X.509 certificate authentication and describes the behavior that is followed if the status of the certificate is unknown or invalid.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FIA_X509_EXT.1 X.509 Certificate Validation
FPT_TST_EXT.1 TSF Self-Test
FPT_TUD_EXT.1 Trusted Update
FIA_BMA_EXT.1, Biometric Activation, defines the use of biometrics when using the VPN client.
No specific management functions are identified.
No specific audit functions are identified.
FIA_HOTP_EXT.1, HMAC-Based One-Time Password Pre-Shared Keys, defines the implementation of HOTP.
No specific management functions are identified.
No specific audit functions are identified.
Hierarchical to: No other components.
Dependencies to: FIA_PSK_EXT.4 HMAC-Based One-Time Password Pre-shared Keys Support
FIA_PSK_EXT.1, Pre-Shared Key Composition, defines the use and composition of pre-shared keys used for IPsec.
FIA_PSK_EXT.2, Generated Pre-Shared Keys, defines the use and composition of generated pre-shared keys used for IPsec.
FIA_PSK_EXT.3, Password-Based Pre-Shared Keys, defines the use and composition of password-based pre-shared keys used for IPsec.
FIA_PSK_EXT.4, HMAC-Based One-Time Password Pre-shared Keys Support, defines the use and composition of HOTP pre-shared keys used for IPsec.
FIA_PSK_EXT.5, Time-Based One-Time Password Pre-shared Keys Support, defines the use and composition of TOTP pre-shared keys used for IPsec.
No specific management functions are identified.
No specific audit functions are identified.
Hierarchical to: No other components.
Dependencies to: FCS_IPSEC_EXT.1 IPsec
No specific management functions are identified.
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FIA_PSK_EXT.1
No specific management functions are identified.
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FIA_PSK_EXT.1
No specific management functions are identified.
No specific audit functions are identified.
Hierarchical to: No other components.
Dependencies to: FIA_PSK_EXT.1
No specific management functions are identified.
No specific audit functions are identified.
Hierarchical to: No other components.
Dependencies to: FIA_PSK_EXT.1
FIA_TOTP_EXT.1, Time-Based One-Time Password Pre-Shared Keys, defines the implementation of TOTP.
No specific management functions are identified.
No specific audit functions are identified.
Hierarchical to: No other components.
Dependencies to: FIA_PSK_EXT.5 Time-Based One-Time Password Pre-shared Keys Support
FPF_MFA_EXT.1, Multifactor Authentication Filtering, defines the use and composition of multifactor authentication filtering.
No specific management functions are identified.
No specific audit functions are identified.
FPT_TST_EXT.1/VPN, TSF Self-Test, requires the TOE to perform power on self-tests to verify its functionality and the integrity of its stored executable code.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: No dependencies.
FDP_VPN_EXT.1, Split Tunnel Prevention, requires the TSF to process all IP traffic through its VPN client functionality.
No specific management functions are identified.
There are no auditable events foreseen.
This appendix lists requirements that should be considered satisfied by products successfully evaluated against this PP-Module. These requirements are not featured explicitly as SFRs and should not be included in the ST. They are not included as standalone SFRs because it would increase the time, cost, and complexity of evaluation. This approach is permitted by [CC] Part 1, 8.2 Dependencies between components.
This information benefits systems engineering activities which call for inclusion of particular security controls. Evaluation against the PP-Module provides evidence that these controls are present and have been evaluated.
Table 9: Implicitly Satisfied RequirementsRequirement | Rationale for Satisfaction |
FCS_CKM.2 – Cryptographic Key Distribution, or FCS_COP.1 – Cryptographic Operation | FCS_CKM.1 (which is defined in this PP-Module as FCS_CKM.1/VPN) requires one of FCS_CKM.2 or FCS_COP.1 to be claimed so that the generated keys can serve some security-relevant purpose. Each of the Base-PPs for this PP-Module define an iteration of FCS_COP.1 for symmetric cryptography that is expected to use the IKE keys generated by FCS_CKM.1/VPN. Therefore, this dependency is satisfied through requirements defined in the Base-PPs. |
FCS_CKM.4 – Cryptographic Key Destruction |
FCS_CKM.1 (which is defined in this PP-Module as
FCS_CKM.1/VPN) requires FCS_CKM.4 to be claimed so that
the generated keys are not disclosed through improper or
nonexistent key destruction methods. Each of the supported Base-PPs except for the App PP define FCS_CKM_EXT.4 as an extended SFR, which defines key destruction functionality consistent with FCS_CKM.4, but with additional details that are specific to the respective technology types of the Base-PP. When the App PP is the Base-PP, this PP-Module defines its own instance of FCS_CKM_EXT.4 to achieve the same purpose. The dependency on FCS_CKM.4 is considered to be satisfied through the fact that a compliant TOE will always claim FCS_CKM_EXT.4, which is intended to satisfy the same purpose. |
FCS_COP.1 – Cryptographic Operation | FCS_IPSEC_EXT.1 has a dependency on FCS_COP.1 because of the cryptographic operations that are needed in support of implementing the IPsec protocol. FCS_COP.1 is not defined in this PP-Module because each of the supported Base-PPs define iterations of FCS_COP.1 that support the functions that are relevant to IPsec. |
FMT_MTD.1 – Management of TSF Data |
FAU_SEL.1/VPN has a dependency on FMT_MTD.1 to enforce
appropriate access controls on the audit configuration, as this
is TSF data. This SFR is not explicitly defined in any of the
supported Base-PPs but the dependency is implicitly
addressed by each Base-PP in the following manner:
|
FPT_STM.1 – Reliable Time Stamps |
FAU_GEN.1/VPN has a dependency on FPT_STM.1 because
audit records are required to have timestamps that are based
on reliable clock data. All of the supported Base-PPs either
define this requirement explicitly or provide rationale for why
the reader should expect that a reliable clock service should
be present. Depending on the claimed Base-PP, the
dependency is satisfied in the following manner:
|
FPT_STM.1 – Reliable Time Stamps | FAU_GEN.1 has a dependency on FPT_STM.1. While not explicitly stated in the PP, it is assumed that this will be provided by the underlying hardware platform on which the TOE is installed. This is because the TOE is installed as a software or firmware product that runs on general-purpose computing hardware so a hardware clock is assumed to be available. |
FPT_STM.1 – Reliable Time Stamps | FIA_X509_EXT.1 has a dependency on FPT_STM.1. While not explicitly stated in the PP, it is assumed that this will be provided by the underlying hardware platform on which the TOE is installed. This is because the TOE is installed as a software or firmware product that runs on general-purpose computing hardware so a hardware clock is assumed to be available. |
Acronym | Meaning |
---|---|
AES | Advanced Encryption Standard |
Base-PP | Base Protection Profile |
CC | Common Criteria |
CEM | Common Evaluation Methodology |
cPP | Collaborative Protection Profile |
CRL | Certificate Revocation List |
CSP | Critical Security Parameter |
DH | Diffie-Hellman |
DN | Distinguished Name |
DSS | Digital Signature Standard |
ECC | Elliptic Curve Cryptography |
EP | Extended Package |
ESP | Encapsulating Security Protocol |
EUD | End-User Device |
FFC | Finite Field Cryptography |
FIPS | Federal Information Processing Standards |
FP | Functional Package |
FQDN | Fully Qualified Domain Name |
IKE | Internet Key Exchange |
IP | Internet Protocol |
IT | Information Technology |
MD | Mobile Device (Fundamentals) |
NAT | Network Address Translation |
NIST | National Institute of Standards and Technology |
OCSP | Online Certificate Status Protocol |
OE | Operational Environment |
OS | (General Purpose) Operating System |
OSP | Organizational Security Policy |
PP | Protection Profile |
PP-Configuration | Protection Profile Configuration |
PP-Module | Protection Profile Module |
PUB | Publication |
RBG | Random Bit Generation |
RFC | Request For Comment |
SA | Security Association |
SAR | Security Assurance Requirement |
SD | Supporting Document |
SFR | Security Functional Requirement |
SHA | Secure Hash Algorithm |
SPD | Security Policy Database |
ST | Security Target |
TOE | Target of Evaluation |
TSF | TOE Security Functionality |
TSFI | TSF Interface |
TSS | TOE Summary Specification |
VPN | Virtual Private Network |
Identifier | Title |
---|---|
[CC] | Common Criteria for Information Technology Security Evaluation -
|
[App PP] | Protection Profile for Application Software, Version 1.4, October 2021 |
[GPOS PP] | Protection Profile for General Purpose Operating Systems, Version 4.2.1, April 2019 |
[MD PP] | Protection Profile for Mobile Device Fundamentals, Version 3.1, June 2017 |
[MDM PP] | Protection Profile for Mobile Device Management, Version 4.0, April 2019 |
[SD] | Supporting Document Mandatory Technical Document, PP-Module for Virtual Private Network (VPN) Clients, Version 2.1, November 2019 |