Version: 1.0
2022-12-05
National Information Assurance Partnership
| Version | Date | Comment |
|---|---|---|
| 1.0 | 2022-12-05 | Initial Release |
Assurance | Grounds for confidence that a TOE meets the SFRs [CC]. |
Base Protection Profile (Base-PP) | Protection Profile used as a basis to build a PP-Configuration. |
Collaborative Protection Profile (cPP) | A Protection Profile developed by international technical communities and approved by multiple schemes. |
Common Criteria (CC) | Common Criteria for Information Technology Security Evaluation (International Standard ISO/IEC 15408). |
Common Criteria Testing Laboratory | Within the context of the Common Criteria Evaluation and Validation Scheme (CCEVS), an IT security evaluation facility accredited by the National Voluntary Laboratory Accreditation Program (NVLAP) and approved by the NIAP Validation Body to conduct Common Criteria-based evaluations. |
Common Evaluation Methodology (CEM) | Common Evaluation Methodology for Information Technology Security Evaluation. |
Distributed TOE | A TOE composed of multiple components operating as a logical whole. |
Operational Environment (OE) | Hardware and software that are outside the TOE boundary that support the TOE functionality and security policy. |
Protection Profile (PP) | An implementation-independent set of security requirements for a category of products. |
Protection Profile Configuration (PP-Configuration) | A comprehensive set of security requirements for a product type that consists of at least one Base-PP and at least one PP-Module. |
Protection Profile Module (PP-Module) | An implementation-independent statement of security needs for a TOE type complementary to one or more Base-PPs. |
Security Assurance Requirement (SAR) | A requirement to assure the security of the TOE. |
Security Functional Requirement (SFR) | A requirement for security enforcement by the TOE. |
Security Target (ST) | A set of implementation-dependent security requirements for a specific product. |
Target of Evaluation (TOE) | The product under evaluation. |
TOE Security Functionality (TSF) | The security functionality of the product under evaluation. |
TOE Summary Specification (TSS) | A description of how a TOE satisfies the SFRs in an ST. |
Enterprise Session Controller (ESC) | A voice/video over IP (VVoIP) infrastructure device that is used to set up and tear down calls between VVoIP endpoints. |
H.323 | A communications protocol defined by the ITU Telecommunications Standardization Sector (ITU-T) that is used for creating, modifying, and terminating multimedia sessions with multiple participants. |
Media Gateway Control Protocol (MGCP) | A means of communication between a media gateway and a media gateway controller. |
Secure Real-Time Transport Protocol (SRTP) | A protocol that is used to provide multimedia (voice/video) streaming services with added security of encryption, message authentication and integrity, and replay protection. |
Session Initiation Protocol (SIP) | A communications protocol defined by the Internet Engineering Task Force (IETF) that is used for creating, modifying, and terminating multimedia sessions with multiple participants. |
This PP-Module inherits exact conformance as required from the specified Base-PP and as defined in the CC and CEM addenda for Exact Conformance, Selection-Based SFRs, and Optional SFRs (dated May 2017).
No PPs or PP-Modules may be specified in a PP-Configuration with this PP-Module other than the Base-PP specified in Section 1.1 Overview.
An organization deploying the TOE is expected to satisfy the organizational security policy listed below in addition to all organizational security policies defined by the claimed Base-PP.
This document does not define any additional OSPs.| Threat, Assumption, or OSP | Security Objectives | Rationale |
| T.MALICIOUS_TRAFFIC | O.SYSTEM_MONITORING | The TOE mitigates the threat of malformed traffic causing a system crash by ensuring that any such instances are logged so that their cause can be diagnosed and prevented in the future. |
| O.TRAFFIC_FILTERING | The TOE mitigates the threat of malformed traffic causing a failure of the TOE by providing a mechanism to prevent the TSF from processing it. | |
| T.NETWORK_ACCESS | O.AUTHORIZED_ADMINISTRATION | The TOE mitigates the threat of unauthorized network access by giving the administrator the ability to configure traffic filtering rules to block unauthorized traffic. |
| O.PROTECTED_COMMUNICATIONS | The TOE mitigates the threat of unauthorized network access by enforcing the use of protected communications channels that prevent impersonation of legitimate subjects. | |
| O.SYSTEM_MONITORING | The TOE mitigates the threat of unauthorized network access by ensuring that any such instances are logged so that their cause can be diagnosed and prevented in the future. | |
| O.TOPOLOGY_HIDING | The TOE mitigates the threat of unauthorized network access by hiding its topology so that an attacker on an external network cannot discover or enumerate devices on the TOE’s internal network. | |
| O.TRAFFIC_FILTERING | The TOE mitigates the threat of unauthorized network access by enforcing traffic filtering rules that prevent devices on the internal network from being accessed. | |
| T.RESOURCE_EXHAUSTION | O.AUTHORIZED_ADMINISTRATION | The TOE mitigates the threat of resource exhaustion by giving administrators the ability to configure traffic rules so that traffic flooding attempts can be discarded. |
| O.RESOURCE_AVAILABILITY | The TOE mitigates the threat of the transmission of network traffic that causes the inability of the TOE to perform its functions, by protecting against disruptive traffic. | |
| O.SYSTEM_MONITORING | The TOE mitigates the threat of unauthorized network access by ensuring that any such instances are logged so that their cause can be diagnosed and prevented in the future. | |
| O.TRAFFIC_FILTERING | The TOE mitigates the threat of resource exhaustion by providing the ability to filter network traffic that could cause a DoS. | |
| T.UNTRUSTED_COMMUNICATION_CHANNELS | O.PROTECTED_COMMUNICATIONS | The TOE mitigates the threat of disclosure of data in transit by enforcing the use of protected communications channels that prevent transmitted data from unauthorized disclosure. |
| T.USER_DATA_REUSE | O.USER_DATA_DELIVERY | The TOE mitigates the threat of inadvertently sending user data to an unintended destination by implementing measures that ensure that data is only sent to the intended recipient. |
| Requirement | Auditable Events | Additional Audit Record Contents |
|---|---|---|
| FAU_ARP_EXT.1 | None | |
| FAU_SAA.1 | None | |
| FAU_SEL.1 | None | |
| FCS_SRTP_EXT.1 | None | |
| FDP_IFC.1 | None | |
| FDP_IFF.1 | Any modifications to the B2BUA policy | None |
| FFW_ACL_EXT.1 | Application of traffic filtering rules | Source and destination of observed traffic |
| Rule relevant to observed traffic | ||
| Result of rule evaluation | ||
| FFW_ACL_EXT.2 | Application of traffic filtering rules | Source and destination of observed traffic |
| Rule relevant to observed traffic | ||
| Result of rule evaluation | ||
| FFW_DPI_EXT.1 | Application of deep packet inspection rules | Source and destination of observed traffic |
| Rule relevant to observed traffic | ||
| Result of rule evaluation | ||
| FFW_NAT_EXT.1 | None | |
| FIA_SIPS_EXT.1 | Call Detail Record (CDR) | Calling party |
| Called party | ||
| Start time of the call | ||
| Call duration | ||
| Call type | ||
| FIA_SIPT_EXT.1 | All SIP trunk authentication attempts | Username and IP address of the service provider |
| FMT_SMF.1/SBC | All management actions | Identifier of initiator |
| FRU_PRS_EXT.1 | None | |
| FRU_RSA.1 | None | |
| FTP_ITC.1/ESC | Initiation of the trusted channel | Identification of the initiator and target of the trusted channel |
| Termination of the trusted channel | ||
| Failure of the trusted channel functions | ||
| FTP_ITC.1/H323 (selection-based) | Initiation of the trusted channel | Identification of the initiator and target of the trusted channel |
| Termination of the trusted channel | ||
| Failure of the trusted channel functions | ||
| FTP_ITC.1/VVoIP | Initiation of the trusted channel | Identification of the initiator and target of the trusted channel |
| Termination of the trusted channel | ||
| Failure of the trusted channel functions | ||
The following rationale provides justification for each security objective for the TOE,
showing that the SFRs are suitable to meet and achieve the security objectives:
| Objective | Addressed by | Rationale |
|---|---|---|
| O.AUTHORIZED_ADMINISTRATION | FMT_SMF.1/SBC | This SFR supports the objective by defining TSF management functions that require authorizations to use. |
| O.PROTECTED_COMMUNICATIONS | FCS_TLSC_EXT.1 (refined from Base-PP) | This SFR supports the objective by requiring TLS for SIP trunking and ESC signaling channel communications. |
| FCS_TLSC_EXT.2 (refined from Base-PP) | This SFR supports the objective by requiring mutually-authenticated TLS for SIP trunking. | |
| FCS_TLSS_EXT.1 (refined from Base-PP) | This SFR supports the objective by requiring TLS for SIP trunking and ESC signaling channel communications. | |
| FCS_TLSS_EXT.2 (refined from Base-PP) | This SFR supports the objective by requiring mutually-authenticated TLS for SIP trunking. | |
| FIA_X509_EXT.1/Rev (refined from Base-PP) | This SFR supports the objective by defining requirements for the X.509 validation algorithm used by the TOE’s TLS implementation. | |
| FIA_X509_EXT.2 (refined from Base-PP) | This SFR supports the objective by defining requirements for the X.509 validation algorithm used by the TOE’s TLS implementation. | |
| FIA_X509_EXT.3 (refined from Base-PP) | This SFR supports the objective by defining a mechanism by which the TOE obtains the certificates it uses for TLS client and server connections. | |
| FTP_ITC.1 (refined from Base-PP) | This SFR supports the objective by defining external interfaces that require protected communications as well as the trusted protocols used to protect those communications. | |
| FCS_SRTP_EXT.1 | This SFR supports the objective by defining the TOE’s implementation of the SRTP protocol that is used to protect VVoIP endpoint communications. | |
| FIA_SIPT_EXT.1 | This SFR supports the objective by defining secure behavior for SIP trunking. | |
| FTP_ITC.1/ESC | This SFR supports the objective by defining how communications of potential security violations are protected. | |
| FTP_ITC.1/ESC | This SFR supports the objective by defining how communications with an external ESC are protected. | |
| FTP_ITC.1/VVoIP | This SFR supports the objective by defining how communications with an external VVoIP endpoint are protected. | |
| FTP_ITC.1/H323 (selection-based) | This SFR supports the objective by defining H.323 as a permitted method of protected communications for when a conformant TOE implements this logical interface. | |
| O.RESOURCE_AVAILABILITY | FRU_PRS_EXT.1 | This SFR supports the objective by requiring the TSF to implement priority of service to ensure that low-priority traffic cannot cause a DoS. |
| FRU_RSA.1 | This SFR supports the objective by enforcing quotas for TSF resources to prevent DoS. | |
| O.SYSTEM_MONITORING | FAU_ARP_EXT.1 | This SFR supports the objective by defining the ability to generate security violations that are transmitted to external entities. |
| FAU_GEN.1/SBC | This SFR supports the objective by iterating a Base-PP requirement to define additional auditable events that are specific to SBC functionality. | |
| FAU_SAA.1 | This SFR supports the objective by defining a set of rules to monitor auditable events for potential security violations. | |
| FAU_SEL.1 | This SFR supports the objective by allowing for some monitoring functions to be selectively enabled and disabled as needed so that the generation of lower-priority audit records can be suppressed when it is not practical to generate those records for performance reasons. | |
| FTP_ITC.1/ARP | This SFR supports the objective by defining the trusted channel used to securely communicate potential security violations. | |
| O.TOPOLOGY_HIDING | FDP_IFC.1 | This SFR supports the objective by defining a B2BUA policy so that VVoIP endpoints are only connected to each other through the TOE as an intermediary. |
| FDP_IFF.1 | This SFR supports the objective by defining the specific rules that the B2BUA policy enforces. | |
| FFW_NAT_EXT.1 | This SFR supports the objective by defining the use of NAT to obfuscate IP addresses of endpoint devices on the TOE’s internal network. | |
| O.TRAFFIC_FILTERING | FFW_ACL_EXT.1 | This SFR supports the objective by defining capabilities for traffic filtering of network packets. |
| FFW_ACL_EXT.2 | This SFR supports the objective by defining specific methods of stateful traffic inspection for specific protocols. | |
| FFW_DPI_EXT.1 | This SFR supports the objective by defining the capability to perform DPI for certain network traffic. | |
| O.USER_DATA_DELIVERY | FDP_IFC.1 | This SFR supports the objective by defining a B2BUA policy that is used by the TOE to establish connections between VVoIP endpoints. |
| FDP_IFF.1 | This SFR supports the objective by defining the rules that the B2BUA policy enforces. | |
| FFW_NAT_EXT.1 | This SFR supports the objective by requiring the use of NAT to maintain a unique relationship between how external entities identify entities on the TOE’s internal network and how they are actually addressed by that network. | |
| FIA_SIPT_EXT.1 | This SFR supports the objective by defining the use of SIP trunking, which requires authentication of endpoints to ensure data is only transmitted to the intended endpoint. | |
| FIA_SIPS_EXT.1 (implementation-based) | This SFR supports the objective by defining an optional capability to handle SIP registration in cases where the OE does not include an ESC that will provide that functionality. |
| PP-Module Threat, Assumption, OSP | Consistency Rationale |
|---|---|
| T.MALICIOUS_TRAFFIC | The Base-PP does not define a threat for malicious traffic because all of its security-relevant external interfaces define the network device as the endpoint. This PP-Module defines interfaces where the TOE is facilitating a connection between two external entities, such that traffic between them will flow through the TOE as opposed to to and from the TOE. This threat is consistent with the Base-PP because it is only applied to the interfaces defined in this PP-Module where it is relevant; it does not apply to the interfaces defined in the Base-PP. |
| T.NETWORK_ACCESS | The Base-PP does not define a threat for access to network resources because all of its security-relevant external interfaces define the network device as the endpoint. This PP-Module defines interfaces where the TOE is facilitating a connection between two external entities, such that traffic between them will flow through the TOE as opposed to into and out of the TOE. This threat is consistent with the Base-PP because it is only applied to the interfaces defined in this PP-Module where it is relevant; it does not apply to the interfaces defined in the Base-PP. |
| T.RESOURCE_EXHAUSTION | The threat of network traffic causing the TOE to be unable to perform its functions is similar to T.SECURITY_FUNCTIONALITY_FAILURE in the Base-PP because the intent of the threat is to cause the TSF to fail. The Base-PP does not define DoS protections because it does not define logical interfaces that are intended to process large volumes of network traffic. This PP-Module extends the threat by defining a specific example of it that applies to an SBC device that has this functionality. |
| T.UNTRUSTED_COMMUNICATION_CHANNELS | The threat of disclosure of data in transit is fundamentally the same as the NDcPP threat with the same name. This PP-Module extends the threat to apply to the external interfaces that are defined specifically in support of SBC functions. |
| T.USER_DATA_REUSE | The Base-PP does not define a threat of user data transmitted to the wrong destination because all of its security-relevant external interfaces define the network device as the endpoint. This PP-Module defines interfaces where the TOE is facilitating a connection between two external entities, such that traffic between them will flow through the TOE as opposed to to and from the TOE. This threat is consistent with the Base-PP because it is only applied to the interfaces defined in this PP-Module where it is relevant; it does not apply to the interfaces defined in the Base-PP. |
The objectives for the TOEs are consistent with the NDcPP based on the following rationale:
| PP-Module TOE Objective | Consistency Rationale |
|---|---|
| O.AUTHORIZED_ADMINISTRATION | The NDcPP does not define any TOE objectives; instead, it maps SFRs directly to threats. This TOE objective is consistent with the NDcPP because the individual security functions needed to satisfy the objective do not contradict with the security functions required by the NDcPP. |
| O.PROTECTED_COMMUNICATIONS | The NDcPP does not define any TOE objectives; instead, it maps SFRs directly to threats. This TOE objective is consistent with the NDcPP because the individual security functions needed to satisfy the objective do not contradict with the security functions required by the NDcPP. |
| O.RESOURCE_AVAILABILITY | The NDcPP does not define any TOE objectives; instead, it maps SFRs directly to threats. This TOE objective is consistent with the NDcPP because the individual security functions needed to satisfy the objective do not contradict with the security functions required by the NDcPP. |
| O.SYSTEM_MONITORING | The NDcPP does not define any TOE objectives; instead, it maps SFRs directly to threats. This TOE objective is consistent with the NDcPP because the individual security functions needed to satisfy the objective do not contradict with the security functions required by the NDcPP. |
| O.TOPOLOGY_HIDING | The NDcPP does not define any TOE objectives; instead, it maps SFRs directly to threats. This TOE objective is consistent with the NDcPP because the individual security functions needed to satisfy the objective do not contradict with the security functions required by the NDcPP. |
| O.TRAFFIC_FILTERING | The NDcPP does not define any TOE objectives; instead, it maps SFRs directly to threats. This TOE objective is consistent with the NDcPP because the individual security functions needed to satisfy the objective do not contradict with the security functions required by the NDcPP. |
| O.USER_DATA_DELIVERY | The NDcPP does not define any TOE objectives; instead, it maps SFRs directly to threats. This TOE objective is consistent with the NDcPP because the individual security functions needed to satisfy the objective do not contradict with the security functions required by the NDcPP. |
| PP-Module Requirement | Consistency Rationale |
|---|---|
| Modified SFRs | |
| FCS_TLSC_EXT.1 | This PP-Module mandates the inclusion of this selection-based SFR because it is required to implement the trusted communications required by the PP-Module. |
| FCS_TLSC_EXT.2 | This PP-Module mandates the inclusion of this optional SFR because it is required to implement the trusted communications required by the PP-Module. |
| FCS_TLSS_EXT.1 | This PP-Module mandates the inclusion of this selection-based SFR because it is required to implement the trusted communications required by the PP-Module. |
| FCS_TLSS_EXT.2 | This PP-Module mandates the inclusion of this optional SFR because it is required to implement the trusted communications required by the PP-Module. |
| FIA_X509_EXT.1/Rev | This PP-Module mandates the inclusion of this selection-based SFR because it is a dependency of the TLS requirements that it also mandates. |
| FIA_X509_EXT.2 | This PP-Module mandates the inclusion of this selection-based SFR because it is a dependency of the TLS requirements that it also mandates. |
| FIA_X509_EXT.3 | This PP-Module mandates the inclusion of this selection-based SFR because it is a dependency of the TLS requirements that it also mandates. |
| FTP_ITC.1 | This PP-Module refines the Base-PP SFR to mandate the use of one of the trusted protocols defined by the Base-PP. |
| Additional SFRs | |
| This PP-Module does not add any requirements when the NDcPP is the base. | |
| Mandatory SFRs | |
| FAU_ARP_EXT.1 | This SFR applies to the generation of alerts when a given auditable event is detected, which is beyond the original scope of the Base-PP. |
| FAU_GEN.1/SBC | This SFR is an iteration of a Base-PP requirement that defines additional auditable events for SBC functionality that the Base-PP could not be expected to cover. |
| FAU_SAA.1 | This SFR applies to the detection of auditable events as potential security violations requiring the generation of alerts, which is beyond the original scope of the Base-PP. |
| FAU_SEL.1 | This SFR applies to the behavior of the audit function with respect to the auditable events defined in this PP-Module. It does not affect the audit functions that apply to the Base-PP. |
| FCS_SRTP_EXT.1 | This SFR applies to the implementation of SRTP, which is a protocol that is not used for any Base-PP functionality. |
| FDP_IFC.1 | This SFR applies to the TOE’s implementation of a B2BUA policy, which applies to the TOE’s through-traffic interfaces and is therefore beyond the original scope of the Base-PP. |
| FDP_IFF.1 | This SFR applies to the TOE’s implementation of a B2BUA policy, which applies to the TOE’s through-traffic interfaces and is therefore beyond the original scope of the Base-PP. |
| FFW_ACL_EXT.1 | This SFR applies to traffic filtering, which applies to the TOE’s through-traffic interfaces and is therefore beyond the original scope of the Base-PP. |
| FFW_ACL_EXT.2 | This SFR applies to traffic filtering, which applies to the TOE’s through-traffic interfaces and is therefore beyond the original scope of the Base-PP. |
| FFW_DPI_EXT.1 | This SFR applies to DPI, which applies to the TOE’s through-traffic interfaces and is therefore beyond the original scope of the Base-PP. |
| FFW_NAT_EXT.1 | This SFR applies to NAT, which applies to the TOE’s through-traffic interfaces and is therefore beyond the original scope of the Base-PP. |
| FIA_SIPT_EXT.1 | This SFR applies to SIP trunking, which is a logical interface that is beyond the original scope of the Base-PP. |
| FMT_SMF.1/SBC | This SFR is an iteration of a Base-PP requirement that defines additional management functions for SBC functionality that the Base-PP could not be expected to cover. |
| FRU_PRS_EXT.1 | This SFR applies to enforcement of bandwidth priority of service, which is a mechanism that is beyond the scope of the Base-PP and does not interfere with the ability of the Base-PP to process valid network traffic securely. |
| FRU_RSA.1 | This SFR applies to enforcement of resource quotas, which is a mechanism that is beyond the scope of the Base-PP and does not interfere with the ability of the Base-PP to process valid network traffic securely. |
| FTP_ITC.1/ARP | This SFR is used to specify the trusted channel used for transmission of alerts as specified in FAU_ARP_EXT.1. |
| FTP_ITC.1/ESC | This PP-Module iterates an SFR defined in the Base-PP to define a new external interface for communications with an ESC. This does not interfere with the ability of the Base-PP to enforce its security functionality on the existing logical interfaces. |
| FTP_ITC.1/VVoIP | This PP-Module iterates an SFR defined in the Base-PP to define a new external interface for communications with a VVoIP endpoint. This does not interfere with the ability of the Base-PP to enforce its security functionality on the existing logical interfaces. |
| Optional SFRs | |
| This PP-Module does not define any Optional requirements. | |
| Objective SFRs | |
| This PP-Module does not define any Objective requirements. | |
| Implementation-based SFRs | |
| FIA_SIPS_EXT.1 | This SFR applies to SIP registration, which is beyond the original scope of the Base-PP. |
| Selection-based SFRs | |
| FTP_ITC.1/H323 | This PP-Module iterates an SFR defined in the Base-PP to define a new external interface for communications using H.323. This does not interfere with the ability of the Base-PP to enforce its security functionality on the existing logical interfaces. |
This PP-Module does not define any Strictly Optional SFRs.
This PP-Module does not define any Objective SFRs.
| Functional Class | Functional Components |
|---|---|
| Cryptographic Support (FCS) | FCS_SRTP_EXT Secure Real-Time Transport Protocol |
| Firewall (FFW) | FFW_ACL_EXT Traffic Filtering FFW_DPI_EXT Deep Packet Inspection FFW_NAT_EXT Network Address Translation |
| Identification and Authentication (FIA) | FIA_SIPS_EXT Session Initiation Protocol Registration FIA_SIPT_EXT Session Initiation Protocol Trunking |
| Resource Utilization (FRU) | FRU_PRS_EXT Limited Priority of Service |
| Security Audit (FAU) | FAU_ARP_EXT Security Audit Automatic Response |
FCS_SRTP_EXT.1, Secure Real-Time Transport Protocol, requires the TSF to implement SRTP in accordance with specified standards, and for some of this functionality to be configurable.
The following actions could be considered for the management functions in FMT:
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FMT_SMR.1 Security Roles
FTP_ITC.1 Inter-TSF Trusted ChannelFFW_ACL_EXT.1, Real-Time Communications Traffic Filtering, requires the TSF to implement traffic filtering rules based on network protocol attributes.
FFW_ACL_EXT.2, Stateful VVoIP Traffic Filtering, requires the TSF to perform stateful traffic filtering on traffic that matches certain unauthorized state conditions.
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: None
No specific management functions are identified.
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: None
FFW_DPI_EXT.1, Deep Packet Inspection, defines traffic that the TSF is expected to be able to perform DPI on, the specific elements of that traffic that is subject to DPI, and the action that is taken when invalid traffic is discovered by the DPI mechanism.
No specific management functions are identified.
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: None
FFW_NAT_EXT.1, Topology Hiding/NAT Traversal, requires the TSF to implement NAT for defined network protocols.
The following actions could be considered for the management functions in FMT:
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FDP_IFC.1 Subset Information Flow Control
FMT_SMR.1 Security RolesFIA_SIPT_EXT.1, Session Initiation Protocol Trunking, requires the TSF to implement SIP trunking using defined authentication and encryption methods.
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: FCS_TLSC_EXT.1 TLS Client Protocol without Mutual Authentication
FCS_TLSC_EXT.2 TLS Client Support for Mutual Authentication FCS_TLSS_EXT.1 TLS Server Protocol without Mutual Authentication FCS_TLSC_EXT.2 TLS Server Support for Mutual Authentication FTP_ITC.1 Inter-TSF Trusted ChannelFIA_SIPS_EXT.1, Session Initiation Protocol Registration, defines requirements for how the TSF must implement SIP registration, including protocol implementations and constraints on authentication.
The following actions could be considered for the management functions in FMT:
The following actions should be auditable if FAU_GEN Security audit data generation is included in the PP/ST:
Hierarchical to: No other components.
Dependencies to: None
FRU_PRS_EXT.1, Limited Priority of Service, requires the TSF to implement mechanisms to limit the amount of network bandwidth that is available to subjects based on certain attributes.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: None
FAU_ARP_EXT.1, Security Audit Automatic Response, defines the mechanism used by the TOE to securely transmit security alerts to the OE.
No specific management functions are identified.
There are no auditable events foreseen.
Hierarchical to: No other components.
Dependencies to: FAU_SAA.1 Potential Violation Analysis
FTP_ITC.1 Inter-TSF Trusted ChannelThis appendix lists requirements that should be considered satisfied by products successfully evaluated against this PP-Module. These requirements are not featured explicitly as SFRs and should not be included in the ST. They are not included as standalone SFRs because it would increase the time, cost, and complexity of evaluation. This approach is permitted by [CC] Part 1, 8.2 Dependencies between components.
This information benefits systems engineering activities which call for inclusion of particular security controls. Evaluation against the PP-Module provides evidence that these controls are present and have been evaluated.
Table 5: Implicitly Satisfied Requirements| Requirement | Rationale for Satisfaction |
| FMT_MSA.3 – Static Attribute Initialization | FDP_IFF.1 has a dependency on FMT_MSA.3 to define the default security posture of security attributes for the purpose of information flow control enforcement. This SFR has not been defined by this PP-Module because the enforcement of FDP_IFF.1 is not dependent on the initial state of security attributes. For example, FDP_IFF.1.2 requires the TSF to determine if a communication attempt is valid before authorizing it. This is true regardless of whether the default value of security attributes associated with the connection attempt are permissive or restrictive; there is no difference in how the TSF determines “validity” in this case. The default values of security attributes do not cause the information flow control policy to behave differently for those rules that must always be enforced by the TSF. FDP_IFF.1.4 requires that all allowlisted calling parties be authorized while all denylisted calling parties be rejected. It does not matter for the purpose of enforcing this SFR whether the absence of a calling party from both the allowlist and the denylist means they are authorized or rejected by default. |
| Requirement | Description | Distributed TOE SFR Allocation |
| FAU_ARP_EXT.1 | Security Audit Automatic Response | Feature Dependent |
| FAU_GEN.1/SBC | Audit Data Generation (Session Border Controller) | All |
| FAU_SAA.1 | Potential Violation Analysis | Feature Dependent |
| FAU_SEL.1 | Selective Audit | Feature Dependent |
| FCS_SRTP_EXT.1 | Secure Real-Time Transport Protocol | Feature Dependent |
| FDP_IFC.1 | Subset Information Flow Control | Feature Dependent |
| FDP_IFF.1 | Simple Security Attributes | Feature Dependent |
| FFW_ACL_EXT.1 | Real-Time Communications Traffic Filtering | Feature Dependent |
| FFW_ACL_EXT.2 | Stateful VVoIP Traffic Filtering | Feature Dependent |
| FFW_DPI_EXT.1 | Deep Packet Inspection | Feature Dependent |
| FFW_NAT_EXT.1 | Topology Hiding/NAT Traversal | Feature Dependent |
| FIA_SIPS_EXT.1 (implementation-based) | Session Initiation Protocol Registration | Feature Dependent |
| FIA_SIPT_EXT.1 | Session Initiation Protocol Trunking | Feature Dependent |
| FMT_SMF.1/SBC | Specification of Management Functions (SBC) | Feature Dependent |
| FRU_PRS_EXT.1 | Limited Priority of Service | Feature Dependent |
| FRU_RSA.1 | Maximum Quotas | Feature Dependent |
| FTP_ITC.1/ESC | Inter-TSF Trusted Channel (ESC Communications) | Feature Dependent |
| FTP_ITC.1/H323 (selection-based) | Inter-TSF Trusted Channel (H.323 Communications) | Feature Dependent |
| FTP_ITC.1/VVoIP | Inter-TSF Trusted Channel (VVoIP Communications) | Feature Dependent |
| Acronym | Meaning |
|---|---|
| ACL | Access Control List |
| B2BUA | Back-To-Back User Agent |
| Base-PP | Base Protection Profile |
| CC | Common Criteria |
| CDR | Call Detail Record |
| CEM | Common Evaluation Methodology |
| cPP | Collaborative Protection Profile |
| DoS | Denial of Service |
| DPI | Deep Packet Inspection |
| ESC | Enterprise Session Controller |
| IP-PBX | Internet Protocol Public Branch Exchange |
| MGCP | Media Gateway Control Protocol |
| NAT | Network Address Translation |
| OE | Operational Environment |
| PP | Protection Profile |
| PP-Configuration | Protection Profile Configuration |
| PP-Module | Protection Profile Module |
| QoS | Quality of Service |
| RTCP | RTP Control Protocol |
| RTP | Real-Time Transport Protocol |
| SAR | Security Assurance Requirement |
| SDES | Security Descriptions for Media Streams |
| SDP | Session Description Protocol |
| SFR | Security Functional Requirement |
| SIP | Session Initiation Protocol |
| SRTP | Secure Real-Time Transport Protocol |
| ST | Security Target |
| TOE | Target of Evaluation |
| TSF | TOE Security Functionality |
| TSFI | TSF Interface |
| TSS | TOE Summary Specification |
| VVoIP | Voice/Video Over IP |
| Identifier | Title |
|---|---|
| [CC] | Common Criteria for Information Technology Security Evaluation -
|
| [NDcPP] | collaborative Protection Profile for Network Devices, Version 2.2e, March 23, 2020 |
| [NDcPP SD] | Supporting Document - Evaluation Activities for Network Device cPP, Version 2.2, December 2019 |