[Public Interpretations Database]

PD-0036: Distinction between Internal and External Networks in a Firewall PP


This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.


Effective Date: 2002-06-11
Last Modified: 2006-08-02

Issue

Is the distinction between internal and external networks in a firewall PP useful?

Resolution

The use of internal and external networks in a firewall PP may in some instances (e.g., when only two network interfaces are present) provide clarity in expressing the intent of requirements. If more than two network interfaces are allowed in the evaluated configuration, there does not appear to be any meaningful reason for using the terms internal and external and, in fact, doing so may lead to confusion.

Support

The TOE administrator will typically assign a firewall's interfaces to networks, and the TOE assigns no meaning to this assignment. The firewall is responsible for enforcing the firewall policy on an assigned interface, and whether the interface is internal or external is inconsequential. In addition, if a firewall allows more than two network interfaces (e.g., one for the Internet, one for a DMZ, one for site A, one for site B), internal and external may have no meaning.
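To make the point concrete, the following added example (not part of the PD or any PP) models the four-interface topology above with a policy keyed on interface pairs, the way the Support paragraph says a TOE enforces it, and then shows that a two-valued internal/external labelling cannot express all of that policy's flows. Interface names, the rules and the labelling are constructed for the example.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed topology from the PD's example: Internet, DMZ, site A, site B.
INTERFACES = {"eth0": "internet", "eth1": "dmz", "eth2": "site_a", "eth3": "site_b"}


@dataclass(frozen=True)
class Rule:
    in_if: str            # ingress interface
    out_if: str           # egress interface
    dst_port: Optional[int]  # None matches any port
    action: str           # "permit" or "deny"


# Policy expressed purely per interface pair; no interface carries an internal/external tag.
POLICY = [
    Rule("eth0", "eth1", 443, "permit"),   # Internet -> DMZ, HTTPS only
    Rule("eth2", "eth1", None, "permit"),  # site A   -> DMZ, any service
    Rule("eth3", "eth1", None, "permit"),  # site B   -> DMZ, any service
    Rule("eth2", "eth3", 22, "permit"),    # site A   -> site B, SSH only (not the reverse)
]


def enforce(in_if: str, out_if: str, dst_port: int) -> str:
    """First-match evaluation over the interface-pair policy; unmatched traffic is denied."""
    for r in POLICY:
        if r.in_if == in_if and r.out_if == out_if and r.dst_port in (None, dst_port):
            return r.action
    return "deny"


# Two candidate labellings: the two-interface case, and the four-interface case where the
# administrator has to call everything that is not the Internet "internal".
TWO_IF_SIDES = {"eth0": "external", "eth1": "internal"}
FOUR_IF_SIDES = {"eth0": "external", "eth1": "internal", "eth2": "internal", "eth3": "internal"}


def internal_external_label(in_if: str, out_if: str, sides: dict) -> Optional[str]:
    """Describe a flow as 'external->internal' or 'internal->external'; None if both ends share a side."""
    a, b = sides[in_if], sides[out_if]
    return None if a == b else f"{a}->{b}"


def flows_not_expressible(sides: dict) -> set:
    """Ordered interface pairs whose flow the internal/external vocabulary cannot name at all."""
    return {(i, o) for i in sides for o in sides if i != o and internal_external_label(i, o, sides) is None}
```

With two interfaces every flow has a label; with four, the six flows among DMZ, site A and site B (including the asymmetric site A to site B SSH rule) are all just "internal", which is the confusion the Resolution warns about.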

Modification History:

2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

References:

  • ALFWPPv1.c

Related NIs:

  • None

Related CCIMB-INTERPs:

  • None

Source OD: 0103