[Public Interpretations Database]

PD-0095: User in the Loop for Policy Enforcement

This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.

Effective Date: 2003-07-08
Last Modified: 2006-08-02

Issue

May an information flow policy in FDP_IFC and FDP_IFF ask a user to determine the TSF's behavior?

Many security products (e.g., firewalls) can be configured to allow or deny an information flow based on one or more specific characteristics associated with that information flow (e.g., port ID, protocol). If the information flow criteria or rules do not explicitly address a specific characteristic or value, whether intentionally or unintentionally, some products can also be configured to require that the administrator or other authorized user be asked what must be done with the information flow.

Resolution

An untrusted user should not be allowed to make an access control decision unless the decision concerns an object that such a user owns. For TOEs, such as firewalls, which do not have users in the usual sense but which do allow an administrator to set up the rules to be enforced for an information flow policy, that same administrator (or another person holding the administrator privilege) should be allowed to respond to the TSF's query.

The functionality in question is a reasonable mechanism. It is not a case of the TOE giving up control of policy enforcement. In fact, the authorized user's decision should be considered to be part of the access control policy or the information flow policy in that such a user is asked to determine the action (e.g., allow, deny, query) that the TSF will then enforce.

This policy may be defined in either ACC/ACF, IFC/IFF, or as an explicitly stated requirement.

The user whom the TSF queries must be assumed to be authorized to decide the TSF's action(s) -- for example, a firewall administrator or the owner of a file -- and such an assumption needs to be explicitly stated in the ST. Furthermore, the ST needs to include another explicit assumption: that the authorized user has been trained to know how to respond to the TSF's requests. Finally, the ST needs to include the authorized user's participation in the security functional requirements that describe the information flow or access control policy, and the TOE Summary Specification needs to explain how the applicable security functional requirements are met.
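The query-on-no-match behaviour and the authorization constraint described above, as an added example that is not part of PD-0095 and not the code of any evaluated product: a minimal information flow policy enforcer whose rule set falls through to a "query" action. When no explicit rule matches a flow, the TSF asks the decider for a verdict, but only a holder of the administrator privilege is accepted; any other user's answer is ignored and the flow is denied. The administrator's answer can optionally be recorded as a new rule, reflecting the point that the decision becomes part of the enforced policy. All names (Flow, Rule, User, PolicyEnforcer, the role string "administrator") are hypothetical.

```python
"""Added example (not part of PD-0095): user-in-the-loop policy enforcement.

Rules match on port and protocol only, mirroring the characteristics the
PD names; the default action when nothing matches is QUERY.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

ALLOW, DENY, QUERY = "allow", "deny", "query"
ADMIN_ROLE = "administrator"  # hypothetical role name


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int
    protocol: str


@dataclass
class Rule:
    action: str
    port: Optional[int] = None       # None acts as a wildcard
    protocol: Optional[str] = None   # None acts as a wildcard

    def matches(self, flow: Flow) -> bool:
        return ((self.port is None or self.port == flow.port) and
                (self.protocol is None or self.protocol == flow.protocol))


@dataclass(frozen=True)
class User:
    name: str
    roles: frozenset


class PolicyEnforcer:
    """TSF side of the policy: first-match rule evaluation with a query fallback."""

    def __init__(self, rules: List[Rule], default: str = QUERY) -> None:
        self.rules = list(rules)
        self.default = default
        self.audit: List[Tuple[Flow, str, str]] = []  # (flow, action, reason)

    def decide(self, flow: Flow, decider: User,
               ask: Callable[[User, Flow], str], persist: bool = False) -> str:
        action = self.default
        for rule in self.rules:
            if rule.matches(flow):
                action = rule.action
                break
        if action != QUERY:
            self.audit.append((flow, action, "explicit rule"))
            return action

        # Only an authorized user may answer the TSF's query; anyone else is
        # refused and the flow fails closed.
        if ADMIN_ROLE not in decider.roles:
            self.audit.append((flow, DENY, "unauthorized decider"))
            return DENY

        answer = ask(decider, flow)
        if answer not in (ALLOW, DENY):
            answer = DENY  # invalid or missing response also fails closed
        self.audit.append((flow, answer, "decided by " + decider.name))

        if persist:
            # The administrator's decision becomes part of the policy itself,
            # so later flows with the same port/protocol no longer need a query.
            self.rules.append(Rule(answer, port=flow.port, protocol=flow.protocol))
        return answer


def demo() -> List[str]:
    """Constructed sample flows run through the enforcer; returns the verdicts."""
    admin = User("alice", frozenset({ADMIN_ROLE}))
    guest = User("bob", frozenset())
    enf = PolicyEnforcer([Rule(ALLOW, port=443, protocol="tcp"), Rule(DENY, port=23)])
    always_allow = lambda user, flow: ALLOW
    return [
        enf.decide(Flow("10.0.0.1", "10.0.0.2", 443, "tcp"), guest, always_allow),
        enf.decide(Flow("10.0.0.1", "10.0.0.2", 23, "tcp"), admin, always_allow),
        enf.decide(Flow("10.0.0.1", "10.0.0.2", 8080, "tcp"), guest, always_allow),
        enf.decide(Flow("10.0.0.1", "10.0.0.2", 8080, "tcp"), admin, always_allow, persist=True),
        enf.decide(Flow("10.0.0.3", "10.0.0.2", 8080, "tcp"), guest, always_allow),
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The audit list is what an evaluator would look for when checking that the TOE Summary Specification covers the user's participation: every decision records whether it came from an explicit rule or from a named administrator's answer.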

Modification History:

2004-08-12
Updated effective date to reflect the date the PD was issued. (August 2004 NIB 6.c.xiv)

References:

  • CC v2.1 Part 2 Subclause 6.5 FDP_IFC
  • CC v2.1 Part 2 Subclause 6.6 FDP_IFF

Related NIs:

  • None

Related CCIMB-INTERPs:

  • None

Source OD: 0215