[Public Interpretations Database]

PD-0124: Depth of Protocol or Interface Examination

This decision represents a long-term technical decision based on an OD, and may not be the same as the final results of the source OD. With respect to published criteria documentation and scheme documents, it provides suggested guidance on evaluation direction, but is not authoritative. Authoritative decisions are provided through the published criteria documents and published scheme and international interpretations thereof. With respect to published PPs, PDs are authoritative corrections to the PP, based on input from the PP author (if available), that are in force until the publication of the next revision of that PP.

Effective Date: 2005-08-23
Last Modified: 2006-08-02

Issue

If a protocol requires examination, how broad must that examination be? For example, if a network interface accepts TCP connections on a port for a specific service, must it also be examined for a response on every other port?

Resolution

Interfaces and protocols that an attacker can reasonably manipulate that have the potential to alter the security behavior of the TOE must be evaluated.

Support

This divides interface testing into two realms. Functional testing is applied to the TSF-affecting interfaces. Penetration testing can be conducted against all interfaces.

Decomposition should be performed only as exhaustively as the TOE user's threat environment dictates.

For example, an Internet attacker targeting a firewall could manipulate datagrams but not the electrical signaling, so the depth of testing could reasonably stop short of the signaling layer. Further, because of routing, only certain types of datagrams are likely to reach the public interface. For instance, if ICMP traffic is required to be dropped by the router before it reaches the firewall interface, ICMP traffic could also be excluded. In this case it may be necessary to assume that no hostile user will appear between the firewall and the public router, and/or that all network attacks originate from outside the router.

Consider the following two additional examples:

  • TCP ports: Consider an ST where the TOE environment requirement is that all TCP network traffic other than port 80 be blocked at the upstream router. In this case, the other ports need not be examined (assuming no other condition exists that would make those ports a vulnerability in the TOE environment).

  • Physical ports: Serial/Parallel/USB/SCSI/Etc. ports on a system would not need to be examined if (A) they do not support the TSF, and (B) there is an assumption of physical protection of the TOE. An ATM cash machine in a public place might not be able to assume "B" and would thus require its physical interfaces, and the protocols carried on them, to be examined.

Reference

If the TOE claims an interface or protocol conforms to a standard, refer to interpretation I-0427 Identification of Standards for guidance on documenting the conformance.

Modification History:

2005-08-23
PD Created. [August 2005 ODRB Agenda Item 4.b.ii]
2005-11-07
Based on comments from the cc-cmt discussion, corrected a typographic error and added additional examples for clarity. (November 2005 ODRB Agenda Item 4.d.i)
2006-03-23
Based on comments from the cc-cmt discussion, modified title and resolution to resolve ambiguity. (March 2006 ODRB Agenda Item 4.d.i)

References:

  • None

Related NIs:

  • None

Related CCIMB-INTERPs:

  • None

Source OD: 0163