NIAP: View Technical Decision Details
Archived TD0179:  Management Capabilities in VPN GW EP 2.1

Publication Date

Protection Profiles

Other References

Issue Description

The VPN GW requires more assurance than the NDcPP/FWcPP does. Digital signature will remain mandatory and hash comparison will remain optional. FMT_SMF.1.1 will also be updated to permit the management of the firewall rules if the product claims compliance to the CPP_FW_V1.0.


In Section 5.1.3, FMT_SMF.1.1, Bullet 4 is modified as follows:

Ability to update the TOE, and to verify the updates using [refinement] digital signature and [selection: hash comparison, no other] capability prior to installing those updates; 


Section 5.2 is replaced as follows:

5.2 FWcPP Security Functional Requirements Direction

The FWcPP defines a large number of SFRs that are identical to those defined in the NDcPP. All of the NDcPP SFRs that are impacted by the inclusion of this EP as part of the TOE are also present in the FWcPP with the same wording and assurance activities, except for FMT_SMF.1. Therefore, VPN Gateway TOEs that conform to the FWcPP should perform the same SFR modifications that are defined in section 5.1 of this EP, with the exception of FMT_SMF.1, which is defined below.

The evaluator shall evaluate these SFRs by performing the Assurance Activities as specified in the Supporting Documents for the FWcPP except where explicitly stated by this EP.

Section 5.2.1 is added as follows:

FMT_SMF.1 Specification of Management Functions

FMT_SMF.1.1 The TSF shall be capable of performing the following management functions:


· Ability to administer the TOE locally and remotely;
· Ability to configure the access banner;
· Ability to configure the session inactivity time before session termination or locking;
· Ability to update the TOE, and to verify the updates using [refinement] digital signature and [selection: hash comparison, no other] capability prior to installing those updates;
· Ability to configure firewall rules;
· Ability to configure the cryptographic functionality;
· Ability to configure the IPsec functionality;
· Ability to import X.509v3 certificates;
· Ability to enable, disable, determine and modify the behavior of all the security functions of the TOE identified in this EP to the Administrator;
· Ability to configure all security management functions identified in other sections of this EP;
· Ability to configure audit behavior;
· Ability to configure the list of TOE-provided services available before an entity is identified and authenticated, as specified in FIA_UIA_EXT.1;
· No other capabilities].


Application Note: In order to prevent redundancy, an ST claiming conformance to this EP should not select “Ability to configure the cryptographic functionality” as defined in the FWcPP when completing FMT_SMF.1 since it is already mandated by this EP.

The following assurance activity is to be performed in addition to the assurance activities specified by the NDcPP Supporting Documents for this SFR.

Assurance Activity


The evaluator shall verify that the TSS describes how the traffic filter rules for VPN traffic can be configured. Note that this activity can be addressed in parallel with the TSS assurance activities for FPF_RUL_EXT.1.


The evaluator shall verify that the operational guidance describes how to configure the traffic filter rules, including how to set any configurable defaults and how to configure each of the applicable rule attributes, actions, and associated interfaces. The evaluator must ensure that the operational guidance also provides instruction that would allow an administrator to ensure that configured rules are properly ordered. Note that this activity should have been addressed with the Guidance assurance activities for FPF_RUL_EXT.1.


The evaluator shall devise tests that demonstrate that the functions used to configure the TSF yield expected changes in the rules and that they are correctly enforced. A number of rule combination and ordering scenarios need to be configured and tested by attempting to pass both valid and invalid network traffic through the TOE. Note that this activity should have been addressed with a combination of the Test assurance activities for FPF_RUL_EXT.1.


See issue description.
