TD0418: Clarifications for ESC EP
FAU_STG.1/VVR, FAU_STG_EXT.1, FMT_SMF.1, FTP_ITC.1
FTP_ITC.1.1/ESC has some issues with what was done in TD0159 to modify the SFR from the NDcPP. Also, the EP refers to a sunsetted version of the NDcPP.
This TD supersedes TD0159, TD0270, and TD0350, which will be archived.
The ESC EP v1.0 is modified as follows:
5.1.4 Security Management (FMT)
FMT_SMF.1 is replaced with the following:
FMT_SMF.1 Specification of Management Functions
FMT_SMF.1.1 The TSF shall be capable of performing the following management functions:
· Ability to administer the TOE locally and remotely;
· Ability to configure the access banner;
· Ability to configure the session inactivity time before session termination or locking;
· Ability to update the TOE, and to verify the updates using digital signature capability prior to installing those updates;
· Ability to display the real-time connection status of all VVoIP endpoints (hardware and software) and telecommunications devices;
· Ability to clear all TSF data stored on disk;
o Ability to start and stop services;
o Ability to configure audit behavior;
o Ability to modify the behavior of the transmission of audit data to an external IT entity, the handling of audit data, the audit functionality when Local Audit Storage Space is full;
o Ability to configure the list of TOE-provided services available before an entity is identified and authenticated, as specified in FIA_UIA_EXT.1;
o Ability to manage the cryptographic keys;
o Ability to configure the cryptographic functionality;
o Ability to configure thresholds for SSH rekeying;
o Ability to configure the lifetime for IPsec SAs;
o Ability to configure the interaction between TOE components;
o Ability to enable or disable automatic checking for updates or automatic updates;
o Ability to re-enable an Administrator account;
o Ability to set the time which is used for time-stamps;
o Ability to configure NTP;
o Ability to configure the reference identifier for the peer;
o Ability to manage the TOE's trust store and designate X509.v3 certificates as trust anchors;
o Ability to import X.509v3 certificates to the TOE's trust store;
o Ability to configure the password policy;
o Ability to specify the set of audited events;
o Ability to configure the behavior of the TOE in response to a self-test failure;
o Ability to enable/disable voice and video recordings for any registered VVoIP endpoint;
o No other capabilities.]
Application Note: The TOE developer is encouraged, but not required, to provide a more sophisticated password strength policy than what is prescribed by FIA_PMG_EXT.1 as defined in the NDcPP. This may include the ability for an administrator to configure the metrics used to define an acceptable password. At minimum, the minimum password length must be configurable. If "have" is selected in FAU_STG_EXT.1.1, then "Ability to enable/disable voice and video recordings for any registered VVoIP endpoint" must be selected.
The selection “Ability to configure NTP” shall be included in the ST if the TOE uses NTP for timestamp configuration. If selected, FCS_NTP_EXT.1 from the NDcPP shall be included in the ST as well.
In addition to the assurance activities specified in the NDcPP Supporting Documents for this SFR, the evaluator shall perform the following activities:
If "Ability to enable/disable voice and video recordings for any registered VVoIP endpoint" is selected, the evaluator shall examine the guidance document to verify it describes how to enable or disable recordings of voice and video calls.
Test 1 (Conditional): If "Ability to enable/disable voice and video recordings for any registered VVoIP endpoint" is selected, the evaluator shall deploy a test environment with two or more registered VVoIP endpoints. The evaluator shall choose two endpoints and configure the TOE to enable voice/video recording between them. The evaluator shall place a call between the two selected endpoints, verify that the call is successfully established, then terminate the call and verify that a recording is generated. The evaluator shall then configure the TOE to disable voice/video recording between the same two endpoints, repeat the call, verify that the call is established, then terminate the call. The evaluator shall examine the location where the first recording was generated and verify that no new recording is generated.
Test 2: The evaluator shall deploy a test environment with two or more registered VVoIP endpoints. The evaluator shall choose two endpoints, place a call between them, and verify that the call is successfully established. While the call is active, the evaluator shall use the TSF to review active connections and verify that the call is listed. The evaluator shall discontinue the call and verify that the TSF no longer shows it as active.
Test 3 (Conditional): If “ability to configure the password policy” is selected, the evaluator shall observe what the password strength policy is configured to by default on the TOE and shall verify that it is enforced by defining several weak administrative passwords for a given administrator account that are appropriately rejected by the TSF. The evaluator shall then modify the TOE’s password policy in such a manner that at least one of these weak passwords would now be accepted by the policy. The evaluator shall repeat the attempted password changes and observe that the TSF correctly accepts or rejects the passwords based on the new policy.
5.1.5 Protection of the TSF (FPT)
This section is removed in favor of FPT_STM_EXT.1 in the NDcPP.
5.1.6 Trusted Path/Channels (FTP)
This section is removed in favor of FTP_ITC.1 in the NDcPP.
5.2.1 Security Audit (FAU)
FAU_STG_EXT.1 is added:
FAU_STG_EXT.1 Recording Voice and Video Call Data
FAU_STG_EXT.1.1 The TSF shall [selection: have, not have] the capability to record voice and video call data.
Application Note: If "have" is selected, FAU_STG.1/VVR must be claimed and “Ability to enable/disable voice and video recordings for any registered VVoIP endpoint” must be selected in FMT_SMF.1.1.
The evaluator shall examine the TSS to verify that it describes whether the TSF has or does not have the capability to record voice and video call data.
The test for this SFR is performed as part of FMT_SMF.1.1’s Assurance Activity.
FAU_STG.1/VVR is moved to Annex B, and will be mandatory if "have" is selected in FAU_STG_EXT.1.1.
Annex E. References
The [NDcPP] entry is replaced with the following:
[NDcPP] collaborative Protection Profile for Network Devices, Version 2.1, 24 September 2018
See issue description.