NIAP: View Technical Decision Details
NIAP/CCEVS
  NIAP  »»  Protection Profiles  »»  Technical Decisions  »»  View Details  
TD0476:  NIT Technical Decision for Conflicting FW rules cannot be configured

Publication Date
2019.12.18

Protection Profiles
CPP_FW_V2.0E

Other References
FW SD V2.0, FFW_RUL_EXT.1.8, Test 1

Issue Description

The NIT has issued a technical decision for Conflicting FW rules cannot be configured

Resolution

For FFW_RUL_EXT.1.8 TSS Section the following paragraph shall be added:

If the TOE implements a mechanism that ensures that no conflicting rules can be configured, the TSS shall describe the underlying mechanism.”

For FFW_RUL_EXT.1.8 Test 1 shall be modified as follows:

Test 1: If the TOE implements a mechanism that ensures that no conflicting rules can be configured, the evaluator shall try to configure two conflicting rules and verify that the TOE rejects the conflicting rule(s). It is important to verify that the mechanism is implemented in the TOE but not in the non-TOE environment. If the TOE does not implement a mechanism that ensures that no conflicting rules can be configured, the evaluator shall devise two equal stateful traffic filtering rules with alternate operations permit and drop. The rules should then be deployed in two distinct orders and in each case the evaluator shall ensure that the first rule is enforced in both cases by generating applicable packets and using packet capture and logs for confirmation.

For further information, please see the NIT interpretation at:

https://www.niap-ccevs.org/Documents_and_Guidance/ccevs/NITDecisionRFI201837.pdf


 

Justification

See issue description

 
 
Site Map              Contact Us              Home