TD0558: Detection of excessive WPS negotiations
Publication Date
2021.06.02
Protection Profiles
MOD_WIDS_V1.0
Other References
FAU_SAA.1
Issue Description
"Wi-Fi Protected Setup" (WPS) authentication is not a feature of enterprise-class wireless access points, and several evaluation activities do not delineate between an alert and an audit event.
Resolution
In the PP-Module, the FAU_SAA.1.2 SFR is modified to:
Remove "ae. Detection of excessive WPS negotiations."
Replace "af. [assignment: any other rules]." with "ae. [assignment: any other rules]."
The FAU_SAA.1.2 Application Note is also replaced as follows:
Application Note: These rules are used to detect a potential security violation. A malicious actor who has gained unauthorized access to the TSF possesses the ability to alter its configuration and overall security posture. The TSF should generate an alert or auditable event for the rules defined in FAU_SAA.1. Maintenance of the rules by adding, modifying or deleting rules from the set of rules is handled by FMT_SMF.1/WIDS. There is no expectation that the TOE classify or categorize audit records related to TSF configuration changes as malicious activity. If a potential security violation is detected, the alert generated for the Administrator is handled by FAU_ARP.1.
In the SD, for FAU_SAA.1, the following changes are made:
The guidance activity is replaced as follows: If the ability of the TSF to detect the different potential security violations is configurable, the evaluator shall verify that the operational guidance provides instructions on how to configure the TOE. The TSF should generate an alert or audit event for all potential violations contained within the rules set forth in FAU_SAA.1.
Test 30 is deleted in its entirety.
Justification
The WPS authentication capability has been replaced on current enterprise-level WIDS solutions.