NIAP: View Technical Decision Details
TD0242:  FPF_RUL_EXT.1.7, Test 3 - Logging Dropped Packets

Publication Date
2017.11.08

Protection Profiles
EP_VPN_GW_V2.1

Other References
FPF_RUL_EXT.1.7

Issue Description

Test 3 for IPv4 is inconsistent with Test 6 for IPv6.

Resolution

FPF_RUL_EXT.1.7, Test 3 is modified to add "and logged."

Test 3: The evaluator shall configure the TOE to permit and log each defined IPv4 Transport Layer Protocol (see table 5-2) in conjunction with a specific source address and specific destination address, specific source address and wildcard destination address, wildcard source address and specific destination address, and wildcard source address and wildcard destination address. Additionally, the evaluator shall configure the TOE to deny and log each defined IPv4 Transport Layer Protocol (See table 5-2) in conjunction with different (than those permitted above) combinations of a specific source address and specific destination address, specific source address and wildcard destination address, wildcard source address and specific destination address, and wildcard source address and wildcard destination address. The evaluator shall generate packets matching each defined IPv4 Transport Layer Protocol and outside the scope of all source and destination addresses configured above in order to ensure that they are denied (i.e., by capturing no applicable packets passing through the TOE) and logged.
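
An added example, not part of the NIAP text or of any evaluated product: a Python sketch of the evaluator's pass/fail check for the out-of-scope packets, showing that a TOE which drops silently passes under the old wording and fails under the revised one. The rule set, addresses, protocol numbers (6 and 17, not the contents of table 5-2) and the shape of the parsed log records are constructed assumptions.

```python
import ipaddress
from collections import namedtuple

Rule = namedtuple("Rule", "action proto src dst")   # src/dst are CIDR strings
Packet = namedtuple("Packet", "proto src dst")      # also used for parsed log records

WILDCARD = "0.0.0.0/0"

def matches(rule, pkt):
    """True if the packet falls inside the rule's protocol and address scope."""
    return (rule.proto == pkt.proto
            and ipaddress.ip_address(pkt.src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(pkt.dst) in ipaddress.ip_network(rule.dst))

def out_of_scope(pkt, rules):
    """True if no configured permit or deny rule covers the packet."""
    return not any(matches(r, pkt) for r in rules)

def evaluate(probes, rules, egress_capture, drop_log, require_log=True):
    """Return (packet, reason) failures for the out-of-scope probe packets."""
    failures = []
    for pkt in probes:
        if not out_of_scope(pkt, rules):
            failures.append((pkt, "probe matches a configured rule"))
        elif pkt in egress_capture:
            failures.append((pkt, "passed through the TOE"))
        elif require_log and pkt not in drop_log:
            failures.append((pkt, "dropped but not logged"))
    return failures

# Constructed sample: a subset of the address combinations, documentation ranges.
RULES = [
    Rule("permit", 6, "192.0.2.10/32", "198.51.100.20/32"),
    Rule("permit", 17, "192.0.2.10/32", WILDCARD),
    Rule("deny", 6, "192.0.2.30/32", "198.51.100.40/32"),
    Rule("deny", 17, WILDCARD, "198.51.100.40/32"),
]
PROBES = [Packet(6, "203.0.113.5", "203.0.113.6"),
          Packet(17, "203.0.113.5", "203.0.113.6")]
EGRESS_CAPTURE = []                                    # nothing seen past the TOE
DROP_LOG = [Packet(6, "203.0.113.5", "203.0.113.6")]   # the UDP drop left no record

if __name__ == "__main__":
    print("old wording:", evaluate(PROBES, RULES, EGRESS_CAPTURE, DROP_LOG, require_log=False))
    print("revised wording:", evaluate(PROBES, RULES, EGRESS_CAPTURE, DROP_LOG))
```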

 

Justification

Logging dropped packets is beneficial for any network device that enforces access control lists (ACLs). Logs of dropped packets can reveal whether the “bad guys” are attacking a device by showing what is being dropped or why. These logs also allow administrators to quickly identify whether the configured permit/deny access control lists are being implemented correctly. Therefore, Test 3 (IPv4) should be made consistent with Test 6 (IPv6) by adding “and logged” at the end of the sentence.

 
 