The logical boundaries of the Apriva MESA VPN 3.0 are realized in the security functions that it implements. Each of these security functions is summarized below.

Security audit:

The TOE is able to generate logs for a wide range of security relevant events.  The TOE always stores the logs locally so they can be accessed by an administrator and can be configured to send the logs to a designated log server using TLS to protect the logs while in transit on the network.

Cryptographic support:

The TOE contains a CAVP-tested cryptographic module that provides key management, random bit generation, encryption/decryption, digital signature and secure hashing and key-hashing features in support of higher-level cryptographic protocols including IPsec, TLS, and SSH.

Identification and authentication:

The TOE requires users to be identified and authenticated before they can use functions mediated by the TOE, with the exception of specific ICMP response.  It provides the ability to perform password and public key authentication for administrative users.

Security management:

The TOE implements a limited command line interface (CLI) to allow authorized administrators to configure the TOE. This interface restricts the administrator to executing commands required to configure and administer the TOE. All administrative activity and functions including security management commands are limited to authorized users (i.e., administrators) only after they have provided acceptable user identification and authentication data to the TOE.

Packet filtering:

The TOE provides extensive packet filtering capabilities for IPv4, IPv6, TCP, and UDP.  The authorized administrator can define packet filtering rules that apply to most every field within the identified packet types.  The authorized administrator can define each rule to permit, deny, and log each decision.

Protection of the TSF:

The TOE implements a number of features to protect itself to ensure the reliability and integrity of its security features.

It protects particularly sensitive data such as stored passwords and cryptographic keys so that they are not accessible even by an administrator. It also provides its own timing mechanism to ensure that reliable time information is available (e.g., for log accountability).

The TOE includes functions to perform self-tests so that it might detect when it is failing. It also includes mechanisms (i.e., verification of the digital signature of each new image) so that the TOE itself can be updated while ensuring that the updates will not introduce malicious or other unexpected changes in the TOE.

TOE access:

The TOE can be configured to display a login banner when an administrator establishes an interactive session and subsequently will enforce an administrator-defined inactivity timeout value after which the inactive session (local or remote) will be terminated.  The TOE can also restrict VPN clients based on location and time and can assign a private VPN address to a client.

Trusted path/channels:

The TOE protects interactive communication with administrators using SSH for CLI access to ensure both integrity and disclosure protection.  If the negotiation of an encrypted session fails or if the user does not have authorization for remote administration, an attempted connection will not be established.

The TOE protects communication with the audit log server using TLS connections to prevent unintended disclosure or modification of logs.  The TOE can establish IPsec connections with clients and peers.