Nortel Networks Nortel Network VPN Router and Client Workstation 7.05 User Manual


Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 13 of 67

© 2008 Nortel Networks

Nortel VPN Router: Each of the logical components contained within the physical Nortel VPN Router is
included within the TOE boundary. These components are:

o Nortel VPN Switch Software
o VxWorks OS
o Contivity Hardware Appliance

Nortel VPN Client Workstation: The Nortel VPN Client software is part of the TOE, but the underlying
OS and hardware are excluded from the TOE boundary.

The TOE’s logical boundary includes all of the TOE Security Functions (TSFs). The Security Functional
Requirements (SFRs) implemented by the TOE are usefully grouped under the following Security Function Classes:

FAU - Security Audit
FCS - Cryptographic Support
FDP - User Data Protection
FIA - Identification and Authentication
FMT - Security Management
FPT - Protection of the TOE Security Functions
FTP - Trusted Path/Channels

These functions are discussed in greater detail below.

2.3.2.1 Security Audit

The Security Audit function provides the generation and viewing of audit records. The TOE generates five
categories of audit data:

o Accounting Log: contains information about user activities.
o Security Log: contains information about security-relevant activities.
o Configuration Log: contains information about configuration-relevant activities.
o System Log: contains information about system-relevant activities.
o Event Log: contains the last 2000 log entries of all activities.

Audit data is generated by the TOE and stored locally as flat files on internal storage. The TOE controls access to
the audit data, and direct access to these flat files by the TOE administrator is not possible. The TOE supports
automatic backup and archiving of the logs.

TOE users assigned to the appropriate user roles may read audit records but do not have write access. The audit data
is presented to TOE users in a manner suitable for human readability.

2.3.2.2 Cryptographic Support

The TOE implements and utilizes cryptographic algorithms and various other security algorithms in order to protect
information being transferred between physically separated parts of the TOE. These algorithms include Advanced
Encryption Standard (AES), Triple Data Encryption Standard (3DES), RSA (Rivest, Shamir, and Adleman), and
Diffie-Hellman; Secure Hash Algorithm (SHA-1) and Keyed-Hash Message Authentication Code (HMAC)-SHA-1
for hashing; and FIPS 140-2 key zeroization for key destruction.
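The Security Target lists HMAC-SHA-1 for integrity of traffic between separated TOE parts and FIPS 140-2 key zeroization for key destruction. The block below is an added illustration of those two mechanisms using only the Python standard library; it is not code from the Nortel product or from the Security Target. The sample message, the `make_tag`/`verify_tag`/`zeroize` helper names and the `demo()` scenario are assumptions made for the example; the RFC 2202 test vector is a published one.

```python
"""Added example (not from the Nortel Security Target or product): HMAC-SHA-1
message integrity with constant-time verification, plus best-effort key
zeroization of a mutable key buffer."""
import hashlib
import hmac
import os


def make_tag(key: bytes, message: bytes) -> bytes:
    """Return the 20-byte HMAC-SHA-1 tag of `message` under `key`."""
    return hmac.new(key, message, hashlib.sha1).digest()


def verify_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    """Recompute the tag and compare in constant time, so the comparison does
    not leak how many leading bytes of a forged tag happened to match."""
    expected = make_tag(key, message)
    return hmac.compare_digest(expected, tag)


def zeroize(key: bytearray) -> None:
    """Overwrite key material in place, in the spirit of FIPS 140-2 zeroization.
    Only a mutable buffer (bytearray) can be overwritten; an immutable `bytes`
    object cannot, and CPython gives no guarantee that no other copy of the
    value survives in memory. A managed language can only approximate this."""
    for i in range(len(key)):
        key[i] = 0


def rfc2202_case1_tag_hex() -> str:
    """Known-answer check from RFC 2202 test case 1 (key = 0x0b * 20, data = "Hi There")."""
    return make_tag(b"\x0b" * 20, b"Hi There").hex()


def demo() -> dict:
    """Tag a constructed control message, verify it, detect a modified copy,
    then destroy the key. Returns the three outcomes for inspection."""
    key = bytearray(os.urandom(20))                 # session key, mutable so it can be zeroized
    message = b"config: set-clock 2008-03-18T00:00Z"  # constructed sample message
    tag = make_tag(bytes(key), message)

    authentic = verify_tag(bytes(key), message, tag)
    altered = message.replace(b"2008", b"2009")      # one changed byte sequence in transit
    tampered_detected = not verify_tag(bytes(key), altered, tag)

    zeroize(key)                                     # key no longer needed: destroy it
    return {
        "authentic": authentic,
        "tampered_detected": tampered_detected,
        "key_zeroized": not any(key),
    }


if __name__ == "__main__":
    print(rfc2202_case1_tag_hex())
    print(demo())
```

`hmac.compare_digest` is the important detail: a plain `==` on tags returns as soon as the first byte differs, which is the kind of timing side channel a remote verifier should not expose. The zeroization helper is honest about its limits; on a real appliance this is done in the cryptographic module, where the key's storage is known and under control.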

2.3.2.3 User Data Protection

The TOE enforces the Access Control Security Functional Policy (SFP) on TOE subjects, objects, and operations.
The architecture of the TOE ensures that all operations between objects and subjects are regulated by the TOE based
upon the privilege criteria defined in the Access Control SFP.

The TOE enforces the VPN Information Flow Control (IFC) SFP and the Firewall IFC SFP through the use of
IPSec. The IPSec protocol ensures confidentiality of communications between remote Nortel VPN Clients and
