User data protection – Nortel Networks Nortel Network VPN Router and Client Workstation 7.05 User Manual


Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 46 of 67

© 2008 Nortel Networks

for reuse. This ensures that the keys are completely destroyed before any other process might have access to that
memory location.

TOE Security Functional Requirements Satisfied: FCS_CKM.1(a), FCS_CKM.1(b), FCS_CKM.4,
FCS_COP.1(a), FCS_COP.1(b), FCS_COP.1(d), FCS_COP.1(e)

6.1.3 User Data Protection

The TOE enforces access controls on each administrator and user of the TOE based on the privileges held by that
user.

Access Control SFP: The TOE enforces the Access Control SFP on administrators by assigning privileges to
administrators. The TOE configuration parameters can only be modified by those administrative users granted
permission to do so by the Primary Admin. Administrators (specifically Restricted Admins) have a restricted level
of access based on the permissions granted to them by the Primary Admin. Details of these privilege levels can be
found in Section 2.3.2.5. All administrators must be authenticated before access is granted. The Primary Admin has
access to all administrative functions after successfully being identified and authenticated to the TOE.

VPN Information Flow Control SFP: The TOE enforces the VPN Information Flow Control SFP by allowing
connections only from VPN Clients who authenticate to the remote Nortel VPN Router (via the Nortel VPN Client)
with either a username/password combination or via a digital certificate. The VPN Information Flow Control SFP is
also enforced based on user identity and authentication credentials. The VPN Information Flow Control SFP
enforces session tunnel filtering based on a packet's protocol ID, direction, source and destination IP addresses,
source and destination ports, and service.

The TSF enforces the VPN Information Flow Control SFP on user data in order to protect sent or received data from
modification, deletion, insertion, or replay. Thus, the TSF can determine if the data has been modified, deleted,
inserted, or replayed via the VPN Information Flow Control SFP.

The connection attributes configured in the Nortel VPN Router enable the remote user to create a tunnel into the
Nortel VPN Router. The actual connection to the Nortel VPN Router is a tunnel that is started from the remote
user’s PC, through the public network, and ends at the Nortel VPN Router on the private network. The Nortel VPN
Router associates all remote users with a group which dictates the attributes (and privileges) that are assigned to a
remote user session.

The VPN Information Flow Control SFP enforces the IPSec protocol for establishing a VPN. The VPN session that
is established by remote users creates a trusted communications path between the remote user and the TOE. This
communications path is logically distinct from other paths due to the cryptography that is used to encrypt the trusted
session.

The TOE supports “split-tunneling,” which assigns an established IPSec tunnel a unique IP address that is
different from (and is held simultaneously with) the IP address assigned to the host machine which established the
tunnel. During split-tunneling, any packet sent from the host machine to the public network must have as its source
address the IP address assigned to the tunnel. Any packet sent to the public network with the host’s IP address (or
any other address) as the source address is dropped. For example, a user’s host might have an IP address of
192.168.21.3. This user might then establish an IPSec connection with a host on the public network. This IPSec
tunnel might be assigned a tunnel IP address of 192.192.192.192. In this case, any packets that attempt to pass
outward through the tunnel with a source IP address of 192.168.21.3 (or any address other than 192.192.192.192)
are dropped.

Firewall Information Flow Control SFP: The TOE enforces the Firewall Information Flow Control SFP by
allowing connections only from hosts on either side of a Nortel VPN Router. The Firewall Information Flow
Control SFP is also enforced on packets based on their source and destination interface, source and destination IP
addresses, source and destination ports, direction, and service.

The TOE’s Firewall examines both incoming and outgoing packets and compares them to a security policy. If the
packet sequence numbers indicate a repeated packet, the TOE drops the packets as an identified replay attack.
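
The sequence-number replay check described above can be modelled as a sliding window. The following is an added example, not code from the Security Target or from Nortel: it assumes an IPsec-style anti-replay window as in RFC 4303 with a 64-packet width, and the names `ReplayWindow`, `classify` and `SAMPLE_TRACE` are hypothetical.

```python
# Added illustration: sliding-window replay check in the style of IPsec
# anti-replay (RFC 4303). The window width and all names are assumptions;
# the Security Target does not describe the TOE's internal algorithm.

WINDOW_SIZE = 64  # assumed window width, in packets


class ReplayWindow:
    """Tracks which sequence numbers have been accepted on one tunnel."""

    def __init__(self, size=WINDOW_SIZE):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => (highest - i) was already seen

    def check_and_update(self, seq):
        """Return 'accept', 'replay' or 'too_old' for an authenticated packet."""
        if seq <= 0:
            return "too_old"              # sequence numbers start at 1
        if seq > self.highest:
            shift = seq - self.highest
            # Slide the window forward; bits that fall off are forgotten.
            self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"              # left of the window: unverifiable, drop
        if self.bitmap & (1 << offset):
            return "replay"               # seen before: drop as a replay
        self.bitmap |= 1 << offset        # late but new: record and accept
        return "accept"


def classify(seqs, size=WINDOW_SIZE):
    """Run a sequence-number trace through a fresh window."""
    window = ReplayWindow(size)
    return [(s, window.check_and_update(s)) for s in seqs]


# Constructed trace: in-order packets, one reordered packet (3), two repeats
# (5 and 3), a jump ahead to 100, then packets at and just inside the window edge.
SAMPLE_TRACE = [1, 2, 4, 5, 3, 5, 3, 100, 36, 37]

if __name__ == "__main__":
    for seq, verdict in classify(SAMPLE_TRACE):
        print(f"seq={seq:<4} {verdict}")
```

The window state is updated only for packets that have already passed integrity verification; updating it earlier would let forged sequence numbers push legitimate packets out of the window.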
