Protection of the TOE security functions – Nortel Networks Nortel Network VPN Router and Client Workstation 7.05 User Manual


Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 48 of 67

© 2008 Nortel Networks

functions. The VPN User has no access to administrative functions and may only authenticate to the Nortel VPN
Router through the Nortel VPN Client in order to access the private network.

These roles determine a user’s level of access to security management functions provided by the TOE. These
security management functions include management of all audit and event records, management of access control,
and management of VPN and firewall functions. Each user assumes one role from the available roles.

Administrators manage TOE security functionality and change, query, modify, or delete security attributes via the
management GUI. All requests for services from either the management GUI or the Nortel VPN Client are passed
to the Nortel VPN Router, which mediates access control to those functions. The Nortel VPN Router makes the
access control decision by comparing the user’s role and the privilege requirement for the type of request made.

As described in the Security Functional Policies, management and modification of secure values are restricted to
ensure that only secure values are accepted for security attributes and that the default values used for initialization of
the security attributes are not altered.

TOE Security Functional Requirements Satisfied: FMT_MOF.1(a), FMT_MOF.1(b), FMT_MSA.1(a),
FMT_MSA.1(b), FMT_MSA.1(c), FMT_MSA.2, FMT_MSA.3(a), FMT_MSA.3(b), FMT_MSA.3(c),
FMT_SMF.1, FMT_SMR.1.

6.1.6 Protection of the TOE Security Functions

The TOE’s FIPS 140-2 validated cryptographic module will offer its services only after all power-up self-tests (at
power-up) and all conditional self-tests (when creation of an IPSec tunnel is requested) have passed; if these self-
tests do not pass then the TOE enters an error state and logs the failure. All error states can be cleared by restarting
the module. If the self-tests do pass, then an IPSec tunnel is established, thus activating all of the IPSec security
features. The TOE runs continuous checks on the IPSec tunnel to detect replay attacks. If a replay attack is detected
then the associated packets are immediately dropped.

The TOE performs the following Start-Up and Conditional Self-Tests in order to ensure the secure and proper
operation of the TSF:

6.1.6.1 Power-Up Self-Tests

FIPS 140-2 validated power-up self-tests are executed automatically when the module is started. The Start-Up Self-
Tests performed by the TOE are described below:

Software Integrity Check: Verifies the integrity of the software binaries of the module using an HMAC-SHA-1 keyed hash.
AES Known Answer Test (KAT): Verifies the correct operation of the AES algorithm implementation.
3DES KAT: Verifies the correct operation of the Triple-DES algorithm implementation.
SHA-1 KAT: Verifies the correct operation of the SHA-1 algorithm implementation.
HMAC-SHA-1 KAT: Verifies the correct operation of the HMAC-SHA-1 algorithm implementation.
FIPS 186-2 Random Number Generator (RNG) KAT: Verifies the correct operation of the FIPS 186-2 RNG implementation.
Alternating Bypass Mode Test: Verifies the integrity of the module’s bypass capability (hard-coded in the filter driver).

6.1.6.2 Conditional Self-Tests

FIPS 140-2 validated conditional self-tests are executed automatically when certain criteria or events occur. The
TOE performs three conditional self-tests: a pair-wise consistency test each time an RSA public/private key is
generated, a continuous random number generator test each time the module produces random data, and a software
load test for upgrades. The Conditional Self-Tests performed by the TOE are described below.

FIPS 186-2 Continuous RNG: Verifies that the Approved RNG is not failing to a constant value.
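
The gating described in 6.1.6 (no services until the self-tests pass, error state and log entry on failure, cleared by restart) together with the continuous RNG test, as an added example that is not Nortel's code. The `Module` class, its state names and the RNG source are assumptions; only the SHA-1 KAT, HMAC-SHA-1 KAT, software integrity check and continuous RNG test are covered, using the published FIPS 180 and RFC 2202 vectors.

```python
import hashlib, hmac, os

class SelfTestError(Exception):
    """A self-test failed; the module must enter its error state."""

# Published vectors: SHA-1("abc") from FIPS 180, HMAC-SHA-1 case 1 from RFC 2202.
SHA1_ABC = "a9993e364706816aba3e25717850c26c9cd0d89d"
HMAC_CASE1 = "b617318655057264e28bc0b6fb378c8ef146be00"

def power_up_self_tests(image, key, expected_tag):
    if hashlib.sha1(b"abc").hexdigest() != SHA1_ABC:
        raise SelfTestError("SHA-1 KAT")
    kat = hmac.new(b"\x0b" * 20, b"Hi There", hashlib.sha1).hexdigest()
    if kat != HMAC_CASE1:
        raise SelfTestError("HMAC-SHA-1 KAT")
    # The integrity check runs after the KATs so it relies on a verified HMAC.
    tag = hmac.new(key, image, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected_tag):
        raise SelfTestError("software integrity check")

class Module:
    """Hypothetical wrapper: services are offered only in the operational state."""
    def __init__(self, source=os.urandom, block=20):
        self.source, self.block = source, block
        self.state, self.log = "off", []

    def start(self, image, key, expected_tag):
        # Power-up or restart: every test is rerun, and success clears an error state.
        try:
            power_up_self_tests(image, key, expected_tag)
            # The first RNG block is kept only as a reference and never output.
            self.previous = self.source(self.block)
            self.state = "operational"
        except SelfTestError as exc:
            self._fail(str(exc))
        return self.state

    def _fail(self, reason):
        self.state = "error"
        self.log.append(f"self-test failed: {reason}")
        return SelfTestError(reason)

    def random_block(self):
        if self.state != "operational":
            raise SelfTestError("no services outside the operational state")
        current = self.source(self.block)
        if current == self.previous:  # continuous RNG test: output stuck at a constant
            raise self._fail("continuous RNG test")
        self.previous = current
        return current
```
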
