Professional Documents
Culture Documents
12/29/1998
Contents
1.
PP IDENTIFICATION...........................................................................................................................................2
PP OVERVIEW...................................................................................................................................................2
2.
3.
SECURITY ENVIRONMENT..........................................................................................................................4
3.1 INTRODUCTION..................................................................................................................................................4
3.1.1
Critical Assets.........................................................................................................................................4
3.1.2 Protection Needs..............................................................................................................................5
3.1.3
Threat Agents....................................................................................................................................5
3.2 ASSUMPTIONS...................................................................................................................................................6
3.3 THREATS............................................................................................................................................................7
3.4 ORGANIZATIONAL SECURITY POLICES..............................................................................................................8
4.
SECURITY OBJECTIVES................................................................................................................................9
4.1
4.2
5.
IT SECURITY REQUIREMENTS.................................................................................................................10
5.1 TOE SECURITY FUNCTIONAL REQUIREMENTS...............................................................................................10
5.2 TOE SECURITY ASSURANCE REQUIREMENTS.................................................................................................21
5.2.1
Configuration Management Assurance Requirements.........................................................................22
5.2.2
Delivery and Operation Assurance Requirements...............................................................................22
5.2.3
Development Assurance Requirements.................................................................................................23
5.2.4
Guidance Documents Assurance Requirements...................................................................................24
5.2.5
Tests Assurance Requirements..............................................................................................................26
5.2.6
Vulnerability Assessment Assurance Requirements..............................................................................27
6.
RATIONALE.....................................................................................................................................................29
6.1
6.2
6.3
7.
ACRONYMS.....................................................................................................................................................33
8.
REFERENCES..................................................................................................................................................34
Emir Arslanagic
ENTS UMCP
CW-USA
12/29/1998
PP Identification
Title: Cable and Wireless USA Internet Backbone Protection Profile for Low-Risk
Environments.
Registration: <TBD>.
Keywords: Internet Backbone, Point of Presence (POP), Packet flow control, network security,
protection profile.
1.2
PP Overview
This Protection Profile specifies the Cable and Wireless minimum-security requirements for an
Internet Backbone network. The Protection Profile defines the assumptions about the security
aspects of the environment in which the POP will be located. It also defines the threats, the
implementation-independent security objectives of the POPs network nodes, and the functional
and assurance requirements to meet those objectives. Finally, PP provides a rationale
demonstrating how the requirements meet the security objectives.
Some POPs are also responsible for traffic exchange between different networks, called
Autonomous Systems (AS). In addition to the above connection, each POP has to be connected
to two or more POPs of the same AS in other to form Internet Backbone.
From the security point of view, the POP is the most critical place for the Internet Backbone
service providers. In order to provide services to its customers, the POP has to be highly visible
Emir Arslanagic
ENTS UMCP
CW-USA
12/29/1998
to the rest of the Internet community. In addition to services, it must support both inbound and
outbound management accesses.
Overall, the security function of the POP is to provide controlled and audited access to its
network nodes and services. It has to provide access from both inside and outside its own AS by
allowing or rejecting packet flow. In addition, it has to reject transit traffic coming into the AS as
well as prevent violent attacks to its customers. Figure 2.1 shows a logical representation of POP
network connections.
Internet Backbone Network Architecture Diagram
OSPF
Backbone Link
POP
C
POP
----------Server
Server
Server
Server
BGP
ring
Pee
rnet
Inte
Customer
POP
Customer
POP
Customer
Equipment
Customer Link
Customer Link
Customer Link
Router
Router
Router
UU-net
Mae-East
Mae-West
Sprint
Figure 2.1.
This Protection Profile specifies the minimum-security requirements for TOEs composed of
network nodes in the POPs, regardless of hardware-software implementation, capacity or internal
architecture.
The TOE describes data flows between:
ENTS UMCP
CW-USA
12/29/1998
processed by TOE for each individual originating points (Inside I, Customer C and Peering P). If
the Network Access Security Policy permits human users who are not privileged users may send
and receive information to FTP, e-mail, news or DNS servers in POP, than such users will have
to be identified and authenticated by the TOE before requests are authorized. From the set of
human users, only privileged users may access the TOE through remote means (telnet, rlogin,
etc). If a privileged user accesses the TOE remotely, after successful identification and
authentication (using a one-time authentication mechanism) a trusted channel using some type of
encryption with securely generated and distributed key values must be used. In addition to
remote access, authorized administrators may access the TOE through local means without
encryption, such as through a console in such case successful identification and authentication is
required.
External network nodes sending information through the TOE do not have to be identified and
authenticated, unless those functions are supported by the underlying service (e.g., FTP).
However, external network nodes attempting to send information to the TOE must always be
identified and authenticated. Those external network nodes that are successfully identified and
authenticated (using a one-time authentication mechanism) are authorized external network
nodes.
When recorded, audit trail data is stamped with a dependable date and time. Audit events include
modifications to the group of users associated with the privileged user role and use of the
identification and authentication mechanisms including any attempted of reuse of authentication
data. The TOE according to the Network Access Security Policy rules and the use of all security
functions makes information flow control decisions.
3. SECURITY ENVIRONMENT
3.1
Introduction
Routing Information
Network Bandwidth
Access List
User Accounts
Customer Accounts
Emir Arslanagic
ENTS UMCP
CW-USA
12/29/1998
Processor cycles
3.1.2 Protection Needs
Protection needs for the above mentioned assets are protection against:
Emir Arslanagic
ENTS UMCP
CW-USA
3.2
12/29/1998
Assumptions
Description
A.Personnel.1
It is assumed that one or more privileged users with high level of expertise are
assigned to manage the TOE and the security of the information it contains on
an on-going basis. Also privileged users should be trusted, not to deliberately
abuse their privileges so as to undermine security.
A.Personnel.2
Authorized users of the TOE are assumed to possess the necessary privileges to
access the information managed by the TOE.
A.Personnel.3
A.Personnel.4
A.Physical.1
A.Physical.2
The TOE hardware and software critical to security policy enforcement are
assumed to be physically protected from unauthorized modification by
potentially hostile outsiders.
A.Physical.3
Human users within the physically secure boundary protecting the TOE may
access the TOE from some direct connection.
A.Physical.4
The processing resources of the TOE that depend on hardware security features
will be located within controlled access facilities that mitigate unauthorized,
physical access.
A.Usage.1
A.Usage.2
Emir Arslanagic
ENTS UMCP
CW-USA
3.3
12/29/1998
Threats
A threat (as defined in the CC) is an undesirable event possibly caused by an identified threat
agent. They cause or may cause unauthorized disclosure, modification, or loss of use information
or infrastructure which we trying to protect.
Formal Threats Specifications.
Name
T.Availability.1
Description
An attacker may cause the TOE to temporarily or
permanently become unavailable for the service that it is
intended to provide.
T.Integrity.2
T.Integrity.3
T.Integrity.4
T.Integrity.5
T.Integrity.6
T.Integrity.E.1.
Emir Arslanagic
ENTS UMCP
CW-USA
3.4
12/29/1998
Destination
IP
IP
Cip
Cout
Cip
IP
Iin/ou
t
IP
IP
IP\Cwip
CWip
CWip
IP\CWip
Pin
Pout
Figure 2.1.
Cin Interface to the customer, direction towards the customer
Cout Interface to the customer, direction from the customer
Iin/out Interface to the another POP
Pin Interface to the peering partner, direction towards the peering
partner
Pout Interface to the peering partner, direction from the peering
partner
IP Set of all valid IP addresses
CWip Cable and Wireless IP set; CWip is subset of the IP
Cip Customers IP set; Cip is subset of the CWip.
Description
P.1.
P.2.
P.3.
Emir Arslanagic
ENTS UMCP
CW-USA
12/29/1998
and monitored.
P.3.
P.4
Emir Arslanagic
ENTS UMCP
CW-USA
12/29/1998
4. SECURITY OBJECTIVES
4.1
Description
O.Availability.1
The TOE must provide functionality that enables an authorized user to use
all services provided by the TOE for the authorize user without unpredicted
interruptions of services.
O.Availability.2
O.Confidentiality.1
O.Confidentiality.2
The TOE must protect the confidentiality of its dialogue with an authorized
administrator.
O.Confidentiality.3
The TOE must provide the means of allowing a subject to use resources or
services without the user identity being disclosed to other entities.
O.Integrity.1
The TOE must uniquely identify all users, and must authenticate the
claimed identify before granting a user access to the TOE services.
O.Integrity.2
The TOE must provide user accountability for privileged user use of
security functions.
O.Integrity.3
The TOE must provide user accountability for authorized use of all
services provided.
O.Integrity.4
The TOE must provide a means to record a readable audit trail of securityrelated events, with accurate dates and times, and a means to search and
sort the audit trail based on relevant attributes.
O.Integrity.5
O.Integrity.6
O.Integrity.7
O.DataFlow.1
The TOE must provide the means of allowing and denying data flow based
on organizational security policy.
Emir Arslanagic
10
ENTS UMCP
CW-USA
4.2
12/29/1998
The following are non-IT security objectives that are to be satisfied without imposing technical
requirements on the TOE. They will not require the implementation of functions in the TOE
hardware and/or software. Therefore, they will be satisfied largely through application of
procedural or administrative measures.
Name
Description
O.Personel.1
Those responsible for the TOE must ensure that the TOE is delivered, installed,
administered, and operated in a manner that maintains security.
O.Personel.2
Privileged users are trained to establish and maintain the sound security policies
and practices.
5. IT SECURITY REQUIREMENTS
The IT Security Requirements define the security functional requirements and assurance
requirement that must be satisfied by a Protection Profile compliant TOE. Functional
components from the part 2 of the CC are used for functional requirement and evaluation.
Assurance level components from the part 3 of the CC are used assurance requirements.
5.1
The security functional requirement for the TOE in compliance with this PP are represented in
the following table:
Key Functional Components
Name
Description
FAU_ARP.1
Security alarms
FAU_SAA.1
FAU_GEN.1
FAU_SAR.1
Audit review
FAU_SAR.3
FAU_STG.1
FAU_STG.4
FCS_CKM.1
FCS_CKM.2
Emir Arslanagic
11
ENTS UMCP
CW-USA
FCS_COP.1
Cryptographic operation
FDP_ACC.1
FDP_ACF.1
FDP_IFC.1
FDP_IFF.1
FIA_AFL.1
FIA_ATD.1
FIA_UAU.1
Timing of authentication
FIA_UAU.4
FIA_UID.1
Timing of identification
FMT_MOF.1
FMT_MSA.1
FMT_MSA.2
FMT_MSA.3
FMT_SMR.1
Security roles
FPR_ANO.1
Anonymity
FPT_FLS.1
FPT_SEP.1
FPT_STM.1
FRU_FLT.2
FTA_TAB.1
12/29/1998
Emir Arslanagic
12
ENTS UMCP
CW-USA
12/29/1998
Level
Auditable Event
FAU_ARP.1
Minimal
FAU_SAA.1
Minimal
FAU_SAR.1
Basic
FAU_STG.4
Basic
FCS_CKM.1
Minimal
FCS_CKM.2
Minimal
FCS_CKM.4
Minimal
FCS_COP.1
Minimal
FDP_IFF.1
Minimal
FDP_IFF.1
Basic
FIA_AFL.1
Minimal
Emir Arslanagic
13
ENTS UMCP
CW-USA
12/29/1998
Minimal
FIA_UAU.1
Basic
FIA_UAU.4
Minimal
FIA_UID.1
Minimal
FIA_UID.1
Basic
FMT_MOF.1
Basic
FMT_MSA.1
Basic
FMT_MSA.2
Minimal
FMT_MSA.3
Basic
FMT_SMR.1
Minimal
FPR_ANO.1
Minimal
FPT_FLS.1
Basic
FPT_STM.1
Minimal
FRU_FLT.2
Minimal
14
ENTS UMCP
CW-USA
12/29/1998
Emir Arslanagic
15
ENTS UMCP
CW-USA
12/29/1998
Emir Arslanagic
16
ENTS UMCP
CW-USA
12/29/1998
a) [subject: identified external IT entities that send and receive packets through
the TOE
b) information: IP originating and terminating IP address and service
c) operations: pass packet or block packet]
FDP_IFF.1 Simple security attributes
Simple security attributes requires security attributes on information, and on
subjects that cause that information to flow and on subjects that act as recipients
of that information. It specifies the rules that must be enforced by the function,
and describes how security attributes are derived by the function.
FDP_IFF.1.1 The TSF shall enforce the [Identified SFP] based on the following
types of subject and information security attributes:
a) [subject security attributes:
presumed IP address;
source subject;
destination subject;
service;
17
ENTS UMCP
CW-USA
12/29/1998
Emir Arslanagic
18
ENTS UMCP
CW-USA
12/29/1998
Emir Arslanagic
19
ENTS UMCP
CW-USA
12/29/1998
Emir Arslanagic
20
ENTS UMCP
CW-USA
12/29/1998
FPR_ANO.1.1 The TSF shall ensure that [authorized user] are unable to
determine the real user name bound to [privileged use and other authorized
users].
FPT_FLS.1 Failure with preservation of secure state
Failure with preservation of secure state, which requires that the TSF preserve a
secure state in the face of the identified failures.
FPT_FLS.1.1 The TSF shall preserve a secure state when the following types of
failures occur: [assignment: list of types of failures in the TSF].
FPT_SEP.1 TSF domain separation
TSF domain separation, provides a distinct protected domain for the TSF and
provides separation between subjects within the TSC.
FPT_SEP.1.1 The TSF shall maintain a security domain for its own execution
that protects it from interference and tampering by untrusted subjects.
FPT_SEP.1.2 The TSF shall enforce separation between the security domains of
subjects in the TSC.
FPT_STM.1 Reliable time stamps
Reliable time stamps, which requires that the TSF provide reliable time stamps for
TSF functions.
FPT_STM.1.1 The TSF shall be able to provide reliable time stamps for its own
use.
FRU_FLT.2 Limited fault tolerance
Limited fault tolerance requires the TOE to continue correct operation of all
capabilities in the event of identified failures.
FRU_FLT.2.1 The TSF shall ensure the operation of all the TOEs capabilities
when [assignment: list of type of failures] occur.
FTA_TAB.1 Default TOE access banners
Default TOE access banners provides the requirement for a TOE Access Banner.
This banner is displayed prior to the establishment dialogue for a session.
FTA_TAB.1.1 Before establishing a user session, the TSF shall display an
advisory warning message regarding unauthorized use of the TOE.
Emir Arslanagic
21
ENTS UMCP
CW-USA
5.2
12/29/1998
The assurance security requirements for TOE to satisfy this Protection Profile, are derived from
Part 3 of the CC. Those assurance security requirements compose EAL2 and could be broken
into 6 categories
1)Configuration management
ACM_CAP.2 Configuration items
2) Delivery and operation
ADO_DEL.1 Delivery procedures
ADO_IGS.1 Installation, generation, and start-up procedures
3) Development
ADV_FSP.1 Informal functional specification
ADV_HLD.1 Descriptive high-level design
ADV_RCR.1 Informal correspondence demonstration
4) Guidance documents
AGD_ADM.1 Administrator guidance
AGD_USR.1 User guidance
5) Tests
ATE_COV.1 Evidence of coverage
ATE_FUN.1 Functional testing
ATE_IND.2 Independent testing - sample
6) Vulnerability assessment
AVA_SOF.1 Strength of TOE security function evaluation
AVA_VLA.1 Developer vulnerability analysis
Emir Arslanagic
22
ENTS UMCP
CW-USA
12/29/1998
Emir Arslanagic
23
ENTS UMCP
CW-USA
12/29/1998
ADO_DEL.1.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.
ADO_IGS.1 Installation, generation, and start-up procedures
Developer action elements:
ADO_IGS.1.1D The developer shall document procedures necessary for the secure
installation, generation, and start-up of the TOE.
Content and presentation of evidence elements:
ADO_IGS.1.1C The documentation shall describe the steps necessary for secure
installation, generation, and start-up of the TOE.
Evaluator action elements:
ADO_IGS.1.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.
ADO_IGS.1.2E The evaluator shall determine that the installation, generation, and startup procedures result in a secure configuration.
5.2.3 Development Assurance Requirements
ADV_FSP.1 Informal functional specification
Developer action elements:
ADV_FSP.1.1D The developer shall provide a functional specification.
Content and presentation of evidence elements:
ADV_FSP.1.1C The functional specification shall describe the TSF and its external
interfaces using an informal style.
ADV_FSP.1.2C The functional specification shall be internally consistent.
ADV_FSP.1.3C The functional specification shall describe the purpose and method of
use of all external TSF interfaces, providing details of effects, exceptions and error
messages, as appropriate.
ADV_FSP.1.4C The functional specification shall completely represent the TSF.
Evaluator action elements:
ADV_FSP.1.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.
ADV_FSP.1.2E The evaluator shall determine that the functional specification is an
accurate and complete instantiation of the TOE security functional requirements.
Emir Arslanagic
24
ENTS UMCP
CW-USA
12/29/1998
Emir Arslanagic
25
ENTS UMCP
CW-USA
12/29/1998
ADV_RCR.1.1E The evaluator shall confirm that the information provided meets all
requirements for content and presentation of evidence.
5.2.4 Guidance Documents Assurance Requirements
AGD_ADM.1 Administrator guidance
Developer action elements:
AGD_ADM.1.1D The developer shall provide administrator guidance
addressed to system administrative personnel.
Content and presentation of evidence elements:
AGD_ADM.1.1C The administrator guidance shall describe the
administrative functions and interfaces available to the administrator
of the TOE.
AGD_ADM.1.2C The administrator guidance shall describe how to
administer the TOE in a secure manner.
AGD_ADM.1.3C The administrator guidance shall contain warnings
about functions and privileges that should be controlled in a secure
processing environment.
AGD_ADM.1.4C The administrator guidance shall describe all
assumptions regarding user behavior that are relevant to secure
operation of the TOE.
AGD_ADM.1.5C The administrator guidance shall describe all security parameters
under the control of the administrator, indicating secure values as appropriate.
AGD_ADM.1.6C The administrator guidance shall describe each type
of security-relevant event relative to the administrative functions that
need to be performed, including changing the security characteristics
of entities under the control of the TSF.
AGD_ADM.1.7C The administrator guidance shall be consistent with
all other documents supplied for evaluation.
AGD_ADM.1.8C The administrator guidance shall describe all security
requirements on the IT environment that are relevant to the
administrator.
Evaluator action elements:
AGD_ADM.1.1E The evaluator shall confirm that the information
provided meets all requirements for content and presentation of
evidence.
AGD_USR.1 User guidance
Developer action elements:
Emir Arslanagic
26
ENTS UMCP
CW-USA
12/29/1998
27
ENTS UMCP
CW-USA
12/29/1998
ATE_FUN.1.1D The developer shall test the TSF and document the
results.
ATE_FUN.1.2D The developer shall provide test documentation.
Content and presentation of evidence elements:
ATE_FUN.1.1C The test documentation shall consist of test plans, test
procedure descriptions, expected test results and actual test results.
ATE_FUN.1.2C The test plans shall identify the security functions to be
tested and describe the goal of the tests to be performed.
ATE_FUN.1.3C The test procedure descriptions shall identify the tests
to be performed and describe the scenarios for testing each security
function. These scenarios shall include any ordering dependencies on
the results of other tests.
ATE_FUN.1.4C The expected test results shall show the anticipated
outputs from a successful execution of the tests.
ATE_FUN.1.5C The test results from the developer execution of the
tests shall demonstrate that each tested security function behaved as
specified.
Evaluator action elements:
ATE_FUN.1.1E The evaluator shall confirm that the information
provided meets all requirements for content and presentation of
evidence.
ATE_IND.2 Independent testing - sample
Developer action elements:
ATE_IND.2.1D The developer shall provide the TOE for testing.
Content and presentation of evidence elements:
ATE_IND.2.1C The TOE shall be suitable for testing.
ATE_IND.2.2C The developer shall provide an equivalent set of
resources to those that were used in the developers functional testing
of the TSF.
Evaluator action elements:
ATE_IND.2.1E The evaluator shall confirm that the information
provided meets all requirements for content and presentation of
evidence.
ATE_IND.2.2E The evaluator shall test a subset of the TSF as appropriate to confirm
that the TOE operates as specified.
Emir Arslanagic
28
ENTS UMCP
CW-USA
12/29/1998
ATE_IND.2.3E The evaluator shall execute a sample of tests in the test documentation to
verify the developer test results.
5.2.6 Vulnerability Assessment Assurance Requirements
AVA_SOF.1 Strength of TOE security function evaluation
Developer action elements:
AVA_SOF.1.1D The developer shall perform a strength of TOE security
function analysis for each mechanism identified in the ST as having a
strength of TOE security function claim.
Content and presentation of evidence elements:
AVA_SOF.1.1C For each mechanism with a strength of TOE security
function claim the strength of TOE security function analysis shall show
that it meets or exceeds the minimum strength level defined in the
PP/ST.
AVA_SOF.1.2C For each mechanism with a specific strength of TOE
security function claim the strength of TOE security function analysis
shall show that it meets or exceeds the specific strength of function
metric defined in the PP/ST.
Evaluator action elements:
AVA_SOF.1.1E The evaluator shall confirm that the information
provided meets all requirements for content and presentation of
evidence.
AVA_SOF.1.2E The evaluator shall confirm that the strength claims are correct.
AVA_VLA.1 Developer vulnerability analysis
Developer action elements:
AVA_VLA.1.1D The developer shall perform and document an analysis
of the TOE deliverables searching for obvious ways in which a user can
violate the TSP.
AVA_VLA.1.2D The developer shall document the disposition of
obvious vulnerabilities.
Content and presentation of evidence elements:
AVA_VLA.1.1C The documentation shall show, for all identified
vulnerabilities, based on CERT, that the vulnerability cannot be
exploited in the intended environment for the TOE.
Evaluator action elements:
Emir Arslanagic
29
ENTS UMCP
CW-USA
12/29/1998
Emir Arslanagic
30
ENTS UMCP
CW-USA
12/29/1998
6. RATIONALE
The PP Rationale provides a demonstration that the PP specifies a complete, coherent and
internally consistent set of security objectives and security requirements that are appropriate to
address the identified security problem.
6.1
O.Availability.1
FTA_TAB.1
FRU_FLT.2
O.Availability.2
FMT_SMR.1
FAU_STG.1
FAU_STG.4
FMT_MOF.1
O.Confidentiality.1
FAU_ARP.1
FIA_ATD.1
FIA_UAU.1
FIA_UAU.4
O.Confidentiality.2
FCS_COP.1
O.Confidentiality.3
FPR_ANO.1
O.Integrity.1
FIA_ATD.1
FIA_ATD.2
FIA_UAU.1
O.Integrity.1
FIA_ATD.1
FIA_ATD.2
FIA_UAU.1
Emir Arslanagic
O.Integrity.2
FAU_GEN.1
O.Integrity.3
FAU_GEN.1
31
ENTS UMCP
CW-USA
O.Integrity.4
12/29/1998
FPT_STM.1
FAU_GEN.1
FAU_SAR.1
FAU_SAR.3
O.Integrity.5
FIA_AFL.1
FPT_SEP.1
FAU_ARP.1
FAU_STG.1
FAU_STG.4
O.Integrity.6
FAU_GEN.1
FAU_SAR.1
6.2
O.Integrity.7
FMT_MAS.3
O.DataFlow.1
FDP_IFC.1
Functional Dependencies
Functional dependencies provide meaningful way to verify all functional dependencies in the PP.
Functional
Name
FAU_ARP.1
To Satisfy
O.Confidentiality.1
Dependence
FAU_SAA.1
O.Integrity.5
FAU_SAA.1
FAU_ARP.1
ADV_SPM.1
FMT_MSA.2
FAU_GEN.1
FPT_FLS.1
FAU_GEN.1
O.Integrity.2
FPT_STM.1
O.Integrity.3
O.Integrity.4
O.Integrity.6
Emir Arslanagic
32
ENTS UMCP
CW-USA
FAU_SAR.1
O.Integrity.4
12/29/1998
FAU_GEN.1
O.Integrity.6
FAU_SAR.3
O.Integrity.4
FAU_SAR.1
FAU_STG.1
O.Availability.2
FAU_GEN.1
O.Integrity.5
FAU_STG.4
O.Availability.2
FAU_STG.1
O.Integrity.5
FCS_CKM.1
FCS_CKM.2
FCS_COP.1
FCS_CKM.2
FCS_CKM.4
FCS_CKM.4
FCS_CKM.2
FMT_MSA.2
FCS_CKM.1
FCS_CKM.1
FCS_CKM.4
FMT_MSA.2
FCS_CKM.4
FCS_COP.1
FCS_CKM.1
FCS_CKM.1
FMT_MSA.2
FCS_CKM.2
FCS_COP.1
O.Confidentiality.2
FCS_CKM.1
FCS_CKM.4
FMT_MSA.2
FDP_ACC.1
FMT_MSA.1
FDP_ACF.1
FDP_ACF.1
FDP_ACF.1
FDP_ACC.1
FDP_ACC.1
FMT_MSA.3
FDP_IFC.1
O.DataFlow.1
FDP_IFF.1
FDP_IFF.1
FDP_IFC.1
FDP_IFC.1
FMT_MSA.3
FIA_AFL.1
Emir Arslanagic
O.Integrity.5
33
FIA_UAU.1
ENTS UMCP
CW-USA
FIA_ATD.1
12/29/1998
O.Confidentiality.1
O.Integrity.1
FIA_UAU.1
O.Confidentiality.1
FIA_UID.1
O.Integrity.1
FIA_UAU.4
O.Confidentiality.1
FIA_UID.1
FIA_UAU.1
FMT_MOF.1
O.Availability.2
FMT_SMR.1
FMT_MSA.1
FMT_MSA.3
FDP_ACC.1
FMT_MSA.2
FMT_SMR.1
FCS_COP.1
ADV_SPM.1
FCS_CKM.1
FDP_IFC.1
FCS_CKM.4
FMT_MSA.1
FCS_CKM.2
FMT_SMR.1
O.Integrity.7
FMT_MSA.1
FMT_MSA.2
FMT_MSA.3
FMT_SMR.1
6.3
FMT_SMR.1
O.Availability.2
FPR_ANO.1
O.Confidentiality.3
FPT_FLS.1
FRU_FLT.2
FPT_SEP.1
O.Integrity.5
FPT_STM.1
O.Integrity.4
FRU_FLT.2
O.Availability.1
FTA_TAB.1
O.Availability.1
FIA_UID.1
ADV_SPM.1
FPT_FLS.1
Security access control in this TOE is based on information flow control therefore components
that required security attribute based access control FDP_ACC.1, FDP_ACF.1 does not have to
be satisfied.
Emir Arslanagic
34
ENTS UMCP
CW-USA
12/29/1998
7. Acronyms
The following abbreviations from the Common Criteria are used in this
Protection Profile:
CC
Common Criteria
Evaluation
EAL
FTP
HTTP
IT
Information Technology
PP
Protection Profile
SFP
ST
Security Target
TOE
Target of Evaluation
TSC
TSF
TSP
POP
Point Of Presence
AS
Autonomous System
Emir Arslanagic
for
35
Information
Technology
Security
ENTS UMCP
CW-USA
12/29/1998
8. References
Building Internet Firewalls, Chapman & Zwicky, OReilly & Associates, Inc., November
1995.
Emir Arslanagic
36
ENTS UMCP