
[2600] External environment is an asset?



During the last meeting, we had a discussion on “External environment is an asset?”

The main point of our discussion was input/output filtering (to be required/or not from MFDs). I had an assignment to supply PP examples on why and how input/output filtering is required. Given the subject (network traffic filtering) I have looked for examples in firewall PPs.

 

 

US PPs before the Consistency Instruction Manual

--------------------------------------------------------------

“U.S. Government Traffic-Filter Firewall Protection Profile for Low-Risk Environments”

            http://www.commoncriteriaportal.org/public/files/ppfiles/PP_TFFWPP-LR_V1.1.pdf

            T.MEDIAT An unauthorized person may send impermissible information through the TOE which results in the exploitation of resources on the internal network.

 

US PPs after the CIM

--------------------------

“U.S. Government Virtual Private Network (VPN) Boundary Gateway Protection Profile For Medium Robustness Environments”

http://www.commoncriteriaportal.org/public/files/ppfiles/PP_VPN-MR_V1.0-PP.pdf

    O.MEDIATE The TOE must mediate the flow of information between sets of TOE network interfaces or between a network interface and the TOE itself in accordance with its security policy.

            T.UNAUTHORIZED_ACCESS An unauthorized user may gain access to user or TOE data for which they are not authorized by the security policy.

 

US PPs after the CIM (after March 2004) are applying CIM generic threats and objectives:

    O.MEDIATE: The TOE must protect user data in accordance with its security policy.

        T.UNAUTHORIZED_ACCESS: A user may gain access to user data for which they are not authorized according to the TOE security policy (FDP_AC*, FDP_IF*)

 

French PP

------------

“Profil de protection Firewall d'interconnexion IP”

http://www.commoncriteriaportal.org/public/files/ppfiles/pp0605.pdf

Paragraph 3.1.1: Assets protected by the TOE

    D.DONNEES_RESEAU_PRIVE (D.DATA_PRIVATE_LAN)

    The TOE contributes to protect users’ data included in the category "information and services from the protected LAN", by filtering the flow that might access or modify these assets.

Paragraph 3.4: Organizational security policies

    OSP.FILTRAGE (OSP.FILTERING)

    The TOE must apply the filtering policy defined by the IT security administrator.

Paragraph 4.1.1 TOE Security objectives

    O.APPLICATION_POL_FILTRAGE (O.APPLY_FILTERING_POLICY): The TOE must apply the filtering policy defined by the IT security administrator.

 

Best regards,
_________________________________________________________
 
Carmen AUBRY,
GSNA, CISSP
Oce Print Logic Technologies S.A. -R&D -http://www.oce.com
Phone: +33 (0)1 48 98 80 22 - Fax: +33 (0)1 48 98 54 50
1, rue Jean Lemoine  -  BP 113  -  94015 Créteil Cedex  - FRANCE
_________________________________________________________
 
