Nortel Networks 7.11, 7.05 User Manual

Nortel Networks

Prepared for:

Prepared by:

Nortel Networks

Corsec Security, Inc.

600 Technology Park Drive

Billerica, MA 01821

10340 Democracy Lane, Suite 201

Fairfax, VA 22030

Phone: (800) 466-7835

Phone: (703) 267-6050

http://www.nortel.com

http://www.corsec.com

VPN Router v7.05 and Client

Workstation v7.11

Security Target

Evaluation Assurance Level: EAL 4+

Document Version: 3.9

© 2008 Nortel Networks

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 2 of 67

© 2008 Nortel Networks

Version

Modification Date

Modified By

Description of Changes

1.0

2005-05-31

Kiran Kadambari

Initial draft.

2.0

2006-01-17

Nathan Lee

Revised to use new document layout; addressed lab
verdicts; other miscellaneous edits to all sections for
accuracy, consistency, flow, and readability.

2.1

2006-09-04

Christie Kummers

Revised dependencies for SFRs. Minor updates
throughout.

3.0

2006-09-29

Christie Kummers

Minor updates throughout.

3.1

2006-10-25

Nathan Lee

Minor updates throughout.

3.2

2006-12-19

Christie Kummers

Updates and changes in response to Lab verdicts.

3.3

2007-3-02

Christie Kummers

Nathan Lee

Updates and changes in response to Lab verdicts.

3.4

2007-06-04

Christie Kummers

Updates and changes in response to Lab verdicts.

3.5

2008-02-05

Nathan Lee

Updated TOE version number and responded to
several lab verdicts.

3.6

2008-02-12

Nathan Lee

Updated TOE version build numbers.

3.7

2008-02-21

Nathan Lee

Updates and changes in response to Lab verdicts.

3.8

2008-03-18

Nathan Lee and Matt

Keller

Updates based on lab verdict clarifications and FIPS
validation details.

3.9

2008-03-18

Nathan Lee

Updated FIPS certificate numbers on 2009-01-21.
Marked document publication/revision date as “2008­03-18” by request of CSEC.

Revision History

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 3 of 67

© 2008 Nortel Networks

Table of Contents

REVISION HISTORY ................................................................................................................................................ 2

TABLE OF CONTENTS ............................................................................................................................................ 3

TABLE OF FIGURES ................................................................................................................................................ 4

TABLE OF TABLES .................................................................................................................................................. 4

1 SECURITY TARGET INTRODUCTION ........................................................................................................ 5

1.1 PURPOSE ......................................................................................................................................................... 5

1.2 SECURITY TARGET, TOE AND CC IDENTIFICATION AND CONFORMANCE ...................................................... 5

1.3 CONVENTIONS, ACRONYMS, AND TERMINOLOGY .......................................................................................... 6

1.3.1 Conventions ........................................................................................................................................... 6

1.3.2 Terminology ........................................................................................................................................... 6

2 TOE DESCRIPTION .......................................................................................................................................... 8

2.1 PRODUCT TYPE ............................................................................................................................................... 8

2.2 PRODUCT DESCRIPTION .................................................................................................................................. 8

2.3 TOE BOUNDARIES AND SCOPE ..................................................................................................................... 10

2.3.1 Physical Boundary ............................................................................................................................... 10

2.3.2 Logical Boundary ................................................................................................................................ 11

2.3.3 Excluded TOE Functionality................................................................................................................ 15

3 TOE SECURITY ENVIRONMENT ............................................................................................................... 16

3.1 ASSUMPTIONS .............................................................................................................................................. 16

3.2 THREATS TO SECURITY................................................................................................................................. 16

3.2.1 Threats Addressed by the TOE ............................................................................................................ 17

3.2.2 Threats Addressed by the TOE Environment ....................................................................................... 17

4 SECURITY OBJECTIVES .............................................................................................................................. 18

4.1 SECURITY OBJECTIVES FOR THE TOE ........................................................................................................... 18

4.2 SECURITY OBJECTIVES FOR THE ENVIRONMENT ........................................................................................... 19

4.2.1 IT Security Objectives .......................................................................................................................... 19

4.2.2 Non-IT Security Objectives .................................................................................................................. 19

5 IT SECURITY REQUIREMENTS .................................................................................................................. 20

5.1 TOE SECURITY FUNCTIONAL REQUIREMENTS ............................................................................................. 20

5.1.1 Class FAU: Security Audit ................................................................................................................... 22

5.1.2 Class FCS: Cryptographic Support ..................................................................................................... 24

5.1.3 Class FDP: User Data Protection ....................................................................................................... 27

5.1.4 Class FIA: Identification and Authentication ................................................................ ...................... 31

5.1.5 Class FMT: Security Management ...................................................................................................... 33

5.1.6 Class FPT: Protection of the TSF ................................................................................................ ........ 37

5.1.7 Class FTP: Trusted Path/Channels ..................................................................................................... 38

5.2 SECURITY FUNCTIONAL REQUIREMENTS ON THE IT ENVIRONMENT ............................................................ 39

5.3 ASSURANCE REQUIREMENTS ........................................................................................................................ 41

6 TOE SUMMARY SPECIFICATION .............................................................................................................. 42

6.1 TOE SECURITY FUNCTIONS .......................................................................................................................... 42

6.1.1 Security Audit ....................................................................................................................................... 43

6.1.2 Cryptographic Support ........................................................................................................................ 45

6.1.3 User Data Protection ........................................................................................................................... 46

6.1.4 Identification and Authentication ........................................................................................................ 47

6.1.5 Security Management .......................................................................................................................... 47

6.1.6 Protection of the TOE Security Functions ........................................................................................... 48

6.1.7 Trusted Path/Channels ........................................................................................................................ 49

6.2 TOE SECURITY ASSURANCE MEASURES ...................................................................................................... 49

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 4 of 67

© 2008 Nortel Networks

7 PROTECTION PROFILE CLAIMS ............................................................................................................... 51

7.1 PROTECTION PROFILE REFERENCE ............................................................................................................... 51

8 RATIONALE ..................................................................................................................................................... 52

8.1 SECURITY OBJECTIVES RATIONALE .............................................................................................................. 52

8.2 SECURITY FUNCTIONAL REQUIREMENTS RATIONALE .................................................................................. 55

8.3 SECURITY ASSURANCE REQUIREMENTS RATIONALE .................................................................................... 60

8.4 RATIONALE FOR STRENGTH OF FUNCTION ................................................................................................... 60

8.5 DEPENDENCY RATIONALE ............................................................................................................................ 60

8.6 TOE SUMMARY SPECIFICATION RATIONALE ................................................................................................ 62

8.6.1 TOE Summary Specification Rationale for the Security Functional Requirements ............................. 62

8.6.2 TOE Summary Specification Rationale for the Security Assurance Requirements .............................. 63

8.7 STRENGTH OF FUNCTION .............................................................................................................................. 65

9 ACRONYMS ...................................................................................................................................................... 66

Table of Figures

FIGURE 1 – VPN CLIENT DEPLOYMENT CONFIGURATION OF THE TOE.......................................................................... 8

FIGURE 2 – BRANCH OFFICE DEPLOYMENT CONFIGURATION OF THE TOE .................................................................... 9

FIGURE 3 - PHYSICAL TOE BOUNDARY ........................................................................................................................ 10

FIGURE 4 - PHYSICAL TOE BOUNDARY IN BRANCH OFFICE TUNNEL MODE ................................................................ 10

FIGURE 5 - TOE LOGICAL BOUNDARY ......................................................................................................................... 12

FIGURE 6 - TOE LOGICAL BOUNDARY IN BRANCH OFFICE TUNNEL MODE ................................................................. 12

Table of Tables

TABLE 1 - ST, TOE, AND CC IDENTIFICATION AND CONFORMANCE .............................................................................. 5

TABLE 2 - TERMINOLOGY ............................................................................................................................................... 6

TABLE 3 - TOE SECURITY FUNCTIONAL REQUIREMENTS ............................................................................................. 20

TABLE 4 - AUDITABLE EVENTS .................................................................................................................................... 22

TABLE 5 - IT ENVIRONMENT SECURITY FUNCTIONAL REQUIREMENTS ........................................................................ 39

TABLE 6 - ASSURANCE COMPONENTS .......................................................................................................................... 41

TABLE 7 - MAPPING OF TOE SECURITY FUNCTIONS TO SECURITY FUNCTIONAL REQUIREMENTS ............................... 42

TABLE 8 - FIPS-VALIDATED CRYPTOGRAPHIC ALGORITHMS ...................................................................................... 45

TABLE 9 - ASSURANCE MEASURES MAPPING TO TOE SECURITY ASSURANCE REQUIREMENTS (SARS) ...................... 49

TABLE 10 - RELATIONSHIP OF SECURITY THREATS TO OBJECTIVES ............................................................................. 52

TABLE 11 - RELATIONSHIP OF SECURITY REQUIREMENTS TO OBJECTIVES ................................................................... 56

TABLE 12 - FUNCTIONAL REQUIREMENTS DEPENDENCIES ........................................................................................... 60

TABLE 13 - MAPPING OF SECURITY FUNCTIONAL REQUIREMENTS TO TOE SECURITY FUNCTIONS ............................. 62

TABLE 14 - ACRONYMS ................................................................................................................................................ 66

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 5 of 67

© 2008 Nortel Networks

ST Title

Nortel Networks VPN Router v7.05 and Client Workstation v7.11 Security Target

ST Version

Version 3.8

Author

Corsec Security, Inc.
Nathan Lee

TOE Identification

Nortel VPN Router v7.05 and Client Workstation v7.11

Common Criteria (CC)

Identification and

Conformance

Common Criteria for Information Technology Security Evaluation, Version 2.3 (aligned
with ISO/IEC 15408:2004), Part 2 conformant, Part 3 conformant; Parts 2 and 3
Interpretations from the Interpreted CEM as of October 25, 2006 were reviewed, and no
interpretations apply to the claims made in this ST.

PP Identification

None

Evaluation Assurance

Level

EAL 4 Augmented with Flaw Remediation

1 Security Target Introduction

This section identifies the Security Target (ST), Target of Evaluation (TOE) identification, ST conventions, ST
conformance claims, and the ST organization. The Targets of Evaluation are models 600, 1010, 1050, 1100, 1750,
2750, and 5000 of the Nortel VPN Router v7.05 and Client Workstation v7.11. These devices are functionally
identical and will hereafter be referred to, collectively, as “the TOE” throughout this document. The TOE is a
Virtual Private Network (VPN) Router that ensures end-to-end network security by establishing a fully encrypted
and authenticated VPN connection across the Internet between a Nortel VPN Router and either a user’s remote
computer or another remote Nortel VPN Router. It also provides firewall functionality to protect the private
network from attack from the public network.

1.1 Purpose

This ST contains the following sections to provide mapping of the Security Environment to the Security
Requirements that the TOE meets in order to remove, diminish, or mitigate the defined threats:

Security Target Introduction (Section 1) – Provides a brief summary of the content of the ST and describes

the organization of other sections of this document.

TOE Description (Section 2) – Provides an overview of the TOE security functions and describes the

physical and logical boundaries for the TOE.

TOE Security Environment (Section 3) – Describes the threats and assumptions that pertain to the TOE and

its environment.

Security Objectives (Section 4) – Identifies the security objectives that are satisfied by the TOE and its

environment.

IT Security Requirements (Section 5) – Presents the Security Functional Requirements (SFRs) and Security

Assurance Requirements (SARs) met by the TOE and by the TOE’s environment.

TOE Summary Specification (Section 6) – Describes the security functions provided by the TOE to satisfy

the security requirements and objectives.

Protection Profile Claims (Section 7) – Provides the identification of any ST Protection Profile claims as

well as a justification to support such claims.

Rationale (Section 8) – Presents the rationale for the security objectives, requirements, and the TOE

summary specifications as to their consistency, completeness, and suitability.

Acronyms (Section 9) – Defines the acronyms used within this ST.

1.2 Security Target, TOE and CC Identification and Conformance

Table 1 - ST, TOE, and CC Identification and Conformance

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 6 of 67

© 2008 Nortel Networks

Keywords

VPN, Router, Firewall, IPSec

Term

Explanation

Technology

Contivity

Refers to the marketing name of the Nortel VPN Router.

User Types

Primary Admin

The Primary Admin account has the ability to conduct all administrative privileges and
rights of the TOE. The Primary Admin also has the ability to create and assign various
rights to additional administrators. There can only be one Primary Admin of the TOE.

Restricted Admin

A Restricted Admin of the TOE has various administrative privileges as assigned by
the Primary Admin. The types of privileges available to Restricted Admins are:

Manage Nortel VPN Router
View Nortel VPN Router
Subgroups
Manage Users
View Users

Administrators

Refers to all administrators of the TOE (both the Primary Admin and any assigned
Restricted Admins)

Users

Refers to VPN users or any person authorized to use the TOE but lacking
administrative privileges.

Operators

Refers to any human that interacts with the TOE, including Administrators and Users.

Privilege Types

1.3 Conventions, Acronyms, and Terminology

1.3.1 Conventions

There are several font variations used within this ST. Selected presentation choices are discussed here to aid the
Security Target reader.

The CC allows for several operations to be performed on security requirements: assignment, refinement, selection
and iteration. All of these operations are used within this ST. These operations are presented in the same manner in
which they appear in Parts 2 and 3 of the CC with the following exceptions:

Completed assignment statements are identified using [italicized text within brackets].
Completed selection statements are identified using [underlined italicized text within brackets].
Refinements are identified using bold text. Any text removed is stricken (Example: TSF Data) and should

be considered as a refinement.

Iterations are identified by appending a letter in parenthesis following the component title. For example,

FAU_GEN.1(a) Audit Data Generation would be the first iteration and FAU_GEN.1(b) Audit Data
Generation would be the second iteration.

1.3.2 Terminology

The acronyms used within this ST are described in Section 9 – “Acronyms.” TOE-specific terminology used
throughout the Security Target is explained in Table 2 below:

Table 2 - Terminology

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 7 of 67

© 2008 Nortel Networks

Term

Explanation

Manage Nortel VPN Router

Grants administrative rights to view (monitor) and manage (configure) Nortel VPN
Router configuration settings or user rights settings. This is the highest level of
administrative privilege. The only permission not granted to this level is access to the
Primary Admin password.

View Nortel VPN Router

Grants administrative rights to view (monitor) most Nortel VPN Router configuration
settings or user rights settings; however, this user cannot manage (change) them. This
user cannot view the System Log, Graphs, and Guided Configuration.

Subgroups

Grants rights to add and delete subgroups under a directory for which the user has
View Nortel VPN Router rights.

Manage Users

Grants administrative rights to view (monitor) and manage (configure) all group
information for specified user groups.

View Users

Grants administrative rights to view (monitor) all group information for specified user
groups.

None

The user does not have administrative rights to view (monitor) or manage (configure)
the Nortel VPN Router settings or to manage user settings.

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 8 of 67

© 2008 Nortel Networks

The World Enterprise

Corporate

Servers

Corporate

Network

Internet

CLI Workstation Management

Workstation

VPN Tunnel

Nortel

VPN Client

Workstation

Nortel VPN Router

2 TOE Description

This section provides a general overview of the TOE as an aid to understanding the general capabilities and security
requirements provided by the TOE. The TOE description provides a context for the TOE evaluation by identifying
the product type and describing the evaluated configuration.

2.1 Product Type

The Nortel VPN Router v7.05 and Client Workstation v7.11 is a hardware and software TOE which combines
network data routing, Virtual Private Network (VPN) connection and acceleration, and firewall capabilities in one
device. This product class makes use of public telecommunication infrastructure (most commonly the Internet) in
order to connect physically discontiguous private network segments to one “virtually contiguous” private network.
Privacy and security of corporate data is maintained through the use of encrypted tunneling protocols within the
VPN connection and various other security procedures when it is in transit over the public network.

A VPN connection requires the creation and operation of a secure tunnel between a VPN client on a remote device
(such as personal computer (PC)) and VPN server software on a VPN security gateway, such as a Nortel VPN
Router.

2.2 Product Description

The TOE is a VPN Router/Firewall which provides three main areas of functionality: it efficiently routes network
traffic to its intended destination; it enables secure Internet Protocol (IP) VPN connections across the public data
network; and it protects the private network from attack by parties on the public network. Each of these functions
are discussed in greater detail below.

The TOE’s primary purpose is to allow users of a private (Enterprise) network to have secure access to that network
from a remote location. The TOE provides firewall, routing, encryption and decryption, authentication, and data
integrity services to ensure that data is securely tunneled across IP networks (including the Internet). The Nortel
VPN Router and the Nortel VPN Client are the two components that compose the TOE. Figure 1 below shows a
typical deployment configuration of the TOE:

Figure 1 – VPN Client Deployment Configuration of the TOE

The Nortel VPN Router can also be configured to operate in Branch Office mode. Branch Office mode allows two
separate portions of an Enterprise network to be securely connected to each other via the Internet. In Branch Office

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 9 of 67

© 2008 Nortel Networks

mode, a Nortel VPN Router on one Enterprise network segment will establish a VPN tunnel with another Nortel
VPN Router on another Enterprise network segment. All communications between the two network segments are
protected by the VPN tunnel. Figure 2 below shows a typical deployment configuration for Branch Office mode:

Figure 2 – Branch Office Deployment Configuration of the TOE

VPN sessions between the TOE components (the Nortel VPN Client and the Nortel VPN Router) can be established
using various tunneling protocols, including L2TP, L2F, PPTP, and/or IP Security (IPSec); however, IPSec is the
only tunneling protocol that can be used to establish a VPN session in the Common Criteria (CC) mode of operation.
For this reason, IPSec is the only tunneling protocol that is discussed in detail in this Security Target document.
Although a thorough discussion and analysis of the IPSec protocol is beyond the scope of this document, a brief
description of the protocol is given below.

The IPSec protocol is designed to mitigate security threats to IP datagrams in three main areas: “spoofing” of IP
addresses; IP datagram tampering and/or replaying; and IP datagram confidentiality. IPSec provides these security
services at the Open Systems Interconnection (OSI) Network Layer (which is the layer containing the IP protocol)
via combinations of cryptographic protocols and other security mechanisms. IPSec enables systems to dynamically
select and require certain security protocols and cryptographic algorithms, and generate and utilize the cryptographic
material (i.e., keys) required to provide the requested services. These services include:

Access control to network elements
Data origin authentication
Integrity for connection-less protocols (such as User Datagram Protocol (UDP))
Detection and rejection of replayed IP packets (i.e. IP datagrams)
Data confidentiality via encryption
Partial traffic-flow confidentiality

These services are available for transparent use by any protocols which operate at higher levels in the OSI network
stack.1

The TOE also provides stateful inspection firewall functionality which protects the private network from attack by
parties on the public network. The firewall inspects the packets flowing through the router and uses administrator­configurable rules to determine whether or not to allow each packet to pass through to its intended destination.

TOE users fall into two groups:

1) Users who have access to the administrative functionality of the TOE.

2) Users who can only establish a VPN session with the TOE in order to have access to the network protected

by the TOE.

1

Davis, Carlton R. IPSec: Securing VPNs. RSA Press, 2001.

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 10 of 67

© 2008 Nortel Networks

Legend:

TOE Boundary

The World Enterprise

Corporate

Servers

Corporate

Network

Internet

CLI Workstation Management

Workstation

VPN Tunnel

Nortel

VPN Client

Workstation

Nortel VPN Router

Configuration of the TOE is performed via a Command Line Interface (CLI) by physically connecting a device
(such as a laptop) to the serial interface of the TOE and utilizing dumb-terminal software. After the TOE is
configured, it can be managed remotely via a Graphical User Interface (GUI) which is accessed by a management
workstation connected to the protected and trusted internal network.

2.3 TOE Boundaries and Scope

This section identifies the physical and logical components of the TOE that are included in this evaluation.

2.3.1 Physical Boundary

Figure 3 and Figure 4 below illustrates the physical boundary of this CC evaluation:

Figure 3 - Physical TOE Boundary

Figure 4 - Physical TOE Boundary in Branch Office Tunnel Mode

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 11 of 67

© 2008 Nortel Networks

In Figure 3 above, the TOE is installed at the boundary of the private (“Enterprise”) network and the public
(“Internet”) network. In Figure 4 above, the TOE is installed at the boundary of the two private (“Enterprise”)

networks. The essential physical components of the TOE are:

Nortel VPN Router v7.05 build 100: The Nortel VPN Router is a dedicated hardware/software appliance

running a Nortel-hardened version of the VxWorks OS. All non-essential OS processes have been removed
and direct access to the OS is impossible. The Nortel VPN Router is produced at seven performance levels
(models 600, 1010, 1050, 1100, 1750, 2750, and 5000) which provide identical functionality; they differ
only in network throughput and performance.

Nortel VPN Client Workstation v7.11 build 100: The Nortel VPN Client is used to access to establish

VPN sessions with the Nortel VPN Router from a remote location.

2.3.1.1 TOE Environment

The TOE environment is composed of the following:

Nortel VPN Client Workstation2

o Provides the underlying OS (Microsoft Windows 2000 SP4 or XP SP2) and general-purpose

computing hardware platform for the VPN user to connect to the Nortel VPN Router.

Management Workstation

o Provides the underlying OS and general-purpose computing hardware platform for the TOE user

to interact with the administrative GUI provided by the TOE.

CLI Workstation

o Provides the underlying OS and general-purpose computing hardware platform for the TOE user

to interact with the administrative CLI provided by the TOE.

Corporate Servers

o Provide data and services to VPN users through the VPN services provided by the TOE.

2.3.2 Logical Boundary

Figure 5 and Figure 6 below illustrates the logical boundary of this CC evaluation:

2

Note that the Nortel VPN Client Software is included within the TOE boundary but the underlying OS and

hardware are not.

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 12 of 67

© 2008 Nortel Networks

Legend:

TOE Boundary

The World Enterprise

Corporate

Network

Internet

Nortel

VPN Client

Workstation

Nortel VPN Router

VPN TunnelWindows OS

General Purpose

Computing Hardware

Nortel VPN Client

Software

Nortel VPN Switch

Software

VxWorks OS

Contivity Hardware

Appliance

Figure 5 - TOE Logical Boundary

Figure 6 - TOE Logical Boundary in Branch Office Tunnel Mode

The essential logical components of the TOE are:

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 13 of 67

© 2008 Nortel Networks

Nortel VPN Router: Each of the logical components contained within the physical Nortel VPN Router are

included within the TOE boundary. These components are:

o Nortel VPN Switch Software
o VxWorks OS
o Contivity Hardware Appliance.

Nortel VPN Client Workstation: The Nortel VPN Client software is part of the TOE but the underlying

OS and hardware are excluded from the TOE boundary.

The TOE’s logical boundary includes all of the TOE Security Functions (TSFs). The Security Functional
Requirements (SFRs) implemented by the TOE are usefully grouped under the following Security Function Classes:

FAU Security Audit
FCS Cryptographic Support
FDP User Data Protection
FIA Identification and Authentication
FMT Security Management
FPT Protection of the TOE Security Functions
FTP Trusted Path/Channels

These functions are discussed in greater detail below.

2.3.2.1 Security Audit

The Security Audit function provides the generation and viewing of audit records. The TOE generates five
categories of audit data:

Accounting Log: contains information about user activities.
Security Log: contains information about security relevant activities.
Configuration Log: contains information about configuration relevant activities.
System Log: contains information about system relevant activities.
Event Log: contains the last 2000 logs entries of all activities.

Audit data is generated by the TOE and stored locally as flat files on internal storage. The TOE controls access to
the audit data, and direct access to these flat files by the TOE administrator is not possible. The TOE supports
automatic backup and archiving of the logs.

TOE users assigned to the appropriate user roles may read audit records but do not have write access. The audit data
is presented to TOE users in a manner suitable for human readability.

2.3.2.2 Cryptographic Support

The TOE implements and utilizes cryptographic algorithms and various other security algorithms in order to protect
information being transferred between physically separated parts of the TOE. These algorithms include Advanced
Encryption Standard (AES), Triple Data Encryption Standard (3DES), RSA (Rivest, Shamir, and Adleman), and
Diffie-Hellman; Secure Hash Algorithm (SHA-1) and Keyed-Hash Message Authentication Code (HMAC)-SHA-1
for hashing; and FIPS 140-2 key zeroization for key destruction.

2.3.2.3 User Data Protection

The TOE enforces the Access Control Security Functional Policy (SFP) on TOE subjects, objects, and operations.
The architecture of the TOE ensures that all operations between objects and subjects are regulated by the TOE based
upon the privilege criteria defined in the Access Control SFP.

The TOE enforces the VPN Information Flow Control (IFC) SFP and the Firewall IFC SFP through the use of
IPSec. The IPSec protocol ensures confidentiality of communications between remote Nortel VPN Clients and

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 14 of 67

© 2008 Nortel Networks

Nortel VPN Routers, as well as providing protection against external attack. The architecture of the TOE ensures
that VPN data is subject to enforcement of the VPN IFC SFP, and that all data passing through the firewall is subject
to enforcement of the Firewall IFC SFP. These SFPs are enforced by the TOE based upon the privilege criteria
defined in the SFPs.

2.3.2.4 Identification and Authentication

All identification and authentication for the TOE occurs on the Nortel VPN Router and is based on user attributes.
Each user has a username, password, and one or more assigned roles. The TOE ensures that users are authenticated
prior to any use of the TOE functions, and user authentication is performed using a unique username and password
combination.

TOE users must identify and authenticate their identities in order to gain access to services provided by the TOE.
Identification and authentication is enforced by the Nortel VPN Router, the GUI, and the CLI. The Nortel VPN
Client accepts two types of authentication credentials: a username/password combination or a digital certificate.3
The GUI and CLI accepts username/password authentication.

2.3.2.5 Security Management

The TOE maintains three main user roles:

Primary Admin
Restricted Admin
VPN User

The Primary Admin has full administrative access to the TOE; the Restricted Admin has access to specific
administrative functions as defined by the Primary Admin; and the VPN User has no administrative privileges and
can only connect to the Nortel VPN Router via the Nortel VPN Client.

The Primary Admin and Restricted Admins perform administrative and troubleshooting tasks via the GUI, and they
perform configuration tasks via the CLI. VPN Users utilize the Nortel VPN Client to access the private network
through the Nortel VPN Router. After successful authentication to the TOE, users can access only the management
functions to which their role grants them access. As described in the SFP, management and modification of TOE
security attributes is restricted to authorized administrators in order to ensure that only secure values are accepted for
those security attributes and that the default values used for initialization of the security attributes are not
maliciously altered.

2.3.2.6 Protection of the TOE Security Functions

The TOE runs a series of self-tests both at initial TOE start-up and periodically during normal TOE operation.
These tests check for the correct operation of the TSFs. The TOE is able to detect IPSec sessions replay attacks and
take appropriate countermeasures (by dropping the suspect packets) while performing the self-tests. The TOE’s
architecture is specifically designed to eliminate the possibility of any user bypassing the TSFs. Users must be
identified and authenticated before the TOE will make any actions on their behalf. The underlying OS is not
accessible by any TOE user (authorized or unauthorized).

2.3.2.7 Trusted Path/Channels

Connections from the Nortel VPN Client to the Nortel VPN Router are initiated by the VPN Users. IPSec is
required during these connections in order to ensure that the communication is via a trusted path. The architecture
of the TOE and of the IPSec protocol ensures that the trusted paths between the Nortel VPN Router and the Nortel
VPN Clients are logically distinct and secure.

3

The Nortel VPN Client also supports the use of Smart Cards for authentication. Smart Card authentication is

beyond the scope of this evaluation and is not included in the evaluated configuration.

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 15 of 67

© 2008 Nortel Networks

2.3.3 Excluded TOE Functionality

The following product features and functionality are excluded from the evaluated configuration of the TOE:

Remote VPN connections using a tunneling protocol other than IPSec
Remote authentication using a Smart Card or a hardware or software token Card

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 16 of 67

© 2008 Nortel Networks

A.TRAINED-ADMIN

It is assumed that administrators will be trained in the secure use of the TOE and will
follow the policies and procedures defined in the TOE documentation for secure
administration of the TOE. Administrators are assumed to be non-hostile.

A.TIMESTAMPS

It is assumed that the TOE relies on the operating environment of TOE to provide
accurate clock time in order to create an accurate time stamp for audit events.
Administrators are responsible for the maintenance of a reliable time source for use with
audit operations.

A.PHYSICAL

It is assumed that the TOE may be susceptible to physical attacks by an attacker. It is
assumed that the TOE will be housed within a physically secure environment in order to
mitigate this risk.

A.CERTIFICATE

It is assumed that the environment will provide the necessary infrastructure to ensure that
certificates can be validated when digital certificates are used for authentication. This
may mean the environment provides a connection to a trusted Certificate Authority, or
that the required certificates are otherwise available to the TOE. It is assumed that the
appropriate infrastructure is properly maintained in order to ensure the accuracy and
security of the certificates (e.g., certificates are revoked in a timely manner).

A.INSTALL

It is assumed that the TOE is delivered, installed, and setup in accordance with
documented delivery and installation/setup procedures.

A.ACCESS

It is assumed that the TOE has access to all of the Information Technology (IT) System
data it needs to perform its functions.

A.DOMSEP

It is assumed that the IT environment will maintain a security domain for the Nortel VPN
software that protects it from interference and tampering by untrusted subjects.

3 TOE Security Environment

This section describes the security aspects of the environment in which the TOE will be used and the manner in
which the TOE is expected to be employed. Section 3.1 provides assumptions about the secure usage of the TOE,
including physical, personnel, and connectivity aspects. Section 3.2 lists the known and presumed threats countered
by either the TOE or by the security environment.

3.1 Assumptions

This section contains assumptions regarding the security environment and the intended usage of the TOE. The
following specific conditions are required to ensure the security of the TOE and are assumed to exist in an
environment where this TOE is employed.

3.2 Threats to Security

This section identifies the threats to the IT assets (private networks) against which protection is required by the TOE
or by the security environment. The threat agents are divided into two categories:

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 17 of 67

© 2008 Nortel Networks

T.UNDETECT

An attacker may gain undetected access due to missing, weak, and/or incorrectly
implemented access controls for the restricted files or TSF Data in order to cause
violations of integrity, confidentiality, or availability of the information protected by and
flowing through the TOE.

T.AUTH-ERROR

An authorized user may accidentally alter the configuration of a policy that permits or
denies information flow through the TOE, thereby affecting the integrity of the transmitted
information.

T.DATA-MOD

An attacker may intercept and alter the data transmitted between the Nortel VPN Client
and the Nortel VPN Router, and/or between two Nortel VPN Routers, in order to deceive
the intended recipient.

T. HACK-CRYPTO

An attacker may successfully intercept and decrypt, then recover and modify the encrypted
data that is in transit between the Nortel VPN Router and VPN Client, and/or between two
Nortel VPN Routers.

T.HACK

An attacker may use malformed IP packets or similar attack methods against the TSF or
user data protected by the TOE in order to corrupt normal operation.

TE.PHYSICAL

An attacker may physically attack the Hardware appliance in order to compromise its
secure operation.

TE.AUDIT_FAILURE

An attacker may conduct an undetected attack on the information protected by the TOE
as a result of unreliable time stamps used by the audit mechanism, which may result in
failure to prevent further attacks using the same method.

TE.BAD_CERT

An attacker may successfully authenticate to the VPN Router using a revoked, expired
or untrusted certificate in order to gain access to information residing on the private
network.

Attackers who are not TOE users: These attackers have no knowledge of how the TOE operates and are

assumed to possess a low skill level, a low level of motivation, limited resources to alter TOE configuration
settings/parameters, and no physical access to the TOE.

TOE users: These attackers have extensive knowledge of how the TOE operates and are assumed to

possess a high skill level, moderate resources to alter TOE configuration settings/parameters, and physical
access to the TOE, but no motivation to do so.

The threats are mitigated through the objectives identified in Section 4 - Security Objectives.

3.2.1 Threats Addressed by the TOE

The following threats are to be addressed by the TOE:

3.2.2 Threats Addressed by the TOE Environment

The following threats are addressed by the TOE environment:

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 18 of 67

© 2008 Nortel Networks

O.I&A

The TOE must be able to identify and authenticate users prior to allowing access to TOE
functions and data.

O.AUDIT

The TOE must record audit records for data accesses and use of the System functions.

O.SELFPROTECT

The TOE must protect itself from unauthorized modifications and access to its functions
and data.

O.FUNCTIONS

The TOE must provide functionality that enables only authorized users to establish VPN
sessions with the TOE using the IPSec protocol.

O.ADMIN

The TOE must provide facilities to enable an authorized administrator to effectively
manage the TOE and its security function, and must ensure that only authorized
administrators are able to access such functionality.

O.TEST

The TOE must provide functionality that enables testing of its correct functioning and
integrity.

O.REPLAY

The TOE must provide functionality that enables detection of replay attack and take
appropriate action if an attack is detected.

O.CONFIDENT

The TOE must use the IPSec tunneling protocol to ensure confidentiality of data
transmitted between the Nortel VPN Client and the Nortel VPN Router, and/or between
two Nortel VPN Routers.

O.INTEGRITY

The TOE must use the IPSec tunneling protocol to ensure integrity of data transmitted
between the Nortel VPN Client and the Nortel VPN Router, and/or between two Nortel
VPN Routers.

O.FILTER

The TOE must filter all incoming and outgoing packets that pass through it, and accept or
reject packets based on their attributes.

4 Security Objectives

This section identifies the security objectives for the TOE and its supporting environment. The security objectives
identify the responsibilities of the TOE and its environment in meeting the security needs.

4.1 Security Objectives for the TOE

The specific security objectives are as follows:

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 19 of 67

© 2008 Nortel Networks

OE.TIME

The environment must provide reliable timestamps for the time-stamping of audit events.

OE.CERTIFICATE

The environment must provide the required certificate infrastructure so that the validity of
certificates can be verified. The certificate infrastructure must be properly and securely
maintained so that the status of certificates is accurately provided to the TOE.

OE.DOMSEP

The environment must maintain a security domain for the Nortel VPN Client software that
protects it from interference and tampering by untrusted subjects.

OE.PHYS-SEC

The TOE must be physically protected so that only TOE users who possess the appropriate
privileges have access.

OE.TRAINED

Those responsible for the TOE must train TOE users to establish and maintain sound security
policies and practices.

OE.DELIVERY

Those responsible for the TOE must ensure that it is delivered, installed, managed and
operated in accordance with documented delivery and installation/setup procedures.

4.2 Security Objectives for the Environment

4.2.1 IT Security Objectives

The following IT security objectives are to be satisfied by the environment:

4.2.2 Non-IT Security Objectives

The following non-IT environment security objectives are to be satisfied without imposing technical requirements
on the TOE. That is, they will not require the implementation of functions in the TOE hardware and/or software.
Thus, they will be satisfied largely through application of procedural or administrative measures.

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 20 of 67

© 2008 Nortel Networks

SFR ID

Description

ST Operation

Selection
Assignment

Refinement

Iteration

FAU_GEN.1

Audit Data Generation





FAU_SAR.1

Audit Review

 FCS_CKM.1(a)

Cryptographic Key Generation



FCS_CKM.4

Cryptographic Key Destruction



FCS_COP.1(a)

Cryptographic Operation

  FCS_COP.1(b)

Cryptographic Operation

  FCS_COP.1(d)

Cryptographic Operation





FCS_COP.1(e)

Cryptographic Operation





FCS_CKM.1(b)

Cryptographic Key Generation

 FDP_ACC.2

Complete Access Control

 FDP_ACF.1

Security Attribute Based Access Control



FDP_IFC.2(a)

Complete Information Flow Control





FDP_IFC.2(b)

Complete Information Flow Control

  FDP_IFF.1(a)

Simple Security Attributes

  FDP_IFF.1(b)

Simple Security Attributes





FDP_UCT.1

Basic Data Exchange Confidentiality





FDP_UIT.1

Data Exchange Integrity





FIA_UAU.1

Timing of Authentication

 FIA_UAU.5

Multiple Authentication Mechanisms



FIA_UID.2

User Identification Before any Action

FMT_MOF.1(a)

Management of Security Functions Behavior



 

FMT_MOF.1(b)

Management of Security Functions Behavior



 

FMT_MSA.1(a)

Management of Security Attributes



 

5 IT Security Requirements

This section defines the Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs)
met by the TOE as well as SFRs met by the TOE IT environment. These requirements are presented following the
conventions identified in Section 1.3.1.

5.1 TOE Security Functional Requirements

This section specifies the SFRs for the TOE. This section organizes the SFRs by CC class. Table 3 identifies all
SFRs implemented by the TOE and indicates the ST operations performed on each requirement.

Table 3 - TOE Security Functional Requirements

Security Target, Version 3.9

March 18, 2008

Nortel VPN Router v7.05 and Client Workstation v7.11

Page 21 of 67

© 2008 Nortel Networks

SFR ID

Description

ST Operation

FMT_MSA.1(b)

Management of Security Attributes



 

FMT_MSA.1(c)

Management of Security Attributes



 

FMT_MSA.2

Secure Security Attributes

FMT_MSA.3(a)

Static Attribute Initialization



 

FMT_MSA.3(b)

Static Attribute Initialization



 

FMT_MSA.3(c)

Static Attribute Initialization



 

FMT_SMF.1

Specification of Management Functions



FMT_SMR.1

Security Roles



FPT_AMT.1

Abstract Machine Testing



FPT_RPL.1

Replay Detection



FPT_TST.1

TSF Testing





FTP_TRP.1

Trusted Path





Section 5.1 contains the functional components from the Common Criteria (CC) Part 2 with the operations
completed. For the conventions used in performing CC operations please refer to Section 1.3.1.