Security Target, Version 3.9 March 18, 2008
Nortel VPN Router v7.05 and Client Workstation v7.11
Page 46 of 67
© 2008 Nortel Networks

for reuse. This ensures that the keys are completely destroyed before any other process might have access to that memory location.

TOE Security Functional Requirements Satisfied: FCS_CKM.1(a), FCS_CKM.1(b), FCS_CKM.4, FCS_COP.1(a), FCS_COP.1(b), FCS_COP.1(d), FCS_COP.1(e)

6.1.3 User Data Protection

The TOE enforces access controls on each administrator and user of the TOE based on the privileges held by that user.

Access Control SFP: The TOE enforces the Access Control SFP on administrators by assigning privileges to administrators. The TOE configuration parameters can only be modified by those administrative users granted permission to do so by the Primary Admin. Administrators (specifically Restricted Admins) have a restricted level of access based on the permissions granted to them by the Primary Admin. Details of these privilege levels can be found in Section 2.3.2.5. All administrators must be authenticated before access is granted. The Primary Admin has access to all administrative functions after successfully being identified and authenticated to the TOE.

VPN Information Flow Control SFP: The TOE enforces the VPN Information Flow Control SFP by allowing connections only from VPN Clients who authenticate to the remote Nortel VPN Router (via the Nortel VPN Client) with either a username/password combination or via a digital certificate. The VPN Information Flow Control SFP is also enforced based on user identity and authentication credentials. The VPN Information Flow Control SFP enforces session tunnel filtering based on a packet's protocol ID, direction, source and destination IP addresses, source and destination ports, and service.

The TSF enforces the VPN Information Flow Control SFP on user data in order to protect sent or received data from modification, deletion, insertion, or replay. Thus, the TSF can determine if the data has been modified, deleted, inserted, or replayed via the VPN Information Flow Control SFP.

The connection attributes configured in the Nortel VPN Router enable the remote user to create a tunnel into the Nortel VPN Router. The actual connection to the Nortel VPN Router is a tunnel that is started from the remote user's PC, through the public network, and ends at the Nortel VPN Router on the private network. The Nortel VPN Router associates all remote users with a group which dictates the attributes (and privileges) that are assigned to a remote user session.

The VPN Information Flow Control SFP enforces the IPSec protocol for establishing a VPN. The VPN session that is established by remote users creates a trusted communications path between the remote user and the TOE. This communications path is logically distinct from other paths due to the cryptography that is used to encrypt the trusted session.

The TOE supports "split-tunneling," which assigns a unique IP address to an established IPSec tunnel, which is different from (and is held simultaneously with) the IP address assigned to the host machine which established the tunnel. During split-tunneling, any packet sent from the host machine to the public network must have as its source address the IP address assigned to the tunnel. Any packet sent to the public network with the host's IP address (or any other address) as the source address is dropped. For example, a user's host might have an IP address of 192.168.21.3. This user might then establish an IPSec connection with a host on the public network. This IPSec tunnel might be assigned a tunnel IP address of 192.192.192.192. In this case, any packets that attempt to pass outward through the tunnel with a source IP address of 192.168.21.3 (or any address other than 192.192.192.192) are dropped.

Firewall Information Flow Control SFP: The TOE enforces the Firewall Information Flow Control SFP by allowing connections only from hosts on either side of a Nortel VPN Router. The Firewall Information Flow Control SFP is also enforced on packets based on their source and destination interface, source and destination IP addresses, source and destination ports, direction, and service.

The TOE's Firewall examines both incoming and outgoing packets and compares them to a security policy. If the packet sequence numbers indicate a repeated packet, the TOE drops the packets as an identified replay attack.
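The following is an added illustration, not code from the Security Target or from Nortel, of the three filtering decisions described above: the split-tunnel rule that an outbound packet must carry the tunnel's IP address as its source, a policy match on direction, protocol, addresses and ports, and replay detection on packet sequence numbers. Only the two addresses (192.168.21.3 and 192.192.192.192) come from the ST's own example; the rule layout, the verdict strings, the window size and the sliding-window anti-replay algorithm (an IPsec-style window, chosen here as an assumption about how such a check can be built) are the example's own.

```python
"""Model of split-tunnel source checking, policy filtering and replay detection.
Added example; the rule format and window algorithm are assumptions, not the
Nortel VPN Router's implementation."""

from dataclasses import dataclass

HOST_IP = "192.168.21.3"          # host address from the ST's example
TUNNEL_IP = "192.192.192.192"     # tunnel address from the ST's example


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # e.g. "tcp" or "udp"
    sport: int
    dport: int
    direction: str  # "out" (host -> public network) or "in"
    seq: int        # sequence number carried on the tunnel


def split_tunnel_allows(pkt: Packet, tunnel_ip: str = TUNNEL_IP) -> bool:
    """During split-tunneling an outbound packet is forwarded only if its source
    is the tunnel address; the host's own address or any other is dropped."""
    if pkt.direction == "out":
        return pkt.src == tunnel_ip
    return True


class ReplayWindow:
    """Sliding anti-replay window over sequence numbers (assumed IPsec-style).
    Sequence numbers start at 1; a repeated or too-old number is a replay."""

    def __init__(self, size: int = 64):
        self.size = size
        self.top = 0                   # highest sequence number accepted so far
        self.bitmap = 0                # bit i set => (top - i) already seen
        self.mask = (1 << size) - 1

    def accept(self, seq: int) -> bool:
        if seq <= 0:
            return False
        if seq > self.top:             # newer than anything seen: slide window
            shift = seq - self.top
            self.bitmap = ((self.bitmap << shift) & self.mask) | 1
            self.top = seq
            return True
        diff = self.top - seq
        if diff >= self.size:          # older than the window covers
            return False
        if self.bitmap & (1 << diff):  # already accepted once: replay
            return False
        self.bitmap |= 1 << diff       # late but new: record and accept
        return True


@dataclass(frozen=True)
class Rule:
    """One policy entry matched on the attributes the ST lists; '*' matches any."""
    direction: str
    proto: str
    src: str
    dst: str
    sport: object
    dport: object
    action: str  # "allow" or "drop"

    def matches(self, pkt: Packet) -> bool:
        checks = ((self.direction, pkt.direction), (self.proto, pkt.proto),
                  (self.src, pkt.src), (self.dst, pkt.dst),
                  (self.sport, pkt.sport), (self.dport, pkt.dport))
        return all(want == "*" or want == have for want, have in checks)


def filter_packet(pkt: Packet, policy: list, window: ReplayWindow) -> str:
    """Verdict: 'forward', 'drop:split-tunnel', 'drop:policy' or 'drop:replay'.
    First matching rule wins; no match means drop (default-deny)."""
    if not split_tunnel_allows(pkt):
        return "drop:split-tunnel"
    for rule in policy:
        if rule.matches(pkt):
            if rule.action != "allow":
                return "drop:policy"
            break
    else:
        return "drop:policy"
    if not window.accept(pkt.seq):
        return "drop:replay"
    return "forward"


# Constructed policy: outbound HTTPS through the tunnel is allowed, nothing else.
POLICY = [Rule("out", "tcp", "*", "*", "*", 443, "allow")]


def run_demo() -> list:
    """Constructed traffic: good packet, host-sourced packet, later packet,
    replay of seq 1, non-policy port, and a late-but-new seq 2."""
    window = ReplayWindow(size=64)
    traffic = [
        Packet(TUNNEL_IP, "203.0.113.10", "tcp", 50000, 443, "out", 1),
        Packet(HOST_IP,   "203.0.113.10", "tcp", 50001, 443, "out", 2),
        Packet(TUNNEL_IP, "203.0.113.10", "tcp", 50000, 443, "out", 3),
        Packet(TUNNEL_IP, "203.0.113.10", "tcp", 50000, 443, "out", 1),
        Packet(TUNNEL_IP, "203.0.113.10", "tcp", 50000, 25,  "out", 4),
        Packet(TUNNEL_IP, "203.0.113.10", "tcp", 50000, 443, "out", 2),
    ]
    return [filter_packet(p, POLICY, window) for p in traffic]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The order of checks matters for the replay window: a packet rejected by the source-address or policy check never reaches the window, so its sequence number is not consumed and a later legitimate packet with that number is still accepted, as the final packet in the demo shows.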