Commit 2284c4aa authored by Valerie Aurora

Map mitigations to security profiles and CRA requirements

parent e4a8616d
+15 −6
@@ -457,7 +457,16 @@ Security profiles will be mapped to the security requirements necessary to mitig

### 4.6.3 Mapping of security profile to technical requirements and mitigations

TBD
| Mitigation | SP-1 | SP-2 | SP-3 | SP-4 |
|------------|------|------|------|------|
| ROUT-1     |    Y |    Y |    Y |    Y |
| CONF-1     |    Y |    Y |    Y |    Y |
| NUTI-1     |    Y |    Y |    Y |    Y |
| NUTI-2     |    Y |    Y |    Y |    Y |
| AUTH-1     |    Y |    Y |    Y |    Y |
| AUTH-2     |    Y |    Y |    Y |    Y |
| AUTH-3     |    N |    Y |    Y |    Y |
| AUTH-4     |    N |    Y |    Y |    Y |

## 4.7 Essential functions
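
Review bot: The AUTH-3 and AUTH-4 rows mark SP-1 as N, but the second file in this commit still carries the sentence "All mitigations are required for all products." (visible in its hunk header at -41,7), so the two statements contradict each other. If the table is authoritative, reword that sentence to say that requirements depend on the security profile. Section 4.6.3 also has no prose left once TBD is replaced, so add a one-line legend saying what Y and N mean.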

@@ -587,14 +596,14 @@ The VPN product offers the following security functionalities to other component
| Secure design, development, production          |                                    |
| Secure by default configuration                 |                                    |
| Secure updates                                  |                                    |
| Authentication and access control mechanisms    |                                    |
| Confidentiality protection                      |                                    |
| Integrity protection for data and configuration |                                    |
| Authentication and access control mechanisms    | AUTH-*                             |
| Confidentiality protection                      | AUTH-*, CONF-1, ROUT-1             |
| Integrity protection for data and configuration | CONF-1                             |
| Data minimization                               |                                    |
| Availability protection                         |                                    |
| Minimize impact on other devices or services    |                                    |
| Limit attack surface                            |                                    |
| Exploit mitigation by limiting incident impact  |                                    |
| Limit attack surface                            | NUTI-2                              |
| Exploit mitigation by limiting incident impact  | NUTI-1                             |
| Logging and monitoring mechanisms               |                                    |
| Secure deletion and data transfer               |                                    |
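
Review bot: In the "Confidentiality protection" row, CONF-1 looks misplaced: per its heading, MI-CONF-1 is about restoring system configuration after the VPN connection ends, which fits the "Integrity protection for data and configuration" row (where it is also listed) but not confidentiality. Drop it from the confidentiality row or add a sentence explaining why it applies. `AUTH-*` is a wildcard that these lines do not define, and AUTH-3 and AUTH-4 are N for SP-1 in the 4.6.3 table, so spell out the IDs that are meant. Minor: the "Limit attack surface" row has one extra space of padding after NUTI-2, which breaks the column alignment.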

+1 −2
@@ -41,7 +41,7 @@ All mitigations are required for all products.

The establishment and ending of a VPN connection shall not result in functional changes to the system configuration unless explicitly authorized by the user.

#### 5.2.X.x **[MI-CONF]** VPN client restores any configuration it changes to its previous state after the VPN connection ends
#### 5.2.X.x **[MI-CONF-1]** VPN client restores any configuration it changes to its previous state after the VPN connection ends

After the user knowingly deactivates the VPN connection, the VPN client shall restore any system configuration it has changed to a state that is functionally equivalent to the state it was in before the VPN connection began.
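
Review bot: The new heading ID `[MI-CONF-1]` keeps the MI- prefix, while the tables added elsewhere in this commit refer to the same mitigation as `CONF-1`; pick one form, or state once that the prefix is dropped in tables, so the ID can be searched reliably. The heading also says "after the VPN connection ends" while the requirement text below it covers only the case where "the user knowingly deactivates the VPN connection"; align the two so it is clear whether other ways a connection can end are in scope. The `5.2.X.x` section number is still a placeholder.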

@@ -126,7 +126,6 @@ The VPN client or server shall detect when multiple clients are using credential
| any          | AUTH-1, AUTH-2       |
| DAT >= 1     | AUTH-3, AUTH-4       |


### Logging

Threat: someone (maybe VPN provider) gets access to remote logs
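
Review bot: The `DAT >= 1` condition on AUTH-3 and AUTH-4 in the table above "### Logging" does not line up with the 4.6.3 table added in this commit, which ties the same two mitigations to SP-2 and above; nothing in these lines says how DAT levels relate to security profiles. Add a cross-reference or a sentence stating the correspondence so the two tables cannot drift apart. The blank-line removal itself is fine.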