Commit 40657ac4 authored by Valerie Aurora

Rewrite no untrusted traffic requirements to new format, add mappings

parent d75108fb
+22 −8
@@ -69,21 +69,35 @@ Traffic from an unauthorized or unauthenticated source shall not be permitted to

The VPN client and server shall implement or integrate with a policy engine (e.g., a packet filter or firewall) to enforce granular packet filtering by application, port, and endpoint identity, and shall only permit traffic explicitly authorized to transit the VPN connection.

* Test: attempt to send traffic that is explicitly blocked by the central policy engine directly to the network port used to route traffic into the VPN connection on the VPN client, repeat on VPN server
* Result: the packet is dropped, does not enter the VPN connection, and does not exit it
* Documentation: configuration file including the deny rule, packet capture of both incoming and outgoing interface, log message recording the denied traffic
  * Reference: TR-NUTI
  * Objective: Prevent unauthorized traffic in the VPN connection
  * Preparation: None
  * Activities: Attempt to send traffic that is explicitly blocked by the central policy engine directly to the network port used to route traffic into the VPN connection on the VPN client, repeat on VPN server
  * Verdict: The traffic does not enter the VPN connection, and does not exit it => PASS, otherwise FAIL
  * Evidence: Configuration file including the deny rule, packet capture of both incoming and outgoing interface, log message recording the denied traffic

#### 5.2.X.x **[MI-NUTI-2]** Protocol validity checks

The VPN client and server shall implement data validity checks on all incoming packets to ensure they conform to the expected format and protocol of the restricted network, preventing tunnel misuse.
The VPN client and server shall implement data validity checks on all incoming packets to ensure they conform to the expected format and protocol of the restricted network.

* Test: inject a packet into the receiving interface of the VPN client or server that contains an invalid IP header or a malformed routing address intended to escape the restricted network space
* Result: the VPN client or server shall discard the malformed packet and shall not attempt to forward it onto the internal restricted network
* Documentation: packet capture on both incoming and outgoing interface, log message or dropped packet counter show the packet was dropped
  * Reference: TR-NUTI
  * Objective: Prevent unauthorized traffic in the VPN connection
  * Preparation: Create packets for each protocol supported by the traffic policy engine that have invalid or malformed headers designed to bypass the traffic policy
  * Activities: For each malformed packet, inject the packet into the receiving interface of the VPN client or server
  * Verdict: Packet does not exit the VPN interface => PASS, otherwise FAIL
  * Evidence: Malformed packets, packet capture, any log messages showing packet was dropped

#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

All mitigations are required for all products.
| Risk factors | Requires mitigations |
|--------------|----------------------|
| DAT < 1      | NUTI-1               |
| all others   | NUTI-1, NUTI-2       |

| Security Profile | Requires mitigations |
|------------------|----------------------|
| UC-1             | NUTI-1               |
| UC-2, UC-3, UC-4 | NUTI-1, NUTI-2       |

### 5.2.X **[TR-AUTH]** Authentication of servers
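Review bot: In MI-NUTI-1, "Preparation: None" is inconsistent with the Evidence line of the same block, which expects a "configuration file including the deny rule": the explicit deny rule in the central policy engine has to exist before the blocked traffic is sent, so Preparation should state it, e.g. "Configure the policy engine on both the VPN client and the VPN server with a deny rule for a test application, port and endpoint identity". Two smaller points in the same hunk. In MI-NUTI-2 the new Verdict "Packet does not exit the VPN interface" drops the direction that the removed Result line made explicit ("shall not attempt to forward it onto the internal restricted network"); since the Activities line injects the packet on the receiving interface, the Verdict should name the interface the packet must not leave. And the mapping tables replace "All mitigations are required for all products." with an exemption of NUTI-2 for DAT < 1 and UC-1; the rationale for letting those products skip protocol validity checks is not given, and DAT and UC-1 to UC-4 are not defined anywhere in this hunk, so a sentence of rationale and a cross-reference to where they are defined would help.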