@@ -774,19 +774,21 @@ All elements of the product that connect to nodes providing cybersecurity-releva
#### 5.2.8.7 MI-AUTH-6 Brute force protection (### 5.5.N AAC)
***\[REQ-AAC-v4ifa]**
***\[REQ-AAC-v4ifa]**The product shall use credentials with at least 128 bit of entropy, or rate-limit authentication attempts.
> TODO: Mitigation documenting that the operational environment must provide brute force protection.
[//]:#(### 6.5.N AAC)
> NOTE: Rate limiting can be implemented in various layers on the application layer or the network layer. If implemented on the application layer, the product is responsible for enforcing appropriate rate limiting in relation to the expected entropy of the credential. If implemented on the network layer, the mitigation may be transferred to the operational environment, in case the operational environment offers sufficient protections, such as firewalls that enforce brute-force protections.
[//]:#(### 6.5.N AAC)
* Reference: TR-AUTH
* Requirement: **REQ-AAC-v4ifa**
* Objective: Protect VPN connection from unauthorized use
* Preparation:
* Activities:
* Verdict:
* Evidence:
* Preparation: For each supported VPN protocol, reference the documentation to assess the entropy of the credentials.
* Activities: If credentials are low entropy credentials (below 128 bits) conduct a brute-force of credentials. Observe network responses.
* Verdict: If appropriate rate limiting is enforced => PASS, otherwise => FAIL
* Evidence: Network logs and package capture, Documentation
#### 5.2.8.8 MI-AUTH-7 Authorization of endpoints (### 5.5.N AAC)
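Review bot: The Verdict in the added test case drops the first branch of the requirement it verifies. REQ-AAC-v4ifa is satisfied either by credentials with at least 128 bits of entropy or by rate limiting, and the Activities line already branches on that ("If credentials are low entropy credentials (below 128 bits) conduct a brute-force"), but the Verdict reads "If appropriate rate limiting is enforced => PASS, otherwise => FAIL", so a product whose VPN protocols use only high-entropy credentials and no rate limiting would be marked FAIL. Suggest "Verdict: If every supported VPN protocol uses credentials with at least 128 bits of entropy, or rate limiting is enforced for lower-entropy credentials => PASS, otherwise => FAIL", and, since the NOTE ties "appropriate" to the credential entropy, state in Activities what counts as appropriate (for example the number of attempts per unit of time that were observed to be refused) so the verdict is reproducible. Two smaller points: "Evidence: Network logs and package capture" should read "packet capture", and the requirement line appears twice with unbalanced emphasis markers ("***\[REQ-AAC-v4ifa]**", three asterisks opening and two closing), which will render oddly; one copy with matching markers is enough. The "TODO: Mitigation documenting that the operational environment must provide brute force protection" is also left open while the NOTE already describes that transfer to the operational environment; either resolve it here or leave a tracking reference.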