Commit 7855f388 authored by Aki Braun's avatar Aki Braun

First pass at resolving comments from OC5

parent 98faf117
+2 −2
Original line number Diff line number Diff line
@@ -282,7 +282,7 @@ Some VPN products also provide management capabilities to network administrators

### 4.3.2 VPN client

For the purpose of the current document, a VPN client is a piece of software responsible for connecting a single end-point (such as a computing device or home router) to servers operating as exit nodes. A VPN client typically uses authentication credentials provided by the manufacturer or administrator and input by the user to establish secure tunnel(s) to an aforementioned exit node running VPN server software.
For the purpose of the current document, a VPN client is a software application responsible for connecting a single end-point (such as a computing device or home router) to servers operating as exit nodes. A VPN client typically uses authentication credentials provided by the manufacturer or administrator and input by the user to establish secure tunnel(s) to an aforementioned exit node running VPN server software.

After establishing a tunnel, the VPN client changes configuration of the host device operating system to facilitate connections to the private network—this can include changes to DNS configuration, firewall rules, routing table, etc. This configuration is tailored to the end-user, and may be based on a combination of local user or administrator preferences and policies configured by the VPN manufacturer. A VPN client could have an option to perform traffic validation prior to sending the data through the established secure tunnel  [\[i.12\]](#_ref_i.12).

@@ -304,7 +304,7 @@ The physical hardware the VPN product is using may be:

### 4.4.2 Logical/Software environment

VPNs can be expected to operate in a network environment alongside other Important PwDEs such as Identity and Access Management Systems, Network Interfaces, Routers, Firewalls, and SIEM systems. Manufacturers are expected to harden VPN attack surfaces against potential attack vectors from compromised PwDEs, but in particular those considered Important and Critical. See clause 4.5 for further information about the relationship between VPNs and related software.
VPNs can be expected to operate in a network environment alongside other Important products such as Identity and Access Management Systems, Network Interfaces, Routers, Firewalls, and SIEM systems. Manufacturers are expected to harden VPN attack surfaces against potential attack vectors from compromised PwDEs, but in particular those considered Important and Critical. See clause 4.5 for further information about the relationship between VPNs and related software.

A VPN requires an existing physical or virtual network whose resources it can use. The underlying network provides the functions necessary to connect to at least one node of the VPN.
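
Review bot: the first sentence now says "Important products" while the second sentence of the same paragraph still says "compromised PwDEs, but in particular those considered Important and Critical". Pick one term for the paragraph: if the intent is to drop the PwDE acronym, change the second sentence too ("from compromised products, but in particular those considered Important and Critical"); otherwise keep "Important PwDEs" in the first sentence so the abbreviation is introduced before it is used.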

+12 −12
@@ -323,7 +323,7 @@ Some possible reasons (non-exhaustive) the information in a signature envelope c
* Authority that issued the X.509 cert for one of the signing keys has been revoked
* Signing key has been removed from the set of valid signing keys in TUF/Uptane root metadata

* Reference: TU-SCUD
* Reference: TR-SCUD
* Objective: Ensure keys have not been revoked and are still valid, including their complete chain of trust
* Preparation: Create Repository Metadata signed with a formerly valid key that has been revoked
* Activities: Send the Repository Metadata signed with the revoked key to the device during an update check
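
Review bot: the reference fix from TU-SCUD to TR-SCUD is right, but the test case still exercises only one of the revocation reasons listed above it. The Objective says "including their complete chain of trust", yet Preparation and Activities only cover Repository Metadata signed with a revoked signing key; the revoked issuing authority case (the X.509 bullet) is never sent to the device. Either add an activity that uses a key whose issuing authority has been revoked, or narrow the Objective to the signing-key case.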
@@ -354,7 +354,7 @@ Repository Metadata shall have an expiry date included in the signed portion of
* Verdict: Update check fails and error is reported => PASS, otherwise => FAIL
* Evidence: Error message, before and after comparison showing update metadata is not changed

### 5.2.5 TR-ROUT VPN traffic routed only through VPN connection during VPN connection
### 5.2.5 TR-ROUT: VPN traffic routed only through VPN connection during VPN connection

#### 5.2.5.1 Requirement
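
Review bot: the Verdict line in this hunk uses "=> PASS, otherwise => FAIL", while the other test cases in this file write "=> PASS, otherwise FAIL"; settle on one form. The new heading also repeats "VPN connection" twice ("routed only through VPN connection during VPN connection"); "TR-ROUT: All traffic routed only through the VPN while connected" says the same thing without the repetition.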

@@ -395,7 +395,7 @@ The VPN client shall by default be configured to route all network traffic from
* Verdict: All traffic from all applications is routed through the VPN connection.
* Evidence: Packet capture showing traffic from multiple applications going through the VPN interface.

### 5.2.6 TR-CONF VPN client preserves system configuration
### 5.2.6 TR-CONF: VPN client preserves system configuration

#### 5.2.6.1 Requirement
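
Review bot: the Verdict of the TR-ROUT test case in this hunk ("All traffic from all applications is routed through the VPN connection.") is the only one without an explicit outcome; bring it in line with the others, e.g. "All traffic from all applications is routed through the VPN connection => PASS, otherwise FAIL".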

@@ -437,7 +437,7 @@ The VPN client shall provide a user or administrator documentation to restore an

The VPN client shall not reduce system security after the end of the VPN connection, even if normal connection shutdown tasks have not completed.

> NOTE: This is a "fail-closed" requirement—if something goes with the VPN connection, it is better to end with a more restricted/secure network configuration than the configuration before the VPN connection started, than a less restricted network configuration.
> NOTE: This is a "fail-closed" requirement—if the VPN connection experiences an unexpected failure, it is better to end with a more restricted/secure network configuration than the configuration before the VPN connection started, than a less restricted network configuration.

* Reference: TR-CONF
* Objective: Preserve cybersecurity of system
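
Review bot: the rewording of the failure condition is clearer, but the second half of the NOTE is still a double comparison ("it is better to end with ... than the configuration before the VPN connection started, than a less restricted network configuration"). Suggest: "it is better to end with a network configuration that is more restricted/secure than the one in place before the VPN connection started than with a less restricted one."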
@@ -477,10 +477,10 @@ User interfaces, especially in regard to settings, shall be designed in a manner
* Objective: Prevent attack exposure from misconfigured VPN software
* Preparation: Access preferences or settings of VPN client
* Activities: Attempt to configure the software in a way which exposes the user or their traffic to an attacker
* Verdict: The VPN client does not permit reduced cybersecurity via configuration, or provides a clear, recallable warning about the impact of the users's configuration actions => PASS, otherwise FAIL
* Verdict: The VPN client does not permit reduced cybersecurity via configuration, or provides a clear, recallable warning about the impact of the user's configuration actions => PASS, otherwise FAIL
* Evidence: Recorded configuration options, annotation of settings which provided warning

### 5.2.7 TR-NUTI No untrusted traffic in the VPN connection
### 5.2.7 TR-NUTI: No untrusted traffic in the VPN connection

#### 5.2.7.1 Requirement
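
Review bot: "recallable warning" in the Verdict is not defined anywhere in the hunk. If it means the warning can be brought up again from the settings screen after being dismissed, say so, because the Evidence line ("annotation of settings which provided warning") only records that a warning appeared, not that it can be recalled. The possessive fix (user's) is correct.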

@@ -508,7 +508,7 @@ The VPN client and server shall implement data validity checks on all incoming p
* Verdict: Packet does not exit the VPN interface => PASS, otherwise FAIL
* Evidence: Malformed packets, packet capture, any log messages showing packet was dropped

### 5.2.8 TR-AUTH Authentication of nodes
### 5.2.8 TR-AUTH: Authentication of nodes

#### 5.2.8.1 Requirement

@@ -583,7 +583,7 @@ The VPN service shall provide a method to force revocation, temporary or permane
* Verdict: 
* Evidence:

### 5.2.9 TR-DNSL DNS leak prevention
### 5.2.9 TR-DNSL: DNS leak prevention

#### 5.2.9.1 Requirement
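
Review bot: the Verdict and Evidence fields of the forced-revocation test case just above the new TR-DNSL heading are empty. This commit touches the heading but leaves the incomplete test case in place; fill them in (for example, a revoked credential can no longer establish a connection => PASS, otherwise FAIL, with the revocation record and connection attempt log as evidence) or mark them TBD so the gap stays visible.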

@@ -721,13 +721,13 @@ The VPN client shall disable by default the capability for routing traffic from

#### 5.2.11.4 MI-TRAF-3: Notify user if routing traffic from other sources

The VPN client shall alert the user if traffic if the endpoint is allowing traffic from sources/destinations other than the endpoint to be routed through the endpoint.
The VPN client shall alert the user if the endpoint is allowing traffic from sources/destinations other than the endpoint to be routed through the endpoint.

* Reference: TR-TRAF
* Objective: Prevent unauthorized network access to endpoints
* Preparation: None
* Activities: Connect an endpoint, enable the routing of external traffic through it, and observe the UI and system
* Verdict: User receives some alert or notification that clearly indicates forwarding is enabled => PASS, FAIL
* Verdict: User receives some alert or notification that clearly indicates forwarding is enabled => PASS, otherwise FAIL
* Evidence: Record of UI change

#### 5.2.11.5 MI-TRAF-4: No routing traffic from other sources if not necessary for services
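
Review bot: the duplicated "if traffic if" and the missing "otherwise" are fixed, but the requirement sentence is still hard to parse ("traffic from sources/destinations other than the endpoint to be routed through the endpoint"). Suggest: "The VPN client shall alert the user when the endpoint is forwarding traffic that originates from, or is destined to, hosts other than the endpoint itself." In the test case, "some alert or notification" should read "an alert or notification", and Preparation "None" does not match Activities, which requires enabling forwarding that the preceding requirement (the @@ context line) says is disabled by default; move the enabling step into Preparation so Activities covers only the observation.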
@@ -794,9 +794,9 @@ The VPN shall not store any Personal Data of the user on remote data processing
* Verdict: Policy is consistent with not storing Personal Data and samples of stored data contain no Personal Data
* Evidence: Policy, samples of stored data, documentation of why the samples don't contain Personal Data

### 5.2.13 TR-IPV6 Secure IPv6 Handling
### 5.2.13 TR-IPV6: Secure IPv6 Handling

#### 5.2.13.1 Requirement6
#### 5.2.13.1 Requirement

The VPN product shall handle IPv6 traffic in a secure manner that prevents data leaks.
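
Review bot: the stray "6" in the heading is fixed, but the IPv6 requirement as written ("handle IPv6 traffic in a secure manner that prevents data leaks") gives the tester nothing observable to check. State the acceptable behaviours (for example, IPv6 traffic is carried inside the tunnel, or is blocked while the tunnel is up) so a verdict can be written against them. Also, the Verdict line in this hunk's context ("Policy is consistent with not storing Personal Data and samples of stored data contain no Personal Data") lacks the "=> PASS, otherwise FAIL" form used elsewhere.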