@@ -172,6 +172,7 @@ The following referenced documents may be useful in implementing an ETSI deliver
<spanid="_ref_i.11">[i.11]</span> Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) <https://eur-lex.europa.eu/eli/reg/2016/679/oj/eng#art_4>
<spanid="_ref_i.12">[i.12]</span> ETSI TS 104 103: "Cyber Security (CYBER); Encrypted Traffic Integration (ETI); Problem Statement review and requirements definition". <https://www.etsi.org/deliver/etsi_ts/104100_104199/104103/01.01.01_60/ts_104103v010101p.pdf>
* Filter traffic transiting a node according to complex rules
* Leave the restricted network
* Revoke the access of a node to the restricted use network
* Validate the payload prior to its encryption in VPN [\[i.12\]](#_ref_i.12)
## 4.3 Product architecture
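Review bot: the new capability bullet "Validate the payload prior to its encryption in VPN [i.12]" does not say which component performs the validation or against what it validates; the other hunks place this option in the VPN client (4.3.2) and require validity checks on both client and server (TR-NUTI), so consider "Validate the payload against the traffic policy at the VPN client prior to its encapsulation in the VPN tunnel" so the capability list and the requirement use the same terms. Also, the added reference entry [i.12] ends its title with a period before the URL while the preceding [i.11] entry does not; align the punctuation of the two entries.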
@@ -321,9 +323,9 @@ Some VPN products also provide management capabilities to network administrators
### 4.3.2 VPN client
For the purpose of the current document, a VPN client is a piece of software responsible for connecting a single end-point (such as a computing device or home router) to servers operating as exit nodes. A VPN client typically uses authentication credentials provided by the manufacturer and input by the consumer to establish secure tunnel(s) to an aforementioned exit node running VPN server software.
For the purpose of the current document, a VPN client is a piece of software responsible for connecting a single end-point (such as a computing device or home router) to servers operating as exit nodes. A VPN client typically uses authentication credentials provided by the manufacturer or administrator and input by the user to establish secure tunnel(s) to an aforementioned exit node running VPN server software.
After establishing a tunnel, the VPN client changes configuration of the host device operating system to facilitate connections to the private network—this can include changes to DNS configuration, firewall rules, routing table, etc. This configuration is tailored to the end-user, and may be based on a combination of local user or administrator preferences and policies configured by the VPN manufacturer.
After establishing a tunnel, the VPN client changes configuration of the host device operating system to facilitate connections to the private network—this can include changes to DNS configuration, firewall rules, routing table, etc. This configuration is tailored to the end-user, and may be based on a combination of local user or administrator preferences and policies configured by the VPN manufacturer. A VPN client could have an option to perform traffic validation prior to sending the data through the established secure tunnel [\[i.12\]](#_ref_i.12).
### 4.3.3 VPN server, VPN gateway
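Review bot: the terminology change in the first paragraph (credentials "provided by the manufacturer or administrator", "consumer" replaced by "user") is not carried into the second paragraph, which still reads "policies configured by the VPN manufacturer"; change it to "by the VPN manufacturer or administrator" so both paragraphs cover the managed deployment the edit introduces. In the added last sentence, "could have an option to perform traffic validation" is vague for a definitions clause; "may validate outgoing traffic against the traffic policy before sending it through the established secure tunnel" names what is validated and against what.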
@@ -364,6 +366,7 @@ A VPN product runs on a node in the context of an operating system, as an applic
@@ -364,11 +364,11 @@ Repository Metadata shall have an expiry date included in the signed portion of
#### 5.2.5.1 Requirement
From the moment the user activates the VPN connection until the user knowingly deactivates the VPN connection, no network traffic intended for the VPN connection shall exit the endpoint via anything other than the VPN connection, whether not it is functioning.
From the moment the user activates the VPN connection until the user knowingly deactivates the VPN connection, no network traffic intended for the VPN connection shall exit the endpoint via anything other than the VPN connection, whether or not it is functioning.
#### 5.2.5.2 MI-ROUT-1 VPN routing stays in effect until VPN connection deactivated
The product shall only report that the VPN connection is established after it has configured the system in such a way that all traffic intended to be routed through the VPN connection will only exit through the VPN connection until the user knowingly deactivates the VPN connection. This assumes no other software on the user's endpoint changes relevant network configuration (network interfaces, routes, DNS).
The product shall only report that the VPN connection is established after it has configured the system in such a way that all traffic intended to be routed through the VPN connection will only exit through the VPN connection until the user or administrator knowingly deactivates the VPN connection. This assumes no other software on the user's endpoint changes relevant network configuration (network interfaces, routes, DNS).
* Reference: TR-ROUT
* Objective: Prevent VPN traffic leaks
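Review bot: the requirement sentence in 5.2.5.1 still reads "until the user knowingly deactivates the VPN connection" while MI-ROUT-1 directly below it now reads "until the user or administrator knowingly deactivates"; apply the same change to the requirement so the test method does not cover a case the requirement itself does not state. Separately, the hunk header "@@ -364,6 +366,7 @@" has no body and is immediately followed by "@@ -364,11 +364,11 @@" whose context line ("Repository Metadata shall have an expiry date included in the signed portion of") is not text from this document, so the patch appears to have been generated against a stale or mixed base; regenerate it before merge.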
@@ -508,7 +508,7 @@ The VPN client and server shall be able to be configured to enforce granular pac
The VPN client and server shall implement data validity checks on all incoming packets to ensure they conform to the expected format and protocol of the restricted network.
* Reference: TR-NUTI
* Objective: Prevent unauthorized traffic in the VPN connection
* Objective: Prevent unauthorized and/or malicious traffic in the VPN connection
* Preparation: Create packets for each protocol supported by the traffic policy engine that have invalid or malformed headers designed to bypass the traffic policy
* Activities: For each malformed packet, inject the packet into the receiving interface of the VPN client or server
* Verdict: Packet does not exit the VPN interface => PASS, otherwise FAIL
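Review bot: the verdict "Packet does not exit the VPN interface" does not name the observation point: the activity injects the packet into the receiving interface of the client or server, so the check should state where a dropped packet is expected not to appear (not forwarded toward the restricted network on the server side, not delivered to the host on the client side). The preparation step also covers only malformed packets, so the test as written cannot tell a product that drops everything from one that applies the validity checks; add a well-formed control packet for each protocol with the verdict "control packet is forwarded and malformed packets are not". Finally, "unauthorized and/or malicious" in the objective reads ambiguously; "unauthorized or malicious" covers both cases.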