Unverified Commit 8ed22c85 authored by Aki Braun's avatar Aki Braun

Minor edits to smooth out transition

also a new VPN graphic.
parent 364ad80a
+22 −24

**Draft ETSI EN 304 620 v0.0.7 (2025-09)**

![~~CAPTION~~](../en-304-620-2/media/etsi-coverpage-logo.png)
![~~CAPTION~~](../en-304-620-1/media/etsi-coverpage-logo.png)



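Review bot: both cover-image lines still carry the placeholder alt text `~~CAPTION~~`; while the path is being corrected to `../en-304-620-1/media/etsi-coverpage-logo.png`, replace the alt text with a real description (for example `ETSI logo`) or leave it empty so the placeholder does not ship in the rendered cover page.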
@@ -9,6 +9,8 @@ CYBER; CRA; Harmonized Standards for essential cybersecurity requirements for Pr

CRA VPNs Topic # 20;<br />

Part 1 of 2<br />

Release #<br />


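Review bot: `Release #<br />` is left without a release designation while the new `Part 1 of 2<br />` line is filled in; either supply the release number or mark the line clearly as a placeholder so the cover block is not mistaken for finished text.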
@@ -106,6 +108,12 @@ The present document has been prepared under the Commission's standardisation re

Once the present document is cited in the Official Journal of the European Union under that Regulation, compliance with the normative clauses of the present document given in table A.1 confers, within the limits of the scope of the present document, a presumption of conformity with the corresponding requirements of that Regulation and associated EFTA regulations.

The present document is part 1 of a multi-part deliverable covering Cyber Security (CYBER); Essential cybersecurity requirements for products with digital elements with the function of virtual private networks (VPN)

Part 1: VPNs for secure remote access to private networks

Part 2: VPNs for private connection to public networks 

## Transposition table

The Harmonised Standard shall have appropriate transposition periods specified. A Harmonised Standard confers presumption of conformity when it has been published in the Official Journal of the European Union (OJEU) and transposed by a member state.
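Review bot: the new sentence `The present document is part 1 of a multi-part deliverable covering ... (VPN)` has no terminating full stop, and `Part 2: VPNs for private connection to public networks ` carries trailing whitespace. The two `Part N:` lines would also read better as a list in the document's existing `- ` style rather than two bare paragraphs.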
@@ -170,8 +178,8 @@ This list clarifies products whose functionality might be confused with the in-s

- Enterprise VPNs: Products with an intended purpose of providing a VPN for an organization's workforce or for connecting data centers are not in the scope of this standard, as they are covered in a separate document.
- VPNs for industrial OT domains: Products with digital elements intended for use in the industrial OT (Operational Technology) domain are explicitly excluded from this standard, as their security requirements are covered under a different standard (EN 62443-5-XX).
- Products with a VPN as a component: Products whose core purpose is not a VPN, but which contain VPN functionality, cannot rely on this standard alone for a presumption of conformity. This may include devices like a home router with an integrated VPN client.
- VPN services without a provided client: Commercial actors that provide a VPN service solely by providing users with configuration details (e.g., an OpenVPN config file) and do not provide an associated end-user client or managed hardware are not in scope.
- Products with a VPN as a component: Products whose core purpose is not a VPN, but which contain VPN functionality, cannot rely on this standard alone for a presumption of conformity. This may include devices like a home router with an integrated VPN client and products such as firewalls and routers. While these devices may have integrated VPN capabilities, their primary function is network security or traffic control, which is addressed by other standards.
- VPN services without a component provided for the customer or end user. Commercial actors that provide a VPN service solely by providing users with configuration details (e.g., an OpenVPN config file) and do not provide an associated end-user client or managed hardware are not in scope.
- Unsecured network connections: This standard does not apply to software or hardware intended to link two or more networks without implementing a secure connection.

# 2 References
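Review bot: the rewritten item `VPN services without a component provided for the customer or end user.` ends its label with a full stop while every other item in the list uses a colon; change it to a colon. In the expanded `Products with a VPN as a component` item, `a home router with an integrated VPN client and products such as firewalls and routers` names routers twice; suggest `devices such as home routers and firewalls with integrated VPN functionality`.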
@@ -324,23 +332,19 @@ The following types of products have reduced or varied requirements under Regula

### 4.2.1 Product overview

### 4.2.2 Architecture
For the purpose of the current document, a VPN is a product with digital elements that provides a secure tunnel to one or more servers managed by the manufacturer, which then route traffic to its originally intended destination, typically on a public network like the Internet. The product consists of any client software installed on a user device as well as any remote data processing on the manufacturer servers required for the product to function as expected.

### 4.2.3 VPN client
![A diagram illustrating an offsite device using a VPN client to encrypt traffic and send it through a public network, to a VPN server which decrypts the traffic.](../en-304-620-1/media/basic-consumer-vpn.png)

For the purpose of the current document, a VPN client is a piece of software responsible for connecting a single end-point (such as a computing device or home router) to servers operating as exit notes controlled by the manufacturer. A VPN client typically uses authentication credentials provided by the manufacturer and input by the consumer to establish secure tunnel(s) to an aforementioned exit node running VPN server software.
### 4.2.2 VPN client

TODO I don't think consumer mesh "VPN"s are covered by the CRA, perhaps investigate further
For the purpose of the current document, a VPN client is a piece of software responsible for connecting a single end-point (such as a computing device or home router) to servers operating as exit notes controlled by the manufacturer. A VPN client typically uses authentication credentials provided by the manufacturer and input by the consumer to establish secure tunnel(s) to an aforementioned exit node running VPN server software.

After establishing a tunnel, the VPN client changes configuration of the host device operating system to facilitate connections to the private network - this can include changes to DNS configuration, firewall rules, routing table, etc. This configuration is tailored to the end-user, and is based on a combination of local user preferences and policies configured by the VPN manufacturer.

### 4.2.4 VPN server, VPN gateway
### 4.2.3 VPN server, VPN gateway

A VPN server is responsible for maintaining tunnels with VPN clients TODO

### 4.2.5 Management server

TODO based on RDPS, how much of this is permitted to be in scope?
A VPN server is responsible for maintaining tunnels between VPN clients and the resources they are requesting.

## 4.3 Use cases

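Review bot: `servers operating as exit notes` (present in both the old and the moved VPN client paragraph) should read `exit nodes`, so the renumbered clause 4.2.3 inherits the typo. The new clause 4.2.2 Architecture text says the manufacturer's servers `route traffic to its originally intended destination, typically on a public network like the Internet`, which matches the Part 2 title `VPNs for private connection to public networks` rather than this document's Part 1 title `VPNs for secure remote access to private networks`; the retained sentence `to facilitate connections to the private network` points the other way again, so the architecture description and the part title need to be reconciled. The placeholders `A VPN server is responsible for maintaining tunnels with VPN clients TODO` and `TODO based on RDPS, how much of this is permitted to be in scope?` are still in the clause text.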
@@ -351,7 +355,6 @@ See [i.3] for formal definitions of micro, small, and medium-sized enterprises.
* **UC-1** Individual consumer
  * Client installed on personal devices like mobile phone, portable or desktop computer
  * Securing traffic on untrusted networks
  * Bypassing georestricted content
  * User may lack advanced security knowledge

* **UC-2** Privacy conscious household
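Review bot: dropping `Bypassing georestricted content` leaves UC-1 with no stated reason for selecting a server location, while `CFG-L-1 End-point has limited user configuration options, such as choosing a region to connect to` elsewhere in this change still assumes one; if georestriction bypass is deliberately out of scope, reword the region-selection example or record the rationale.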
@@ -360,7 +363,7 @@ See [i.3] for formal definitions of micro, small, and medium-sized enterprises.

* **UC-3** Journalist or activist
  * At high risk of surveillance
  * Actively circumventing censorship
  * Actively circumventing observation from competitors, hackers, and unsanctioned state actors

* **UC-4** Small enterprise, small not-for-profit organisation
  * limited or no full-time IT/network administration
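Review bot: `unsanctioned state actors` is ambiguous (unsanctioned by whom?) and `hackers` is not a term the document defines; suggest `state actors acting without legal authority` and `criminal attackers`, and add the chosen terms to clause 3. Note also that `Actively circumventing censorship` disappears from UC-3 even though circumventing censorship and avoiding observation are distinct goals with different requirements.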
@@ -380,13 +383,9 @@ See [i.3] for formal definitions of micro, small, and medium-sized enterprises.

The risk factors identified by the risk assessment in Annex C are grouped into risk categories and assigned unique identifiers below. Note that the numeric identifiers are just that—identifiers. They are not intended to implied tiered security needs.

TODO

* End-point configuration
  * **CFG-L-0** End-point is fully preconfigured by enterprise IT, remote end-points and public keys updated by MDM
  * **CFG-L-1** End-point has limited user configuration options, such as choosing a region to connect to
  * **CFG-L-2** End user is provided clear configuration instructions and software is supplied directly by manufacturer or MDM
  * **CFG-L-3** End user is provided configuration information for any protocol-appropriate software to connect to the network

* Account management and authentication of endpoints
  * **AUT-L-0** Customer uses third party identity provider
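Review bot: the retained sentence `They are not intended to implied tiered security needs.` should read `They are not intended to imply tiered security needs.` Separately, `CFG-L-0 End-point is fully preconfigured by enterprise IT, remote end-points and public keys updated by MDM` and `CFG-L-2 ... supplied directly by manufacturer or MDM` describe enterprise-managed deployments, which the scope list in this same change excludes; if these levels are kept, they should be re-examined against the consumer scope.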
@@ -423,8 +422,6 @@ TODO risk factors, security profiles

The purpose of a consumer VPN is to create a tunnel between client devices and a server that provides access to a public or private network while obfuscating information about the source device. Potential functions include:

Depending on the use case, VPNs provide different functions. Potential functions include:

* Authenticating client connections 
* Determining to which exit nodes a clients may connect
* Establishing a secure tunnel between devices and exit nodes
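Review bot: `Determining to which exit nodes a clients may connect` should be `a client`, and `Authenticating client connections ` has trailing whitespace. The lead sentence `a tunnel between client devices and a server` is singular while the bullets speak of `exit nodes`, and `obfuscating information about the source device` is vague for a statement of purpose; say what is hidden (for example the source IP address from the destination) because later requirements will have to be tested against it.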
@@ -576,6 +573,8 @@ The VPN product offers the following security functionalities to other component
  - Network configuration audit logs
  - Network flow logs and other statistics about data transferred over the network
  - Debugging logs from end-points and VPN gateways
- Software applications
  - Device-native applications for connecting to the network (Client or Node software)

### C.1.2 Product functions

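Review bot: `(Client or Node software)` introduces `Node` as a component name, but clause 4.2 in this same change defines only `VPN client` and `VPN server, VPN gateway`; use those terms (or define `node` in clause 3) so Annex C matches the architecture clauses.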
@@ -601,13 +600,12 @@ A basic overview of VPN functions follows. See clause 4.7 for a detailed overvie
  - End-point malware hijacking traffic or recording activity
  - Unauthorised but authenticated access by a compromised node/end-point
  - Misconfigured end-point exposing authentication information
  - Cloning of the end-point machine to gain unauthorized access
- Social engineering resulting in credential harvesting (both for end-users, and admins accessing the management server)
- DoS attack (both for tunnel endpoints, and for the management server)
- DoS attack on manufacturer's remote data processing
- manufacturer infra compromise & isolation bugs in a multi-tenant SaaS system
- Activity exposure via unauthorised log access
- Out-of-the-box configuration that necessarily requires modification to be secure


## C.3 Assumptions

> List assumptions that are relevant to the risk analysis for these threats. Everything is hackable if you try hard enough. What kinds of threats are in and out of scope? What are you assuming is the sophistication of attack? Relate to use cases.
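Review bot: `manufacturer infra compromise & isolation bugs in a multi-tenant SaaS system` is informal and lower-case next to the neighbouring items; suggest `Compromise of manufacturer infrastructure, or tenant-isolation failures in a multi-tenant SaaS back end`. `Cloning of the end-point machine to gain unauthorized access` uses US spelling while the list otherwise uses `Unauthorised`. If `DoS attack (both for tunnel endpoints, and for the management server)` is being replaced by `DoS attack on manufacturer's remote data processing`, denial of service against the tunnel endpoints themselves is no longer listed, although it remains a threat to a consumer VPN client or gateway; keep both entries or state why the endpoint case is out of scope.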