Val/mitigationsupdates (abe169b2) · Commits · STAN4CRA / EN 304 620 Virtual Private Networks Part 1

EN-304-620-1.md

+22 −14

Original line number	Diff line number	Diff line
		@@ -629,22 +629,30 @@ Security profiles will be mapped to the security requirements necessary to mitig
		### 4.6.3 Mapping of security profile to technical requirements and mitigations

		\| Mitigation \| SP-1 \| SP-2 \| SP-3 \| SP-4 \|
		\|------------\|------\|------\|------\|------\|
		\|---------------------\|------\|------\|------\|------\|
		\| ROUT-1 \| Y \| Y \| Y \| Y \|
		\| CONF-1 \| Y \| Y \| Y \| Y \|
		\| CONF-2 \| Y \| Y \| Y \| Y \|
		\| CONF-3 \| Y \| Y \| Y \| Y \|
		\| NUTI-1 \| Y \| Y \| Y \| Y \|
		\| NUTI-2 \| Y \| Y \| Y \| Y \|
		\| NUTI-2 \| N \| Y \| Y \| Y \|
		\| AUTH-1 \| Y \| Y \| Y \| Y \|
		\| AUTH-2 \| Y \| Y \| Y \| Y \|
		\| AUTH-3 \| N \| Y \| Y \| Y \|
		\| AUTH-4 \| N \| Y \| Y \| Y \|
		\| AUTH-5 \| N \| Y \| Y \| Y \|
		\| DNSL-1 \| Y \| Y \| Y \| N \|
		\| DNSL-2 \| Y \| Y \| Y \| Y \|
		\| DNSL-3 \| N \| Y \| Y \| N \|
		\| DNSL-4 \| N \| Y \| Y \| Y \|
		\| DNSL-5 \| N \| N \| Y \| N \|
		\| DNSL-6 \| N \| N \| Y \| N \|
		\| EISO \| Y \| Y \| Y \| Y \|
		\| TRAF-1 \| N \| N \| Y \| N \|
		\| TRAF-(1 or 2 & 3 & 4) \| Y \| Y \| N \| Y \|

		_Table 3 — Security profiles mapped to mitigations_





		# Annex D (informative): Risk evaluation guidance

		## D.1 Mapping of risks to requirements

clauses/5.Requirements.md

+47 −16

Original line number	Diff line number	Diff line
		@@ -168,12 +168,28 @@ Some VPN node shall detect when multiple VPN clients are using credentials that
		* Verdict: Notification of both VPN clients or only one connection is active at a time => PASS, otherwise FAIL
		* Evidence: Configuration of clients, log messages showing notifications and/or connection status

		#### 5.2.X.x [MI-AUTH-5] Forced revocation of authorization of endpoints

		The VPN service shall provide a method to force revocation, temporary or permanent, of authorization of an endpoint by an authorized user. The revocation of authorization of the VPN client shall end the VPN connection for that client by the time the revocation indicates it has completed.

		* Reference: TR-AUTH
		* Objective: Protect VPN connection from unauthorized use
		* Preparation: None
		* Activities: Authorize an endpoint to connect to the VPN, connect it to the VPN, revoke its authorization, then attempt to access the VPN connection from the revoked client
		* Verdict: Revoked client cannot access the VPN connection => PASS, otherwise FAIL
		* Evidence: Logs or screenshots of authorization and revocation, packet capture

		#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

		\| Risk factors \| Requires mitigations \|
		\|--------------\|----------------------\|
		\|--------------\|----------------------------------------\|
		\| any \| AUTH-1, AUTH-2 \|
		\| DAT > 0 \| AUTH-3, AUTH-4 \|
		\| DAT > 0 \| AUTH-1, AUTH-2, AUTH-3, AUTH-4, AUTH-5 \|

		\| Security Profile \| Requires mitigations \|
		\|------------------\|----------------------------------------\|
		\| UC-1 \| AUTH-1, AUTH-2 \|
		\| UC-2, UC-3, UC-4 \| AUTH-1, AUTH-2, AUTH-3, AUTH-4, AUTH-5 \|

		### 5.2.X [TR-DNSL] DNS leak prevention

		@@ -259,6 +275,13 @@ The VPN client shall block or notify users of potential DNS bypass via encrypted

		#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

		\| Risk factors \| Requires mitigations \|
		\|-------------------\|------------------------------------------------\|
		\| DAT < 1 \| DNSL-1, DNSL-2 \|
		\| DAT < 2 & ADM > 0 \| DNSL-1, DNSL-2, DNSL-3, DNSL-4 \|
		\| DAT > 1 \| DNSL-1, DNSL-2, DNSL-3, DNSL-4, DNSL-5, DNSL-6 \|
		\| ADM < 1 \| DNSL-2, DNSL-4 \|

		\| Security Profile \| Requires mitigations \|
		\|------------------\|------------------------------------------------\|
		\| UC-1 \| DNSL-1, DNSL-2 \|
		@@ -281,6 +304,14 @@ The VPN provider shall by default not establish routes between different client
		* Verdict: Connection not possible or connection fails => PASS, otherwise FAIL
		* Evidence: Log messages, packet capture

		\| Risk factors \| Requires mitigations \|
		\|--------------\|----------------------\|
		\| all \| EISO \|

		\| Security Profile \| Requires mitigations \|
		\|------------------\|----------------------\|
		\| all \| EISO \|

		### 5.2.X TR-TRAF: No traffic through the node unless explicitly approved

		The VPN client shall not route traffic through the endpoint from sources/destinations other than the endpoint without the user's explicit informed consent, and such routing shall not be necessary for the use of any unrelated function.
		@@ -332,13 +363,13 @@ The VPN client shall not require routing of traffic from sources/destinations ot
		#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

		\| Risk factors \| Requires mitigations \|
		\|--------------\|-------------------------------------\|
		\| any \| TRAF-1 or (TRAF-2 & TRAF-3 & TRAF-4 \|
		\|--------------\|--------------------------------------\|
		\| any \| TRAF-1 or (TRAF-2 & TRAF-3 & TRAF-4) \|
		\| DAT > 1 \| TRAF-1 \|

		\| Security Profile \| Requires mitigations \|
		\|------------------\|-------------------------------------\|
		\| UC-1, UC-2, UC-4 \| TRAF-1 or (TRAF-2 & TRAF-3 & TRAF-4 \|
		\|------------------\|--------------------------------------\|
		\| UC-1, UC-2, UC-4 \| TRAF-1 or (TRAF-2 & TRAF-3 & TRAF-4) \|
		\| UC-3 \| TRAF-1 \|

		### 5.2.X TR-DMIN: Data minimization
		@@ -393,9 +424,9 @@ The VPN provider shall not store any PII of the user on remote data processing s
		FIXME is this useful? Is there a use case where the VPN client sends PII to the provider but the provider doesn't store the PII? For now, don't include as a mitigation for any use cases.

		\| Risk factors \| Requires mitigations \|
		\|----------------------\|------------------------\|
		\|--------------------\|------------------------\|
		\| any \| NPII-1, NPII-2 \|
		\| DAT == 2 or FUN == 2 \| NPII-1, NPII-2, NPII-3 \|
		\| DAT > 1 or FUN > 1 \| NPII-1, NPII-2, NPII-3 \|

		\| Security Profile \| Requires mitigations \|
		\|----------------------\|------------------------\|

Original line number	Diff line number	Diff line
		@@ -629,22 +629,30 @@ Security profiles will be mapped to the security requirements necessary to mitig
		### 4.6.3 Mapping of security profile to technical requirements and mitigations

		\| Mitigation \| SP-1 \| SP-2 \| SP-3 \| SP-4 \|
		\|------------\|------\|------\|------\|------\|
		\|---------------------\|------\|------\|------\|------\|
		\| ROUT-1 \| Y \| Y \| Y \| Y \|
		\| CONF-1 \| Y \| Y \| Y \| Y \|
		\| CONF-2 \| Y \| Y \| Y \| Y \|
		\| CONF-3 \| Y \| Y \| Y \| Y \|
		\| NUTI-1 \| Y \| Y \| Y \| Y \|
		\| NUTI-2 \| Y \| Y \| Y \| Y \|
		\| NUTI-2 \| N \| Y \| Y \| Y \|
		\| AUTH-1 \| Y \| Y \| Y \| Y \|
		\| AUTH-2 \| Y \| Y \| Y \| Y \|
		\| AUTH-3 \| N \| Y \| Y \| Y \|
		\| AUTH-4 \| N \| Y \| Y \| Y \|
		\| AUTH-5 \| N \| Y \| Y \| Y \|
		\| DNSL-1 \| Y \| Y \| Y \| N \|
		\| DNSL-2 \| Y \| Y \| Y \| Y \|
		\| DNSL-3 \| N \| Y \| Y \| N \|
		\| DNSL-4 \| N \| Y \| Y \| Y \|
		\| DNSL-5 \| N \| N \| Y \| N \|
		\| DNSL-6 \| N \| N \| Y \| N \|
		\| EISO \| Y \| Y \| Y \| Y \|
		\| TRAF-1 \| N \| N \| Y \| N \|
		\| TRAF-(1 or 2 & 3 & 4) \| Y \| Y \| N \| Y \|

		_Table 3 — Security profiles mapped to mitigations_





		# Annex D (informative): Risk evaluation guidance

		## D.1 Mapping of risks to requirements

Original line number	Diff line number	Diff line
		@@ -168,12 +168,28 @@ Some VPN node shall detect when multiple VPN clients are using credentials that
		* Verdict: Notification of both VPN clients or only one connection is active at a time => PASS, otherwise FAIL
		* Evidence: Configuration of clients, log messages showing notifications and/or connection status

		#### 5.2.X.x [MI-AUTH-5] Forced revocation of authorization of endpoints

		The VPN service shall provide a method to force revocation, temporary or permanent, of authorization of an endpoint by an authorized user. The revocation of authorization of the VPN client shall end the VPN connection for that client by the time the revocation indicates it has completed.

		* Reference: TR-AUTH
		* Objective: Protect VPN connection from unauthorized use
		* Preparation: None
		* Activities: Authorize an endpoint to connect to the VPN, connect it to the VPN, revoke its authorization, then attempt to access the VPN connection from the revoked client
		* Verdict: Revoked client cannot access the VPN connection => PASS, otherwise FAIL
		* Evidence: Logs or screenshots of authorization and revocation, packet capture

		#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

		\| Risk factors \| Requires mitigations \|
		\|--------------\|----------------------\|
		\|--------------\|----------------------------------------\|
		\| any \| AUTH-1, AUTH-2 \|
		\| DAT > 0 \| AUTH-3, AUTH-4 \|
		\| DAT > 0 \| AUTH-1, AUTH-2, AUTH-3, AUTH-4, AUTH-5 \|

		\| Security Profile \| Requires mitigations \|
		\|------------------\|----------------------------------------\|
		\| UC-1 \| AUTH-1, AUTH-2 \|
		\| UC-2, UC-3, UC-4 \| AUTH-1, AUTH-2, AUTH-3, AUTH-4, AUTH-5 \|

		### 5.2.X [TR-DNSL] DNS leak prevention

		@@ -259,6 +275,13 @@ The VPN client shall block or notify users of potential DNS bypass via encrypted

		#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

		\| Risk factors \| Requires mitigations \|
		\|-------------------\|------------------------------------------------\|
		\| DAT < 1 \| DNSL-1, DNSL-2 \|
		\| DAT < 2 & ADM > 0 \| DNSL-1, DNSL-2, DNSL-3, DNSL-4 \|
		\| DAT > 1 \| DNSL-1, DNSL-2, DNSL-3, DNSL-4, DNSL-5, DNSL-6 \|
		\| ADM < 1 \| DNSL-2, DNSL-4 \|

		\| Security Profile \| Requires mitigations \|
		\|------------------\|------------------------------------------------\|
		\| UC-1 \| DNSL-1, DNSL-2 \|
		@@ -281,6 +304,14 @@ The VPN provider shall by default not establish routes between different client
		* Verdict: Connection not possible or connection fails => PASS, otherwise FAIL
		* Evidence: Log messages, packet capture

		\| Risk factors \| Requires mitigations \|
		\|--------------\|----------------------\|
		\| all \| EISO \|

		\| Security Profile \| Requires mitigations \|
		\|------------------\|----------------------\|
		\| all \| EISO \|

		### 5.2.X TR-TRAF: No traffic through the node unless explicitly approved

		The VPN client shall not route traffic through the endpoint from sources/destinations other than the endpoint without the user's explicit informed consent, and such routing shall not be necessary for the use of any unrelated function.
		@@ -332,13 +363,13 @@ The VPN client shall not require routing of traffic from sources/destinations ot
		#### 5.2.X.x Mapping of mitigations to risk factors and security profiles

		\| Risk factors \| Requires mitigations \|
		\|--------------\|-------------------------------------\|
		\| any \| TRAF-1 or (TRAF-2 & TRAF-3 & TRAF-4 \|
		\|--------------\|--------------------------------------\|
		\| any \| TRAF-1 or (TRAF-2 & TRAF-3 & TRAF-4) \|
		\| DAT > 1 \| TRAF-1 \|

		\| Security Profile \| Requires mitigations \|
		\|------------------\|-------------------------------------\|
		\| UC-1, UC-2, UC-4 \| TRAF-1 or (TRAF-2 & TRAF-3 & TRAF-4 \|
		\|------------------\|--------------------------------------\|
		\| UC-1, UC-2, UC-4 \| TRAF-1 or (TRAF-2 & TRAF-3 & TRAF-4) \|
		\| UC-3 \| TRAF-1 \|

		### 5.2.X TR-DMIN: Data minimization
		@@ -393,9 +424,9 @@ The VPN provider shall not store any PII of the user on remote data processing s
		FIXME is this useful? Is there a use case where the VPN client sends PII to the provider but the provider doesn't store the PII? For now, don't include as a mitigation for any use cases.

		\| Risk factors \| Requires mitigations \|
		\|----------------------\|------------------------\|
		\|--------------------\|------------------------\|
		\| any \| NPII-1, NPII-2 \|
		\| DAT == 2 or FUN == 2 \| NPII-1, NPII-2, NPII-3 \|
		\| DAT > 1 or FUN > 1 \| NPII-1, NPII-2, NPII-3 \|

		\| Security Profile \| Requires mitigations \|
		\|----------------------\|------------------------\|