@@ -117,9 +117,9 @@ The VPN client and server shall implement data validity checks on all incoming p
| UC-1 | NUTI-1 |
| UC-2, UC-3, UC-4 | NUTI-1, NUTI-2 |
### 5.2.X **[TR-AUTH]** Authentication of servers
### 5.2.X **[TR-AUTH]** Authentication of nodes
All elements of the product that connect to servers providing security-relevant services shall authenticate the server before using any services from the servers.
All elements of the product that connect to nodes providing security-relevant services shall authenticate the node before using any services from the node.
#### 5.2.X.x **[MI-AUTH-1]** Authentication via pre-shared secrets
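Review bot: The rename from "servers" to "nodes" in the TR-AUTH heading and requirement text leaves the term undefined while the surrounding context still says "The VPN client and server" and the next hunk says "VPN client, server, or other node"; if "node" is the new umbrella term, define it once (e.g. "node: any VPN client, server or peer that provides or consumes security-relevant services") and use it consistently, otherwise the requirement reads as applying to an unspecified subset of elements. The rewritten sentence also only obliges the connecting element to "authenticate the node before using any services from the node"; state whether the node providing the service must authenticate the connecting element in turn, or reference the requirement that covers that direction.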
@@ -158,20 +158,22 @@ The VPN client, server, or other node shall implement an authentication timeout
The VPN client or server shall detect when multiple clients are using credentials that should be unique to a VPN client and notify the users of both VPN clients.
Some VPN node shall detect when multiple VPN clients are using credentials that should be unique to a VPN client and notify the users of both VPN clients or only allow one connection per credential.
- TR: detect identical clients
- TR: store credentials in secure TPM
- TR: don't use reusable credentials
- TR: document what the user has to do to avoid this
- TR: document that this product isn't appropriate for use case or doesn't provide this thin
* Applicability: VPN client credentials can be duplicated
* Reference: TR-AUTH
* Objective: Protect VPN connection from unauthorized use
* Preparation: Configure two VPN clients with identical credentials that should be unique to a VPN client
* Activities: Connect to the VPN with both VPN clients
* Verdict: Notification of both VPN clients or only one connection is active at a time => PASS, otherwise FAIL
* Evidence: Configuration of clients, log messages showing notifications and/or connection status
#### 5.2.X.x Mapping of mitigations to risk factors and security profiles
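Review bot: "Some VPN node shall detect when multiple VPN clients are using credentials ..." is not testable as written because it names no responsible element; say which node carries the obligation (the node that terminates the connections and validates the credential, typically the VPN server) or phrase it as "At least one VPN node in the connection path shall ...", so the test case's Verdict has a defined subject. The five "- TR:" bullets under it read as draft notes rather than requirement text (the last one is cut off at "doesn't provide this thin"); turn them into proper sub-requirements or mitigation references, or drop them before merging. In the test case, "Activities: Connect to the VPN with both VPN clients" should state that the two connections are attempted concurrently from separate endpoints, since the requirement is about simultaneous use of one credential, and the Evidence line should ask for the log entries of the node that performed the detection, not just "log messages".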