Unverified Commit bfb9bf52 authored by Aki Braun

Resolves OC5 46, clarifying split tunnelling requirement

parent e58efa75
+4 −4
@@ -374,10 +374,10 @@ The product shall ensure that when the connection to the VPN server is lost at t

#### 5.2.5.4 MI-ROUT-3 Tunnel all traffic by default

The VPN client shall by default be configured to route all network traffic from the endpoint through the VPN connection. If the client offers a mode that only tunnels traffic from specific applications (e.g., "split tunneling" or browser-only mode), this shall not be the default mode. Where the user is responsible for configuration of tunnel policy, the user must be clearly informed of its limitations before enabling it.
The VPN client shall by default be configured to route all network traffic from the endpoint through the VPN connection. If the client offers a configuration that only tunnels traffic from specific applications (e.g., "split tunnelling" or "browser-only mode"), this shall not be the default configuration. Where the user or administrator is responsible for configuration of tunnel policy, the user must be clearly informed of its limitations before enabling it.

* Reference: TR-ROUT
* Objective: Prevent user confusion and unexpected traffic leaks from non-tunneled applications
* Objective: Prevent user confusion and unexpected traffic leaks from non-tunnelled applications
* Preparation: Perform a factory reset or new installation of the VPN client.
* Activities: Start the VPN connection using the default configuration. Generate traffic from multiple applications (e.g., a web browser and a separate command-line tool). Capture traffic on all interfaces.
* Verdict: All traffic from all applications is routed through the VPN connection.
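Review bot: In the rewritten MI-ROUT-3 paragraph, the last sentence now covers "the user or administrator" but still ends with "the user must be clearly informed of its limitations before enabling it", so when an administrator sets the tunnel policy it is unclear who has to be informed and who is doing the enabling. Suggest naming the party that enables the configuration (for example "the person enabling it shall be clearly informed") and using "shall" instead of "must" to match the first two sentences of the requirement. The Activities and Verdict only exercise the default configuration, so the informing obligation has no test step; consider adding one.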
@@ -1080,6 +1080,7 @@ This clause lists all the mitigations necessary to meet requirements for each se
  1. AUTH-6
  1. CDST
  1. LOGG-1
  1. ROUT-3
  1. SCFS
  1. SSCA
  1. VULH
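Review bot: ROUT-3 appears in this list without ROUT-1 or ROUT-2 (the header counts, 6 to 7, show one entry added here), unlike the other lists touched by this commit, where the three routing mitigations sit together. If that is intended, a sentence in the commit message or the profile text explaining why this profile needs tunnel-all-by-default but not the other routing mitigations would help; if not, check whether ROUT-1 and ROUT-2 belong here too.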
@@ -1117,6 +1118,7 @@ This clause lists all the mitigations necessary to meet requirements for each se
  1. NPER-1
  1. ROUT-1
  1. ROUT-2
  1. ROUT-3
  1. SCFS
  1. SSCA
  1. SUAU
@@ -1290,7 +1292,6 @@ This clause lists all the mitigations necessary to meet requirements for each se
  1. NUTI-2
  1. ROUT-1
  1. ROUT-2
  1. ROUT-3
  1. SCFS
  1. SDRF
  1. SDTR
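Review bot: Dropping ROUT-3 from this list (header counts go from 7 to 6) changes what the profile requires, which goes beyond the "clarifying" described in the commit message. A product assessed against this profile would no longer have to tunnel all traffic by default, so the rationale should be recorded in the commit message or the clause text, ideally in a commit separate from the wording fix to MI-ROUT-3.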
@@ -1383,7 +1384,6 @@ TODO: update security analysis to better allow for this security profile's needs
1. NUTI-2
1. ROUT-1
1. ROUT-2
1. ROUT-3
1. SCFS
1. SDRF
1. SDTR
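Review bot: The ROUT-3 removal in this list sits under a section whose hunk header still carries "TODO: update security analysis to better allow for this security profile's needs", so the mitigation list is being changed before the analysis that should justify it is settled. Suggest either resolving the TODO in the same change or adding a line that ties the removal to OC5 46, so a later reader can trace why tunnel-all-by-default no longer applies to this profile.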