@@ -67,7 +67,7 @@ The purpose of this document is to provide essential cybersecurity requirements
# Introduction
The present document defines cybersecurity requirements for products with digital elements which have the primary purpose is providing private connections to public networks such as the Internet or other private networks. Demonstrating compliance with the present document is voluntary, but doing so provides a presumption of conformity with Regulation (EU) 2024/2847, the Cyber Resilience Act [\[i.1\]](#_ref_i.1).
The present document defines cybersecurity requirements for products with digital elements which have the primary purpose of providing an overlay network across a public or private network, or private connections to public networks such as the Internet or other private networks. Demonstrating compliance with the present document is voluntary, but doing so provides a presumption of conformity with Regulation (EU) 2024/2847, the Cyber Resilience Act [\[i.1\]](#_ref_i.1).
The present document does not provide presumption of conformity for products with digital elements which include a VPN feature as part of a larger networking or cybersecurity product, though it may be useful as one part of the process of demonstrating compliance for a product containing or interacting with VPNs.
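Review bot: the scope sentence now covers products whose primary purpose is "providing an overlay network across a public or private network", but the following paragraph still excludes any product that includes "a VPN feature as part of a larger networking or cybersecurity product"; an enterprise overlay product of the kind described later in 4.2 is usually exactly that, so the two paragraphs need a stated boundary. Suggest giving the criterion explicitly, e.g. that the presumption applies when the tunnel or overlay function is the product's primary purpose as placed on the market, and that the enterprise wide-area case in 4.2 is in scope.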
@@ -193,10 +193,10 @@ For the purposes of the present document, the terms given in [\[i.1\]](#_ref_i.1
: cybersecurity as defined in Article 2, point (1), of Regulation (EU) 2019/881 [\[i.5\]](#_ref_i.5)
**end-point**
: device that is connected to a network and serves as an entry point to that network
: device that is connected to a virtual private network and serves as an entry point for packets destined for that network
**exit node**
: VPN server software and associated hardware which routes user requests to and from their intended destination
: VPN server software and associated hardware which routes packets to and from their intended destination
**hardware**
: physical electronic information system, or parts thereof capable of processing, storing or transmitting digital data
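Review bot: the new end-point definition, "device that is connected to a virtual private network and serves as an entry point for packets destined for that network", only covers ingress; the same device is also where packets leaving the VPN are delivered, and 4.1.1 uses the term for both sides of the tunnel. Suggest "serves as an entry or exit point for packets carried by that network". Also check that "end-point" here and "endpoint" in 5.2.5.4 ("route all network traffic from the endpoint") are spelled consistently.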
@@ -254,15 +254,15 @@ For the purposes of the present document, the following abbreviations apply:
### 4.1.1 Intended Purpose
The purpose of a VPN is to create encrypted end-to-end communication between two end-points.
The purpose of a VPN is to create a secure overlay network between remote end-points or networks.
State of the art VPNs are generally defined by their functionality to provide access an "exit node" through which a user can elect to direct their internet traffic. Exit nodes can be controlled by users or, more commonly, the manufacturer. They may exist on user-owned and/or -operated hardware, manufacturer-owned and/or -operated hardware, or third party "cloud" infrastructure.
State of the art VPNs are generally defined by their functionality to provide access an "exit node" through which traffic can be directed. Exit nodes can be controlled by users, enterprises, or manufacturers. They may exist on user-owned and/or -operated hardware, manufacturer-owned and/or -operated hardware, or third party "cloud" infrastructure.
In a business environment, VPNs may also be used to create a restricted-use network without requiring separate physically restricted infrastructure. The VPN software controls which nodes can participate in the restricted-use network and which functions or data the node is able to use or access.
### 4.1.2 Reasonably foreseeable use
There are many reasons for VPNs' use, such as obfuscating information about the source of the VPN client, data transiting through an untrusted domain, etc. The use cases defined in clause 4.7 of the present document describe a range of reasonably foreseeable uses, which identify a range of cybersecurity needs. This does not cover *all* reasonably foreseeable uses.
There are many reasons for VPNs' use, such as building secure overlay enterprise networks or obfuscating information about the source of the VPN client, data transiting through an untrusted domain, etc. The use cases defined in clause 4.7 of the present document describe a range of reasonably foreseeable uses, which identify a range of cybersecurity needs. This does not cover *all* reasonably foreseeable uses.
## 4.2 Essential functions
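Review bot: "provide access an "exit node"" is missing "to" in both the old and the new sentence; while you are there, the claim that state of the art VPNs "are generally defined by" exit-node access now sits directly under a purpose statement that also covers overlay networks between networks, where there is no exit node in this sense. Suggest "State of the art remote-access VPNs are generally characterised by providing access to an "exit node" ..." and leave the overlay case to the following paragraph.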
@@ -271,9 +271,9 @@ The VPN product is a collection of software running on different devices, contex
Potential functions include:
* Authenticating client connections
* Determining to which exit nodes a clients may connect
* Determining to which exit nodes a clients may direct traffic towards
* Establishing a secure tunnel between devices and exit nodes
* Obfuscating the source or target of traffic sent through the tunnel
* Obfuscating the source or destination address of traffic sent through the tunnel
* Routing restricted-use network traffic in or out of specific nodes
Roles of nodes in VPNs (a node can have some or all):
As a complete product, a Virtual Private Network includes, at minimum, VPN software capable of establishing a secure encrypted tunnel between two or more devices.
The most common state of the art implementation is a product that provides a secure tunnel to one or more servers—usually managed by the manufacturer as "exit nodes"—which then route traffic to its originally intended destination, typically on a public network like the Internet. The product consists of any client software installed on a user device as well as any remote data processing on manufacturer infrastructure required for the product to function as expected.
In consumer deployments, the most common state of the art implementation is a product that provides a secure tunnel to one or more servers—usually managed by the manufacturer as "exit nodes"—which then route traffic to its originally intended destination, typically on a public network like the Internet.
In enterprise wide area deployments, a common state of the art implementation is a product with digital elements that provides a secure overlay network to one or more servers that enable routing of traffic between remote restricted-use enterprise networks.
The product consists of any client software installed on a user device as well as any remote data processing on manufacturer infrastructure required for the product to function as expected.
A VPN can also be a product that provides access to a restricted-use logical computer network that is constructed from the system resources of a physical or virtual network, including cases where that product provides access from a restricted-use logical computer network to a public network.
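Review bot: "Determining to which exit nodes a clients may direct traffic towards" keeps the "a clients" agreement error and now carries two prepositions ("to which ... towards"). Suggest "Determining which exit nodes a client may direct traffic to". Separately, the context line "Roles of nodes in VPNs (a node can have some or all):" still introduces nothing in this hunk; if the role list lives elsewhere, move that line with it.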
@@ -319,11 +323,11 @@ Some VPN products also provide management capabilities to network administrators
For the purpose of the current document, a VPN client is a piece of software responsible for connecting a single end-point (such as a computing device or home router) to servers operating as exit nodes. A VPN client typically uses authentication credentials provided by the manufacturer and input by the consumer to establish secure tunnel(s) to an aforementioned exit node running VPN server software.
After establishing a tunnel, the VPN client changes configuration of the host device operating system to facilitate connections to the private network—this can include changes to DNS configuration, firewall rules, routing table, etc. This configuration is tailored to the end-user, and is based on a combination of local user preferences and policies configured by the VPN manufacturer.
After establishing a tunnel, the VPN client changes configuration of the host device operating system to facilitate connections to the private network—this can include changes to DNS configuration, firewall rules, routing table, etc. This configuration is tailored to the end-user, and may be based on a combination of local user or administrator preferences and policies configured by the VPN manufacturer.
### 4.3.3 VPN server, VPN gateway
A VPN server is responsible for maintaining tunnels between VPN clients and the resources they are requesting.
A VPN server is responsible for maintaining tunnels between VPN clients and the traffic destinations they are requesting.
## 4.4 Operational Environment
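Review bot: the updated paragraph now admits administrator preferences, but the preceding context sentence still says a VPN client "typically uses authentication credentials provided by the manufacturer and input by the consumer"; in the enterprise deployment added to 4.2 the credentials come from the operating organisation, not the manufacturer. Suggest "provided by the manufacturer or the operating organisation and input by, or provisioned to, the user".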
@@ -410,7 +414,8 @@ See [\[i.3\]](#_ref_i.3) for formal definitions of micro, small, and medium-size
***UC-1** Individual consumer
* Client installed on personal devices like mobile phone, portable or desktop computer
* Securing traffic on untrusted networks
* Client communicates with exit nodes managed by manufacturer
* Securing traffic on untrusted access networks
* User may lack advanced security knowledge
* Does not connect endpoints with other endpoints directly
@@ -12,7 +12,10 @@ The CRA requires the manufacturer to keep all the documentation necessary to sho
> \"Manufacturers shall, upon a reasoned request from a market surveillance authority, provide that authority, in a language which can be easily understood by that authority, with all the information and documentation, in paper or electronic form, necessary to demonstrate the conformity of the product with digital elements and of the processes put in place by the manufacturer with the essential cybersecurity requirements set out in Annex I. Manufacturers shall cooperate with that authority, at its request, on any measures taken to eliminate the cybersecurity risks posed by the product with digital elements which they have placed on the market.\"
The goal is that when the MSA does a "sweep" or otherwise decides to verify a product's conformance with the CRA, it has enough information that it can do its own independent testing without unnecessary barriers that could be solved by vendor documentation (e.g., does not have to reverse-engineer how to attach a serial console and read logs). Note that it is easer for an MSA to evaluate conformance via transparency—reviewing the test output and documentation to evaluate whether a mitigation is implemented—over actually testing the product themselves.
The goal is that when the MSA does a "sweep" or otherwise decides to verify a product's conformance with the CRA, it has enough information that it can do its own independent testing without unnecessary barriers that could be solved by vendor documentation (e.g., does not have to reverse-engineer how to attach a serial console and read logs).
> [!note]
> It is easer for an MSA to evaluate conformance via transparency—reviewing the test output and documentation to evaluate whether a mitigation is implemented—over actually testing the product themselves.
The present document makes the following assumptions regarding requirements and enforcement:
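Review bot: the sentence moved into the admonition still carries the typo "easer" (should be "easier"), and the comparison "easier ... over actually testing" should read "easier ... than actually testing". Since the note now stands on its own, consider also stating what it implies for manufacturers: that test output and documentation sufficient for a desk review is expected, not merely the possibility of re-testing.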
@@ -37,7 +40,7 @@ Recognizing that there may be vulnerabilities discovered between the time that a
#### 5.2.2.2 MI-KEVD: Documentation for secure update before or during first use
The product shall be accompanied by documentation describing how the product may be securely updated, including how to update the product prior to, or as part of, first use.
The product shall be accompanied by documentation describing how the product can be securely updated, including how to update the product prior to, or as part of, first use.
* Reference: TR-NKEV
* Objective: Prevent exploitation of known exploited vulnerabilities at first use
@@ -179,7 +182,7 @@ All cybersecurity-relevant software shall be compiled with secure compilation fl
#### 5.2.4.1 Requirement
The product shall be securely updatable by the user.
The product shall be securely updatable.
#### 5.2.4.2 MI-SUDC: Documentation of secure update
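Review bot: dropping "by the user" from "The product shall be securely updatable" removes the only statement of who can trigger an update, while the sub-requirements below (5.2.4.4) still refer to the user or administrator disabling automatic updates. If the intent is to admit administrator- or environment-driven updates, say so, e.g. "The product shall be securely updatable by the user or administrator, or by the operational environment as documented under 5.2.4.6", rather than leaving the actor unspecified.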
@@ -206,7 +209,7 @@ The product shall provide a method of securely updating any software in the prod
#### 5.2.4.4 MI-SUAP: Automatic secure update via product
The product shall provide a method of automatically securely updating any software in the product via the product itself with an option for the user to disable automatic updates.
The product shall provide a method of automatically securely updating any software in the product via the product itself with an option for the user or administrator to disable automatic updates.
* Applicability: Product expected use is long enough to require updates
* Reference: TR-SCUD
@@ -229,7 +232,7 @@ The technical documentation provided with the product shall document that the op
#### 5.2.4.6 MI-SUAO: Automatic secure update provided by operational environment
The technical documentation provided with the product shall document that the operational environment shall provide a method of automatically securely updating the product with an option for the user to disable automatic updates.
The technical documentation provided with the product shall document that the operational environment shall provide a method of automatically securely updating the product with an option for the product to be configured to disable automatic updates.
* Applicability: Product expected use is long enough to require updates
* Reference: TR-SCUD
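Review bot: "with an option for the product to be configured to disable automatic updates" is ambiguous: the updates here are delivered by the operational environment, so the switch is an environment setting rather than a product setting, and it is unclear who may operate it. Suggest mirroring 5.2.4.4: "with an option for the user or administrator to disable automatic updates of the product".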
@@ -387,7 +390,7 @@ The product shall ensure that when the connection to the VPN server is lost at t
#### 5.2.5.4 MI-ROUT-3 Tunnel all traffic by default
The VPN client shall by default be configured to route all network traffic from the endpoint through the VPN connection. If the client offers a mode that only tunnels traffic from specific applications (e.g., "split tunneling" or browser-only mode), this shall not be the default mode, and the user must be clearly informed of its limitations before enabling it.
The VPN client shall by default be configured to route all network traffic from the endpoint through the VPN connection. If the client offers a mode that only tunnels traffic from specific applications (e.g., "split tunneling" or browser-only mode), this shall not be the default mode. Where the user is responsible for configuration of tunnel policy, the user must be clearly informed of its limitations before enabling it.
* Reference: TR-ROUT
* Objective: Prevent user confusion and unexpected traffic leaks from non-tunneled applications
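Review bot: "must" in "the user must be clearly informed" should be "shall" to match the normative language used throughout this clause, and with the sentence now split, "its limitations" has lost its antecedent (the split-tunnel mode); repeat the noun: "informed of the limitations of that mode before enabling it". Note also that the new wording imposes no information requirement when an administrator sets the tunnel policy centrally; if users in that case should still be told that their traffic is not fully tunneled, say so, since the Objective line still cites user confusion.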
@@ -400,11 +403,11 @@ The VPN client shall by default be configured to route all network traffic from
#### 5.2.6.1 Requirement
The establishment and ending of a VPN connection shall not result in functional changes to the system configuration unless explicitly authorized by the user.
The establishment and ending of a VPN connection shall not result in functional changes to the system configuration unless explicitly authorized by the user or administrator.
#### 5.2.6.2 MI-CONF-1 VPN client restores any system configuration it changes to its previous state after the VPN connection ends
After the user knowingly deactivates the VPN connection, the VPN client shall restore any system configuration it has changed to a state that is functionally equivalent to the state it was in before the VPN connection began.
After the user or administrator knowingly deactivates the VPN connection, the VPN client shall restore any system configuration it has changed to a state that is functionally equivalent to the state it was in before the VPN connection began.
* Reference: TR-CONF
* Objective: Preserve integrity of system configuration
@@ -455,7 +458,7 @@ The VPN client shall not reduce system security after the end of the VPN connect
#### 5.2.6.5 MI-CONF-4 VPN client shall not require unnecessary permissions
Custom VPN clients shall not require permissions that that do not need.
Custom VPN clients shall not require permissions that they do not need.
> [!note]
> The VPN product should be able to operate without a wide set of permissions—eg, a VPN does not require access to files/folders (like ~/Downloads) nor would it need access to the local network.
@@ -491,12 +494,12 @@ Traffic from an unauthorized or unauthenticated source shall not be permitted to
The VPN client and server shall implement or integrate with a policy engine (e.g., a packet filter or firewall) to enforce granular packet filtering by application, port, and endpoint identity, and shall only permit traffic explicitly authorized to transit the VPN connection.
The VPN client and server shall be able to be configured to enforce granular packet filtering by application and destination address & port, and shall only permit traffic explicitly authorized to transit the VPN connection.
* Reference: TR-NUTI
* Objective: Prevent unauthorized traffic in the VPN connection
* Preparation: None
* Activities: Attempt to send traffic that is explicitly blocked by the central policy engine directly to the network port used to route traffic into the VPN connection on the VPN client, repeat on VPN server
* Activities: Attempt to send traffic that is explicitly blocked by configuration directly to the network port used to route traffic into the VPN connection on the VPN client, repeat on VPN server
* Verdict: The traffic does not enter the VPN connection, and does not exit it => PASS, otherwise FAIL
* Evidence: Configuration file including the deny rule, packet capture of both incoming and outgoing interface, log message recording the denied traffic
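Review bot: the rewritten requirement is internally inconsistent: "shall be able to be configured to enforce granular packet filtering" makes filtering optional, yet the same sentence says the client and server "shall only permit traffic explicitly authorized", which is a default-deny mandate. State which is meant (filtering is mandatory with a default-deny policy, or filtering is an optional capability and the test below applies only when it is enabled), and replace "&" with "and" in normative text. The new text also silently drops the filtering by endpoint identity that the old version required; if that is intentional, say so in the change description, since the authentication requirements (TR-AUTH) assume per-client identity is available.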
@@ -556,7 +559,7 @@ The VPN client, server, or other node shall implement an authentication timeout
VPN server or mesh node shall detect when multiple VPN clients are using credentials that should be unique to a VPN client and notify the users of both VPN clients or only allow one connection per credential.
* Applicability: VPN client credentials can be duplicated
* Applicability: VPN handles credentials and VPN client credentials can be duplicated
* Reference: TR-AUTH
* Objective: Protect VPN connection from unauthorized use
* Preparation: Configure two VPN clients with identical credentials that should be unique to a VPN client
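Review bot: the new applicability condition "VPN handles credentials" is vague; it presumably means the VPN product itself issues or validates client credentials rather than delegating authentication to an external identity provider, but as written it is unclear whether a product that merely forwards credentials to an external authenticator is in scope. Suggest "The VPN product issues or validates client credentials itself, and those credentials can be duplicated".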
@@ -590,7 +593,8 @@ The VPN service shall provide a method to force revocation, temporary or permane
#### 5.2.9.1 Requirement
The VPN client shall implement methods to reduce the likelihood of DNS queries being routed to unauthorized DNS servers while the VPN connection is active.
1. The VPN client shall be able to be configured with authorized DNS server(s).
2. When configured with an authorized DNS server, the client shall deny plaintext DNS queries to non-authorized DNS servers.
> [!note]
> The network configuration of a system is frequently changed by multiple different pieces of software, many of which the VPN client has no control over or insight into.
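Review bot: item 2 limits the mitigation to "plaintext DNS queries", but the objective of this clause is to prevent DNS query leaks, and an application resolving over DNS-over-HTTPS or DNS-over-TLS to a non-authorized resolver still discloses the same queries to that resolver; only the on-path observer is excluded. Either state the rationale for restricting item 2 to plaintext (port 53) queries, or extend it to encrypted DNS to non-authorized resolvers where the client can identify such traffic. Also define "authorized DNS server" relative to the configuration the VPN server pushes, which 5.2.9.5 and 5.2.9.6 refer to.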
@@ -638,7 +642,7 @@ By default the VPN client shall route all DNS queries through the VPN connection
#### 5.2.9.5 MI-DNSL-4 DNS misconfiguration
The VPN client shall inspect the system DNS configuration when attempting to connect and shall validate any DNS configuration it receives from the VPN server. If it detects a statically configured, non-authorized DNS server, the client shall either reject the configuration, refuse to connect, or provide a clear warning to the user.
The VPN client shall validate any DNS configuration it receives from the VPN server. If it detects a misconfiguration, e.g. a statically configured, non-authorized DNS server, the client shall either refuse to connect or provide a clear warning to the user.
* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
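Review bot: the rewritten text drops the host-side inspection ("shall inspect the system DNS configuration when attempting to connect") but keeps "a statically configured, non-authorized DNS server" as the example misconfiguration; a static resolver on the host is exactly what the removed inspection would find, while validating "any DNS configuration it receives from the VPN server" cannot detect it. Either restore the host-side check or change the example to something the server-supplied configuration could contain, e.g. a resolver reachable only outside the tunnel.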
@@ -651,7 +655,7 @@ The VPN client shall inspect the system DNS configuration when attempting to con
#### 5.2.9.6 MI-DNSL-5 Monitoring of DNS configuration
The VPN client shall monitor the DNS configuration of the system and take a user-configurable action when it detects that the DNS configuration has changed from the one the VPN client specified in a way that affects DNS query visibility to third parties. By default, the user-configurable option shall be to disable network traffic outside of the system. The VPN client shall detect DNS configuration changes within 30 seconds.
The VPN client shall monitor the DNS configuration of the system and take a user-configurable action when it detects that the DNS configuration has changed from the one the VPN client specified in a way that affects plaintext DNS query visibility to third parties. By default, the user-configurable option shall be to disable network traffic outside of the system.
* Reference: TR-DNSL
* Objective: Prevent DNS query leaks outside of VPN connection
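Review bot: removing "The VPN client shall detect DNS configuration changes within 30 seconds" leaves "shall monitor" with no timeliness bound, so the test for this mitigation has no basis for a FAIL verdict if a change is detected minutes later. If 30 seconds was considered arbitrary, replace it with a documented maximum detection latency rather than deleting the bound. Separately, "disable network traffic outside of the system" is unclear; if the intent is to block all traffic leaving the host until the configuration is corrected, as a kill-switch action, say that.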