Update part 2 with latest formatting
# Conflicts: # EN-304-620-2.md diff --git EN-304-620-2.md EN-304-620-2.md index fbfcaa6..0f1104e 100644 --- EN-304-620-2.md +++ EN-304-620-2.md @@ -1,15 +1,9 @@ -<div style="text-align: center;"> - +**Draft ETSI EN 304 620 v0.0.2 Part 2 (2025-09)** -# HARMONISED EUROPEAN STANDARD + -**Draft ETSI EN 304 620 v0.0.1 (2025-08)** -<br /> -<br /> -<br /> -<br /> CYBER; CRA; Harmonized Standards for essential cybersecurity requirements for Products with digital elements with the function of virtual private network (VPN);<br /> @@ -19,14 +13,12 @@ Part 2 of 2<br /> Release #<br /> -</div> <br /> <br /> <br /> <br /> -<div style="text-align: center;"> Reference<br /> <Workitem><br /> Keywords<br /> @@ -39,11 +31,9 @@ Tel.: +33 4 92 94 42 00 Fax: +33 4 93 65 47 16<br /> Siret N° 348 623 562 00017 - APE 7112B<br /> Association à but non lucratif enregistrée à la<br /> Sous-préfecture de Grasse (06) N° w061004871<br /> -</div> <br /> -<div style="text-align: center;"> **_Important notice_** @@ -84,13 +74,11 @@ No part may be reproduced or utilized in any form or by any means, electronic or All rights reserved.<br /> -[Principles for Drafting ETSI Deliverables]: https://portal.etsi.org/Portals/0/TBpages/edithelp/Docs/Principles_for_drafting_ETSI_deliverables.pdf [ETSI deliver]: http://www.etsi.org/deliver [Milestones listing]: https://portal.etsi.org/Services/editHelp/Standards-development/Tracking-a-draft/Status-codes [Committee Support Staff]: https://portal.etsi.org/People/Commitee-Support-Staff [CVD]: https://www.etsi.org/standards/coordinated-vulnerability-disclosure -</div> # Contents @@ -124,7 +112,7 @@ The present document is part 2 of a multi-part deliverable covering Cyber Securi Part 1: VPNs for secure remote access to private networks -Part 2: VPNs for private connection to public networks +Part 2: VPNs for private connection to public or private networks ## Transposition table 
@@ -155,7 +143,7 @@ The purpose of this document is to provide essential cybersecurity requirements # Introduction -The present document defines cybersecurity requirements for products with digital elements whose primary purpose is providing private connections to public networks such as the Internet. Demonstrating compliance with this standard is voluntary, but doing so provides a presumption of conformity with Regulation (EU) 2024/2847, the Cyber Resilience Act <a href="#_ref_i.1">[i.1]</a>. +The present document defines cybersecurity requirements for products with digital elements whose primary purpose is providing private connections to public networks such as the Internet or other private networks. Demonstrating compliance with this standard is voluntary, but doing so provides a presumption of conformity with Regulation (EU) 2024/2847, the Cyber Resilience Act <a href="#_ref_i.1">[i.1]</a>. This standard does not provide presumption of conformity for products with digital elements with have a VPN feature as part of a larger networking or security product, though it may be useful as one part of the process of demonstrating compliance for a product containing or interacting with VPNs. 
@@ -163,16 +151,16 @@ This standard does not provide presumption of conformity for products with digit ## 1.1 General -The present document provides security requirements and assessment criteria covering all elements defined in EU Regulation 2024/2847 Cyber Resilience Act Annex I Part 1 and Part 2 for products with digital elements (products) with the intended main purpose of providing commercial Virtual Private Network (VPN)s for individual consumers. This includes products intended for a single user or home network to securely connect to a public network with an emphasis on privacy. +The present document provides security requirements and assessment criteria covering all elements defined in EU Regulation 2024/2847 Cyber Resilience Act Annex I Part 1 and Part 2 for products with digital elements (products) with the intended main purpose of providing commercial Virtual Private Network (VPN)s for individual consumers. This includes products intended for a single user or home network to securely connect to a public or private networks with an emphasis on privacy. The scope applies to: -1. Software that operates as a VPN end-point on a consumer device -1. Remote data processing and associated software used for consumer VPN product +1. Software that operates as a VPN end-point on a consumer device +2. Remote data processing and associated software used for consumer VPN product ## 1.2 Products in scope -The scope of this part of the standard covers products intended for use by a consumer (a natural person) for non-commercial purposes, with a focus on enhancing personal privacy, bypassing censorship, or accessing geographically-restricted content. +The scope of this part of the standard covers products intended for use by a consumer (a natural person) for non-commercial purposes, with a focus on enhancing personal privacy and increasing security on insecure networks. This includes: 
@@ -218,6 +206,8 @@ The following referenced documents are necessary for the application of the pres * <a name="_ref_1">[1]</a> CEN ## (##): “Cybersecurity requirements for products with digital elements — General principles for cyber resilience” * <a name="_ref_2">[2]</a> CEN ## (##): “Cybersecurity requirements for products with digital elements — Vulnerability Handling” +* <a name="_ref_3">[3]</a> OWASP ASVS (v5.0.0): “Application Security Verification Standard” +* <a name="_ref_4">[4]</a> OWASP MASVS (v2.1.0): “Mobile Application Security Verification Standard” [//]: # (* <a name="_ref_1">[3]</a> CEN ## (##): TK possible vocabulary document from WG9) [//]: # (* <a name="_ref_1">[4]</a> ETSI ## (##): TK shared vocabulary document from WG EUSR) @@ -364,6 +354,8 @@ TODO based on RDPS, how much of this is permitted to be in scope? This list of use cases is an informative resource to the manufacturer to simplify choosing a set of security requirements. It is not an exhaustive list, and deployments may cross over more than one use. +See [i.3] for formal definitions of micro, small, and medium-sized enterprises. + * **UC-1** Individual consumer * Client installed on personal devices like mobile phone, portable or desktop computer * Securing traffic on untrusted networks 
@@ -378,15 +370,40 @@ This list of use cases is an informative resource to the manufacturer to simplif * At high risk of surveillance * Actively circumventing censorship -## 4.4 Risk factors +* **UC-4** Small enterprise, small not-for-profit organisation + * limited or no full-time IT/network administration + * seeking secure connections primarily to SaaS products + * requires managed service for configuration and maintenance + +## 4.4 Users + +- general public +- children +- journalists +- small business workers +- gamers +- students + +## 4.5 Risk factors The risk factors identified by the risk assessment in Annex C are grouped into risk categories and assigned unique identifiers below. Note that the numeric identifiers are just that—identifiers. They are not intended to implied tiered security needs. TODO -## 4.5 Security profiles +* End-point configuration + * **CFG-L-0** End-point is fully preconfigured by enterprise IT, remote end-points and public keys updated by MDM + * **CFG-L-1** End-point has limited user configuration options, such as choosing a region to connect to + * **CFG-L-2** End user is provided clear configuration instructions and software is supplied directly by manufacturer or MDM + * **CFG-L-3** End user is provided configuration information for any protocol-appropriate software to connect to the network -### 4.5.1 Overview +* Account management and authentication of endpoints + * **AUT-L-0** Customer uses third party identity provider + * **AUT-L-1** Account details are managed by the customer through a centralized identity system (e.g. active directory) + * **AUT-L-2** Each system used by the customer involves its own set of account information & secrets + +## 4.6 Security profiles + +### 4.6.1 Overview Security profiles are an informative resource to the manufacturer. All VPNs will have a baseline of security requirements regardless of the use-case and environment of their product. 
Additional security requirements will align with the reasonably foreseeable use (and, potentially, the reasonably foreseeable mis-use) of their particular product, based on the security profile appropriate for their product. @@ -394,7 +411,7 @@ The different user types have varying needs that correspond directly to the secu Security profiles will be mapped to the security requirements necessary to mitigate them in a future draft. -### 4.5.2 Mapping of security profile to risk factors +### 4.6.2 Mapping of security profile to risk factors Each security profile will consist of the security requirements necessary to mitigate the threats related to the associated types of risk factors. @@ -404,7 +421,7 @@ TODO risk factors, security profiles |------------------|---------|---------|---------|---------|---------| | SEC-0 | INS-L-3 | PHY-L-0 | CFG-L-3 | EPH-L-2 | AUT-L-0 | -## 4.6 Essential functions +## 4.7 Essential functions > List the essential functions of the product, including: 
> @@ -412,12 +429,15 @@ TODO risk factors, security profiles > - How its functions are configured? > - How it keeps itself secure and functioning? -The purpose of a consumer VPN is to create a tunnel between client devices and a server that provides access to a public network while obfuscating information about the source device. Potential functions include: +The purpose of a consumer VPN is to create a tunnel between client devices and a server that provides access to a public or private network while obfuscating information about the source device. Potential functions include: + +Depending on the use case, VPNs provide different functions. Potential functions include: * Authenticating client connections * Determining to which exit nodes a clients may connect * Establishing a secure tunnel between devices and exit nodes * Obfuscating the source or target of traffic sent through the tunnel +* Routing restricted-use network traffic in or out of specific nodes The VPN itself is a collection of software running on different nodes. Each software element may have a different set of functionality and may be more or less trusted than other elements. How the functionality and trust are distributed vary according to the architecture and use case of the VPN. @@ -446,7 +466,7 @@ During reasonably foreseeable use, nodes may: * Leave the restricted network * Revoke the access of a node to the restricted use network -## 4.7 Operational Environment +## 4.8 Operational Environment > Describe the expected operating environment given the exclusions in Section 4.2. This includes: 
> @@ -497,13 +517,6 @@ VPN products often include or are use in concert with: * Distributed log collection and monitoring * Firewalls -## 4.8 Users - -- General public -- Journalists -- Activists -- Children - ## 4.9 Risk distribution among components This section describes the two-way relationship where the VPN product both delegates risks and provides security functionalities to other components in its ecosystem. @@ -607,11 +620,15 @@ A basic overview of VPN functions follows. See clause 4.7 for a detailed overvie > List assumptions that are relevant to the risk analysis for these threats. Everything is hackable if you try hard enough. What kinds of threats are in and out of scope? What are you assuming is the sophistication of attack? Relate to use cases. -[//]: # (- No secret hardware backdoors) -[//]: # (Do hardware backdoors need to be addressed in due diligence for remote data processing on manufacturer hardware? or is that more information than strictly necessary?) +* Device operating systems have installed security updates ## C.4 Risk assessments of threats +### C.4.1 Overview + +### C.4.2 Likelihood + +### C.4.3 Impact > For each threat identified above, use likelihood and magnitude of the threat to assess its risk in the context of use cases. The results should be consistent with the mapping of use cases to security levels. > Guidance from latest PT1 draft:
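Review bot: In the hunk at @@ -84,13 +74,11 @@, the link definition `[Principles for Drafting ETSI Deliverables]: https://portal.etsi.org/...` is deleted while the neighbouring definitions (`[ETSI deliver]`, `[Milestones listing]`, `[Committee Support Staff]`, `[CVD]`) are kept; if the body text still uses the `[Principles for Drafting ETSI Deliverables]` reference, that link now renders as literal bracketed text. Either restore the definition or confirm the reference was removed too. The `</div>` closings removed in this and the earlier hunks match the `<div style="text-align: center;">` openings removed at @@ -1,15 +1,9 @@, so the markup stays balanced.

Review bot: In the hunk at @@ -163,16 +151,16 @@, the new 1.1 text reads "securely connect to a public or private networks", which should be "to a public or private network". In the same hunk the 1.2 scope sentence drops "bypassing censorship, or accessing geographically-restricted content" in favour of "increasing security on insecure networks", yet UC-3 (unchanged context in @@ -378,15 +370,40 @@) still lists "Actively circumventing censorship" and "At high risk of surveillance"; either keep censorship circumvention in the 1.2 scope or adjust UC-3 so the use cases and the scope statement agree.

Review bot: In the hunk at @@ -218,6 +206,8 @@, the two commented-out placeholders below the new entries still carry the labels `[3]` and `[4]` (and both reuse `name="_ref_1"`), which now collide with the newly added OWASP ASVS `[3]` and MASVS `[4]`; renumber the placeholders (or drop them) so that uncommenting them later does not produce duplicate reference numbers and anchors.

Review bot: In the hunk at @@ -364,6 +354,8 @@, the added sentence cites `[i.3]` as plain text, whereas the rest of the file links informative references as `<a href="#_ref_i.1">[i.1]</a>`; use the same anchor form, and confirm that an `[i.3]` entry defining micro, small and medium-sized enterprises actually exists in the informative references, since this patch does not add one.

Review bot: In the hunk at @@ -378,15 +370,40 @@, the "TODO" under the renumbered 4.5 Risk factors is kept, and only the CFG-L-* and AUT-L-* identifiers are defined, while the 4.6.2 table (context in @@ -404,7 +421,7 @@) still references INS-L-3, PHY-L-0 and EPH-L-2 with no definitions; either add those factor groups here or mark the table row as pending. Two smaller points in the same hunk: the unchanged sentence "They are not intended to implied tiered security needs" should read "to imply", and the new 4.4 Users list drops "Activists" from the old 4.8 list (removed at @@ -497,13 +517,6 @@) although UC-3 still targets users at high risk of surveillance; confirm that omission is intended.

Review bot: In the hunk at @@ -412,12 +429,15 @@, the modified paragraph still ends with "Potential functions include:" and the newly inserted paragraph immediately repeats "Potential functions include:", so the phrase appears twice before the bullet list; remove it from the first paragraph. The unchanged bullet "Determining to which exit nodes a clients may connect" should read "a client may connect".

Review bot: In the hunk at @@ -497,13 +517,6 @@ together with the renumbering hunks (4.4 to 4.5, 4.5 to 4.6, 4.6 to 4.7, 4.7 to 4.8), the clause numbers shift by one, but the unchanged cross-reference "See clause 4.7 for a detailed overview" in the Annex C context at @@ -607,11 +620,15 @@ is not touched; confirm it now points at the intended clause (Essential functions after this patch, Operational Environment before it).

Review bot: In the hunk at @@ -607,11 +620,15 @@, the three added subclause headings C.4.1 Overview, C.4.2 Likelihood and C.4.3 Impact are empty, and the existing drafting guidance ("For each threat identified above, use likelihood and magnitude ...") now sits under C.4.3 Impact although it covers likelihood and impact together; place the guidance under C.4.1 Overview or above the new subheadings. The assumption list is also reduced to the single bullet "Device operating systems have installed security updates" while the hardware-backdoor question is deleted; if that question was resolved, a one-line assumption stating the outcome would keep the rationale on record.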