Loading EN-304-625.md +43 −24 Original line number Diff line number Diff line Loading @@ -11,11 +11,7 @@ <br /> <br /> Title;<br /> Part #: Part element of title;<br /> Sub-part #: Sub-part element of title<br /> CRA; Essential cybersecurity requirements for physical and virtual network interfaces<br /> Release #<br /> Loading Loading @@ -257,6 +253,8 @@ Wired interfaces in use in a: Low: Stationary device inside a filtered network 1. Enterprise device in internal data center * professional physical security * professional administration Loading Loading 
@@ -297,41 +295,62 @@ Very high: Wireless interfaces: Low: All the same security level Except maybe by type??? 1. Enterprise use in a restricted area Virtual interfaces Medium: Local communication inside an OS or hypervisor 1. Home personal device (IoT, stationary personal computer) 1. Workplace 1. Communication between host OS and hypervisor/container 1. Software development 1. Provide a tunnel to an application or driver High: External communication 1. Public infrastructure (public wifi hubs) 1. Provide a tunnel to an external host 1. Filtering/firewalls Very high: ### Discussion 1. Mobile personal device (laptop, watch, phone) Much of this will move to risk assessment. Virtual interfaces Attack vectors that are the responsiblity of the network interface: Low: * Arbitrary packets from outside the system * OS-validated packets from unprivileged users inside the system * Any unprivileged user-accessible device driver API 1. Communication between host OS and hypervisor/container 1. Software development Out of scope attack vectors: Medium: * Anything the OS is responsible for * Firmware updates * Direct bit twiddling of registers 1. Provide a tunnel to an application or driver Refer to normative standards: High: * Device driver attack vectors * Physical interface specific attack vectors? 1. Provide a tunnel to an external host Factors Very high: Virtual 1. Filtering/firewalls * complexity of device driver interface and thus device driver * data layer attacks * tcp session layer or other offload-related attacks * intended environment of use (direct to internet or filtered) Wired * physical link layer attacks (refer to external standards?) * complexity of physical interface implementation (firmware) Wireless * All of above plus: * data layer level encryption? * added complexity of managing RF transmitters ## 4.4 Security levels Loading Loading
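Review bot: In the title block hunk (@@ -11,11 +11,7 @@), replacing the `Title;` / `Part #:` / `Sub-part #:` placeholders with the single line `CRA; Essential cybersecurity requirements for physical and virtual network interfaces` drops the part and sub-part structure while leaving `Release #` as an unfilled placeholder; if the deliverable is not multi-part, remove or fill `Release #` in the same change, and if it is, keep the `Part #:` line. The `CRA;` prefix reads as a series abbreviation rather than part of the title, so expand it once (Cyber Resilience Act, presumably) where it first appears.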
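Review bot: In the wired-interfaces hunk (@@ -257,6 +253,8 @@), the two added bullets `* professional physical security` and `* professional administration` are properties of the deployment environment, not of the interface, so state them as the preconditions under which `Enterprise device in internal data center` qualifies as Low, on the same footing as `Stationary device inside a filtered network`, and say what happens when one of them does not hold (a data-center device without managed physical access or administration should move up a level). Without that, the Low classification cannot be checked against a concrete deployment.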
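Review bot: In the third hunk (@@ -297,41 +295,62 @@), the placeholder `All the same security level Except maybe by type???` now sits where the wireless interfaces were graded by use (restricted-area enterprise use, home or workplace, public wifi hubs, mobile personal device); a restricted-area enterprise deployment and a public hub are not the same exposure, so either keep a graded list or state the single level and the reason. The virtual-interfaces regrouping into `Local communication inside an OS or hypervisor` and `External communication` puts `Provide a tunnel to an external host` and `Filtering/firewalls` in the same group although one exposes the host and the other protects it; separate them or note that the level applies to the tunnel, not the filter. In the Discussion, the scope boundary is inconsistent: `Firmware updates` is out of scope, yet `complexity of physical interface implementation (firmware)` is a risk factor, and `Any unprivileged user-accessible device driver API` is the interface's responsibility while `Device driver attack vectors` is deferred to normative standards; say explicitly which part of the firmware and driver surface the interface owns (for example authenticity of loaded firmware and the unprivileged ioctl surface) and which part is delegated, and likewise how `OS-validated packets from unprivileged users inside the system` squares with `Anything the OS is responsible for` being out of scope. Also `responsiblity` -> `responsibility`, and `tcp session layer or other offload-related attacks` should name the offloads meant (checksum, segmentation, receive-side) since "session layer" is not where TCP offload lives.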