Commit 7f6f10fc authored by Valerie Aurora

Update risks, security levels, security functions, renumber

parent f7fd011a
+211 −109
@@ -237,7 +237,7 @@ The following types of products have reduced or varied requirements under Regula
10. Testing and unfinished versions as defined in recital 37; Article 4, 2-3 <a name="_ref_i.1">[i.1]</a>;
11. Products Placed on the Market Prior to December 11, 2027 as defined in CRA article 69 <a name="_ref_i.1">[i.1]</a>.

## 4.2 Product overview and architecture
## 4.3 Product overview and architecture

_Explain the overall architecture and relationship among the parts of the products. Use diagrams if that is helpful._

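Review bot: the two context lines for items 10 and 11 both carry `<a name="_ref_i.1">`, so the rendered page has two elements with the same name and a link to `#_ref_i.1` only ever reaches the first one; while this section is being renumbered, give item 11 its own anchor (or drop the anchors from both items, since the visible text is the `[i.1]` citation and the anchor belongs on the reference entry itself). The renumbering of "4.2 Product overview and architecture" to 4.3 is consistent with the new "4.4 Use cases" heading introduced below.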
@@ -269,74 +269,128 @@ The device driver communicates with the rest of the host software by means of a

A virtual interface emulates the device driver interface of a network interface to the host operating system. Instead of a physical network interface, it may send and receive packets to a hypervisor, a container, another device driver, another part of the network stack, or an application.

FIXME make some nice diagrams


## 4.3 Use cases

_Create a list of representative use cases, each one representing a different threat profile. If the threat profile is the same, it's basically the same use case for the purposes of this document. Later the use cases will be mapped to security levels. Use cases should include both intended and reasonably foreseeable use/misuse._

Wired interfaces in use in a:

Low:

Stationary device inside a filtered network

1. Enterprise device in internal data center
   * professional physical security
   * professional administration
   * highly filtered network traffic
1. Home lab device
   * semi-pro physical security
   * semi-pro administration
   * may be exposed to entire internet

Medium:

1. Enterprise edge device or internet infrastructure
   * professional physical security
   * professional administration
   * exposed to entire internet
1. Enterprise worker device
   * some professional physical security
   * professional administration
   * sometimes exposed to entire internet
1. Stationary home device
   * some physical security
   * no administration
   * highly filtered network traffic

High:

1. Stationary public device
   * no physical security
   * little to no administration
   * probably exposed to entire internet

Very high:

1. Mobile personal device (including laptops)
   * often no physical security
   * no administration
   * often exposed to entire internet

Wireless interfaces:

All the same security level
Except maybe by type???

Virtual interfaces

Local communication inside an OS or hypervisor

1. Communication between host OS and hypervisor/container
1. Software development
1. Provide a tunnel to an application or driver

External communication

1. Provide a tunnel to an external host
1. Filtering/firewalls
<mark> FIXME make some nice diagrams </mark>

## 4.4 Use cases

* UC-WD-1 Wired enterprise device in isolated internal infrastructure
  * Data center for internal job processing
  * Behind a firewall, no direct route to internet
  * Users are administrators and approved applications
  * Interface implements performance optimizations
  * Professional administration by enterprise IT

* UC-WD-2 Wired enterprise internal infrastructure device
  * Switches behind edge firewall devices
  * Behind a firewall, routing filtered internet traffic
  * Users are administrators
  * Interface implements performance optimizations
  * Professional administration by enterprise IT

* UC-WD-3 Wired enterprise edge device or internet infrastructure
  * Firewalls, VPN servers, switches in IXPs and ISPs
  * Exposed to entire internet
  * Users are administrators and approved applications
  * Interface implements performance optimizations
  * Professional administration by enterprise IT

* UC-WD-4 Wired enterprise worker device on internal network
  * Stationary personal computer, registration terminal, cash register
  * Behind a corporate firewall
  * Users are company employees
  * Interface implements performance optimizations
  * Professional administration by enterprise IT

* UC-WD-5 Wired stationary home device
  * Stationary personal computer, IoT hub
  * Behind home gateway firewall
  * Host access limited to people within the home
  * Simple, low feature implementation
  * May be administered by anyone in the home

* UC-WD-6 Wired stationary home gateway
  * ISP-managed access point, smart meter
  * Exposed to the entire internet, potentially some ISP filtering
  * Host access limited to trusted users/systems
  * Simple, low feature implementation
  * Professionally administered

* UC-WD-7 Wired stationary public server
  * Shared webhosting
  * Behind some firewall
  * Can be used by anyone who can open an account
  * Interface implements performance optimizations
  * Professional administration

* UC-WD-8 Wired stationary device for public use
  * Public library computer, vending machine
  * Behind some firewall, network accessible by physically nearby attackers
  * Can be used by literally anybody
  * Simple, low feature implementation
  * Professional administration but probably underfunded

* UC-WD-9 Wired mobile device
  * Laptop
  * Exposed to entire internet, physically nearby attackers
  * Users limited to owner and a few people they trust
  * Simple, low feature implementation
  * May be administered professionally by anyone in the home

* UC-WL-1 Wireless mobile enterprise worker device
  * Company laptop, phone, tablet
  * Exposed to entire internet via any access point
  * Users are company employees
  * Interface implements radio control and encryption
  * Professional administration by enterprise IT

* UC-WL-2 Wireless stationary home device
  * IoT lightbulb, smart oven, stationary personal computer
  * Behind home gateway firewall, network accessible by physically nearby attackers
  * Host access limited to people within the home
  * Interface implements radio control and encryption
  * May be administered by anyone in the home

* UC-WL-3 Wireless stationary device for public use
  * Public library computer, vending machine
  * Behind some firewall, network accessible by physically nearby attackers
  * Can be used by literally anybody
  * Interface implements radio control and encryption
  * Professional administration but probably underfunded

* UC-WL-4 Wireless mobile personal device
  * Laptop, phone, tablet
  * Exposed to entire internet, physically nearby attackers
  * Users limited to owner and a few people they trust
  * Interface implements radio control and encryption
  * May be administered by anyone in the home

* UC-VI-1 Virtual interface for internal use on private device
  * Loopback, containers, tunnel to local application
  * Packets only from other applications/users on host
  * Users are administrators and approved applications in containers
  * Very simple device driver
  * Skilled administrator

* UC-VI-2 Virtual interface for external use on private device
  * Virtio on hypervisors, VPN interfaces, tunnel interfaces
  * Exposed to entire internet
  * Users are administrators and potentially untrusted applications
  * Highly complex packet filtering, processing, encryption, etc.
  * Anyone can be administrator

* UC-VI-3 Virtual interface for external use on enterprise device
  * Virtio on hypervisors, VPN interfaces, tunnel interfaces
  * Exposed to entire internet
  * Users are untrusted
  * Highly complex packet filtering, processing, encryption, etc.
  * Administered by enterprise IT

* UC-VI-4 Virtual interface for external use on public server
  * Virtio on hypervisors, VPN interfaces, tunnel interfaces
  * Exposed to entire internet
  * Users are untrusted
  * Highly complex packet filtering, processing, encryption, etc.
  * Administered by professional IT

### Discussion

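Review bot: the last bullet of UC-WD-9, "May be administered professionally by anyone in the home", contradicts itself (professional administration versus anyone in the home) and will matter later when the use case is scored on the ADM factor; UC-WD-5 uses "May be administered by anyone in the home" and UC-WL-1 uses "Professional administration by enterprise IT", so pick one of those two phrasings. The same bullet pattern is reused for UC-WL-4 ("Laptop, phone, tablet" ... "May be administered by anyone in the home"), which reads oddly for a mobile personal device that leaves the home; "Administered by the owner" would match the "Users limited to owner and a few people they trust" bullet above it. Since each use case lists the same four properties that the security-level section scores (users, network exposure, interface complexity, administration), keeping those four bullets in a fixed order after the example line would let a reader check every row of the later mapping table against its use case. The `<mark> FIXME make some nice diagrams </mark>` line is still pending and now sits at the end of the architecture section rather than the use-case section, which is the right place for it.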
@@ -359,33 +413,83 @@ Refer to normative standards:
* Device driver attack vectors
* Physical interface specific attack vectors?

Factors
## 4.5 Security levels

For each network interface placed on the market, the manufacturer shall develop a threat model and risk profile of the forseeable use of the operating system, and shall consider the interplay between:

* complexity of forseeable use
* likelihood of an incident, given the forseeable use
* impact of an incident, given the forseeable use

The identified risks are grouped into risk categories and assigned unique identifiers below.

* Number of unprivileged users with network access on the host system

  * **[USR-L-0]** Effectively no users
  * **[USR-L-1]** Only trusted users with a formal approval system
  * **[USR-L-2]** Trusted users within the home
  * **[USR-L-3]** Untrusted users

* Degree of access to attached network

  * **[ACC-L-0]** Untrusted users have no or highly filtered access to attached network
  * **[ACC-L-1]** Untrusted users have somewhat filtered access to attached network
  * **[ACC-L-2]** Untrusted users have unfiltered access to attached network

Virtual
* Complexity of network interface implementation

* complexity of device driver interface and thus device driver
* data layer attacks
* tcp session layer or other offload-related attacks
* intended environment of use (direct to internet or filtered)
  * **[COM-L-0]** Minimal features to send/recv packets
  * **[COM-L-1]** Some simple performance features
  * **[COM-L-2]** Encryption features on device
  * **[COM-L-3]** Entire RTOS doing radio management or similar

Wired
* Type of administration

* physical link layer attacks (refer to external standards?)
* complexity of physical interface implementation (firmware)
  * **[ADM-L-0]** Professional administration
  * **[ADM-L-1]** Amateur administration

Wireless
Mapping of use cases to risks and security levels

* All of above plus:
  * data layer level encryption?
  * added complexity of managing RF transmitters
| Use case                                                            | USR     | ACC     | COM     | ADM     |
|---------------------------------------------------------------------|---------|---------|---------|---------|
| UC-WD-1 Wired enterprise device in isolated internal infrastructure | USR-L-0 | ACC-L-0 | COM-L-1 | ADM-L-0 | SC-WD-1
| UC-WD-2 Wired enterprise internal infrastructure device             | USR-L-0 | ACC-L-1 | COM-L-2 | ADM-L-0 | SC-WD-1
| UC-WD-3 Wired enterprise edge device or internet infrastructure     | USR-L-0 | ACC-L-2 | COM-L-2 | ADM-L-0 | SC-WD-2
| UC-WD-4 Wired enterprise worker device on internal network          | USR-L-1 | ACC-L-1 | COM-L-2 | ADM-L-0 | SC-WD-2
| UC-WD-5 Wired stationary home device                                | USR-L-2 | ACC-L-1 | COM-L-0 | ADM-L-1 | SC-WD-3
| UC-WD-6 Wired stationary home gateway                               | USR-L-0 | ACC-L-2 | COM-L-0 | ADM-L-0 | SC-WD-3
| UC-WD-7 Wired stationary public server                              | USR-L-3 | ACC-L-2 | COM-L-1 | ADM-L-0 | SC-WD-4
| UC-WD-8 Wired stationary device for public use                      | USR-L-3 | ACC-L-2 | COM-L-0 | ADM-L-0 | SC-WD-4
| UC-WD-9 Wired mobile device                                         | USR-L-2 | ACC-L-2 | COM-L-0 | ADM-L-1 | SC-WD-4
| UC-WL-1 Wireless mobile enterprise worker device                    | USR-L-1 | ACC-L-2 | COM-L-3 | ADM-L-0 | SC-WL-1
| UC-WL-2 Wireless stationary home device                             | USR-L-2 | ACC-L-1 | COM-L-3 | ADM-L-1 | SC-WL-1
| UC-WL-3 Wireless stationary device for public use                   | USR-L-3 | ACC-L-2 | COM-L-3 | ADM-L-0 | SC-WL-2
| UC-WL-4 Wireless mobile personal device                             | USR-L-2 | ACC-L-2 | COM-L-3 | ADM-L-1 | SC-WL-2
| UC-VI-1 Virtual interface for internal use                          | USR-L-0 | ACC-L-0 | COM-L-0 | ADM-L-1 | SC-VI-1
| UC-VI-2 Virtual interface for external use on private device        | USR-L-2 | ACC-L-2 | COM-L-2 | ADM-L-1 | SC-VI-2
| UC-VI-3 Virtual interface for external use on enterprise device     | USR-L-1 | ACC-L-1 | COM-L-2 | ADM-L-0 | SC-VI-2
| UC-VI-4 Virtual interface for external use on public server         | USR-L-3 | ACC-L-2 | COM-L-2 | ADM-L-0 | SC-VI-2

## 4.4 Security levels
### Security levels

_List the security levels and the use cases that correspond to them._
Mapping of security level to risks

See previous section.
| Security level | USR     | ACC     | COM     | ADM     |
|----------------|---------|---------|---------|---------|
| SC-WD-1        | USR-L-1 | ACC-L-1 | COM-L-2 | ADM-L-0 |
| SC-WD-2        | USR-L-1 | ACC-L-2 | COM-L-2 | ADM-L-0 |
| SC-WD-3        | USR-L-2 | ACC-L-2 | COM-L-0 | ADM-L-1 |
| SC-WD-4        | USR-L-3 | ACC-L-2 | COM-L-0 | ADM-L-1 |
| SC-WL-1        | USR-L-2 | ACC-L-2 | COM-L-3 | ADM-L-1 |
| SC-WL-2        | USR-L-3 | ACC-L-2 | COM-L-3 | ADM-L-1 |
| SC-VI-1        | USR-L-0 | ACC-L-0 | COM-L-0 | ADM-L-1 |
| SC-VI-2        | USR-L-3 | ACC-L-2 | COM-L-1 | ADM-L-1 |

## 4.5 Essential functions
FIXME lookup CVEs - anything from host-generated packets?

https://www.intel.com/content/www/us/en/security-center/advisory/intel-sa-01335.html

## 4.6 Essential functions

_List the essential functions of the product, including:_

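Review bot: the use-case mapping table declares four factor columns in its header and separator rows ("| Use case | USR | ACC | COM | ADM |") but every data row carries a fifth cell (for example "| USR-L-0 | ACC-L-0 | COM-L-1 | ADM-L-0 | SC-WD-1"), so in Markdown the security-level cell falls outside the table and is dropped or rendered as stray text; add a "Security level" column to the header and separator rows and close each row with a trailing pipe. The text also never states how a security level's factor values are derived from the use cases mapped to it; if the intent is the per-factor maximum, several rows of the second table disagree with the first: SC-VI-2 lists COM-L-1 while UC-VI-2, UC-VI-3 and UC-VI-4 are all COM-L-2; SC-WD-4 lists COM-L-0 while UC-WD-7 is COM-L-1; SC-WD-1 lists USR-L-1 while UC-WD-1 and UC-WD-2 are both USR-L-0. UC-VI-1 is scored ADM-L-1 (amateur) although its use-case entry says "Skilled administrator", and UC-WD-7 is scored ACC-L-2 (unfiltered) although its entry says "Behind some firewall"; either the scores or the use-case bullets need to change. Finally, the opening sentence of 4.5 says the manufacturer shall model "the forseeable use of the operating system", which looks carried over from the operating-system document and should read "network interface" here, and "forseeable" should be "foreseeable" in all three places.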
@@ -393,7 +497,7 @@ _List the essential functions of the product, including:_
* _How its functions are configured_
* _How it keeps itself secure and functioning_

.
The essential functions of a network interface


* Bridge host memory and the network
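Review bot: the new line "The essential functions of a network interface" is the lead-in to the bullet list that follows but has no terminal punctuation and is separated from "* Bridge host memory and the network" by two blank lines; end it with a colon and leave a single blank line so it renders as the list's introduction rather than as a dangling sentence fragment.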
@@ -408,23 +512,13 @@ FIXME more functions

FIXME device driver and virtual

## 4.6 Operational Environment

_Describe the expected operating environment given the exclusions in Section 4.2. This includes:_

* _Physical environment (if applicable)_
* _Networks it is connected to_
* _Supporting/associated devices_
* _Supporting/associated software or services_
* _Other relevant context_
## 4.7 Operational Environment

_You may be able to use the following instructions taken from the Common Internet of Things draft:_
The technical requirements of the present document apply under the environmental profile for operation of the equipment, which shall be in accordance with its intended use. The equipment shall comply with all the technical requirements of the present document at all times when operating within the boundary limits of the operational environmental profile defined by its intended use.

_Harmonised Standards not specifying a normative environmental profile should use the following text:_
The network device will operate in the context of a host system and operating system. If the device driver is not included with the product, it will be provided by the operating system or other part of the system. See Risk Distribution FIXME CITE for more details.

_The technical requirements of the present document apply under the environmental profile for operation of the equipment, which shall be in accordance with its intended use. The equipment shall comply with all the technical requirements of the present document at all times when operating within the boundary limits of the operational environmental profile defined by its intended use._

## 4.7 Users
## 4.8 Users

_Describe the classes of users for this product, as differentiated by sophistication in understanding and taking responsibility for security risks. More sophisticated users can be expected to follow more instructions and cope with higher levels of unmitigated risks. Suggestions:_

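Review bot: the adopted Common IoT paragraph now appears twice in this hunk, once de-italicised ("The technical requirements of the present document apply under the environmental profile ...") and once still as the italic template copy at the end of the section, with the template instructions "_You may be able to use the following instructions taken from the Common Internet of Things draft:_" and "_Harmonised Standards not specifying a normative environmental profile should use the following text:_" still interleaved, so the one paragraph that is actually specific to this product ("The network device will operate in the context of a host system and operating system ...") ends up wedged between two template instructions; keep the adopted paragraph once, place the network-device paragraph directly after it, and drop the italic instructions and the duplicate. "See Risk Distribution FIXME CITE" can be resolved now that this commit numbers that section as 4.9. The unchanged context line "_Describe the expected operating environment given the exclusions in Section 4.2._" should be checked against the new numbering, since 4.2 was "Product overview and architecture" before this commit and the exclusion list (items 10 and 11 in the first hunk) sits in the section before it.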
@@ -444,26 +538,34 @@ While users of almost every product with digital elements are also using a netwo

FIXME more users

## 4.8 Risk distribution among components
## 4.9 Risk distribution among components

_Risk can be transferred between components, for example a network interface can document that secure update of its firmware must be handled by an external program, such as an operating system. In turn, the operating system can offer the security functionality of secure updates to other components in a system._

_Describe what risks are delegated to other components, as well as what security functionalities this product offers to things integrated with it._

The following security functionalities are outsourced to the operating system or other external programming device:
_Lego analogy_

### 4.9.1 Risks handled by outside components

* Secure configuration
* Secure update of firmware
* Authentication
* Authorization
The following security functionalities are handled by the operating system or other external device:

* Secure configuration of the network interface
* Provision of cryptographic keys
* Secure update of firmware and/or device driver
* Authentication of users
* Authorization of users
* Deletion of data

### 4.9.2 Security functions provided to other components

The network interface provides the following security functions to other parts of the system:

* Data confidentiality when providing encryption at the physical link layer (WPA2, MACSEC)
* Logging of network-related statistics
* Confidential communication channel when providing encryption at the physical link layer (WPA2, MACSEC)
* Impact minimization (can be programmed to assist processing packets more efficiently)

## 4.9 Support period
## 4.10 Support period

_Describe the expected support period and its impact on security risks. Generally the support period should be at least 5 years, shorter or longer according to the expected period of use. See Article 13.8 and Recitals 59 - 62 of the CRA for more information._
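Review bot: "_Lego analogy_" is left as a bare italic placeholder directly under the 4.9 template text, where a reader will take it for part of the section; either write the analogy or mark it as a FIXME like the other open items in this commit. In 4.9.2, "Impact minimization (can be programmed to assist processing packets more efficiently)" does not say which impact is minimised or against which threat, and elsewhere in this same commit performance features raise the complexity factor (COM-L-1 "Some simple performance features"), so state the threat this mitigates (for instance host CPU exhaustion under a packet flood) or drop the bullet; likewise "Logging of network-related statistics" is only a security function if the statistics are exposed to the host for monitoring, which the bullet should say. The two encryption bullets ("Data confidentiality when providing encryption at the physical link layer (WPA2, MACSEC)" and "Confidential communication channel when providing encryption at the physical link layer (WPA2, MACSEC)") should survive as a single line, and "MACSEC" is conventionally written "MACsec (IEEE 802.1AE)"; WPA2 is a Wi-Fi Alliance certification rather than the link-layer standard, so cite both consistently (standard name with the marketing name in parentheses) if the normative references section will point at them.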