PD 0124: Depth of Protocol or Interface Examination



At its August meeting, the ODRB developed the following PD to provide guidance 
on recent issues brought to its attention. Any comments on this PD will be 
considered at the October ODRB meeting.

TITLE
Depth of Protocol or Interface Examination

ISSUE
If a protocol requires examination, how detailed must that examination be? For 
example, if a network interface accepts TCP connections on a port for a 
specific service, must it also be examined for a response on every other port?

RESOLUTION

Interfaces and protocols that an attacker can reasonably manipulate and that 
have the potential to alter the security behavior of the TOE should be 
considered. 
 
RATIONALE
Decomposition should be performed only as exhaustively as the TOE user's threat 
environment dictates. 

For example, an Internet attacker against a firewall could manipulate datagrams, 
but not the electrical signaling. Further, only certain types of datagrams are 
likely to reach the public interface because of routing. An example of this 
might be a requirement that ICMP traffic is dropped by the router before 
reaching the firewall interface. In this case, an assumption that no hostile 
user will appear between the firewall and the public router may be required, 
and/or that all network attacks are assumed to originate from outside the 
router.





