PD 0123: Defining Protocols as Internal or External Interfaces



At its August meeting, the ODRB developed the following PD to provide guidance 
on recent issues brought to its attention. Any comments on this PD will be 
considered at the October ODRB meeting.

TITLE 
Defining Protocols as Internal or External Interfaces

ISSUE
Systems whose components communicate over network protocols may expose those 
interfaces to threats that affect the TOE. The CAPP, in particular, assumes 
(A.PEER) that the TOE communicates only with similarly managed systems. Note 
that it does not require every such system to be the same product as the product 
under evaluation, only that the systems be managed similarly under congruent 
policies. This allows a heterogeneous network, in which threat systems may be 
present while the CAPP A.PEER assumption is still satisfied. Should the 
interface or protocol in that case be treated as internal or external?

RESOLUTION

If an interface can affect the operation of the TOE and is accessible to 
systems that are not the evaluated product and lie outside the evaluated TOE, 
it is considered an external interface.

If the product provides networking services and there is no explicit assumption 
that the network environment is homogeneous, the network protocols are 
likewise considered an external interface.

RATIONALE

The evaluator should be concerned with anything that can affect the operation 
of the security functions of the TOE, based on the level of threat the TOE 
experiences in its expected environment. The presence of untrusted systems on a 
heterogeneous network (and, from the point of view of a particular evaluation, 
any product other than the product under evaluation is an unevaluated product) 
introduces threats that do not exist when the network is homogeneous.

For example, RPC may be an appropriate protocol to use on a closed network 
consisting only of similarly managed, trusted systems. Adding a potentially 
hostile system to that network means RPC becomes an external interface and 
must be evaluated for vulnerabilities.





