PD 0132: Terminating Sessions in lieu of Locking Sessions
- Subject: PD 0132: Terminating Sessions in lieu of Locking Sessions
- From: "Observation Decisions Review Board" <faigin@aero.org>
- Date: Thu, 22 Feb 2007 10:28:09 -0800
During its February 2007 meeting, the ODRB issued the following PD:
PD 0132
TITLE
Terminating Sessions in lieu of Locking Sessions
ISSUE
Both the Firewall Protection Profile for MR Environments
(PP_FW_MR2.0_V1.0) and the Traffic-Filter Firewall Protection Profile
for MR Environments (PP_FW_TF_MR_V1.0) include the FTA_SSL.1 and
FTA_SSL.2 functional requirements. FTA_SSL.1 requires the TSF to lock a
local interactive session after a Security Administrator-specified
period of inactivity. FTA_SSL.2 requires that a user (in this case an
administrative user) be able to initiate session locking of the local
interactive session.
Consider a product that wants to claim compliance with these profiles,
yet does not provide the ability to lock a session because the nature of
a session is such that there are no "windows" or persistent information
(i.e., a serial connection). This product terminates the session instead
of locking it. This approach appears to meet the intent of FTA_SSL.1
because it:
* Clears or overwrites display devices making the current contents
unreadable.
* Disables any activity of the user's data access/display device.
* Requires re-identification and re-authentication.
The product also provides administrator guidance that instructs
administrators to terminate their Local Console interactive session when
leaving the Local Console unattended. If an administrator does not
follow this guidance, the unattended session will be terminated by the
TOE after a Security Administrator-specified period of inactivity. This
is argued to meet the intent of FTA_SSL.2.
To address this issue, it is proposed that the following be considered
an acceptable refinement of FTA_SSL.2 that is still in compliance with
the profile:
FTA_SSL.2 User-initiated locking
FTA_SSL.2.1 - Refinement: The TSF shall allow user-initiated session
termination of the user's own Local Console interactive session.
FTA_SSL.2.2 - Refinement: The TSF shall require the user to re-identify
and re-authenticate before re-establishing a Local Console interactive session.
RESOLUTION
It is acceptable to use session termination rather than session locking
for a TOE claiming compliance to these PPs. The application note after
FTA_SSL.2 (which also applies to FTA_SSL.1) explicitly states that these
two components apply only to local administrators.
Because only the administrator accounts are affected, and because the
administrator would need to unlock affected accounts, the proposed
refinement will result in the administrator still having to re-establish
the connection, re-identify, and re-authenticate, all of which meet the
intent of FTA_SSL.2 as stated in the PPs.
RATIONALE
The purpose for locking a session is to ensure that a user must
re-authenticate before getting access to information in that
session. Terminating a session has the same effect, for it requires a
re-authentication before access to the system is granted.