The Checkmark VPN test is designed to ensure that VPNs achieve a basic level of functionality in that they:
- Allow a secure point to point link between two networks
- Allow a secure point to point link between a roaming client and a network (optional)
- Enforce a reasonable level of encryption and data integrity for the data contained within the VPN tunnel
- Provide a secure key-exchange mechanism for all devices participating in a VPN
- Provide authentication and access control mechanisms to restrict resource access on a per-user or per-group level (optional)
- Provide packet filtering or proxy services within the tunnel to restrict tunnel traffic to specific protocols or source/destination points (optional)

Configuration
- The product is to be configured to provide the various services and enforce the various restrictions specified in this document
- Products can be provided either as a complete turnkey hardware and software solution, or as software only to be installed on our own hardware (the specification of which will be provided on request)
- All products are to be provided initially with an out of the box configuration. This is to allow us to form an objective opinion on (a) the amount of effort needed to configure the product from scratch, and (b) the likelihood that an end user may mis-configure the product
- Software-based products will be installed on a clean version of the native operating system. The host machine will be wiped and returned to a steady state after each test. Products from different vendors will not be installed side by side on the same machine
- Vendors will be encouraged to provide advice on the most appropriate means to achieve the necessary configuration. If no such advice is forthcoming, NSS Group staff will attempt to provide the best configuration possible from information contained in the manuals.
- Vendors will be encouraged to visit the testing lab to effect the necessary configuration under direct supervision of NSS Group laboratory staff
- In the event multiple methods of achieving the same result are available, the vendor should advise on the most secure option
- It is assumed that the underlying OS will be hardened as required and/or have the latest security fixes applied during installation. No patches or configuration options will be allowed which are not available to the general public either in a current release or via a recognised and generally available support source

Test Environment
NSS Network Testing Laboratories maintains a dedicated test network for Checkmark accreditation (network diagram can be viewed here).
- The test environment consists of two distinct Head Office networks (network A and network B) and a Remote Office network.
- Each network consists of a Telnet host, DNS server, SMTP/POP3 server, FTP server, file/print server, Web server and various clients. Clients can be attached at different points on the test bed in order to appear as network clients (working via a gateway-to-gateway VPN) or remote clients (running a client-to-gateway VPN).
- Machines are not configured in a secure manner; they rely totally on the protection of the firewall (if installed) and the VPN.
- Two edge router devices (on which VPN server software will be installed) are the only links between the two Head Office networks and the Remote Office network. No packet filtering will be configured on these routers; all protection must be provided by the firewall (if installed) and VPN devices.
- A network monitor, protocol analyser and security monitor are installed on each network
- The configuration of all machines remains constant between tests, with all machines wiped and returned to a steady state after each test.

Services
In order to accommodate the entire test suite, a number of default tunnels can be defined following installation:
- Gateway-gateway: no restrictions on services
- Client-gateway (if available): no restrictions on services
- Gateway-gateway: traffic restricted to HTTP and FTP
- Gateway-gateway: user access restricted
- Client-gateway (if available): traffic restricted to HTTP and FTP
- Client-gateway (if available): user access restricted
For the majority of tests, the VPN is to be configured to allow all typical services such as:
If the VPN offers such a facility, part of the certification will involve restricting services to just two protocols (HTTP and FTP), following which we will attempt to force restricted packets through the open tunnel.

Management
Management of the VPN will be evaluated using the following criteria:
- Local console must be secure
- Management console should not be open to the external network
- The VPN configuration should be fully protected and tamper proof (except from an authorised management station)
- Full authentication is required for the administrator for local administration
- Full authentication and an encrypted link are required for remote administration. If the remote link cannot be encrypted, there should be the ability to disable it.

Penetration Tests
A range of penetration tests will be carried out using commonly-available firewall scanning tools (NAI CyberCop Scanner and ISS Internet Scanner) as well as custom-built utilities. All tools will be configured with full knowledge of both the VPN and network configuration:
- Check that the VPN management console is not available to any users unless authenticated
- Check that the remote management link (if available) is encrypted or can be disabled
- Check that the VPN configuration is fully protected and tamper proof
- Check that the VPN is resistant to a range of known Denial of Service (DoS) attacks
- Check that the VPN has no known vulnerabilities.
- Check that the VPN does not allow uncontrolled access to the networks behind it if traffic is restricted (see Services)
- Check that the VPN does not pass mis-configured packets to the networks behind it if traffic is restricted (see Services)
- Check that the VPN correctly enforces access control policy on a per user and/or per group basis
The following tests will be performed only on products designed to act as true edge/tunnel termination devices (i.e. with some firewall capability built in):
- Stage 1: Probe the VPN device from the trusted network with no tunnel established
- Stage 2: Probe the VPN device from the untrusted network (Internet)
- Stage 3: Attempt to establish tunnels using incorrect credentials
- Stage 4: Establish a valid tunnel (gateway-gateway and optionally client-gateway) and ensure that data is being encrypted
- Stage 5: Probe the head office networks from the remote network with a valid gateway-gateway tunnel established, and attempt to violate tunnel traffic policy (i.e. pass prohibited protocols, etc.)
- Stage 6: Probe the head office networks from the remote network with a valid client-gateway tunnel established, and attempt to violate tunnel traffic policy (i.e. pass prohibited protocols, etc.)
- Stage 7: Probe the head office networks from the remote network with a valid gateway-gateway tunnel established, and attempt to violate access control policy (i.e. user attempts to access restricted resources, etc.)
- Stage 8: Probe the head office networks from the remote network with a valid client-gateway tunnel established, and attempt to violate access control policy (i.e. user attempts to access restricted resources, etc.)

Crypto Tests
A range of tests will be applied to the cryptographic capabilities of the VPN in order to ensure that data is encrypted and integrity is maintained.
The following tests will be performed:
- Stage 9: Ensure tunnels can be negotiated using dynamic and static keys
- Stage 10: Ensure all data passing through the tunnel is encrypted and integrity is maintained
- Stage 11: Analyse encrypted data for obvious patterns or weaknesses
- Stage 12: Attempt to replay encrypted packets with amended contents and ensure that these are rejected and reported
- Stage 13: Confirm integrity of crypto functionality via implementation questionnaire
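The properties Stages 10 to 12 look for at a tunnel endpoint, as an added illustration that is not part of the NSS document or any tested product: per-packet integrity tags so amended contents are rejected and logged, an anti-replay window so replayed packets are rejected and logged, and a capture-level check for repeated ciphertext blocks. All keys, the packet layout and the stand-in keystream cipher are constructed for the example.

```python
import hashlib, hmac, struct
from collections import Counter

# Constructed model of what Stages 10 to 12 exercise at a tunnel endpoint: a
# sequence number, an HMAC-SHA256 integrity tag and an IPsec-style sliding
# anti-replay window; the cipher is a stdlib keystream bound to the seq number.
KEY_ENC = b"constructed-encryption-key"
KEY_MAC = b"constructed-integrity-key"
WINDOW = 64   # packets with seq <= highest - WINDOW are too old to accept

def keystream(seq, n):
    out, ctr = b"", 0
    while len(out) < n:   # counter-mode keystream unique to this packet's seq
        out += hmac.new(KEY_ENC, struct.pack(">IQ", seq, ctr), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(seq, plaintext, reuse_keystream=False):
    # packet = seq || ciphertext || tag; reuse_keystream=True models a broken
    # implementation that encrypts every packet under the same keystream
    ks = keystream(0 if reuse_keystream else seq, len(plaintext))
    hdr = struct.pack(">I", seq)
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    return hdr + ct + hmac.new(KEY_MAC, hdr + ct, hashlib.sha256).digest()

class Receiver:
    def __init__(self):
        self.highest, self.seen = 0, set()
        self.rejected = []   # (seq, reason): what the VPN log must record

    def open(self, packet):
        hdr, ct, tag = packet[:4], packet[4:-32], packet[-32:]
        (seq,) = struct.unpack(">I", hdr)
        expect = hmac.new(KEY_MAC, hdr + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):   # amended contents (Stage 12)
            self.rejected.append((seq, "integrity"))
            return None
        if seq <= self.highest - WINDOW or seq in self.seen:   # replayed packet
            self.rejected.append((seq, "replay"))
            return None
        self.highest = max(self.highest, seq)
        self.seen = {s for s in self.seen if s > self.highest - WINDOW} | {seq}
        return bytes(a ^ b for a, b in zip(ct, keystream(seq, len(ct))))

def looks_patterned(packets, block=16):
    # Stage 11 style check: identical ciphertext blocks across a capture betray
    # keystream reuse or ECB-like behaviour even when every packet verifies
    counts = Counter()
    for p in packets:
        ct = p[4:-32]
        counts.update(ct[i:i + block] for i in range(0, len(ct) - block + 1, block))
    return any(c > 1 for c in counts.values())
```

The rejected list is the information a tester would expect to find in the VPN log files (see Results); a product that silently drops a tampered or replayed packet fails the "rejected and reported" requirement even though the packet never reached the protected network.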

Results
Protocol analysers, network monitors and advanced security monitoring tools are used during initial configuration and throughout the testing, both to validate the configuration and confirm the test results.
- The VPN should only allow tunnels to be negotiated between two trusted hosts (via static and/or dynamic key exchange)
- All data travelling through the tunnel is to be encrypted and integrity maintained
- Encrypted data to show no obvious signs of patterns, repetitions or other weaknesses
- Compromised tunnel data to be rejected and reported
- Crypto implementation proved via questionnaire
- No access between trusted networks is permitted except via correctly negotiated VPN tunnels
- No access to trusted networks is permitted from the untrusted network (Internet)
- No illegal traffic is to be permitted on any protected network
- No access to the management console or VPN configuration files is to be allowed
- VPN log files to log all completed and rejected attempts to initiate and use a tunnel
- VPN is to remain running through DoS attacks (both generic IP and OS-specific attacks). Where it is recognised that a particular DoS attack has no defence, the VPN should terminate gracefully (leaving connections securely closed).
- Log files to remain intact through all attacks
- The management console must remain available and secure

Accreditation
- Accreditation will be awarded as a simple Pass or Fail
- In the event the VPN fails accreditation, the vendor will be provided with all the necessary information to allow them to rectify the problem