Xerox  Multi-Function Device Security Target 
 
34 
Copyright © 2013 Xerox Corporation. All rights reserved.
The following actions could be considered for the management functions in FMT:
a) definition of the role(s) that are allowed to perform the management activities;
b) management of the conditions under which direct forwarding can be allowed by an administrative role;
c) revocation of such an allowance.
Audit: FPT_FDI_EXP.1
The following actions should be auditable if FAU_GEN Security Audit Data Generation is included in the PP/ST:
a) There are no auditable events foreseen.
Rationale: 
Quite often a TOE is supposed to perform specific checks and process data received on one external interface before such (processed) data is allowed to be transferred to another external interface. Examples are firewall systems, but also other systems that require a specific workflow for the incoming data before it can be transferred. Direct forwarding of such data (i.e. without processing the data first) between different external interfaces is therefore a function that – if allowed at all – can only be allowed by an authorized role.
It has been viewed as useful to have this functionality as a single component that allows specifying the property to disallow direct forwarding and require that only an authorized role can allow this. Since this is a function that is quite common for a number of products, it has been viewed as useful to define an extended component.
The Common Criteria defines attribute-based control of user data flow in its FDP class. However, in this Security Target, the authors needed to express the control of both user data and TSF data flow using administrative control instead of attribute-based control. It was found that using FDP_IFF and FDP_IFC for this purpose resulted in SFRs that were too unwieldy for refinement in a Security Target. Therefore, the authors decided to define an extended component to address this functionality.
This extended component protects both user data and TSF data, and could therefore be placed in either the FDP or FPT class. Since its purpose is to protect the TOE from misuse, the authors believed that it was most appropriate to place it in the FPT class. It did not fit well in any of the existing families in either class, and this led the authors to define a new family with just one member.
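As an added illustration (not code from the Security Target or from Xerox), the following model shows the behaviour the management functions a) to c) and the rationale above describe: unprocessed ("direct") transfers between two external interfaces are denied by default, only an administrative role can enable or revoke an allowance, and processed data is never blocked by this component. The role name "Administrator", the interface names and the decision trace are constructed assumptions for the example.

```python
from dataclasses import dataclass, field

# Assumed: the role(s) allowed to perform the FPT_FDI_EXP.1 management
# activities (management function a). Constructed for this example.
MANAGEMENT_ROLES = {"Administrator"}


@dataclass
class ForwardingPolicy:
    """Default-deny direct forwarding between external interfaces."""
    # (src, dst) pairs for which an administrative role enabled direct forwarding
    allowed_pairs: set = field(default_factory=set)
    # Decision trace kept only for illustration; the component foresees no audit events
    decisions: list = field(default_factory=list)

    def allow_direct(self, role, src, dst):
        """Management function b): only an administrative role may allow direct forwarding."""
        if role not in MANAGEMENT_ROLES:
            self.decisions.append(f"REJECT allow_direct {src}->{dst} by role={role}")
            return False
        self.allowed_pairs.add((src, dst))
        self.decisions.append(f"ENABLE direct {src}->{dst} by role={role}")
        return True

    def revoke_direct(self, role, src, dst):
        """Management function c): revocation of such an allowance, again by an administrative role."""
        if role not in MANAGEMENT_ROLES:
            self.decisions.append(f"REJECT revoke_direct {src}->{dst} by role={role}")
            return False
        self.allowed_pairs.discard((src, dst))
        self.decisions.append(f"REVOKE direct {src}->{dst} by role={role}")
        return True

    def forward(self, src, dst, processed):
        """Gate a transfer from one external interface to another.

        Data that went through the TOE's own processing always passes this
        component; unprocessed (direct) data passes only if an allowance exists.
        """
        if processed:
            return True
        allowed = (src, dst) in self.allowed_pairs
        if not allowed:
            self.decisions.append(f"BLOCK direct {src}->{dst}: no allowance")
        return allowed
```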
FPT_FDI_EXP.1 Restricted forwarding of data to external interfaces
Hierarchical to: No other components.
Dependencies: FMT_SMF.1 Specification of Management Functions
FMT_SMR.1 Security roles.