NCOIC Secure Formatted Information Exchange Gateway (SFIEG) Pattern 1

IA WG

NCOIC Secure Formatted Information Exchange Gateway (SFIEG) Pattern 1.2

Verification Statement

Note to submitter: This form contains a series of questions that need to be answered. Please complete ALL the fields in the questionnaire below to produce a Verification Statement for your Secure Formatted Information Exchange Gateway system. Your completed form should be submitted to the Certification Authority when you register for certification. Please ensure that you use the current version of the questionnaire (available on the certification web site) for your submission. See the Guide to the NCOIC Certification for more information. Please note that this Verification Statement and the information contained herein will NOT appear on the public register of certified products.

1. Submitter Information

Enter the full name of the organization that is registering this product and the name of the author of this Verification Statement.

Organization:

Author:

2. Product Information

2.1. Identifier and Version

Please provide an identifier and version number for your Secure Formatted Information Exchange Gateway system. The identifier and version are the same ones used to register your product for certification and as specified on your product’s Conformance Statement.

Product Identifier:

Product Version:

3. Implementation of Mandatory Pattern Requirements

Rationale:

SFIEG systems must implement ALL of the behaviors marked as "SHALL" in the SFIEG Pattern Requirements.

Question 1: Verify by Inspection that the following mandatory Pattern Requirements have been implemented in the Secure Formatted Information Exchange Gateway.

This section identifies the full set of mandatory behaviors implemented and verified in the system, whether or not each behavior is used/enabled in each of the operational environments in which the product is deployed.

Response:

Table 1. Mandatory Requirements to be Verified by Inspection

ID / SHALL Requirements / Evidence of Verification
(Enter Y or N)
SFIEG-04 / The device shall provide the framework for a portal between two networks classified at different levels of sensitivity / Security Policy Inspected ( )
SFIEG-08 / The device shall have two data interfaces / Data Interface specification Inspected ( )
SFIEG-13 / The device shall determine the sensitivity of a message or field by reference to explicit markers within the message or associated with the field / Data Interface specification Inspected ( )
SFIEG-17 / The device shall inspect the message and determine whether the message is to be processed as Rejection, Censoring, or Forwarding / SW Design Inspected ( )
SFIEG-27 / The device shall provide for the rules for message processing to be input, securely, to the device by parameters / Security Policy and SW Design Inspected ( )
SFIEG-29 / The device shall provide for the secure use, for the input of rules, of a suitably featured markup language. / SW Design Inspected ( )

Question 2: Verify by performing the following test cases that the following mandatory Pattern Requirements have been implemented in the Secure Formatted Information Exchange Gateway

Response:

Table 2. Mandatory Requirements to be Verified by Testing

ID / SHALL requirements / Evidence of Verification
(Enter Y or N)
SFIEG-05 / The device shall provide a framework to prevent data of greater sensitivity on one network from being ported to the other network.
NOTE this sensitivity is determined by marking of the data. Data classified as ‘sensitive’ is not determined by a scale of sensitivity, but by its marked releasability / Blackbox Test
Tested ( )
SFIEG-09 / The device shall have a data input interface. / Blackbox Test
Tested ( )
SFIEG-10 / The device shall have a data output interface. / Blackbox Test
Tested ( )
SFIEG-11 / The device shall have a parameter input interface. / Blackbox Test
Tested ( )
SFIEG-12 / The device shall handle messages only in a fixed format. / Blackbox Test
Tested ( )
SFIEG-14 / The device shall assemble the packets, forming message packets into complete messages. / Blackbox Test
Tested ( )
SFIEG-15 / The device shall determine by inspection whether any message or part of the message is marked in a way indicating it must be further processed. / Blackbox Test
Tested ( )
SFIEG-16 / The device shall inspect the assembled message according to the inspection rules provided and decides what action is to be taken on the message. / Blackbox Test
Tested ( )
SFIEG-23 / The device shall, if the message is not passed on in any form, provide the option of further action, that may be taken including the following: diversion of the message to a secure store, returning of message to its originator, notification of refusal to message originator. / Blackbox Test
Tested ( )
SFIEG-25 / If a message is passed on, the device shall, following the processing of the stored message, output the message by disassembling it into packets and sending those packets forward. / Blackbox Test
Tested ( )
SFIEG-26 / The choice of options and the position of fields shall be specified by parameters input to the device in a secure manner. / Blackbox Test
Tested ( )
SFIEG-28 / The device shall provide for the location of fields to be used in message processing, to be input, securely, to the device by parameters. / Blackbox Test
Tested ( )
Approved for Public Release
NCOIC-SFIEG Verification Statement-20100329 / NCOIC Verification Statement for Secure Information Exchange Gateway Pattern
NCOIC Information Assurance WG / Version 1.2a / Page 1 / 13
IA WG

Table 3. Test Cases for Mandatory Requirements

Unique
Test ID / Subject / Secure
Function[1] / Requirement
Condition / Verification
Action / Expected
Results / Evidence of Verification Results
(Enter Y if expected behavior was observed or N if results are missing or inconsistent) /
SFIEG-04 / The device provides the framework for a portal between two networks classified at different levels of sensitivity. / Within the configuration, the device offers the possibility to manage the interface for a domain on the INPUT side and the interface for a domain on the OUTPUT side
NOTE : The SFIEG function is unidirectional but the device can be bidirectional. If the device is bidirectional, the same directional test case will be used in both directions. / Inspection of Security Policy:
Examine the device configuration data. / The device offers a configuration mechanism that manages the interface to the domain on the INPUT side and the interface to the domain on the OUTPUT side of the Device.
SFIEG-05 / The device provides a framework to prevent data of greater sensitivity on one network from being transported to the other network. / Blackbox Test:
Prepared test objects are sent from INPUT side to OUTPUT.side / · Test objects whose marker fields indicate unreleasable data are blocked
· Test objects whose marker fields indicate releasable data are allowed to pass
· A log entry is created if the message is blocked
SFIEG-08 / The device has two data interfaces. / True / The device hardware is present. / Inspection of Interfaces: / Two different interfaces are found.
SFIEG-09 / The device has a data input interface. / True / Test objects are prepared, with different values in the specified marker fields. / Blackbox Test:
Prepared test objects are sent from INPUT side to OUTPUT side. / SFIEG accepts test objects for processing.
SFIEG-10 / The device has a data output interface. / True / Test objects whose marker fields indicate releasable data are placed ready / Blackbox Test:
· Prepared test objects are sent from INPUT side to OUTPUT side
· Data output is monitored / Test objects that are allowed to pass drop out of the OUTPUT interface.
SFIEG-11 / The device has a parameter input interface. / True / The device needs parameters to perform its task. A mechanism that provides a correctly configured set of parameters is made ready
(Compare SFIEG-26). / Blackbox Test:
Action 1: the device is started with the correctly configured set of parameters.
Action 2: the device is started, but without a configured set of parameters. / Action 1
the device starts processing messages because the parameter input interface can find configuration data.
Action 2
· the device does not start processing messages because the device cannot find a correctly configured set of parameters.
· An error log is created.
SFIEG-12 / The device handles messages only in a fixed format. / True / The device can only handle messages that have the specified format. Therefore, a test message with a wrong format is placed ready (e.g., a wrong message format)
NOTE : The pattern only handles messages in fixed format. It makes no claim. to anything more. Fixed format message handling forming part of a mixed gateway could be compliant with the provisions of this pattern, without further work to the pattern. It is a matter of semantics to find a description of a situation where a subset of a set of requirements are fully compliant with a specification. / Blackbox Test:
Test object is sent from INPUT side to OUTPUT side. / · The test object is blocked.
· Log shows that format was wrong.
SFIEG-13 / The device determines the sensitivity of a message or field by reference to explicit markers within the message or associated with the field. / True / The device can only handle messages that have the specified format. Part of the format is the explicit marker for sensitivity. / Inspection of Message Format:
Inspect test data of Test IDs SFIEG-05 and SFIEG-15. / · Test data of Test ID SFIEG-05 have markers for sensitivity.
· Test data of Test ID. SFIEG-15 do not have markers for sensitivity.
SFIEG-14 / The device assembles the packets, forming message packets into complete messages. / A test message divided into several packets is placed ready.
Sensitivity of the test message is marked as releasable. / Blackbox Test:
· Packets are sent one by one to the device.
· Analyzer monitors output interface. / · If the last packet is sent to the device, the whole message is assembled by the device.
· Only when the message is complete can the sensitivity check be processed (see log file for results).
· The complete message is separated again into packets that are found at the device output interface.
(See SFIEG-25)
SFIEG-15 / The device determines by inspection whether any message or part of the message is marked in a way indicating it must be further processed. / Â test message is placed ready where the marker field content is empty. / Blackbox Test:
Test object is sent from INPUT side to OUTPUT side. / · Test object is blocked.
· Log shows that message is not marked.
SFIEG-16 / The device inspects the assembled message according to the inspection rules provided and decides what action is to be taken on the message. / True / · A test message with the wrong format is placed ready; the message will not be accepted by the device.
· A test message with the correct format is placed ready; the message will be accepted by the device.
· a client is installed on the OUTPUT Side. / Blackbox Test:
Each test object is sent from INPUT side to OUTPUT side. / First message:
· Test object is blocked.
· Log shows that format is wrong.
Second message:
· Test object is allowed to pass.
· It appears on the client on the OUTPUT side.
SFIEG-17 / The device inspects the message and determines whether the message is to be processed as rejection, censoring, or forwarding. / See SFIEG-16
SFIEG-23 / If the message is not passed on in any form, the device provides the option of further action that may be taken, including the following:
· Diversion of message to a secure store,
· Returning of message to its originator,
· Notification of refusal to message originator. / A prepared test object marked as unreleasable is placed ready / Blackbox Test:
Message is sent to an addressee on the OUTPUT side from a message client on the INPUT side of the device. / · Message is blocked
· A log is created
and
· Message is diverted to a secure store.
or
· Notification is sent to originator.
SFIEG-25 / If a message is passed on , following the processing of the stored message, the device outputs the message by disassembling it into packets and sending those packets forward. / See SFIEG-14. / Blackbox Test:
· Packets are sent one by one to SFIEG.
· Analyzer monitors output interface. / Packets are leaving output interface.
(Compare SFIEG-14)
SFIEG-26 / The choice of options and the position of fields are specified by parameters input to the device in a secure manner. / The device needs parameters to perform its task. Two files with these parameters are placed ready
· Parameters of the first file are signed by a permitted administrator (role).
· Parameters of the second file are not signed by a permitted administrator.
(See SFIEG-11) / Blackbox Test:
Action 1:
· First file with parameters is placed ready
· First file is signed by a permitted administrator
· The device is started.
Action 2:
· Second file with parameters is placed ready
· Second file is not signed by permitted administrator (not signed or signed by an unauthorized administrator) .
· The device is started. / Action 1: SFIEG starts because the parameter input interface can find configuration data and the file is signed by a permitted administrator in a secure manner.
Action 2:
· The device does not start, because the device can find the input interface parameter, but it is not signed by an administrator in a secure manner .
· An error log is created.
SFIEG-27 / The device provides for the rules for message processing to be input, securely, to the device by parameters. / · Security policy exists.
· Development specification exists. / Inspection:
The security policy and the specification are compared. / Development specification shows, that the security policy for the secure input of the rules is fulfilled.
SFIEG-28 / The device provides for the location of fields to be used in message processing, to be input, securely, to the device by parameters. / True / Sensitivity marker inside a message shall be protected against manipulation. Therefore, the security part of a message is protected by the signature of a permitted sender (role).
1. Message 1 with a sensitivity marker not signed by a permitted sender role is placed ready.
2. Message 2 with a sensitivity marker signed by a permitted sender role is available. / Blackbox Test:
Action 1
Message 1 is sent to the OUTPUT side.
Action 2
Message 2 is sent to the OUTPUT side. / Action 1
· Security marker is recognized as not secure.
· Message is blocked.
· Event is logged.
Action 2
· Security marker is recognized as secure.
· Message is allowed to pass.
· Event is logged.
SFIEG-29 / The device provides for the secure use, for the input of rules, of a suitably featured markup language. / See SFIEG-26
The rules and parameters are defined in XML
NOTE : The SFIEG-28 allow different types of Marking, SFIEG-29 is a mandatory requirement to use at least markup language . The Device shall at least provide a markup language functionality (see SFIEG 29) ; other means or functions could be added and are optional (see SFIEG 28). In this sense, there is no change to make in the pattern for these two requirements but additional optional requirements could be added in the future in the pattern with different tests in the verification statement. / Inspection of parameters and rules file. / Rules and parameters are expressed in XML.
Approved for Public Release
NCOIC-SFIEG Verification Statement-20100329 / NCOIC Verification Statement for Secure Information Exchange Gateway Pattern
NCOIC Information Assurance WG / Version 1.2a / Page 1 / 13
IA WG

4. Implementation of Optional Pattern Requirements

Rationale: