Development of Security Target for Router Based on ENISA Common Criteria Framework

Abstract

With the development of new technologies, information and communication technologies (ICT) are everywhere in our daily life. For attackers, information and communication technology products are the entry point for attacks, so they can quickly obtain the necessary information or retrieve data to threaten users. The diversity of network devices also increases the probability of attacks, whether software, hardware, or firmware, which could be an opportunity for attackers. The EUCC is based on the ISO/IEC15408 Common Criteria for Information Technology Security Certification, an international framework agreement that provides guidelines for evaluating and certifying ICT products. When a developer submits a product for evaluation, they need to design a security target (ST) for the product, which includes an overview of the product, security features, and an assessment of potential security threats. During the development of the security target, a preliminary analysis of the possible threats on the network device is performed, the security objectives are proposed for the threats, and finally, the security functional requirements are designed. In this study, we take a router as an example and perform a gap analysis between the possible threats faced by an unregulated router and the development of a security standard document related to routers based on the Common Criteria framework. Finally, we present a list of features reported as compliant with the Common Criteria framework to improve their router products.