In this paper we describe the method used to develop a gateway capable of meeting the ITSEC E4 requirements. The security policy was formally modelled and proven consistent with the functional specifications by means of an interactive theorem prover. The formalisms were used to assist in the design of the security architecture. Keywords : ITSEC, formal methods, security policy