NIAP: Archived U.S. Government Approved Protection Profile - Protection Profile for IPsec Virtual Private Network (VPN) Clients Ver...

NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems
Questions?  We're here to help
  NIAP  »»  Protection Profiles  »»  Archived PPs  »»  Details  
Archived U.S. Government Approved Protection Profile - Protection Profile for IPsec Virtual Private Network (VPN) Clients Version 1.4

Short Name: pp_vpn_ipsec_client_v1.4

Technology Type: Virtual Private Network

CC Version: 3.1

Date: 2013.10.23

Preceded By: pp_vpn_ipsec_client_v1.3

Succeeded By: ep_vpn_cli_v2.0

Sunset Date: 2017.12.26 [Sunset Icon]

Conformance Claim: None

Protection Profile [PDF]



This Protection Profile (PP) supports procurements of commercial off-the-shelf (COTS) IPsec Virtual Private Network (VPN) Clients to provide secure tunnels to authenticated remote endpoints or gateways. This PP details the policies, assumptions, threats, security objectives, security functional requirements, and security assurance requirements for the VPN and its supporting environment.

The primary intent is to clearly communicate to developers the Security Functional Requirements needed to counter the threats that are being addressed by the VPN Client.  The description in the TOE Summary Specification (TSS) of the Security Target (ST) is expected to document the architecture of the product (Target of Evaluation) and the mechanisms used to ensure that critical security transactions are correctly implemented.


This document specifies Security Functional Requirements (SFRs) for a VPN Client.  A VPN provides a protected transmission of private data between VPN Clients and VPN Gateways.  The TOE defined by this PP is the VPN Client, a component executing on a remote access client, using a platform API that enables the VPN client application to interact with other applications and the client device platform (part of the Operational Environment of the TOE).  The VPN Client is intended to be located outside or inside of a private network, and provides a secure tunnel to a VPN Gateway.  The tunnel provides confidentiality, integrity, and data authentication for information that travels across the public network.  All VPN clients that comply with this document will support IPsec.

A VPN Client allows remote users to use client computers to establish an encrypted IPsec tunnel across an unprotected public network to a private network (see Figure 1).  The TOE sits between the public network and entities (software, users, etc.) that reside on the VPN Client’s underlying platform.  IP packets crossing from the private network to the public network will be encrypted if their destination is a remote access VPN Client supporting the same VPN policy as the source network.  The VPN Client protects the data between itself and a VPN Gateway, providing confidentiality, integrity, and protection of data in transit, even though it traverses a public network.

Assigned to the following Validated Product

Active Related Technical Decisions

Archived Related Technical Decisions

Please forward any Protection Profile specific comments to the applicable Technical Rapid Response Team (TRRT).

Please forward any general questions to our Q&A tool.

Site Map              Contact Us              Home