NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems

Short Name: ep_vpn_gw_v2.1

Technology Type: Virtual Private Network

CC Version: 3.1

Date: 08 March 2017

Preceded By: pp_ndcpp_vpn_gw_ep_v2.0

Conformance Claim: None

Protection Profile 

Control Mapping 

PP OVERVIEW

This Extended Package (EP) describes security requirements for a VPN Gateway. This is defined to be a device at the edge of a private network that terminates an IPsec tunnel, which provides device authentication, confidentiality, and integrity of information traversing a public or untrusted network. The EP is intended to provide a minimal, baseline set of requirements that are targeted at mitigating well defined and described threats to VPN Gateway technology. However, this EP is not complete in itself, but rather extends the collaborative Protection Profile for Network Devices (NDcPP) and the collaborative Protection Profile for Stateful Traffic Filter Firewalls (FWcPP).

Assigned to the following Validated Products

• VID10767 – Klas Voyager 1.0
• VID10775 – Cisco ASA and FXOS on Firepower 4100/9300
• VID10793 – Cisco ASA 9.6 with FirePOWER Service v6.1
• VID10805 – Cisco Aggregation Services Router (ASR) 1000 Series, Integrated Services Router (ISR) 4000 Series
• VID10806 – Cisco Cloud Services Router 1000V and Cisco Aggregation Services Router (ASR) 1000 Series
• VID10839 – Palo Alto Networks PA-200 Series, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS v8.0.6
• VID10845 – Brocade FastIron ICX Series Switch/Router 08.0.70 with IPsec VPN Module
• VID10867 – Cisco Integrated Services Router (ISR) 1100 Series, IOS-XE 16.6
• VID10881 – Cisco Adaptive Security Appliances and ASA Virtual Version 9.8
• VID10882 – Cisco Next-Generation Firewalls (NGFW) running ASA version 9.8 and FX-OS version 2.2 on the 4k and 9k families
• VID10883 – Cisco Next-Generation Firewalls (NGFW) running ASA version 9.8 and FX-OS version 2.2 on the 2k family

Related Technical Decisions

• 0356 – OE.CONNECTIONS added to VPN GW v2.1
• 0329 – IPSEC X.509 Authentication Requirements
• 0319 – Updates to FMT_SMF.1 in VPN Gateway EP
• 0317 – FMT_MOF.1/Services and FMT_MTD.1/CryptoKeys
• 0316 – Update to FPT_TST_EXT.2.1
• 0307 – Modification of FTP_ITC_EXT.1.1
• 0248 – FAU_GEN.1 Guidance Activity
• 0242 – FPF_RUL_EXT.1.7, Test 3 - Logging Dropped Packets
• 0209 – Additional DH Group added as selection for IKE Protocols
• 0179 – Management Capabilities in VPN GW EP 2.1