NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems

Short Name: ep_vpn_gw_v2.1

Technology Type: Virtual Private Network

CC Version: 3.1

Date: 2017.03.08

Preceded By: pp_ndcpp_vpn_gw_ep_v2.0

Succeeded By: mod_vpngw_v1.0

Sunset Date: 2019.12.31

Conformance Claim: None

Protection Profile 

Control Mapping 

PP OVERVIEW

This Extended Package (EP) describes security requirements for a VPN Gateway. This is defined to be a device at the edge of a private network that terminates an IPsec tunnel, which provides device authentication, confidentiality, and integrity of information traversing a public or untrusted network. The EP is intended to provide a minimal, baseline set of requirements that are targeted at mitigating well defined and described threats to VPN Gateway technology. However, this EP is not complete in itself, but rather extends the collaborative Protection Profile for Network Devices (NDcPP) and the collaborative Protection Profile for Stateful Traffic Filter Firewalls (FWcPP).

Assigned to the following Validated Products

• VID10882 – Cisco Next-Generation Firewalls (NGFW) running ASA version 9.8 and FX-OS version 2.2 on the 4k and 9k families
• VID10887 – Junos OS 17.4R2 for vSRX
• VID10889 – Cisco FTD (NGFW) 6.2 on Firepower 4100 and 9300 Series with FireSIGHT (FMC) and FMCv
• VID10890 – Cisco FTD (NGFW) 6.2 on ASA 5500-X and FTDv with FireSIGHT (FMC) and FMCv
• VID10891 – Cisco FTD (NGFW) 6.2 on Firepower 2100 Series with FireSIGHT (FMC) and FMCv
• VID10897 – PacStar 351, 451, 455 or 551 with Cisco ASAv Version 9.6
• VID10909 – Cisco Embedded Services Router (ESR) 5900 Series
• VID10910 – Compact Rugged Router, Series 1000 (CRR-1000), v1.0
• VID10914 – SonicWall SonicOS Enhanced V6.5.2 with VPN and IPS on TZ, SOHOW, NSA, and SM Appliances
• VID10917 – Cisco ASA with FirePOWER Services, ASA 9.8 and ASDM 7.8 with FirePOWER Services 6.2
• VID10951 – Cisco Aggregation Services Router 1000 Series (ASR1K) and Integrated Services Router 4000 Series (ISR4K) running IOS-XE 16.9
• VID10952 – Cisco Cloud Services Router 1000V (CSR1000V), Aggregation Services Router 1000 Series (ASR1K), Integrated Services Router 1100 Series (ISR1100), and Integrated Services Router 4000 Series (ISR4K) running on IOS-XE 16.9
• VID10971 – SilentEdge Enterprise Server and GoSilent Client
• VID10975 – Aruba Mobility Controller Series with ArubaOS 8.2
• VID10990 – Check Point Software Technologies Ltd. Security Gateway Appliances R80.30
• VID10996 – Apriva MESA VPN
• VID11010 – Junos OS 19.2R1 for NFX150
• VID11012 – Junos OS 19.1R2 for MX series with MultiServices MPC
• VID11017 – Rugged Crystal Firewall RCS5516FW 9.8
• VID11028 – SonicWall SonicOS Enhanced V6.5.4 with VPN and IPS on TZ and SOHO Appliances
• VID11033 – Cisco IR1101 Integrated Services Router
• VID11035 – Junos OS 19.2R1-S3 for vSRX
• VID11037 – Junos OS 19.1R2 for MX104 with Multiservices MIC MS-MIC-16G
• VID11052 – Aruba Remote Access Point Series with Aruba Mobility Controllers, running AOS 8.2
• Junos OS 19.2R1 for SRX300, SRX320, SRX340, SRX345, SRX345-DUAL-AC and SRX550M Series
• Junos OS 19.2R1 for SRX1500, SRX4100, SRX4200 and SRX4600 Series
• Fortinet FortiGate 6000 Series w/ FortiOS 5.6
• Junos OS 19.2R1-S2 for SRX5400, SRX5600 and SRX5800 Series

Archived Related Technical Decisions

• 0436 – IPsec protocol ESP algorithms
• 0356 – OE.CONNECTIONS added to VPN GW v2.1
• 0329 – IPSEC X.509 Authentication Requirements
• 0319 – Updates to FMT_SMF.1 in VPN Gateway EP
• 0317 – FMT_MOF.1/Services and FMT_MTD.1/CryptoKeys
• 0316 – Update to FPT_TST_EXT.2.1
• 0307 – Modification of FTP_ITC_EXT.1.1
• 0248 – FAU_GEN.1 Guidance Activity
• 0242 – FPF_RUL_EXT.1.7, Test 3 - Logging Dropped Packets
• 0209 – Additional DH Group added as selection for IKE Protocols
• 0179 – Management Capabilities in VPN GW EP 2.1