NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems

Short Name: ep_vpn_gw_v2.1

Technology Type: Virtual Private Network

CC Version: 3.1

Date: 2017.03.08

Preceded By: pp_ndcpp_vpn_gw_ep_v2.0

Conformance Claim: None

Protection Profile 

Control Mapping 

PP OVERVIEW

This Extended Package (EP) describes security requirements for a VPN Gateway. This is defined to be a device at the edge of a private network that terminates an IPsec tunnel, which provides device authentication, confidentiality, and integrity of information traversing a public or untrusted network. The EP is intended to provide a minimal, baseline set of requirements that are targeted at mitigating well defined and described threats to VPN Gateway technology. However, this EP is not complete in itself, but rather extends the collaborative Protection Profile for Network Devices (NDcPP) and the collaborative Protection Profile for Stateful Traffic Filter Firewalls (FWcPP).

Assigned to the following Validated Products

• VID10767 – Klas Voyager 1.0
• VID10775 – Cisco ASA and FXOS on Firepower 4100/9300
• VID10793 – Cisco ASA 9.6 with FirePOWER Service v6.1
• VID10805 – Cisco Aggregation Services Router (ASR) 1000 Series, Integrated Services Router (ISR) 4000 Series
• VID10806 – Cisco Cloud Services Router 1000V and Cisco Aggregation Services Router (ASR) 1000 Series
• VID10839 – Palo Alto Networks PA-200 Series, PA-500, PA-800 Series, PA-3000 Series, PA-5000 Series, PA-5200 Series, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS v8.0.6
• VID10845 – Brocade FastIron ICX Series Switch/Router 08.0.70 with IPsec VPN Module
• VID10867 – Cisco Integrated Services Router (ISR) 1100 Series, IOS-XE 16.6
• VID10881 – Cisco Adaptive Security Appliances and ASA Virtual Version 9.8
• VID10882 – Cisco Next-Generation Firewalls (NGFW) running ASA version 9.8 and FX-OS version 2.2 on the 4k and 9k families
• VID10883 – Cisco Next-Generation Firewalls (NGFW) running ASA version 9.8 and FX-OS version 2.2 on the 2k family
• VID10887 – Junos OS 17.4R2 for vSRX
• VID10889 – Cisco FTD (NGFW) 6.2 on Firepower 4100 and 9300 Series with FireSIGHT (FMC) and FMCv
• VID10890 – Cisco FTD (NGFW) 6.2 on ASA 5500-X and FTDv with FireSIGHT (FMC) and FMCv
• VID10891 – Cisco FTD (NGFW) 6.2 on Firepower 2100 Series with FireSIGHT (FMC) and FMCv
• VID10897 – PacStar 351, 451, 455 or 551 with Cisco ASAv Version 9.6
• VID10909 – Cisco Embedded Services Router (ESR) 5900 Series
• VID10910 – Compact Rugged Router, Series 1000 (CRR-1000), v1.0
• VID10914 – SonicWall SonicOS Enhanced V6.5.2 with VPN and IPS on TZ, SOHOW, NSA, and SM Appliances
• VID10951 – Cisco Aggregation Services Router 1000 Series (ASR1K) and Integrated Services Router 4000 Series (ISR4K) running IOS-XE 16.9
• VID10952 – Cisco Cloud Services Router 1000V (CSR1000V), Aggregation Services Router 1000 Series (ASR1K), Integrated Services Router 1100 Series (ISR1100), and Integrated Services Router 4000 Series (ISR4K) running on IOS-XE 16.9
• Fortinet FortiGate w/ FortiOS v5.6.7

Active Related Technical Decisions

• 0436 – IPsec protocol ESP algorithms
• 0356 – OE.CONNECTIONS added to VPN GW v2.1
• 0329 – IPSEC X.509 Authentication Requirements
• 0319 – Updates to FMT_SMF.1 in VPN Gateway EP
• 0317 – FMT_MOF.1/Services and FMT_MTD.1/CryptoKeys
• 0316 – Update to FPT_TST_EXT.2.1
• 0307 – Modification of FTP_ITC_EXT.1.1
• 0248 – FAU_GEN.1 Guidance Activity
• 0242 – FPF_RUL_EXT.1.7, Test 3 - Logging Dropped Packets
• 0209 – Additional DH Group added as selection for IKE Protocols
• 0179 – Management Capabilities in VPN GW EP 2.1