NIAP: Archived U.S. Government Approved Protection Profile - PP-Module for SSL/TLS Inspection Proxy Version 1.0


Short Name: mod_stip_v1.0

Technology Type: Traffic Monitoring

CC Version: 3.1

Date: 2019.08.23

Succeeded By: mod_stip_v1.1

Sunset Date: 2023.05.17

Conformance Claim: None

Protection Profile [PDF]

Supporting Docs [PDF]

PP Configuration for ND-STIP_V1.0 [PDF]

Control Mapping [PDF]



This PP-Module is intended to specify the functionality of a network device that includes limited Certification Authority (CA) functionality to issue certificates for the purpose of providing network security services on the underlying plaintext. The device accomplishes this by terminating an intended TLS session between a monitored client and specified external servers. In its place, the device establishes a TLS session thread consisting of two sessions: one TLS session between the device and the external server, and a second TLS session between the device, acting as the external server, and the client. By replacing the end-to-end TLS session with two TLS sessions terminated at the Target of Evaluation (TOE), the device is able to provide additional security services based on the decrypted plaintext.

A network device meeting this PP-Module may perform additional security services on the plaintext, provide the decrypted payload to external network devices to perform the security services, or do both. These additional security services, whether processed internally or externally, may be performed inline or passively. If multiple security services are provided, some may be performed inline while others are performed passively. This PP-Module does not cover the specific requirements associated with various additional services.

This U.S. Government Approved Protection Profile is not assigned to any Validated Products

Archived Related Technical Decisions

Please forward any Protection Profile specific comments to the applicable Technical Rapid Response Team (TRRT).
