NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems

Short Name: mod_stip_v1.0

Technology Type: Traffic Monitoring

CC Version: 3.1

Date: 2019.08.23

Succeeded By: mod_stip_v1.1

Sunset Date: 2023.05.17

Conformance Claim: None

Protection Profile 

Supporting Docs 

PP Configuration for ND-STIP_V1.0 

Control Mapping 

PP OVERVIEW

This PP-Module is intended to specify the functionality of a network device that includes limited Certification Authority (CA) functionality to issue certificates for the purpose of providing network security services on the underlying plaintext. The device accomplishes this by terminating an intended TLS session between a monitored client and specified external servers. The device instead establishes a TLS session thread consisting of a TLS session between the device and the external server and a second TLS session between the device, acting as the external server, and the client. By replacing the end-to-end TLS session with two TLS sessions terminated at the TOE, the device is able to provide additional security services based on the decrypted plaintext.

A network device meeting this PP-Module may perform additional security services on the plaintext, provide the decrypted payload to external network devices to perform the security services, or do both. These additional security services, whether processed internally or externally, may be performed inline, or passively. If multiple security services are provided, some may be inline, while others are performed passively. This PP-Module does not cover the specific requirements associated with various additional services.

This U.S. Government Approved Protection Profile is not assigned to any Validated Products

Archived Related Technical Decisions

• 0577 – Ciphersuite corrections
• 0516 – Behavior on Receiving TLS Certificate Request, FDP_TEP_EXT.1