NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems

Short Name: cpp_fw_v2.0e

Technology Type: Firewall

CC Version: 3.1

Date: 2018.03.14

Transition End Date: 2018.03.14

Preceded By: cpp_fw_v2.0

Succeeded By: mod_cpp_fw_v1.3

Sunset Date: 2019.12.31

Conformance Claim: None

Protection Profile 

Supporting Docs 

Control Mapping 

Configuration Annex 

PP OVERVIEW

This collaborative Protection Profile (cPP) defines requirements for the evaluation of Stateful Traffic Filter Firewalls. Such products are generally boundary protection devices, such as dedicated firewalls, routers, or perhaps even switches designed to control the flow of information between attached networks. While in some cases, firewalls implementing security features serve to segregate two distinct networks – a trusted or protected enclave and an untrusted internal or external network such as the Internet – that is only one of many possible applications. It is common for firewalls to have multiple physical network connections enabling a wide range of possible configurations and network information flow policies.

The TOE may be standalone or distributed, where a distributed TOE is one that requires multiple distinct components to operate as a logical whole in order to fulfil the requirements of this cPP (a more extensive description of distributed Stateful Traffic Filter Firewall TOEs is given in section 3). 

A Virtual Stateful Traffic Filter Firewall (vTFFW) is a software implementation of firewall functionality that runs inside a virtual machine. This cPP expressly excludes evaluation of vTFFWs unless the product is able to meet all the requirements and assumptions of a physical TFFW as required in this cPP.

This means: 

• The virtualisation layer (or hypervisor or Virtual Machine Manager (VMM)) is considered part of the TFFW's software stack, and thus is part of the TOE and must satisfy the relevant SFRs (e.g. by treating hypervisor Administrators as Security Administrators)2. vTFFWs that can run on multiple VMMs must be tested on each claimed VMM unless the vendor can successfully argue equivalence. 

• The physical hardware is likewise included in the TOE (as in the example included above). vTFFWs must be tested for each claimed hardware platform unless the vendor can successfully argue equivalence.

• There is only one vTFFW instance for each physical hardware platform.

• There are no other guest VMs on the physical platform providing non-stateful traffic filtering firewall functionality.

Assigned to the following Validated Products

• VID10881 – Cisco Adaptive Security Appliances and ASA Virtual Version 9.8
• VID10882 – Cisco Next-Generation Firewalls (NGFW) running ASA version 9.8 and FX-OS version 2.2 on the 4k and 9k families
• VID10883 – Cisco Next-Generation Firewalls (NGFW) running ASA version 9.8 and FX-OS version 2.2 on the 2k family
• VID10887 – Junos OS 17.4R2 for vSRX
• VID10889 – Cisco FTD (NGFW) 6.2 on Firepower 4100 and 9300 Series with FireSIGHT (FMC) and FMCv
• VID10890 – Cisco FTD (NGFW) 6.2 on ASA 5500-X and FTDv with FireSIGHT (FMC) and FMCv
• VID10891 – Cisco FTD (NGFW) 6.2 on Firepower 2100 Series with FireSIGHT (FMC) and FMCv
• VID10914 – SonicWall SonicOS Enhanced V6.5.2 with VPN and IPS on TZ, SOHOW, NSA, and SM Appliances
• VID10917 – Cisco ASA with FirePOWER Services, ASA 9.8 and ASDM 7.8 with FirePOWER Services 6.2
• VID10971 – SilentEdge Enterprise Server and GoSilent Client
• VID10975 – Aruba Mobility Controller Series with ArubaOS 8.2
• VID10990 – Check Point Software Technologies Ltd. Security Gateway Appliances R80.30
• VID10995 – Forcepoint NGFW 6.5
• F5 BIG-IP 13.1.1 for LTM+AFM
• F5 BIG-IP 14.1.0 for LTM+AFM

Active Related Technical Decisions

• 0484 – NIT Technical Decision for Interactive sessions in FTA_SSL_EXT.1 & FTA_SSL.3
• 0483 – NIT Technical Decision for Applicability of FPT_APW_EXT.1
• 0482 – NIT Technical Decision for Identification of usage of cryptographic schemes
• 0481 – NIT Technical Decision for FCS_(D)TLSC_EXT.X.2 IP addresses in reference identifiers
• 0476 – NIT Technical Decision for Conflicting FW rules cannot be configured
• 0475 – NIT Technical Decision for Separate traffic consideration for SSH rekey
• 0453 – NIT Technical Decision for Clarify authentication methods SSH clients can use to authenticate SSH se
• 0451 – NIT Technical Decision for ITT Comm UUID Reference Identifier
• 0447 – NIT Technical Decision for Using 'diffie-hellman-group-exchange-sha256' in FCS_SSHC/S_EXT.1.7
• 0423 – NIT Technical Decision for Clarification about application of RfI#201726rev2
• 0412 – NIT Technical Decision for FCS_SSHS_EXT.1.5 SFR and AA discrepancy
• 0411 – NIT Technical Decision for FCS_SSHC_EXT.1.5, Test 1 - Server and client side seem to be confused
• 0408 – NIT Technical Decision for local vs. remote administrator accounts
• 0402 – NIT Technical Decision for RSA-based FCS_CKM.2 Selection
• 0400 – NIT Technical Decision for FCS_CKM.2 and elliptic curve-based key establishment
• 0398 – NIT Technical Decision for FCS_SSH*EXT.1.1 RFCs for AES-CTR
• 0394 – NIT Technical Decision for Audit of Management Activities related to Cryptographic Keys
• 0343 – NIT Technical Decision for Updating FCS_IPSEC_EXT.1.14 Tests
• 0340 – NIT Technical Decision for Handling of the basicConstraints extension in CA and leaf certificates
• 0339 – NIT Technical Decision for Making password-based authentication optional in FCS_SSHS_EXT.1.2
• 0337 – NIT Technical Decision for Selections in FCS_SSH*_EXT.1.6
• 0335 – NIT Technical Decision for FCS_DTLS Mandatory Cipher Suites
• 0333 – NIT Technical Decision for Applicability of FIA_X509_EXT.3
• 0321 – Protection of NTP communications
• 0291 – NIT technical decision for DH14 and FCS_CKM.1
• 0259 – NIT Technical Decision for Support for X509 ssh rsa authentication IAW RFC 6187

Archived Related Technical Decision

• 0260 – NIT Technical Decision for Typo in FCS_SSHS_EXT.1.4