NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems

Short Name: cpp_nd_v2.2e

Technology Type: Network Device

CC Version: 3.1

Date: 2020.03.27

Preceded By: cpp_nd_v2.1

Conformance Claim: None

Protection Profile 

Supporting Docs 

Control Mapping 

PP OVERVIEW

This is a Collaborative Protection Profile (cPP) whose Target of Evaluation (TOE) is a Network Device (ND). It provides a minimal set of security requirements expected by all Network Devices that target the mitigation of a set of defined threats. This baseline set of requirements will be built upon by future cPPs to provide an overall set of security solutions for networks up to carrier and enterprise scale. A Network Device in the context of this cPP is a device that is connected to a network and has an infrastructure role within that network. The TOE may be standalone or distributed, where a distributed TOE is one that requires multiple distinct components to operate as a logical whole in order to fulfil the requirements of this cPP.

When discussing a ND in this document, it refers to a Network Device or a component of a distributed Network Device unless it is expressly stated otherwise.Under this cPP, NDs may be physical or virtualized.

A physical Network Device (pND) consists of network device functionality implemented inside a physical chassis with physical network connections. The network device functionality may be implemented in either hardware or software or both. For pNDs, the TOE encompasses the entire device—including both the network device functionality and the physical chassis. There is no distinction between TOE and TOE Platform.

A virtual Network Device (vND) is a software implementation of network device functionality that runs inside a virtual machine (VM) on either general purpose or purpose-built hardware. The TOE consists of all software within the VM—in particular, the network device functionality and the operating system on which it runs.

Assigned to the following Validated Products

• VID11137 – One Identity Safeguard for Privileged Passwords v6.7
• VID11138 – Cisco FTD 6.4 on Firepower 1000 and 2100 Series with FMC/FMCv
• VID11139 – Cisco FTD (NGFW) 6.4 on Firepower 1000 and 2100 Series with FMC/FMCv
• VID11141 – Cisco FTD 6.4 on ASA 5500 and ISA 3000 and FTDv with FMC/FMCv
• VID11142 – Cisco FTD (NGFW) 6.4 on ASA 5500 and ISA 3000 and FTDv with FMC/FMCv
• VID11144 – Cisco Firepower NGIPS/NGIPSv 6.4 with FMC/FMCv 6.4
• VID11154 – Ruckus SmartZone WLAN Controllers & Access Points, R5.2.1.3
• VID11173 – Cisco Nexus 3000 and 9000 Series Switches running NX-OS 9.3
• VID11176 – Sierra Nevada Corporation Binary Armor SCADA Network Guard, with firmware version 2.1
• VID11177 – Cisco Catalyst Industrial Ethernet 3x00 Rugged Series (IE3200, IE3300, IE3400, IE3400H) Switches running IOS-XE 17.3
• VID11179 – FortiWLM Wireless Manager 8.5
• VID11182 – Nokia 7x50 SR OS 20.10.R4 for 7750 SR-7, 7750 SR-12, 7750 SR-12e, 7750 SR-1e, 7750 SR-2e, 7750 SR-3e, 7750 SR-a4, and 7750 SR-a8 with maxp10-10/1Gb-msec-sfp+ and me12-10/1gb-sfp+ MDAs
• VID11183 – Nokia 7x50 SR OS 20.10.R4 for 7750 SR-1, 7750 SR-1s, 7750 SR- 2s, 7750 SR-7s, 7750 SR-14s, 7950 XRS-20, 7950 XRS-16c, 7450 ESS, and 7750 SR-1e
• VID11186 – Cisco Aggregation Services Router 1000 Series (ASR1K), Cisco Cloud Services Router 1000V (CSR1000V), Cisco Integrated Services Router 1100 Series (ISR1100), Cisco Integrated Services Router 4200 Series (ISR4K) running IOS-XE 17.3
• VID11188 – Klas Fastnet Series Switches KlasOS 5.3
• VID11195 – Aruba, a Hewlett Packard Enterprise Company, 6200, 6300, 6400, 8320, 8325, 8360 and 8400 Switch Series
• VID11197 – Cisco Aggregation Services Router 9000 (ASR9K) running on IOS-XR 7.1
• VID11198 – Extreme Networks, Inc. SLX Product Series operating with Version 20.2.1aa
• VID11204 – NIKSUN NetOmni, and NetDetector/NetVCR/LogWave running Everest Software v5.1.6.3
• VID11206 – Trend Micro TippingPoint Threat Protection System (TPS) v5.3
• VID11207 – Cellcrypt Server
• VID11208 – Cisco Aggregation Services Router 1000 Series (ASR1K), Cisco Integrated Services Router 4000 Series (ISR4K), Cisco Catalyst 8300 and 8500 Series Edge Routers (Cat8300, Cat8500) running IOS-XE version 17.3
• VID11212 – Cisco CUBE on Cloud Services Router 1000v (CSR1000v) running IOS-XE 17.3
• VID11214 – One Identity Safeguard for Privileged Sessions 6.9
• VID11215 – Crestron DigitalMedia NVX® AV-over-IP v5.2
• VID11217 – VMware NSX-T Data Center 3.1
• VID11218 – SonicWall Secure Mobile Access (SMA) v12.4
• VID11219 – McAfee Advanced Threat Defense 4.12
• VID11225 – Citrix ADC (MPX FIPS and VPX FIPS) Version 12.1
• VID11234 – Forcepoint NGFW 6.10
• VID11235 – Check Point Software Technologies Ltd. Security Gateway and Maestro Hyperscale Appliances R81.00
• VID11236 – Junos OS 20.3R3 for NFX350
• VID11245 – Cisco Catalyst 9200/9200L Series Switches running IOS-XE 17.6
• VID11246 – Cisco Catalyst 9400/9600 Series Switches running IOS-XE 17.6
• VID11247 – Cisco Catalyst 9300/9300L/9500 Series Switches running IOS-XE 17.6
• VID11253 – Corelight Sensor AP 200, AP 1001, AP 3000 and AP 5000 BroLin v22.1
• VID11255 – Cisco Adaptive Security Appliances (ASA) 9.16 on Firepower 1000 and 2100 Series
• VID11256 – Cisco ASA 9.16 on Firepower 4100 and 9300 Security Appliances
• VID11257 – Cisco Adaptive Security Appliances (ASA) 5500-X, Industrial Security Appliances (ISA) 3000 and Adaptive Security Appliances Virtual (ASAv) Version 9.16
• VID11274 – Cisco 8000 Series Routers running on IOS-XR 7.3
• VID11275 – Cisco Embedded Services Router 5921 (ESR5921) running IOS version 15.9M
• VID11276 – MAGNUM-HW-CC
• VID11277 – MMA10G-IPX Series v3.3
• VID11279 – Forescout v8.3
• VID11280 – Kemp LoadMaster
• VID11281 – SecuGATE SIP Server v5.0
• VID11284 – Palo Alto Networks PA-220 Series, PA-400 Series, PA-800 Series, PA-3200 Series, PA-5200 Series, PA-5450, PA-7000 Series, and VM Series Next-Generation Firewall with PAN-OS 10.1
• VID11285 – Palo Alto Networks Panorama 10.1
• VID11286 – Palo Alto Networks WF-500 WildFire 10.1
• VID11287 – Guardtime Federal Black Lantern® BL300 Series and BL400 with BLKSI.2.2.1-FIPS
• VID11290 – Cisco FTD (NGFW) 7.0 on Firepower 1000 and 2100 Series with FMC/FMCv
• VID11292 – Cisco FTD (NGFW) 7.0 on Firepower 4100 and 9300 Series with FMC/FMCv
• VID11294 – CommScope Technologies LLC, Ruckus FastIron ICX Series Switch/Router 9.0.10
• VID11295 – CommScope Technologies LLC, Ruckus FastIron ICX Series Switch/Router 9.0.10 with MACsec
• VID11296 – FortiGate/FortiOS 6.4
• VID11299 – CAE MPIC 3.0.66
• VID11300 – Cisco FTD (NGFW) 7.0 on ASA 5500 and ISA 3000 and FTDv with FMC/FMCv
• VID11301 – Extreme Networks ExtremeSwitching Series (x440-G2, x460-G2, x465, x435, x695) and 5520 Series Switches running EXOS 31.3.100
• VID11310 – ID Technologies GoSilent Cube + GoSilent Server v25.01
• VID11312 – Extreme Networks Virtual Services Platform (VSP) Series Switches v8.3.100
• VID11313 – Cisco Secure Network Analytics (SNA) 7.4
• VID11314 – Gigamon GigaVUE Version 6.0
• VID11316 – A10 Networks Thunder Series Appliances TH-4435, TH-5840-11, TH-7445, TH-7650-11, TH-7655 with ACOS 5.2.1-P3
• VID11324 – Aruba ClearPass Policy Manager 6.11
• VID11331 – Cisco Catalyst 8200 and 8500 Series Edge Routers (Cat8200, Cat8500)
• VID11332 – Cisco Catalyst 8000V Edge (C8000V), Cisco 1000 Series Integrated Services Routers (ISR1000), Cisco Catalyst 1800 Rugged Series Routers (IR1800), Cisco Catalyst 8300 Rugged Series Routers (IR8300)
• VID11333 – Aruba Mobility Controller with ArubaOS 8.10
• VID11334 – Aruba, a Hewlett Packard Enterprise Company 2930F, 2930M, 3810M, and 5400R Switch Series running ArubaOS version 16.11
• VID11339 – Cisco NGIPSv 7.0 with FMC/FMCv 7.0
• VID11340 – Brocade Communications Systems LLC Directors and Switches using Fabric OS v9.1.1
• VID11343 – Forcepoint NGFW 6.10.9
• NetApp E-Series & EF-Series with SANtricity OS 11.70
• FortiGate/FortiOS Version 6.2.7
• Keysight Technologies Vision Series Network Packet Broker v5.7.1
• F5 BIG-IP 15.1.2.1 including APM
• F5 BIG-IP 15.1.2.1 including AFM
• Cisco Web Security Appliance with AsyncOS 11.8
• F5 BIG-IP 14.1.4.2 (LTM + APM)
• F5 BIG-IP 14.1.4.2 (LTM + AFM)
• nGenius 5000 & 7000 Series Packet Flow Switches with PFOS 6.0.6
• Cisco 900 Series Integrated Services Routers running IOS v15.9
• FortiManager 6.2.8
• FortiAnalyzer 6.2.8
• F5 BIG-IP® 16.1.3.1 including APM
• F5 BIG-IP® 16.1.3.1 including AFM
• Cisco Catalyst 9800 Series Wireless Controllers and Access Points 17.6
• TestStream Management Software v5.3.0 on nGenius 3900 Series Switches

Active Related Technical Decisions

• 0738 – NIT Technical Decision for Link to Allowed-With List
  • References:  Chapter 2
• 0670 – NIT Technical Decision for Mutual and Non-Mutual Auth TLSC Testing
  • References:  ND SD2.2, FCS_TLSC_EXT.2.1
• 0639 – NIT Technical Decision for Clarification for NTP MAC Keys
  • References:  FCS_NTP_EXT.1.2, FAU_GEN.1, FCS_CKM.4, FPT_SKP_EXT.1
• 0638 – NIT Technical Decision for Key Pair Generation for Authentication
  • References:  NDSDv2.2, FCS_CKM.1
• 0636 – NIT Technical Decision for Clarification of Public Key User Authentication for SSH
  • References:  ND SD2.2, FCS_SSHC_EXT.1
• 0635 – NIT Technical Decision for TLS Server and Key Agreement Parameters
  • References:  FCS_TLSS_EXT.1.3, NDSD v2.2
• 0634 – NIT Technical Decision for Clarification required for testing IPv6
  • References:  FCS_DTLSC_EXT.1.2, FCS_TLSC_EXT.1.2, ND SD v2.2
• 0633 – NIT Technical Decision for IPsec IKE/SA Lifetimes Tolerance
  • References:  ND SD2.2, FCS_IPSEC_EXT.1.7, FCS_IPSEC_EXT.1.8
• 0632 – NIT Technical Decision for Consistency with Time Data for vNDs
  • References:  ND SD2.2, FPT_STM_EXT.1.2
• 0631 – NIT Technical Decision for Clarification of public key authentication for SSH Server
  • References:  ND SDv2.2, FCS_SSHS_EXT.1, FMT_SMF.1
• 0592 – NIT Technical Decision for Local Storage of Audit Records
  • References:  FAU_STG
• 0591 – NIT Technical Decision for Virtual TOEs and hypervisors
  • References:  A.LIMITED_FUNCTIONALITY, ACRONYMS
• 0581 – NIT Technical Decision for Elliptic curve-based key establishment and NIST SP 800-56Arev3
  • References:  FCS_CKM.2
• 0580 – NIT Technical Decision for clarification about use of DH14 in NDcPPv2.2e
  • References:  FCS_CKM.1.1, FCS_CKM.2.1
• 0572 – NiT Technical Decision for Restricting FTP_ITC.1 to only IP address identifiers
  • References:  FTP_ITC.1
• 0571 – NiT Technical Decision for Guidance on how to handle FIA_AFL.1
  • References:  FIA_UAU.1, FIA_PMG_EXT.1
• 0570 – NiT Technical Decision for Clarification about FIA_AFL.1
  • References:  FIA_AFL.1
• 0569 – NIT Technical Decision for Session ID Usage Conflict in FCS_DTLSS_EXT.1.7
  • References:  ND SD v2.2, FCS_DTLSS_EXT.1.7, FCS_TLSS_EXT.1.4
• 0564 – NiT Technical Decision for Vulnerability Analysis Search Criteria
  • References:  NDSDv2.2, AVA_VAN.1
• 0563 – NiT Technical Decision for Clarification of audit date information
  • References:  NDcPPv2.2e, FAU_GEN.1.2
• 0556 – NIT Technical Decision for RFC 5077 question
  • References:  NDSDv2.2, FCS_TLSS_EXT.1.4, Test 3
• 0555 – NIT Technical Decision for RFC Reference incorrect in TLSS Test
  • References:  NDSDv2.2, FCS_TLSS_EXT.1.4, Test 3
• 0547 – NIT Technical Decision for Clarification on developer disclosure of AVA_VAN
  • References:  ND SDv2.1, ND SDv2.2, AVA_VAN.1
• 0546 – NIT Technical Decision for DTLS - clarification of Application Note 63
  • References:  FCS_DTLSC_EXT.1.1
• 0537 – NIT Technical Decision for Incorrect reference to FCS_TLSC_EXT.2.3
  • References:  FIA_X509_EXT.2.2
• 0536 – NIT Technical Decision for Update Verification Inconsistency
  • References:  AGD_OPE.1, ND SDv2.1, ND SDv2.2
• 0528 – NIT Technical Decision for Missing EAs for FCS_NTP_EXT.1.4
  • References:  FCS_NTP_EXT.1.4, ND SD v2.1, ND SD v2.2
• 0527 – Updates to Certificate Revocation Testing (FIA_X509_EXT.1)
  • References:  FIA_X509_EXT.1/REV, FIA_X509_EXT.1/ITT

Archived Related Technical Decision

• 0538 – NIT Technical Decision for Outdated link to allowed-with list