NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems
Archived U.S. Government Approved Protection Profile - PP-Module for Virtual Private Network (VPN) Gateways Version 1.1
Short Name: mod_vpngw_v1.1
Technology Type: Virtual Private Network
CC Version: 3.1
Date: 2020.07.01
Preceded By: mod_vpngw_v1.0
Succeeded By: mod_vpngw_v1.2
Sunset Date: 2022.09.30
Conformance Claim: None
Protection Profile
Supporting Docs
PP Configuration for NDcPP-VPNGW_V1.1
Control Mapping
PP-Configuration for NDcPP-FW-VPNGW_V.1.1
PP-Configuration for NDcPP-IPS-FW-VPNGW_V1.0
PP OVERVIEW
This PP-Module defines requirements for the evaluation of VPN Gateways in addition to the requirements of the Base-PP, which specifies requirements on network devices in general. This PP-Module specifically addresses network gateway devices that terminate IPsec VPN tunnels. A compliant VPN gateway is a device composed of hardware and software that is connected to two or more distinct networks and has an infrastructure role in the overall enterprise network. In particular, a VPN gateway establishes a secure tunnel that provides an authenticated and encrypted path to one or more other sites, thereby decreasing the risk of exposure of information transiting an untrusted network. The baseline requirements of this PP-Module are those determined necessary for a multi-site VPN gateway device. A compliant TOE may also contain the ability to act as a headend for remote clients.
Assigned to the following Validated Products
- VID11186 – Cisco Aggregation Services Router 1000 Series (ASR1K), Cisco Cloud Services Router 1000V (CSR1000V), Cisco Integrated Services Router 1100 Series (ISR1100), Cisco Integrated Services Router 4200 Series (ISR4K) running IOS-XE 17.3
- VID11208 – Cisco Aggregation Services Router 1000 Series (ASR1K), Cisco Integrated Services Router 4000 Series (ISR4K), Cisco Catalyst 8300 and 8500 Series Edge Routers (Cat8300, Cat8500) running IOS-XE version 17.3
- VID11235 – Check Point Software Technologies Ltd. Security Gateway and Maestro Hyperscale Appliances R81.00
- VID11236 – Junos OS 20.3R3 for NFX350
- VID11255 – Cisco Adaptive Security Appliances (ASA) 9.16 on Firepower 1000 and 2100 Series
- VID11256 – Cisco ASA 9.16 on Firepower 4100 and 9300 Security Appliances
- VID11257 – Cisco Adaptive Security Appliances (ASA) 5500-X, Industrial Security Appliances (ISA) 3000 and Adaptive Security Appliances Virtual (ASAv) Version 9.16
- VID11275 – Cisco Embedded Services Router 5921 (ESR5921) running IOS version 15.9M
- VID11290 – Cisco FTD (NGFW) 7.0 on Firepower 1000 and 2100 Series with FMC/FMCv
- VID11292 – Cisco FTD (NGFW) 7.0 on Firepower 4100 and 9300 Series with FMC/FMCv
- VID11296 – FortiGate/FortiOS 6.4
- VID11300 – Cisco FTD (NGFW) 7.0 on ASA 5500 and ISA 3000 and FTDv with FMC/FMCv
- VID11327 – SpaceX Regulus
- VID11331 – Cisco Catalyst 8200 and 8500 Series Edge Routers (Cat8200, Cat8500)
- VID11332 – Cisco Catalyst 8000V Edge (C8000V), Cisco 1000 Series Integrated Services Routers (ISR1000), Cisco Catalyst 1800 Rugged Series Routers (IR1800), Cisco Catalyst 8300 Rugged Series Routers (IR8300)
- FortiGate/FortiOS Version 6.2.7
- Cisco 900 Series Integrated Services Routers running IOS v15.9
Active Related Technical Decisions