NIAP: Archived U.S. Government Approved Protection Profile - Network Device Protection Profile (NDPP) Extended Package VPN Gateway ...

Short Name: pp_nd_vpn_gw_ep_v1.1

Technology Type: Virtual Private Network

CC Version: 3.1

Date: 15 April 2013

Preceded By: pp_nd_vpn_gw_ep_v1.0

Succeeded By: pp_ndcpp_vpn_gw_ep_v2.0

Sunset Date: 27 February 2016

Conformance Claim: None



This Extended Package (EP) describes security requirements for a VPN Gateway, defined as a device at the edge of a private network that terminates an IPsec tunnel, which provides device authentication, confidentiality, and integrity of information traversing a public or untrusted network. It is intended to provide a minimal, baseline set of requirements targeted at mitigating well-defined and described threats. This EP is not complete in itself; it extends the Security Requirements for Network Devices protection profile (NDPP). This introduction describes the features of a compliant Target of Evaluation (TOE) and discusses how this EP is to be used in conjunction with the NDPP.


The Security Requirements for Network Devices Protection Profile (NDPP) defines the baseline Security Functional Requirements (SFRs) and Security Assurance Requirements (SARs) for network infrastructure devices in general. This EP extends the NDPP baseline with additional SFRs and associated ‘Assurance Activities’ specific to VPN Gateway network infrastructure devices. Assurance Activities are the actions that the evaluator performs to determine a TOE’s compliance with the SFRs.

This EP conforms to Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 4. It is CC Part 2 extended and CC Part 3 conformant.

Assigned to the following Validated Product

Related Technical Decisions

  • 0107 – FCS_CKM - ANSI X9.31-1998, Section 4.1 for Cryptographic Key Generation
  • 0079 – RBG Cryptographic Transitions per NIST SP 800-131A Revision 1
  • 0056 – Revision to FCS_RBG_EXT.1 Requirement in VPN GW EP v1.1
  • 0052 – Revised Application Note for FTP_ITC requirement in VPN GW EP v1.1
  • 0049 – Clarification of FAU_GEN.1 Requirements
  • 0041 – Not accepting certificates when failing to connect/check certificates in FIA_X509_EXT.1.10 VPN GW EP
  • 0037 – IPsec Requirement_DN Verification
  • 0035 – Alignment of FTP_ITC.1 to NDPP V1.1 Errata #3
  • 0019 – Testing Data Channel Modification for FTP_ITC.1 and FTP_TRP.1
  • 0015 – FPF_RUL_EXT.1.7 Clarification needed for IPv6 extension header numbers
  • 0014 – Satisfying FCS_IPSEC_EXT.1.13 in VPN GW EP
  • 0013 – AVA_VAN.1 in VPN GW EP
  • 0012 – FCS_SSH_EXT.1 Conflict Resolution
