NIAP Oversees Evaluations of Commercial IT Products for Use in National Security Systems
Archived U.S. Government Approved Protection Profile - collaborative Protection Profile for Network Devices Version 2.2e
Short Name: cpp_nd_v2.2e
Technology Type: Network Device
CC Version: 3.1
Date: 2020.03.27
Preceded By: cpp_nd_v2.1
Succeeded By: cpp_nd_v3.0e
Sunset Date: 2024.06.14
Conformance Claim: None
PP Configuration for NDcPP-VPNGW_V1.3
PP OVERVIEW
This is a Collaborative Protection Profile (cPP) whose Target of Evaluation (TOE) is a Network Device (ND). It provides a minimal set of security requirements expected by all Network Devices that target the mitigation of a set of defined threats. This baseline set of requirements will be built upon by future cPPs to provide an overall set of security solutions for networks up to carrier and enterprise scale. A Network Device in the context of this cPP is a device that is connected to a network and has an infrastructure role within that network. The TOE may be standalone or distributed, where a distributed TOE is one that requires multiple distinct components to operate as a logical whole in order to fulfil the requirements of this cPP.
In this document, "ND" refers to a Network Device or a component of a distributed Network Device unless expressly stated otherwise. Under this cPP, NDs may be physical or virtualized.
A physical Network Device (pND) consists of network device functionality implemented inside a physical chassis with physical network connections. The network device functionality may be implemented in either hardware or software or both. For pNDs, the TOE encompasses the entire device—including both the network device functionality and the physical chassis. There is no distinction between TOE and TOE Platform.
A virtual Network Device (vND) is a software implementation of network device functionality that runs inside a virtual machine (VM) on either general purpose or purpose-built hardware. The TOE consists of all software within the VM—in particular, the network device functionality and the operating system on which it runs.
Assigned to the following Validated Products
- VID11274 – Cisco 8000 Series Routers running on IOS-XR 7.3
- VID11276 – MAGNUM-HW-CC
- VID11277 – MMA10G-IPX Series v3.3
- VID11279 – Forescout v8.3
- VID11280 – Kemp LoadMaster
- VID11285 – Palo Alto Networks Panorama 10.1
- VID11286 – Palo Alto Networks WF-500 WildFire 10.1
- VID11287 – Guardtime Federal Black Lantern® BL300 Series and BL400 with BLKSI.2.2.1-FIPS
- VID11290 – Cisco FTD (NGFW) 7.0 on Firepower 1000 and 2100 Series with FMC/FMCv
- VID11292 – Cisco FTD (NGFW) 7.0 on Firepower 4100 and 9300 Series with FMC/FMCv
- VID11296 – FortiGate/FortiOS 6.4
- VID11299 – CAE MPIC 3.0.66
- VID11300 – Cisco FTD (NGFW) 7.0 on ASA 5500 and ISA 3000 and FTDv with FMC/FMCv
- VID11301 – Extreme Networks ExtremeSwitching Series (x440-G2, x460-G2, x465, x435, x695) and 5520 Series Switches running EXOS 31.3.100
- VID11310 – ID Technologies GoSilent Cube + GoSilent Server v25.01
- VID11312 – Extreme Networks Virtual Services Platform (VSP) Series Switches v8.3.100
- VID11313 – Cisco Secure Network Analytics (SNA) 7.4
- VID11314 – Gigamon GigaVUE Version 6.0
- VID11316 – A10 Networks Thunder Series Appliances TH-4435, TH-5840-11, TH-7445, TH-7650-11, TH-7655 with ACOS 5.2.1-P3
- VID11324 – Aruba ClearPass Policy Manager 6.11
- VID11327 – SpaceX Regulus
- VID11331 – Cisco Catalyst 8200 and 8500 Series Edge Routers (Cat8200, Cat8500)
- VID11332 – Cisco Catalyst 8000V Edge (C8000V), Cisco 1000 Series Integrated Services Routers (ISR1000), Cisco Catalyst 1800 Rugged Series Routers (IR1800), Cisco Catalyst 8300 Rugged Series Routers (IR8300)
- VID11333 – Aruba Mobility Controller with ArubaOS 8.10
- VID11334 – Aruba, a Hewlett Packard Enterprise Company 2930F, 2930M, 3810M, and 5400R Switch Series running ArubaOS version 16.11
- VID11338 – Dell EMC Networking SmartFabric OS10.5.4
- VID11339 – Cisco NGIPSv 7.0 with FMC/FMCv 7.0
- VID11340 – Brocade Communications Systems LLC Directors and Switches using Fabric OS v9.1.1
- VID11343 – Forcepoint NGFW 6.10.9
- VID11345 – Aruba Mobility Conductor with ArubaOS 8.10
- VID11353 – Nokia 7705 SAR Series with SAR OS 21.10R5
- VID11356 – Arista Networks 7280 Series Switches Running EOS 4.28
- VID11360 – VMware Unified Access Gateway (UAG) 2209
- VID11363 – Apriva MESA VPN v3.0
- VID11364 – Cisco Catalyst 9200/9200L Series Switches running IOS-XE 17.9
- VID11365 – Cisco Catalyst 9300/9300L/9400/9500/9600 Series Switches running IOS-XE 17.9
- VID11372 – Ivanti Connect Secure 22.2
- VID11373 – Ivanti Policy Secure 22.2
- VID11376 – IBM QRadar Security Intelligence Platform version 7.5
- VID11377 – DataSoft RAP-117
- VID11382 – Ruckus SmartZone WLAN Controllers & Access Points with WIDS, R5.2.1.3
- VID11390 – Ciena Waveserver 5 OS R2.3.12
- VID11391 – Aruba, a Hewlett Packard Enterprise Company 4100i, 6200, 6300, 6400, 8320, 8325, 8360, 8400, 9300, and 10000 Switch Series Version 10.11
- VID11392 – Cisco Catalyst 9400X/9600X Series Switches Running IOS-XE 17.9
- VID11393 – Cisco Catalyst 9200CX/9300X/9300LM/9500X Series Switches running IOS-XE 17.9
- VID11394 – Cisco Embedded Services 9300 & 3300 Series Switches (ESS9300 & ESS3300)
- VID11395 – Cisco Catalyst Industrial Ethernet 9300 Rugged Series Switches running IOS-XE 17.9
- VID11397 – Juniper vSRX3.0 with Junos OS 22.2R2
- VID11400 – Ciena SAOS 10.7.1 on 3926, 3928, 3948, 5144, 5162, 5164, 5170, 5171, Large NFV Compute Server, and 8180 Service Aggregation Platforms
- VID11403 – Aruba Remote Access Points and Aruba Mobility Controllers with ArubaOS 8.10
- VID11404 – Alcatel-Lucent Enterprise OmniSwitch series 6360, 6465, 6560, 6860, 6865, 6900, 9900 with AOS 8.9.R11
- VID11405 – Viasat Secure VPN v1.1.7
- VID11407 – Cisco Identity Services Engine (ISE) Version 3.1
- VID11409 – HYCU for Enterprise Clouds
- VID11414 – Architecture Technology Corporation Machete Router
- VID11417 – Trellix Intrusion Prevention System Sensor and Manager Appliances version 11.1
- VID11418 – Adtran’s FSP 3000R7 Network Element r22.2.2
- VID11422 – Aruba, a Hewlett Packard Enterprise Company 6300M and 8360v2 Switch Series MACsec
- VID11428 – MMA10G-EXE Series
- VID11431 – Versa Networks Versa Secure SD-WAN Versa Operating System (VOS) 22.1 running on CSG1500, CSG2500, CSG3500, CSG5000, Dell PowerEdge R7515, and Dell VEP4600, Versa Director 22.1, and Versa Analytics 22.1
- VID11443 – Cisco Catalyst Industrial Ethernet 3200, 3300, 3400, 3400H (IE3x00) Rugged Series Switches running IOS-XE 17.12
- VID11483 – Cisco Embedded Services Router (ESR) 6300 v17.12
- Keysight Technologies Vision Series Network Packet Broker v5.7.1
- Cisco 900 Series Integrated Services Routers running IOS v15.9
- FortiManager 6.2.8
- FortiAnalyzer 6.2.8
- F5 BIG-IP® 16.1.3.1 including APM
- F5 BIG-IP® 16.1.3.1 including AFM
- Cisco Catalyst 9800 Series Wireless Controllers and Access Points 17.6
- TestStream Management Software v5.3.0 on nGenius 3900 Series Switches
- Symantec Edge Secure Web Gateway (SWG) with SGOS v7.4
- Junos OS 22.2R1 for MX10003
- Junos OS 22.2R1 for SRX Series
- NETSCOUT® nGeniusONE® with InfiniStreamNG® v6.3.3
- Certification for F5 BIG-IP 16.1.3.1 including SSLO
- Junos OS 22.2R1 for SRX380
Active Related Technical Decisions
- 0800 – Updated NIT Technical Decision for IPsec IKE/SA Lifetimes Tolerance
  References: FCS_IPSEC_EXT.1.7, FCS_IPSEC_EXT.1.8, CPP_ND_V2.2-SD
- 0792 – NIT Technical Decision: FIA_PMG_EXT.1 - TSS EA not in line with SFR
  References: FIA_PMG_EXT.1, CPP_ND_V2.2-SD
- 0790 – NIT Technical Decision: Clarification Required for testing IPv6
  References: FCS_DTLSC_EXT.1.2, FCS_TLSC_EXT1.2, CPP_ND_V2.2-SD
- 0738 – NIT Technical Decision for Link to Allowed-With List
- 0670 – NIT Technical Decision for Mutual and Non-Mutual Auth TLSC Testing
  References: ND SD2.2, FCS_TLSC_EXT.2.1
- 0639 – NIT Technical Decision for Clarification for NTP MAC Keys
  References: FCS_NTP_EXT.1.2, FAU_GEN.1, FCS_CKM.4, FPT_SKP_EXT.1
- 0638 – NIT Technical Decision for Key Pair Generation for Authentication
  References: NDSDv2.2, FCS_CKM.1
- 0636 – NIT Technical Decision for Clarification of Public Key User Authentication for SSH
  References: ND SD2.2, FCS_SSHC_EXT.1
- 0635 – NIT Technical Decision for TLS Server and Key Agreement Parameters
  References: FCS_TLSS_EXT.1.3, NDSD v2.2
- 0632 – NIT Technical Decision for Consistency with Time Data for vNDs
  References: ND SD2.2, FPT_STM_EXT.1.2
- 0631 – NIT Technical Decision for Clarification of public key authentication for SSH Server
  References: ND SDv2.2, FCS_SSHS_EXT.1, FMT_SMF.1
- 0592 – NIT Technical Decision for Local Storage of Audit Records
- 0591 – NIT Technical Decision for Virtual TOEs and hypervisors
  References: A.LIMITED_FUNCTIONALITY, ACRONYMS
- 0581 – NIT Technical Decision for Elliptic curve-based key establishment and NIST SP 800-56Arev3
- 0580 – NIT Technical Decision for clarification about use of DH14 in NDcPPv2.2e
  References: FCS_CKM.1.1, FCS_CKM.2.1
- 0572 – NiT Technical Decision for Restricting FTP_ITC.1 to only IP address identifiers
- 0571 – NiT Technical Decision for Guidance on how to handle FIA_AFL.1
  References: FIA_UAU.1, FIA_PMG_EXT.1
- 0570 – NiT Technical Decision for Clarification about FIA_AFL.1
- 0569 – NIT Technical Decision for Session ID Usage Conflict in FCS_DTLSS_EXT.1.7
  References: ND SD v2.2, FCS_DTLSS_EXT.1.7, FCS_TLSS_EXT.1.4
- 0564 – NiT Technical Decision for Vulnerability Analysis Search Criteria
  References: NDSDv2.2, AVA_VAN.1
- 0563 – NiT Technical Decision for Clarification of audit date information
  References: NDcPPv2.2e, FAU_GEN.1.2
- 0556 – NIT Technical Decision for RFC 5077 question
  References: NDSDv2.2, FCS_TLSS_EXT.1.4, Test 3
- 0555 – NIT Technical Decision for RFC Reference incorrect in TLSS Test
  References: NDSDv2.2, FCS_TLSS_EXT.1.4, Test 3
- 0547 – NIT Technical Decision for Clarification on developer disclosure of AVA_VAN
  References: ND SDv2.1, ND SDv2.2, AVA_VAN.1
- 0546 – NIT Technical Decision for DTLS - clarification of Application Note 63
  References: FCS_DTLSC_EXT.1.1
- 0537 – NIT Technical Decision for Incorrect reference to FCS_TLSC_EXT.2.3
  References: FIA_X509_EXT.2.2
- 0536 – NIT Technical Decision for Update Verification Inconsistency
  References: AGD_OPE.1, ND SDv2.1, ND SDv2.2
- 0528 – NIT Technical Decision for Missing EAs for FCS_NTP_EXT.1.4
  References: FCS_NTP_EXT.1.4, ND SD v2.1, ND SD v2.2
- 0527 – Updates to Certificate Revocation Testing (FIA_X509_EXT.1)
  References: FIA_X509_EXT.1/REV, FIA_X509_EXT.1/ITT
Archived Related Technical Decisions