Network Fundamentals and Firewalls

CCDB iTC Liaison: US

Introduction and Status

The scope of this international Technical Community (iTC) is Network Devices (ND) (e.g. routers, switches) and Stateful Traffic Filter Firewalls (FW). The iTC develops and maintains collaborative Protection Profiles (cPPs) for such products. The iTC also develops the Supporting Documents (SDs) that describe the Evaluation Activities that are to take place when evaluating a product against a cPP.

To join the iTC, please send a request to the ND-iTC Chair.

Current Versions

The following published cPPs and SDs, along with their associated Endorsement Statements, are available at https://commoncriteriaportal.org/pps/collaborativePP.cfm?cpp=1:

  • collaborative Protection Profile for Network Devices v1.0
  • Supporting Document: Evaluation Activities for Network Device cPP v1.0
  • collaborative Protection Profile for Stateful Traffic Filter Firewalls v1.0
  • Supporting Document: Evaluation Activities for Stateful Traffic Filter Firewalls v1.0
  • collaborative Protection Profile for Network Devices v2.0 + Errata 20180314
  • Supporting Document: Evaluation Activities for Network Device cPP v2.0 + Errata 20180314
  • collaborative Protection Profile for Stateful Traffic Filter Firewalls v2.0 + Errata 20180314
  • Supporting Document: Evaluation Activities for Stateful Traffic Filter Firewalls v2.0 + Errata 20180314
  • collaborative Protection Profile for Network Devices v2.1
  • Supporting Document: Evaluation Activities for Network Device cPP v2.1
  • collaborative Protection Profile for Network Devices v2.2e
  • Supporting Document: Evaluation Activities for Network Device cPP v2.2
  • collaborative Protection Profile Module for Stateful Traffic Filter Firewalls v1.3

The latest versions introduce support for distributed TOEs, DTLS, and vNDs, incorporate interpretations from the NIT, and continue to evolve SFRs as the technology advances.

In addition, the iTC has published allowed-with lists for both the NDcPP and the FW PP-Module at https://ccusersforum.onlyoffice.com/products/projects/tmdocs.aspx#2335049:

  • NDFW iTC allowed-with list for Network Device cPP, v2.1r8, 20200701
  • NDFW iTC allowed-with list for Stateful Traffic Filter Firewall PP Module, v1.4r5, 20200701

Version 1 Background Information

The CCDB established a Work Group to assist in creating an iTC (and hence cPPs) for Network Fundamentals and Firewalls (the Work Group name is abbreviated to "CCDB NDFW WG"). The Work Group comprises participants from 10 nations at present: Australia, Canada, India, Japan, Norway, Republic of Korea, Sweden, Turkey, the UK, and the US.

The WG produced two 'Essential Security Requirements' (ESR) statements, one for FW and one for ND, which represent the common needs of the WG members in these areas.

The associated Position Statements:

Upon CCMC endorsement of the iTC, the iTC posted the invitation notice for joining the iTC, with contact details (iTC invitation letter), and developed the Security Problem Definition (SPD). The SPD is a set of draft requirements (in the form of a zipped set of documents for individual functional areas) for the Network Device and Firewall.

The preliminary Network Device cPP and Stateful Traffic Filtering Firewall cPP, and the associated Supporting Documents (Network Device and Stateful Traffic Filtering Firewall), were released for public review and updated based on the feedback received from several schemes. The iTC’s comments based on the feedback can be found below:

In February 2015, version 1.0 of both cPPs and the associated SDs was published. Since then, additional security functionality has been incorporated into subsequent revisions, and the Stateful Traffic Filter Firewall cPP has been transitioned to a collaborative Protection Profile Module.