The minimum requirements for security when you are comparing different network devices or cybersecurity solutions for deployment in a corporate network infrastructure.
In the list of certified products on Common Criteria's website, the ‘Network Devices’ category is the one with the largest and most diverse set of solutions. All of them have one characteristic in common: they are products that manage (process, filter and distribute) information flowing through a network’s architecture.
In this broad category, we can find a vast number of Common Criteria-certified solutions. These could be traditional network electronics such as routers, switches and access points, or cybersecurity solutions for networks such as firewalls, proxies, antivirus, virtual private networks (VPN) and other solutions for the detection of threats and protection of information.
Although at first glance this may seem a very generalist group, it actually makes sense. Let us not lose sight of the purpose of a Common Criteria certification. We might presume that certifications are just aimed at validating the security functions offered by the solution. However, more often than not, the security of the solution itself is also evaluated.
In other words, the laboratory not only assures that the operation of the solution conforms to what is expected for a solution of its kind, but also checks that the solution has been developed in a secure way so that the product does not pose a threat to itself and the environment where it is deployed. Moreover, the laboratory also reviews the associated guidance to make sure that any security-critical instructions are properly provided to the end user in the product documentation.
Let’s take an antivirus solution as an example: the laboratory would not assess whether an antivirus is capable of detecting a greater or lesser number of malware samples, or whether it does so faster or slower than other solutions on the market. We would assess that the process of detecting malicious content exists and that management processes are secure. We would make sure its software does not contain vulnerabilities (such as those derived from using old and vulnerable third-party libraries), and that it doesn’t use weak authentication mechanisms. These are just some of many evaluation activities we would perform.
This is the meeting point between all these different solutions and products: the requirements and security levels that must be demanded from a network device or a solution (in physical or software/virtualized format) that connects to a network and handles the information that circulates through it.
As we discussed in a previous article on the questions CISOs should ask themselves before choosing a cybersecurity solution or network device, there are different options for conducting a Common Criteria security assessment of a solution. In short, the developer can decide the objectives and scope of the evaluation (Target of Evaluation, commonly known as TOE) based on an EAL (Evaluation Assurance Level). Alternatively, they can use a Protection Profile that fits the taxonomy of the solution.
As we also mentioned in that article, Protection Profiles are generated by international technical working groups, which may be composed of manufacturers, evaluation laboratories, public bodies, risk owners, consumers, and other parties. The Protection Profiles are then reviewed and certified by a recognized Common Criteria Certification Body and published on this website.
Undoubtedly, the profile that best fits security evaluations of network devices, and one of the most widely used protection profiles, is the NDcPP, "Collaborative Protection Profile for Network Devices", which is currently in version 2.2e, released on 23-03-2020.
Two products evaluated under NDcPP will offer at least the mandatory security functionalities, evaluated at equivalent assurance levels. In contrast, the guarantees provided by the certificate of a product evaluated without a protection profile will vary depending on what the developer decided to declare in the functionality descriptions for their evaluated solution.
The NDcPP provides a fundamental set of security requirements to be expected from a network solution, with the objective of mitigating a specific list of security threats. It does this regardless of the ultimate purpose of the solution or any specific security functionality (e.g. firewall) that the product may provide.
Primarily, this reference set includes requirements for:
Ultimately, the aim is to ensure that the management capabilities of the product are secure, and that it does not pose a security threat in the network environment where it is deployed.
The threats that the NDcPP Protection Profile is intended to mitigate are grouped according to the functional areas of the product:
Communications with the network device
Administrator and device credentials and information
To mitigate these threats, the NDcPP contains the Security Functional Requirements (SFRs) listed in the annex below, grouped by the functional areas of the TOE (Target of Evaluation), which the developer must fulfil to pass the evaluation.
In summary, when comparing different network devices or cybersecurity solutions for deployment in our corporate network infrastructure, certification based on the Protection Profile provides us with the minimum guarantees on the product’s management functionalities and robustness against possible security threats.
Secure Communications Requirements
Administrator Authentication Requirements