In the security hardware world, NDPP CC certification is a big deal, especially for government and enterprise customers who require independent assurance that devices can meet critical standards for network protection. These are more than just letters or one more test that vendors can wave around in the race to claim their products are “the best” or “the most secure”.
Let’s take a step back, though, and look at what CC certification really is and what it means to buyers and IT decision makers. “Common Criteria for Information Technology Security Evaluation” or CC is actually an international standard for computer security certification. There are currently 33 “Protection Profiles” defined for the Common Criteria ranging from email clients to network security devices. The latter, known as the Network Device Protection Profile (NDPP), sets out a fundamental set of Security Functional Requirements and Security Assurance Requirements (SFRs and SARs, respectively – like I said, alphabet soup, but important terms when we’re talking about this level of testing).
Version 1.1 of the NDPP can be found here. Although it was originally written in 2012, there are several errata and “extended packages” that allow it to be used in the evaluation of modern network protection devices. While it isn’t the most exciting reading, it is instructive in understanding just what testers are looking for when they evaluate devices. As described in the document,
This is a Protection Profile (PP) for a network device. A network device in the context of this PP is a device composed of hardware and software that is connected to the network and has an infrastructure role in the overall enterprise. Examples of a “network device” that should claim compliance to this PP include routers, firewalls, IDSs, audit servers, and switches that have Layer 3 functionality.
Fair enough, right? The key here is that the profile and related testing according to the Common Criteria standards are accepted by governments around the world via an international treaty. Devices that are certified to comply with the protection profile through rigorous testing aren’t guaranteed to solve every security problem faced by government agencies or enterprises with complex regulatory requirements. Obviously, configuration errors or security credentials divulged in phishing attacks can do damage for which testers can’t account.
Rather, NDPP CC certification means that
Bottom line? These CC certifications are useful tools for agencies evaluating network protection solutions in general and firewalls in particular. Not surprisingly, Common Criteria are top of mind for us at Fortinet since we were recently awarded our 8th CC certification for our FortiOS firmware and FortiGate next generation firewalls. For more details on the specific testing and certification, you can view the certificate and ST (Security Target) here and check out the press release.