Aruba 620 Betriebsanweisung

Aruba Networks Mobility Controller (7240, 7220, 7210, 6000, 3600, 3400, 3200, 650, 620) with ArubaOS 6.3 Security Target May 2014 Document prepar

Aruba Networks Security Target Page 10 of 67 wireless access point between the controller and the AP. A simple TOE deployment is depicted in Fig

Aruba Networks Security Target Page 11 of 67 b) Verifiable updates. Updates are digitally signed and verified upon installation utilizing digital

Aruba Networks Security Target Page 12 of 67 Model Max # APs Max # users Firewall throughput 620 8 256 800 Mbps 22 The differences in the models i

Aruba Networks Security Target Page 13 of 67 2.5.1 Guidance Documents 23 The TOE includes the following guidance documents: a) ArubaOS 6.3 Quick

Aruba Networks Security Target Page 14 of 67 3 Security Problem Definition 3.1 Threats 26 Table 1 and Table 2 identify the threats addressed by

Aruba Networks Security Target Page 15 of 67 Table 6: Assumptions drawn from NDPP Identifier Description A.NO_GENERAL_PURPOSE It is assumed that t

Aruba Networks Security Target Page 16 of 67 4 Security Objectives 4.1 Objectives for the Operational Environment 29 Table 7 identifies the obje

Aruba Networks Security Target Page 17 of 67 Identifier Description O.SESSION_LOCK The TOE shall provide mechanisms that mitigate the risk of unat

Aruba Networks Security Target Page 18 of 67 5 Security Requirements 5.1 Conventions 31 This document uses the following font conventions to ide

Aruba Networks Security Target Page 19 of 67 Component Title Source FTA_SSL_EXT.1 TSF-initiated Session Locking NDPP FCS_IPSEC_EXT.1 Explicit:

Aruba Networks Security Target Page 2 of 67 Document History Version Date Author Description 1.0 27 August 2012 L Turner Release for evaluation

Aruba Networks Security Target Page 20 of 67 Requirement Title FIA_PMG_EXT.1 Password Management FIA_UIA_EXT.1 User Identification and Authentica

Aruba Networks Security Target Page 21 of 67 FAU_GEN.1.2 The TSF shall record within each audit record at least the following information: a) D

Aruba Networks Security Target Page 22 of 67 Requirement Auditable Events Additional Audit Record Contents Guidance Notes FCS_TLS_EXT.1 Failure to

Aruba Networks Security Target Page 23 of 67 FCS_CKM.1(2) Cryptographic Key Generation (for asymmetric keys – IPSec) FCS_CKM.1.1(2) The TSF sha

Aruba Networks Security Target Page 24 of 67 FCS_COP.1(1) Cryptographic Operation (for data encryption/decryption) FCS_COP.1.1(1) Refinement: T

Aruba Networks Security Target Page 25 of 67  The TSF shall implement “NIST curves” P-256, P-384 and no other curves (as defined in FIPS PUB 186-

Aruba Networks Security Target Page 26 of 67 TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_256_CBC_ SHA256 TLS_DHE_RSA_WITH_AES_128_CBC_ SHA25

Aruba Networks Security Target Page 27 of 67 FCS_SSH_EXT.1.2 The TSF shall ensure that the SSH protocol implementation supports the following aut

Aruba Networks Security Target Page 28 of 67 FIA_UIA_EXT.1.2 The TSF shall require each administrative user to be successfully identified and aut

Aruba Networks Security Target Page 29 of 67  Authorized Administrator role shall be able to administer the TOE remotely; are satisfied. 5.3.7

Aruba Networks Security Target Page 3 of 67 Table of Contents 1 Introduction ...

Aruba Networks Security Target Page 30 of 67 FPT_TST_EXT.1.1 The TSF shall run a suite of self-tests during initial start-up (on power on) to dem

Aruba Networks Security Target Page 31 of 67 logically distinct from other communication paths and provides assured identification of its end point

Aruba Networks Security Target Page 32 of 67 6 TOE Summary Specification 6.1 Security Functions 6.1.1 Protected Communications Related SFRs: FC

Aruba Networks Security Target Page 33 of 67 42 The TOE may be configured to support username/password authentication, client certificate authenti

Aruba Networks Security Target Page 34 of 67 requires RSA key sizes of 2048 bits or greater. The TOE supports an RSA key size of 1024 bits in addi

Aruba Networks Security Target Page 35 of 67 49 A SHA-256 hash of each update image is digitally signed using Aruba’s code signing certificate (RS

Aruba Networks Security Target Page 36 of 67 when the configuration of the TOE has been erased using the “write erase” command. While in this defa

Aruba Networks Security Target Page 37 of 67 64 The memory buffers used in packet processing are sanitized subsequent to each packet being process

Aruba Networks Security Target Page 38 of 67 v) HMAC (HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512) KAT 67 The following Conditional Self-

Aruba Networks Security Target Page 39 of 67 #469, #466. SHS #2250, #2249, #2246. RNG #1250. DRBG #433. HMAC #1666, #1663. KBKDF #16. Component

Aruba Networks Security Target Page 4 of 67 Table 14: Summary of SFRs ...

Aruba Networks Security Target Page 40 of 67 # Name CSPs type Generation Storage and Zeroization Use 1 Key Encryption Key (KEK) Triple-DES 168-bit

Aruba Networks Security Target Page 41 of 67 8 Diffie-Hellman private key Diffie-Hellman private key (224 bits) Generated internally during Dif

Aruba Networks Security Target Page 42 of 67 16 User Passwords 8-64 character password CO configured Stored encrypted in Flash with KEK. Zeroized b

Aruba Networks Security Target Page 43 of 67 24 SSHv2 session keys AES (128/196/256 bits) Established during the SSHv2 key exchange Stored in plai

Aruba Networks Security Target Page 44 of 67 32 ECDSA Public Key ECDSA suite B P-256 and P-384 curves Generated in the module Stored in flash memor

Aruba Networks Security Target Page 45 of 67 Table 14 - Crypto-Officer Services IKEv1/IKEv2-IPSec Provide authenticated and encrypted remote manage

Aruba Networks Security Target Page 46 of 67 Table 14 - Crypto-Officer Services HTTPS over TLS Secure browser connection over Transport Layer Secur

Aruba Networks Security Target Page 47 of 67 Table 14 - Crypto-Officer Services data, self signed certificates Zeroization Zeroizes all flash memo

Aruba Networks Security Target Page 48 of 67 7 Rationale 7.1 Conformance Claim Rationale 82 The following rationale is presented with regard to

Aruba Networks Security Target Page 49 of 67 SFR Protected Communications Verifiable Updates System Monitoring Secure Administration Residual Infor

Aruba Networks Security Target Page 5 of 67 1 Introduction 1.1 Overview 1 The Aruba Networks Mobility Controller is a network device that serves

Aruba Networks Security Target Page 50 of 67 SFR Protected Communications Verifiable Updates System Monitoring Secure Administration Residual Infor

Aruba Networks Security Target Page 51 of 67 Annex A: NDPP Assurance Activities 87 The NDPP contains assurance activities that are to be performed

Aruba Networks Security Target Page 52 of 67 # NDPP Source Requirement Assurance Family how these records are protected against unauthorized access

Aruba Networks Security Target Page 53 of 67 # NDPP Source Requirement Assurance Family 1 Digital Signature Algorithm Validation System (DSA2VS)&qu

Aruba Networks Security Target Page 54 of 67 # NDPP Source Requirement Assurance Family (ECDSAVS or ECDSA2VS), and "The RSA Validation System”

Aruba Networks Security Target Page 55 of 67 # NDPP Source Requirement Assurance Family values for each trial. The first is a count (0 – 14). The n

Aruba Networks Security Target Page 56 of 67 # NDPP Source Requirement Assurance Family as part of the establishment of a higher-level protocol, e.

Aruba Networks Security Target Page 57 of 67 # NDPP Source Requirement Assurance Family and attempted to be maintained while more data than is spec

Aruba Networks Security Target Page 58 of 67 # NDPP Source Requirement Assurance Family this key to successfully establish an IPsec connection. Wh

Aruba Networks Security Target Page 59 of 67 # NDPP Source Requirement Assurance Family 28. FCS_SSH_EXT.1.7 The evaluator shall ensure that opera

Aruba Networks Security Target Page 6 of 67 d) U.S. Government Approved Protection Profile - Security Requirements for Network Devices , v1.1 (her

Aruba Networks Security Target Page 60 of 67 # NDPP Source Requirement Assurance Family Test 1: The evaluator shall use the operational guidance to

Aruba Networks Security Target Page 61 of 67 # NDPP Source Requirement Assurance Family team’s test activities. 37. FPT_SKP_EXT.1 The evaluator

Aruba Networks Security Target Page 62 of 67 # NDPP Source Requirement Assurance Family activity again to verify the version correctly corresponds

Aruba Networks Security Target Page 63 of 67 # NDPP Source Requirement Assurance Family instance. 46. FTP_ ITC.1 The evaluator shall examine the

Aruba Networks Security Target Page 64 of 67 # NDPP Source Requirement Assurance Family modification of the channel data is detected by the TOE. F

Aruba Networks Security Target Page 65 of 67 # NDPP Source Requirement Assurance Family user role the process runs as or under. 52. AGD_OPE.1 The

Aruba Networks Security Target Page 66 of 67 # NDPP Source Requirement Assurance Family tool will not adversely affect the performance of the funct

Aruba Networks Security Target Page 67 of 67 ----- End of Document -----

Aruba Networks Security Target Page 7 of 67 [CLI] ArubaOS 6.3.x Command Line Interface, Ref 0511500-00 [SYSLOG] ArubaOS 6.3.x Syslog Messages G

Aruba Networks Security Target Page 8 of 67 2 TOE Description 2.1 Type 7 The TOE is a network device. 8 In the CC evaluated configuration, the

Aruba Networks Security Target Page 9 of 67 f) Provides a web-based (HTTPS/TLS) management UI for the mobility controller g) Provides various WLA