NIAP: Compliant Product
NIAP/CCEVS
  NIAP  »»  Product Compliant List  »»  Compliant Product  
Compliant Product - Aruba Mobility Controller Series with ArubaOS 8.2

Certificate Date:  2019.08.27

Validation Report Number:  CCEVS-VR-VID10975-2019

Product Type:    Wireless LAN
   Firewall
   Virtual Private Network

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Stateful Traffic Filter Firewalls Version 2.0 + Errata 20180314
  Extended Package for VPN Gateways Version 2.1
  Extended Package for Wireless LAN Access System

CC Testing Lab:  Gossamer Security Solutions


CC Certificate [PDF] Security Target [PDF] Validation Report [PDF]

Assurance Activity [PDF]

Administrative Guide [PDF]


Product Description

The Target of Evaluation (TOE) is Aruba Mobility Controller Series with ArubaOS 8.2. The TOE is a multi-purpose network device that includes stateful traffic filter firewall, VPN gateway and WLAN access system capabilities. The Aruba Mobility Controller Series platform serves as a gateway between wired and wireless networks and provides command and control over Aruba Access Points (APs) within an Aruba dependent wireless network.

The Aruba Mobility Controllers (MCs) and Aruba Virtual Mobility Controllers (VMCs) are wireless switch hardware and virtual appliances that provide a wide range of security services and features including wireless and wired network mobility, security, centralized management, auditing, authentication, secure remote access, self-verification of integrity and operation, stateful traffic filtering and VPN gateway functionality.

The ArubaOS is a suite of mobility applications that runs on all Aruba controllers and allows administrators to configure and manage the wireless and mobile user environment. The TOE is generally deployed in a configuration consisting of one or more Aruba mobility controllers (MC and/or VMC) and multiple Aruba wireless APs.

 The TOE performs stateful packet filtering on network packets processed by the TOE.  Filtering rules may be applied to appliance Ethernet interfaces and to user roles (for wireless clients as described above) to allow fine grained control over network traffic.

 As a VPN gateway – a device at the edge of a private network that terminates an IPsec tunnel – the TOE provides device authentication, confidentiality, and integrity of information traversing a public or untrusted network. The TOE provides packet filtering and secure IPsec tunneling. This functionality may be used with VPN clients or with other VPN gateways (i.e. site-to-site VPN).


Evaluated Configuration

The evaluated configuration consists of the Aruba Mobility Controller Series with ArubaOS version 8.2 and the following required software licenses: 

·         Policy Enforcement Firewall,

·         RFprotect

·         Advanced Cryptography

The TOE includes the following hardware and virtual appliance models:

Mobility Controller Hardware Appliances

Product Model

Part Number(s)

CPU

Aruba 7005 Mobility Controller

JW636A

Broadcom XLP

Aruba 7008 Mobility Controller

JX932A

Broadcom XLP

Aruba 7010 Mobility Controller

JW703A

Broadcom XLP

Aruba 7024 Mobility Controller

JW707A

Broadcom XLP

Aruba 7030 Mobility Controller

JW711A

Broadcom XLP

Aruba 7205 Mobility Controller

JW740A

Broadcom XLP

Aruba 7210 Mobility Controller

JW746A

Broadcom XLP

Aruba 7220 Mobility Controller

JW754A

Broadcom XLP

Aruba 7240 Mobility Controller

JW762A

Broadcom XLP

Aruba 7240XM Mobility Controller

JW830A

Broadcom XLP

                                Table 1 Mobility Controller Hardware Appliances

 

The table below shows the different model series based on maximum number of APs and users supported within that series.

Product

Max. # of APs

Max. # of Users

Typical Deployment

Aruba 7000 Series

64

4096

Branch Office / Small Campus

Aruba 7200 Series

2,048

65,536

Headquarters/ Large Campus

                                Table 2 Mobility Controller Deployments

 

 

Mobility Controller Virtual Appliances (deployed on ESXi v6.5.0)

·         MC-VA-50

·         MC-VA-250

·         MC-VA-1k

 

The table below shows the different virtual model series based on maximum number of APs and clients supported within that series.

 

 

Aruba Mobility Controller Virtual Appliance

MC-VA-50

MC-VA-250

MC-VA-1K

Maximum AP Count

50 APs

250 APs

1,000 APs

Maximum Client Count   

800

4,000

16,000

                          Table 3 MC Virtual Appliance Models and Capacities

 

 

VM Platforms

The Mobility Controller Virtual Appliances are deployed on ESXi version 6.5.0.  The following virtual machine platforms are included in the evaluated configuration:

 

Name

CPU

Memory

HPE EdgeLine 20

Intel Core i5

8GB

DTECH M3-SE-SVR4

Intel Xeon E3

32GB

DTECH M3x

Intel Core i5

32GB

Klas Telecom TDC Blade

Intel Xeon D

128GB

Klas Telecom VoyagerVMm

Intel Core i5

32GB

PacStar PS451-4330 Series

Intel Core i5

16GB

PacStar PS451-1258 Series

Intel Xeon E3

32GB

IAS VPN Gateway Module NANO-VM

Intel Atom E3

4GB

IAS VPN Gateway Module Classic Plus

Intel Core i7

32GB

Table 4 VM Platforms

 


Security Evaluation Summary

The evaluation was carried out in accordance to the Common Criteria Evaluation and Validation Scheme (CCEVS) requirements and guidance. The evaluation demonstrated that the TOE meets the security requirements contained in the Security Target.  The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1, Revision 5, April 2017. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Evaluation Methodology, Version 3.1, Revision 5, April 2017.  The product, when delivered and configured as identified in the Common Criteria Configuration Guidance Aruba OS 8.2 Supplemental Guidance, Version 1.5, August 2019 document, satisfies all of the security functional requirements stated in the Aruba Mobility Controller Series with ArubaOS 8.2 (FWcPP20E/VPNGWEP21/WLANASEP10)  Security Target, Version 1.1 August 20, 2019.  The project underwent CCEVS Validator review.  The evaluation was completed in August 2019.  Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report (report number CCEVS-VR-10975-2019) prepared by CCEVS.


Environmental Strengths

The logical boundaries of the Aruba Mobility Controller Series with ArubaOS 8.2 are realized in the security functions that it implements. Each of these security functions is summarized below.

 

Security audit:

The TOE is designed to be able to generate logs for a wide range of security relevant events including start-up and shutdown of the TOE, all administrator actions, and all Protection Profile Auditable Events. The TOE can be configured to store the logs locally so they can be accessed by an administrator or alternately to send the logs to a designated syslog server in the operational environment.

Cryptographic support:

The TOE includes cryptographic modules that provide key management, random bit generation, encryption/decryption, digital signature and secure hashing and key-hashing features in support of higher level cryptographic protocols including IPsec, SSH, and TLS/HTTPS.

User Data Protection:

The TOE ensures that any data packets passing through do not inadvertently contain any residual information that might be disclosed inappropriately.

 

Firewall:

The TOE performs stateful packet filtering. Filtering rules may be applied to appliance Ethernet interfaces or to user-roles (wireless clients connecting through APs are placed into user-roles). Stateful packet filter policies are applied to user-roles to allow fine grained control over wireless traffic.

 

Identification and authentication:

The TOE requires administrators to be identified and authenticated before they can access any TOE security functions. The TOE supports role-based authentication, so user accounts are assigned predefined roles which restrict them based on their assigned role.  The TOE maintains these administrator and user attributes which can be defined locally with user names and passwords or can be defined in the context of local RADIUS services.  Authentication can be either locally or remotely through an external authentication server, or internally.  Wireless clients are identified and authenticated by different authentication mechanisms such as 802.1X, etc. After an administrator-specified number of failed attempts, the user account is locked out. The TOE’s password mechanism provides configuration for a minimum password length.  The TOE also protects, stores and allows authorized administrators to load X.509.v3 certificates for use to support authentication for IPsec, TLS and SSH connections.

Security management:

The TOE provides the administrator role the capability to configure and manage all TOE security functions including cryptographic operations, user accounts, passwords, advisory banner, session inactivity and TOE updates.  The management functions are restricted to the administrator role. The role must have the appropriate access privileges or access will be denied. The TOE’s cryptographic functions ensure that only secure values are accepted for security attributes.

Packet Filtering:

The TOE may be used as a VPN gateway – a device at the edge of a private network that terminates an IPsec tunnel, which provides device authentication, confidentiality, and integrity of information traversing a public or untrusted network. The TOE provides packet filtering and secure IPsec tunneling. The tunnels can be established between two trusted VPN peers as well as between remote VPN clients and the TOE. An administrator can configure security policies that determine whether to block, allow, or log a session based on traffic attributes such as the source and destination security zone, the source and destination IP address, the application, user, and the service.

 

Protection of the TSF:

The TOE has its own internal hardware clock that provides reliable time stamps used for auditing. The TOE stores passwords on flash using a SHA1 hash and does not provide any interfaces that allow passwords or keys to be read. The TOE also provides integrity and security protection for all communication between its components. This prevents unauthorized modification or disclosure of TSF data during transmission.

The TOE runs self-tests during power up and periodically during operation to ensure the correct operation of the cryptographic functions and TSF hardware. There is an option for the administrator to verify the integrity of stored TSF executable code.

The TOE includes mechanisms so that the administrator can determine the TOE version and update the TOE securely using digital signatures.

TOE access:

The TOE allows administrators to configure a period of inactivity for administrator and wireless user sessions. Once that time period has been reached while the session has no activity, the session is terminated. All users may also terminate their own sessions at any time. A warning banner is displayed at the management interfaces (Web GUI and CLI) to advise users on appropriate use and penalty for misuse of system.

In order to limit access to the administrative functions, the TOE can be configured to deny wireless clients and remote VPN clients based on the time/date, IP address (location), as well as information retained in a blacklist.  The TOE assigns a private IP address (internal to the trusted network for which the TOE is the headend) to a VPN client upon successful establishment of a session.

Trusted path/channels:

The TOE uses IPsec to provide an encrypted channel between itself and third-party trusted IT entities in the operating environment including Aruba access point(s), external syslog server, external authentication server, 802.1x authentication server, NTP server and VPN Gateway/Client. The TOE also uses IPsec to encrypt communications between TOE components.

The TOE also provides a protected communication path between itself and wireless users. The TOE protects communication with wireless clients using WPA2 with 802.1x EAP-TLS.

The TOE secures remote communication with administrators by implementing TLS/HTTPS for remote Web UI access and SSHv2 for CLI access.  In each case, both the integrity and disclosure protection is ensured via the secure protocol. If the negotiation of a secure session fails or if the user cannot be authenticated for remote administration, the attempted session will not be established.


Vendor Information


Aruba, a Hewlett Packard Enterprise Company
Kevin Micciche
404-648-0062
kevin.micciche@hpe.com

www.arubanetworks.com
Site Map              Contact Us              Home