Compliant Product - Aruba Remote Access Point Series with Aruba Mobility Controllers, running AOS 8.2
Certificate Date: 2020.03.12CC Certificate Validation Report Assurance Activity
Validation Report Number: CCEVS-VR-VID11052-2020
Product Type: Virtual Private Network
Conformance Claim: Protection Profile Compliant
PP Identifier: collaborative Protection Profile for Network Devices Version 2.1
Extended Package for VPN Gateways Version 2.1
CC Testing Lab: Leidos Common Criteria Testing Laboratory
* This is the Security Target (ST) associated with the latest Maintenance Release. To view previous STs for this TOE, click here.
The Aruba Remote Access Point Series with Aruba Mobility Controllers and AOS 8.2 solution is a distributed system of network infrastructure devices providing VPN Gateway capabilities.
The Remote Access Points (VPN clients) and Mobility Controllers perform encryption and decryption of network packets in accordance with a VPN security policy negotiated between the VPN client (APs) and the Aruba Mobility Controller. As a VPN gateway – a device at the edge of a private network that terminates an IPsec tunnel – the Mobility Controller provides device authentication, confidentiality, and integrity of information traversing a public or untrusted network. The TOE provides packet filtering and secure IPsec tunneling.
As network infrastructure devices the Remote Access Points and Mobility Controllers along with ArubaOS 8.2 provide centralized management, auditing, authentication, cryptographic functions, secure remote access, self-verification of integrity and operation, self-protection and IPsec VPN packet filtering functionality.
The TOE consists of one or more Aruba Remote Access Point wireless devices and a Mobility Controller hardware switch, each with ArubaOS version 8.2. The specific devices and part numbers are identified in the table below. Each device has the ArubaOS 8.2 software.
The tested configuration consisted of the following devices: Aruba 7240XM Mobility Controller, Aruba AP-303H, and Aruba AP-203RP. Equivalency between supported functionality, underlying operating system, and CPU family ensures that the results on the tested configuration are representative of all claimed models.
Security Evaluation Summary
The evaluation was carried out in accordance with the Common Criteria Evaluation and Validation Scheme (CCEVS) process and scheme. The criteria against which the TOE was judged are described in the Common Criteria for Information Technology Security Evaluation, Version 3.1 rev 5. The evaluation methodology used by the evaluation team to conduct the evaluation is the Common Methodology for Information Technology Security Evaluation, Version 3.1 revision 5, augmented by evaluation activities specified in the collaborative Protection Profile for Network Devices, Version 2.1, and the Supporting Document— Extended Package VPN Gateway, Version 2.1. The product, when delivered and configured as identified in the Common Criteria Configuration Guidance, Aruba OS 8.2 Supplemental Guidance Version 1.0, July 2019, satisfies all of the security functional requirements stated in the Aruba Remote Access Point Series with Aruba Mobility Controllers, running AOS 8.2 Security Target, v1.0, 28 Febaruary 2020. The evaluation was subject to CCEVS Validator review. The evaluation was completed in March 2020. Results of the evaluation can be found in the Common Criteria Evaluation and Validation Scheme Validation Report prepared by CCEVS.
The TOE generates logs for security relevant events including start-up and shutdown of the TOE, all administrator actions, and all events identified in the Auditable Events table. The TOE stores the logs locally on the Mobility Controller so they can be accessed by an administrator and can be configured to send the logs to a designated syslog server in the operational environment.
All appliances included in the TOE are CAVP certified and details are provided in the TOE Security Summary (TSS). The approved algorithms provide key management, random bit generation, encryption/decryption, digital signature and secure hashing and key-hashing features in support of higher-level cryptographic protocols including IPsec, SSH, and TLS/HTTPS.
The TOE is a distributed configuration consisting of Aruba Mobility Controllers and Remote Access Points. The Security Administrator must enable communications between the Remote Access Points and Controller TOE components before any communication can take place. The RAPs must be configured with an appropriate RSA or ECDSA certificate and the IP address of the Aruba Mobility Controller.
Identification and Authentication
The TOE requires administrators to be identified and authenticated before they can access any TOE security functions. The TOE supports role-based access control, so user accounts are assigned predefined roles that restrict them based on their assigned role. The TOE maintains these administrator and user attributes which can be defined locally with user names and passwords and/or certificate or public-key. Alternatively a user account can be defined in the context of local RADIUS and TACAS+ services with user names and passwords. Authentication can be either locally or remotely through an external authentication server. After an administrator-specified number of failed attempts, the user account is locked out. The TOE’s password mechanism provides configuration for a minimum password length. The TOE also protects, stores and allows authorized administrators to load X.509.v3 certificates to support authentication for IPsec, and TLS.
The TOE provides the administrator role the capability to configure and manage all TOE security functions including cryptographic operations, user accounts, passwords, advisory banner, session inactivity, and TOE updates. The management functions are restricted to the administrator role. The role must have the appropriate access privileges or access will be denied.
The TOE acts as a VPN gateway – a device at the edge of a private network that terminates an IPsec tunnel, which provides device authentication, confidentiality, and integrity of information traversing a public or untrusted network. The TOE provides packet filtering and secure IPsec tunneling. The tunnels can be established between remote VPN clients and the TOE Remote Access Points and Controllers. An administrator can configure security policies that determine whether to block, allow, or log a session based on traffic attributes such as the source and destination port, the source and destination IP address, user, and the service.
Protection of the TSF
The TOE has its own internal hardware clock that provides reliable time stamps used for auditing and can be configured to synchronize time with an external NTP server. The TOE stores passwords on flash using a SHA1 hash and does not provide any interfaces that allow passwords or keys to be read. The TOE also provides integrity and security protection for all communication between its components using IPsec. This prevents unauthorized modification or disclosure of TSF data during transmission.
The TOE runs self-tests during power up to ensure the correct operation of the cryptographic functions and TSF hardware. There is an option for the administrator to verify the integrity of stored TSF executable code.
The TOE includes mechanisms so that the administrator can determine the TOE version and update the TOE securely using digital signatures.
The TOE allows administrators to configure a period of inactivity for administrator sessions. Once that time period has been reached, the session is terminated. All users may also terminate their own sessions at any time. A warning banner is displayed at the management interfaces (Web GUI and CLI) to advise users on appropriate use and penalty for misuse of system.
In order to limit access to the administrative functions, the TOE can be configured to deny remote VPN clients based on the time/date, IP address (location), as well as information retained in a whitelist, such that removal from the whitelist prevents session establishment. The TOE assigns a private IP address (internal to the trusted network for which the TOE is the headend) to a VPN client upon successful establishment of a session.
The TOE uses IPsec to provide an encrypted channel between Mobility Controllers and third-party trusted IT entities in the operating environment including external syslog server, external authentication server, and an NTP server. The TOE also uses IPsec to encrypt communications between TOE components and for VPN connections.
The TOE secures remote communication with administrators by implementing TLS/HTTPS for remote Web UI access and SSHv2 for CLI access. In each case, both the integrity and disclosure protection is ensured via the secure protocol. If the negotiation of a secure session fails or if the user cannot be authenticated for remote administration, the attempted session will not be established.
Aruba, a Hewlett Packard Enterprise Company