NIAP: Assurance Continuity
NIAP/CCEVS
Assurance Continuity - Aruba Mobility Controller Series with ArubaOS version 8.5

Date of Maintenance Completion:  2020.02.11

Product Type:    Wireless LAN
   Firewall
   Virtual Private Network

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Stateful Traffic Filter Firewalls Version 2.0 + Errata 20180314
  Extended Package for VPN Gateways Version 2.1
  Extended Package for Wireless LAN Access System

Original Evaluated TOE:  2019.08.27 - Aruba Mobility Controller Series with ArubaOS 8.2

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they still apply to it.

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF] Administrative Guide [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.  To view previous STs for this TOE, click here.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product.  Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate.  Such assurance can only be gained through re-evaluation.

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of the changes on the TOE is minor and that independent evaluator analysis was not necessary.  A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target.  Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand what a maintained certificate represents.

Product Description

The changes are divided into two categories: hardware and software. The TOE has been revised from the evaluated ArubaOS version 8.2 to version 8.5. The subsections below provide justification that the changes have no security relevance for the certified TOE.

Hardware Additions to TOE: 

The vendor has added further hardware to the existing series. These additional platforms use the same software as the others in the series.  They were addressed in regression testing and the CAVP certificates remain valid for these models.

Series Identifier                Hardware Models    Processor
Aruba 7280 Mobility Controller   JX914A             Broadcom XLP

Software Changes to TOE: 

The changes are divided into several categories: New Non-Security Related Features, Security Related Additions, and Bug Fixes. One of these changes affects a security functional requirement (SFR) but does not change the scope of the evaluation. The subsections below justify that the changes have no security impact on the certified TOE.

New Feature Impacting an SFR

New Feature: Disabling TLS RSA Cipher Suites – The following TLS RSA cipher suites are disabled to ensure complete forward secrecy and to prevent Return Of Bleichenbacher's Oracle Threat (ROBOT) attacks in APs:

· TLS_RSA_WITH_AES_256_CBC_SHA256
· TLS_RSA_WITH_AES_128_CBC_SHA256
· TLS_RSA_WITH_AES_256_CBC_SHA
· TLS_RSA_WITH_AES_128_CBC_SHA

Assessment: The FWcPP20E:FCS_TLSS_EXT.1.1 element in the ST has been updated to remove these cipher suites. This removal is still within the scope of the evaluation because other cipher suites are available and were tested.  This is a narrowing of scope, not an expansion.

Note: A TRRT was filed about this issue. The Response to #909 says “The TRRT agrees that it is acceptable to apply TD0335 and remove the TLS_RSA_* cipher suites through assurance continuity”.
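To make the cipher-suite removal above concrete, here is an added example (not Aruba's or NIAP's code) using Python's ssl module: it maps the four IANA suite names from the table to their OpenSSL names, flags any enabled suite whose key exchange is static RSA (the property that removes forward secrecy and that ROBOT-style padding oracles depend on), and contrasts a permissive cipher list with a hardened one that excludes those suites. The cipher-string syntax and the Kx=RSA marker in OpenSSL's cipher description are OpenSSL conventions, not ArubaOS configuration.

```python
"""Detect static-RSA (TLS_RSA_*) cipher suites in an OpenSSL cipher list."""
import re
import ssl
from typing import List

# The four suites removed from FCS_TLSS_EXT.1.1 in the maintenance report,
# with the OpenSSL names under which they appear in a cipher list.
DISABLED_SUITES = {
    "TLS_RSA_WITH_AES_256_CBC_SHA256": "AES256-SHA256",
    "TLS_RSA_WITH_AES_128_CBC_SHA256": "AES128-SHA256",
    "TLS_RSA_WITH_AES_256_CBC_SHA": "AES256-SHA",
    "TLS_RSA_WITH_AES_128_CBC_SHA": "AES128-SHA",
}

# OpenSSL's cipher description carries "Kx=RSA" for static RSA key transport;
# the trailing word boundary keeps "Kx=RSAPSK" from matching.
_KX_RSA = re.compile(r"\bKx=RSA\b")


def is_rsa_key_transport(iana_name: str) -> bool:
    """True for IANA suite names whose key exchange is static RSA.

    Such suites encrypt the premaster secret under the server's long-term RSA
    key, so a compromised key decrypts past sessions (no forward secrecy) and
    any PKCS#1 v1.5 padding leak becomes a Bleichenbacher/ROBOT oracle.
    """
    return iana_name.startswith("TLS_RSA_WITH_")


def rsa_key_transport_suites(ctx: ssl.SSLContext) -> List[str]:
    """OpenSSL names of the suites enabled in ctx that use RSA key transport."""
    return [c["name"] for c in ctx.get_ciphers() if _KX_RSA.search(c["description"])]


def offers_disabled_suite(ctx: ssl.SSLContext) -> List[str]:
    """IANA names from DISABLED_SUITES that ctx would still offer."""
    enabled = {c["name"] for c in ctx.get_ciphers()}
    return [iana for iana, ossl in DISABLED_SUITES.items() if ossl in enabled]


def permissive_context() -> ssl.SSLContext:
    """Weak setting: everything OpenSSL can negotiate, TLS_RSA_* included."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers("ALL:!aNULL:!eNULL")
    return ctx


def hardened_context() -> ssl.SSLContext:
    """Corrected setting: only (EC)DHE suites, so every session has forward secrecy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM:!kRSA:!aNULL:!eNULL")
    return ctx


if __name__ == "__main__":
    for label, ctx in (("permissive", permissive_context()), ("hardened", hardened_context())):
        print(f"{label}: RSA key transport suites = {rsa_key_transport_suites(ctx)}")
        print(f"{label}: still offers = {offers_disabled_suite(ctx)}")
```

The same check can be pointed at a server-side context before deployment; an empty result from rsa_key_transport_suites is the condition the updated FCS_TLSS_EXT.1.1 element expresses.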

New Non-Security Related Features

Features and enhancements have been added to the updated software. See the following table for an analysis of each feature.

New Feature: AirMatch Enhancements – these enhancements deal with optimizing radio frequency.
Assessment: Radio frequency optimization is outside the scope of the FWcPP20E/WLANASEP10/VPNGWEP21 evaluation.

New Feature: Air Management – IDS – the output legends (flags and statuses) for the command show ap debug client-table are sorted in alphabetical order to increase readability.
Assessment: This is a functional change and not relevant to the FWcPP20E/WLANASEP10/VPNGWEP21 evaluation.

New Feature: AP-Platform Updates and new APs – these are new features in the Access Points provided by Aruba.
Assessment: The Access Points do not enforce any of the requirements in the FWcPP20E/WLANASEP10/VPNGWEP21 evaluation.  As such, all related features are outside the scope of the evaluation.

New Feature: AMON updates – new features added for Cloud interfaces.
Assessment: AMON is a management protocol similar to SNMP and is outside the scope of the FWcPP20E/WLANASEP10/VPNGWEP21 evaluation.

New Feature: NetInsight Support – ArubaOS is now integrated with NetInsight, Aruba’s Network Analytics and Assurance solution.
Assessment: Interactions with the NetInsight product are outside the scope of the FWcPP20E/WLANASEP10/VPNGWEP21 evaluation.

New Feature: IAP-VPN Termination – Mobility Controller Virtual Appliance supports IAP-VPN termination by using custom certificates.
Assessment: Only the IPsec VPN was included in the evaluation.  IAP-VPN is outside the scope of the evaluation.

New Feature: ARM Enhancements –
· Displays signal strength
· Load balancing enhancements
· Advanced statistical reporting
Assessment: These enhancements are functional in nature and are outside the scope of the FWcPP20E/WLANASEP10/VPNGWEP21 evaluation.

New Feature: Support for ASCOM Device-Type – these are handheld devices.
Assessment: These devices were not considered in the original evaluation and are outside the scope of the FWcPP20E/WLANASEP10/VPNGWEP21 evaluation.

New Feature: VIA Connection-Profile Enhancement – provides the ability to mark outgoing IKE and ESP packets with a custom DSCP value, which is configured in managed devices by using the VIA connection-profile.
Assessment: This change is related to the VIA application evaluation and not the current evaluation.  There are no requirements that address VIA profiles in the FWcPP20E/WLANASEP10/VPNGWEP21 evaluation.  As such, this feature is outside the scope of the evaluation.

New Feature: VIA Client Enhancements –
· when a user authenticates and accesses the VIA client, a notification with details about the last successful logon date and time stamp is provided
· a new command, no banner via, is added to remove the banner VIA configuration
Assessment: This change is related to the VIA application evaluation and not the current evaluation.  There are no requirements that address VIA profiles in the FWcPP20E/WLANASEP10/VPNGWEP21 evaluation.  As such, this feature is outside the scope of the evaluation.

New Feature: BLE Enhancements – these enhancements concern Bluetooth in the APs.
Assessment: The APs do not enforce any of the requirements in the FWcPP20E/WLANASEP10/VPNGWEP21 evaluation.  As such, all related features are outside the scope of the evaluation.

New Feature: New Counter for Standby Managed Devices in a Cluster – a new counter, current standby entries, is added to the station parameter of the show datapath command. This counter provides information on standby managed devices in a cluster.
Assessment: This is a functional enhancement and is outside the scope of the evaluation.

New Feature: RTP Traffic – starting from this release, RTP traffic is prioritized based on the DSCP value set by the end user device. This allows the RTP traffic to pass through the managed devices.
Assessment: RTP was not in the evaluated configuration, so enhancements to it do not impact the evaluation results.

New Feature: Jumbo Frames – starting from this release, Jumbo Frames are supported on Mobility Controller Virtual Appliance.
Assessment: This is a functional enhancement and is outside the scope of the evaluation.

New Feature: Branch Office Enhancements
Assessment: Branch office appliances were not part of the evaluation. As such, all related features are outside the scope of the evaluation.

New Feature: Cluster Enhancements
Assessment: Cluster configurations were not part of the evaluation. As such, all related features are outside the scope of the evaluation.

New Feature: License Management with ASP – starting from this release, the ArubaOS License Automation feature is supported, where the Mobility Master obtains the ArubaOS licenses from ASP or LMS automatically. Users need not manually add the licenses on the Mobility Master.
Assessment: The procedure for licensing is outside the scope of the evaluation.

New Feature: Mesh – ArubaOS now allows you to set mesh auto under Configuration > Access Points > Provision > Mesh role. Mesh auto enables auto-detection of mesh point or mesh portal based on system initialization or operation. The mesh-auto parameter is introduced under the provision-ap command to enable auto-detection of mesh using the CLI.
Assessment: Mesh configurations were not part of the evaluation, so enhancements to them do not impact the evaluation results.

New Feature: Management Enhancements –
· NetDestination and NetServices aliases can now be configured using the ArubaOS 8.4.0.0 WebUI
· Starting from this release, managed devices can be configured to support the same gateway IP address over multiple PPPoE uplinks
Assessment: These are added management functions and are not needed for the evaluation. As such, all related features are outside the scope of the evaluation.

New Feature: SNMP Enhancements
Assessment: SNMP is not part of the evaluation. As such, all related features are outside the scope of the evaluation.

New Feature: Tunnel Node –
· Starting from this release, a single IPv4 and IPv6 Layer-2 GRE tunnel can carry both trusted and untrusted VLANs.
· Dynamic Segmentation solution enhancements
Assessment: These are functional enhancements and support for additional products. As such, these enhancements are outside the scope of the evaluation.

New Feature: UCC Support – added support for the cloud-based UCC application from Microsoft.
Assessment: UCC was not part of the evaluation. As such, all related features are outside the scope of the evaluation.

New Feature: Web Server – ArubaOS 8.4.0.0 introduces the Backward Compatibility feature that enables managed devices to receive register requests on the older HTTP port 80. This option is beneficial when managed devices and Instant APs have not been upgraded to ArubaOS 8.4.0.0 simultaneously in a network. When only managed devices are upgraded, users must enable this feature so that managed devices do not drop register requests received on the older HTTP port 80, which can result in service disruption.
Assessment: This is an added functional feature outside the scope of the evaluation.  It does not impact the evaluation results.

New Feature: Web UI Enhancements – numerous enhancements were made for ease of use.
Assessment: These are added Web UI functions and are not needed for the evaluation. As such, all related features are outside the scope of the evaluation.

New Feature: Support for 4G Modems on 7000 Series Controllers
Assessment: This is a functional change and not related to the evaluation.  As such, all related features are outside the scope of the evaluation.

New Feature: 802.11ax capability on ClientMatch – any 802.11ax capable STAs can be matched with 802.11ax capable radios dynamically, resulting in better throughput and spectral efficiency. When an 802.11ax client is associated with a lower radio, ClientMatch pushes the client to the best compatible 802.11ax radio for advanced capabilities. Even though a STA is in good health and is 802.11ax capable, it still sometimes connects to lower radios; ClientMatch finds a potential 802.11ax radio on the same band and moves the client to it. The rf arm-profile command has been modified to include the cm-he-min-signal parameter.
Assessment: ClientMatch is a performance feature and does not impact any security requirements. As such, all related features are outside the scope of the evaluation.

New Feature: DHCP – DHCP option 82 sub-option 5 can be used to relay non-routable guest network users into the corporate network to obtain IP addresses.
Assessment: DHCP is not part of the evaluation. As such, all related features are outside the scope of the evaluation.

New Feature: GRE Tunnels – GRE tunnels now support an ICMP-based health-check feature to monitor the status of WAN reachability from a remote uplink.
Assessment: GRE functionality is not needed to meet any security requirements. As such, it is outside the scope of the evaluation.

New Feature: IoT Added Support
Assessment: IoT support is not part of the evaluation. As such, all related features are outside the scope of the evaluation.

New Feature: WLAN Ageout Refresh Direction – the refresh direction of an SSID profile for a client is bidirectional by default. Starting from ArubaOS 8.5.0.0, the ageout refresh direction of an SSID profile can be configured to use bidirectional, receive-only, or transmit-only data frames.
Assessment: This is a functional change and does not impact any security requirements.  As such, it is outside the scope of the evaluation.

Security Related Additions:

New Feature: Changes made for CC that are now in product releases –
· Login Banner for WebUI
· X.509 checks for the OCSP signing purpose and the cRLSign key usage bit
Assessment: These changes were made in the minor release for CC and have been rolled into the general product releases. They have already been tested as part of the evaluation.

New Feature: Firewall Enhancements – ArubaOS now increases the limit of CP firewall rules from 32 to 96. You can now configure up to 96 CP firewall rules. A "Max CP firewall limit (96) reached" configuration error message is displayed when the maximum limit of 96 rules is reached.
Assessment: This provides more functionality to users.  It does not change the implementation of the firewall rules but rather adds flexibility. As such, it does not impact the requirements, as there are no requirements for the number of rules supported.

New Feature: Implementing Management User Audits – the administrator can track the following details:
· Location of the last successful login
· Date and time stamp of the last successful login
· Number of successful attempts over a period of time
· Number of unsuccessful attempts since the last successful login
Assessment: All of these additions were included in the evaluated product. Aruba has rolled them into the general product so they are available for all releases.

New Feature: PSK Updates –
· When a PSK-based management user changes the password, a check is added to ensure that there is a difference of at least 8 characters between the new password and the old password
Assessment: The added functionality is in addition to what was required for the evaluation. This is an additional restriction on the PSK. As such, the evaluation results are still valid.

New Feature: Enhancements to SSH Ciphers and MAC Algorithms – administrators can configure SSH to enable or disable the following ciphers and MAC algorithms:
· HMAC-SHA1-96
· HMAC-SHA1
· AES-CBC
· AES-CTR
Assessment: This is only available in non-FIPS mode.  The Guide instructs the administrator to set the Controller in FIPS mode.  As such, this enhancement is not applicable to the evaluated configuration.

New Feature: PSK Password Validation – when a PSK-based management user changes the password, a check is added to ensure that there is a difference of at least 8 characters between the new password and the old password.
Assessment: This is a stronger check on the PSK than is required by the evaluation.  As such, this added check is outside the scope of the evaluation.

New Feature: Configuring Concurrent Sessions – a check is added to limit the number of concurrent sessions that an administrator account can maintain. If the admin user tries to create a new session after the maximum concurrent user sessions limit is reached, the system displays an error message and does not allow the user to log in even though the login credentials entered are valid.
Assessment: This is related to administrative sessions but is not related to a FWcPP20E/WLANASEP10/VPNGWEP21 requirement.  As such, this added check is outside the scope of the evaluation.

New Feature: Standard Mandatory Notice and Consent Banner – a configuration option is added to retain the Login Banner on the WebUI login page until the user clicks the I Accept button; only after that is the login prompt displayed.
Assessment: This is related to the FTA_TAB.1 requirement but is an extra feature. The TOE already displayed a warning banner.  The “I Accept” button is an added feature and does not impact the evaluation results.

New Feature: Zeroizing TPM Keys – you can zeroize a cryptographic module. This erases sensitive parameters such as electronically stored data, cryptographic keys, and critical security parameters from a controller or an AP to prevent disclosure of information if the equipment is permanently and irreversibly decommissioned.
Assessment: This addition was included in the evaluated product. Aruba has rolled it into the general product so it is available for all releases.

New Feature: CP Firewall Limit – the change increases the limit of CP firewall rules from 32 to 96. You can now configure up to 96 CP firewall rules. A "Max CP firewall limit (96) reached" configuration error message is displayed when the maximum limit of 96 rules is reached.
Assessment: The firewall rules themselves are not changed; rather, the number allowed is changed. This does not impact the security requirements, as the ordering and application of the rules have not changed.

New Feature: Reauthenticate Wired User on VLAN Change – when a wired user moves across VLANs, a trigger is created to re-authenticate this user. To support this feature, a new parameter, reauth-wired-user-vlan-change, is added to the aaa profile command.
Assessment: This command impacts authentication but is in addition to the evaluated authentication. The evaluated mechanisms remain intact.  As such, this does not impact the evaluation results.

New Feature: SSH Server and Client Update – starting from ArubaOS 8.3.0.4, OpenSSH v7.7 is supported.
Assessment: This is the same version that was in the evaluated configuration.  The note is in the 8.3.0.4 release notes because the update during the CC effort came after 8.3.0.3 had already been released. 8.2.2.5 also has the same version.

New Feature: WPA3 Enhancements – several enhancements have been made to WPA3 support.
Assessment: WPA3 was not within the scope of the evaluation.  As such, this change does not impact the evaluation results.

New Feature: EAP-TLS Enhancements –
· The EAP-TLS supplicant support allows you to add a Fully Qualified Domain Name (FQDN) as a suffix to an AP name or a group of APs for factory certificates
· As part of 802.1X authentication, ArubaOS supports EAP-TLS fragmentation in non-termination mode
Assessment: These are added features that are not claimed in the ST.  The tested functions are still valid.  As such, the evaluation results remain valid.

New Feature: Admin Password Recovery – starting from this release, ArubaOS allows you to disable the default password recovery feature and create an alternate password recovery user to reset the admin password.
Assessment: The password recovery feature was not part of the original evaluation and is not needed to meet the requirements.  As such, this change does not impact the evaluation results.

New Feature: Configuring Concurrent Sessions – a check is added to limit the number of concurrent sessions that an administrator account can maintain. If the admin user tries to create a new session after the maximum concurrent user sessions limit is reached, the system displays an error message and does not allow the user to log in even though the login credentials entered are valid.
Assessment: There are no evaluation requirements for the number of concurrent sessions. As such, this change does not impact the evaluation results.

New Feature: IPv6 Enhancements –
· Starting from this release, Remote APs support IPv6 clients in Split-Tunnel forwarding mode in a VAP profile.
· Starting from this release, an AP can connect to the Aeroscout or RTLS location server using a configurable IPv6 address.
· Starting from this release, you can configure an IPv6 address in one data zone of an AP MultiZone profile.
· ArubaOS now supports external captive portal for IPv6.
· Starting from this release, the WebCC feature also supports classification of IPv6 sessions on the managed device.
Assessment: These are IPv6 functional enhancements.  The evaluation tested the filtering capabilities for IPv6. These changes do not impact that filtering.

Bug Fixes:

These defects were primarily functional in nature and none has any bearing on the security requirements in the evaluated ST.  They are identified in the Release Notes where specific configuration recommendations are provided so the product functions as expected by the customer (these are not security functions).

Affected Developer Evidence:

Modifications were made to the ST to change the software version and to add the new hardware models. The Release Notes were updated to address version number and features. The Common Criteria Guidance was updated to address the new hardware models, version numbers and other non-security relevant features.

Regression Testing

Aruba has performed regression testing of ArubaOS 8.5 on both the new and the existing platforms.  All platforms in the ST have been subject to testing and the CAVP certificates remain valid for these models.

Vulnerability Analysis:

The software updates included security-relevant fixes for documented CVEs. The CVE databases were searched on 10/17/2019, 11/5/2019, and again on 12/4/2019 to confirm that known security vulnerabilities have been corrected.

The evaluator searched the following:

· National Vulnerability Database (https://web.nvd.nist.gov/vuln/search)
· Vulnerability Notes Database (http://www.kb.cert.org/vuls/)
· Rapid7 Vulnerability Database (https://www.rapid7.com/db/vulnerabilities)
· Tipping Point Zero Day Initiative (http://www.zerodayinitiative.com/advisories)
· Exploit / Vulnerability Search Engine (http://www.exploitsearch.net)
· SecurITeam Exploit Search (http://www.securiteam.com)
· Tenable Network Security (http://nessus.org/plugins/index.php?view=search)
· Offensive Security Exploit Database (https://www.exploit-db.com/)

Each site was searched using the following terms: "Aruba", "Broadcom XLP", "IAP", "VMC", "ESXi", "TCP", "VPN", "IPsec", "SSH", "TLS", "OpenSSL", "ssibyte", "Linux 2.6.32", "Linux 3.18.26", "OpenSSH v7.7".

Most of the search results were due to the generic nature of the search terms "TCP", "TLS", "VPN", and "SSH". None of the findings was applicable to the TOE: most related to other products, and the remaining findings were duplicates among the searched databases.

Vendor Information


Aruba, a Hewlett Packard Enterprise Company
Kevin Micciche
404-648-0062
kevin.micciche@hpe.com

www.arubanetworks.com