NIAP: Assurance Continuity
Assurance Continuity - Aruba Virtual Intranet Access (VIA) Client, Update from v4.3 to v4.4

Date of Maintenance Completion:  2023.01.24

Product Type:    Virtual Private Network
   Application Software

Conformance Claim:  Protection Profile Compliant

PP Identifier:    PP-Module for VPN Client, Version 2.3
  Protection Profile for Application Software Version 1.3

Original Evaluated TOE:  2022.08.31 - Aruba Virtual Intranet Access (VIA) Client v4.3

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF] Administrative Guide [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product.  Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate.  Such assurance can only be gained through re-evaluation. 

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of changes on the TOE is considered minor and that independent evaluator analysis was not necessary.  A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target.  Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents. 

Product Description

The TOE has been updated from VIA Client Version 4.3 to Version 4.4. Below is a summary of the changes.

Major Changes

None.

Minor Changes

Eighteen changes were identified in the IAR along with a description and given rationale. Fourteen of those changes impacted the VIA client on the evaluated platforms. The description and rationale for each were inspected and the overall Minor Change characterization was considered appropriate. None of the changes resulted in the introduction of new TOE capabilities, modification to security functions as defined in the ST, or changes to the TOE boundary.  The following table includes a summary of the changes presented in the IAR that impact VIA and/or one or more of the evaluated platforms. The changes have been categorized according to Bug Fixes and Functional Updates.  Changes identified in the IAR that do not impact the evaluated platforms were also reviewed and have been included at the end of the Table.

 

| Change Description | Affected Platforms | Assessment |
| --- | --- | --- |
| Bug Fixes | | |
| An issue where a VIA connection failed with the error "heart beat failed" was resolved in VIA 4.4. | Windows | This is a bug fix and does not affect any SFRs. |
| Fixed VIA clients being unable to connect to the VPN while using existing user certificate (EAP-TLS). The issue was specific to user deployment. | Windows | This is a bug fix for an edge case in a specific customer environment. |
| Fixed an issue prior to VIA 4.3 related to the IKE handshake, which prevented the phase-2 proposal from being sent. The issue is resolved in 4.4, so upgrades to 4.4 will not be impacted by the issue. | Windows | This bug is outside the scope of the relevant protection profiles and unrelated to any SFRs. |
| Improved how VIA manages the GUI if the registry is corrupted, allowing users to resume normal VIA functionality. | Windows | This bug fix is unrelated to any SFR. |
| Changes to VIA 4.4 allow VIA to install the fonts file if missing from specific Windows client machines, resolving UI issues. | Windows | This bug fix is purely a UI/UX issue and is out of scope of the ST or the protection profile. |
| Functional Updates | | |
| Display of warning message for the Windows client during profile download was fixed. | Windows | Profile download is outside the scope of the ST. This change therefore does not affect the compliance status of the TOE. |
| VIA 4.4 server certificate validation is done before profile download and if the certificate has changed, the user is shown a warning message about the change. | Windows | HTTPS connection is used for the configuration profile download which is handled by the platform operating system. Therefore, it is outside the scope of the ST. Overall product security is enhanced by this change, without impact to SFRs in the ST. |
| Improvements to VIA 4.4 clients to ensure they hold the profile download session for 2 minutes (or until the user provides a response, if less than two minutes). | iOS, macOS, Linux | Profile download is outside the scope of the Security Target or TSF. |
| Fixed issue in VIA 4.3 impacting entry of MFA-based authentication credentials. The issue was resolved for Android and iOS in VIA 4.4. (This was resolved for Windows Clients in 4.3.) | Android, iOS, Windows | Multi-factor authentication is out of scope of the relevant protection profiles. In addition, iOS is not claimed as an evaluated platform. |
| Fixed issue that allowed VIA clients to disconnect prior to the maximum session timeout period. | Windows | This bug fix corrects an issue that prevents a session from lasting to the maximum period. Being less than a maximum is not relevant to any security functional requirement. |
| The DN profile feature in VIA had a strict check against all four identifiers: Common Name, Organization, Organizational Unit (OU), and Country. Starting with VIA 4.4, the Organizational Unit (OU) is optional. If the OU is absent, VIA will still be able to make a successful connection (unless configured to check for it in the authentication profile). | All | The scope of this change is such that if an OU is present in the DN, it will be used, and if it is not, it won’t be counted against. As guidance includes usage of the OU in the authentication profile, this has no impact on any claims in the Security Target and merely ensures compatibility with new settings in Aruba gateways. |
| An issue is resolved in VIA 4.4 where VIA failed to connect with class B (digital badge) certificates in Linux. | Linux | Digital badges were not claimed in the ST and so this change is out of scope of the evaluated configuration. |
| Resolved an issue where VIA was automatically reconnecting and blocking traffic after reboot when in a trusted network. | Windows | This change does not impact the evaluated configuration. |
| Improvements were made to how VIA 4.4 manages GRE traffic destined for the L3 adapter which resolves an issue where VIA could discard a GRE packet, allowing the VIA client to drop the connection. | Windows | Tunnel mode is the only approved mode in the evaluated configuration. GRE is outside the scope of the evaluated configuration. |
| Non-TOE Platform Fixes | | |
| An issue was resolved where users were unable to connect using 3DES in 4.4, and VIA for iOS and VIA for macOS are now able to connect using 3DES encryption. | iOS, macOS | In the evaluated configuration, the VIA client does not have 3DES enabled. In addition, neither iOS nor macOS is claimed as an evaluated platform. |
| Resolved an issue with releases prior to VIA 4.4 where VIA could reconnect after the maximum session time is reached if auto connect is enabled. | iOS | iOS is not claimed as an evaluated platform. |
| Improvements were made to how VIA manages source address selection. | macOS | macOS is not claimed as an evaluated platform. Additionally, it does not affect any SFRs and is outside the scope of the TOE. |
| VIA 4.4 now shows the certificate details in the VIA app UI. Certificate details were not displayed in the VIA app in VIA 4.3. | iOS | iOS is not claimed as an evaluated platform. In addition, this is a UI feature enhancement. It is outside of the scope of the evaluation. |

Vendor Information


Aruba, a Hewlett Packard Enterprise Company
Kevin Micciche
404-648-0062
kevin.micciche@hpe.com

www.arubanetworks.com