Specifications
Security Target Version 1.0 9/29/2014
• Sends and receives IPsec-encapsulated PAPI [5] protocol messages to and from managed APs as well as other
mobility controllers
• Manages system configuration and licensing
• Manages an internal database used to store licenses, user authentication information, etc.
• Provides network anomaly detection, hardware monitoring, mobility management, wireless management,
and radio frequency management services
• Provides a Command Line Interface (CLI)
• Provides a web-based (HTTPS/TLS) management UI for the mobility controller
• Provides various WLAN station and AP management functions
• Provides authentication services for the system management interfaces (CLI, web GUI) as well as for
WLAN users
• Provides IPsec key management services for APs, VPN users, and connections with other Aruba mobility
controllers
• Provides network time protocol service for APs, point-to-point tunneling protocol services for users, layer 2
tunneling protocol services for users, SSH services for incoming management connections, SNMP
client/agent services, and protocol independent multicast (routing) services for the controller
• Provides syslog services by sending logs to the operating environment.
The Linux OS running on the CP is a standard unmodified 2.6.32 kernel. Linux is a soft real-time, multi-threaded
operating system that supports memory protection between processes. Only Aruba provided interfaces are used, and
the CLI is a restricted command set. Administrators do not have access to the Linux command shell or operating
system.
The DP is further subdivided into two subcomponents: Fast Path (FP) and Slow Path (SP) [6]. The FP implements
high-speed packet forwarding based on various proprietary tables and sends the packets to SP. The SP manages
(create, delete, and age entries) all DP tables such as user, stateful firewall rules, station, tunnel, route, ARP cache,
session, bridge, VLAN [7], and port. The SP also performs deep packet inspection and cryptographic processing.
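The fast path / slow path split described above is a common data-plane pattern: the first packet of a flow misses the session table and is handed to the slow path, which consults the stateful firewall rules and installs a session entry; later packets of the same flow hit that entry and are forwarded without re-evaluating policy, and idle entries are aged out. The following Python model is an added illustration of that pattern and is not Aruba code; the class and field names (FlowKey, SlowPath, FastPath, idle_timeout) and the two sample rules are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FlowKey:
    """5-tuple-style key used to look up a flow in the session table (assumed layout)."""
    src: str
    dst: str
    proto: str
    dport: int


@dataclass
class SessionEntry:
    action: str        # "forward" or "drop", decided once by the slow path
    last_seen: float   # timestamp of the most recent packet, used for aging
    packets: int = 0


class SlowPath:
    """Owns the DP tables: creates session entries by evaluating the stateful
    firewall rules, and ages out entries that have been idle too long."""

    def __init__(self, rules, idle_timeout):
        # rules: ordered list of (match_function, action); first match wins
        self.rules = rules
        self.idle_timeout = idle_timeout
        self.sessions = {}

    def classify(self, key, now):
        for match, action in self.rules:
            if match(key):
                entry = SessionEntry(action=action, last_seen=now)
                break
        else:
            # Default deny: flows matching no rule get a cached "drop" entry so
            # repeated packets of a denied flow also stay on the fast path.
            entry = SessionEntry(action="drop", last_seen=now)
        self.sessions[key] = entry
        return entry

    def age(self, now):
        """Delete entries idle longer than idle_timeout; return how many were removed."""
        expired = [k for k, e in self.sessions.items()
                   if now - e.last_seen > self.idle_timeout]
        for k in expired:
            del self.sessions[k]
        return len(expired)


class FastPath:
    """Forwards packets by session-table lookup only; punts misses to the slow path."""

    def __init__(self, slow_path):
        self.sp = slow_path
        self.hits = 0
        self.misses = 0

    def handle(self, key, now):
        entry = self.sp.sessions.get(key)
        if entry is None:
            self.misses += 1
            entry = self.sp.classify(key, now)   # policy evaluated once per flow
        else:
            self.hits += 1
        entry.last_seen = now
        entry.packets += 1
        return entry.action


def run_demo():
    """Constructed traffic: an HTTPS flow, a telnet attempt, then an aging pass."""
    rules = [
        (lambda k: k.proto == "tcp" and k.dport == 443, "forward"),
        (lambda k: k.proto == "udp" and k.dport == 53, "forward"),
    ]
    sp = SlowPath(rules, idle_timeout=30.0)
    fp = FastPath(sp)
    https = FlowKey("10.0.0.5", "192.0.2.10", "tcp", 443)
    telnet = FlowKey("10.0.0.5", "192.0.2.10", "tcp", 23)
    actions = [
        fp.handle(https, 0.0),    # miss -> slow path installs "forward"
        fp.handle(https, 1.0),    # hit
        fp.handle(telnet, 3.0),   # miss -> no rule -> "drop" cached
        fp.handle(https, 20.0),   # hit, refreshes last_seen
    ]
    expired = sp.age(now=35.0)    # telnet entry idle 32s -> removed; https idle 15s -> kept
    return {
        "actions": actions,
        "hits": fp.hits,
        "misses": fp.misses,
        "expired": expired,
        "sessions_after_age": len(sp.sessions),
    }


if __name__ == "__main__":
    print(run_demo())
```

Two points the model makes visible: policy is evaluated only on a table miss, so the correctness of the stateful firewall rests on the slow path keeping the session table consistent, and aging is what bounds table growth, so an idle timeout that is too long lets a table fill with stale entries while one that is too short forces live flows back through the slow path.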
The data plane is implemented on a multi-core network processor [8]. There is a lightweight, Aruba-proprietary OS
running on the network processor called SOS. SOS contains an Ethernet driver, a serial driver, a logging facility,
semaphore support, and a crypto driver. This OS is not a general purpose operating system. In the Aruba 6000 with
M3 controller card, an FPGA is also used to control and monitor the switch fabric, Ethernet interface hardware, and
provide security functionality such as filtering.
The DP and CP run on different hardware platforms but the security functionality remains the same, regardless of
the model. The differences in the platforms are in the processors, memory capacity, physical interfaces, FPGA
implementation, etc., and are based on performance and scalability requirements. The table below shows the
different models based on maximum number of APs and users supported.
[5] PAPI is an Aruba-proprietary WLAN management protocol and provides no direct security.
[6] The entire DP (including both FP and SP elements) is a high-speed packet processor, so the SP designation should
be understood to be relative.
[7] A VLAN has the same attributes as a physical LAN, but it allows for end devices to be grouped together even if
they are not located on the same network switch. Network reconfiguration can be done through the Aruba software
instead of physically relocating devices.