Specifications

Security Target Version 1.0 9/29/2014
Product              Max. # of APs   Max. # of Users   Typical Deployment
Aruba 7200 Series    2,048           32,768            Headquarters/Large Campus
Aruba 6000/M3        512             8,192             Headquarters/Large Campus
Aruba 3000 Series    128             2,048             Medium/Large Enterprise/Campus
Aruba 620/650        16              256               Branch Office

The Aruba AP is a hardware device that is enclosed in a plastic or metal casing. All APs contain chips to provide
IEEE 802.11 wireless LAN functionality. Some models contain a separate CPU, while other models combine the
CPU with the wireless LAN chip (an integrated approach known as “system on a chip”). Some AP models contain
integrated antennas, while other models provide connectors for attaching external antennas. Software functionality
for the APs is provided by ArubaOS, which is downloaded from the mobility controller and stored in a local flash
memory partition. In the case of the APs, ArubaOS consists of a Linux kernel and various custom user-space
applications. Although the AP’s operating system is named ArubaOS, the Linux kernel and user-space applications
are different from those running on the mobility controller. The version number of ArubaOS running on the AP and
the version number of ArubaOS running on the controller are the same; the two software images are bundled into a
single image file that is installed by the administrator on the mobility controller. Similar to the controllers, the
security functionality of the different models is the same with differences in platforms based on performance and
scalability requirements only. At a high level, Aruba Access Points consist of the following subsystems:
- Processor subsystem: performs the packet processing functions on the packet.
- Memory subsystem: contains memory which supports the Processor subsystem.
- Ethernet Controller (i.e., Network Interface Controller) subsystem: includes integrated Ethernet Media
  Access Control (MAC) for transfer of 10/100 Ethernet packets between the AP and the wired network.
- Radio Controller subsystem: there are one or two (depending on model) radio controllers, 802.11a/n (5
  GHz range) and 802.11b/g/n (2.4 GHz range).
- Wireless Antenna subsystem: interface between the wireless world and the AP. The antenna handles both
  5 GHz and 2.4 GHz ranges. Some AP models include connectors for external antennas, while other AP
  models contain integrated antennas.
- PoE (Power over Ethernet) subsystem: receives 48V power over the Ethernet.
- USB subsystem: the AP-70 and RAP-5wn support one USB V2.0 compliant port (up to 480 Mbps). A
  PCI to USB 2.0 controller is used to interface to the system host.
- Serial subsystem: all 802.11n APs support a serial console port that utilizes an RJ45 jack and connects
  directly to serial port 0 via the RS232 transceiver.

Aruba APs may or may not perform cryptographic processing, depending on administrator configuration. The
default mode of operation is known as “tunnel mode”, in which raw encrypted 802.11 frames are passed through the
AP and processed by the Mobility Controller without decryption or further processing in between. This mode of
operation places fewer security constraints on the AP, since cleartext network traffic is never present in the AP.
Other modes of operation are available as well, including “decrypt-tunnel mode”, in which wireless traffic is
decrypted by the AP and forwarded to the Mobility Controller, and “bridge mode”, in which wireless traffic is
decrypted and forwarded directly from the AP to the local LAN segment. In the CC-evaluated configuration, only
tunnel mode is used.
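
An added example (not taken from the Security Target or from Aruba's documentation): a Python check that flags virtual-AP profiles whose forwarding mode is anything other than tunnel, the only mode used in the CC-evaluated configuration. It assumes the `wlan virtual-ap` / `forward-mode` running-config syntax and that a profile with no `forward-mode` line uses the default; the profile names and the config excerpt are constructed.

```python
import re

# Constructed excerpt in the style of an ArubaOS running-config (assumed syntax).
SAMPLE_CONFIG = '''\
wlan virtual-ap "corp-vap"
   ssid-profile "corp-ssid"
   vlan 10
!
wlan virtual-ap "guest-vap"
   forward-mode bridge
!
wlan virtual-ap "lab-vap"
   forward-mode decrypt-tunnel
!
wlan virtual-ap "voice-vap"
   forward-mode tunnel
!
'''

PROFILE_RE = re.compile(r'^wlan virtual-ap\s+"?([^"\n]+?)"?\s*$')
MODE_RE = re.compile(r'^\s+forward-mode\s+(\S+)\s*$')

def forward_modes(config_text):
    """Map each virtual-AP profile to its forward mode (tunnel when unset)."""
    modes, current = {}, None
    for line in config_text.splitlines():
        header = PROFILE_RE.match(line)
        if header:
            current = header.group(1)
            modes[current] = "tunnel"   # default mode, per the text above
            continue
        if not line.startswith((" ", "\t")):
            current = None              # "!" or a new top-level stanza ends the profile
            continue
        mode = MODE_RE.match(line)
        if current and mode:
            modes[current] = mode.group(1).lower()
    return modes

def non_tunnel_profiles(config_text):
    """Return {profile: mode} for profiles outside the evaluated configuration."""
    return {n: m for n, m in forward_modes(config_text).items() if m != "tunnel"}

if __name__ == "__main__":
    for name, mode in sorted(non_tunnel_profiles(SAMPLE_CONFIG).items()):
        print(f"NON-COMPLIANT: virtual-ap {name!r} uses forward-mode {mode}")
```
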
2.2.1 Physical Boundaries
The TOE consists of the following components:
- Aruba Mobility Controllers: Aruba 620, 650, 3200, 3400, 3600, 6000, 7210, 7220, and 7240.
- Aruba Access Points: Aruba AP-92, AP-93, AP-104, AP-105, AP-114, AP-115, AP-134, AP-135, AP-175,
  AP-224, AP-225, RAP-3WN, RAP-5WN, RAP-108, RAP-109, and RAP-155.