Specifications

Security Target Version 1.0 9/29/2014
ArubaOS version 6.3.1.5-FIPS
The differences in the models include the number of ports, interfaces, throughput and processing speed, memory and
storage. Although these models have different specifications (in terms of performance and capabilities), they all
provide the same security functions described in the ST; therefore, they have been considered to be the same for the
purposes of the ST description. There is no difference between the products and the TOE. Since the TOE is a
WLAN access system, the physical boundary of each product that comprises the WLAN is the hard steel or plastic
encasing.
The ArubaOS consists of a base software package with add-on software modules that can be activated by installing
the appropriate license key. Three SFR-enforcing software modules are required to be licensed and installed in the
CC evaluated configuration. The base ArubaOS software includes the following functions:
Centralized configuration and management of APs
Wireless client authentication to an external authentication server or to the controller’s internal database
Encryption
Mobility with fast roaming
RF management and analysis tools.
The following table summarizes the required software modules.
| Required Software Module | Description |
|---|---|
| Policy Enforcement Firewall | Provides identity-based security for wired and wireless clients. Stateful firewall enables classification based on client identity, device type, location, and time of day, and provides differentiated access for different classes of users. |
| RFprotect | Detects, classifies and limits designated wireless security threats such as rogue APs, DoS attacks, malicious wireless attacks, impersonations, and unauthorized intrusions. Eliminates need for separate system of RF sensors and security appliances. Also provides spectrum intelligence and spectrum visibility when used with compatible AP platforms. |
| Advanced Cryptography | Required for SuiteB, AES-GCM and ECDSA functionality. |
The wireless client can be any device that uses a wireless network interface that is Wi-Fi Certified. Specifically, it
must be WPA2 compliant to support the cryptographic and authentication (e.g., certificate) requirements of the
TOE. Note that WPA2 compliance is a specific subset of the Wi-Fi certification. For more information, please see
http://certifications.wi-fi.org/wbcs_certified_products.php?lang=en
The TOE relies on third-party software and hardware components in the operating environment. The TOE can
use an external audit server (supporting syslog) to store audit records and an external authentication server
(supporting RADIUS, LDAP, TACACS+) to authenticate users. In addition, the TOE uses an external time server
(supporting NTP) to obtain reliable time stamps and an external SNMP server to capture SNMP traps. For security
reasons, only SNMPv3 is allowed in the evaluated configuration. The remote administrator can use a web browser
(supported browsers: Microsoft Internet Explorer 8.x on Windows XP, Windows Vista, Windows 7, and MacOS; Mozilla
Firefox 3.x on Windows XP, Windows Vista, Windows 7, and MacOS; Apple Safari 5.x on MacOS) to access the
Web GUI interface and/or use an SSH client to access the CLI. The local administrator can use the serial port to
access the CLI. Neither the web browser nor the SSH client is part of the TOE. Note that Telnet cannot be used to
access the CLI in the CC evaluated configuration.
2.2.2 Logical Boundaries
This section summarizes the security functions provided by the Mobility Controller: