Specifications

Security Target Version 1.0 9/29/2014
CPU and electronic fuses are blown to protect it from overwrite. On bootup, the controller performs a
SHA1 hash of the ArubaOS image file, then compares it to the digital signature. The digital signature is
checked against the root CA certificate. Note that since the AP firmware images are packaged within the
controller image file, the APs are automatically upgraded with the controller upgrade, since the APs check
for version mismatches between the controller and themselves.
FPT_TUD_EXT.1: The TOE allows administrators to query the current version of its firmware/software
and allows those administrators to initiate firmware/software updates. Prior to installing any update the
administrator can verify the digital signature of the update or alternatively ensure that the software hash of
the update matches a value published by Aruba. If verification of a candidate update fails during bootup,
the controller will reboot (and continue to reboot until an administrator intervenes). If the verification
fails at the time an image is loaded, the controller will display an error message and will not write the
image file to flash.
6.7 Resource utilization
The TOE includes rate limiting for traffic from untrusted users reaching the control plane. By default, an untrusted
user may send no more than 100 packets per second to the control function of the TOE. This rate is configurable
from 1 to 255. The system may be configured to blacklist users who exceed the threshold. Once blacklisted, all
network traffic from the user is rejected until the user is removed from the blacklist (either through expiration of a
timer or through administrator action). The blacklist action will be logged in the audit log, in compliance with
FAU_GEN.1.2.
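
The following Python model is an added example, not Aruba code and not part of the Security Target. It illustrates the per-user packet limit, the optional blacklist and the audit record described above; the one-second counting window, the blacklist timer length and all names are assumptions.

```python
DEFAULT_PPS = 100              # default threshold stated in the text
MIN_PPS, MAX_PPS = 1, 255      # configurable range stated in the text

class ControlPlaneLimiter:
    """Toy model of per-user control-plane rate limiting with blacklisting."""

    def __init__(self, pps=DEFAULT_PPS, blacklist=True, blacklist_secs=3600):
        if not MIN_PPS <= pps <= MAX_PPS:
            raise ValueError("rate must be between 1 and 255 packets per second")
        self.pps = pps
        self.blacklist = blacklist            # blacklisting is optional
        self.blacklist_secs = blacklist_secs  # assumed timer length (not from the text)
        self.window = {}       # user -> (second, packets seen in that second)
        self.blacklisted = {}  # user -> time at which the entry expires
        self.audit = []        # (time, user, event) records for the audit log

    def admit(self, user, now):
        """Return True if a control-plane packet from `user` at `now` is accepted."""
        expiry = self.blacklisted.get(user)
        if expiry is not None:
            if now < expiry:
                return False                  # all traffic rejected while blacklisted
            del self.blacklisted[user]        # removal through timer expiration
        sec = int(now)                        # assumed fixed one-second window
        start, count = self.window.get(user, (sec, 0))
        if start != sec:
            count = 0                         # a new second starts a new count
        count += 1
        self.window[user] = (sec, count)
        if count <= self.pps:
            return True
        if self.blacklist:
            self.blacklisted[user] = now + self.blacklist_secs
            self.audit.append((now, user, "blacklisted"))   # audited action
        return False                          # packet over the quota is not accepted

    def admin_remove(self, user):
        """Removal through administrator action; True if the user was blacklisted."""
        return self.blacklisted.pop(user, None) is not None

def replay(limiter, packets):
    """Feed constructed (time, user) packets through the limiter, return the verdicts."""
    return [limiter.admit(user, t) for t, user in packets]
```

Replaying a constructed burst of 150 packets in one second from a single user shows the first 100 accepted, one audit record written when the 101st arrives, and every later packet rejected until the timer expires or `admin_remove` is called.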
Other features are present in the TOE to protect the control plane. These include protection against invalid IP
addresses in the user table, use of a control-plane firewall to control network traffic that is permitted to reach the
control plane, and aggregate bandwidth limitations on traffic reaching the control plane. These features do not
generate audit messages, however, and so do not meet the requirements of FAU_GEN.1.2.
The Resource utilization function is designed to satisfy the following security functional requirements:
FRU_RSA.1: The TOE enforces the maximum quota on the amount of control-plane bandwidth that can be
consumed by an untrusted user.
6.8 TOE access
Whether an administrator connects to the CLI (remotely) or the web GUI, the TOE displays an advisory message when
the administrator logs on. The message is configurable by TOE administrators.
The TOE terminates a wireless user session or an administrator CLI session (for a local or remote administrator)
after session inactivity time exceeds a configurable session idle timeout. The session idle timeout is the maximum
amount of time a wireless user or an administrator may remain idle.
However, the timeout does not apply to the following web GUI screens, which are auto-refreshed. These
screens are used for monitoring purposes only and do not provide any security management interface. The
information on these screens is updated constantly; therefore, the screens are never idle (timeout does not apply).
Monitoring > Network > All Access Points
Monitoring > Network > All Air Monitor
Monitoring > Network > Wired Access Points
Monitoring > Network > All WLAN Clients
Monitoring > Controller > Access Points
Monitoring > Controller > Air Monitor
Monitoring > Controller > Wired Access Points