User guide

Aruba Networks Security Target
Page 32 of 67
6 TOE Summary Specification
6.1 Security Functions
6.1.1 Protected Communications
Related SFRs: FCS_CKM.1(1), FCS_CKM.1(2), FCS_CKM.1(3), FCS_CKM_EXT.4,
FCS_COP.1(1), FCS_COP.1(2), FCS_COP.1(3), FCS_COP.1(4),
FCS_RBG_EXT.1(1), FCS_RBG_EXT.1(2), FPT_SKP_EXT.1, FTP_ITC.1,
FTP_TRP.1, FCS_IPSEC_EXT.1, FCS_SSH_EXT.1, FCS_TLS_EXT.1,
FCS_HTTPS_EXT.1
37 The TOE protects the following communication flows:
a) WebUI. Remote administration via the WebUI is protected using TLS/HTTPS. TLS/HTTPS is enabled by default.
b) CLI. Remote administration via the Command Line Interface (CLI) is protected using SSHv2. SSHv2 is enabled by default.
c) Syslog. Syslog messages are protected using IPsec. To set up site-to-site IPsec refer to [USER] page 288 “Working with Site-to-Site VPNs”. Configure the IP address of the syslog server as the destination network.
d) RADIUS. RADIUS authentication messages are protected using IPsec. Use the same configuration as for syslog: set up site-to-site IPsec and configure the IP address of the RADIUS server as the destination network.
38 Note: The TOE must be operated in a FIPS 140-2 approved mode of operation to
ensure that only approved cryptographic operations and algorithms are supported.
To enable FIPS mode, use the command “fips enable” from CLI config mode, as
documented in the FIPS 140-2 Security Policy. Operation in non-FIPS mode is not
part of this evaluation.
39 Note: RBG services are not configurable.
40 Note: By default, the TOE enables the FTP service for the purpose of providing
software images to wireless access points. This service should be disabled when
operating in an approved mode of operation. To disable the FTP service, use the
CLI command “firewall disable-ftp-server”.
6.1.1.1 TLS/HTTPS
Related SFRs: FCS_CKM.1(1), FCS_CKM_EXT.4, FCS_COP.1(1), FCS_COP.1(2),
FCS_COP.1(3), FCS_COP.1(4), FCS_RBG_EXT.1(1), FPT_SKP_EXT.1,
FTP_TRP.1, FCS_TLS_EXT.1, FCS_HTTPS_EXT.1
41 The TOE implements a web server that provides the WebUI. The web server is
configured by default to use HTTPS. The TOE’s implementation of HTTPS uses TLS
1.2 (RFC 5246) without extensions, supporting the ciphersuites identified in
FCS_TLS_EXT.1. The available ciphersuites are not configurable. If the web server
has been configured to use an RSA certificate, the TOE will use RSA-based TLS
ciphersuites. If the web server has been configured to use an ECDSA certificate, the
TOE will use ECDSA-based TLS ciphersuites.
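As an added illustration (not text or code from the Security Target or from Aruba), the following Python audit check encodes the behaviour paragraph 41 states, TLS 1.2 only and ciphersuite authentication matching the configured certificate type, and applies it to one observed handshake. The `probe`, `evaluate` and classifier functions are this example's own; host and port are operator inputs, the certificate key type is recovered by a byte-pattern heuristic on the DER certificate rather than a full parser, and because the page does not list the FCS_TLS_EXT.1 ciphersuites the check classifies authentication type only, not membership in the exact allowed list.

```python
import socket
import ssl
# Full DER encodings (tag, length, value) of the SubjectPublicKeyInfo algorithm OIDs;
# signature-algorithm OIDs share the prefix but end in a different arc, so they do not match.
_RSA_KEY_OID = bytes.fromhex("06092a864886f70d010101")  # rsaEncryption
_EC_KEY_OID = bytes.fromhex("06072a8648ce3d0201")        # id-ecPublicKey
# OpenSSL omits the key-exchange label for static-RSA suites (e.g. AES128-SHA); these prefixes rule that out.
_NON_RSA_PREFIXES = {"ECDHE", "DHE", "ECDH", "DH", "ADH", "AECDH", "PSK", "SRP", "TLS"}
# Constructed samples: the AlgorithmIdentifier bytes of an RSA and a P-256 certificate, standing in for full DER certs.
SAMPLE_RSA_FRAGMENT = bytes.fromhex("300d06092a864886f70d0101010500")
SAMPLE_EC_FRAGMENT = bytes.fromhex("301306072a8648ce3d020106082a8648ce3d030107")

def cert_key_type(der: bytes) -> str:
    """Classify a DER certificate's public key as RSA, ECDSA or OTHER (byte-pattern heuristic)."""
    if _EC_KEY_OID in der:
        return "ECDSA"
    if _RSA_KEY_OID in der:
        return "RSA"
    return "OTHER"

def cipher_auth_type(name: str) -> str:
    """Authentication algorithm of a cipher suite, from its OpenSSL or IANA name."""
    parts = name.replace("_", "-").split("-")
    if "ECDSA" in parts:
        return "ECDSA"
    if "RSA" in parts:
        return "RSA"
    # Unlabelled: static RSA, unless a non-RSA prefix (or a TLS 1.3 name) rules it out.
    return "OTHER" if parts[0] in _NON_RSA_PREFIXES else "RSA"

def evaluate(protocol: str, cipher: str, key_type: str) -> list:
    """Findings where a handshake departs from the stated behaviour: TLS 1.2 only, and
    ciphersuite authentication matching the certificate type (RSA or ECDSA)."""
    findings = []
    if protocol != "TLSv1.2":
        findings.append("negotiated %s; only TLS 1.2 is in the evaluated configuration" % protocol)
    auth = cipher_auth_type(cipher)
    if auth != key_type:
        findings.append("%s authenticates with %s but the certificate key is %s" % (cipher, auth, key_type))
    return findings

def probe(host: str, port: int, timeout: float = 5.0) -> list:
    """One handshake against a WebUI, then evaluate(). Verification is off: we observe the server, not trust it."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            return evaluate(tls.version(), tls.cipher()[0], cert_key_type(der))
```

An empty list from `probe` means the observed handshake is consistent with paragraph 41; each finding names the deviation so it can be raised against the device configuration.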