User guide

ManualsBrandsAruba ManualsComputer equipment620

Aruba Networks Security Target

Page 33 of 67

42 The TOE may be configured to support username/password authentication, client

certificate authentication or both.

43 Refer to [USER] Chapter 35 – Management Access. “Configuring Certificate

Authentication for WebUI Access” for more information.

6.1.1.2 IPSec

Related SFRs: FCS_CKM.1(2), FCS_CKM_EXT.4, FCS_COP.1(1), FCS_COP.1(2),

FCS_COP.1(3), FCS_COP.1(4), FCS_COP.1(5), FCS_RBG_EXT.1(2),

FPT_SKP_EXT.1, FTP_ITC.1, FCS_IPSEC_EXT.1

44 IPsec is documented in [USER] Chapter 18 “Virtual Private Networks”

45 IPSec can be configured to secure communication with a Syslog server or Radius

server.

46 The TOE’s IPSec implementation has the following characteristics:

a) The algorithms specified at FCS_IPSEC_EXT.1.1 are supported. In addition,

AES-CBC-192 and 3DES are also supported by the TOE. These algorithms

have not been evaluated during the Common Criteria evaluation and must not

be used.

b) IKEv1 and IKEv2 are supported.

c) Only tunnel mode is supported. IPsec transport mode is not supported.

d) The “confidentiality only" ESP mode is disabled in the TOE. This behaviour

has been hard-coded by excluding the related configuration option from the

administrative interfaces (WebUI and CLI).

e) Aggressive mode is not used for IKEv1 Phase 1 exchanges - only main mode

is available.

 Aggressive mode must be disabled in order to ensure it is not used.

This is documented in [CLI] and is performed using the command

“crypto-local isakmp disable-aggressive-mode”.

f) Lifetimes for IKEv1 SAs (both Phase 1 and Phase 2) are established during

configuration of the IKE policies by specifying the number of seconds or the

number of kb for the SA lifetime.

 Setting the lifetime in number of seconds is documented in [USER}

Chapter 18. Volume (traffic) based lifetimes are configured using

“crypto dynamic-map set security-association lifetime kilobytes” as

documented in [CLI].

g) The TOE supports the DH groups listed at FCS_IPSEC_EXT.1.5. One DH

group is configured per IKE policy. IKE policies are incorporated into IPSec

maps. IPsec maps are given a priority for peer negotiation. Negotiation

requests for security associations will try to match the highest-priority map

first. If that map does not match, the negotiation request will continue down

the list to the next-highest priority map until a match is made.

h) All IKE protocols implement DH Groups 14 (2048-bit MODP), 19 (256-bit

Random ECP), and 20 (384-bit Random ECP. DH group 2 (1024-bit MODP)

is also supported by the TOE – it was not evaluated during the Common

Criteria evaluation and must not be used.

i) IKE peer authentication is performed with either an IKE pre-shared key or

digital certificates. IKE policies may be configured to use RSA (rDSA) or

ECDSA authentication when using digital certificates. FCS_COP.1(2)