User guide
Aruba Networks Security Target
Page 57 of 67
#
NDPP
Source
Requirement
Assurance
Family
and attempted to be maintained while more data than is specified in the above
assignment flows over the connection. The evaluator shall observe that this SA
is closed or renegotiated before the amount of data specified is exceeded. If
such an action requires that the TOE be configured in a specific way, the
evaluator shall implement tests demonstrating that the configuration capability of
the TOE works as documented in the operational guidance.
19.
FCS_IPSE
C_EXT.1.5
The evaluator shall check to ensure that the DH groups specified in the
requirement are listed as being supported in the TSS. If there is more than one
DH group supported, the evaluator checks to ensure the TSS describes how a
particular DH group is specified/negotiated with a peer. The evaluator shall also
perform the following test:
Test 1: For each supported DH group, the evaluator shall test to ensure that all
IKE protocols can be successfully completed using that particular DH group.
ASE_TSS
ATE_IND
20.
FCS_IPSE
C_EXT.1.6
The evaluator shall check that the TSS contains a description of the IKE peer
authentication process used by the TOE, and that this description covers the use
of the signature algorithm or algorithms specified in the requirement. The
evaluator shall also perform the following test:
Test 1: For each supported signature algorithm, the evaluator shall test that peer
authentication using that algorithm can be successfully achieved.
ASE_TSS
ATE_IND
21.
FCS_IPSE
C_EXT.1.7
The evaluator shall check to ensure that the TSS describes how pre-shared keys
are established and used in authentication of IPsec connections. The evaluator
shall check that the operational guidance describes how pre-shared keys are to
be generated and established for a TOE. The description in the TSS and the
operational guidance shall also indicate how pre-shared key establishment is
accomplished for both TOEs that can generate a pre-shared key as well as
TOEs that simply use a pre-shared key. The evaluator shall also perform the
following test:
Test 1: The evaluator shall generate a pre-shared key and use it, as indicated in
the operational guidance, to establish an IPsec connection between two peers.
If the TOE supports generation of the pre-shared key, the evaluator shall ensure
that establishment of the key is carried out for an instance of the TOE generating
the key as well as an instance of the TOE merely taking in and using the key.
ASE_TSS
ATE_IND
22.
FCS_IPSE
C_EXT.1.8
The evaluator shall check the operational guidance to ensure that it describes
the generation of preshared keys, including guidance on generating strong keys
and the allowed character set. The evaluator shall check that this guidance does
not limit the pre-shared key in a way that would not satisfy the requirement. It
should be noted that while the administrator (in contravention to the operational
guidance) can choose a key that does not conform to the requirement, there is
no requirement that the TOE check the key to ensure that it meets the rules
specified in this component.
However, should the administrator choose to create a password that conforms to
the rules above (and the operational guidance); the TOE should not prohibit such
a choice. The evaluator shall also perform the following test; this may be
combined with Test 1 for FCS_IPSEC_EXT.1.7:
Test 1: The evaluator shall generate a pre-shared key that is 22 characters long
that meets the composition requirements above. The evaluator shall then use
AGD_OPE
ATE_IND