User guide
Aruba Networks Security Target
Page 59 of 67
# | NDPP Source | Requirement | Assurance Family
28. FCS_SSH_EXT.1.7
The evaluator shall ensure that operational guidance contains configuration
information that will allow the security administrator to configure the TOE so that
all key exchanges for SSH are performed using DH group 14. If this capability is
“hard-coded” into the TOE, the evaluator shall check the TSS to ensure that this
is stated in the discussion of the SSH protocol. The evaluator shall also perform
the following test:
Test 1: The evaluator shall attempt to perform a diffie-hellman-group1-sha1 key
exchange, and observe that the attempt fails. The evaluator shall then attempt
to perform a diffie-hellman-group14-sha1 key exchange, and observe that the
attempt succeeds.
Assurance Family: AGD_OPE, ASE_TSS, ATE_IND
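
A check an evaluator can run alongside Test 1 of FCS_SSH_EXT.1.7, added here as an example and not part of the Security Target: it parses the key exchange list a server advertises in its SSH_MSG_KEXINIT message (RFC 4253) and reports whether diffie-hellman-group1-sha1, or anything other than diffie-hellman-group14-sha1, is offered. The function names and the sample payloads are constructed for illustration, and the attempted exchanges that Test 1 calls for are still required.

```python
import struct

SSH_MSG_KEXINIT = 20  # message number, RFC 4253
GROUP1 = "diffie-hellman-group1-sha1"
GROUP14 = "diffie-hellman-group14-sha1"


def name_list(names):
    """Encode an RFC 4251 name-list: uint32 length, then comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(kex_algorithms):
    """Constructed sample payload; only the kex_algorithms list is populated."""
    return (bytes([SSH_MSG_KEXINIT]) + bytes(16)      # type + 16-byte cookie
            + name_list(kex_algorithms) + name_list([]) * 9
            + b"\x00" + struct.pack(">I", 0))        # first_kex_packet_follows, reserved


def parse_kex_algorithms(payload):
    """Return kex_algorithms, the first name-list of an SSH_MSG_KEXINIT payload."""
    if len(payload) < 21 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    (length,) = struct.unpack_from(">I", payload, 17)  # after type and cookie
    if 21 + length > len(payload):
        raise ValueError("kex_algorithms name-list is truncated")
    raw = payload[21:21 + length].decode("ascii")
    return raw.split(",") if raw else []


def check_kex_offer(payload):
    """Compare the advertised key exchange methods with Test 1's expectation."""
    offered = parse_kex_algorithms(payload)
    # Anything besides the two named methods is listed for manual review.
    other = [a for a in offered if a not in (GROUP1, GROUP14)]
    return {
        "group1_offered": GROUP1 in offered,
        "group14_offered": GROUP14 in offered,
        "other": other,
        "conforms": GROUP14 in offered and GROUP1 not in offered and not other,
    }


if __name__ == "__main__":
    for offer in ([GROUP14], [GROUP14, GROUP1]):
        print(offer, "->", check_kex_offer(build_kexinit(offer)))
```

Entries in `other` are not automatically failures: extension-negotiation markers also travel in this list and need a manual look.
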
29. FDP_RIP.2
“Resources” in the context of this requirement are network packets being sent
through (as opposed to “to”, as is the case when a security administrator
connects to the TOE) the TOE. The concern is that once a network packet is
sent, the buffer or memory area used by the packet still contains data from that
packet, and that if that buffer is re-used, those data might remain and make their
way into a new packet. The evaluator shall check to ensure that the TSS
describes packet processing to the extent that they can determine that no data
will be reused when processing network packets. The evaluator shall ensure
that this description at a minimum describes how the previous data are
zeroized/overwritten, and at what point in the buffer processing this occurs.
Assurance Family: ASE_TSS
30. FIA_PMG_EXT.1
The evaluator shall examine the operational guidance to determine that it
provides guidance to security administrators on the composition of strong
passwords, and that it provides instructions on setting the minimum password
length. The evaluator shall also perform the following tests. Note that one or
more of these tests can be performed with a single test case.
Test 1: The evaluator shall compose passwords that either meet the
requirements, or fail to meet the requirements, in some way. For each
password, the evaluator shall verify that the TOE supports the password. While
the evaluator is not required (nor is it feasible) to test all possible compositions of
passwords, the evaluator shall ensure that all characters, rule characteristics,
and a minimum length listed in the requirement are supported, and justify the
subset of those characters chosen for testing.
Assurance Family: AGD_OPE, ATE_IND
31. FIA_UIA_EXT.1
The evaluator shall examine the TSS to determine that it describes the logon
process for each logon method (local, remote (HTTPS, SSH, etc.)) supported for
the product. This description shall contain information pertaining to the
credentials allowed/used, any protocol transactions that take place, and what
constitutes a “successful logon”. The evaluator shall examine the operational
guidance to determine that any necessary preparatory steps (e.g., establishing
credential material such as preshared keys, tunnels, certificates, etc.) to logging
in are described. For each supported login method, the evaluator shall
ensure the operational guidance provides clear instructions for successfully
logging on. If configuration is necessary to ensure the services provided before
login are limited, the evaluator shall determine that the operational guidance
provides sufficient instruction on limiting the allowed services.
The evaluator shall perform the following tests for each method by which
administrators access the TOE (local and remote), as well as for each type of
credential supported by the login method:
Assurance Family: ASE_TSS, ATE_IND