User guide
Aruba Networks Security Target
Page 9 of 67
f) Provides a web-based (HTTPS/TLS) management UI for the mobility
controller
g) Provides various WLAN station and AP management functions
h) Provides authentication services for the system management interfaces (CLI,
web GUI) as well as for WLAN users
i) Provides IPsec key management services for APs and connections with other
Aruba mobility controllers (Note: IPsec for APs, VPN users and other mobility
controllers is not within the scope of evaluation)
j) Provides Network Time Protocol (NTP) service for APs, Point-to-Point Tunneling
Protocol (PPTP) and Layer 2 Tunneling Protocol (L2TP) services for users, SSH
services for incoming management connections, SNMP client/agent services,
and Protocol Independent Multicast (PIM) routing services for the controller
k) Provides syslog services by sending logs to the operating environment.
12 The Linux OS running on the CP is a version 2.6.32 kernel. Linux is a soft real-time,
multi-threaded operating system that supports memory protection between
processes. Only Aruba provided interfaces are used, and the CLI is a restricted
command set. Administrators do not have access to the Linux command shell or
operating system.
13 The DP is further subdivided into two subcomponents: Fast Path (FP) and Slow
Path (SP)¹. The FP implements high-speed packet forwarding based on various
proprietary tables and sends the packets to SP. The SP manages (create, delete,
and age entries) all DP tables such as user, station, tunnel, route, ARP cache,
session, bridge, VLAN², and port. The SP also performs deep packet inspection and
cryptographic processing.
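The fast-path/slow-path split described in paragraph 13, as an added toy model written for this page (it is not Aruba code, not SOS, and not the controller's real table layout): the fast path forwards only on a table hit, every miss is punted to the slow path, and the slow path is the sole owner of the table (policy decision, entry creation, aging). The class names, the two constructed flows, the 30-second idle timeout and the default-deny rule are all assumptions chosen for the example.

```python
"""Toy fast-path / slow-path model (added illustration, not Aruba code).

Security-relevant property it demonstrates: policy is evaluated once, on a
slow-path miss. The fast path then trusts the cached entry, so an entry
created under an old policy keeps its verdict until the slow path ages it out.
"""
from dataclasses import dataclass, field

# Assumed session key: (src_ip, dst_ip, proto, src_port, dst_port)
FiveTuple = tuple


@dataclass
class SessionEntry:
    action: str        # "forward" or "drop"
    last_seen: float   # timestamp of the most recent packet on this flow


@dataclass
class SlowPath:
    """Owns the session table: creates, deletes and ages entries; applies policy."""
    policy: list = field(default_factory=list)   # list of (match_fn, action)
    idle_timeout: float = 30.0                   # assumed aging threshold (seconds)
    table: dict = field(default_factory=dict)    # FiveTuple -> SessionEntry

    def decide(self, key: FiveTuple, now: float) -> str:
        """First-match policy lookup; default deny; install the verdict."""
        for match, action in self.policy:
            if match(key):
                break
        else:
            action = "drop"
        self.table[key] = SessionEntry(action, now)
        return action

    def age(self, now: float) -> int:
        """Delete entries idle longer than idle_timeout; return how many."""
        stale = [k for k, e in self.table.items()
                 if now - e.last_seen > self.idle_timeout]
        for k in stale:
            del self.table[k]
        return len(stale)


@dataclass
class FastPath:
    """Table lookup only; never evaluates policy or mutates table membership."""
    sp: SlowPath
    hits: int = 0
    misses: int = 0

    def process(self, key: FiveTuple, now: float) -> str:
        entry = self.sp.table.get(key)
        if entry is None:
            self.misses += 1
            return self.sp.decide(key, now)   # punt to slow path
        self.hits += 1
        entry.last_seen = now                 # refresh aging timer
        return entry.action


def run_demo() -> dict:
    """Constructed traffic; returns per-packet verdicts and counters."""
    sp = SlowPath(policy=[
        (lambda k: k[2] == "tcp" and k[4] == 443, "forward"),  # assumed allow rule
        (lambda k: k[2] == "udp" and k[4] == 53, "forward"),   # assumed allow rule
    ])
    fp = FastPath(sp)
    flow_https = ("10.1.1.5", "192.0.2.10", "tcp", 40000, 443)    # constructed
    flow_telnet = ("10.1.1.5", "192.0.2.10", "tcp", 40001, 23)    # constructed

    actions = [
        fp.process(flow_https, 0.0),    # miss -> policy -> forward, entry installed
        fp.process(flow_https, 1.0),    # hit  -> forward
        fp.process(flow_telnet, 2.0),   # miss -> no rule -> drop, drop entry cached
        fp.process(flow_telnet, 3.0),   # hit  -> drop
    ]
    sp.policy.clear()                          # administrator withdraws all allow rules
    actions.append(fp.process(flow_https, 6.0))   # still a hit: stale "forward" entry
    aged = sp.age(40.0)                        # both entries idle > 30 s, removed
    actions.append(fp.process(flow_https, 41.0))  # miss: re-evaluated, now default deny

    return {"actions": actions, "hits": fp.hits, "misses": fp.misses, "aged": aged}


if __name__ == "__main__":
    print(run_demo())
```

The last two packets are the point of the model: after the allow rule is withdrawn, the HTTPS flow is still forwarded because the fast path only consults the table, and only after aging (or an explicit slow-path delete) does the new policy take effect. On a real controller the analogous operational check is to confirm that a policy change also flushes or re-evaluates existing session entries, not just future ones.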
14 The data plane is implemented on a multi-core network processor. There is a
lightweight, Aruba-proprietary OS running on the network processor called SOS.
SOS contains an Ethernet driver, a serial driver, a logging facility, semaphore
support, and a crypto driver. This OS is not a general purpose operating system. In
the Aruba 6000 with M3 controller card, an FPGA is also used to control and monitor
the switch fabric, Ethernet interface hardware, and provide security functionality such
as filtering.
15 The DP and CP run on different hardware platforms but the security functionality
remains the same, regardless of the model. The differences in the platforms are in
the processors, memory capacity, physical interfaces, FPGA implementation, etc.,
and are based on performance and scalability requirements.
2.3 Usage
16 The TOE is generally deployed as a gateway between wired and wireless networks
that performs command-and-control within an Aruba-dependent wireless network
architecture consisting of one or more Aruba mobility controllers and multiple Aruba
wireless APs. In this architecture, Aruba split the traditional functions of an all-in-one
¹ The entire DP (including both FP and SP elements) is a high-speed packet processor, so the SP
designation should be understood to be relative in terms of speed.
² A VLAN has the same attributes as a physical LAN, but it allows for end devices to be grouped together
even if they are not located on the same network switch. Network reconfiguration can be done through the
Aruba software instead of physically relocating devices.