Aruba 6000 and Aruba 800 Series Mobility Controller Security Target Version 1.8 May 28, 2008 Prepared for: Aruba Networks™ 1322 Crossman Ave.
TABLE OF CONTENTS
1 Security Target Introduction
1.1 Security Target Identification
1.2 Security Target Overview
1.3 Common Criteria Conformance
5.1.3 TOE Access
5.1.3.1 FTA_SSL.3 TSF-initiated termination
5.1.3.2 FTA_TAB.1 Default TOE access banners
5.1.
5.2.4.3 FCS_CKM.4b Cryptographic key destruction
5.2.4.4 FCS_COP.1b Cryptographic operation
5.2.5 Protection of the TSF
8.4.2 Security Objectives
8.4.3 TOE and IT Environment SFRs
8.5 Rationale for Satisfaction of Strength of Function Claims
9 Appendix
Table of Tables and Figures
Figure 2-1: The evaluated configuration
Table 3-1 Assumptions
Table 3-2 Threats
1 Security Target Introduction

1.1 Security Target Identification

TOE Identification: Aruba 6000 and Aruba 800 series Mobility Controller
Hardware Versions:
a. Aruba 800 series: HW-800-CHAS-SPOE-SX, HW-800-CHAS-SPOE-T
b. Aruba 6000 series: HW-CHASF (3300028 Rev. 01), HW-FTF (3300031 Rev. 01), LC-2G24F (3300026 Rev. 01), LC-2G (3300029-01), LC-2G24FP (3300024 Rev. 01), SC-256-C2 (3300027 Rev.
1.3 Common Criteria Conformance

The TOE is Part 2 extended, Part 3 conformant, and meets the requirements of Evaluation Assurance Level (EAL) 2 from the Common Criteria Version 2.3 August 2005, augmented with ACM_SCP.1 (TOE CM Coverage), ALC_FLR.2 (Flaw Remediations) and AVA_MSU.1 (Misuse – Examination of Guidance).

1.
Section 7, Protection Profile (PP) Claims, references the PP to which conformance is claimed and identifies any additional TOE objectives and any tailored or additional IT security requirements.

Section 8, Rationale, presents evidence that the ST is a complete and cohesive set of requirements and that a conformant TOE would provide an effective set of IT security countermeasures within the security environment.
2 TOE Description

2.1 Product Type

Aruba 6000 and Aruba 800 series Mobility Controllers are wireless LAN (WLAN) switches. A WLAN switch is a gateway device which controls operation of multiple Access Points (APs), processes network data flows between wireless and wired networks, and implements various wired and wireless network and security protocols.
2.1.3 TOE design and operation

In the evaluated configuration the TOE is used in the FIPS 140-2 approved mode of operation. The Aruba Mobility Controllers utilize the following security protocols in the FIPS 140-2 approved mode of operation: TLS (RFC 2246), 802.11i (IEEE 802.
In a typical usage scenario, a wireless client attempts to connect to an access point. The access point passes the connection request to the TOE, which in turn passes the request to the authentication server. The authentication server exchanges messages with the wireless client through the TOE and the access point to perform secure session key derivation and secure authentication using EAP-TLS, EAP-TTLS or PEAP protocol.
• BCM1125 network processor executes SOS (SiByte OS). It performs network data frame processing functions. The BCM1125 network processor is connected to the MPC8241 control processor via PCI and serial interfaces.
• Cavium CN1001 cryptographic processor. The CN1001 processor is used to accelerate cryptographic operations performed by xSec, IPSec/IKE, TLS and 802.11i security protocols.
Figure 2-1: The evaluated configuration

2.3 TOE Logical Boundary

The TOE security functions are:

Auditing – The TOE provides a functionality to log security-relevant events. It uses a logging level that can be set for each of the ArubaOS modules. The administrator can configure a logging level (total of eight logging levels) independently for each module.
audit server is used to store and review audit records. An external NTP server is used to obtain reliable time stamps.

Cryptography – The TOE employs cryptographic functionalities of a FIPS 140-2 validated module for the purposes of wireless and wired security protocol processing as well as for establishment of secure remote administration sessions.
Note: For the authentication of wireless users using 802.11i authentication, the IT environment provides a trusted path. When using the EAP-TTLS and PEAP authentication protocols, the IT environment provides a TLS based trusted path between the authentication server and the wireless user.
TOE. In case of a successful authentication, the authentication server derives a session key which is then provided to the TOE to be used for protection of wireless user data. The authentication server also communicates the wireless user role to the TOE.
3 TOE Security Environment

This section identifies secure usage assumptions, threats to security and organizational security policies.

3.1 Assumptions

This section contains assumptions regarding the security environment and the intended usage of the TOE.

Table 3-1 Assumptions
A.ADMIN Administrators are non-hostile, appropriately trained and follow all administrator guidance.
A.
T.INTERNAL A user or process may cause, through an unsophisticated attack, TSF data, or executable code to be inappropriately accessed (viewed, modified, or deleted).

Application Note: PP Threats T.POOR_DESIGN, T.POOR_IMPLEMENTATION and T.
4 Security Objectives

4.1 Security Objectives for the TOE

The Security Objectives for the TOE are as follows:

Table 4-1 Security Objectives for TOE
O.AUDIT_GEN The TOE will provide the capability to detect and create records of security-relevant events, including those associated with users.
O.
4.2 Security Objectives for the Environment

4.2.1 Security Objectives for the IT Environment

The Security Objectives for the IT Environment are as follows:

Table 4-2 Security Objectives for the IT Environment
OE.AUDIT_PROTECT The IT Environment will provide the capability to protect audit information and the authentication credentials.
OE.
OE.PROTECT The environment provides physical security, commensurate with the value of the TOE and the data it contains.
OE.BYPASS Wireless clients are configured so that information cannot flow between a wireless client and any other wireless client or host networked to the TOE without passing through the TOE.
5 IT Security Requirements

This section provides functional and assurance requirements that are satisfied by the TOE and the IT environment.

5.1 TOE Security Functional Requirements

The TOE security functional requirements are listed in Table 5-1 Functional Components.

Table 5-1 Functional Components
Item | Component | Component Name | PP Conformance
1 | FAU_ARP.1 | Security alarms | Additional
2 | FAU_SAA.
Item | Component | Component Name | PP Conformance
26 | FMT_MOF.1a | Management of security functions behavior (Cryptographic Function) | PP
27 | FMT_MOF.1b | Management of security functions behavior (Audit Record Generation) | PP
28 | FMT_MOF.1c | Management of security functions behavior (Authentication) | PP Tailored
29 | FMT_MOF.
5.1.1.2 FAU_SAA.3 Simple attack heuristics

FAU_SAA.3.1 The TSF shall be able to maintain an internal representation of the following signature events [the subset of system events specified in column one of Table 5-2 WIP signature events, information and actions] that may indicate a violation of the TSP.

FAU_SAA.3.
Signature Event | Information used to detect event | Action on event
AirJack signature detection | Received SSID of “AirJack” in beacon frame | Notify administrator
NetStumbler Generic signature detection | 802.11 data packets with specific patterns in the payload | Notify administrator
 | 802.11 data packets with specific patterns in the payload | Notify administrator
Deauth-Broadcast signature detection | 802.
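The AirJack row of the WIP signature table, worked as an added example (this is not ArubaOS code and not part of the Security Target): a bounds-checked beacon parser compares the SSID element against a signature table and returns the configured action. The signature-table layout, the function names, the exact-match comparison and the sample frames are assumptions constructed for illustration.

```python
"""Signature check for the AirJack beacon SSID (illustrative, constructed data)."""
import struct
from dataclasses import dataclass
from typing import List, Optional

MGMT_TYPE = 0            # 802.11 frame type: management
BEACON_SUBTYPE = 8       # management subtype: beacon
MAC_HEADER_LEN = 24      # frame control, duration, 3 addresses, sequence control
BEACON_FIXED_LEN = 12    # timestamp (8) + beacon interval (2) + capability (2)
SSID_ELEMENT_ID = 0
MAX_SSID_LEN = 32

# Assumed internal representation of signature events: name -> (SSID, action).
# Only the AirJack row is modelled; the layout is hypothetical.
SIGNATURES = {
    "AirJack signature detection": (b"AirJack", "Notify administrator"),
}


@dataclass
class Alert:
    signature: str   # signature event that matched
    action: str      # action configured for that event
    bssid: str       # BSSID (address 3) taken from the frame header


def beacon_ssid(frame: bytes) -> Optional[bytes]:
    """Return the SSID of a beacon frame, or None if it is not a well-formed beacon."""
    if len(frame) < MAC_HEADER_LEN + BEACON_FIXED_LEN:
        return None
    fc0 = frame[0]
    version, ftype, subtype = fc0 & 0x3, (fc0 >> 2) & 0x3, (fc0 >> 4) & 0xF
    if version != 0 or ftype != MGMT_TYPE or subtype != BEACON_SUBTYPE:
        return None
    pos = MAC_HEADER_LEN + BEACON_FIXED_LEN
    # Walk the tagged parameters (id, length, value) with explicit bounds checks.
    while pos + 2 <= len(frame):
        elem_id, elem_len = frame[pos], frame[pos + 1]
        value = frame[pos + 2:pos + 2 + elem_len]
        if len(value) != elem_len:
            return None          # element runs past the end of the frame
        if elem_id == SSID_ELEMENT_ID:
            return value if elem_len <= MAX_SSID_LEN else None
        pos += 2 + elem_len
    return None


def match_frame(frame: bytes) -> List[Alert]:
    """Compare one frame against the signature table; return the alerts raised."""
    ssid = beacon_ssid(frame)
    if ssid is None:
        return []
    bssid = ":".join(f"{b:02x}" for b in frame[16:22])
    return [Alert(name, action, bssid)
            for name, (sig_ssid, action) in SIGNATURES.items()
            if ssid == sig_ssid]


def build_beacon(ssid: bytes, bssid: bytes, subtype: int = BEACON_SUBTYPE) -> bytes:
    """Construct a sample management frame (test data, not captured traffic)."""
    frame_control = bytes([(subtype << 4) | (MGMT_TYPE << 2), 0x00])
    header = (frame_control + b"\x00\x00" + b"\xff" * 6   # duration, broadcast DA
              + bssid + bssid + b"\x00\x00")              # SA, BSSID, sequence control
    fixed = struct.pack("<QHH", 0, 100, 0x0001)           # timestamp, interval, capability
    elements = bytes([SSID_ELEMENT_ID, len(ssid)]) + ssid + bytes([1, 1, 0x82])
    return header + fixed + elements


if __name__ == "__main__":
    sample_bssid = bytes.fromhex("020000000001")           # constructed, locally administered
    samples = {
        "beacon, SSID AirJack": build_beacon(b"AirJack", sample_bssid),
        "beacon, SSID corp-wlan": build_beacon(b"corp-wlan", sample_bssid),
        "probe response, SSID AirJack": build_beacon(b"AirJack", sample_bssid, subtype=5),
        "truncated beacon": build_beacon(b"AirJack", sample_bssid)[:40],
    }
    for label, frame in samples.items():
        print(label, "->", match_frame(frame))
```

Only the first sample raises an alert: the probe response is not a beacon frame, and the truncated frame is rejected by the length check instead of being matched on a partial SSID.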
Requirement | Auditable Events | Additional Audit Record Contents
FAU_SAA.3 | Enabling and disabling of any of the analysis mechanisms; Automated responses performed by the tool | None
FAU_GEN.1a | None | None
FAU_GEN.2 | None | None
FAU_SEL.1 | All modifications to the audit configuration that occur while the audit collection functions are operating | The identity of the Administrator performing the function
FIA_UAU.
Requirement | Auditable Events | Additional Audit Record Contents
FCS_COP.1a | Success or failure of operation | Type of cryptographic operation
FDP_PUD_EXP.1 | Enabling or disabling TOE encryption of wireless traffic | The identity of the Administrator performing the function
FDP_RIP.1a | None | None
FPT_RVM.1a | None | None
FPT_SEP.1a | None | None
FPT_STM_EXP.1a | Changes to the time | None
FPT_TST_EXP.
Requirement | Auditable Events | Additional Audit Record Contents
FMT_SMF.1c | Use of the management functions | None
FMT_SMF.1d | Use of the management functions | None
FMT_SMF.1e | Use of the management functions | None
FMT_SMR.1a | Modifications to the group of users that are part of a role | None
FTP_ITC_EXP.
b) [device interface, wireless client identity].

Application note: event type is defined as the BSD syslog severity level indicator.

Application Note: The device interface is the physical interface upon which user (or administrative) data is received/sent (e.g. WLAN interface, wired LAN interface, serial port, administrative LAN interface, etc.).

5.1.2 Identification and authentication

5.1.2.1 FIA_UAU.
5.1.2.5 FIA_ATD.1b User attribute definition

FIA_ATD.1.1b The TSF shall maintain the following minimum list of security attributes belonging to individual remotely authenticated users: [session key, role].

5.1.2.6 FIA_USB.1 User-subject binding

FIA_USB.1.1 The TSF shall associate the following user security attributes with subjects acting on the behalf of that user: [username].

FIA_USB.1.
5.1.3.2 FTA_TAB.1 Default TOE access banners

FTA_TAB.1.1 Before establishing an administrator session, the TSF shall display an advisory warning message regarding unauthorized use of the TOE.

Application note: In accordance with O.BANNER, the PP requires an access banner to be displayed only for an administrator.

5.1.4 Cryptographic Support

Application note: PP SFR component FCS_BCM_EXP.
5.1.4.4 FCS_CKM.4a Cryptographic key destruction

FCS_CKM.4.
Cryptographic operations | Cryptographic algorithm | Key sizes (bits) | Standards | Certificate number
Data authentication and verification. | HMAC SHA-1 | 128, 160 | Keyed-Hash Message Authentication Code (HMAC) (FIPS PUB 198) | 116 and 118
 | RSA PKCS #1 | 1024 | RSA PKCS #1 | 101, 102
Random data generation and key generation | ANSI X9.31 PRNG | 64 | ANSI X9.
and the wireless user is established, the wireless user has an option to use IPSec/IKE Layer 3 encryption protocol as an additional security measure on top of xSec/802.11i protocols. For the IPSec/IKE protocol only pre-shared keys are supported; the RSA digital signatures option of IPSec/IKE is not supported.
• Where wireless user authentication does not use 802.
5.1.6.5 FPT_TST_EXP.2 TSF Testing of Cryptographic Modules

FPT_TST_EXP.2.1 The TSF shall run the suite of self-tests provided by the FIPS 140-2 validated cryptographic module during initial start-up (power on) and upon request, to demonstrate the correct operation of the cryptographic components of the TSF.

FPT_TST_EXP.2.
5.1.7.4 FMT_MOF.1d Management of Wireless Intrusion Protection security functions behavior

FMT_MOF.1.1d The TSF shall restrict the ability to determine the behavior of, enable, disable, and modify the behavior of the functions [
• WIP: signature events (wireless intrusion profiles)
• WIP: actions to be taken upon detection of a potential security violation
] to [administrators].

5.1.7.5 FMT_MSA.
5.1.7.10 FMT_SMF.1b Specification of Management Functions (TOE Audit Record Generation)

FMT_SMF.1.1b The TSF shall be capable of performing the following security management functions: [query, enable or disable Security Audit].

5.1.7.11 FMT_SMF.1c Specification of Management Functions (Cryptographic Key Data)

FMT_SMF.1.
FTP_ITC_EXP.1.3a The TSF shall initiate communication via the trusted channel for [all authentication functions, remote logging, time].

Application Note: The trusted channel is based on the IPSec/IKE protocol with pre-shared keys.

5.1.8.2 FTP_TRP.1a Trusted path (remote administrators)

FTP_TRP.1.
In support of the authentication server, the environment shall provide implementations of the wireless user authentication protocols as well as facilities to manage and protect authentication information. The communications between the TOE and audit/time/authentication servers will be protected.
5.2.1 Security Audit

5.2.1.1 FAU_GEN.1b Audit data generation

FAU_GEN.1.1b The TOE IT Environment TSF shall be able to generate an audit record of the following auditable events:
a) Start-up and shutdown of the audit functions;
b) All auditable events for the [not specified] level of audit; and
c) [the following events: events specified in column two of Table 5-6 TOE IT Environment Auditable Events].
Requirement | Auditable Events | Additional Audit Record Contents
FPT_RVM.1b | None | None
FPT_SEP.1b | None | None
FPT_STM.1 | Setting time/date | Identity of the administrator that performed the action
FMT_MOF.1e | Changes to audit server settings; Changes to authentication server settings; Changes to time server settings | None
FMT_MTD.1d | Changes to TSF data | None
FMT_SMF.1f | Use of the management functions | None
FMT_SMR.
5.2.1.3 FAU_SAR.2 Restricted audit review

FAU_SAR.2.1 The TOE IT Environment TSF shall prohibit all users read access to the audit records, except those users that have been granted explicit read-access.

5.2.1.4 FAU_SAR.3 Selectable audit review

FAU_SAR.3.
an open system connection, in which case a username and password is used. Remote administrators authenticate initially as wired users using a username and password.

5.2.3.2 FIA_UID.2b User identification before any action

FIA_UID.2.1b The TOE IT Environment TSF shall require each TOE remote user to be successfully identified before allowing any other TSF-mediated actions on behalf of that user.

5.2.3.3 FIA_AFL.
cryptographic key destruction method [zeroization upon issuance of the key zeroization command] that meets the following: [key zeroization requirements of the FIPS 140-2 standard].

5.2.4.4 FCS_COP.1b Cryptographic operation

FCS_COP.1.
Table 5-7 IT Environment Cryptographic Operation
Cryptographic operations | Cryptographic algorithm | Key sizes (bits) | Standards
Encryption/decryption | AES–CBC | 128, 192, 256 | Advanced Encryption Standard (AES) (FIPS PUB 197)
 | Triple DES-CBC | 168 | ANSI X9.
• A FIPS-approved PRNG shall be used by the IT environment for random data generation and key generation purposes.

5.2.5 Protection of the TSF

5.2.5.1 FPT_RVM.1b Non-bypassability of the TOE IT Environment Security Policy

FPT_RVM.1.
5.2.6.4 FMT_SMR.1b Security roles

FMT_SMR.1.1b The TOE IT Environment TSF shall maintain the roles [administrator].

FMT_SMR.1.2b The TOE IT Environment TSF shall be able to associate users with roles.

Application Note: The TOE IT environment must include an administrative role for its own management.

5.2.7 Trusted path/channels

5.2.7.1 FTP_ITC_EXP.1b Inter-TSF trusted channel

FTP_ITC_EXP.1.
5.3 TOE Security Assurance Requirements

The Security Assurance Requirements for the TOE are the assurance components of Evaluation Assurance Level 2 (EAL2) taken from Part 3 of the Common Criteria, augmented with ACM_SCP.1 (CM Coverage), ALC_FLR.2 (Flaw Remediation) and AVA_MSU.1 (Misuse – Examination of guidance). None of the assurance components are refined.
FDP_PUD_EXP.1 and FTP_ITC_EXP.1a include the following probabilistic/permutational mechanisms for which specific SOF metrics are appropriate: a pre-shared key is used in the IPSec/IKE protocol.
6 TOE Summary Specification

6.1 IT Security Functions

Section 6.1 describes the specific security functions that are implemented by the TOE. The following sections describe the IT Security Functions of the Aruba 6000 and Aruba 800 series Mobility Controller.
FDP_PUD_EXP.1 UDP-1 FDP_RIP.1a UDP-2 FPT_RVM.1a PT-1 FPT_SEP.1a Protection of the TSF FPT_STM_EXP.1 PT-2 FPT_TST_EXP.1 PT-3 FPT_TST_EXP.2 PT-4 FMT_SMF.1a SM-2 FMT_SMF.1b FMT_SMF.1c FMT_SMF.1d Security management FMT_SMF.1e SM-2, SM-4 FMT_SMR.1a SM-1 FMT_MOF.1a SM-1, SM-2 Security Management FMT_MOF.1b FMT_MOF.1c FMT_MOF.1d FMT_MSA.2 SM-3 FMT_MTD.1a SM-2, SM-4 FMT_MTD.1b FMT_MTD.
Debug – Messages containing information useful for debugging purposes.

SA-1 The TOE generates audit records for auditable events. The audit function is integrated into each module of ArubaOS. In particular, when an auditable event occurs, the module executes a logging API call that records event information to the external audit server.
review them to the administrator. Note: Reliable time stamps described in PT-2 are used to provide time for audit records.

SA-2 After a user is identified, the TOE will keep an in-memory session object for this user and associate each auditable event with the identity of the user that caused the event using an in-memory pointer to the username string. The user is identified by the username in the audit record.
attribute. The session key may be used by the TOE to encrypt further communications with a wireless client. For wireless users using an open system connection with VPN, the IPSec/IKE VPN is established between the TOE and the wireless client prior to the user authentication using pre-shared keys. The user authenticates to the RADIUS server using a username and password.
TA-1 The TSF terminates a wireless user session or a management user CLI session (for a local or remote administrator) after the inactivity time exceeds a configurable session idle timeout. The TSF terminates a management user Web UI session for a remote administrator after the inactivity time exceeds a session idle timeout of 30 minutes. Timeout does not apply to the following screens which are auto-refreshed.
CY-1 The TSF generates cryptographic keys in accordance with the cryptographic key generation methods identified in Table 5-4 Cryptographic Operation. In particular, the TSF uses the ANSI X9.31 random number generator to generate cryptographic keys internally. Cryptographic key sizes and the corresponding standards are also identified in Table 5-2.
handshake as well as for signature generation/verification during SSH and TLS handshakes.
• PRNG (ANSI X9.31) is used to generate random data and cryptographic keys for xSec, 802.11i, TLS, SSH and IPSec/IKE.

The TOE relies on the environment (authentication server) to implement cryptographic handshakes used in EAP-TLS, EAP-TTLS and PEAP protocols.

6.1.
processes. Access to the underlying Linux implementation is not provided to the users. The command line interface utilizes a restricted command set. The TOE does not provide uncontrolled management interfaces. The TOE’s critical data is protected against unauthorized disclosure, modification, and substitution by controlling access to the management functions via authentication and through the access control mechanism.
obtained from an external NTP server.

PT-3 The Mobility Controller runs a suite of self tests during power-up which includes demonstration of the correct operation of the hardware and the use of cryptographic functions to verify the integrity of TSF executable code and static data. An administrator can choose to reboot the TOE to perform power-up self test.
performed utilizing the CLI loginsession timeout command) and setting the idle timeout for wireless users (which is configured by utilizing the Security->AAA Servers -> Internal Servers-> General panel of the Web UI for local administrators and the Security->AAA Servers panel of the Web UI or the CLI config aaa timers command).

e) Auditing.
wireless users to the external authentication server.

Note: As specified in the requirement FTP_TRP.1c for the IT Environment, for wireless user authentication using EAP-TLS, EAP-TTLS or PEAP protocols, the authentication server establishes a trusted path between the authentication server and the wireless user which passes through the TOE.
Item | Security Assurance Requirement | How Satisfied
8 | AGD_ADM.1 Administrator guidance | ArubaOS 2.4 Reference Guide; ArubaOS 2.4 Management Reference Guide; Aruba Quick Start Guide
9 | AGD_USR.1 User guidance | ArubaOS 2.4 User Guide
10 | ALC_FLR.2 Flaw Remediation | Aruba Mobility Controller Flaw Remediation
11 | ATE_COV.1 Evidence of coverage | Aruba Mobility Controller Test Coverage Analysis
12 | ATE_FUN.
7 PP Claims

7.1 PP Reference

This TOE is in conformance with the Wireless Local Area Network (WLAN) Access System Protection Profile for Basic Robustness Environments [3].

7.2 PP Tailoring

All PP SFRs except FTP_TRP.1 are satisfied by the TOE, either without tailoring or with permitted operations carried out. PP SFR FTP_TRP.1 is considered to be in error and has been corrected in ST SFRs FTP_TRP.1a, FTP_TRP.1b and FTP_TRP.
8 Rationale

8.1 Security Objectives Rationale

This section provides evidence demonstrating coverage of the TOE security environment by the IT security objectives. The security objectives were derived from statements of threats, assumptions and organizational security policies. The following table demonstrates that the mapping of the assumptions, threats and organizational security to the security objectives is complete.
8.1.1 Threats

T.ERROR An administrator may accidentally incorrectly install or configure the TOE, resulting in ineffective security mechanisms.

Coverage Rationale: O.MANAGE provides that administrators will be able to effectively manage the TOE and its security functions. O.CORRECT provides assurance to the administrators that the TSF continues to operate as expected.
T.ATTACK A user may gain access to TSF data, executable code or services (either on the TOE or by sending data through the TOE) for which they are not authorized according to the TOE security policy.

Coverage Rationale: O.MANAGE and OE.MANAGE mitigate this threat by restricting access to administrative functions and management of the TSF data to the administrator. OE.
sessions are dropped after an administrator-defined time period of inactivity. (O.TOE_ACCESS).

T.CRYPTO A user or process may cause key, data or executable code associated with the cryptographic functionality to be inappropriately accessed (viewed, modified, or deleted), thus compromising the cryptographic mechanisms and the data protected by those mechanisms.

Coverage Rationale: O.RESIDUAL and OE.
A.NO_GENRL There are no general-purpose computing or storage repository capabilities (e.g., compilers, editors, or user applications) available on the TOE.

Coverage Rationale: OE.NO_GENRL specifies that the TOE provides no general-purpose computing or storage repository capabilities (e.g., compilers, editors, or user applications).

A.
OE.AUDIT_REVIEW supports accountability by providing mechanisms for viewing and sorting the audit logs.

O.MANAGE provides that the TSF allows only administrators to manage the TOE and its security functions, and ensures that only authorized administrators will be able to access such functionality. Therefore, the access to TOE administration and management functions is restricted to the administrators.

OE.
information passing through the TOE will be inspected to ensure it is authorized by TOE policies.
8.2 Security Requirements Rationale

This section provides evidence demonstrating that the security objectives for the TOE and the IT environment are satisfied by the security requirements.

8.2.1 Rationale for TOE Security Requirements

Table 8-2 Mapping of TOE Security Requirements to Security Objectives for the TOE
O.INTRUSION O.CRYPTO O.TRAFFIC O.TIME O.CORRECT O.RESIDUAL O.TOE_ACCESS O.BANNER O.
FDP_RIP.1a O.INTRUSION X FPT_RVM.1a X X X FPT_SEP.1a X X X FPT_STM_EXP.1 X X FPT_TST_EXP.1 X FPT_TST_EXP.2 X FMT_MOF.1a X FMT_MOF.1b X FMT_MOF.1c X FMT_MOF.1d X FMT_MSA.2 X FMT_MTD.1a X FMT_MTD.1b X FMT_MTD.1c X FMT_SMF.1a X FMT_SMF.1b X FMT_SMF.1c X FMT_SMF.1d X FMT_SMF.1e X FMT_SMR.1a X FTP_ITC_EXP.1a O.CRYPTO O.TRAFFIC O.TIME O.CORRECT O.RESIDUAL O.TOE_ACCESS O.
Coverage Rationale: FAU_GEN.1a, Audit data generation, specifies that the TOE will be able to generate audit records of security-relevant events. The list of the events is specified in FAU_GEN.1a. For each event, date and time of the event, type of the event, subject identity, and the outcome (success or failure) of the event are recorded. Subject identity is defined as follows.
O.SELF_PROTECT The TOE will maintain a domain for its own execution that protects itself and its resources from external interference, tampering, or unauthorized disclosure.

Coverage Rationale: FPT_SEP.1a, TSF domain separation, was chosen to ensure the TSF provides a domain that protects itself from untrusted users. If the TSF cannot protect itself it cannot be relied upon to enforce its security policies. FPT_RVM.
FPT_RVM.1a, Non-bypassability of the TSP, ensures that for each user the TSP enforcement functions are invoked and succeed before each function within the TSC is allowed to proceed. FTP_TRP.1a ensures that remote administrators utilize a trusted path for authentication with the TOE. FTP_TRP.1b ensures that wireless users authenticating using an open system connection utilize a trusted path for authentication with the TOE.
O.CORRECT
The TOE will provide the capability to verify the correct operation of the TSF.
Coverage Rationale: FPT_TST_EXP.1 addresses this objective by requiring the TOE to provide facilities to verify the correct operation of TSF hardware and to verify that TSF software and data have not been corrupted. FPT_TST_EXP.
Security Functional Requirements
Security Objectives for IT Environment: OE.RESIDUAL OE.TOE_ACCESS OE.TIME OE.SELF_PROTECT OE.MANAGE OE.AUDIT_REVIEW OE.AUDIT_PROTECT
FIA_UID.2b X
FIA_AFL.1 X
FIA_ATD.1c X
FCS_CKM.1b X X
FCS_CKM.2b X X
FCS_CKM.4b X X
FCS_COP.1b X X
FDP_RIP.1b X
FPT_RVM.1b X
FPT_SEP.1b X
FPT_STM.1
FMT_MOF.1e X X X
FMT_SMF.1f X X X X
FMT_MTD.1d
FMT_SMR.1b X X
FTP_ITC_EXP.1b
FTP_TRP.
FMT_MOF.1e and FMT_SMR.1b specify the ability of the administrator to control the security functions associated with audit and alarm generation.
OE.AUDIT_REVIEW
The IT Environment will provide the capability to selectively view audit information.
Coverage Rationale: The administrator will be able to read all the events and will be able to interpret the information (FAU_SAR.1).
OE.TIME
The IT Environment shall provide reliable time stamps and the capability for the administrator to set the time used for these time stamps.
Coverage Rationale: FPT_STM.1, Reliable time stamps, addresses this objective by requiring the IT environment to provide reliable time stamps. The IT environment will provide to the administrator an interface that can be used to set the time used for the time stamps (FMT_MTD.1d).
OE.RESIDUAL
The IT Environment will ensure that any information contained in a protected resource within its Scope of Control is not released when the resource is reallocated.
Coverage Rationale: FDP_RIP.1b addresses this objective by requiring the IT environment to provide the same protection for residual information in network packet objects that the TOE provides.
8.2.
Item #   SFR   Dependencies (SFR, Included)
13 14 FCS_CKM.1a Cryptographic key generation FCS_CKM.2a Cryptographic key distribution FCS_CKM.2 or 16, 17 FCS_COP.1 19 FCS_CKM.4 18 FMT_MSA.2 31 FDP_ITC.1, or FDP_ITC.2, or 15 FCS_CKM_EXP.2 Cryptographic key establishment FCS_CKM.1 19 FCS_CKM.4 18 FMT_MSA.2 31 FDP_ITC.1, or FDP_ITC.2, or 16 FCS_CKM.4a Cryptographic key destruction FCS_CKM.1 19 FCS_CKM.
Item #   SFR   Dependencies (SFR, Included)
26  FMT_MOF.1b Management of security functions behavior (Audit Record Generation)
      FMT_SMF.1  36
      FMT_SMR.1  40
27  FMT_MOF.1c Management of security functions behavior (Authentication)
      FMT_SMF.1  39
      FMT_SMR.1  40
28  FMT_MOF.1d Management of security functions behavior (Wireless Intrusion Protection)
      FMT_SMF.1  38
      FMT_SMR.1  40
29  FMT_MSA.
Item #   SFR   Dependencies (SFR, Included)
42  FAU_SAR.1 Audit review
      FAU_GEN.1  1, 43
43  FAU_SAR.2 Restricted audit review
      FAU_SAR.1  44
44  FAU_SAR.3 Selectable audit review
      FAU_SAR.1  44
45  FAU_STG.1 Protected audit trail storage
      FAU_GEN.1  1, 43
46  FAU_STG.3 Prevention of audit data loss
      FAU_STG.1  47
47  FIA_UAU_EXP.5b Remote authentication mechanism
      FIA_UID.1  50
48  FIA_UID.
Item #   SFR   Dependencies (SFR, Included)
59  FMT_MTD.1d Management of TSF data
      FMT_SMF.1  62
      FMT_SMR.1  63
60  FMT_SMF.1f Specification of Management Functions
      none  -
61  FMT_SMR.1b Security roles
      FIA_UID.1  50
62  FTP_ITC_EXP.1b Inter-TSF trusted channel
      none  -
63  FTP_TRP.1a Trusted path
      none  -
63  FTP_TRP.1b Trusted path
      none  -
Note: Since FAU_SAA.3 is hierarchical to FAU_SAA.1, the dependency of FAU_ARP.
between distributed portions of the TOE rather than between the TOE and its trusted IT environment. The assurance requirements at EAL2 are sufficient to support these explicitly stated requirements.
8.2.5 Strength of Function
Strength of function level of SOF-basic counters an attack level of low.
8.3 TOE Summary Specification Rationale
8.3.1 IT Security Functions
Table 8-5 shows that the IT Security Functions in the TOE Summary Specification (TSS) address all of the TOE Security Functional Requirements.
Table 8-5 Mapping of Functional Requirements to TOE Summary Specification
Security Functions   SFRs
Wireless Intrusion Protection FAU_ARP.1 Auditing FAU_GEN.1a FAU_SAA.3 FAU_GEN.2 FAU_SEL.
Security Functions: I&A and TOE Access
SFRs: FTA_SSL.3 FTA_TAB.1 FIA_UAU.1a FIA_UAU_EXP.5a FIA_UID.2a FIA_ATD.1a FIA_ATD.1b FIA_USB.1
Rationale: The Mobility Controller displays a warning banner regarding authorized use of the TOE before establishing an administrator session (FTA_TAB.1). The Mobility Controller requires each user to be successfully identified before allowing any TSF-mediated action (FIA_UID.2a).
Security Functions: User and TSF Data Protection
SFRs: FDP_PUD_EXP.1 FDP_RIP.1a FPT_RVM.1a FPT_SEP.1a FPT_STM_EXP.1 FPT_TST_EXP.1 FPT_TST_EXP.2
Rationale: If configured by the administrator, the Aruba Mobility Controller encrypts data transmitted to the wireless client and decrypts data received from the wireless client (FDP_PUD_EXP.1).
Security Functions: Security Management
SFRs: FMT_MSA.2 FMT_MOF.1a FMT_MOF.1b FMT_MOF.1c FMT_MOF.1d FMT_MTD.1a FMT_MTD.1b FMT_MTD.1c FMT_SMF.1a FMT_SMF.1b FMT_SMF.1c FMT_SMF.1d FMT_SMF.1e FMT_SMR.1a
Rationale: Only the Mobility Controller’s administrator (FMT_SMR.1a) has the ability to manage the behavior of the TOE security functions (FMT_MOF.1a, FMT_MOF.
Security Functions: Trusted path/channels
SFRs: FTP_TRP.1a FTP_TRP.1b FTP_ITC_EXP.1a
8.3.2 Assurance Measures
Table 6-2 Assurance Measures in Section 6.2 shows how all assurance requirements are satisfied.
8.4 PP Claims Rationale
8.4.1 TOE Security Environment
The PP claims rationale justifies any differences between the ST and the PP TOE security environment; the statements of threats, assumptions and organizational security policies.
PP TOE Security Environment   ST TOE Security Environment   Difference Rationale
P.ACCESS_BANNER   P.BANNER   Name change only
P.ACCOUNTABILITY   P.ACCOUNT   Name change only
P.CRYPTOGRAPHIC   P.CRYPTO   Name change; semantically equivalent
P.CRYPTOGRAPHY_VALIDATED   P.CRYPTO   Name change; semantically equivalent
P.ENCRYPTED_CHANNEL   P.CHANNEL   Name change only
P.NO_AD_HOC_NETWORKS   P.
8.4.2
PP Security Objectives   ST Security Objectives
O.CONFIGURATION_IDENTIFICATION
O.DOCUMENTED_DESIGN
O.PARTIAL_FUNCTIONAL_TESTING
O.VULNERABILITY_ANALYSIS
O.INTRUSION
Table 8-8 Rationale for Difference between ST SFRs and PP SFRs
PP SFR   ST SFR   Difference Rationale
TOE Security Functional Requirements
FAU_GEN.1(1)   FAU_GEN.
PP SFR   ST SFR   Difference Rationale
FCS_BCM_EXP.1 FCS_CKM.1a FCS_CKM_.1 FCS_CKM_EXP.2 FCS_CKM_EXP.2 FCS_CKM.4a FCS_CKM.4 FCS_COP.1a FCS_COP_EXP.1 FCS_COP_EXP.2
Difference Rationale: The ST SFRs fully meet the requirements of the PP SFRs. The ST SFRs have been re-drafted to conform more completely with the CC Part 2 FCS components. FCS_BCM_EXP.
PP SFR: FTP_TRP.1
ST SFR: FTP_TRP.1a FTP_TRP.1b
FAU_GEN.1(2)
Difference Rationale: The PP SFR is considered to be in error, because the trusted path protecting authentication of wireless users using 802.11i is set up between the IT Environment and the wireless user and not the TOE and the wireless user. ST SFR FTP_TRP.1c has therefore been included in the IT environment SFRs. TOE SFR FTP_TRP.
PP SFR: FMT_MOF.1c
ST SFR: FMT_MOF.1(3)
Difference Rationale: The PP SFR has been modified in the ST to remove the setting of the number of authentication failures before lockout, as this is handled in the IT Environment.
8.5 Rationale for Satisfaction of Strength of Function Claims
The claimed minimum strength of function is SOF-basic. The following security mechanisms have specific SOF claims.
c) Assuming 10^6 hashes may be processed per second, 3 x 10^13 hashes may be processed in one year.
d) Therefore the secret is uncrackable in any practical terms.
UI     User Interface
VPN    Virtual Private Network
WEP    Wired Equivalent Privacy or Wireless Encryption Protocol
WIP    Wireless Intrusion Protection
WLAN   Wireless Local Area Network
WPA    WiFi Protected Access
Table 9-2 References
Ref. #   Reference title
[1]   Common Criteria for Information Technology Security Evaluation, Version 2.