National Information Assurance Partnership
Common Criteria Evaluation and Validation Scheme
Validation Report
Aruba Mobility Controller and Access Point Series
Report Number: CCEVS-VR-VID10348-2011
Dated: 27 June 2011
Version: 1.0
National Institute of Standards and Technology National Security Agency
Information Technology Laboratory Information Assurance Directorate
100 Bureau Drive 9800 Savage Road STE 6940
Gaithersburg, MD 20899 Fort George G. Meade, MD 20755-6940
®
TM
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
ii
ACKNOWLEDGEMENTS
Validation Team
James Donndelinger
The Aerospace Corporation
Columbia, MD
Ralph Broom
Noblis, Inc.
Falls Church, VA
Common Criteria Testing Laboratory
SAIC
Columbia, MD
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
iii
Table of Contents
1 Executive Summary........................................................................................1
1.1 Evaluation Details.....................................................................................1
1.2 Interpretations ...........................................................................................2
1.3 Threats.......................................................................................................3
1.4 Organizational Security Policies...............................................................3
2 Identification...................................................................................................4
3 Security Policy................................................................................................4
3.1 Security Audit...........................................................................................4
3.2 Cryptographic Support..............................................................................4
3.3 User Data Protection.................................................................................4
3.4 Identification and Authentication .............................................................5
3.5 Security Management ...............................................................................5
3.6 Protection of the TSF................................................................................5
3.7 Resource Utilization..................................................................................5
3.8 TOE Access ..............................................................................................5
3.9 Trusted Path/Channels ..............................................................................6
4 Assumptions....................................................................................................6
4.1 Clarification of Scope ...............................................................................6
5 Architectural Information ...............................................................................7
6 Documentation................................................................................................9
7 Product Testing.............................................................................................10
7.1 Developer Testing...................................................................................10
7.2 Evaluation Team Independent Testing ...................................................11
7.3 Penetration Testing .................................................................................12
8 Evaluated Configuration ...............................................................................13
9 Results of the Evaluation ..............................................................................14
10 Validator Comments/Recommendations ......................................................15
11 Annexes.........................................................................................................15
12 Security Target..............................................................................................15
13 Bibliography .................................................................................................15
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
1
List of Tables
Table 1 – Evaluation Details.................................................................................................. 1
Table 2 – Mobility Controller Specifications ........................................................................ 8
Table 3 – TOE Security Assurance Requirements .............................................................. 14
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
1
1 Executive Summary
The evaluation of the Aruba Mobility Controller and Access Point Series product was performed
by Science Applications International Corporation (SAIC) Common Criteria Testing Laboratory
(CCTL) in Columbia, Maryland, United States of America and was completed in May 2011. The
evaluation was conducted in accordance with the requirements of the Common Criteria and
Common Methodology for IT Security Evaluation (CEM), version 3.1. The evaluation was
consistent with National Information Assurance Partnership (NIAP) Common Criteria Evaluation
and Validation Scheme (CCEVS) policies and practices as described on their web site
(www.niap-ccevs.org).
The SAIC evaluation team determined that the product is Common Criteria Part 2 Extended and
Common Criteria Part 3 Conformant, and that the Evaluation Assurance Level (EAL) for the
product is EAL 4 augmented with ALC_FLR.2. The information in this Validation Report is
largely derived from the Evaluation Technical Report (ETR) and associated test reports produced
by the SAIC evaluation team. This Validation Report is not an endorsement of the Target of
Evaluation by any agency of the U.S. government, and no warranty is either expressed or implied.
The TOE is a Wireless Local Area Network (WLAN) access system comprising Aruba Mobility
Controllers, Access Points, and the ArubaOS. The Aruba Mobility Controller (MC) appliances
are wireless switches that provide a wide range of wireless and wired network mobility services,
security, centralized management, auditing, authentication, and remote access. The Aruba Access
Point (AP) appliances service wireless clients (part of the operational environment) and can
monitor radio frequency spectrums to detect intrusions, denial of service (DoS) attacks, and other
vulnerabilities. The ArubaOS is a suite of mobility applications that runs on all Aruba MCs and
APs and allows administrators to configure and manage the wireless and mobile user
environment.
The products, when configured as specified in the guidance documentation, satisfy all of the
security functional requirements stated in the Aruba Mobility Controller and Access Point Series
Security Target (ST).
1.1 Evaluation Details
Table 1 – Evaluation Details
Evaluated Product: Aruba Mobility Controller and Access Point Series, comprising:
o Aruba Mobility Controllers: Aruba MC 200, MC 800, MC
3200, MC3400, MC3600 and MC 6000.
o Aruba Access Points: Aruba AP-60, AP-61, AP-65, AP-
70, AP-85, AP-120, AP-121, AP-124 and AP-125.
o ArubaOS version 3.4.2.3
Sponsor: Aruba Networks, Inc.
1344 Crossman Avenue
Sunnyvale, CA 94089-1113
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
2
Developer: Aruba Networks, Inc.
1344 Crossman Avenue
Sunnyvale, CA 94089-1113
CCTL: Science Applications International Corporation
6841 Benjamin Franklin Drive
Columbia, MD 21046
Kickoff Date: 21 August 2009
Completion Date: 9 May 2011
CC: Common Criteria for Information Technology Security
Evaluation, Version 3.1, Revision 2, September 2007
Interpretations: None
CEM: Common Methodology for Information Technology Security
Evaluation, Part 2: Evaluation Methodology, Version 3.1,
Revision 2, September 2007.
Evaluation Class: EAL 4 augmented with ALC_FLR.2
Description: Aruba Mobility Controller and Access Point Series provides a
Wireless Local Area Network (WLAN) access system supporting
a wide range of wireless and wired network mobility services,
security, centralized management, auditing, authentication, remote
access, and wireless intrusion detection.
Disclaimer: The information contained in this Validation Report is not an
endorsement of the Aruba Mobility Controller and Access Point
Series product by any agency of the U.S. Government and no
warranty of the product is either expressed or implied.
PP: US Government Wireless Local Area Network (WLAN) Access
System For Basic Robustness Environments Protection Profile,
Version 1.1, 25 July 2007
Evaluation Personnel: Science Applications International Corporation:
Anthony J. Apted
Dawn Campbell
Katie Sykes
Validation Body: National Information Assurance Partnership CCEVS
1.2 Interpretations
Not applicable.
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
3
1.3 Threats
The ST identifies the following threats that the TOE and its IT environment are intended to
counter:
 An administrator may incorrectly install or configure the TOE, resulting in ineffective
security mechanisms.
 A user or process may cause key, data or executable code associated with the
cryptographic functionality to be inappropriately accessed (viewed, modified, or deleted),
thus compromising the cryptographic mechanisms and the data protected by those
mechanisms.
 A user or process may masquerade as another entity in order to gain unauthorized access
to data or TOE resources.
 Unintentional errors in requirements specification or design of the TOE may occur,
leading to flaws that may be exploited by a casually mischievous user or program.
 Unintentional errors in implementation of the TOE design may occur, leading to flaws
that may be exploited by a casually mischievous user or program.
 The developer or tester performs insufficient tests to demonstrate that all TOE security
functions operate correctly (including in a fielded TOE) may occur, resulting in incorrect
TOE behavior being undiscovered leading to flaws that may be exploited by a
mischievous user or program.
 A user or process may gain unauthorized access to data through reallocation of TOE
resources from one user or process to another.
 A user or process may cause, through an unsophisticated attack, TSF data, or executable
code to be inappropriately accessed (viewed, modified, or deleted).
 A user may gain unauthorized access to an unattended session.
 A user may gain access to services (either on the TOE or by sending data through the
TOE) for which they are not authorized according to the TOE security policy.
 An unauthorized user or process may gain access to an administrative account.
1.4 Organizational Security Policies
The ST identifies the following organizational security policies that the TOE and its IT
environment are intended to fulfill:
 The TOE shall display an initial banner for administrator logins describing restrictions of
use, legal agreements, or any other appropriate information to which users consent by
accessing the system.
 The authorized users of the TOE shall be held accountable for their actions within the
TOE.
 The TOE shall provide cryptographic functions for its own use, including
encryption/decryption operations.
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
4
 Only NIST FIPS validated cryptography (methods and implementations) are acceptable
for key management (i.e.; generation, access, distribution, destruction, handling, and
storage of keys) and cryptographic services (i.e.; encryption, decryption, signature,
hashing, key exchange, and random number generation services).
 The TOE shall provide the capability to encrypt/decrypt wireless network traffic between
the TOE and those wireless clients that are authorized to join the network.
 In accordance with the DOD Wireless Policy, there will be no ad hoc 802.11 or 802.15
networks allowed.
2 Identification
The evaluated product is Aruba Mobility Controller and Access Point Series, comprising:
o Aruba Mobility Controllers: Aruba MC 200, MC 800, MC 3200, MC3400, MC3600 and
MC 6000.
o Aruba Access Points: Aruba AP-60, AP-61, AP-65, AP-70, AP-85, AP-120, AP-121, AP-
124 and AP-125.
o ArubaOS version 3.4.2.3
3 Security Policy
The TOE enforces the following security policies as described in the ST.
Note: Much of the description of the Aruba Mobility Controller and Access Point Series
security policy has been extracted and reworked from the Aruba Mobility Controller and
Access Point Series ST and Final ETR.
3.1 Security Audit
The TOE is capable of auditing security relevant events such as logins, administrator actions, use
of trusted channel and path, cryptographic operations, resource limitation exceeded, etc. Each
audit event includes the date and time of the event, the type of event, the subject identity (if
applicable), and the outcome of the event. The administrator can include and exclude events to be
audited based on specific criteria. The TOE can detect security event/violation based on signature
and perform the appropriate action such as alerting the administrator or denying access.
3.2 Cryptographic Support
The TOE has been certified as a FIPS 140-2 cryptographic module (FIPS 140-2 certified
Certificates #:1297, #1116, #1109, #1077, and #1075) at Security Level 2. When in FIPS mode,
the cryptographic module only employs FIPS-approved RNG, key generation, establishment,
zeroization, encryption, digital signature, and hashing algorithms.
3.3 User Data Protection
The TOE provides both policies and access control lists (ACLs) to control information flow.
Firewall policies identify specific characteristics about a data packet and specify the action to take
based on that identification. ACLs provide a method of restricting certain types of traffic on a
physical port based on IP address, port, protocol, etc. Administrators can apply firewall policies
to user roles and give differential treatment to different users on the same network, or to physical
ports and apply the same policy to all traffic through the port. The TOE can also group wireless
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
5
clients into separate virtual LANs (VLANs). The TOE protects the data between itself and the
wireless clients using AES or TDES. The TOE ensures any previous information content is made
unavailable upon the allocation of a memory buffer to a network packet.
3.4 Identification and Authentication
The TOE can maintain administrator and user attributes, including credentials such as
username and password for administrators and session key and role for remote
authenticated users (username and password can be stored in the TOE’s internal database
or in an authentication server in the operational environment). The TOE requires
identification and authentication (either locally or remotely through external
authentication server, internally, or both) of administrators managing the TOE. The TOE
provides various mechanisms for identifying and authenticating wireless clients,
including captive portal and 802.1X. After an administrator-specified number of failed
authentication attempts, the user account is locked out. In addition, the password
mechanism can be configured to have a minimum length of six characters.
3.5 Security Management
The TOE provides the capability to manage auditing, cryptographic operations, intrusion
protection functions, password minimum length enforcement, user accounts, policies & ACLs
rules, advisory banner, and timeout (inactivity threshold) value. The management functions are
restricted to an administrator role. The role must have the appropriate access privileges or access
will be denied. The wireless user role has no access to the management interfaces. The
information flow policy blocks packets by default and only administrators can change the default
values. The FIPS-validated TOE ensures that only secure values are accepted for security
attributes.
3.6 Protection of the TSF
The TOE provides integrity protection for all communication between its components. This
prevents unauthorized modification of TSF data during transmission. The TOE also provides self-
tests to ensure the correct operation of the cryptographic functions and TSF hardware. There is an
option for the administrator to verify the integrity of stored TSF executable code. The
communication between the TOE and another trusted IT product (e.g., NTP, syslog, RADIUS) is
protected through a trusted channel. The communication between the TOE and remote
administrators is protected through a trusted path.
3.7 Resource Utilization
The TOE can enforce maximum usage quotas on the number of concurrent sessions available to
each named group of users.
3.8 TOE Access
The TOE allows administrators to configure a period of inactivity for a user’s session. Once that
time period has been reached while the session has no activity, the session is terminated. A
warning banner is displayed at the management interfaces (Web GUI and CLI) to advise users on
appropriate use and penalty for misuse of the system.
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
6
3.9 Trusted Path/Channels
The TOE provides an encrypted channel between itself and third-party trusted IT entities in the
operating environment. The TOE also provides a protected communication path between itself
and wireless users.
4 Assumptions
The ST identifies the following assumptions about the use of the product:
 Administrators are non-hostile, appropriately trained and follow all administrator
guidance.
 There are no general-purpose computing or storage repository capabilities (e.g.,
compilers, editors, or user applications) available on the TOE.
 Physical security, commensurate with the value of the TOE and the data it contains, is
assumed to be provided by the environment.
 Wireless clients are configured so that information cannot flow between a wireless client
and any other wireless client or host networked to the TOE without passing through the
TOE.
4.1 Clarification of Scope
All evaluations (and all products) have limitations, as well as potential misconceptions that need
clarifying. This text covers some of the more important limitations and clarifications of this
evaluation. Note that:
1. As with any evaluation, this evaluation only shows that the evaluated configuration meets
the security claims made, with a certain level of assurance (EAL 4 augmented with
ALC_FLR.2).
2. This evaluation only covers the specific model numbers and software version identified
in this document, and not any earlier or later versions released or in process.
3. The TOE must be configured in FIPS mode in the evaluated configuration.
4. The following add-on software modules, which are not part of the ArubaOS base
software package and require separate product licenses, are included in the scope of
evaluation and required in the evaluated configuration:
a. Policy Enforcement Firewall—provides identity-based security for wired and
wireless clients.
b. Wireless Intrusion Protection—detects, classifies and limits designated wireless
security threats such as rogue APs, denial of service attacks, malicious wireless
attacks, impersonations, and unauthorized intrusions.
c. VPN Server—enables controllers to provide Virtual Private Network (VPN)
tunnel termination to local and remote clients, and provides site-to-site VPN
tunnels between controllers and third-party VPN concentrators.
5. The TOE utilizes third-party software and hardware components in its operational
environment, as follows:
a. syslog server to store audit records
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
7
b. authentication server to authenticate users (RADIUS, LDAP, and TACACS+ are
supported)
c. Network Time Protocol (NTP) server to obtain reliable time stamps
d. SNMP server to capture SNMP traps. For security reasons, only SNMPv3 is
allowed in the evaluated configuration.
e. The remote administrator can use a web browser to access the Web GUI interface
and/or use SSH client to access the CLI. Note that Telnet cannot be used to
access the CLI in the CC evaluated configuration.
5 Architectural Information
This section provides a high level description of the TOE and its components as described in the
Security Target and design documentation.
At a high level, Aruba Mobility Controllers consist of two main components:
 Control Plane (CP)—implements functions which can be handled at lower speeds such as
Mobility Controller system management (CLI and Web GUI), user authentication (e.g.
802.1X, RADIUS, LDAP, captive portal), Internet Key Exchange (IKE),
auditing/logging (SYSLOG), Wireless IDS (WIDS), and termination of protocols
operating at the system level (e.g. SSH, TLS, NTP, etc.).
 Data Plane (DP)—implements functions that must be handled at high speeds such as
high-speed switching functions (forwarding, VLAN tagging/enforcement, bridging),
termination of 802.11 associations/sessions, tunnel termination (GRE, IPsec),
firewall/ACL and deep packet inspection functions, and cryptographic acceleration.
The CP runs the Linux OS, along with various custom user-space applications which provide CP
functions. This suite of custom user-space applications, which constitutes ArubaOS, provides the
following functions:
 Monitoring and managing critical system resources, including processes, memory, and
flash
 Sending and receiving PAPI1
protocol messages to and from managed APs as well as
other mobility controllers
 Managing system configuration and licensing
 Managing an internal database used to store licenses, user authentication information, etc
 Providing network anomaly detection, hardware monitoring, mobility management,
wireless management, and radio frequency management services
 Providing a Command Line Interface (CLI) for the MC
 Providing a web-based management UI for the MC, as well as an optional captive portal
login page for wireless users
 Providing various WLAN station and AP management functions
1
PAPI is an Aruba-proprietary WLAN management protocol and provides no direct security.
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
8
 Providing authentication services for the system management interfaces (CLI, web GUI)
and wireless users
 Providing IPSec key management services for remote APs, VPN users, and connections
with other Aruba mobility controllers
 Providing Network Time Protocol service for APs, point-to-point tunneling protocol
services for users, layer 2 tunneling protocol services for users, file transfer protocol
services for users, serial over Ethernet connection services for administration of directly-
connected APs, SSH services for incoming management connections, SNMP client/agent
services, and protocol independent multicast (routing) services for the controller
 Providing syslog services by sending logs to the operating environment.
The DP is further subdivided into two subcomponents: Fast Path (FP) and Slow2
Path (SP). The
FP implements high-speed packet forwarding based on various proprietary tables, and on table
miss will send the packets to SP. The SP manages all DP tables such as user, ACL, station,
tunnel, route, ARP cache, session, bridge, VLAN, and port. The SP also performs deep packet
inspection and cryptographic processing.
The Linux OS running on the CP is MontaVista’s Embedded Linux. Linux is a soft real-time,
multi-threaded operating system that supports memory protection between processes. Only Aruba
provided interfaces are used, and the CLI is a restricted command set. For the 3000 series, this OS
implements both the control and data planes.
For all but the 3000 series, the data plane is primarily implemented on the SiByte platform3
. A
lightweight, Aruba-proprietary OS called SOS runs on the SiByte platform. SOS contains an
Ethernet driver, a serial driver, a logging facility, semaphore support, and a crypto driver. In the
MC 6000 controller, a Field Programmable Gate Array (FPGA) is used to control and monitor the
switch fabric, MACs, PHYs, SoE, and PoE and provide security functionality such as filtering.
The DP and CP run on different hardware platforms but the security functionality remains the
same, regardless of the model. The differences in the platforms are in the processors, memory
capacity, physical interfaces, FPGA implementation, etc., and are based on performance and
scalability requirements. The table below shows the different models based on maximum number
of APs and users supported.
Table 2 – Mobility Controller Specifications
Product
Max. # of
APs
Max. #
of Users
Typical Deployment
MC 6000 2,048 32,768 Headquarters/ Large Campus
MC 3000 Series 128 2,048 Medium/Large Enterprise/Campus
MC 800 16 256 Branch Office
MC 200 6 100 Small Offices/ Retail Store
Each Aruba AP is a wireless hardware device that is enclosed in a plastic encasing. The ArubaOS
provides the security functionality for the APs. The ArubaOS runs on an embedded Linux kernel.
2
The entire DP (including both FP and SP elements) is a high-speed packet processor, so the SP
designation should be understood to be relative.
3
SiByte refers to the hardware architecture of the TOE which includes Broadcom SiByte MIPS
processors and cryptographic processor.
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
9
Similar to the controllers, the security functionality of the different models are the same with
differences in platforms based on performance and scalability requirements only. At a high level,
the APs consist of the following subsystems:
 Processor subsystem—performs the packet processing functions on the packet
 Memory subsystem—contains memory which supports the Processor subsystem
 Ethernet Controller subsystem—includes integrated Ethernet MAC for transfer of
10/100 Ethernet packets between the AP and the wired network
 Radio Controller subsystem—there are two radio controllers, 802.11a (5 GHz range) and
802.11b/g (2.4 GHz range)
 Wireless Antenna subsystem—interface between the wireless world and the AP. The
antenna handles both 5 GHz and 2.4 GHz ranges
 PoE (Power over Ethernet) subsystem—receives 48V power over the Ethernet
 SoE (Serial over Ethernet) subsystem—contains the RS-232 serial port circuitry for
communicating with the switch connected to the 10/100 port
 USB subsystem—the AP-70 supports one USB V2.0 compliant port (up to 480 Mbps). A
PCI to USB 2.0 controller is used to interface to the system host
 Serial subsystem—the AP-120 supports a serial console port on the front panel that
utilizes a RJ45 jack and connects directly to serial port 0 via the RS232 transceiver.
6 Documentation
6.1 Product Guidance
The guidance documentation examined during the course of the evaluation and therefore
delivered with the TOE is as follows:
 Aruba AP-120 Series Indoor Access Point Installation Guide, Apr 2009
 Aruba AP-60/61 Access Point Installation Guide, Apr 2008
 Aruba AP-65 Wireless Access Point Installation Guide, 20 Aug 2008
 Aruba AP-70 Access Point Installation Guide, Nov 2009
 Aruba AP-85 Outdoor Access Point Series Installation Guide, Feb 2010
 ArubaOS 3.4.2.2-FIPS Release Notes, Apr 2010
 ArubaOS 3.4.2 Command Line Interface Reference Guide, Dec 2009
 ArubaOS 3.4.2 MIB Reference Guide, Jun 2008
 ArubaOS 3.4.2 Quick Start Guide, Dec 2009
 ArubaOS 3.4.2 User Guide, Dec 2009
 ArubaOS 3.4.2 Software Upgrade Guide, Dec 2009
 Aruba Common Criteria EAL4 Addendum, Apr 2010
 Aruba 200 Mobility Controller Installation Guide, May 2006
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
10
 Aruba 3000 Multi Service Mobility Controller Series Installation Guide, Sep 2007
 Aruba 6000 Series Mobility Controller Installation Guide, May 2006
 Aruba 800 Series Mobility Controller Installation Guide, Jan 2006
 ArubaOS 3.4.2 Syslog Messages Reference Guide, Aug 2009
7 Product Testing
This section describes the testing efforts of the developer and the Evaluation Team. It is derived
from information contained in the Evaluation Team Test Report for Aruba Mobility Controller
and Access Point Series.
Evaluation team testing was conducted at the vendor’s development site April 11 through April
14, 2011.
7.1 Developer Testing
The vendor’s approach to testing is based primarily on comprehensive testing of the network
protocols forming the majority of the TSFI. Much of the testing is automated using a dedicated
security analyzer (the Mu-4000) to thoroughly exercise the TSFI. Additional manual testing is
also performed to demonstrate capabilities specified in the SFRs that are not directly discernible
through protocol testing, and to generate specific audit records or packet streams for capture and
subsequent analysis. The vendor has developed a test suite comprising interface tests specific to
each TSFI described in the functional specification.
The vendor’s test documentation additionally includes security conformance tests for the
following protocols and associated RFCs:
 EAP TLS Authentication Protocol (RFC 2716)
 EAP Tunneled TLS Authentication Protocol (RFC 5281)
 HTTP over TLS (RFC 2818)
 IPsec/IKE (RFC 2408, RFC 2409)
 IPsec/ESP (RFC 4303)
 Protected EAP (PEAP) Version 0
 RADIUS (RFC 2138, RFC 2869, RFC 3579, RFC 3580)
 SSH (RFC 4251, RFC 4252, RFC 4253, RFC 4254).
Each protocol or (for protocols defined by multiple RFCs) RFC has a test case specification that
describes the test cases for testing each conformance statement in the corresponding RFC
conformance document. Each test case maps to one or more test identifiers, which identify the
specific conformance statements tested.
The vendor ran the TOE test suites in various configurations, consistent with the test environment
described in the testing documentation, and provided the evaluation team with the actual results.
The test configurations were representative of the Mobility Controller and Access Point
appliances included in the evaluated configuration. All tests passed.
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
11
7.2 Evaluation Team Independent Testing
The evaluation team executed a sample of the vendor test suite, per the evaluated configuration as
described in the Aruba Mobility Controller and Access Point Series Security Target. The tests
were run on a selection of the test configurations described in the various interface test
documents.
The developer’s test documentation describes different test configurations for each of the TSFI
that is tested. The documentation identifies different models of the TOE components that were
used in the test configurations. The evaluation team performed its tests on two test bed
configurations as follows:
 An MC-3400 Mobility Controller with an AP-125 Access Point. The MC-3400 is a high-
end mobility controller based on the XLR architecture described in the Architecture
Overview, while the AP-120 series of access points (which includes the AP-125) are the
only access points in the valuated configuration that include a hardware cryptographic
module.
 An MC-800 Mobility Controller and an AP-70 Access Point. The MC-800 is a low-end
Mobility Controller based on the legacy architecture described in the Architecture
Overview.
All MCs run the same MC code base, all APs run the same AP code base, and all MCs and APs
in the evaluated configuration are also FIPS 140-2 validated.
The test environment included the following IT components that are external to the TOE but are
required in the TOE’s operational environment:
 Client computers to support remote administration—in the test environment, these
comprised laptops equipped with Windows XP or Linux. On the Windows XP platforms,
Putty was used to provide access to the CLI using SSH and either Internet Explorer or
Mozilla Firefox was used to provide access to the WebUI using HTTPS, while on the
Linux platforms Openssh was used to access the CLI and Mozilla Firefox was used to
access the WebUI.
 Wireless clients—in the test environment, these comprised laptops equipped with
Windows XP and Odyssey Access Client to provide wireless client access to the TOE.
 A RADIUS server to support remote authentication of wireless client users.
 An NTP server to provide a synchronized timestamp to the network components.
 An SNMP server to receive traps generated by the TOE.
The test environment provided by the vendor included the following tools used in a number of the
vendor’s tests:
 Wireshark—used to capture and examine packet streams
 Colasoft Packet Builder—used to craft or modify network packets
 MG-SOFT MIB browser—an SNMP browser used to monitor network-attached devices
when testing SNMP
 OpenSSL—used in manual testing of the TOE’s TLS implementation
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
12
 Paros proxy—used to intercept and modify HTTP/HTTPS data transmitted between a
client and server
 Backtrack4—provides a large collection of security-related tools ranging from port
scanners to password crackers
 IxANVL (Automated Network Validation Library) software from Ixia—used to
demonstrate RFC conformance of specific protocols
 Mu-4000 security analyzer—used to exercise the TOE’s implementation of specific
protocols.
The evaluation team performed the following additional functional tests:
 Audit Data Generation—the evaluation team confirmed, through examination and
analysis of the audit trail produced by running the vendor test sample and the evaluation
team’s own tests, that all audit records specified in the ST can be generated by the TOE.
 Audit Function Management—the evaluation team determined, through testing and
examination of the developer’s guidance documentation, that the security audit function
is always enabled when the TOE is operating and there is no command provided to
disable the audit function.
 Selective Audit—the evaluation team confirmed the descriptions in the ST that the
administrator is able to include and exclude auditable events from the set of audited
events based on specified criteria.
 Administrator Login—the evaluation team confirmed the behavior of the identification
and authentication mechanisms for remote administrators.
 Password Constraints—the evaluation team confirmed the TOE enforces a minimum
password length of 6 characters for all passwords, and that the administrator can
configure a Management Password policy to set a minimum password length in the range
6..64 and specify additional restrictions, based on password composition rules.
 Information Flow at AP—the evaluation team confirmed the Access Point components
of the TOE enforce information flow (firewall) rules and NAT policy when configured in
remote bridge mode.
 Security Management—the evaluation team confirmed that all management capabilities
specified and described in the ST are described accurately and are limited to appropriate
security management roles.
 Maximum Simultaneous Sessions—the evaluation team confirmed the TOE enforces
the maximum number of sessions specified for a defined user role.
7.3 Penetration Testing
The evaluation team conducted an open source search for vulnerabilities in the TOE, identifying a
number of vulnerabilities reported against earlier versions of ArubaOS or third-party libraries that
are incorporated within ArubaOS. The evaluation team determined, through analysis of
vulnerability descriptions and consideration of the method of use of the TOE, that two of these
reported vulnerabilities are not relevant to the TOE in its evaluated configuration—one relates to
SNMP, which must be configured for SNMPv3 in the evaluated configuration, and the other is a
documented feature, which has appropriate guidance associated with it in the product guidance
documentation. The evaluators additionally confirmed, through examination of the vendor’s CM
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
13
records, that the other vulnerabilities have had fixes developed and applied to ArubaOS and do
not exist in the evaluated version of the TOE.
The evaluation team also performed a port scan of the TOE using Nmap. The evaluation team
confirmed all open ports identified by the scan were identified in the TOE guidance as ports that
are open by default, but only on the trusted side of the network.
In addition to the open source search and port scan, the evaluation team considered other potential
vulnerabilities, based on a focused search of the evaluation evidence. Some of the ideas for
vulnerability tests identified by the evaluation team were already covered by vendor functional
tests or by the independent functional tests devised by the evaluation team. Others were
determined, through analysis, not to present exploitable vulnerabilities. The evaluation team
performed tests to confirm:
 The TOE accepts only SSHv2 connections. Attempts to connect to the CLI using SSHv1
are refused.
 The TOE does not allow MIB values to be modified via SNMP—they can only be read.
In addition, when SNMPv3 is configured, all SNMP packet data is encrypted, and any
attempt to execute an SNMP request must specify the correct authentication and privacy
credentials.
8 Evaluated Configuration
The evaluated version of the TOE is identified as: Aruba Mobility Controller and Access Point
Series, comprising:
o Aruba Mobility Controllers: Aruba MC 200, MC 800, MC 3200, MC3400, MC3600 and
MC 6000.
o Aruba Access Points: Aruba AP-60, AP-61, AP-65, AP-70, AP-85, AP-120, AP-121, AP-
124 and AP-125.
o ArubaOS version 3.4.2.3.
The TOE is a Wireless Local Area Network (WLAN) access system comprising Aruba Mobility
Controllers, Access Points, and the ArubaOS. The Aruba Mobility Controller (MC) appliances
are wireless switches that provide a wide range of wireless and wired network mobility, security,
centralized management, auditing, authentication, and remote access. The Aruba Access Point
(AP) appliances service wireless clients (part of the operational environment) and can monitor
radio frequency spectrums to detect intrusions, denial of service (DoS) attacks, and other
vulnerabilities. The ArubaOS is a suite of mobility applications that runs on all Aruba MCs and
APs and allows administrators to configure and manage the wireless and mobile user
environment.
The TOE relies on third-party software and hardware components in the operating environment.
The TOE can utilize an external audit server (support syslog) to store audit records and external
authentication server (support RADIUS, LDAP, TACACS+) to authenticate users. In addition,
the TOE uses an external Time server (support NTP) to obtain reliable time stamps and external
SNMP server to capture SNMP traps. For security reasons, only SNMPv3 is allowed in the
evaluated configuration. The remote administrator can use a web browser to access the Web GUI
interface and/or use SSH client to access the CLI. The local administrator can use the serial port
to access the CLI. Neither the web browser or SSH client is part of the TOE. Note that Telnet
cannot be used to access the CLI in the CC evaluated configuration.
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
14
9 Results of the Evaluation
The evaluation was conducted based upon version 3.1 Revision 2 of the CC and the CEM. A
verdict for an assurance component is determined by the resulting verdicts assigned to the
corresponding evaluator action elements. The evaluation team assigned a Pass, Fail, or
Inconclusive verdict to each work unit of each assurance component. For Fail or Inconclusive
work unit verdicts, the evaluation team advised the developer of issues requiring resolution or
clarification within the evaluation evidence. In this way, the evaluation team assigned an overall
Pass verdict to the assurance component only when all of the work units for that component had
been assigned a Pass verdict.
The validation team agreed with the conclusion of the evaluation team, and recommended to
CCEVS management that an ―EAL4 augmented with ALC_FLR.2‖ certificate rating be issued
for Aruba Mobility Controller and Access Point Series.
The details of the evaluation are recorded in the Evaluation Technical Report (ETR), which is
controlled by the SAIC CCTL. The security assurance requirements are listed in the following
table.
Table 3 – TOE Security Assurance Requirements
Assurance Component ID Assurance Component Name
ADV_ARC.1 Security Architecture Description
ADV_FSP.4 Complete Functional Specification
ADV_IMP.1 Implementation Representation of the TOE
ADV_TDS.3 Basic Modular Design
AGD_OPE.1 Operational User Guidance
AGD_PRE.1 Preparative Procedures
ALC_CMC.4 Production Support, Acceptance Procedures and Automation
ALC_CMS.4 Problem Tracking CM Coverage
ALC_DEL.1 Delivery Procedures
ALC_DVS.1 Identification of Security Measures
ALC_FLR.2 Flaw Reporting Procedures
ALC_LCD.1 Developer Defined Life-cycle Model
ALC_TAT.1 Well-defined Development Tools
ATE_COV.2 Analysis of Coverage
ATE_DPT.2 Testing: Security Enforcing Modules
ATE_FUN.1 Functional Testing
ATE_IND.2 Independent Testing – Sample
AVA_VAN.3 Focused Vulnerability Analysis
VALIDATION REPORT
Aruba Mobility Controller and Access Point Series
15
10 Validator Comments/Recommendations
1. The TOE does not support authenticated NTP for time synchronization. The TOE end-
user must ensure that the communications path for NTP and the time server is trusted.
2. The TOE permits configuration of key sizes smaller than required in the Protection
Profile. TOE users should select the required key sizes during configuration.
11 Annexes
Not applicable.
12 Security Target
The ST for this product’s evaluation is Aruba Mobility Controller and Access Point Series
Security Target, Version 1.0, dated May 6, 2011.
13 Bibliography
1. Common Criteria for Information Technology Security Evaluation – Part 1: Introduction
and general model, Version 3.1, Revision 1, September 2006, CCIMB-2006-09-001.
2. Common Criteria for Information Technology Security Evaluation – Part 2: Security
functional components, Version 3.1, Revision 2, September 2007, CCIMB-2007-09-002.
3. Common Criteria for Information Technology Security Evaluation – Part 3: Security
assurance components, Version 3.1, Revision 2, September 2007, CCIMB-2007-09-003.
4. Common Methodology for Information Technology Security: Evaluation methodology,
Version 3.1, Revision 2, September 2007, CCIMB-2007-09-004.
5. Aruba Mobility Controller and Access Point Series Security Target, Version 1.0, May 6,
2011.