The Aruba Networks Mobility Controller a network device, stateful traffic filter firewall and VPN gateway It is a network device that serves as a gateway between wired and wireless networks and provides command-and-control over Access Points (APs) within an Aruba dependant wireless network. ArubaOS 184.108.40.206 FIPS is the underlying operating system of the Mobility Controller, which is available in modular chassis or network appliance models:
a) Aruba 7000 Series Mobility controller. (7240, 7220, 7205, 7210, 7030, 7024, 7010, 7005)
b) Aruba 6000 Series. The Aruba 6000 with M3 blades are designed for corporate headquarters and large campus deployments.
c) Aruba 3000 Series. The Aruba 3200, 3400 and 3600 are designed for small, medium and large enterprises.
d) Aruba 600 Series. The Aruba 620 and 650 are designed for branch offices and similar deployments.
The TOE provides the following security functions:
a) Protected communications. The TOE protects the following communication flows:
i) WebUI. Communication with the administrative web user interface (WebUI) is protected using TLS/HTTPS.
ii) CLI. Remote administration via the Command Line Interface (CLI) is protected using SSHv2.
iii) Syslog. Syslog messages are protected using IPSec.
iv) Radius. Radius authentication messages are protected using IPSec.
b) Verifiable updates. Updates are digitally signed and verified upon installation utilizing digital signatures.
c) System monitoring. The TOE maintains an audit log of administrative and security relevant events. Logs can optionally be delivered to a Syslog server.
d) Secure administration. The TOE provides administration interfaces for configuration and monitoring. The TOE authenticates administrators and implements session timeouts.
e) Residual information clearing. The TOE ensures that network packets sent from the TOE do not include data "left over" from the processing of previous network information.
f) Self-test. The TOE performs both power-up and conditional self-tests to verify correct and secure operation.
g) Firewall. The TOE performs stateful packet filtering. Wireless clients connecting through APs are placed into user-roles. Stateful packet filter policies are applied to these user-roles to allow fine grained control over wireless traffic.
h) VPN gateway. The TOE may be used as a VPN gateway – a device at the edge of a private network that terminates an IPsec tunnel, which provides device authentication, confidentiality, and integrity of information traversing a public or untrusted network.
Product Maintenance: 10 October 2016: Assurance Maintenance conducted on TOE Version 220.127.116.11-FIPS. There are a number of changes that aim to improve the overall useability of the TOE, such as providing traffic analysis and blocked sessions which provide a dashboard view of the sessions blocked via ACLS or system logs.