This Site Has Been Decomissioned

This site remains for historical review purposes only. Any changes made to the data will not be saved.

 
NIAP: Assurance Continuity
  NIAP  »»  Product Compliant List  »»  Product Entry  »»  Assurance Continuity  
Assurance Continuity - HPE Aruba Networking 4100i, 6200, 6300, 6400, 8100, 8320, 8325, 8360, 8400, 9300, and 10000 Switch Series running ArubaOS-CX 10.13

Date of Maintenance Completion:  2024.05.30

Product Type:    Network Device

Conformance Claim:  Protection Profile Compliant

PP Identifier:    collaborative Protection Profile for Network Devices Version 2.2e

Original Evaluated TOE:  2023.12.05 - Aruba, a Hewlett Packard Enterprise Company 4100i, 6200, 6300, 6400, 8320, 8325, 8360, 8400, 9300, and 10000 Switch Series Version 10.11

CC Certificate [PDF] Validation Report [PDF] Assurance Activity [PDF]

Administrative Guide [PDF]

Please note:  The above files are for the Original Evaluated TOE.  Consequently, they do not refer to this maintained version, although they apply to the maintained version. 

Security Target [PDF] * Assurance Continuity Maintenance Report [PDF] Administrative Guide [PDF]

Please note:  This serves as an addendum to the VR for the Original Evaluated TOE. 

* This is the Security Target (ST) associated with this latest Maintenance Release.  To view previous STs for this TOE, click here.

Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product.  Maintenance only considers the affect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate.  Such assurance can only be gained through re-evaluation. 

Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of changes on the TOE are considered minor and that independent evaluator analysis was not necessary.  A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target.  Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents. 

Product Description

The TOE has been updated from Aruba, A Hewlett Packard Enterprise Company 4100i, 6200, 6300, 6400, 8320, 8325, 8360, 8400, 9300, and 10000 Switch Series Version 10.11 to Version 10.13. Below is a summary of the changes.

Ninety-six bug fixes and thirty-four enhancements were identified in the IAR between versions 10.11 and 10.13 along with a description and given rationale. Not all changes impacted all hardware platforms. The description and rationale for each bug fix or enhancement was inspected and the overall Minor Change characterization was considered appropriate. None of the changes resulted in the introduction of new TOE capabilities, modification to security functions as defined in the ST, or changes to the TOE boundary.  The following table includes a summary of the changes presented in the IAR that impact one or more of the evaluated platforms. The changes have been categorized according to Bug Fixes and Enhancements. 

Category

Number of Changes

Assessment

Bug Fixes – version 10.11 to 10.12

35

34 Bug Fixes were made for issues identified in previous releases. The bug fixes break out into the following categories:

 

29 - Unrelated to SFRs

6 - Outside the Scope of the Evaluated Configuration

 

None of the bug fixes affected the security functionality and none of the changes resulted in changes to the ST or guidance documentation. As noted, these changes were either unrelated to SFRs or outside the scope of the evaluated configuration. Thus, the original testing still holds, and any fix testing was covered by vendor non-evaluation regression testing.

 

Bug Fixes – version 10.12 to 10.13

61

61 Bug Fixes were made for issues identified in previous releases. The bug fixes break out into the following categories:

 

53 - Unrelated to SFRs

5 - Outside the Scope of the Evaluated Configuration

2 – Provides additional information not required by the PP or modifies the capture of information but does not impact what is required by the PP

1 – Resolved an unexpected process crash that was not impacting claims related to the SFR.

 

None of the bug fixes affected the security functionality required by the SFRs and none of the changes resulted in changes to the ST or guidance documentation. As noted, these changes were either unrelated to SFRs, outside the scope of the evaluated configuration, or did not impact the ability to meet the requirements of the PP/SFRs. Thus, the original testing still holds, and any fix testing was covered by vendor non-evaluation regression testing.

 

Enhancements – version 10.11 to 10.13 (no enhancements in 10.12)

34

34 Enhancements were made that impacted the management, control, or security of data plane traffic, the boot process, NTP, SNMP, and Access Point deployments, which are not covered by the SFR functionality claimed.

 

Specifically, 2 of the 34 Enhancements updated functionality related to commands and logging, but did not impact the evaluated configuration:

·       1 provides a new command structure, but the structure covered in the AGD is still functional and preferred.

·       1 provides additional information in the logs that is not required by the PP.

Vendor Information


Aruba, a Hewlett Packard Enterprise Company
Kevin Micciche
4046480062
aruba-product-security@hpe.com

www.arubanetworks.com
Site Map              Contact Us              Home