April 2016 Issue No: 1.0

Security Procedures

Aruba 7000 and 7200 series Mobility Controllers

IPsec Security Gateway

Security Procedures

Aruba 7000 and 7200 series Mobility Controllers IPsec Security Gateway

Issue No: 1.0 April 2016

The copyright of this document is reserved and vested in the Crown.

Document history

Version Date Comment

1.0 April 2016 First public release

About this document

These Security Procedures provide guidance in the secure operation of Aruba 7000 and 7200 series of Mobility Controllers (in relation to their operation as an IPsec Security Gateway). This document is intended for System Designers, Risk Managers and Accreditors. CESG recommends you establish whether any departmental or local standards, which may be more rigorous than national policy, should be followed in preference to those given in these Security Procedures. The Security Procedures come from detailed technical assessment carried out on behalf of CESG. They do not replace the need for tailored technical or legal advice on specific systems or issues. CESG and its advisors accept no liability whatsoever for any expense, liability, loss, claim or proceedings arising from reliance placed on this guidance.

Related documents

The documents listed in the References section are also relevant to the secure deployment of this product. For detailed information about device operation, refer to the Aruba Mobility Controller product documentation.

Points of contact

For additional hard copies of this document and general queries, please contact CESG using the following details.

CESG Enquiries
Hubble Road
Cheltenham
GL51 0EX
United Kingdom
[email protected]
Tel: 01242-709141

CESG welcomes feedback, positive or negative, about this document. Please email your comments to [email protected]

Contents:

Chapter 1 - Outline Description ..... 3
  Product Summary ..... 3
  Certification ..... 3
  Components ..... 3
Chapter 2 - Security Functionality ..... 4
Chapter 3 - Secure Operation ..... 5
  Pre-installation ..... 5
  Installation ..... 6
  Configuration ..... 6
  Operation ..... 9
  Maintenance and updates ..... 9
  System logs ..... 9
  System Administration ..... 11
Chapter 4 - Security Incidents ..... 12
  Incident management ..... 12
Chapter 5 - Disposal and Destruction ..... 13
  Routine destruction of equipment ..... 13
References ..... 14

Chapter 1 - Outline Description

Product Summary

1. The Aruba 7000 and 7200 series of Mobility Controllers are hardware appliances that are optimised for mobile application delivery over Wi-Fi, providing secure network access through Aruba Remote Access Points (ARAPs) and Virtual Intranet Access (VIA) client software. The Mobility Controller manages authentication, encryption, VPN connections, IPv4 and IPv6 Layer 3 services and stateful firewall policy enforcement.

Certification

2. The Aruba 7000 and 7200 series of Mobility Controllers have undergone CPA assessment and have been certified as meeting the Foundation Grade requirements as described in the IPsec Security Gateway Security Characteristic (SC) v2.3 (reference [a]). Later versions are automatically covered by this certification until the certificate expires or is revoked, as stated on the product’s certificate and on the CPA website¹.

3. It is important to note that, whilst the Mobility Controllers provide general support for IPv6, this does not extend to support for IPsec over IPv6. The product IPv6 option must therefore not be enabled when deploying a Mobility Controller as an IPsec Security Gateway (the option is disabled by default).

Components

4. The software running on the Mobility Controller is known as ArubaOS, which consists of two main components, known as the Control Plane (CP) and the Data Plane (DP). The CP implements functions such as system management, user authentication, Internet Key Exchange (IKE) and audit logging. The DP implements functions that must be handled at high speeds, such as IPsec tunnel termination, deep packet inspection functions and cryptographic acceleration.

5. A Mobility Controller should be treated at a security classification commensurate with the highest security classification of data which the device has handled or will handle.

¹ CPA website address: https://www.cesg.gov.uk/scheme/commercial-product-assurance-products-foundation-grade

Chapter 2 - Security Functionality

6. The Aruba 7000 and 7200 series of Mobility Controllers provide the following primary security functionality assessed at Foundation Grade:

Built-in IKEv2 VPN providing support for the PSN End-State IPsec profile

Implementation of approved cryptographic algorithms and Pseudo-Random Number Generator (PRNG) used in key generation

Protection of cryptographic keys and certificates, including zeroisation of all plaintext secret and private keys and Critical Security Parameters (CSPs) when no longer required

Restriction of Security Association (SA) lifetimes, in accordance with the approved IPsec profile

Mutual authentication of all IPsec connections, with full certificate chain verification and processing of the current certificate revocation list(s) as delivered through the Online Certificate Status Protocol (OCSP)

Restriction of access to the Mobility Controller configuration, which may only be modified by authorised administrators

Event logging, ensuring that relevant IPsec events are logged and timestamped, together with other events that may affect the security of the deployment. Event logs are protected from unauthorised access

Automatic forwarding of event logs to an external syslog server

Logon controls providing for identification and authentication of Mobility Controller administrators

Firewall policy enforcement to control the attack surface on the Mobility Controller external interfaces

ArubaOS Image Updates, supporting the timely application of security updates to the product and assuring their authenticity and integrity

Chapter 3 - Secure Operation

7. The following recommendations outline a configuration for the Aruba 7000 and 7200 series of Mobility Controllers that is in line with the SC for an IPsec Security Gateway (reference [a]). These requirements should be followed unless there is a strong business requirement not to do so. Such instances should be discussed with your Accreditor. Note that “must” is used in these security procedures to indicate a configuration instruction that is mandatory in order to ensure that a Mobility Controller is in a secure and approved state.

Pre-installation

8. Before installing the product, a check should be made to verify the authenticity of the installation media or the download contents.

9. As stated in the SC, the guidance and patterns described in the CESG Architectural Pattern No.2 - Walled Garden for Remote Access (AP2) (reference [b]) should be followed when deploying the Mobility Controller as part of a remote-working VPN deployment. In particular, the Mobility Controller should be deployed within a Demilitarised Zone (DMZ) network between an Edge firewall (connected to the less trusted network, e.g. Internet) and a Perimeter firewall (connected to the more trusted network e.g. Corporate).

10. A simplified deployment is illustrated below.

11. The deployment must be supported by an internal public key infrastructure (PKI), including:

An offline Root Certificate Authority (CA)

One or more intermediate (subordinate) CAs

One or more OCSP servers (unless the intermediate CAs are also configured to act as an OCSP server)

12. The deployment must be supported by one or more external syslog servers, configured to accept and store audit records from the Mobility Controller.

Installation

13. The equipment must be deployed in a data centre that has been accredited for the security classification of the data that the device is handling. In particular:

Physical access controls must restrict access to the server hardware to authorised personnel only, such that only the administrator can gain local access to the Mobility Controller

Physical access controls must restrict access to the management network to authorised personnel only, to prevent an unauthorised person from connecting an unauthorised device to it

Tamper-evident seals (available from Aruba Networks) should be placed over access points on the server, such that unauthorised entry to system internals can be detected through physical inspection. The tamper seals should be applied as described in Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-2 Level 2 (reference [c]) “Tamper-Evident Labels” (for the 7000 series models and also the 7205 model) or in Aruba 7200 Series Controllers with ArubaOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-2 Level 2 (reference [d]) “Tamper-Evident Labels” (for other models in the 7200 series). Tamper stickers should be uniquely identifiable to prevent an attacker successfully replacing them with new, undamaged stickers

14. Installation should only be performed by trained, knowledgeable and authorised personnel.

15. ArubaOS must be installed with the Advanced Cryptography License.

Configuration

16. The IPv6 option (see ArubaOS 6.4.x User Guide (reference [e]) Chapter 5) must not be enabled when deploying a Mobility Controller as an IPsec Security Gateway (it is disabled by default).

17. The deployment must use X.509 gateway and client certificates that are chained to a trusted, non-public, CA to enable revocation of the certificates and prevent issue of fraudulent certificates. Certificates must be uploaded to the Mobility Controller as described in the User Guide (reference [e]) Chapter 35 “Management Access” under “Managing Certificates”. As well as describing how to upload CA and OCSP responder certificates, the guidance also details how to generate a Certificate Signing Request (CSR) that can be sent to a CA to provision the Mobility Controller with a server certificate.

18. Certificate revocation checkpoints must be configured as detailed in the User Guide (reference [e]) Chapter 13 “Certificate Revocation” under “Configuring the Controller as an OCSP Client”; this involves specifying the URL of the designated OCSP responder and identifying the OCSP responder certificate that was previously uploaded to the Mobility Controller.

19. The following steps are required to ensure the Mobility Controller configuration complies with the IPsec Security Gateway SC (reference [a]):

Enable FIPS Mode (paragraph 20)

Configure IPsec policies (paragraph 21)

Lock down the Black Interface (paragraphs 22 to 23)

Configure Management Password policies (paragraph 28)

20. FIPS Mode must be enabled on the Mobility Controller. This may be achieved using either the Web User Interface (WebUI) or Command Line interface (CLI), as follows:

WebUI:

1. Navigate to the Configuration > Network > Controller > System Settings page.

2. Click the FIPS Mode for Controller Enable checkbox.

3. Click Apply.

CLI:

1. fips enable

21. The Mobility Controller must be configured with at least one IKE policy that satisfies the PSN End-State profile cryptographic algorithm requirements as defined in the IPsec Security Gateway SC (reference [a]) Section 1.6. This can be the Default 10008 or Default 10009 policies supplied with the product², or a custom IKE policy. All other IKE policies (including the factory-default policies) should be disabled. Guidance on how to achieve this is provided in the ArubaOS User Guide (reference [e]), Chapter 15 “Virtual Private Networks” under “Configuring IKE Policies”.

22. The connection to the less trusted network (Black interface) must be locked down to enable only those services that are required to enable VPN clients or other security gateways on the less trusted network to establish a VPN connection to the Mobility Controller. This can be achieved through the following CLI commands (where “<<IP address>>” should be replaced with the designated IP address of the Mobility Controller on the Black interface):

² Note that the Default 10009 policy exceeds the PSN End-State profile requirements and so may be unsuitable for deployments where interoperability with other IPsec devices is required.

ip access-list session "firewall-inbound-acl"
any host <<IP address>> svc-natt permit

The following command is ONLY required if Aruba VIA clients are in use on the less trusted network:

any host <<IP address>> svc-https permit

The following two commands are ONLY required if other third-party IPsec clients are in use on the less trusted network:

any host <<IP address>> svc-esp permit
any host <<IP address>> svc-ike permit

23. These are followed by the following command (this assumes that gigabitethernet 0/0/0 is the designated Mobility Controller interface to the less trusted network):

interface gigabitethernet 0/0/0
ip access-group "firewall-inbound-acl" session
!
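As an added check that is not Aruba code and not part of these procedures, the following Python script parses a captured configuration fragment and verifies the Black-interface lock-down of paragraphs 22 and 23: the bound ACL must permit only the services the deployment type needs, and only to the Black address. The fragments, the interface name and the address 198.51.100.10 are constructed; svc-ssh is assumed to be a service alias an administrator might have added.

```python
"""Check a captured ArubaOS CLI fragment against the Black-interface lock-down in
paragraphs 22 and 23. Added example, not Aruba code and not part of the CESG
procedures; it only understands the command forms used in the procedure, and the
configuration text below is constructed."""
import re

BASELINE = {"svc-natt"}                    # always required
VIA_ONLY = {"svc-https"}                   # only when Aruba VIA clients are in use
THIRD_PARTY_ONLY = {"svc-esp", "svc-ike"}  # only when third-party IPsec clients are in use

ACL_RE = re.compile(r'^ip access-list session "?([^"\s]+)"?$')
RULE_RE = re.compile(r"^any host (\S+) (\S+) (permit|deny)$")
IFACE_RE = re.compile(r"^interface (\S+ \S+)$")
GROUP_RE = re.compile(r'^ip access-group "?([^"\s]+)"?\s+session$')


def parse_config(text):
    """Return {'acls': name -> [(dst, service, action)], 'bindings': interface -> acl,
    'unparsed': [(acl, line)]}. '!' or a blank line closes the current block."""
    cfg = {"acls": {}, "bindings": {}, "unparsed": []}
    acl = iface = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "!":
            acl = iface = None
        elif m := ACL_RE.match(line):
            acl, iface = m.group(1), None
            cfg["acls"].setdefault(acl, [])
        elif m := IFACE_RE.match(line):
            iface, acl = m.group(1), None
        elif acl and (m := RULE_RE.match(line)):
            cfg["acls"][acl].append(m.groups())
        elif iface and (m := GROUP_RE.match(line)):
            cfg["bindings"][iface] = m.group(1)
        elif acl:
            cfg["unparsed"].append((acl, line))  # e.g. 'any any any permit' or a port rule
    return cfg


def check_lockdown(cfg, black_iface, black_ip, via_clients=False, third_party_clients=False):
    """Return a list of findings; empty means the fragment matches the procedure."""
    allowed = set(BASELINE)
    if via_clients:
        allowed |= VIA_ONLY
    if third_party_clients:
        allowed |= THIRD_PARTY_ONLY
    acl_name = cfg["bindings"].get(black_iface)
    if acl_name is None:
        return [f"no session ACL applied to {black_iface}: interface is not locked down"]
    if acl_name not in cfg["acls"]:
        return [f"ACL {acl_name!r} is applied to {black_iface} but never defined"]
    findings, permitted = [], set()
    for dst, svc, action in cfg["acls"][acl_name]:
        if action != "permit":
            continue                         # explicit denies only narrow exposure
        if dst != black_ip:
            findings.append(f"{svc} permitted to {dst}, not the Black address {black_ip}")
        if svc not in allowed:
            findings.append(f"{svc} permitted but not required for this deployment type")
        permitted.add(svc)
    for svc in sorted(allowed - permitted):
        findings.append(f"required service {svc} is not permitted; clients cannot connect")
    for name, line in cfg["unparsed"]:
        if name == acl_name:
            findings.append(f"unrecognised rule in {name!r}, review manually: {line}")
    return findings


# Constructed fragments: 198.51.100.10 and the interface name are assumed. The first
# follows the procedure for a VIA-client deployment; the second adds an svc-ssh permit
# (assumed service alias) and an 'any any any permit' that opens everything.
COMPLIANT = """
ip access-list session "firewall-inbound-acl"
any host 198.51.100.10 svc-natt permit
any host 198.51.100.10 svc-https permit
!
interface gigabitethernet 0/0/0
ip access-group "firewall-inbound-acl" session
!
"""
OVER_PERMISSIVE = COMPLIANT.replace(
    "svc-https permit\n",
    "svc-https permit\nany host 198.51.100.10 svc-ssh permit\nany any any permit\n")
```

Run `check_lockdown(parse_config(text), "gigabitethernet 0/0/0", "198.51.100.10", via_clients=True)` against each fragment: the first returns no findings, the second reports the unneeded svc-ssh permit and the unrecognised catch-all rule.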

24. Further details on configuring the Mobility Controller’s firewall policies are provided in the User Guide (reference [e]) Chapter 16 “Roles and Policies” under “Configuring Firewall Policies”. See also ArubaOS 6.4.x Command-Line Interface Reference Guide (reference [f]).

25. The Mobility Controller must be configured as a dedicated Virtual Private Network (VPN) server and must not host other services.

26. The guidance in the ArubaOS Hardening Guide (reference [g]), section “Locking Down Administrative Access”, must be followed to secure the management interfaces for the Mobility Controller and ensure that access is permitted only from authorised sources, for example a dedicated management subnet.

27. The Management Password Policy rules should be set to ensure that administrator passwords are suitably complex, in accordance with organisational security policies and accreditation requirements.

28. The Management Password Policy rules should be configured to set the following parameters to non-zero values, as directed by organisational security policies and accreditation requirements:

Maximum Number of failed attempts in 3 minute window to lockout user (any value from 1-10 is permitted)

Time duration to lockout the user upon crossing the “lock-out” threshold (any value from 1 minute upwards is permitted).

29. Endpoints should be configured in line with good IT practice as part of a risk-managed accredited system.

Operation

30. The Mobility Controller must only be used with other VPN Security Gateways and Clients that have been certified to CPA Foundation Grade.

31. Management of the Mobility Controller must be carried out either via the WebUI over a Secure Sockets Layer (SSL) connection, via the CLI over a Secure Shell (SSH) connection, or via a physical console connection.

32. If the WebUI interface is used for configuring and managing the Mobility Controller, the browser used for such access must not be configured to save passwords or session cookies.

33. The deployment should reissue client certificates every 2 years. The previous versions should be revoked by generating the appropriate CRLs and appropriate revocation checkpoints on the Mobility Controller (see the User Guide (reference [e]) Chapter 35 “Management Access” under “Managing Certificates”).

34. All certificates and, where possible, keys should be revoked prior to disposal.

35. Only administrators of the Mobility Controller (assigned to the ‘root’ role) are able to manage the certificate installation for the Mobility Controller. The number of such users must be kept to the minimum necessary to manage the Mobility Controller.

36. If Simple Network Management Protocol (SNMP) is used in the deployed environment then SNMPv3 must be used.

Maintenance and updates

37. An Aruba Support account should be set up, which enables access to any Aruba Advisories and security bulletins.

38. The latest version of the product should be used (i.e. updated with the most recent security patches). Product updates should therefore be applied as soon as possible.

39. Guidance on the ArubaOS Update process may be found in the ArubaOS User Guide (reference [e]), Chapter 35 “Management Access” under “Managing Files on the Controller” > “Transferring ArubaOS Image Files”.

System logs

40. The Mobility Controller must be configured to log all actions that are deemed to be of interest and in sufficient detail to support forensic investigation during security incident management. A description of the categories of events that may be logged by the Mobility Controller, and the various levels of logging that may be set, is provided in the User Guide (reference [e]) Chapter 35 “Management Access” under “Configuring Logging”. The recommended logging levels are as follows³:

Security category: Informational

User category: Informational

All other categories: Warnings.

41. The Syslog Messages Reference Guide (reference [h]) should be reviewed against departmental or organisational protective monitoring policies to determine whether there should be any deviation from the above recommendations.

42. Audit logs must be regularly reviewed for unexpected entries. Events of interest include (but are not limited to):

Failed server administrator logon attempts or account lockout

Account activity occurring at unusual times

Security policy configuration changes

Dropping or blocking of packets

Suspected attacks reported by the Mobility Controller (such as IP Spoofing or ARP Spoofing)

Failed or blocked connections

Failed negotiations

Failed ArubaOS Updates

Service or system failures

43. See also the general guidance on this matter that is provided in CESG Good Practice Guide No.13 – Protective Monitoring for HMG ICT Systems (GPG13) (reference [i]). The impact of log entries related to a suspected compromise or attempt at compromise should be assessed, and organisational procedures followed for incident resolution (see Chapter 4).

44. On the Mobility Controller itself, the disk space available for storage of audit logs is limited and it automatically overwrites those logs when they are full. Therefore the Mobility Controller must be configured to export logs automatically to an external syslog server, as described in the User Guide (reference [e]), Chapter 35 “Management Access” under “Configuring Logging”. The external syslog server must have sufficient disk space, with suitable management controls in place, to minimise the risk of loss of audit information.

³ The Debug logging level is intended to be used for diagnostic purposes and should not be required once the Mobility Controller is configured and operating correctly.

45. The Mobility Controller should be configured to establish an IPsec tunnel between itself and the external syslog server, as described in the User Guide (reference [e]), Chapter 35 “Management Access” under “Configuring Logging”.

46. Review of audit logs should be carried out using automated log analysis tools on the external syslog server that can identify and flag unusual activity, such as a third-party Security Information and Event Management (SIEM) product. (Whilst it is possible to manually download the audit logs to the local management PC for analysis, this is not recommended as a general process, for the reasons given in the preceding paragraph.)
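The following Python script is an added example of the automated first-pass review that paragraphs 42 and 46 call for, run on the external syslog server; it is not from the CESG document or from ArubaOS. The log lines and their message text are constructed: real ArubaOS messages carry the numeric message IDs documented in the Syslog Messages Reference Guide (reference [h]), so the patterns would need to be mapped onto those. Business hours (07:00 to 19:59) and the log year are assumptions.

```python
"""First-pass triage of Mobility Controller syslog output for the events of interest
in paragraph 42. Added example, not from the CESG document or ArubaOS; the log
format and message text are constructed and must be mapped onto the real message
IDs (reference [h]) before use."""
import re
from collections import Counter
from datetime import datetime

LOG_YEAR = 2016                # assumption: RFC 3164 timestamps carry no year
BUSINESS_HOURS = range(7, 20)  # assumption: admin activity outside 07:00-19:59 is unusual

# Constructed sample of lines as stored on the external syslog server.
SAMPLE_LOG = """\
Apr 12 09:02:11 mc-dmz-1 mgmt: admin login failed user=alice from=10.20.0.5
Apr 12 09:02:19 mc-dmz-1 mgmt: admin login failed user=alice from=10.20.0.5
Apr 12 09:02:33 mc-dmz-1 mgmt: admin login ok user=alice from=10.20.0.5
Apr 12 09:10:02 mc-dmz-1 mgmt: config changed by=alice item=firewall-inbound-acl
Apr 12 11:41:55 mc-dmz-1 ike: negotiation failed peer=203.0.113.7 reason=auth
Apr 12 02:17:40 mc-dmz-1 mgmt: admin login ok user=bob from=10.20.0.9
Apr 12 02:18:03 mc-dmz-1 mgmt: config changed by=bob item=password-policy
Apr 12 12:00:00 mc-dmz-1 mgmt: admin login failed user=root from=198.51.100.77
Apr 12 12:00:01 mc-dmz-1 mgmt: admin login failed user=root from=198.51.100.77
Apr 12 12:00:02 mc-dmz-1 mgmt: admin login failed user=root from=198.51.100.77
Apr 12 12:00:03 mc-dmz-1 mgmt: account locked user=root
Apr 12 13:05:44 mc-dmz-1 fw: possible ARP spoofing detected src=198.51.100.34
Apr 12 15:30:00 mc-dmz-1 upgrade: image update failed reason=bad-signature
this line is not syslog at all
"""

LINE_RE = re.compile(r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) (\w+): (.*)$")

# (label taken from the paragraph 42 list, pattern over the constructed message text)
EVENT_PATTERNS = [
    ("failed admin logon", re.compile(r"admin login failed")),
    ("account lockout", re.compile(r"account locked")),
    ("security policy change", re.compile(r"config changed")),
    ("failed negotiation", re.compile(r"negotiation failed")),
    ("suspected attack", re.compile(r"spoofing detected")),
    ("failed ArubaOS update", re.compile(r"image update failed")),
]


def parse_line(raw):
    """Return (timestamp, host, process, message), or None if the line is not syslog-shaped."""
    m = LINE_RE.match(raw)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%b %d %H:%M:%S").replace(year=LOG_YEAR)
    return ts, m.group(2), m.group(3), m.group(4)


def review(log_text):
    """Return a list of (label, line) findings in log order; a line may earn several labels."""
    findings = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            findings.append(("unparseable line", raw))  # never silently drop input
            continue
        ts, _host, proc, msg = rec
        for label, pat in EVENT_PATTERNS:
            if pat.search(msg):
                findings.append((label, raw))
        if proc == "mgmt" and ts.hour not in BUSINESS_HOURS:
            findings.append(("activity at unusual time", raw))
    return findings


def summarise(findings):
    """Count findings per label so the reviewer sees the shape of the batch at a glance."""
    return Counter(label for label, _ in findings)


if __name__ == "__main__":
    for label, raw in review(SAMPLE_LOG):
        print(f"{label:26} {raw}")
    print(summarise(review(SAMPLE_LOG)))
```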

System Administration

47. The only “users” to be defined for Mobility Controllers should be administrators and these will be set up with full access rights.

48. Authorised administrators should have sufficient skills and experience to manage the Mobility Controller. They must also be cleared to access all material on the server and be trusted to follow the guidance and not misuse their privileges.

49. Administrators should inspect the recent authentication history that is displayed on the WebUI Configuration > Management > Administration page, under Management User Statistics, immediately following successful logon to identify any unexpected activity for the management accounts (last successful logon and the number of logon failures since then). The audit logs must be inspected to identify any unexpected activity against the account being used by the administrator. If an attempted compromise is suspected, this should be immediately reported as a security incident, following the organisational incident reporting procedures.

50. Security Operating Procedures (SyOPs) for the deployment should provide Mobility Controller administrators with advice on the tamper threat. This should ensure that:

Administrators regularly check for possible damage to tamper-evident seals

Any evidence of tampering is reported as soon as possible in line with organisational incident reporting procedures

The Mobility Controller is immediately removed from use in the event of such tampering

Any Mobility Controller that shows evidence of tampering must not be returned to service unless and until approved by the relevant Accreditors

Chapter 4 - Security Incidents

Incident management

51. In the event of a security incident that results in the compromise of information protected by the Mobility Controller, the local IT security incident management policy should ensure that the Department Security Officer (DSO) is informed.

52. Any security incidents should be managed in accordance with the local accredited security incident management procedures and policies.

53. Contact CESG if a compromise occurs that is suspected to have resulted from a failure of a Mobility Controller.

Chapter 5 - Disposal and Destruction

Routine destruction of equipment

54. Disposal and destruction of equipment (e.g. server hardware, network devices, etc.) must be in accordance with HMG policy and guidance (see HMG Infosec Standard 5 – Secure Sanitisation (IS5) (reference [j])), including preliminary sanitisation before it is sent for disposal or destruction.

References

Unless stated otherwise, these documents are available from the CESG.

[a] CPA Security Characteristic - IPsec Security Gateway, Version 2.3, April 2013

[b] CESG Architectural Patterns No. 2, Walled Gardens for Remote Access, latest version

[c] Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-2 Level 2, Version 1.14, October 2015 http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2457.pdf

[d] Aruba 7200 Series Controllers with ArubaOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-2 Level 2, Version 1.8, March 2015 http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2136.pdf

[e] ArubaOS 6.4.x User Guide, 0511615-01v1, August 2014. Available at https://support.arubanetworks.com/DOCUMENTATION/tabid/77/Default.aspx > “Software User & Reference Guides” > “ArubaOS” > “General Availability” > “Current Release” > “ArubaOS 6.4.3.x” > “Documentation Suite”

[f] ArubaOS 6.4.x Command-Line Interface Reference Guide, 0511616-01v1, August 2014. Available at https://support.arubanetworks.com/DOCUMENTATION/tabid/77/Default.aspx > “Software User & Reference Guides” > “ArubaOS” > “General Availability” > “Current Release” > “ArubaOS 6.4.3.x” > “Documentation Suite”

[g] ArubaOS Hardening Guide, Aruba Threat Labs, July 2014 http://community.arubanetworks.com/aruba/attachments/aruba/unified-wired-wireless-access/37095/1/ArubaOS_Hardening_Guide.pdf

[h] ArubaOS 6.4.x Syslog Messages Reference Guide, 0511324-04, November 2014. Available at https://support.arubanetworks.com/DOCUMENTATION/tabid/77/Default.aspx > “Software User & Reference Guides” > “ArubaOS” > “General Availability” > “Current Release” > “ArubaOS 6.4.3.x” > “Documentation Suite”

[i] Good Practice Guide Number 13 – Protective Monitoring for HMG ICT Systems, CESG, latest version

[j] HMG Infosec Standard 5 - Secure Sanitisation, latest version

CESG
Hubble Road
Cheltenham
Gloucestershire
GL51 0EX
Tel: +44 (0)1242 709141
Email: [email protected]

© Crown Copyright 2016. Communications on CESG telecommunications systems may be monitored or recorded to secure the effective operation of the system and for other lawful purposes. This information is exempt under the Freedom of Information Act 2000 and may be exempt under other UK Information legislation. Refer any FOIA queries to GCHQ on 01242 221491 x30306 or email [email protected].