Aruba ClearPass was awarded the industry’s first Common Criteria Certification for network access control (NAC) in January 2018. Recognized in 28 countries around the world, Common Criteria certification increases cyber-protection assurances for government agencies – and increasingly for security-conscious enterprises across the private sector.
In our most recent certification, ClearPass is recognized under the Network Device Collaborative Protection Profile as well as the Extended Package for Authentication Servers module. The Common Criteria tests replicate real-world threat situations covering all aspects of access control, including encryption, physical security, certificate validation, and processing, along with TLS/SSL processing. ClearPass is also the industry’s first NAC solution to receive certification as an authentication server.
Looking Back at our First Common Criteria Certification
Aruba has been at the forefront of Common Criteria (CC) certification across our product portfolio, and the Aruba Australia team has played a leading role. For the mobility controllers to be fully Common Criteria certified, there are in fact four individual CC certifications needed. These are Network Device Protection Profile (NDPP), NDPP with WLAN extension, NDPP with stateful traffic filter firewall extension, and NDPP with VPN gateway extension. Each CC certification is targeted at a specific function of the controller, and since the controllers support all of these functions, having CC certification for all of them means that all of the controller functions can be used in a government deployment. In Australia, we achieved three out of the four CC certifications. Only the NDPP with WLAN extension was conducted in the US. We received NDPP and NDPP with WLAN extension certification in 2014. The firewall and VPN were completed two years later, in 2016.
The impetus for Common Criteria certification was a very significant Australian Federal Government project that could not have proceeded without it.
Here in Australia, the Australian Signals Directorate (ASD) is the signatory that produces the Common Criteria certification. The Australasian Information Security Evaluation Program (AISEP) is the Common Criteria evaluation scheme that covers both Australia and New Zealand.
Common Criteria certification is very rigorous, and it commonly takes a year or more. We worked diligently to meet the AISEP evaluation scheme for our Mobility Controllers. To make it more challenging, the Common Criteria certification was shifting from the Evaluation Assurance Level (EAL) grading system to NDPP, so it was a new experience for everyone. All of the three accreditations mentioned above were done locally by CSC, which was the independent testing agent appointed by the Australian government.
Many government agencies need to encrypt classified information, so our controller also had to pass the ASD Cryptographic Evaluation. This evaluation is in addition to NDPP and validates that the cryptography used in our products is suitable for Australian Federal government usage. Without it, Federal government agencies cannot deploy devices that use encryption. It’s an extremely difficult test – the evaluation is an unconstrained search and test for cryptographic vulnerabilities. Our local team, along with Jon Green, who is now CTO of Aruba Government Solutions, worked diligently together. In fact, Jon personally authored a major component of the assessment criteria that investigated how the electronic components within our controllers generate encryption keys, particularly in relation to WPA2.
I was lucky enough to receive the ASD cryptographic evaluation certificate in person at the ASD office.
Build a Secure Core
Common Criteria certification is just one element of our effort to provide a strong, secure network foundation for our customers.
The Aruba Secure core starts with our wireless access points, controllers and switches. Our security architecture is different than other vendors. To start, Aruba campus APs don’t perform encryption/decryption and don’t contain any encryption keys. The APs receive encrypted wireless frames from the radio interface and immediately package these encrypted wireless frames into an IP tunnel to the controller. Once at the controller, the IP tunnel packet header is removed and what remains is an encrypted 802.11 Wi-Fi frame. The controller then processes this frame, decrypting it and turning it back into a standard IP packet. This “tunneling” of all traffic to the controllers means APs never have access to encryption keys, and they can’t process the Wi-Fi traffic locally. This fact alone is a major reason why Aruba is so extensively deployed in many defence networks across the world.
In addition, each element is engineered with extensive embedded security. For instance, Aruba wired and wireless products use Trusted Platform Module (TPM) technology, an international standard for secure tamper-resistant crypto-processors.
The power of Aruba’s Secure 360 framework provides the highest levels of security for security-conscious organizations. ClearPass and IntroSpect are part of Aruba’s Secure 360 framework, which provides an integrated, more comprehensive way to gain complete visibility and control over networks.
ClearPass can be integrated with the Aruba IntroSpect UEBA behavioral analytics solution. IntroSpect uses machine learning to spot changes in user behavior that often indicate inside attacks that have evaded perimeter defenses. Security teams gain insights into malicious, compromised or negligent users, systems and devices so they can cut off the threat before it does damage.
Read Jon Green’s blog Now Common Criteria Certified, ClearPass is Ideal for Highly Secure Environments.
Learn more about ClearPass.
Learn about the Aruba Secure Core.
Learn about the Aruba Secure 360 framework.