Cisco Wireless Local Area Network (WLAN) Access System with Integrated Wireless Intrusion Prevention System (wIPS) Security Target Versio
11 TSP TOE Security Policy Wi-Fi Wireless Fidelity WIDS Wireless Intrusion Detection System wIPS
13 MSE, and syslog server) in the environment for analysis and review, and denial of traffic flo
15 Figure 1 depicts a sample TOE configuration, highlighting the physical boundary. The shaded p
17 Cisco Aironet 1131 AG Series Access Point The Cisco Aironet 1131 AG Series IEEE 802.11a/b/g
19 Cisco Aironet 1520 AG Series Access Point The Cisco Aironet 1520 AG Series IEEE 802.11a/b/g
21 succeeds before allowing any other mediate security function dealing with authentication or a
23 Catalyst 6500 Wireless Integrated Service Module (WiSM) and WiSM2 The WiSM and WiSM2 functi
25 external components such as the time server used for Controller clock updates. The APs, and
27 The Controller can be configured to require the APs to use the Controller’s internal database
29 EAP-MD5 Not supported Supported EAP-TLS Supported Not supported EAP-MSCHAPv2 Supported Not su
3 6 SECURITY REQUIREMENTS ...
31 3) FCS_BCM_(EXT).1.2 was deleted to bring the ST in conformance with current cryptography po
33 4 Security Problem Definition This section identifies the following: Significant assumptio
35 T.UNAUTHORIZED_ACCESS A user may gain access to services (either on the TOE or by sending dat
37 O.CRYPTOGRAPHY_VALIDATED The TOE will use NIST FIPS 140-2 validated cryptomodules for cryptog
39 OE.TOE_NO_BYPASS Wireless clients are configured so that information cannot flow between a wi
41 FIA_USB.1(1) User-subject binding (Administrator) FIA_USB.1(2) User-subject binding (Wireles
43 FIA_AFL.1(1) The reaching of the threshold for the unsuccessful authentication attempts and t
45 6.1.2 FAU_GEN.2 User Identity Association FAU_GEN.2.1 For audit events resulting from ac
47 functions Digital Signature Algorithm (DSA) with a key size (modulus) of [2048 bits], RSA D
49 mechanism for administrators and wireless LAN users. Application note: Local authenticati
5 List of Tables Table 1 Acronyms, Abbreviations & Definitions ...
51 6.1.31 FMT_MTD.1(3) Management of Authentication Data (User) FMT_MTD.1.1(3) The TSF shall
53 6.1.43 FTP_ITC_(EXT).1 Extended: Inter-TSF Trusted Channel FTP_ITC_(EXT).1.1 The TOE shall p
55 Application Note This IPS Data Collection SFR (IPS_SDC) is distinct from the wIPS Analysis SF
57 FIA_AFL.1(2) The reaching of the threshold for the unsuccessful authentication attempts and t
59 6.2.11 FIA_UAU_(EXT).5(2) Remote authentication mechanisms FIA_UAU_(EXT).5.1(2) The TOE IT E
61 ALC_TAT.1 Well-defined development tools ASE: Security Target evaluation ASE_CCL.1 Conformanc
63 administrators who have individually authenticated to an external entity prior to triggering an
65 For non-volatile memories other than EEPROM and Flash, the zeroization shall be executed by o
67 • EAP-FAST without client certificate: username and password • EAP-FAST with client c
69 FMT_MOF.1(3) The Controller administrator is able to configure (enable/disable/define/re-de
7 2. The Controller, hereafter referred to as the Controller or the WLC (or WiSM when distincti
71 configuration or in the TOE's evaluated configuration and is covered with a tamper evident lab
73 through the TOE by providing the ability to enable and disable the encryption policy of the T
75 IPS_SDC_(EXT).1 The AP analyzes wireless network traffic, performing signature matching check
77 ALC_DEL.1 Cisco documents the delivery procedure for the TOE to include the procedure on how
79 O.ADMIN_GUIDANCE O.AUDIT_GENERATION O.CONFIGURATION_IDENTIFICATION O.CORRECT_TSF_OPERATION O
81 satisfies the security functional requirements. In order to ensure the TOE's design is c
83 P.ACCOUNTABILITY O.AUDIT_GENERATION addresses this policy by providing the administrator with
85 Table 21 TOE Security Functional Requirement to TOE Security Objectives Mapping O.ADMIN_GUID
87 Table 22 TOE Security Functional Requirement to TOE Security Objectives Rationale Security O
89 O.CRYPTOGRAPHY Baseline cryptographic services are provided in the TOE by FIPS PUB 140-2 comp
9 EAP Extensible Authentication Protocol EAP-TLS Extensible Authentication Protocol-Transport La
91 O.RESIDUAL_INFORMATION FDP_RIP.1(1) is used to ensure the contents of resources are not avai
93 O.WIPS_FUNCTIONS IPS_SDC_(EXT).1 defines the types of traffic that the AP will be able to col
95 FIA_UAU.1 No other components FIA_UID.1 Satisfied by FIA_UID.2 FIA_UAU_(EXT).5(1) No other co
97 FMT_MTD.1(2) FMT_SMR.1 FMT_SMF.1 This ST is based on the PP which was validated as acceptable