Summary of Contents for Aruba Networks FIPS 140-2
Page 1
FIPS 140-2 Non-Proprietary Security Policy for Aruba RAP-5WN and Dell W-RAP-5WN Remote Access Points Version 1.4 September 2012 Aruba Networks™ 1322 Crossman Ave. Sunnyvale, CA 94089-1113...
Page 2
VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.
AP meets the security requirements of FIPS 140-2 Level 2, and how to place and maintain the AP in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2 validation of the product.
Page 5
SPOE  Serial & Power Over Ethernet
TEL   Tamper-Evident Label
TFTP  Trivial File Transfer Protocol
WLAN  Wireless Local Area Network...
FIPS 140-2 security policy. 2.1 RAP-5WN This section introduces the Aruba RAP-5WN Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces.
Access Point configuration validated during the cryptographic module testing included:
Aruba Part Number: RAP-5WN-F1
Dell Corresponding Part Number: W-RAP-5WN-F1
The exact firmware versions validated were:
• ArubaOS_6.1.2.3-FIPS
• Dell_PCW_6.1.2.3-FIPS
2.1.1.1 Dimensions/Weight
The AP has the following physical dimensions:
• 6.9" x 9.5" x 1.4" (175 mm x 240 mm x 35 mm)
•...
Page 8
Flashing: Ethernet link activity
ENET 1 (Ethernet Network Link Status / Activity):
  Ethernet link unavailable
  On – Amber: 10 Mbps Ethernet link negotiated
  On – Green: 100 Mbps Ethernet link negotiated
  Flashing: Ethernet link activity
ENET 2 (Ethernet Network Link Status / Activity):
  Ethernet link unavailable
  On – Amber...
3 Module Objectives
This section describes the assurance levels for each of the areas described in the FIPS 140-2 Standard. In addition, it provides information on placing the module in a FIPS 140-2 approved configuration.
3.1 Security Levels
Section | Section Title...
3.2.2 Required TEL Locations
This section displays all the TEL locations on the Aruba RAP-5WN. The RAP-5WN requires four (4) TELs to be applied as follows:
1. Spanning the top and bottom chassis covers and left chassis cover, placed in the left corner
2.
Page 11
Figure 4: Left side view of Aruba RAP-5WN
Figure 5: Right side view of Aruba RAP-5WN
Figure 6: Top view of Aruba RAP-5WN...
“staging controller”. The staging controller must be provisioned with the appropriate firmware image for the module, which has been validated to FIPS 140-2, prior to initiating AP provisioning. After setting up the Access Point by following the basic installation instructions in the module User...
3.3.1 Configuring Remote AP FIPS Mode
1. Apply TELs according to the directions in section 3.2
2. Log into the administrative console of the staging controller
3. To deploy the AP in Remote FIPS mode, configure the controller to support Remote APs. For detailed instructions and steps, see Section “Configuring the Secure Remote Access Point Service”...
3.3.2 Configuring Remote Mesh Portal FIPS Mode
1. Apply TELs according to the directions in section 3.2
2. Log into the administrative console of the staging controller
3. To deploy the AP in Remote Mesh Portal mode, create the corresponding Mesh Profiles on the controller as described in detail in Section “Mesh Profiles”...
Page 15
1. Log into the administrative console of the Aruba Mobility Controller
2. Verify that the module is connected to the Mobility Controller
3. Verify that the module has FIPS mode enabled by issuing the command “show ap ap-name <ap-name> config”
4.
3.4 Operational Environment
This section does not apply as the operational environment is non-modifiable.
3.5 Logical Interfaces
The physical interfaces are divided into logical interfaces defined by FIPS 140-2 as described in the following table.
Table 2 - FIPS 140-2 Logical Interfaces...
4 Roles, Authentication and Services
4.1 Roles
The module supports the roles of Crypto Officer, User, and Wireless Client; no additional roles (e.g., Maintenance) are supported. Administrative operations carried out by the Aruba Mobility Controller map to the Crypto Officer role. The Crypto Officer has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.
4.1.3 Wireless Client Authentication
The wireless client role, in the Remote AP or Remote Mesh Portal configuration, authenticates to the module via WPA2. Note that WEP and/or Open System configurations are not permitted in FIPS mode. In the advanced Remote AP configuration, when the Remote AP cannot communicate with the controller, the wireless client role authenticates to the module via WPA2-PSK only.
Page 19
Authentication Mechanism | Mechanism Strength
Wireless Client (Wireless Client role): For WPA2-PSK there are at least 95^16 (= 4.4 x 10^31) possible WPA2-PSK combinations. In order to test a guessed key, the attacker must complete the 4-way handshake with the AP. Prior to completing the 4-way handshake, the attacker must complete the 802.11 association process.
4.2 Services
The module provides various services depending on role. These are described below.
4.2.1 Crypto Officer Services
The CO role in each of Remote AP FIPS mode and Remote Mesh Portal FIPS mode has the same services.
Service | Description | CSPs Accessed (see section 6 below for complete description of CSPs)
Service: Creation/use of secure management session between module and CO
  Description: The module supports use of IPSec for securing the management channel.
  CSPs Accessed: • IKEv1/IKEv2 Preshared Secret • DH Private Key • ...
  (continued) CSPs Accessed: ... Encryption Key • 802.11i AES-CCM key • 802.11i GMK • 802.11i GTK
Service: Use of WPA pre-shared key for establishment of IEEE 802.11i ...
  Description: When the module is in mesh configuration, the inter-module ...
  CSPs Accessed: • ...
4.2.4 Unauthenticated Services
The module provides the following unauthenticated services, which are available regardless of role. No CSPs are accessed by these services.
• View system status – module LEDs
• Reboot module by removing/replacing power
• Self-test and initialization at power-on...
Non-FIPS Approved Algorithms The cryptographic module implements the following non-approved algorithms that are not permitted for use in the FIPS 140-2 mode of operations: • In addition, within the FIPS Approved mode of operation, the module supports the following allowed key...
6 Critical Security Parameters
The following Critical Security Parameters (CSPs) are used by the module:
CSP | TYPE | GENERATION | STORAGE / ZEROIZATION | USE
CSP: Key Encryption Key (KEK)
  Type: Triple-DES 168-bit key
  Generation: Hard-coded
  Storage / Zeroization: Stored in flash; zeroized by the ‘ap wipe out flash’ command
  Use: Encrypts IKEv1/IKEv2 preshared keys
Page 27
CSP: IKEv1/IKEv2 Diffie-Hellman Private key
  Type: 1024-bit Diffie-Hellman private key
  Generation: Generated internally during IKEv1/IKEv2 negotiation
  Storage / Zeroization: Stored in plaintext in volatile memory; zeroized when session is closed or system is powered off
  Use: Used in establishing the session key for IPSec
CSP: IKEv1/IKEv2 Diffie-...
Page 28
CSP: WPA2 PSK
  Type: 16-64 character shared secret used to authenticate mesh connections and in advanced...
  Generation: CO configured through administrative interface, or by ...
  Storage / Zeroization: Encrypted in flash using the KEK; zeroized by updating ...
  Use: Used to derive the PMK for 802.11i mesh connections between APs
Page 29
CSP: 802.11i Group Master Key (GMK)
  Type: 256-bit secret used to derive Group Transient Key (GTK)
  Generation: Generated from approved ...
  Storage / Zeroization: Stored in plaintext in volatile memory; zeroized on reboot
  Use: Used to derive ...
CSP: 802.11i Group Transient Key (GTK)
  Type: 256-bit
  Generation: Internally derived by AP
  Storage / Zeroization: Stored in ...
  Use: Used to derive ...
7 Self Tests
The module performs the following Self Tests after being configured into either Remote AP mode or Remote Mesh Portal mode. The module performs both power-up and conditional self-tests. In the event any self-test fails, the module enters an error state, logs the error, and reboots automatically. The module performs the following power-up self-tests:
•...
Page 31
These self-tests are run for the Cavium hardware cryptographic implementation as well as for the Aruba OpenSSL AP and ArubaOS cryptographic module implementations. Self-test results are written to the serial console. In the event of a KAT failure, the AP logs different messages, depending on the error.
For an ArubaOS OpenSSL AP module and ArubaOS cryptographic module KAT failure:
  AP rebooted [DATE][TIME] : Restarting System, SW FIPS KAT failed
For an AES Cavium hardware POST failure:...