Aruba Networks 3000 Series Manual
  1. Manuals
  2. Brands
  3. Aruba Networks Manuals
  4. Controller
  5. 3000 Series
  6. Manual

Aruba Networks 3000 Series Manual

Mobility controllers with arubaos fips firmware non-proprietary security policy fips 140-2 level 2
Hide thumbs
Table of Contents

Advertisement

Quick Links

Dell W-3000 and W-6000/M3 Mobility Controllers with Dell AOS
FIPS Firmware
Non-Proprietary Security Policy FIPS 140-2 Level 2
January 26, 2015
This is to advise that the document entitled "Aruba 3000 and 6000/M3 Mobility Controllers with
ArubaOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-2 Level 2" Version 3.2, dated August
2014, applies to Dell W-3000 and W-6000/M3 Mobility Controllers with Dell AOS FIPS Firmware. Aruba
Networks is the Original Equipment Manufacturer (OEM) for the Dell Networking W-Series of products.
This document, provided below, is applicable for use by Dell W-Series customers for security policy
information and instruction on how to place and maintain the W-3000 and W-6000/M3 Mobility
Controllers in a secure FIPS 140-2 mode.
Dell Networking W-Series products are equivalent in features and functionality to the corresponding
Aruba Networks product models. Accordingly, the Dell AOS FIPS firmware is the validated ArubaOS FIPS
firmware version, with the exception of branding. When using the FIPS Security Policy document, the
screenshots, configurations, TEL placement locations, and images can be applied to Dell Networking W-
Series products without any need for changes.
Product Name Mapping:
Aruba Networks Model name
Aruba 3200-F1
Aruba 3200-USF1
Aruba 3400-F1
Aruba 3400-USF1
Aruba 3600-F1
Aruba 3600-USF1
Aruba 6000-400-F1
Aruba 6000-400-USF1
M3mk1-S-F1
HW-PSU-200
HW-PSU-400
LC-2G-1
LC-2G24F-1
LC-2G24FP-1
These models include Aruba FIPS kit 4010061-01 (contains tamper evident labels)
The exact firmware version validated was ArubaOS 6.3.1.7-FIPS
The Dell Networking W-Series products are rebranded for Dell customers, as shown in the product
images below.
Dell W-3000, W-6000/M3 Series Controllers FIPS 140-2 Security Policy
Dell Networking Model name
W-3200-F1
W-3200-USF1
W-3400-F1
W-3400-USF1
W-3600-F1
W-3600-USF1
W-6000-F1
W-6000-USF1
W-6000M3
HW-PSU-200
HW-PSU-400
No Dell model
No Dell model
No Dell model
Description
Non-US – 32 AP Controller
US – 32 AP Controller
Non-US – 64 AP Controller
US – 64 AP Controller
Non-US – 128 AP Controller
US – 128 AP Controller
Non-US – Controller Chassis
US – Controller Chassis
M3 Controller Module for
Chassis
Power Supply (not re-branded)
Power Supply (not re-branded)
Ethernet Line card
Ethernet Line card
Ethernet Line card
1

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the 3000 Series and is the answer not in the manual?

Questions and answers

Related Manuals for Aruba Networks 3000 Series

Summary of Contents for Aruba Networks 3000 Series

  • Page 1 Dell Networking W-Series products are equivalent in features and functionality to the corresponding Aruba Networks product models. Accordingly, the Dell AOS FIPS firmware is the validated ArubaOS FIPS firmware version, with the exception of branding. When using the FIPS Security Policy document, the screenshots, configurations, TEL placement locations, and images can be applied to Dell Networking W- Series products without any need for changes.
  • Page 2 Dell Networking W-3000 Controller Series Product Images: Aruba 3000 Controller Series Product Images: Dell W-3000, W-6000/M3 Series Controllers FIPS 140-2 Security Policy...
  • Page 3 Dell Networking W-6000 Controller chassis with W-6000M3 module (1) and PSU (2): Aruba 6000-400 controller chassis with M3 Mark I modules (4) and PSU (3): If you have questions or concerns, please contact Dell Technical Support at www.dell.com/support, additional product documentation is also available by device under user manuals. Attachment: Aruba 3000 and 6000/M3 Mobility Controllers with ArubaOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-2 Level 2 Dell W-3000, W-6000/M3 Series Controllers FIPS 140-2 Security Policy...
  • Page 4     Aruba 3000 and 6000/M3 Mobility Controllers with ArubaOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-2 Level 2 Version 3.2 August 2014   Aruba 3000, 6000/M3 Mobility Controller FIPS 140-2 Level 2 Security Policy  ...
  • Page 5 Legal Notice The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc.

  • Page 6: Table Of Contents

    Purpose of this Document  ............................... 5  Related Documents ................................. 5  Additional Product Information ........................5  Overview  .................................... 6  Cryptographic Module Boundaries ........................ 7  Aruba 6000 ..............................7  Aruba 3000 Series ............................9  Intended Level of Security ............................ 10  Physical Security ................................ 11  Operational Environment .............................. 11  Logical Interfaces ................................ 11  Roles and Services ................................ 12 ...
  • Page 7 Tamper-Evident Labels .............................. 30  Reading TELs .............................. 30  Required TEL Locations ..........................31  To Detect Opening the Chassis Cover ....................... 31  To Detect the Removal of Any Module or Cover Plate  .................. 31  To Detect Access to Restricted Ports ......................... 31  To Detect Access to Restricted Port ........................ 31  To Detect Opening the Chassis Cover ....................... 32 ...

  • Page 8: Preface

    This release supplement provides information regarding the Aruba 3000 and 6000/M3 Mobility Controllers with FIPS 140- 2 Level 2 validation from Aruba Networks. The material in this supplement modifies the general Aruba hardware and firmware documentation included with this product and should be kept with your Aruba product documentation.

  • Page 9: Overview

    Overview The Aruba 6000 and 3000 series Mobility Controllers are network infrastructure devices providing secure, scalable solutions for enterprise Wi-Fi, network security policy enforcement, VPN services, and wireless intrusion detection and prevention. Mobility controllers serve as central points of authentication, encryption, access control, and network coordination for all mobile network services.

  • Page 10: Cryptographic Module Boundaries

    Physical Description Cryptographic Module Boundaries For FIPS 140-2 Level 2 validation, the Controller has been validated as a multi-chip standalone cryptographic module. The steel chassis physically encloses the complete set of hardware and firmware components and represents the cryptographic boundary of the controller. The cryptographic boundary is defined as encompassing the top, front, left, right, rear, and bottom surfaces of the chassis.
  • Page 11 M3mk1-S-F1 LC-2G-1 LC-2G-1 LC-2G-1 M3mk1-S-F1 LC-2G-1 LC-2G24F-1 M3mk1-S-F1 LC-2G-1 LC-2G24F-1 LC-2G24F-1 M3mk1-S-F1 LC-2G-1 LC-2G24F-1 LC-2G24FP-1 M3mk1-S-F1 LC-2G-1 LC-2G24FP-1 M3mk1-S-F1 LC-2G-1 LC-2G24FP-1 LC-2G24FP-1 M3mk1-S-F1 LC-2G24F-1 M3mk1-S-F1 LC-2G24F-1 LC-2G24F-1 M3mk1-S-F1 LC-2G24F-1 LC-2G24F-1 LC-2G24F-1 M3mk1-S-F1 LC-2G24F-1 LC-2G24F-1 LC-2G24FP-1 M3mk1-S-F1 LC-2G24F-1 LC-2G24FP-1 LC-2G24FP-1 M3mk1-S-F1 LC-2G24FP-1 M3mk1-S-F1 LC-2G24FP-1...

  • Page 12: Aruba 3000 Series

    When using more than one power supply, verify that they are all of the same type. Do not mix 200 W and 400 W power supplies in the same chassis.   Aruba 3000 Series The Aruba 3000-series Controller chassis is a 1U non-modular chassis. Figure 2 ‐ Aruba 3000‐series Controller Chassis ...

  • Page 13: Intended Level Of Security

    Intended Level of Security The Aruba 3000 and 6000/M3 Controllers and associated modules are intended to meet overall FIPS Table 2 140-2 Level 2 requirements as shown in Table 2 ‐ Intended Level of Security  Section Section Title Level Cryptographic Module Specification Cryptographic Module Ports and Interfaces Roles, Services, and Authentication Finite State Model Physical Security...

  • Page 14: Physical Security

    The operational environment is non-modifiable. The control plane Operating System (OS) is Linux, a real- time, multi-threaded operating system that supports memory protection between processes. Access to the underlying Linux implementation is not provided directly. Only Aruba Networks provided interfaces are used, and the CLI is a restricted command set.

  • Page 15: Roles And Services

    Table 3 ‐ FIPS 140‐2 Logical Interfaces  Control Input Interface Power switch (Aruba 6000 only)  Reset button (Aruba 6000 only)  10/100 Mbps Ethernet port  10/100/1000 Mbps Ethernet ports  Serial console port (disabled)  Status Output Interface 10/100 Mbps Ethernet port  10/100/1000 Mbps Ethernet ports ...
  • Page 16 management session over the Ethernet ports or locally over the serial port. In FIPS mode, the serial port is disabled.  Web Interface The Crypto Officer can use the Web Interface as an alternative to the CLI. The Web Interface provides a highly intuitive, graphical interface for a comprehensive set of controller management tools.
  • Page 17 Table 4 ‐ Crypto‐Officer Services  Configuring Define the platform subsystem Commands and Status of None Module Platform firmware of the module by configuration data commands and entering Bootrom Monitor Mode, configuration data File System, fault report, message logging, and other platform related commands Configuring Define synchronization features Commands and Status of...
  • Page 18 Table 4 ‐ Crypto‐Officer Services  Status Function Cryptographic officer may use Commands and Status of None CLI "show" commands or view configuration data commands and WebUI via TLS to view the configurations controller configuration, routing tables, and active sessions; view health, temperature, memory status, voltage, and packet statistics;...
  • Page 19 Table 4 ‐ Crypto‐Officer Services  Zeroization Zeroizes all flash memory Command Progress All CSPs will be information destroyed. User Role The User role can access the controller’s IPSec and IKEv1/IKEv2 services. Service descriptions and inputs/outputs are listed in the following table: Table 5 ‐ User Service  Service Description Input Output CSP Access...

  • Page 20: Authentication Mechanisms

    802.11i with EAP- Access the module’s 802.11i 802.11i inputs, 802.11i outputs, 29, 30, 31, 32 (read) services in order to secure commands and data status, and data 34, 35 (read/write) network traffic Self-Tests Run Power-On Self-Tests and None Error messages None Conditional Tests logged if a failure...

  • Page 21: Unauthenticated Services

    ECDSA-based authentication User ECDSA signing and verification is used to authenticate to the module (IKEv1/IKEv2) during IKEv1/IKEv2. Both P-256 and P-384 curves are supported. ECDSA P-256 provides 128 bits of equivalent security, and P-384 provides 192 bits of equivalent security. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^128, which is less than 1 in 1,000,000 required by FIPS 140-2.

  • Page 22: Cryptographic Key Management

    Cryptographic Key Management Implemented Algorithms FIPS-approved cryptographic algorithms have been implemented in firmware and hardware.  Hardware encryption acceleration is provided for bulk cryptographic operations for the following FIPS approved algorithms: AES (Cert. #762) Triple-DES (Cert. #667) SHS (Cert. #769) HMAC (Cert.

  • Page 23: Non-Fips Approved Algorithms Allowed In Fips Mode

    Note: RSA (Cert. #1376; non-compliant with the functions from the CAVP Historical RSA List)  FIPS186-2: ALG[ANSIX9.31]: Key(gen)(MOD: 1024 PubKey Values: 65537) ALG[RSASSA-PKCS1_V1_5]: SIG(gen): 1024, SHS: SHA-1/SHA-256/SHA-384/SHA- 512, 2048, SHS: SHA-1 ECDSA (Cert. #466; non-compliant with the functions from the CAVP Historical ECDSA List) ...

  • Page 24: Critical Security Parameters

    Critical Security Parameters The following are the Critical Security Parameters (CSPs) used in the controller.   Table 7 ‐ CSPs/Keys Used in Aruba Controllers  Storage and # Name CSPs type Generation Zeroization Key Encryption Key Triple-DES 168-bit key Hardcoded during Stored in Flash. Encrypts IKEv1/IKEv2 (KEK) manufacturing Zeroized by using Pre-shared key, command ‘wipe out...
  • Page 25 RNG seed key FIPS 186-2 RNG Seed Derived using NON- Stored in plaintext in Seed 186-2 General key (512 bits) FIPS approved HW volatile memory. purpose (x-change Zeroized on reboot. Notice); SHA-1 RNG Diffie-Hellman private Diffie-Hellman private Generated internally Stored in the volatile Used in establishing key (224 bits) during Diffie-Hellman...
  • Page 26 8-64 character Store in ciphertext in Administrator Enable secret CO configured password flash. Zeroized by authentication changing (updating) through the user interface. User Passwords 8-64 character CO configured Stored encrypted in Authentication for password Flash with KEK. accessing the Zeroized by either management deleting the password interfaces, RADIUS...
  • Page 27 IPSec session HMAC-SHA-1 (160 Established during the Stored in plaintext in User authentication authentication keys bits) IPSec service volatile memory. implementation Zeroized when the session is closed. SSHv2 session keys AES (128/196/256 bits) Established during the Stored in plaintext in Secure SSHv2 traffic SSHv2 key exchange volatile memory.
  • Page 28 ECDSA suite B P-256 Generated in the Stored in flash Used by TLS and ECDSA Private Key and P-384 curves module memory encrypted EAP-TLS/PEAP with KEK. Zeroized by protocols during the the CO command handshake. write erase all. ECDSA Public Key ECDSA suite B P-256 Generated in the Stored in flash...

  • Page 29: Self-Tests

    Self-Tests The Aruba Controller performs both power-up and conditional self-tests. In the event any self-test fails, the controller will enter an error state, log the error, and reboot automatically. The following self-tests are performed: ArubaOS OpenSSL Module:  AES (encrypt/decrypt) KATs ...

  • Page 30: Alternating Bypass State

    ArubaOS UBoot BootLoader Module  Firmware Load Test - RSA PKCS#1 v1.5 (2048 bits) signature verification Conditional Tests on Hardware:  CRNG Test to non-Approved RNGs Self-test results are logged in a log file. Upon successful completion of the power-up self tests, the module logs a KATS: passed message into a log file.

  • Page 31: Installing The Controller

     Do not disassemble chassis or modules. They have no internal user-serviceable parts. When service or repair is needed, contact Aruba Networks. Product Examination The units are shipped to the Crypto Officer in factory-sealed boxes using trusted commercial carrier shipping companies.

  • Page 32: Package Contents

    Guide). It is the Crypto Office's responsibility to install all required power supplies during module setup phase. The controller is shipped with all required modules installed. The Aruba 3000 series do not have minimum configurations, as they are fixed configuration chassis. Aruba 3000, 6000/M3 Mobility Controller FIPS 140-2 Level 2 Security Policy...

  • Page 33: Tamper-Evident Labels

    Tamper-Evident Labels After testing, the Crypto Officer must apply Tamper-Evident Labels (TELs) to the controller. When applied properly, the TELs allow the Crypto Officer to detect the opening of the chassis cover, the removal or replacement of modules or cover plates, or physical access to restricted ports.

  • Page 34: Required Tel Locations

    10. Spanning the PS3 handle (or blank faceplate) and the bottom of the chassis To Detect Access to Restricted Ports 11. Spanning the Serial port on the M3 The Aruba 3000 series Controller require a minimum of 3 TELs to be applied as follows: Figure 5 ‐ Required TELs for the Aruba 3000‐series Controller To Detect Access to Restricted Port 1.

  • Page 35: To Detect Opening The Chassis Cover

    To Detect Opening the Chassis Cover 2. Spanning the top of the faceplate and top of the chassis 3. Spanning the back and top of the chassis   Applying TELs The Crypto Officer should employ TELs as follows:  Before applying a TEL, make sure the target surfaces are clean and dry. ...

  • Page 36: User Guidance

     When installing expansion modules for the Aruba 6000, use only FIPS-approved modules, replace TELs affected by the change, and record the reason for the change, along with the new TEL locations and serial numbers, in the security log.  The Crypto Officer shall not configure the Diffie-Hellman algorithm with 768-bits (Group 1) or 1024-bits (Group 2) in FIPS mode for IKEv1/IKEv2-IPSec and SSHv2.

  • Page 37: Setup And Configuration

    Setup and Configuration The Aruba 3000 and 6000/M3 Controllers meet FIPS 140-2 Level 2 requirements. The sections below describe how to place and keep the controller in FIPS-approved mode of operation. The Crypto Officer (CO) must ensure that the controller is kept in a FIPS-approved mode of operation. The controller can operate in two modes: the FIPS-approved mode, and the standard non-FIPS mode.

  • Page 38: Disallowed Fips Mode Configurations

    To verify that FIPS mode has been enabled, issue the command “show fips”. Disallowed FIPS Mode Configurations When you enable FIPS mode, the following configuration options are disallowed:  All WEP features   TKIP mixed mode  Any combination of DES, MD5, and PPTP Aruba 3000, 6000/M3 Mobility Controller FIPS 140-2 Level 2 Security Policy...

This manual is also suitable for:

6000 series3200-f13200-usf13400-f13400-usf13600-f1 ... Show all

Table of Contents