Hewlett Packard Enterprise Aruba 7 Series Manual
  1. Manuals
  2. Brands
  3. Hewlett Packard Enterprise Manuals
  4. Controller
  5. Aruba 7 Series
  6. Manual

Hewlett Packard Enterprise Aruba 7 Series Manual

With arubaos fips firmware non-proprietary security policy fips 140-2 level 2
Hide thumbs
Table of Contents

Advertisement

Quick Links

Download this manual
Aruba 7XXX Series Controllers
with ArubaOS FIPS Firmware
Non-Proprietary Security Policy
FIPS 140-2 Level 2
Version 1.17
June 2016
Aruba 7200 Series Controllers FIPS 140-2 Level 2 Security Policy

Advertisement

Table of Contents
loading
Need help?

Need help?

Do you have a question about the Aruba 7 Series and is the answer not in the manual?

Questions and answers

Subscribe to Our Youtube Channel

Related Manuals for Hewlett Packard Enterprise Aruba 7 Series

Summary of Contents for Hewlett Packard Enterprise Aruba 7 Series

  • Page 1 Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-2 Level 2 Version 1.17 June 2016 Aruba 7200 Series Controllers FIPS 140-2 Level 2 Security Policy...
  • Page 2 Open Source Code Certain Hewlett Packard Enterprise Company products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses.

  • Page 3: Table Of Contents

    Contents Contents ..................................... 3 Preface ....................................5 Purpose of this Document ............................... 5 Related Documents ................................. 5 Additional Product Information ........................5 Overview .................................... 6 Cryptographic Module Boundaries ........................ 7 Intended Level of Security ............................10 Physical Security ................................11 Operational Environment ..............................
  • Page 4 User Guidance ................................43 Setup and Configuration..............................43 Setting Up Your Controller ............................43 Enabling FIPS Mode ..............................43 Enabling FIPS Mode with the WebUI ......................43 Enabling FIPS Mode with the CLI ........................ 43 Disabling the LCD ............................44 Disallowed FIPS Mode Configurations ........................

  • Page 5: Preface

    Preface This security policy document can be copied and distributed freely. Purpose of this Document This release supplement provides information regarding the Aruba 7XXX Controllers with FIPS 140-2 Level 2 validation from Aruba Networks. The material in this supplement modifies the general Aruba hardware and firmware documentation included with this product and should be kept with your Aruba product documentation.

  • Page 6: Overview

    Overview Aruba 7XXX series Mobility Controllers are optimized for 802.11ac and mobile app delivery. Fully application-aware, the 7XXX series prioritizes mobile apps based on user identity and offers exceptional scale for BYOD transactions and device densities. With a new central processor employing eight CPU cores and four virtual cores, the 7XXX series supports over 32,000 wireless devices and performs stateful firewall policy enforcement at speeds up to 40 Gbps –...

  • Page 7: Cryptographic Module Boundaries

    Physical Description Cryptographic Module Boundaries For FIPS 140-2 Level 2 validation, the Controller has been validated as a multi-chip standalone cryptographic module. The opaque hard plastic (Aruba 7005 Controller only) or metal chassis physically encloses the complete set of hardware and firmware components and represents the cryptographic boundary of the module.
  • Page 8 Figure 2 shows the front of the Aruba 7010 Controller, and illustrates the following: • Sixteen 10/100/1000 Ethernet ports • Two Small Form-Factor Pluggable (SFP) Uplink ports • Two Type A USB ports • LINK/ACT and Status LEDs • Management/Status LED •...
  • Page 9 Figure 3 shows the front of the Aruba 7024 Controller, and illustrates the following: • Twenty-four 10/100/1000 Ethernet ports • Two Enhanced Small Form-Factor Pluggable (SFP+) Uplink ports • One Type A USB ports • LINK/ACT and Status LEDs • Management/Status LED •...

  • Page 10: Intended Level Of Security

    Figure 5 - The Aruba 7205 controller chassis Figure 5 shows the front of the Aruba 7205 Controller, and illustrates the following: • Four 10/100/1000 Ethernet ports • Four Small Form-Factor Pluggable (SFP) Uplink ports • Two Dual-Purpose Gigabit Uplink Ports •...

  • Page 11: Physical Security

    Finite State Model Physical Security Operational Environment Cryptographic Key Management EMI/EMC Self-tests Design Assurance Mitigation of Other Attacks Overall module validation level Overall Physical Security The Aruba Controller is a scalable, multi-processor standalone network device and is enclosed in a robust steel housing.

  • Page 12: Logical Interfaces

    Logical Interfaces All of these physical interfaces are separated into logical interfaces defined by FIPS 140-2, as described in the following table. Table 2 FIPS 140-2 Logical Interfaces FIPS 140-2 Logical Interface Module Physical Interface • Data Input Interface 10/100/1000 Ethernet Ports •...

  • Page 13: Roles And Services

    Roles and Services The Aruba Controller supports role-based authentication. There are two roles in the module (as required by FIPS 140-2 Level 2) that operators may assume: a Crypto Officer role and a User role. The Administrator maps to the Crypto-Officer role and the client Users map to the User role. Crypto Officer Role The Crypto Officer role has the ability to configure, manage, and monitor the controller.
  • Page 14 Table 3 Crypto-Officer Services SNMPv3 Provides ability to query SNMPv3 requests SNMPv3 32, 33 (read) management information responses 34 (delete) IKEv1/IKEv2- Provide authenticated and IKEv1/IKEv2 inputs and IKEv1/IKEv2 19 (read) IPSec encrypted remote management data; IPSec inputs, outputs, status, and 20, 21, 22, 23, 24, sessions to access the CLI commands, and data...
  • Page 15 Table 3 Crypto-Officer Services Configuring VPN Configure Public Key Commands and Status of 19 (read) Infrastructure (PKI); configure the configuration data commands and 16, 17, 18, 19, 20, Internet Key Exchange configuration data 21, 22, 23, 24,25 and (IKEv1/IKEv2) Security Protocol; 26 (delete) configure the IPSec protocol Configuring DHCP...
  • Page 16 Table 3 Crypto-Officer Services Self-Test Perform FIPS start-up tests on None Error messages None demand logged if a failure occurs Configuring Configure bypass operation on Commands and Status of None Bypass Operation the module configuration data commands and configuration data Updating Updating firmware on the module Commands and...
  • Page 17 User Role Table 4 below lists the services available to User role: Table 4 User Service CSP Access (please Service Description Input Output see table 6 below for CSP details) IKEv1/IKEv2- Access the module's IPSec IPSec inputs, IPSec outputs, IPSec services in order to secure commands, and data status, and data...

  • Page 18: Authentication Mechanisms

    Authentication Mechanisms The Aruba Controller supports role-based authentication. Role-based authentication is performed before the Crypto Officer enters privileged mode using admin password via Web Interface or SSHv2 or by entering enable command and password in console. Role-based authentication is also performed for User authentication.

  • Page 19: Unauthenticated Services

    ECDSA-based authentication User ECDSA signing and verification is used to authenticate to the module IKEv1, IKEv2 and TLS during IKEv1/IKEv2. Both P-256 and P-384 curves are supported. ECDSA P-256 provides 128 bits of equivalent security, and P-384 provides 192 bits of equivalent security. Assuming the low end of that range, the associated probability of a successful random attempt during a one-minute period is 1 in 2^128, which is less than 1 in 100,000 required by FIPS 140-2.
  • Page 20 The above hardware algorithm certificates were tested on Broadcom XLP series processors by Broadcom Corporation. Aruba Networks purchased the processors and put them in the Aruba modules to support bulk cryptographic operations. Please be aware that there is no partnership between Aruba Networks and Broadcom Corporation.
  • Page 21 • • Diffie-Hellman (less than 112 bits of encryption strength) • HMAC-MD5 • • NOTE: IKEv1, IKEv2, TLS, SSH and SNMP protocols have not been reviewed or tested by the CAVP and CMVP. Aruba 7XXX Series Controllers FIPS 140-2 Level 2 Security Policy...

  • Page 22: Critical Security Parameters

    Critical Security Parameters The following are the Critical Security Parameters (CSPs) used in the module. Table 6 CSPs/Keys Used in the module Name Algorithm/Key Size Generation/Use Storage Zeroization General Keys/CSPs Key Encryption Key Triple-DES Hardcoded during Stored in Flash Zeroized by using (KEK) manufacturing.
  • Page 23 Table 6 CSPs/Keys Used in the module Diffie-Hellman Diffie-Hellman Group Generated internally by Stored in SDRAM Zeroized by rebooting private key 14 (224 bits) calling FIPS approved memory (plaintext). the module DRBG (cert #528) during Diffie-Hellman Exchange. Used for establishing DH shared secret.
  • Page 24 Table 6 CSPs/Keys Used in the module RADIUS server 8-128 characters Entered by CO role. Stored in SDRAM Zeroized by using shared secret shared secret Used for RADIUS memory (plaintext). command ‘write erase server authentication all’ or by overwriting with a new secret Enable secret 8-64 characters Entered by CO role.
  • Page 25 Table 6 CSPs/Keys Used in the module ECDSA Public Key ECDSA suite B P-256 This key is generated by Stored in Flash Zeroized by using and P-384 curves calling FIPS approved memory (plaintext) command ‘write erase DRBG (cert #528) in the encrypted with KEK.
  • Page 26 Table 6 CSPs/Keys Used in the module IKE session HMAC-SHA- The IKE session (IKE Stored in SDRAM Zeroized by rebooting authentication key 1/256/384 Phase I) authentication memory (plaintext). the module key. This key is (160/256/384 bits) derived via key derivation function defined in SP800-135 KDF (IKEv1/IKEv2).
  • Page 27 Table 6 CSPs/Keys Used in the module SSHv2 session HMAC-SHA-1 (160- This key is derived via Stored in SDRAM Zeroized by rebooting authentication key bit) a key derivation memory (plaintext). the module function defined in SP800-135 KDF (SSHv2). Used for SSHv2 traffics integrity verification.
  • Page 28 Table 6 CSPs/Keys Used in the module SNMPv3 session key AES-CFB key (128 This key is derived via Stored in SDRAM Zeroized by rebooting bits) a key derivation memory (plaintext). the module function defined in SP800-135 KDF (SNMPv3). Used for SNMPv3 traffics protection.
  • Page 29 The module performs the following POSTs (Power On Self-Tests): • ArubaOS OpenSSL library (Firmware) AES encrypt KAT AES decrypt KAT Triple-DES encrypt KAT Triple-DES decrypt KAT DRBG KAT RSA sign KAT RSA verify KAT ECDSA Pairwise Consistency Test SHS (SHA1, SHA256, SHA384 and SHA512) KATs HMAC (HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512) KATs •...

  • Page 30: Alternating Bypass State

    ECDSA Pairwise Consistency Test RSA Pairwise Consistency Test • ArubaOS Uboot BootLoader library (Firmware) Firmware Load Test - RSA PKCS#1 v1.5 (2048 bits) signature verification • CRNG Test to NDRNG (Firmware) Self-test results are logged in a log file. Upon successful completion of the power-up self tests, the module logs a KATS: passed message into a log file.

  • Page 31: Installing The Controller

    Installing the Controller This chapter covers the physical installation of the 7XXX Controllers with FIPS 140-2 Level 2 validation. The Crypto Officer is responsible for ensuring that the following procedures are used to place the controller in a FIPS-approved mode of operation.

  • Page 32: Package Contents

    Package Contents The product carton should include the following: • 7XXX Controller • Rack mounting kit (optional) • Aruba User Documentation CD • Tamper-Evident Labels Aruba 7XXX Series Controllers FIPS 140-2 Level 2 Security Policy...

  • Page 33: Tamper-Evident Labels

    Tamper-Evident Labels After testing, the Crypto Officer must apply Tamper-Evident Labels (TELs) to the controller. When applied properly, the TELs allow the Crypto Officer to detect the opening of the chassis cover, the removal or replacement of modules or cover plates, or physical access to restricted ports.

  • Page 34: Required Tel Locations

    Required TEL Locations The Aruba 7005 Mobility Controller requires a minimum of 4 TELs to be applied as follows: To Detect Opening the Chassis Lid • Spanning the front left side and right rear corners of the chassis lid where it meets the chassis bottom, as shown in Figures 7 and 8 (Labels 1 &...
  • Page 35 The Aruba 7010 Mobility Controller requires a minimum of 6 TELs to be applied as follows: To Detect Opening the Chassis Lid Top • Spanning the front bezel and the chassis lid, as shown in Figure 9 (Label 1). To Detect Opening the Chassis Lid Bottom •...
  • Page 36 Figure 10 Required TELs for the Aruba 7010 Mobility Controller – Front Figure 11 Required TELs for the Aruba 7010 Mobility Controller – Bottom Aruba 7XXX Series Controllers FIPS 140-2 Level 2 Security Policy...
  • Page 37 The Aruba 7024 Mobility Controller requires a minimum of 7 TELs to be applied as follows: To Detect Opening the Chassis Lid Top • Spanning the front bezel and the chassis lid, as shown in Figures 12 and 13 (Label 1). To Detect Opening the Chassis Lid Bottom •...
  • Page 38 Figure 15 Required TELs for the Aruba 7024 Mobility Controller – Bottom The Aruba 7030 Mobility Controller requires a minimum of 6 TELs to be applied as follows: To Detect Opening the Chassis Lid Top • Spanning the front bezel and the chassis lid, as shown in Figures 16 & 17 (Label 1). To Detect Opening the Chassis Lid Bottom •...
  • Page 39 Figure 16 Required TELs for the Aruba 7030 Mobility Controller – Top Figure 17 Required TELs for the Aruba 7030 Mobility Controller – Front Aruba 7XXX Series Controllers FIPS 140-2 Level 2 Security Policy...
  • Page 40 Figure 18 Required TELs for the Aruba 7030 Mobility Controller – Bottom The Aruba 7205 Mobility Controller requires a minimum of 6 TELs to be applied as follows: To Detect Opening the Chassis Lid Top • Spanning the front bezel and the chassis lid, as shown in Figure 19 (Label 1). To Detect Opening the Chassis Lid Bottom •...
  • Page 41 Figure 19 Required TELs for the Aruba 7205 Mobility Controller – Top Figure 20 Required TELs for the Aruba 7205 Mobility Controller – Front Figure 21 Required TELs for the Aruba 7205 Mobility Controller – Bottom Aruba 7XXX Series Controllers FIPS 140-2 Level 2 Security Policy...

  • Page 42: Applying Tels

    Applying TELs The Crypto Officer should employ TELs as follows: • Before applying a TEL, make sure the target surfaces are clean and dry. • Do not cut, trim, punch, or otherwise alter the TEL. • Apply the wholly intact TEL firmly and completely to the target surfaces. •...
  • Page 43 User Guidance The User accesses the controller VPN functionality as an IPsec client. The user can also access the controller 802.11i functionality as an 802.11 client. Although outside the boundary of the controller, the User should be directed to be careful not to provide authentication information and session keys to others parties.
  • Page 44 (config) #exit #write memory Saving Configuration... Configuration Saved. To verify that FIPS mode has been enabled, issue the command “show fips”. Disabling the LCD Configuration through the front-panel LCD should be disabled. To disable the LCD screen, enter the Enable mode and use the following CLI commands: (host) #configure terminal (host) (config) #lcd-menu...

This manual is also suitable for:

Aruba 7200 series

Table of Contents