HP Aruba 2920 Switch Series Manual

FIPS 140-2 Non-Proprietary Security Policy, Security Level 1 Validation


Aruba 2920 Switch Series
FIPS 140-2 Non-Proprietary Security Policy
Security Level 1 Validation
Hardware Versions: J9726A, J9729A
Firmware version:
WB.16.02.0015
Version 1.4
August 1, 2017
FIPS 140-2 Non-Proprietary Security Policy for Aruba 2920 Switch Series
Page 1 of 40


Summary of Contents for HP Aruba 2920 Switch Series

  • Page 2 © Copyright 2017 Hewlett Packard Enterprise. This document may be freely reproduced and distributed whole and intact including this copyright notice. Products identified herein contain confidential commercial software. Valid license required.
  • Page 3: Table Of Contents

    FIPS Approved Cryptographic Algorithms .... 21; FIPS Allowed Cryptographic Algorithms .... 22; Non-FIPS Approved Cryptographic Algorithms .... 22; 9 Cryptographic Key Management .... 24; Cryptographic Security Parameters .... 24
  • Page 4 Table 7 - Crypto officer services .... 16; Table 8 - User services .... 18; Table 9 - Security Officer Services .... 19; Table 10 - FIPS-Approved Cryptography Algorithms .... 21
  • Page 5 Figure 3 - Aruba 2920 (J9726A) Switch .... 12; Figure 4 - Front of Aruba 2920 (J9729A) Switch .... 12; Figure 5 - Back of an Aruba 2920 Switch Series (All) .... 13
  • Page 6 (glossary excerpt) RIP: Routing Information Protocol; RSA: Rivest, Shamir and Adleman method for asymmetric encryption; sFlow: Sampled Flow; SFP: Small Form-Factor Pluggable; SFP+: Enhanced Small Form-Factor Pluggable; SHA: Secure Hash Algorithm; SSL: Secure Sockets Layer
  • Page 7: Introduction

    This policy was prepared as part of the Overall Level 1 FIPS 140-2 validation of the module. The Aruba 2920 Switch Series is referred to in this document as Aruba 2920 Switch Series, the switches, the cryptographic modules, or the modules.
  • Page 8: Overview

    ... Networking (SDN) with OpenFlow support. The Aruba 2920 Switch Series is suitable for a range of uses. These switches can be deployed at the enterprise edge, in remote branch offices, and in converged networks. Each device is based on the ArubaOS-Switch software platform, version WB.16.02.0015 (the validated firmware version listed on the cover page).
  • Page 9: Security Validation Level

    Roles, Services, and Authentication; Finite State Model; Physical Security; Operational Environment; Cryptographic Key Management; Electromagnetic Interference/Electromagnetic Compatibility; Self-Tests; Design Assurance; Mitigation of Other Attacks; Overall Level
  • Page 10: Cryptographic Module Specifications

    Cryptographic Module Specifications. The Aruba 2920 Switch Series is a multi-chip standalone network device. The cryptographic boundary is defined as encompassing the "top", "front", "rear", "left", "right" and "bottom" surfaces of the case. The general components of the Aruba 2920 Switch Series include firmware and hardware, which are placed in the three-dimensional space within the case.
  • Page 11: Cryptographic Module Port And Interfaces

    ... DHCP/Bootp server. A networked out-of-band connection through the Management port allows you to manage data network switches from a physically and logically separate management network.
  • Page 12: Aruba 2920 Series Ports

    LABEL: Power, Fault and Locator LEDs; Console Ports; LED Mode button and 5 mode indicator LEDs; Status LEDs for components on the back of the switch
  • Page 13: Aruba 2920 Series Ports And Interfaces

    Aruba 2920 Series Ports and Interfaces. The mapping of logical and physical interfaces to the FIPS validated configuration of the Aruba 2920 switch is detailed in Table 5.
  • Page 14 RJ-45 Gig-T Ethernet PoE+ ports (for J9729A). Note: 20 RJ-45 Gig-T Ethernet ports on J9726A. Note: 44 RJ-45 Gig-T Ethernet PoE+ ports on J9729A.
  • Page 15: Roles, Services, And Authentication

    Services associated with each role are listed in the following sections. The Crypto Officer is responsible for the set-up and initialization of the Aruba 2920 Switch Series as documented in Section 11 (Delivery and Operation) of this document. The Crypto Officer has complete control of the switches and is in charge of configuring all of the settings for each switch.
  • Page 16: Services

    (Table 7, Crypto Officer services, excerpt) 1. Status of device functions: view memory status, packet statistics, interface status, current configuration, routing table, active sessions, temperature and SNMP MIB statistics. Input: commands. CSP access: none. ... Perform Network Functions ...
  • Page 17 (Table 7 continued) ... CSP5-4 TLS traffic authentication key (write/delete); CSP5-6 TLS Server public key (write/delete). 12. Perform self-tests. 13. Shut down or reboot the networking device. Perform Configuration Functions ...
  • Page 18: User Services

    (Table 8, User services, excerpt) ... (read/write/delete) ... data such as "SSHv2" client data; CSP2-4 SSH Session authentication key (read/write/delete). Security Officer Services: the following table describes the services available to the Security Officer.
  • Page 19: Unauthenticated Services

    ... Observe status LED. Authentication Mechanisms: the Aruba 2920 Switch Series supports identity-based authentication to control access to all services provided by the switches. The username and password are configured by the Crypto Officer, and the operator or Security Officer logs in using these credentials. Once the operator or Security Officer is authenticated, they assume their respective role and can carry out the services listed in Table 7, Table 8, and Table 9.
  • Page 20: Physical Security Mechanism

    There is a CLI command to configure the minimum password length, between 8 and 64. Physical Security Mechanism: the Aruba 2920 Switch Series meets the FIPS 140-2 Level 1 physical security requirements as production-grade equipment.
  • Page 21: Cryptographic Algorithms

    Cryptographic Algorithms. FIPS Approved Cryptographic Algorithms: the following table lists the FIPS-Approved algorithms the Aruba 2920 Switch Series provides. Table 10 - FIPS-Approved Cryptography Algorithms (columns: Algorithm; Mode/Method; Key Lengths, Curves or Moduli; Standard; CAVP Certificate). First row: AES (FIPS 197), modes CBC, ECB, ..., CAVP certificate #4305 ...
  • Page 22: FIPS Allowed Cryptographic Algorithms

    ... FIPS-mode. These algorithms are used in non-FIPS-mode. Table 12 - Non-FIPS Approved Cryptography Algorithms (columns: Algorithm; Application). Rows include: Encryption/Decryption; Diffie-Hellman Key Agreement (< 2048-bits); Encryption/Decryption; Hashing; HMAC MD5 Message Authentication ...
  • Page 23 (Table 12 continued) ... (< 2048-bits): Key Pair Generation, Digital Signature Generation, Digital Signature Verification; ECDSA (non-compliant): Digital Signature Generation, Digital Signature Verification ...
  • Page 24: Cryptographic Key Management

    The networking devices use a variety of Critical Security Parameters (CSPs) during operation. The following table lists the CSPs, including cryptographic keys, used by the Aruba 2920 Switch Series. It summarizes generation, storage, and zeroization methods for each CSP. Table 13 - C...
  • Page 25 (Table 13 continued) CSP3-2 User-role Password: 8 ~ 64 bytes; used to authenticate the user role; entered electronically; stored obfuscated / plain text; zeroized using the CLI command to zeroize.
  • Page 26 (Table 13 continued) CSP3-5 Security Officer Password: 8 ~ 64 bytes; used to authenticate the Security Officer; entered electronically; stored obfuscated / plain text; zeroized using the CLI command to zeroize. Random Bits Generation ...
  • Page 27 (Table 13 continued) ... CTR_DRBG ... CTR_DRBG ... CSP5-1 TLS Server private key: 2048 bits; generated by CTR_DRBG; private key used for TLS negotiations; stored Internal / FLASH (plain text); zeroized using the CLI command to zeroize.
  • Page 28 (Table 13 continued) ... (plain text) ... finishing ... secp224r1 ... Pairs ... CSP5-6 TLS Server public key: 2048 bits; key agreement for TLS sessions; stored FLASH / Internal (plain text); zeroized using the CLI command to zeroize.
  • Page 29 *There is a hardcoded key in the firmware that is used to obfuscate keys stored in the 'config' file. Data obfuscated by this key is considered equivalent to plaintext and does not provide any security.
  • Page 30: Self-Tests

    Successful completion of the power-up self-tests returns the module to normal operation. Power-Up Self-Tests: power-up self-tests are performed when the Aruba 2920 Switch Series first powers up. There are two instances of power-up self-tests that are performed. ...
  • Page 31: Conditional Self-Tests

    ... 2. Packing List Verification: check against the packing list for discrepancies in material type and quantity. If any discrepancy is found, the goods shall be treated as DOA (dead on arrival) goods.
  • Page 32: Secure Operation

    ... HPE for further investigation. The damaged goods will be replaced if necessary. Secure Operation: the Aruba 2920 Switch Series is capable of two different modes of operation. - Standard Secure-Mode: non-FIPS-Approved mode of operation for the switches ...
  • Page 33: Pre-Initialization

    ... FIPS-Approved mode of operation. This is required so that private keys and CSPs established in one mode of operation cannot be used in another. Zeroization can take up to an hour to complete.
  • Page 34: Initialization And Configuration

    ... BootROM console services. The Crypto Officer shall be the only one with knowledge of the BootROM password.
    ARUBA-SWITCH(config)# password operator
    New password for operator: **********
    Please retype new password for operator: **********
  • Page 35 As an added security measure, the Crypto Officer will type the following commands to ensure the switch does not have access to the TFTP client and server services: ...
  • Page 36 The Crypto Officer will limit access to SNMPv1 and SNMPv2c messages to 'read only'. This does not disable SNMPv1 and SNMPv2c. ... User creation is done. SNMPv3 is now functional.
  • Page 37 Ensure that you are familiar with the front panel security options before proceeding. ... HTTPS – Secure Hypertext Transfer Protocol; SSL – Secure Socket Layer; TLS – Transport Layer Security
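    The initialization steps summarized on pages 34 to 37 (set role passwords, disable the TFTP client and server, limit SNMPv1/v2c to read-only and bring up SNMPv3, enter the FIPS-Approved secure mode, lock the front-panel recovery options) are the kind of thing worth verifying mechanically after the fact. The following Python audit is an added example, not code from the security policy or from HPE: it reads a running-config excerpt and reports which of those steps are missing. The CLI spellings it matches (`no tftp client`, `no tftp server`, `snmpv3 enable`, `snmpv3 restricted-access`, `secure-mode enhanced`, `no front-panel-security password-clear`, `no front-panel-security factory-reset`, `password minimum-length N`, `web-management plaintext`, `snmp-server community ... unrestricted`) are the editor's assumptions drawn from ArubaOS-Switch documentation, not text from this policy, and must be checked against the switch's own command reference. Both config excerpts are constructed, not captures from a switch.

```python
"""FIPS-mode readiness audit for an ArubaOS-Switch running-config excerpt.

Added example (not code from the security policy or from HPE). It checks a
config for the initialization steps the policy describes: TFTP client and
server off, SNMPv1/v2c limited to read-only with SNMPv3 enabled, the switch
in secure-mode enhanced, front-panel recovery options locked, and a minimum
password length of at least 8. The CLI spellings matched below are ASSUMED
from ArubaOS-Switch documentation; verify them against the switch's own
command reference. Both config excerpts are constructed, not captures.
"""
import re

MIN_PASSWORD_LENGTH = 8  # lower bound of the 8..64 range the policy allows

# Lines that must be present (assumed running-config spellings).
REQUIRED = {
    "tftp client disabled": r"^no tftp client$",
    "tftp server disabled": r"^no tftp server$",
    "telnet server disabled": r"^no telnet-server$",
    "snmpv3 enabled": r"^snmpv3 enable$",
    "snmpv1/v2c restricted to read-only": r"^snmpv3 restricted-access$",
    "secure-mode enhanced": r"^secure-mode enhanced$",
    "front-panel password-clear disabled": r"^no front-panel-security password-clear$",
    "front-panel factory-reset disabled": r"^no front-panel-security factory-reset$",
}

# Lines that must be absent (assumed spellings).
FORBIDDEN = {
    "plaintext web management": r"^web-management plaintext$",
    "unrestricted snmp community": r'^snmp-server community "?[^"\s]+"?(?: \S+)? unrestricted$',
}


def _lines(config_text):
    """Split a config into stripped, non-empty lines; ';' comment lines are dropped."""
    out = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if line and not line.startswith(";"):
            out.append(line)
    return out


def audit(config_text):
    """Return {check name: passed} for every required, forbidden and length check."""
    lines = _lines(config_text)
    results = {}
    for name, pattern in REQUIRED.items():
        results[name] = any(re.match(pattern, ln) for ln in lines)
    for name, pattern in FORBIDDEN.items():
        results[name + " absent"] = not any(re.match(pattern, ln) for ln in lines)
    configured = None
    for ln in lines:
        m = re.match(r"^password minimum-length (\d+)$", ln)
        if m:
            configured = int(m.group(1))  # last occurrence wins, as on the CLI
    results["password minimum-length >= 8"] = (
        configured is not None and configured >= MIN_PASSWORD_LENGTH
    )
    return results


def failures(config_text):
    """Names of the checks that did not pass, sorted for stable output."""
    return sorted(name for name, ok in audit(config_text).items() if not ok)


def is_fips_ready(config_text):
    return not failures(config_text)


# Constructed: a switch still in standard secure-mode with factory-style
# management settings (writable community, plaintext web UI, no length floor).
STANDARD_MODE_CONFIG = """\
; constructed excerpt, not a switch capture
hostname "ARUBA-SWITCH"
snmp-server community "public" unrestricted
web-management plaintext
password minimum-length 0
"""

# Constructed: the same switch after the Crypto Officer's initialization steps.
ENHANCED_MODE_CONFIG = """\
; constructed excerpt, not a switch capture
hostname "ARUBA-SWITCH"
secure-mode enhanced
password minimum-length 8
no telnet-server
no tftp client
no tftp server
no web-management plaintext
web-management ssl
snmpv3 enable
snmpv3 restricted-access
snmp-server community "public" operator restricted
no front-panel-security password-clear
no front-panel-security factory-reset
"""

if __name__ == "__main__":
    for label, cfg in (("standard", STANDARD_MODE_CONFIG), ("enhanced", ENHANCED_MODE_CONFIG)):
        print(label, "ready" if is_fips_ready(cfg) else "NOT ready", failures(cfg))
```

    Feed it the saved output of the switch's running configuration before and after initialization; every missing step shows up as a named failure rather than a bare pass/fail. A line in the config is evidence that a setting was entered, not proof of the module's state, so confirm the mode and the self-test results on the switch itself, and remember that the policy's own note on page 29 applies to any config you export: key material in it is obfuscated with a hardcoded key and must be handled as plaintext.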
  • Page 38: Zeroization

    ... "secure-mode standard" state. The module will not execute zeroization if secure-mode enhanced is called while the switch is already in the "secure-mode enhanced" state.
  • Page 39: Secure Management

    ... BootROM image versioning information. The BootROM console may be exited at any time, to access the image selection menu, via the quit command.
  • Page 40: Mitigation Of Other Attacks

    ... Aruba Switches, such as datasheet, installation manual, configuration guide, command reference, and other reference documents. Technical support: for technical or sales related questions please refer to the contacts list on the HPE website: http://www.hpe.com.
