FIPS 140-2 Non-Proprietary Security Policy
for Aruba AP-92, AP-93, AP-105, AP-175 Dell W-AP92, W-AP93, W-AP105 and W-AP175
Wireless Access Points
Version 1.2
Feb. 2012
Aruba Networks™
1322 Crossman Ave.
Sunnyvale, CA 94089-1113
1 INTRODUCTION
1.1 ARUBA DELL RELATIONSHIP
1.2 ACRONYMS AND ABBREVIATIONS
2 PRODUCT OVERVIEW
2.1 AP-92
2.1.1 Physical Description
2.1.1.1 Dimensions/Weight
2.1.1.2 Interfaces
2.1.1.3 Indicator LEDs
2.2 AP-93
2.2.1 Physical Description
2.2.1.1 Dimensions/Weight
2.2.1.2 Interfaces
2.2.1.3 Indicator LEDs
2.3 AP-105 SERIES
2.3.1 Physical Description
2.3.1.1 Dimensions/Weight
2.3.1.2 Interfaces
2.3.1.3 Indicator LEDs
2.4 AP-175 SERIES
2.4.1 Physical Description
2.4.1.1 Dimensions/Weight
2.4.1.2 Interfaces
2.4.1.3 Indicator LEDs
3 MODULE OBJECTIVES
3.1 SECURITY LEVELS
3.2 PHYSICAL SECURITY
3.2.1 Applying TELs
3.2.2 AP-92 TEL Placement
3.2.2.1 To detect access to restricted ports:
3.2.2.2 To detect opening of the chassis cover:
3.2.3 AP-93 TEL Placement
3.2.3.1 To detect access to restricted ports:
3.2.3.2 To detect opening of the chassis cover:
3.2.4 AP-105 TEL Placement
3.2.4.1 To detect opening of the chassis cover:
3.2.4.2 To detect access to restricted ports:
3.2.5 AP-175 TEL Placement
3.2.5.1 To detect access to restricted ports:
3.2.5.2 To detect opening of the chassis cover:
3.2.6 Inspection/Testing of Physical Security Mechanisms
3.3 MODES OF OPERATION
3.3.1 Configuring Remote AP FIPS Mode
3.3.2 Configuring Control Plane Security (CPSec) protected AP FIPS mode
3.3.3 Configuring Remote Mesh Portal FIPS Mode
3.3.4 Configuring Remote Mesh Point FIPS Mode
3.3.5 Verify that the module is in FIPS mode
3.4 OPERATIONAL ENVIRONMENT
3.5 LOGICAL INTERFACES
4 ROLES, AUTHENTICATION AND SERVICES
4.1 ROLES
4.1.1 Crypto Officer Authentication
4.1.2 User Authentication
4.1.3 Wireless Client Authentication
4.1.4 Strength of Authentication Mechanisms
4.2 SERVICES
4.2.1 Crypto Officer Services
4.2.2 User Services
4.2.3 Wireless Client Services
4.2.4 Unauthenticated Services
5 CRYPTOGRAPHIC ALGORITHMS
6 CRITICAL SECURITY PARAMETERS
7 SELF TESTS
1 Introduction
This document constitutes the non-proprietary Cryptographic Module Security Policy for the AP-92, AP-93, AP-105 and AP-175 Wireless Access Points with FIPS 140-2 Level 2 validation from Aruba Networks. This security policy describes how the AP meets the security requirements of FIPS 140-2 Level 2, and how to place and maintain the AP in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2 validation of the product.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) website at:
http://csrc.nist.gov/groups/STM/cmvp/index.html
This document can be freely distributed.
1.1 Aruba Dell Relationship
Aruba Networks is the OEM for the Dell PowerConnect W line of products. Dell products are identical to the Aruba products other than branding and Dell software is identical to Aruba software other than branding.
Table 1 - Corresponding Aruba and Dell Part Numbers
| Aruba Part Number | Dell Corresponding Part Number |
|---|---|
| AP-92-F1 | W-AP92-F1 |
| AP-93-F1 | W-AP93-F1 |
| AP-105-F1 | W-AP105-F1 |
| AP-175P-F1 | W-AP175P-F1 |
| AP-175AC-F1 | W-AP175AC-F1 |
| AP-175DC-F1 | W-AP175DC-F1 |
NOTE: References to Aruba, ArubaOS, Aruba AP-92, Aruba AP-93, Aruba AP-105 and Aruba AP-175 wireless access points apply to both the Aruba and Dell versions of these products and documentation.
1.2 Acronyms and Abbreviations
AES | Advanced Encryption Standard
AP | Access Point
CBC | Cipher Block Chaining
CLI | Command Line Interface
CO | Crypto Officer
CPSec | Control Plane Security protected
CSEC | Communications Security Establishment Canada
CSP | Critical Security Parameter
ECO | External Crypto Officer
EMC | Electromagnetic Compatibility
EMI | Electromagnetic Interference
FE | Fast Ethernet
GE | Gigabit Ethernet
GHz | Gigahertz
HMAC | Hashed Message Authentication Code
Hz | Hertz
IKE | Internet Key Exchange
IPSec | Internet Protocol security
KAT | Known Answer Test
KEK | Key Encryption Key
L2TP | Layer-2 Tunneling Protocol
LAN | Local Area Network
LED | Light Emitting Diode
SHA | Secure Hash Algorithm
SNMP | Simple Network Management Protocol
SPOE | Serial & Power Over Ethernet
TEL | Tamper-Evident Label
TFTP | Trivial File Transfer Protocol
WLAN | Wireless Local Area Network
2 Product Overview
This section introduces the various Aruba Wireless Access Points, providing a brief overview and summary of the physical features of each model covered by this FIPS 140-2 security policy.
2.1 AP-92
This section introduces the Aruba AP-92 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces.
Figure 1 - AP-92 Wireless Access Point
The Aruba AP-92 is a robust-performance 802.11n (2x2:2) MIMO, single-radio indoor wireless access point supporting 2.4 GHz or 5 GHz (802.11a/b/g/n) and capable of delivering wireless data rates of up to 300Mbps. This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion detection and prevention. The access point works in conjunction with Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in education, enterprise, finance, government, healthcare, and retail applications.
2.1.1 Physical Description
The Aruba AP-92 series Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard plastic case. The module contains an 802.11 a/b/g/n transceiver and supports external antennas through dual, detachable antenna interfaces.
The plastic case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module.
The Access Point configuration tested during the cryptographic module testing included:
| Aruba Part Number | Dell Corresponding Part Number |
|---|---|
| AP-92-F1 | W-AP92-F1 |
The exact firmware versions tested were:
ArubaOS_6xx_6.1.2.3-FIPS
Dell_PCW_6xx_6.1.2.3-FIPS
2.1.1.1 Dimensions/Weight
The AP has the following physical dimensions:
- 120 mm x 130 mm x 35 mm (4.7" x 5.1" x 1.4")
- 255 g (9 oz)
2.1.1.2 Interfaces
The module provides the following network interfaces:
- 1 x 10/100/1000 Base-T Ethernet (RJ45) Auto-sensing link speed and MDI/MDX
- Antenna
  - 2x RP-SMA antenna interfaces (supports up to 2x2 MIMO with spatial diversity)
- 1 x RJ-45 console interface
The module provides the following power interfaces:
- 48 V DC 802.3af power over Ethernet
- 12 V DC for external AC supplied power (adapter sold separately)
2.1.1.3 Indicator LEDs
There are 4 bicolor (power, ENET and WLAN) LEDs which operate as follows:
Table 2 - AP-92 Indicator LEDs
| Label | Function | Action | Status |
|---|---|---|---|
| PWR | AP power / ready status | Off | No power to AP |
| | | Red | Initial power-up condition |
| | | Flashing – Green | Device booting, not ready |
| | | On – Green | Device ready |
| ENET | Ethernet Network Link Status / Activity | Off | Ethernet link unavailable |
| | | On – Amber | 10/100Mbs Ethernet link negotiated |
| | | On – Green | 1000Mbs Ethernet link negotiated |
| | | Flashing | Ethernet link activity |
| 11b/g/n | 2.4GHz Radio Status | Off | 2.4GHz radio disabled |
| | | On – Amber | 2.4GHz radio enabled in WLAN mode |
| | | On – Green | 2.4GHz radio enabled in 802.11n mode |
| | | Flashing - Green | 2.4GHz Air monitor or RF protect sensor |
| 11a/n | 5GHz Radio Status | Off | 5GHz radio disabled |
| | | On - Amber | 5GHz radio enabled in WLAN mode |
| | | On – Green | 5GHz radio enabled in 802.11n mode |
| | | Flashing - Green | 5GHz Air monitor or RF protect sensor |
2.2 AP-93
This section introduces the Aruba AP-93 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces.
Figure 2 - AP-93 Wireless Access Point
The Aruba AP-93 is a robust-performance 802.11n (2x2:2) MIMO, single-radio indoor wireless access point supporting 2.4 GHz or 5 GHz (802.11a/b/g/n) and capable of delivering wireless data rates of up to 300Mbps. This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion detection and prevention. The access point works in conjunction with Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in education, enterprise, finance, government, healthcare, and retail applications.
2.2.1 Physical Description
The Aruba AP-93 series Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard plastic case. The module contains an 802.11 a/b/g/n transceiver and 2 integrated omni-directional multi-band dipole antenna elements (supporting up to 2x2 MIMO with spatial diversity).
The plastic case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module.
The Access Point configuration tested during the cryptographic module testing included:
| Aruba Part Number | Dell Corresponding Part Number |
|---|---|
| AP-93-F1 | W-AP93-F1 |
The exact firmware versions tested were:
ArubaOS_6xx_6.1.2.3-FIPS
Dell_PCW_6xx_6.1.2.3-FIPS
2.2.1.1 Dimensions/Weight
The AP has the following physical dimensions:
- 120 mm x 130 mm x 35 mm (4.7" x 5.1" x 1.4")
- 255 g (9 oz)
2.2.1.2 Interfaces
The module provides the following network interfaces:
- 1 x 10/100/1000 Base-T Ethernet (RJ45) Auto-sensing link speed and MDI/MDX
- Antenna (internal)
- 1 x RJ-45 console interface
The module provides the following power interfaces:
- 48 V DC 802.3af power over Ethernet
- 12 V DC for external AC supplied power (adapter sold separately)
2.2.1.3 Indicator LEDs
There are 4 bicolor (power, ENET and WLAN) LEDs which operate as follows:
Table 3 - AP-93 Indicator LEDs
| Label | Function | Action | Status |
|---|---|---|---|
| PWR | AP power / ready status | Off | No power to AP |
| | | Red | Initial power-up condition |
| | | Flashing – Green | Device booting, not ready |
| | | On – Green | Device ready |
| ENET | Ethernet Network Link Status / Activity | Off | Ethernet link unavailable |
| | | On – Amber | 10/100Mbs Ethernet link negotiated |
| | | On – Green | 1000Mbs Ethernet link negotiated |
| | | Flashing | Ethernet link activity |
| 11b/g/n | 2.4GHz Radio Status | Off | 2.4GHz radio disabled |
| | | On – Amber | 2.4GHz radio enabled in WLAN mode |
| | | On – Green | 2.4GHz radio enabled in 802.11n mode |
| | | Flashing - Green | 2.4GHz Air monitor or RF protect sensor |
| 11a/n | 5GHz Radio Status | Off | 5GHz radio disabled |
| | | On - Amber | 5GHz radio enabled in WLAN mode |
| | | On – Green | 5GHz radio enabled in 802.11n mode |
| | | Flashing - Green | 5GHz Air monitor or RF protect sensor |
2.3 AP-105 Series
This section introduces the Aruba AP-120 series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces.
Figure 3 - AP-105 Wireless Access Point
The Aruba AP-105 is a high-performance 802.11n (2x2:2) MIMO, dual-radio (concurrent 802.11a/n + b/g/n) indoor wireless access point capable of delivering combined wireless data rates of up to 600Mbps. This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion detection and prevention over the 2.4GHz and 5GHz RF spectrum. The access point works in conjunction with Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in education, enterprise, finance, government, healthcare, and retail applications.
2.3.1 Physical Description
The Aruba AP-105 Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard plastic case. The module contains two dual-band 2.4-GHz/5-GHz 802.11 a/b/g/n transceivers, and 4 x integrated, omni-directional antenna elements (supporting up to 2x2 MIMO with spatial diversity).
The plastic case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module.
The Access Point configuration tested during the cryptographic module testing included:
| Aruba Part Number | Dell Corresponding Part Number |
|---|---|
| AP-105-F1 | W-AP105-F1 |
The exact firmware versions tested were:
ArubaOS_6xx_6.1.2.3-FIPS
Dell_PCW_6xx_6.1.2.3-FIPS
2.3.1.1 Dimensions/Weight
The AP has the following physical dimensions:
- 132 mm x 135 mm x 45 mm (5.2" x 5.3" x 1.8")
- 0.3 kg (10.56 oz)
2.3.1.2 Interfaces
The module provides the following network interfaces:
- 1 x 10/100/1000 Base-T Ethernet (RJ45) Auto-sensing link speed and MDI/MDX
- Antenna (internal)
- 1 x RJ-45 console interface
The module provides the following power interfaces:
- 48 V DC 802.3af power over Ethernet
- 12 V DC for external AC supplied power (adapter sold separately)
2.3.1.3 Indicator LEDs
There are 4 bicolor (power, ENET and WLAN) LEDs which operate as follows:
Table 4 - AP-105 Indicator LEDs
| Label | Function | Action | Status |
|---|---|---|---|
| PWR | AP power / ready status | Off | No power to AP |
| | | Red | Initial power-up condition |
| | | Flashing – Green | Device booting, not ready |
| | | On – Green | Device ready |
| ENET | Ethernet Network Link Status / Activity | Off | Ethernet link unavailable |
| | | On – Amber | 10/100Mbs Ethernet link negotiated |
| | | On – Green | 1000Mbs Ethernet link negotiated |
| | | Flashing | Ethernet link activity |
| 11b/g/n | 2.4GHz Radio Status | Off | 2.4GHz radio disabled |
| | | On – Amber | 2.4GHz radio enabled in WLAN mode |
| | | On – Green | 2.4GHz radio enabled in 802.11n mode |
| | | Flashing - Green | 2.4GHz Air monitor or RFprotect sensor |
| 11a/n | 5GHz Radio Status | Off | 5GHz radio disabled |
| | | On - Amber | 5GHz radio enabled in WLAN mode |
| | | On – Green | 5GHz radio enabled in 802.11n mode |
| | | Flashing - Green | 5GHz Air monitor or RFprotect sensor |
2.4 AP-175 Series
This section introduces the Aruba AP-175 series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces.
Figure 4 - AP-175 Wireless Access Point
The Aruba AP-175 is a high-performance 802.11n (2x2:2) MIMO, dual-radio (concurrent 802.11a/n + b/g/n) indoor wireless access point capable of delivering combined wireless data rates of up to 600Mbps. This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion detection and prevention over the 2.4GHz and 5GHz RF spectrum. The multifunction AP-175 is an affordable, fully hardened outdoor 802.11n access point (AP) that provides maximum deployment flexibility in high-density campuses, storage yards, warehouses, container/transportation facilities, extreme industrial production areas and other harsh environments.
2.4.1 Physical Description
The Aruba AP-175 Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard case. The module contains two 802.11 a/b/g/n transceivers, and 4 x N-type female interfaces (2 x 2.4 GHz, 2 x 5 GHz) for external antenna support (supports MIMO).
The hard case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module.
The Access Point configuration tested during the cryptographic module testing included:
| Aruba Part Number | Dell Corresponding Part Number |
|---|---|
| AP-175P-F1 | W-AP175P-F1 |
| AP-175AC-F1 | W-AP175AC-F1 |
| AP-175DC-F1 | W-AP175DC-F1 |
The exact firmware versions tested were:
ArubaOS_6xx_6.1.2.3-FIPS
Dell_PCW_6xx_6.1.2.3-FIPS
2.4.1.1 Dimensions/Weight
The AP has the following physical dimensions:
- 260 mm x 240 mm x 105 mm (10.2" x 9.4" x 4.1")
- 3.25 kg (7 lb)
2.4.1.2 Interfaces
The module provides the following network interfaces:
- 1 x 10/100/1000 Base-T Ethernet (RJ45) Auto-sensing link speed and MDI/MDX
- Antenna
  - 4 x N-Type female antenna interfaces
- 1 x RJ-45 console interface
The module provides the following power interfaces:
- AP-175P: 48-volt DC 802.3at power over Ethernet (PoE+)
- AP-175AC: 100-240 volt AC from external AC power source
- AP-175DC: 12-48 volt DC from external DC power source