Dell AP-105, W- AP92, AP-93, AP-92, AP-175 User Manual

...
0 (0)

FIPS 140-2 Non-Proprietary Security Policy

for Aruba AP-92, AP-93, AP-105, AP-175 Dell W- AP92, W-AP93, W-AP105 and W-AP175

Wireless Access Points

Version 1.2

Feb. 2012

Aruba Networks™

1322 Crossman Ave.

Sunnyvale, CA 94089-1113

1

Dell AP-105, W- AP92, AP-93, AP-92, AP-175 User Manual

2

1

INTRODUCTION ..................................................................................................................................

5

 

1.1

ARUBA DELL RELATIONSHIP .............................................................................................................

5

 

1.2

ACRONYMS AND ABBREVIATIONS .....................................................................................................

5

2

PRODUCT OVERVIEW.......................................................................................................................

7

 

2.1

AP-92

................................................................................................................................................

7

 

2.1.1

Physical ..................................................................................................................Description

7

 

 

2.1.1.1 ............................................................................................................

Dimensions/Weight

8

 

 

2.1.1.2 .............................................................................................................................

Interfaces

8

 

 

2.1.1.3 ....................................................................................................................

Indicator LEDs

8

 

2.2

AP-93................................................................................................................................................

 

9

 

2.2.1

Physical ..................................................................................................................Description

9

 

 

2.2.1.1 ...........................................................................................................

Dimensions/Weight

10

 

 

2.2.1.2 ............................................................................................................................

Interfaces

10

 

 

2.2.1.3 ...................................................................................................................

Indicator LEDs

10

 

2.3

AP-105 .................................................................................................................................SERIES

11

 

2.3.1

Physical .................................................................................................................Description

12

 

 

2.3.1.1 ...........................................................................................................

Dimensions/Weight

12

 

 

2.3.1.2 ............................................................................................................................

Interfaces

12

 

 

2.3.1.3 ...................................................................................................................

Indicator LEDs

12

 

2.4

AP-175 .................................................................................................................................SERIES

13

 

2.4.1

Physical .................................................................................................................Description

14

 

 

2.4.1.1 ...........................................................................................................

Dimensions/Weight

14

 

 

2.4.1.2 ............................................................................................................................

Interfaces

14

 

 

2.4.1.3 ...................................................................................................................

Indicator LEDs

15

3

MODULE ....................................................................................................................OBJECTIVES

16

 

3.1

SECURITY ............................................................................................................................LEVELS

16

 

3.2

PHYSICAL ........................................................................................................................SECURITY

16

 

3.2.1

Applying ..........................................................................................................................TELs

16

 

3.2.2

AP ..............................................................................................................-92 TEL Placement

17

 

 

3.2.2.1 ...................................................................................To detect access to restricted ports:

17

 

 

3.2.2.2 .............................................................................To detect opening of the chassis cover:

17

 

3.2.3

AP ..............................................................................................................-93 TEL Placement

19

 

 

3.2.3.1 ...................................................................................To detect access to restricted ports:

19

 

 

3.2.3.2 .............................................................................To detect opening of the chassis cover:

19

 

3.2.4

AP ............................................................................................................-105 TEL Placement

21

 

 

3.2.4.1 .............................................................................To detect opening of the chassis cover:

21

 

 

3.2.4.2 ...................................................................................To detect access to restricted ports:

21

 

 

 

 

3

 

 

3.2.5

AP-175 TEL Placement ............................................................................................................

23

 

 

3.2.5.1 To detect access to restricted ports: ...................................................................................

23

 

 

3.2.5.2 To detect opening of the chassis cover: .............................................................................

23

 

3.2.6 Inspection/Testing of Physical Security Mechanisms ...............................................................

25

 

3.3

MODES OF OPERATION .....................................................................................................................

26

 

3.3.1 Configuring Remote AP FIPS Mode .........................................................................................

26

 

3.3.2 Configuring Control Plane Security (CPSec) protected AP FIPS mode ..................................

27

 

3.3.3 Configuring Remote Mesh Portal FIPS Mode ..........................................................................

28

 

3.3.4 Configuring Remote Mesh Point FIPS Mode............................................................................

29

 

3.3.5 Verify that the module is in FIPS mode ....................................................................................

30

 

3.4

OPERATIONAL ENVIRONMENT..........................................................................................................

30

 

3.5

LOGICAL INTERFACES ......................................................................................................................

31

4 ROLES, AUTHENTICATION AND SERVICES .............................................................................

32

 

4.1

ROLES...............................................................................................................................................

32

 

4.1.1

Crypto Officer Authentication...................................................................................................

32

 

4.1.2

User Authentication ..................................................................................................................

33

 

4.1.3

Wireless Client Authentication .................................................................................................

33

 

4.1.4 Strength of Authentication Mechanisms ...................................................................................

33

 

4.2

SERVICES..........................................................................................................................................

35

 

4.2.1

Crypto Officer Services.............................................................................................................

35

 

4.2.2

User Services ............................................................................................................................

36

 

4.2.3

Wireless Client Services............................................................................................................

37

 

4.2.4

Unauthenticated Services..........................................................................................................

37

5

CRYPTOGRAPHIC ALGORITHMS................................................................................................

39

6

CRITICAL SECURITY PARAMETERS..........................................................................................

40

7

SELF TESTS.........................................................................................................................................

44

4

1 Introduction

This document constitutes the non-proprietary Cryptographic Module Security Policy for the AP-92, AP93, AP-105 and AP-175 Wireless Access Points with FIPS 140-2 Level 2 validation from Aruba Networks. This security policy describes how the AP meets the security requirements of FIPS 140-2 Level 2, and how to place and maintain the AP in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2 validation of the product.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) Web-site at:

http://csrc.nist.gov/groups/STM/cmvp/index.html

This document can be freely distributed.

1.1 Aruba Dell Relationship

Aruba Networks is the OEM for the Dell PowerConnect W line of products. Dell products are identical to the Aruba products other than branding and Dell software is identical to Aruba software other than branding.

Table 1 - Corresponding Aruba and Dell Part Numbers

Aruba Part Number

Dell Corresponding Part Number

 

 

AP-92-F1

W-AP92-F1

 

 

AP-93-F1

W-AP93-F1

 

 

AP-105-F1

W-AP105-F1

 

 

AP-175P-F1

W-AP175P-F1

 

 

AP-175AC-F1

W-AP175AC-F1

 

 

AP-175DC-F1

W-AP175DC-F1

 

 

NOTE: References to Aruba, ArubaOS, Aruba AP-92, Aruba AP-93, Aruba AP-105 and Aruba AP-175 wireless access points apply to both the Aruba and Dell versions of these products and documentation.

1.2 Acronyms and Abbreviations

AES

Advanced Encryption Standard

AP

Access Point

CBC

Cipher Block Chaining

CLI

Command Line Interface

CO

Crypto Officer

CPSec

Control Plane Security protected

CSEC

Communications Security Establishment Canada

CSP

Critical Security Parameter

ECO

External Crypto Officer

EMC

Electromagnetic Compatibility

EMI

Electromagnetic Interference

FE

Fast Ethernet

5

GE

Gigabit Ethernet

GHz

Gigahertz

HMAC

Hashed Message Authentication Code

Hz

Hertz

IKE

Internet Key Exchange

IPSec

Internet Protocol security

KAT

Known Answer Test

KEK

Key Encryption Key

L2TP

Layer-2 Tunneling Protocol

LAN

Local Area Network

LED

Light Emitting Diode

SHA

Secure Hash Algorithm

SNMP

Simple Network Management Protocol

SPOE

Serial & Power Over Ethernet

TEL

Tamper-Evident Label

TFTP

Trivial File Transfer Protocol

WLAN

Wireless Local Area Network

6

2 Product Overview

This section introduces the various Aruba Wireless Access Points, providing a brief overview and summary of the physical features of each model covered by this FIPS 140-2 security policy.

2.1 AP-92

This section introduces the Aruba AP-92 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces.

Figure 1 - AP-92 Wireless Access Point

The Aruba AP-92 is robust-performance 802.11n (2x2:2) MIMO, single radio supporting 2.4 GHz or 5 GHz (802.11a/ b/g/n), indoor wireless access points capable of delivering wireless data rates of up to 300Mbps. This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion detection and prevention. The access point works in conjunction with Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in education, enterprise, finance, government, healthcare, and retail applications.

2.1.1 Physical Description

The Aruba AP-92 series Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard plastic case. The module contains 802.11 a/b/g/n transceiver and supports external antennas through dual, detachable antenna interface

The plastic case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module.

The Access Point configuration tested during the cryptographic module testing included:

Aruba Part Number

Dell Corresponding Part Number

 

 

AP-92-F1

W-AP92-F1

 

 

7

The exact firmware versions tested were:

ArubaOS_6xx_6.1.2.3-FIPS

Dell_PCW_6xx_6.1.2.3-FIPS

2.1.1.1Dimensions/Weight

The AP has the following physical dimensions:

120 mm x 130 mm x 35 mm (4.7" x 5.1" x 1.4")

255 g (9 oz)

2.1.1.2Interfaces

The module provides the following network interfaces:

1 x 10/100/1000 Base-T Ethernet (RJ45) Auto-sensing link speed and MDI/MDX

Antenna

o2x RP-SMA antenna interfaces (supports up to 2x2 MIMO with spatial diversity)

1 x RJ-45 console interface

The module provides the following power interfaces:

48 V DC 802.3af power over Ethernet

12 V DC for external AC supplied power (adapter sold separately)

2.1.1.3Indicator LEDs

There are 4 bicolor (power, ENET and WLAN) LEDs which operate as follows:

Table 2- AP-92 Indicator LEDs

Label

Function

Action

Status

 

 

 

 

 

 

 

 

PWR

AP power / ready status

Off

No power to AP

 

 

 

 

 

 

 

 

 

Red

Initial power-up condition

 

 

 

 

 

 

 

 

Flashing – Green

Device booting, not ready

 

 

 

 

 

 

 

 

 

On – Green

Device ready

 

 

 

 

 

 

 

ENET

Ethernet Network Link

Off

Ethernet link unavailable

 

 

Status / Activity

 

 

 

 

 

On – Amber

10/100Mbs

Ethernet

link

 

 

 

 

 

negotiated

 

 

 

 

 

 

 

 

On – Green

1000Mbs Ethernet link negotiated

 

 

 

 

 

 

 

Flashing

Ethernet link activity

 

 

 

 

 

 

11b/g/n

2.4GHz Radio Status

Off

2.4GHz radio disabled

 

 

 

 

 

 

 

On – Amber

2.4GHz radio enabled in WLAN

 

 

 

mode

 

 

 

 

 

 

 

 

8

Label

Function

Action

Status

 

 

 

 

 

 

On – Green

2.4GHz radio enabled in 802.11n

 

 

 

mode

 

 

 

 

 

 

Flashing - Green

2.4GHz Air monitor or RF protect

 

 

 

sensor

 

 

 

 

11a/n

5GHz Radio Status

Off

5GHz radio disabled

 

 

 

 

 

 

On - Amber

5GHz radio enabled in WLAN

 

 

 

mode

 

 

 

 

 

 

On – Green

5GHz radio enabled in 802.11n

 

 

 

mode

 

 

 

 

 

 

Flashing - Green

5GHz Air monitor or RF protect

 

 

 

sensor

 

 

 

 

2.2 AP-93

This section introduces the Aruba AP-93 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces.

Figure 2 - AP-93 Wireless Access Point

The Aruba AP-93 is robust-performance 802.11n (2x2:2) MIMO, single radio supporting 2.4 GHz or 5 GHz (802.11a/ b/g/n), indoor wireless access points capable of delivering wireless data rates of up to 300Mbps. This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion detection and prevention. The access point works in conjunction with Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in education, enterprise, finance, government, healthcare, and retail applications.

2.2.1 Physical Description

The Aruba AP-93 series Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard plastic case. The module contains 802.11 a/b/g/n transceiver and 2 integrated omni-directional multi-band dipole antenna elements (supporting up to 2x2 MIMO with spatial diversity).

9

The plastic case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module.

The Access Point configuration tested during the cryptographic module testing included:

Aruba Part Number

Dell Corresponding Part Number

 

 

AP-93-F1

W-AP93-F1

 

 

The exact firmware versions tested were:

ArubaOS_6xx_6.1.2.3-FIPS

Dell_PCW_6xx_6.1.2.3-FIPS

2.2.1.1Dimensions/Weight

The AP has the following physical dimensions:

120 mm x 130 mm x 35 mm (4.7" x 5.1" x 1.4")

255 g (9 oz)

2.2.1.2Interfaces

The module provides the following network interfaces:

1 x 10/100/1000 Base-T Ethernet (RJ45) Auto-sensing link speed and MDI/MDX

Antenna (internal)

1 x RJ-45 console interface

The module provides the following power interfaces:

48 V DC 802.3af power over Ethernet

12 V DC for external AC supplied power (adapter sold separately)

2.2.1.3Indicator LEDs

There are 4 bicolor (power, ENET and WLAN) LEDs which operate as follows:

Table 3- AP-93 Indicator LEDs

Label

Function

Action

Status

 

 

 

 

 

 

 

 

PWR

AP power / ready status

Off

No power to AP

 

 

 

 

 

 

 

 

 

Red

Initial power-up condition

 

 

 

 

 

 

 

 

Flashing – Green

Device booting, not ready

 

 

 

 

 

 

 

 

 

On – Green

Device ready

 

 

 

 

 

 

 

ENET

Ethernet Network Link

Off

Ethernet link unavailable

 

 

Status / Activity

 

 

 

 

 

On – Amber

10/100Mbs

Ethernet

link

 

 

 

 

 

negotiated

 

 

 

 

 

 

 

 

On – Green

1000Mbs Ethernet link negotiated

 

 

 

 

 

 

10

Label

Function

Action

Status

 

 

 

 

 

 

Flashing

Ethernet link activity

 

 

 

 

11b/g/n

2.4GHz Radio Status

Off

2.4GHz radio disabled

 

 

 

 

 

 

On – Amber

2.4GHz radio enabled in WLAN

 

 

 

mode

 

 

 

 

 

 

On – Green

2.4GHz radio enabled in 802.11n

 

 

 

mode

 

 

 

 

 

 

Flashing - Green

2.4GHz Air monitor or RF protect

 

 

 

sensor

 

 

 

 

11a/n

5GHz Radio Status

Off

5GHz radio disabled

 

 

 

 

 

 

On - Amber

5GHz radio enabled in WLAN

 

 

 

mode

 

 

 

 

 

 

On – Green

5GHz radio enabled in 802.11n

 

 

 

mode

 

 

 

 

 

 

Flashing - Green

5GHz Air monitor or RF protect

 

 

 

sensor

 

 

 

 

2.3 AP-105 Series

This section introduces the Aruba AP-120 series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces.

Figure 3 - AP-105 Wireless Access Point

The Aruba AP-105 is high-performance 802.11n (2x2:2) MIMO, dual-radio (concurrent 802.11a/n + b/g/n) indoor wireless access points capable of delivering combined wireless data rates of up to 600Mbps. This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion detection and prevention over the 2.4GHz and 5GHz RF spectrum. The access point works in conjunction with Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in education, enterprise, finance, government, healthcare, and retail applications.

11

2.3.1 Physical Description

The Aruba AP-105 Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard plastic case. The module contains two dual-band 2.4-GHz/5-GHz 802.11 a/b/g/n transceivers, and 4 x integrated, omni-directional antenna elements (supporting up to 2x2 MIMO with spatial diversity).

The plastic case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module.

The Access Point configuration tested during the cryptographic module testing included:

Aruba Part Number

Dell Corresponding Part Number

 

 

AP-105-F1

W-AP105-F1

 

 

The exact firmware versions tested were:

ArubaOS_6xx_6.1.2.3-FIPS

Dell_PCW_6xx_6.1.2.3-FIPS

2.3.1.1Dimensions/Weight

The AP has the following physical dimensions:

132 mm x 135 mm x 45 mm (5.2" x 5.3" x 1.8")

0.3 kg (10.56 oz)

2.3.1.2Interfaces

The module provides the following network interfaces:

1 x 10/100/1000 Base-T Ethernet (RJ45) Auto-sensing link speed and MDI/MDX

Antenna (internal)

1 x RJ-45 console interface

The module provides the following power interfaces:

48 V DC 802.3af power over Ethernet

12 V DC for external AC supplied power (adapter sold separately)

2.3.1.3Indicator LEDs

There are 4 bicolor (power, ENET and WLAN) LEDs which operate as follows:

Table 4- AP-105 Indicator LEDs

Label

Function

Action

Status

 

 

 

 

PWR

AP power / ready status

Off

No power to AP

 

 

 

 

 

 

Red

Initial power-up condition

 

 

 

 

 

 

Flashing – Green

Device booting, not ready

 

 

 

 

 

 

On – Green

Device ready

 

 

 

 

12

ENET

Ethernet Network Link

Off

Ethernet link unavailable

 

Status / Activity

 

 

 

On – Amber

10/100Mbs Ethernet link negotiated

 

 

 

 

 

 

 

 

On – Green

1000Mbs Ethernet link negotiated

 

 

 

 

 

 

Flashing

Ethernet link activity

 

 

 

 

11b/g/n

2.4GHz Radio Status

Off

2.4GHz radio disabled

 

 

 

 

 

 

On – Amber

2.4GHz radio enabled in WLAN mode

 

 

 

 

 

 

On – Green

2.4GHz radio enabled in 802.11n mode

 

 

 

 

 

 

Flashing - Green

2.4GHz Air monitor or RFprotect sensor

 

 

 

 

11a/n

5GHz Radio Status

Off

5GHz radio disabled

 

 

 

 

 

 

On - Amber

5GHz radio enabled in WLAN mode

 

 

 

 

 

 

On – Green

5GHz radio enabled in 802.11n mode

 

 

 

 

 

 

Flashing - Green

5GHz Air monitor or RFprotect sensor

 

 

 

 

2.4 AP-175 Series

This section introduces the Aruba AP-175 series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces.

Figure 4 - AP-175 Wireless Access Point

The Aruba AP-175 is high-performance 802.11n (2x2:2) MIMO, dual-radio (concurrent 802.11a/n + b/g/n) indoor wireless access points capable of delivering combined wireless data rates of up to 600Mbps. This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion detection and prevention over the 2.4GHz and 5GHz RF spectrum. The multifunction AP-175 is an affordable, fully hardened outdoor 802.11n access point (AP) that provides maximum deployment flexibility in high-density campuses, storage yards, warehouses, container/transportation facilities, extreme industrial production areas and other harsh environments.

13

2.4.1 Physical Description

The Aruba AP-175 Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard case. The module contains two 802.11 a/b/g/n transceivers, and 4 x N- type female interfaces (2 x 2.4 GHz, 2 x 5 GHz) for external antenna support (supports MIMO)

The hard case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module.

The Access Point configuration tested during the cryptographic module testing included:

Aruba Part Number

Dell Corresponding Part Number

 

 

AP-175P-F1

W-AP175P-F1

 

 

AP-175AC-F1

W-AP175AC-F1

 

 

AP-175DC-F1

W-AP175DC-F1

 

 

The exact firmware versions tested were:

ArubaOS_6xx_6.1.2.3-FIPS

Dell_PCW_6xx_6.1.2.3-FIPS

2.4.1.1Dimensions/Weight

The AP has the following physical dimensions:

260 mm x 240 mm x 105 mm (10.2" x 9.4" x4.1")

3.25 kg (7 lb)

2.4.1.2Interfaces

The module provides the following network interfaces:

1 x 10/100/1000 Base-T Ethernet (RJ45) Auto-sensing link speed and MDI/MDX

Antenna

o4 x N-Type female antenna interfaces

1 x RJ-45 console interface

The module provides the following power interfaces:

AP-175P: 48-volt DC 802.3at power over Ethernet (PoE+)

AP-175AC: 100-240 volt AC from external AC power source

AP-175DC: 12-48 volt DC from external DC power source

14

Loading...
+ 31 hidden pages