This document constitutes the non-proprietary Cryptographic Module Security Policy for the AP-134, AP135 Wireless Access Points with FIPS 140-2 Level 2 validation from Aruba Networks. This security policy
describes how the AP meets the security requirements of FIPS 140-2 Level 2, and how to place and
maintain the AP in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2
validation of the product.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More
information about the FIPS 140-2 standard and validation program is available on the National Institute of
Standards and Technology (NIST) Web-site at:
http://csrc.nist.gov/groups/STM/cmvp/index.html
This document can be freely distributed.
1.1 Aruba Dell Relationship
Aruba Networks is the OEM for the Dell PowerConnect W line of products. Dell products are identical to
the Aruba products other than branding, and Dell software is identical to Aruba software other than
branding.
Table 1 - Corresponding Aruba and Dell Part Numbers
NOTE: References to Aruba, ArubaOS, Aruba AP-134 and AP-135 wireless access points apply to
both the Aruba and Dell versions of these products and documentation.
1.2 Acronyms and Abbreviations
AES Advanced Encryption Standard
AP Access Point
CBC Cipher Block Chaining
CLI Command Line Interface
CO Crypto Officer
CPSec Control Plane Security protected
CSEC Communications Security Establishment Canada
CSP Critical Security Parameter
ECO External Crypto Officer
EMC Electromagnetic Compatibility
EMI Electromagnetic Interference
FE Fast Ethernet
GE Gigabit Ethernet
GHz Gigahertz
HMAC Hashed Message Authentication Code
Hz Hertz
IKE Internet Key Exchange
IPsec Internet Protocol security
KAT Known Answer Test
KEK Key Encryption Key
L2TP Layer-2 Tunneling Protocol
LAN Local Area Network
LED Light Emitting Diode
SHA Secure Hash Algorithm
SNMP Simple Network Management Protocol
SPOE Serial & Power Over Ethernet
TEL Tamper-Evident Label
TFTP Trivial File Transfer Protocol
WLAN Wireless Local Area Network
2 Product Overview
Aruba Part Number    Dell Corresponding Part Number
AP-134-F1            W-AP134-F1
This section introduces the various Aruba Wireless Access Points, providing a brief overview and summary
of the physical features of each model covered by this FIPS 140-2 security policy.
2.1 AP-134
This section introduces the Aruba AP-134 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation.
It describes the purpose of the AP, its physical attributes, and its interfaces.
The Aruba AP-134 is a high-performance 802.11n (3x3:3) MIMO, dual-radio (concurrent 802.11a/n + b/g/n)
indoor wireless access point capable of delivering combined wireless data rates of up to 900Mbps. These
multi-function access points provide wireless LAN access, air monitoring, and wireless intrusion detection
and prevention over the 2.4-2.5GHz and 5GHz RF spectrum. The access points work in conjunction with
Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in education,
enterprise, finance, government, healthcare, and retail applications.
2.1.1 Physical Description
The Aruba AP-134 series Access Point is a multi-chip standalone cryptographic module consisting of
hardware and software, all contained in a hard plastic case. The module contains 802.11 a/b/g/n
transceivers and supports external antennas through 3 x dual-band (RP-SMA) antenna interfaces.
The plastic case physically encloses the complete set of hardware and software components and represents
the cryptographic boundary of the module.
The Access Point configuration tested during the cryptographic module testing included:
170 mm (H) x 170 mm (W) x 45 mm.
760 g (1.68 lb)
2.1.1.2 Interfaces
The module provides the following network interfaces:
2 x 10/100/1000 Base-T Ethernet (RJ45) Auto-sensing link speed and MDI/MDX
Antenna
o 3x RP-SMA antenna interfaces (supports up to 3x3 MIMO with spatial diversity)
1 x RJ-45 console interface
The module provides the following power interfaces:
48V DC 802.3af or 802.3at or PoE + interoperable Power-over-Ethernet (PoE) with intelli-source
PSE sourcing intelligence
12V DC for external AC supplied power (adapter sold separately)
2.1.1.3 Indicator LEDs
There are 5 bicolor (power, ENET and WLAN) LEDs which operate as follows:
Table 1 - AP-134 Indicator LEDs
Label         Function                                  Action            Status
PWR           AP power / ready status                   Off               No power to AP
                                                        Red               Initial power-up condition
                                                        Flashing – Green  Device booting, not ready
                                                        On – Green        Device ready
ENET0, ENET1  Ethernet Network Link Status / Activity   Off               Ethernet link unavailable
                                                        On – Amber        10/100Mbps Ethernet link negotiated
                                                        On – Green        1000Mbps Ethernet link negotiated
                                                        Flashing          Ethernet link activity
11b/g/n       2.4GHz Radio Status                       Off               2.4GHz radio disabled
                                                        On – Amber        2.4GHz radio enabled in non-HT WLAN mode
                                                        On – Green        2.4GHz radio enabled in HT WLAN mode
                                                        Flashing – Green  2.4GHz Air monitor
11a/n         5GHz Radio Status                         Off               5GHz radio disabled
                                                        On – Amber        5GHz radio enabled in non-HT WLAN mode
                                                        On – Green        5GHz radio enabled in HT WLAN mode
                                                        Flashing – Green  5GHz Air monitor
2.2 AP-135
Aruba Part Number    Dell Corresponding Part Number
AP-135-F1            W-AP135-F1
This section introduces the Aruba AP-135 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation.
It describes the purpose of the AP, its physical attributes, and its interfaces.
The Aruba AP-135 is a high-performance 802.11n (3x3:3) MIMO, dual-radio (concurrent 802.11a/n + b/g/n)
indoor wireless access point capable of delivering combined wireless data rates of up to 900Mbps. These
multi-function access points provide wireless LAN access, air monitoring, and wireless intrusion detection
and prevention over the 2.4-2.5GHz and 5GHz RF spectrum. The access points work in conjunction with
Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in education,
enterprise, finance, government, healthcare, and retail applications.
2.2.1 Physical Description
The Aruba AP-135 series Access Point is a multi-chip standalone cryptographic module consisting of
hardware and software, all contained in a hard plastic case. The module contains 802.11 a/b/g/n
transceivers and supports 3 integrated omni-directional multi-band dipole antenna elements (supporting up
to 3x3 MIMO with spatial diversity).
The plastic case physically encloses the complete set of hardware and software components and represents
the cryptographic boundary of the module.
The Access Point configuration tested during the cryptographic module testing included:
170 mm (H) x 170 mm (W) x 45 mm.
760 g (1.68 lb)
2.2.1.2 Interfaces
The module provides the following network interfaces:
2 x 10/100/1000 Base-T Ethernet (RJ45) Auto-sensing link speed and MDI/MDX
Antenna
o 3x RP-SMA antenna interfaces (supports up to 3x3 MIMO with spatial diversity)
1 x RJ-45 console interface
The module provides the following power interfaces:
48V DC 802.3af or 802.3at or PoE + interoperable Power-over-Ethernet (PoE) with intelli-source
PSE sourcing intelligence
5V DC for external AC supplied power (adapter sold separately)
2.2.1.3 Indicator LEDs
There are 5 bicolor (power, ENET and WLAN) LEDs which operate as follows:
Table 2 - AP-135 Indicator LEDs
Label         Function                                  Action            Status
PWR           AP power / ready status                   Off               No power to AP
                                                        Red               Initial power-up condition
                                                        Flashing – Green  Device booting, not ready
                                                        On – Green        Device ready
ENET0, ENET1  Ethernet Network Link Status / Activity   Off               Ethernet link unavailable
                                                        On – Amber        10/100Mbps Ethernet link negotiated
                                                        On – Green        1000Mbps Ethernet link negotiated
                                                        Flashing          Ethernet link activity
11b/g/n       2.4GHz Radio Status                       Off               2.4GHz radio disabled
                                                        On – Amber        2.4GHz radio enabled in non-HT WLAN mode
                                                        On – Green        2.4GHz radio enabled in HT WLAN mode
                                                        Flashing – Green  2.4GHz Air monitor
11a/n         5GHz Radio Status                         Off               5GHz radio disabled
                                                        On – Amber        5GHz radio enabled in non-HT WLAN mode
                                                        On – Green        5GHz radio enabled in HT WLAN mode
                                                        Flashing – Green  5GHz Air monitor
3 Module Objectives
This section describes the assurance levels for each of the areas described in the FIPS 140-2 Standard. In
addition, it provides information on placing the module in a FIPS 140-2 approved configuration.
3.1 Security Levels
Section  Section Title                              Level
1        Cryptographic Module Specification         2
2        Cryptographic Module Ports and Interfaces  2
3        Roles, Services, and Authentication        2
4        Finite State Model                         2
5        Physical Security                          2
6        Operational Environment                    N/A
7        Cryptographic Key Management               2
8        EMI/EMC                                    2
9        Self-tests                                 2
10       Design Assurance                           2
11       Mitigation of Other Attacks                N/A
3.2 Physical Security
The Aruba Wireless AP is a scalable, multi-processor standalone network device and is enclosed in a robust
plastic housing. The AP enclosure is resistant to probing (please note that this feature has not been tested as
part of the FIPS 140-2 validation) and is opaque within the visible spectrum. The enclosure of the AP has
been designed to satisfy FIPS 140-2 Level 2 physical security requirements.
3.2.1 Applying TELs
The Crypto Officer is responsible for securing and having control at all times of any unused tamper evident
labels. The Crypto Officer should employ TELs as follows:
Before applying a TEL, make sure the target surfaces are clean and dry.
Do not cut, trim, punch, or otherwise alter the TEL.
Apply the wholly intact TEL firmly and completely to the target surfaces.
Ensure that TEL placement is not defeated by simultaneous removal of multiple modules.
Allow 24 hours for the TEL adhesive seal to completely cure.
Record the position and serial number of each applied TEL in a security log.
For physical security, the AP requires Tamper-Evident Labels (TELs) to allow detection of the opening of
the device, and to block the serial console port (on the bottom of the device). The tamper-evident labels
shall be installed for the module to operate in a FIPS approved mode of operation. To protect the device
from tampering, TELs should be applied by the Crypto Officer as pictured below: