Dell AP-135, W-AP134, W-AP135, AP-134 User Manual


FIPS 140-2 Non-Proprietary Security Policy

for Aruba AP-134, AP-135 and Dell W-AP134, W-AP135 Wireless Access Points

Version 1.2

February 2012

Aruba Networks™

1322 Crossman Ave.

Sunnyvale, CA 94089-1113


1 Introduction ..... 5
1.1 Aruba Dell Relationship ..... 5
1.2 Acronyms and Abbreviations ..... 5
2 Product Overview ..... 7
2.1 AP-134 ..... 7
2.1.1 Physical Description ..... 7
2.1.1.1 Dimensions/Weight ..... 7
2.1.1.2 Interfaces ..... 7
2.1.1.3 Indicator LEDs ..... 8
2.2 AP-135 ..... 9
2.2.1 Physical Description ..... 9
2.2.1.1 Dimensions/Weight ..... 9
2.2.1.2 Interfaces ..... 9
2.2.1.3 Indicator LEDs ..... 10
3 Module Objectives ..... 11
3.1 Security Levels ..... 11
3.2 Physical Security ..... 11
3.2.1 Applying TELs ..... 11
3.2.2 AP-134 TEL Placement ..... 12
3.2.2.1 To detect opening of the chassis cover ..... 12
3.2.2.2 To detect access to restricted ports ..... 12
3.2.3 AP-135 TEL Placement ..... 13
3.2.3.1 To detect opening of the chassis cover ..... 13
3.2.3.2 To detect access to restricted ports ..... 14
3.2.4 Inspection/Testing of Physical Security Mechanisms ..... 15
3.3 Modes of Operation ..... 16
3.3.1 Configuring Remote AP FIPS Mode ..... 16
3.3.2 Configuring Control Plane Security (CPSec) protected AP FIPS mode ..... 17
3.3.3 Configuring Remote Mesh Portal FIPS Mode ..... 18
3.3.4 Configuring Remote Mesh Point FIPS Mode ..... 19
3.3.5 Verify that the module is in FIPS mode ..... 20
3.4 Operational Environment ..... 20
3.5 Logical Interfaces ..... 21
4 Roles, Authentication and Services ..... 22
4.1 Roles ..... 22
4.1.1 Crypto Officer Authentication ..... 22
4.1.2 User Authentication ..... 23
4.1.3 Wireless Client Authentication ..... 23
4.1.4 Strength of Authentication Mechanisms ..... 23
4.2 Services ..... 25
4.2.1 Crypto Officer Services ..... 25
4.2.2 User Services ..... 26
4.2.3 Wireless Client Services ..... 27
4.2.4 Unauthenticated Services ..... 27
5 Cryptographic Algorithms ..... 29
6 Critical Security Parameters ..... 30
7 Self Tests ..... 34

1 Introduction

This document constitutes the non-proprietary Cryptographic Module Security Policy for the AP-134 and AP-135 Wireless Access Points with FIPS 140-2 Level 2 validation from Aruba Networks. This security policy describes how the AP meets the security requirements of FIPS 140-2 Level 2, and how to place and maintain the AP in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2 validation of the product.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) Web-site at:

http://csrc.nist.gov/groups/STM/cmvp/index.html

This document can be freely distributed.

1.1 Aruba Dell Relationship

Aruba Networks is the OEM for the Dell PowerConnect W line of products. Dell products are identical to the Aruba products other than branding and Dell software is identical to Aruba software other than branding.

Table 1 - Corresponding Aruba and Dell Part Numbers

Aruba Part Number    Dell Corresponding Part Number
AP-134-F1            W-AP134-F1
AP-135-F1            W-AP135-F1

NOTE: References to Aruba, ArubaOS, Aruba AP-134 and AP-135 wireless access points apply to both the Aruba and Dell versions of these products and documentation.

1.2 Acronyms and Abbreviations

AES      Advanced Encryption Standard
AP       Access Point
CBC      Cipher Block Chaining
CLI      Command Line Interface
CO       Crypto Officer
CPSec    Control Plane Security protected
CSEC     Communications Security Establishment Canada
CSP      Critical Security Parameter
ECO      External Crypto Officer
EMC      Electromagnetic Compatibility
EMI      Electromagnetic Interference
FE       Fast Ethernet
GE       Gigabit Ethernet
GHz      Gigahertz
HMAC     Hashed Message Authentication Code
Hz       Hertz
IKE      Internet Key Exchange
IPsec    Internet Protocol security
KAT      Known Answer Test
KEK      Key Encryption Key
L2TP     Layer-2 Tunneling Protocol
LAN      Local Area Network
LED      Light Emitting Diode
SHA      Secure Hash Algorithm
SNMP     Simple Network Management Protocol
SPOE     Serial & Power Over Ethernet
TEL      Tamper-Evident Label
TFTP     Trivial File Transfer Protocol
WLAN     Wireless Local Area Network

2 Product Overview

This section introduces the various Aruba Wireless Access Points, providing a brief overview and summary of the physical features of each model covered by this FIPS 140-2 security policy.

2.1 AP-134

This section introduces the Aruba AP-134 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces.

The Aruba AP-134 is a high-performance 802.11n (3x3:3) MIMO, dual-radio (concurrent 802.11a/n + b/g/n) indoor wireless access point capable of delivering combined wireless data rates of up to 900Mbps. This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion detection and prevention over the 2.4-2.5GHz and 5GHz RF spectrum. It works in conjunction with Aruba Mobility Controllers to deliver high-speed, secure, user-centric network services in education, enterprise, finance, government, healthcare, and retail applications.

2.1.1 Physical Description

The Aruba AP-134 series Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard plastic case. The module contains 802.11 a/b/g/n transceivers and supports external antennas through 3 x dual-band RP-SMA antenna interfaces.

The plastic case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module.

The Access Point configuration tested during the cryptographic module testing included:

Aruba Part Number    Dell Corresponding Part Number
AP-134-F1            W-AP134-F1

The exact firmware versions tested were:

ArubaOS_6xx_6.1.2.3-FIPS

Dell_PCW_6xx_6.1.2.3-FIPS

2.1.1.1 Dimensions/Weight

The AP has the following physical dimensions:

- 170 mm (H) x 170 mm (W) x 45 mm
- 760 g (1.68 lb)

2.1.1.2 Interfaces

The module provides the following network interfaces:

- 2 x 10/100/1000 Base-T Ethernet (RJ45), auto-sensing link speed and MDI/MDX
- Antenna
  - 3 x RP-SMA antenna interfaces (supports up to 3x3 MIMO with spatial diversity)
- 1 x RJ-45 console interface

The module provides the following power interfaces:

- 48V DC 802.3af or 802.3at or PoE+ interoperable Power-over-Ethernet (PoE) with intelli-source PSE sourcing intelligence
- 12V DC for external AC supplied power (adapter sold separately)

2.1.1.3 Indicator LEDs

There are 5 bicolor (power, ENET and WLAN) LEDs which operate as follows:

Table 1 - AP-134 Indicator LEDs

Label     Function                  Action            Status
PWR       AP power / ready status   Off               No power to AP
                                    Red               Initial power-up condition
                                    Flashing – Green  Device booting, not ready
                                    On – Green        Device ready
ENET0     Ethernet Network Link     Off               Ethernet link unavailable
ENET1     Status / Activity         On – Amber        10/100Mbps Ethernet link negotiated
                                    On – Green        1000Mbps Ethernet link negotiated
                                    Flashing          Ethernet link activity
11b/g/n   2.4GHz Radio Status       Off               2.4GHz radio disabled
                                    On – Amber        2.4GHz radio enabled in non-HT WLAN mode
                                    On – Green        2.4GHz radio enabled in HT WLAN mode
                                    Flashing – Green  2.4GHz Air monitor
11a/n     5GHz Radio Status         Off               5GHz radio disabled
                                    On – Amber        5GHz radio enabled in non-HT WLAN mode
                                    On – Green        5GHz radio enabled in HT WLAN mode
                                    Flashing – Green  5GHz Air monitor

2.2 AP-135

This section introduces the Aruba AP-135 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces.

The Aruba AP-135 is a high-performance 802.11n (3x3:3) MIMO, dual-radio (concurrent 802.11a/n + b/g/n) indoor wireless access point capable of delivering combined wireless data rates of up to 900Mbps. This multi-function access point provides wireless LAN access, air monitoring, and wireless intrusion detection and prevention over the 2.4-2.5GHz and 5GHz RF spectrum. It works in conjunction with Aruba Mobility Controllers to deliver high-speed, secure, user-centric network services in education, enterprise, finance, government, healthcare, and retail applications.

2.2.1 Physical Description

The Aruba AP-135 series Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard plastic case. The module contains 802.11 a/b/g/n transceivers and supports 3 integrated omni-directional multi-band dipole antenna elements (supporting up to 3x3 MIMO with spatial diversity).

The plastic case physically encloses the complete set of hardware and software components and represents the cryptographic boundary of the module.

The Access Point configuration tested during the cryptographic module testing included:

Aruba Part Number    Dell Corresponding Part Number
AP-135-F1            W-AP135-F1

The exact firmware versions tested were:

ArubaOS_6xx_6.1.2.3-FIPS

Dell_PCW_6xx_6.1.2.3-FIPS

2.2.1.1 Dimensions/Weight

The AP has the following physical dimensions:

- 170 mm (H) x 170 mm (W) x 45 mm
- 760 g (1.68 lb)

2.2.1.2 Interfaces

The module provides the following network interfaces:

- 2 x 10/100/1000 Base-T Ethernet (RJ45), auto-sensing link speed and MDI/MDX
- Antenna
  - 3 x RP-SMA antenna interfaces (supports up to 3x3 MIMO with spatial diversity)
- 1 x RJ-45 console interface

The module provides the following power interfaces:

- 48V DC 802.3af or 802.3at or PoE+ interoperable Power-over-Ethernet (PoE) with intelli-source PSE sourcing intelligence
- 5V DC for external AC supplied power (adapter sold separately)

2.2.1.3 Indicator LEDs

There are 5 bicolor (power, ENET and WLAN) LEDs which operate as follows:

Table 2 - AP-135 Indicator LEDs

Label     Function                  Action            Status
PWR       AP power / ready status   Off               No power to AP
                                    Red               Initial power-up condition
                                    Flashing – Green  Device booting, not ready
                                    On – Green        Device ready
ENET0     Ethernet Network Link     Off               Ethernet link unavailable
ENET1     Status / Activity         On – Amber        10/100Mbps Ethernet link negotiated
                                    On – Green        1000Mbps Ethernet link negotiated
                                    Flashing          Ethernet link activity
11b/g/n   2.4GHz Radio Status       Off               2.4GHz radio disabled
                                    On – Amber        2.4GHz radio enabled in non-HT WLAN mode
                                    On – Green        2.4GHz radio enabled in HT WLAN mode
                                    Flashing – Green  2.4GHz Air monitor
11a/n     5GHz Radio Status         Off               5GHz radio disabled
                                    On – Amber        5GHz radio enabled in non-HT WLAN mode
                                    On – Green        5GHz radio enabled in HT WLAN mode
                                    Flashing – Green  5GHz Air monitor

3 Module Objectives

This section describes the assurance levels for each of the areas described in the FIPS 140-2 Standard. In addition, it provides information on placing the module in a FIPS 140-2 approved configuration.

3.1 Security Levels

Section   Section Title                               Level
1         Cryptographic Module Specification          2
2         Cryptographic Module Ports and Interfaces   2
3         Roles, Services, and Authentication         2
4         Finite State Model                          2
5         Physical Security                           2
6         Operational Environment                     N/A
7         Cryptographic Key Management                2
8         EMI/EMC                                     2
9         Self-tests                                  2
10        Design Assurance                            2
11        Mitigation of Other Attacks                 N/A

3.2 Physical Security

The Aruba Wireless AP is a scalable, multi-processor standalone network device and is enclosed in a robust plastic housing. The AP enclosure is resistant to probing (please note that this feature has not been tested as part of the FIPS 140-2 validation) and is opaque within the visible spectrum. The enclosure of the AP has been designed to satisfy FIPS 140-2 Level 2 physical security requirements.

3.2.1 Applying TELs

The Crypto Officer is responsible for securing and having control at all times of any unused tamper evident labels. The Crypto Officer should employ TELs as follows:

- Before applying a TEL, make sure the target surfaces are clean and dry.
- Do not cut, trim, punch, or otherwise alter the TEL.
- Apply the wholly intact TEL firmly and completely to the target surfaces.
- Ensure that TEL placement is not defeated by simultaneous removal of multiple modules.
- Allow 24 hours for the TEL adhesive seal to completely cure.
- Record the position and serial number of each applied TEL in a security log.

For physical security, the AP requires Tamper-Evident Labels (TELs) to allow detection of the opening of the device, and to block the serial console port (on the bottom of the device). The tamper-evident labels shall be installed for the module to operate in a FIPS approved mode of operation. To protect the device from tampering, TELs should be applied by the Crypto Officer as pictured below:
