Dell W- FIPS Quick Reference Guide

FIPS 140-2 Non-Proprietary Security Policy
for Aruba AP-120 Series and Dell W-AP120 Series
Wireless Access Points
Version 1.4
February 2012
Aruba Networks™
Sunnyvale, CA 94089-1113
1 INTRODUCTION .................................................................................................................................. 5
1.1 ARUBA DELL RELATIONSHIP ............................................................................................................. 5
1.2 ACRONYMS AND ABBREVIATIONS ..................................................................................................... 5
2 PRODUCT OVERVIEW ....................................................................................................................... 7
2.1 ARUBA AP-120 SERIES ..................................................................................................................... 7
2.1.1 Physical Description .................................................................................................................. 7
2.1.1.1 Dimensions/Weight ............................................................................................................ 8
2.1.1.2 Interfaces ............................................................................................................................. 8
2.1.1.3 Indicator LEDs .................................................................................................................... 8
3 MODULE OBJECTIVES .................................................................................................................... 10
3.1 SECURITY LEVELS ............................................................................................................................10
3.2 PHYSICAL SECURITY ........................................................................................................................10
3.2.1 Applying TELs ..........................................................................................................................10
3.2.2 Aruba AP-124 TEL Placement ..................................................................................................11
3.2.2.1 To detect opening of the chassis cover: .............................................................................11
3.2.2.2 To detect access to restricted ports ....................................................................................11
3.2.3 Aruba AP-125 TEL Placement ..................................................................................................13
3.2.3.1 To detect opening of the chassis cover: .............................................................................13
3.2.3.2 To detect access to restricted ports ....................................................................................13
3.2.4 Inspection/Testing of Physical Security Mechanisms ...............................................................16
3.3 MODES OF OPERATION .....................................................................................................................17
3.3.1 Configuring Remote AP FIPS Mode .........................................................................................17
3.3.2 Configuring Control Plane Security (CPSec) protected AP FIPS mode ..................................18
3.3.3 Configuring Remote Mesh Portal FIPS Mode ..........................................................................19
3.3.4 Configuring Remote Mesh Point FIPS Mode ............................................................................20
3.3.5 Verify that the module is in FIPS mode ....................................................................................21
3.4 OPERATIONAL ENVIRONMENT ..........................................................................................................21
3.5 LOGICAL INTERFACES ......................................................................................................................22
4 ROLES, AUTHENTICATION, AND SERVICES ............................................................................ 23
4.1 ROLES...............................................................................................................................................23
4.1.1 Crypto Officer Authentication ...................................................................................................23
4.1.2 User Authentication ..................................................................................................................24
4.1.3 Wireless Client Authentication .................................................................................................24
4.1.4 Strength of Authentication Mechanisms ...................................................................................24
4.2 SERVICES ..........................................................................................................................................26
4.2.1 Crypto Officer Services .............................................................................................................26
4.2.2 User Services ............................................................................................................................27
4.2.3 Wireless Client Services ............................................................................................................28
4.2.4 Unauthenticated Services..........................................................................................................29
5 CRYPTOGRAPHIC ALGORITHMS ................................................................................................ 30
6 CRITICAL SECURITY PARAMETERS .......................................................................................... 31
7 SELF TESTS ......................................................................................................................................... 35
1 Introduction
This document constitutes the non-proprietary Cryptographic Module Security Policy for the AP-120 series Wireless Access Points with FIPS 140-2 Level 2 validation from Aruba Networks. This security policy describes how the AP meets the security requirements of FIPS 140-2 Level 2, and how to place and maintain the AP in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2 validation of the product.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) Web-site at:
http://csrc.nist.gov/groups/STM/cmvp/index.html
This document can be freely distributed.
1.1 Aruba Dell Relationship
Aruba Networks is the OEM for the Dell PowerConnect W line of products. Dell products are identical to the Aruba products other than branding and Dell firmware is identical to Aruba firmware other than branding.
Table 1 - Corresponding Aruba and Dell Part Numbers
Aruba Part Number    Dell Corresponding Part Number
AP-124-F1            W-AP124-F1
AP-125-F1            W-AP125-F1
NOTE: References to Aruba, ArubaOS, Aruba AP-120 Series wireless access points apply to both the Aruba and Dell versions of these products and documentation.
1.2 Acronyms and Abbreviations
AES     Advanced Encryption Standard
AP      Access Point
CBC     Cipher Block Chaining
CLI     Command Line Interface
CO      Crypto Officer
CPSec   Control Plane Security protected
CSEC    Communications Security Establishment Canada
CSP     Critical Security Parameter
ECO     External Crypto Officer
EMC     Electromagnetic Compatibility
EMI     Electromagnetic Interference
FE      Fast Ethernet
GE      Gigabit Ethernet
GHz     Gigahertz
HMAC    Hashed Message Authentication Code
Hz      Hertz
IKE     Internet Key Exchange
IPSec   Internet Protocol security
KAT     Known Answer Test
KEK     Key Encryption Key
L2TP    Layer-2 Tunneling Protocol
LAN     Local Area Network
LED     Light Emitting Diode
SHA     Secure Hash Algorithm
SNMP    Simple Network Management Protocol
SPOE    Serial & Power Over Ethernet
TEL     Tamper-Evident Label
TFTP    Trivial File Transfer Protocol
WLAN    Wireless Local Area Network
2 Product Overview
This section introduces the various Aruba Wireless Access Points, providing a brief overview and summary of the physical features of each model covered by this FIPS 140-2 security policy.
2.1 Aruba AP-120 Series
This section introduces the Aruba AP-120 series Wireless Access Points (APs) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces.
Figure 1 – Aruba AP-120 Series Wireless Access Points
The Aruba AP-124 and AP-125 are high-performance 802.11n (3x3) MIMO, dual-radio (concurrent 802.11a/n + b/g/n) indoor wireless access points capable of delivering combined wireless data rates of up to 600Mbps. These multi-function access points provide wireless LAN access, air monitoring, and wireless intrusion detection and prevention over the 2.4-2.5GHz and 5GHz RF spectrum. The access points work in conjunction with Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in education, enterprise, finance, government, healthcare, and retail applications.
2.1.1 Physical Description
The Aruba AP-120 series Access Point is a multi-chip standalone cryptographic module consisting of hardware and firmware, all contained in a hard plastic case. The module contains IEEE 802.11a, 802.11b, 802.11g, and 802.11n transceivers, and up to 3 integrated or external omni-directional multi-band dipole antenna elements may be attached to the module.
The plastic case physically encloses the complete set of hardware and firmware components and represents the cryptographic boundary of the module.
The Access Point configuration tested during the cryptographic module testing included:
Aruba Part Number    Dell Corresponding Part Number
AP-124-F1            W-AP124-F1
AP-125-F1            W-AP125-F1
The exact firmware versions tested were:
ArubaOS_6xx_6.1.2.3-FIPS
Dell_PCW_6xx_6.1.2.3-FIPS
2.1.1.1 Dimensions/Weight
The AP has the following physical dimensions:
4.9” x 5.13” x 2.0” (124mm x 130mm x 51mm) 15oz (0.42 Kgs)
2.1.1.2 Interfaces
The module provides the following network interfaces:
2 x 10/100/1000 Base-T Ethernet (RJ45), auto-sensing link speed and MDI/MDX
Antenna (model Aruba AP-124 only)
o 3 x RP-SMA antenna interfaces (supports up to 3x3 MIMO with spatial diversity)
1 x RJ-45 console interface
The module provides the following power interfaces:
48V DC 802.3af or 802.3at or PoE+ interoperable Power-over-Ethernet (PoE) with intelli-source PSE sourcing intelligence
5V DC for external AC supplied power (adapter sold separately)
2.1.1.3 Indicator LEDs
There are 5 bicolor (power, ENET 0, 1, and WLAN) LEDs which operate as follows:
Table 1- Indicator LEDs
Label                     Function                                   Action             Status
PWR                       AP power / ready status                    Off                No power to AP
                                                                     Red                Power applied, bootloader starting
                                                                     Flashing - Green   Device booting, not ready
                                                                     On - Green         Device ready
ENET 0                    Ethernet Network Link Status / Activity    Off                Ethernet link unavailable
                                                                     On - Amber         10/100Mbps Ethernet link negotiated
                                                                     On - Green         1000Mbps Ethernet link negotiated
                                                                     Flashing           Ethernet link activity
ENET 1 (Dual radio only)  Ethernet Network Link Status / Activity    Off                Ethernet link unavailable
                                                                     On - Amber         10/100Mbps Ethernet link negotiated
                                                                     On - Green         1000Mbps Ethernet link negotiated
                                                                     Flashing           Ethernet link activity
WLAN 2.4GHz               2.4GHz Radio Status                        Off                2.4GHz radio disabled
                                                                     On - Amber         2.4GHz radio enabled in WLAN mode
                                                                     On - Green         2.4GHz radio enabled in 802.11n mode
                                                                     Flashing           2.4GHz Air monitor
WLAN 5GHz                 5GHz Radio Status                          Off                5GHz radio disabled
                                                                     On - Amber         5GHz radio enabled in WLAN mode
                                                                     On - Green         5GHz radio enabled in 802.11n mode
                                                                     Flashing           2.4GHz Air monitor
3 Module Objectives
This section describes the assurance levels for each of the areas described in the FIPS 140-2 Standard. In addition, it provides information on placing the module in a FIPS 140-2 approved configuration.
3.1 Security Levels
Section   Section Title                                Level
1         Cryptographic Module Specification           2
2         Cryptographic Module Ports and Interfaces    2
3         Roles, Services, and Authentication          2
4         Finite State Model                           2
5         Physical Security                            2
6         Operational Environment                      N/A
7         Cryptographic Key Management                 2
8         EMI/EMC                                      2
9         Self-tests                                   2
10        Design Assurance                             2
11        Mitigation of Other Attacks                  N/A
3.2 Physical Security
The Aruba Wireless AP is a scalable, multi-processor standalone network device and is enclosed in a robust plastic housing. The AP enclosure is resistant to probing (please note that this feature has not been tested as part of the FIPS 140-2 validation) and is opaque within the visible spectrum. The enclosure of the AP has been designed to satisfy FIPS 140-2 Level 2 physical security requirements.
3.2.1 Applying TELs
The Crypto Officer is responsible for securing and having control at all times of any unused tamper evident labels. The Crypto Officer should employ TELs as follows:
Before applying a TEL, make sure the target surfaces are clean and dry.
Do not cut, trim, punch, or otherwise alter the TEL.
Apply the wholly intact TEL firmly and completely to the target surfaces.
Ensure that TEL placement is not defeated by simultaneous removal of multiple modules.
Allow 24 hours for the TEL adhesive seal to completely cure.
Record the position and serial number of each applied TEL in a security log.
For physical security, the AP requires Tamper-Evident Labels (TELs) to allow detection of the opening of the device, and to block the serial console port (on the bottom of the device). To protect the device from tampering, TELs should be applied by the Crypto Officer as pictured below:
3.2.2 Aruba AP-124 TEL Placement
This section displays all the TEL locations on the Aruba AP-124. The AP-124 requires a minimum of 3 TELs to be applied as follows:
3.2.2.1 To detect opening of the chassis cover:
1. Spanning the left chassis cover and the top and bottom chassis covers
2. Spanning the right chassis cover and the top and bottom chassis covers
3.2.2.2 To detect access to restricted ports
3. Spanning the serial port
The tamper-evident labels shall be installed for the module to operate in a FIPS approved mode of operation.
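The Crypto Officer duties in sections 3.2.1 and 3.2.2 (keep control of all unused TELs, record position and serial number of each applied TEL in a security log, allow 24 hours for the adhesive to cure, and have all three AP-124 positions covered) are easy to get wrong by hand across a fleet. The script below is an added example, not part of the Security Policy or of any Aruba/Dell tooling: it reconciles a constructed security log against a list of TEL serials issued to the Crypto Officer and the serials still held unused. The CSV layout of the log and the position names `left-cover-span`, `right-cover-span` and `serial-port` are assumptions made for this example; the required-position set and the 24-hour cure period come from the policy text.

```python
"""Reconcile a TEL security log against the AP-124 placement requirements (added example)."""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from datetime import datetime, timedelta

# Minimum TEL placements the policy requires on the Aruba AP-124.
# Position names are an assumption of this example, not policy terminology.
REQUIRED_POSITIONS_AP124 = frozenset({
    "left-cover-span",   # spans the left chassis cover and the top/bottom covers
    "right-cover-span",  # spans the right chassis cover and the top/bottom covers
    "serial-port",       # blocks the serial console port
})
CURE_TIME = timedelta(hours=24)  # adhesive cure period stated in section 3.2.1

# Constructed sample security log; layout (serial,position,applied_at) is assumed.
SAMPLE_LOG = """\
# serial,position,applied_at
TEL-0001,left-cover-span,2012-02-01T09:00:00
TEL-0002,right-cover-span,2012-02-01T09:05:00
TEL-0003,serial-port,2012-02-01T09:10:00
"""


@dataclass(frozen=True)
class TelRecord:
    serial: str
    position: str
    applied_at: datetime


def parse_log(text: str) -> list[TelRecord]:
    """Parse the log text; blank lines and '#' comment lines are skipped."""
    records: list[TelRecord] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected 3 fields, got {len(parts)}")
        serial, position, applied = parts
        records.append(TelRecord(serial, position, datetime.fromisoformat(applied)))
    return records


def reconcile(records: list[TelRecord], issued: set[str], unused: set[str],
              inspected_at: datetime,
              required: frozenset[str] = REQUIRED_POSITIONS_AP124) -> dict[str, list[str]]:
    """Return findings keyed by problem type; an empty dict means the log passes."""
    findings: dict[str, list[str]] = {}
    counts = Counter(r.serial for r in records)
    applied = set(counts)
    positions = {r.position for r in records}

    # Every required position must appear in the log.
    missing = required - positions
    if missing:
        findings["missing_positions"] = sorted(missing)
    # A serial number should only ever be applied once.
    duplicates = [s for s, n in counts.items() if n > 1]
    if duplicates:
        findings["duplicate_serials"] = sorted(duplicates)
    # Applied labels must come from the issued stock.
    unknown = applied - issued
    if unknown:
        findings["unknown_serials"] = sorted(unknown)
    # Issued stock must be either applied or still held unused: nothing may go missing.
    unaccounted = issued - applied - unused
    if unaccounted:
        findings["unaccounted_serials"] = sorted(unaccounted)
    # A label cannot be both applied and still in the unused stock.
    both = applied & unused
    if both:
        findings["applied_and_unused"] = sorted(both)
    # Labels inspected before the cure period has elapsed are not yet reliable.
    uncured = [r.serial for r in records if inspected_at - r.applied_at < CURE_TIME]
    if uncured:
        findings["not_yet_cured"] = sorted(uncured)
    return findings


if __name__ == "__main__":
    issued_stock = {"TEL-0001", "TEL-0002", "TEL-0003", "TEL-0004", "TEL-0005"}
    held_unused = {"TEL-0004", "TEL-0005"}
    result = reconcile(parse_log(SAMPLE_LOG), issued_stock, held_unused,
                       datetime(2012, 2, 2, 10, 0))
    print("PASS" if not result else f"FINDINGS: {result}")
```

Run it against a real log by replacing `SAMPLE_LOG` with the file contents and the two sets with the issuance record; any non-empty `findings` dict is a reason to re-inspect the unit before declaring it in a FIPS approved mode.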
Following is the TEL placement for the Aruba AP-124:
Figure 1: AP-124 Front view