Dell W- FIPS Quick Reference Guide

Aruba 3000, 6000/M3 and Dell W-3000, W-6000M3 Controllers with ArubaOS FIPS Firmware
Non-Proprietary Security Policy
FIPS 140-2 Level 2 Release Supplement
Copyright
© 2011 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved. All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open Source code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.
Warranty
This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS.
Altering this device (such as painting it) voids the warranty.
Copyright
© 2011 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, and PowerConnect™ are trademarks of Dell Inc.
Sunnyvale, California 94089 Phone: 408.227.4500
Fax 408.227.4550
Aruba 3000, 6000/M3 and Dell W-3000, W-6000M3 | FIPS 140-2 Level 2 Release Supplement 0510541-16 | October 2011

Contents

Preface
Purpose of this Document
Aruba Dell Relationship
Related Documents
Additional Product Information
Chapter 1 The Aruba 3000 and 6000/M3 Controllers
Overview
Physical Description
Dimensions
Cryptographic Module Boundaries
Chassis
Chapter 2 FIPS 140-2 Level 2 Features
Intended Level of Security
Physical Security
Operational Environment
Logical Interfaces
Roles and Services
Crypto Officer Role
User Role
Authentication Mechanisms
Unauthenticated Services
Cryptographic Key Management
Implemented Algorithms
Revision C4
Revision B2
Non-FIPS Approved Algorithms
Critical Security Parameters
Self-Tests
Alternating Bypass State
Mitigation of Other Attacks
XSec
Wireless Intrusion Detection
Unique Station and User Classification
Detecting and Disabling Rogue APs
Denial of Service and Impersonation Protection
Man-in-the-Middle Protection
Policy Definition and Enforcement
Using Wireless to Protect your Wired Network
Using Wireless to Protect your Existing Wireless Network
Chapter 3 Installing the Controller
Pre-Installation Checklist
Precautions
The Security Kit
Product Examination
Package Contents
Minimum Configuration for the Aruba 6000
Tamper-Evident Labels
Reading TELs
Required TEL Locations
To Detect Opening the Chassis Cover
To Detect the Removal of Any Module or Cover Plate
To Detect Access to Restricted Ports
To Detect Access to Restricted Port
To Detect Opening the Chassis Cover
Applying TELs
Chapter 4 Ongoing Management
Crypto Officer Management
User Guidance
Chapter 5 Setup and Configuration
Setting Up Your Controller
Enabling FIPS Mode
Enabling FIPS with the Setup Wizard
Enabling FIPS with the WebUI
Disallowed FIPS Mode Configurations

Preface

NOTE
This security policy document can be copied and distributed freely.

Purpose of this Document

This release supplement provides information regarding the Aruba 3000 and 6000/M3 Controllers and Dell W-3000 and W-6000 M3 controllers with FIPS 140-2 Level 2 validation from Aruba Networks. The material in this supplement modifies the general Aruba hardware and firmware documentation included with this product and should be kept with your Aruba product documentation.
This supplement primarily covers the non-proprietary Cryptographic Module Security Policy for the Aruba Controller. This security policy describes how the switch meets the security requirements of FIPS 140-2 Level 2 and how to place and maintain the switch in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2 validation of the product.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) Web-site at:
http://csrc.nist.gov/groups/STM/cmvp/index.html

Aruba Dell Relationship

Aruba Networks is the OEM for the Dell PowerConnect W line of products. Dell products are identical to the Aruba products other than branding and Dell software is identical to Aruba software other than branding.
Table 1 Aruba and Dell Part Numbers
Aruba Part Number    Corresponding Dell Part Number
3200-USF1            W-3200-USF1
3400-USF1            W-3400-USF1
3600-USF1            W-3600-USF1
3200-F1              W-3200-F1
3400-F1              W-3400-F1
3600-F1              W-3600-F1
6000-400-F1          W-6000-400-F1
6000-400-USF1        W-6000-400-USF1
M3mk1-S-F1           W-6000M3
LC-2G-1              N/A
LC-2G24F-1           N/A
LC-2G24FP-1          N/A
Aruba part numbers come in two XLR processor variants: one uses the XLR Rev. B2 processor and the other the XLR Rev. C4 processor. The XLR Rev. B2 processor is no longer sold. A B2 unit can be identified by a serial number beginning with A; a C4 unit has a serial number beginning with AK or BG. Because AK also begins with A, check for the AK and BG prefixes first.
NOTE
References to Aruba, ArubaOS, Aruba 6000 series, Aruba 3000 series and Aruba 6000/M3 series apply to both the Aruba and Dell versions of these products and documentation. There is no Dell equivalent for the LC-2G-1, LC-2G24F-1, or LC-2G24FP-1.

Related Documents

The following items are part of the complete installation and operations documentation included with this product:
Aruba 6000 Mobility Controller Installation Guide
Aruba 3000-series Mobility Controller Installation Guide
ArubaOS 6.1 User Guide
ArubaOS 6.1 CLI Reference Guide
ArubaOS 6.1 Quick Start Guide
ArubaOS 6.1 Upgrade Guide
Aruba AP Installation Guides

Additional Product Information

More information is available from the following sources:
The Aruba Networks Web-site contains information on the full line of products from Aruba Networks:
http://www.arubanetworks.com
The Dell Web site contains information on the full line of products from Dell.
http://www.dell.com/
The NIST Validated Modules Web-site contains contact information for answers to technical or sales-related questions for the product:
http://csrc.nist.gov/groups/STM/cmvp/index.html

Chapter 1 The Aruba 3000 and 6000/M3 Controllers

This chapter introduces the Aruba 3000 and 6000/M3 Controllers with FIPS 140-2 Level 2 validation. It describes the purpose of the controller, its physical attributes, and its interfaces.

Overview

Aruba Networks has developed a purpose-built Wireless LAN voice and data switching solution designed to specifically address the needs of large-scale WiFi network deployments for Government agencies and global enterprises. The Aruba Controller solution provides advanced security and management of the corporate RF environment and enforces User security and service policies to both wired and wireless users.
The Aruba Wireless FIPS 140-2 Level 2 validated Controlling platform serves value-add high speed data and QoS assured voice services to thousands of mobile wireless users simultaneously from a single, cost effective, redundant and scalable solution that performs centralized functionality for:
Uncompromised User security, authentication and encryption
Stateful LAN-speed firewalling
VPN termination
Wireless intrusion detection, prevention and rogue containment
RF Air monitoring
Powerful packet processing switching
Mobility management
Advanced RF management
Advanced User and network service / element management
The Aruba FIPS 140-2 Level 2 validated Controller solution is a highly available, modular and upgradeable switching platform which connects, controls, secures, and intelligently integrates wireless Access Points and Air Monitors into the wired LAN, serving as a gateway between a wireless network and the wired network. The wireless network traffic from the APs is securely tunneled over a L2/L3 network and is terminated centrally on the switch via 10/100/1000 Ethernet physical interfaces where it is authenticated, assigned the appropriate security policies and VLAN assignments and up-linked onto the wired network.
The Aruba Controller solution consists of three major components:
Aruba Controller. This is an enterprise-class switch to which multiple Access Points (APs) and Air Monitors (AMs) may be connected, directly or indirectly (tunneled over a L2/L3 network), and controlled.
Aruba Wireless Access Point. This is a next-generation wireless transceiver which functions as an AP or AM. Although third-party APs can be used with the Aruba WLAN system, the Aruba AP provides the most comprehensive features and simpler integration.
Aruba ArubaOS Switch firmware. This firmware intelligently integrates the Controller and APs to provide load balancing, rate limiting, self healing, authentication, mobility, security, firewalls, encryption, and centralization for monitoring and upgrades.
The Aruba switch configurations tested during the cryptographic module testing included:
Aruba 3200 Revision B2
Aruba 3200 Revision C4
Aruba 3400 Revision B2
Aruba 3400 Revision C4
Aruba 3600 Revision B2
Aruba 3600 Revision C4
Aruba 6000 Revision B2 with [(minimum one: LC-2G-1, LC-2G24F-1, or LC-2G24FP-1) and (one or two: M3mk1-G10X-10G2X)] (no more than four total).
Aruba 6000 Revision C4 with [(minimum one: LC-2G-1, LC-2G24F-1, or LC-2G24FP-1) and (one or two: M3mk1-G10X-10G2X Revision C4)] (no more than four total).
The exact firmware versions tested were ArubaOS_MMC_6.1.2.3-FIPS and Dell_PCW_MMC_6.1.2.3-FIPS.

Physical Description

Dimensions

The Aruba 6000 Controller has the following physical dimensions:
3 RU chassis is designed to fit in a standard 19" rack. A separate mounting kit is needed for a 23" rack.
Size:
  Width 17.4" (19" rack width)
  Height 5.25" (3 RU): 3.5" for the card slots plus 1 RU for the power supply slots
  Depth 14"
Maximum weight: Up to 58 lbs (26.5 kg)
The Aruba 3200 Controller has the following physical dimensions:
1 RU chassis is designed to fit in a standard 19" rack with the included mounting kit. A separate mounting kit is needed for a 23" rack.
Size:
  Width 13.8"
  Height 1.75" (1 RU)
  Depth 11.7"
Maximum weight: Up to 7.1 lbs (3.2 kg)
The Aruba 3400 and 3600 Controllers have the following physical dimensions:
1 RU chassis is designed to fit in a standard 19" rack with the included mounting kit. A separate mounting kit is needed for a 23" rack.
Size:
  Width 13.8"
  Height 1.75" (1 RU)
  Depth 11.7"
Maximum weight: Up to 7.4 lbs (3.4 kg)

Cryptographic Module Boundaries

For FIPS 140-2 Level 2 validation, the Controller has been validated as a multi-chip standalone cryptographic module. The steel chassis physically encloses the complete set of hardware and firmware components and represents the cryptographic boundary of the switch. The cryptographic boundary is defined as encompassing the top, front, left, right, rear, and bottom surfaces of the case.

Chassis

The Aruba 6000 Controller chassis is designed to be modular. All of the modular components, consisting of the switching supervisor and network line cards, the fan tray, and the power supplies, are accessible from the front of the chassis and are field replaceable and hot-swappable.
Figure 1 The Aruba 6000 Controller with M3 Mark I
Figure 1 shows the front of the Aruba 6000 Controller, and illustrates the following:
Slots 2 and 3 are for optional Line Card modules to provide extra port capacity.
Slots 0 and 1 are for one or two Multi-service Mobility Modules (M3), which combine the Supervisor Card and Line Card functionality in a single module. Note that this validation covers only configurations with one or two M3s.
M3 indicator LEDs indicate power state, status of the device, and link activity.
The hot-swappable fan tray cools the switch. The fan tray pulls air from right to left, as viewed from the front of the chassis, across the installed cards.
PS1, PS2, and PS3 are for Power Supply modules. The number of power supplies required for the system depends on the number and type of Line Cards installed, and whether to include redundancy for fault tolerance.
The Aruba 3000-series Controller chassis is a 1U non-modular chassis.
Figure 2 The Aruba 3000-series Controller Chassis
Figure 2 shows the front of the Aruba 3000-series Controller, and illustrates the following:
System indicator LEDs indicate power state and status of the device.
Four Gigabit Ethernet ports provide network connectivity.
Optional 1000Base-X fiber optic ports provide network connectivity.
Serial Console port is for connecting to a local management console.