Aruba networks 3000 series User manual

Dell W-3000, W-6000/M3 Series Controllers FIPS 140-2 Security Policy 1

Dell W-3000 and W-6000/M3 Mobility Controllers with Dell AOS

FIPS Firmware

Non-Proprietary Security Policy FIPS 140-2 Level 2

January 26, 2015

This is to advise that the document entitled “Aruba 3000 and 6000/M3 Mobility Controllers with

ArubaOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-2 Level 2”Version 3.2, dated August

2014,applies to Dell W-3000 and W-6000/M3 Mobility Controllers with Dell AOS FIPS Firmware. Aruba

Networks is the Original Equipment Manufacturer (OEM) for the Dell Networking W-Series of products.

This document, provided below, is applicable for use by Dell W-Series customers for security policy

information and instruction on how to place and maintain the W-3000 and W-6000/M3 Mobility

Controllers in a secure FIPS 140-2 mode.

Dell Networking W-Series products are equivalent in features and functionality to the corresponding

Aruba Networks product models. Accordingly, the Dell AOS FIPS firmware is the validated ArubaOS FIPS

firmware version, with the exception of branding. When using the FIPS Security Policy document, the

screenshots, configurations, TEL placement locations, and images can be applied to Dell Networking W-

Series products without any need for changes.

Product Name Mapping:

Aruba Networks Model name

Dell Networking Model name

Description

Aruba 3200-F1

W-3200-F1

Non-US –32 AP Controller

Aruba 3200-USF1

W-3200-USF1

US –32 AP Controller

Aruba 3400-F1

W-3400-F1

Non-US –64 AP Controller

Aruba 3400-USF1

W-3400-USF1

US –64 AP Controller

Aruba 3600-F1

W-3600-F1

Non-US –128 AP Controller

Aruba 3600-USF1

W-3600-USF1

US –128 AP Controller

Aruba 6000-400-F1

W-6000-F1

Non-US –Controller Chassis

Aruba 6000-400-USF1

W-6000-USF1

US –Controller Chassis

M3mk1-S-F1

W-6000M3

M3 Controller Module for

Chassis

HW-PSU-200

Power Supply (not re-branded)

HW-PSU-400

Power Supply (not re-branded)

LC-2G-1

No Dell model

Ethernet Line card

LC-2G24F-1

No Dell model

Ethernet Line card

LC-2G24FP-1

No Dell model

Ethernet Line card

These models include Aruba FIPS kit 4010061-01 (contains tamper evident labels)

The exact firmware version validated was ArubaOS 6.3.1.7-FIPS

The Dell Networking W-Series products are rebranded for Dell customers, as shown in the product

images below.

Dell W-3000, W-6000/M3 Series Controllers FIPS 140-2 Security Policy 2

Dell Networking W-3000 Controller Series Product Images:

Aruba 3000 Controller Series Product Images:

Dell W-3000, W-6000/M3 Series Controllers FIPS 140-2 Security Policy 3

Dell Networking W-6000 Controller chassis with W-6000M3 module (1) and PSU (2):

Aruba 6000-400 controller chassis with M3 Mark I modules (4) and PSU (3):

If you have questions or concerns, please contact Dell Technical Support at www.dell.com/support,

additional product documentation is also available by device under user manuals.

Attachment: Aruba 3000 and 6000/M3 Mobility Controllers with ArubaOS FIPS Firmware Non-Proprietary

Security Policy FIPS 140-2 Level 2



Aruba 3000, 6000/M3 Mobility Controller FIPS 140-2 Level 2 Security Policy 



Aruba 3000 and 6000/M3 Mobility

Controllers

with ArubaOS FIPS Firmware

Non-Proprietary Security Policy

FIPS 140-2 Level 2

Version 3.2

August 2014

2|Aruba 3000, 6000/M3 Mobility Controller FIPS 140-2 Level 2 Security Policy

Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®,

their respective owners. Open Source Code

Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU

General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open Source code

used can be found at this site:

http://www.arubanetworks.com/open_source

Legal Notice

The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors’ VPN

client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba

Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those

vendors.

Warranty

This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the

ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS.

Altering this device (such as painting it) voids the warranty.

the Mobile Edge Company logo, and Aruba Mobility Management System®.

www.arubanetworks.com

1344 Crossman Avenue

Sunnyvale, California 94089

Phone: 408.227.4500

Fax 408.227.4550

Aruba 3000, 6000/M3 Mobility Controller FIPS 140-2 Level 2 Security Policy|3

Contents



Contents.............................................................................................................................................................................3

Preface...............................................................................................................................................................................5

Purpose of this Document...............................................................................................................................................5

Related Documents.........................................................................................................................................................5

Additional Product Information ......................................................................................................................5

Overview............................................................................................................................................................................6

Cryptographic Module Boundaries................................................................................................................7

Aruba 6000....................................................................................................................................................7

Aruba 3000 Series.........................................................................................................................................9

Intended Level of Security............................................................................................................................................10

Physical Security............................................................................................................................................................11

Operational Environment..............................................................................................................................................11

Logical Interfaces...........................................................................................................................................................11

Roles and Services........................................................................................................................................................12

Crypto Officer Role......................................................................................................................................12

Authentication Mechanisms.........................................................................................................................17

Unauthenticated Services............................................................................................................................18

Non-Approved Services...............................................................................................................................18

Cryptographic Key Management.................................................................................................................................19

Implemented Algorithms..............................................................................................................................19

Non-FIPS Approved Algorithms Allowed in FIPS Mode..............................................................................20

Non-FIPS Approved Algorithms ..................................................................................................................20

Critical Security Parameters........................................................................................................................21

Self-Tests.........................................................................................................................................................................26

Alternating Bypass State...............................................................................................................................................27

InstallingtheController........................................................................................................................................................28

Pre-Installation Checklist...............................................................................................................................................28

Precautions.....................................................................................................................................................................28

Product Examination ...................................................................................................................................28

Package Contents.......................................................................................................................................29

Minimum Configuration for the Aruba 6000-400..........................................................................................29

4|Aruba 3000, 6000/M3 Mobility Controller FIPS 140-2 Level 2 Security Policy

Tamper-Evident Labels.................................................................................................................................................30

Reading TELs..............................................................................................................................................30

Required TEL Locations..............................................................................................................................31

To Detect Opening the Chassis Cover...............................................................................................................31

To Detect the Removal of Any Module or Cover Plate.....................................................................................31

To Detect Access to Restricted Ports.................................................................................................................31

To Detect Access to Restricted Port...................................................................................................................31

To Detect Opening the Chassis Cover...............................................................................................................32

Applying TELs .............................................................................................................................................32

OngoingManagement..........................................................................................................................................................32

Crypto Officer Management..........................................................................................................................................32

User Guidance................................................................................................................................................................33

Setup and Configuration................................................................................................................................................34

Setting Up Your Controller............................................................................................................................................34

Enabling FIPS Mode......................................................................................................................................................34

Enabling FIPS Mode with the WebUI..........................................................................................................34

Enabling FIPS Mode with the CLI................................................................................................................34

Disallowed FIPS Mode Configurations.......................................................................................................................35

Aruba 3000, 6000/M3 Mobility Controller FIPS 140-2 Level 2 Security Policy|5

Preface

Thissecuritypolicydocumentcanbecopiedanddistributedfreely.

Purpose of this Document

This release supplement provides information regarding the Aruba 3000 and 6000/M3 Mobility Controllers with FIPS 140-

2 Level 2 validation from Aruba Networks. The material in this supplement modifies the general Aruba hardware and

firmware documentation included with this product and should be kept with your Aruba product documentation.

This supplement primarily covers the non-proprietary Cryptographic Module Security Policy for the Aruba Controller. This

security policy describes how the controller meets the security requirements of FIPS 140-2 Level 2 and how to place and

maintain the controller in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2

validation of the product.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic

Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2

standard and validation program is available on the National Institute of Standards and Technology (NIST) website at:

http://csrc.nist.gov/groups/STM/cmvp/index.html

Related Documents

The following items are part of the complete installation and operations documentation included with this product:

Aruba 6000 Mobility Controller Installation Guide

Aruba 3000-series Mobility Controller Installation Guide

ArubaOS 6.3 User Guide

ArubaOS 6.3 CLI Reference Guide

ArubaOS 6.3 Quick Start Guide

ArubaOS 6.3 Upgrade Guide

Aruba AP Installation Guides

Additional Product Information

More information is available from the following sources:

The Aruba Networks Web-site contains information on the full line of products from Aruba Networks:

http://www.arubanetworks.com

The NIST Validated Modules Web-site contains contact information for answers to technical or sales-related

questions for the product:

http://csrc.nist.gov/groups/STM/cmvp/index.html

6|Aruba 3000, 6000/M3 Mobility Controller FIPS 140-2 Level 2 Security Policy

Overview

The Aruba 6000 and 3000 series Mobility Controllers are network infrastructure devices providing secure,

scalable solutions for enterprise Wi-Fi, network security policy enforcement, VPN services, and wireless

intrusion detection and prevention. Mobility controllers serve as central points of authentication,

encryption, access control, and network coordination for all mobile network services.

The controller configurations tested during the cryptographic module testing included:

Aruba 3200-F1

Aruba 3200-USF1

Aruba 3400-F1

Aruba 3400-USF1

Aruba 3600-F1

Aruba 3600-USF1

M3mk1-S-F1 (used in both Aruba 6000-400-F1 and Aruba-6000-400-USF1 chassis)

Aruba 6000-400-F1 and Aruba 6000-400-USF1 chassis (no more than four Aruba line cards,

including the combinations among M3mk1-S-F1, LC-2G-1, LC-2G24F-1, or LC-2G24FP-1, in a

single hardware configuration). Please note that the use of LC-2G-1, LC-2G24F-1 and LC-

2G24FP-1 is optional, but at least one M3mk1-S-F1 is required in a single hardware

configuration).

FIPS Kit

o4010061-01 (Part number for Tamper Evident Labels)

The exact firmware version validated was ArubaOS 6.3.1.7-FIPS

Note: For radio regulatory reasons, Aruba 3200-USF1, Aruba 3400-USF1, Aruba 3600-USF1 and Aruba

6000-400-USF1 are to be sold in the US only. Aruba 3200-F1, Aruba 3400-F1, Aruba 3600-F1 and

Aruba 6000-400-F1 must not be used for deployment in the United States. From a FIPS perspective,

both -USF1 and -F1 models are identical and fully FIPS compliant.

Aruba 3000, 6000/M3 Mobility Controller FIPS 140-2 Level 2 Security Policy|7

Physical Description

Cryptographic Module Boundaries

For FIPS 140-2 Level 2 validation, the Controller has been validated as a multi-chip standalone

cryptographic module. The steel chassis physically encloses the complete set of hardware and firmware

components and represents the cryptographic boundary of the controller. The cryptographic boundary is

defined as encompassing the top, front, left, right, rear, and bottom surfaces of the chassis.

Aruba 6000

Figure1‐TheAruba6000‐400controllerchassiswithM3MarkI

Figure 1shows the front of the Aruba 6000 controller chassis, and illustrates the following:

In each Aruba 6000-400-F1 or Aruba 6000-400-USF1 controller chassis:

One M3mk1-S-F1 card is required to be installed in slot 0.

Up to three Aruba line cards (the combination of LC-2G-1, LC-2G24F-1, LC-2G24FP-1, or

M3mk1-S-F1) can be installed in slots 1, 2 and 3 respectively

Table 1

below lists a detailed line cards configuration in a single Aruba 6000-400-F1 or Aruba 6000-400-

USF1 controller chassis.

Table1‐6000‐400‐F1or6000‐400‐USF1ControllerChassisConfigurations 

Slot 0 Slot 1 Slot 2 Slot 3

M3mk1-S-F1 x x x

M3mk1-S-F1 LC-2G-1 x x

M3mk1-S-F1 LC-2G-1 LC-2G-1 x

This manual suits for next models

Table of contents

Other Aruba Networks Controllers manuals

Aruba Networks

Aruba Networks 7210 User manual

Aruba Networks

Aruba Networks 7030-MNT-19 User manual

Popular Controllers manuals by other brands

Sunricher

Sunricher SR-ZV9003T3-RGBW-US Installation

Ksenia

Ksenia intro Installation and configuration manual

Inovance

Inovance CAN200 Series manual

Gauzy

Gauzy LC6 FLEX Controller Installation and operation guide

Viking

Viking SLP-1 Technical practice

CKD

CKD KBX-30E-U Series instruction manual

Sharp Energy

Sharp Energy Sun Flux User manual & installation guide

Yamaha

Yamaha RCX40 user manual

AB Quality

AB Quality PowerFlex 400 Frames D-H Service bulletin

Yamaha

Yamaha MJC8 owner's manual

AL-KO

AL-KO ATC operating instructions

Savant

Savant SmartControl 2 Deployment guide

GameSir

GameSir T3S user manual

Kostal

Kostal inveor operating manual

Emerson

Emerson Yarway 20-55 Operating and safety instructions

CoCo

CoCo ACM-LV24 Quick installation guide

Brooks

Brooks SLA5810/20 Installation and operation manual

SIGMA TEK

SIGMA TEK SR 011 Technical manual

Aruba Networks 3000 Series User manual

Popular Controllers manuals by other brands