Aruba networks Fips 140-2 User manual

FIPS 140-2 Non-Proprietary Security Policy

for Aruba RAP-5WN and Dell W-RAP-5WN

Remote Access Points

Version 1.4

September 2012

Aruba Networks™

1322 Crossman Ave.

Sunnyvale, CA 94089-1113

,Aruba Networks®, Aruba Wireless Networks®, the registered Aruba

the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge

Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All

rights reserved. All other trademarks are the property of their respective

owners. Open Source Code

Certain Aruba products include Open Source software code developed by third

parties, including software code subject to the GNU General Public License

(GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses.

The Open Source code used can be found at this site:

http://www.arubanetworks.com/open_source

Legal Notice

The use of Aruba Networks, Inc. switching platforms and software, by all

individuals or corporations, to terminate other vendors’ VPN client devices

constitutes complete acceptance of liability by that individual or corporation

for this action and indemnifies, in full, Aruba Networks, Inc. from any and all

legal actions that might be taken against it with respect to infringement of

Warranty

This hardware product is protected by the standard Aruba warranty of one year

parts/labor. For more information, refer to the ARUBACARE SERVICE AND SUPPORT

TERMS AND CONDITIONS.

Altering this device (such as painting it) voids the warranty.

Aruba Wireless Networks®,the registered Aruba the Mobile Edge Company logo, and

Aruba Mobility Management System®. Dell™, the DELL™ logo, andPowerConnect™ are

trademarks of Dell Inc.

1INTRODUCTION.................................................................................................................................4

1.1ARUBA DELL RELATIONSHIP........................................................................................................... 4

1.2ACRONYMS AND ABBREVIATIONS................................................................................................... 4

2PRODUCT OVERVIEW......................................................................................................................6

2.1RAP-5WN ...................................................................................................................................... 6

2.1.1Physical Description............................................................................................................... 6

2.1.1.1Dimensions/Weight............................................................................................................ 7

2.1.1.2Interfaces ............................................................................................................................ 7

2.1.1.3Indicator LEDs ................................................................................................................... 7

3MODULE OBJECTIVES.....................................................................................................................9

3.1SECURITY LEVELS........................................................................................................................... 9

3.2PHYSICAL SECURITY ....................................................................................................................... 9

3.2.1Applying TELs ........................................................................................................................ 9

3.2.2Required TEL Locations....................................................................................................... 10

3.2.3Inspection/Testing of Physical Security Mechanisms........................................................... 12

3.3MODES OF OPERATIONS ................................................................................................................ 12

3.3.1Configuring Remote AP FIPS Mode..................................................................................... 13

3.3.2Configuring Remote Mesh Portal FIPS Mode...................................................................... 14

3.4OPERATIONAL ENVIRONMENT....................................................................................................... 16

3.5LOGICAL INTERFACES ................................................................................................................... 16

4ROLES, AUTHENTICATION AND SERVICES............................................................................17

4.1ROLES ........................................................................................................................................... 17

4.1.1Crypto Officer Authentication .............................................................................................. 17

4.1.2User Authentication.............................................................................................................. 17

4.1.3Wireless Client Authentication ............................................................................................. 18

4.1.4Strength of Authentication Mechanisms ............................................................................... 18

4.2SERVICES ...................................................................................................................................... 20

4.2.1Crypto Officer Services......................................................................................................... 20

The CO role in each of Remote AP FIPS mode and Remote Mesh Portal FIPS mode has the same

services................................................................................................................................................. 20

4.2.2User Services........................................................................................................................ 21

4.2.3Wireless Client Services ....................................................................................................... 22

4.2.4Unauthenticated Services ..................................................................................................... 23

5CRYPTOGRAPHIC ALGORITHMS ..............................................................................................24

6CRITICAL SECURITY PARAMETERS.........................................................................................26

7SELF TESTS........................................................................................................................................30

1 Introduction

This document constitutes the non-proprietary Cryptographic Module Security Policy for the RAP-5WN

Wireless Access Point with FIPS 140-2 Level 2 validation from Aruba Networks. This security policy

describes how the AP meets the security requirements of FIPS 140-2 Level 2, and how to place and

maintain the AP in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2

validation of the product.

FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for

Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More

information about the FIPS 140-2 standard and validation program is available on the National Institute of

Standards and Technology (NIST) Web-site at:

http://csrc.nist.gov/groups/STM/cmvp/index.html

This document can be freely distributed.

1.1 Aruba Dell Relationship

Aruba Networks is the OEM for the Dell PowerConnect W line of products. Dell products are identical to

the Aruba products other than branding and Dell firmware is identical to Aruba firmware other than

branding. For example, Aruba "RAP-5WN-F1" is equivalent to Dell "W-RAP-5WN-F1", and

"ArubaOS_6.12.3-FIPS " is equivalent to "DELL_PCW_6.1.2.3-FIPS”.

Table 1 - Corresponding Aruba and Dell Part Numbers

Aruba Part Number Aruba Firmware Dell Part Number Dell Firmware

RAP-5WN-F1 ArubaOS_6.1.2.3-FIPS W-RAP-5WN-F1 DELL_PCW_6.1.2.3-FIPS

NOTE: References to Aruba, ArubaOS and the Aruba RAP-5WN apply to both the Aruba and Dell

versions of these products and documentation.

1.2 Acronyms and Abbreviations

AES Advanced Encryption Standard

AP Access Point

CBC Cipher Block Chaining

CLI Command Line Interface

CO Crypto Officer

CSEC Communications Security Establishment Canada

CSP Critical Security Parameter

ECO External Crypto Officer

EMC Electromagnetic Compatibility

EMI Electromagnetic Interference

FE Fast Ethernet

GE Gigabit Ethernet

GHz Gigahertz

HMAC Hashed Message Authentication Code

Hz Hertz

IKE Internet Key Exchange

IPSec Internet Protocol security

KAT Known Answer Test

KEK Key Encryption Key

L2TP Layer-2 Tunneling Protocol

LAN Local Area Network

LED Light Emitting Diode

SHA Secure Hash Algorithm

SNMP Simple Network Management Protocol

SPOE Serial & Power Over Ethernet

TEL Tamper-Evident Label

TFTP Trivial File Transfer Protocol

WLAN Wireless Local Area Network

2 Product Overview

This section introduces the various Aruba Wireless Access Points, providing a brief overview and summary

of the physical features of each model covered by this FIPS 140-2 security policy.

2.1 RAP-5WN

This section introduces the Aruba RAP-5WN Wireless Access Point (AP) with FIPS 140-2 Level 2

validation. It describes the purpose of the AP, its physical attributes, and its interfaces.

Figure 1 - RAP-5WN Wireless Access Point

The RAP-5WN is a powerful platform for the multi-user small branch office or for power users who work

from a home office. The RAP-5WN is a high-performance indoor Remote Access Point platform with

multiple access and uplink technologies available. The RAP-5WN features wired and wireless connectivity

and security, the ability forward traffic based on policy, user centric security, and backup connectivity over

cellular networks make this platform ideally suited to the always-on office. The RAP-5WN features

wireless LAN capabilities on multiple SSIDs, air monitoring, and wireless intrusion detection and

prevention over the 2.4GHz and 5GHz bands (802.11a/b/g and 802.11n). The RAP-5WN provides a USB

port for connection to a 3G modem for cellular backup of the WAN link. The Remote Access Point works

in conjunction with Aruba's Multi-Service Controllers to deliver high-speed, secure network services to

your remote locations.

2.1.1 Physical Description

The Aruba RAP-5WN series Access Point is a multi-chip standalone cryptographic module consisting of

hardware and firmware, all contained in a hard plastic case. The module contains 802.11 a/b/g/n transceiver

and supports external antennas through dual, detachable antenna interface

The plastic case physically encloses the complete set of hardware and firmware components and represents

the cryptographic boundary of the module.

Access Point configuration validated during the cryptographic module testing included:

Aruba Part Number Dell Corresponding Part Number

RAP-5WN-F1 W-RAP-5WN-F1

The exact firmware versions validated were:

•ArubaOS_6.1.2.3-FIPS

•Dell_PCW_6.1.2.3-FIPS

2.1.1.1 Dimensions/Weight

The AP has the following physical dimensions:

•6.9" x 9.5" x 1.4" (175 mm x 240 mm x 35 mm)

•1.0 pounds (450 grams)

2.1.1.2 Interfaces

The module provides the following network interfaces:

•1 x 10/100/1000Base-T Ethernet (RJ45), Auto-sensing link speed and MDI/MDX

•4 x 10/100Base-T Ethernet (RJ45), Auto-sensing link speed and MDI/MDX

•Antenna

o3 x integral, omni-directional multi-band

•1 x USB 2.0 (type A connector)

The module provides the following power interfaces:

•1 x DC power connector DC Output: 12V/1.25A)

2.1.1.3 Indicator LEDs

There are 8 bicolor (power, ENET and WLAN) LEDs which operate as follows:

Table 1- RAP-5WN Indicator LEDs

Label Function Action Status

POWER AP power / ready status Off No power to AP

Flashing Device booting, not ready

On Device ready

ENET 0 Ethernet Network Link

Status / Activity Off Ethernet link unavailable

On - Amber 10/100 Mbps Ethernet link

negotiated

On - Green 1000 Mbps Ethernet link

negotiated