Dell PowerConnect W-Series FIPS Owner's manual
Aruba 620, 650 and Dell W-
620, W-650
Controllers with ArubaOS FIPS
Firmware Non-Proprietary Security
Policy FIPS 140-2 Level 2 Release
Supplement
www.arubanetworks.com
1344 Crossman Avenue
Sunnyvale, California 94089
Phone: 408.227.4500
Fax 408.227.4550
Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement 0510888-02 | October 2011
Copyright
© 2011 Aruba Networks, Inc. Aruba Networks trademarks include , Aruba Networks®, Aruba Wireless Networks®, the
registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move.
Networks Must Follow®, RFProtect®, Green Island®. All rights reserved. All other trademarks are the property of their respective owners.
Open Source Code
Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU
General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open Source code used
can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors’ VPN
client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba
Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those
vendors.
Warranty
This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the
ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS.
Altering this device (such as painting it) voids the warranty.
Copyright
© 2011 Aruba Networks, Inc. Aruba Networks trademarks include , Aruba Networks®, Aruba Wireless Networks®,the registered Aruba
the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, andPowerConnect™ are trademarks
of Dell Inc.
Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement | 3
Contents
Preface ...................................................................................................................................5
Purpose of this Document.....................................................................................5
Aruba Dell Relationship...................................................................................5
Related Documents ...............................................................................................6
Product Manuals.............................................................................................6
Additional Product Information .......................................................................6
Chapter 1 The Aruba 620 and 650 Mobility Controllers .........................................7
Overview................................................................................................................7
Physical Description ..............................................................................................8
Dimensions......................................................................................................8
Cryptographic Module Boundaries .......................................................................8
Aruba 620 Chassis ..........................................................................................8
Aruba 650 Chassis ........................................................................................11
Chapter 2 FIPS 140-2 Level 2 Features .................................................................15
Intended Level of Security...................................................................................15
Physical Security .................................................................................................15
Operational Environment .....................................................................................15
Logical Interfaces ................................................................................................16
Roles and Services ..............................................................................................17
Crypto Officer Role .......................................................................................17
User Role.......................................................................................................19
Authentication Mechanisms..........................................................................20
Unauthenticated Services .............................................................................20
Cryptographic Key Management.........................................................................21
Implemented Algorithms ...............................................................................21
Non-FIPS Approved Algorithms....................................................................21
Critical Security Parameters..........................................................................22
Self-Tests.............................................................................................................25
Alternating Bypass State .....................................................................................26
Mitigation of Other Attacks..................................................................................26
XSec..............................................................................................................26
Wireless Intrusion Detection .........................................................................27
Unique Station and User Classification ..................................................27
Detecting and Disabling Rogue APs ......................................................27
Denial of Service and Impersonation Protection...........................................27
Man-in-the-Middle Protection.......................................................................27
Policy Definition and Enforcement................................................................28
Using Wireless to Protect your Wired Network.............................................28
Using Wireless to Protect your Existing Wireless Network...........................28
Chapter 3 Installing the Controller.........................................................................29
Pre-Installation Checklist.....................................................................................29
Precautions..........................................................................................................29
The Security Kit ...................................................................................................30
4| Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement
Product Examination.....................................................................................30
Package Contents.........................................................................................30
Tamper-Evident Labels .......................................................................................30
Reading TELs................................................................................................31
Required TEL Locations................................................................................31
Aruba 620 ...............................................................................................31
Aruba 650 ...............................................................................................34
Applying TELs ...............................................................................................36
Chapter 4 Ongoing Management...........................................................................37
Crypto Officer Management ................................................................................37
User Guidance.....................................................................................................37
Chapter 5 Setup and Configuration ....................................................................... 39
Setting Up Your Controller ..................................................................................39
Enabling FIPS Mode ............................................................................................39
Enabling FIPS with the Setup Wizard ...........................................................39
Enabling FIPS with the WebUI ......................................................................39
Disallowed FIPS Mode Configurations................................................................40
Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Preface | 5
Preface
This security policy document can be copied and distributed freely.
Purpose of this Document
This release supplement provides information regarding the Aruba 620 and 650 Mobility Controllers and
Dell W-620 and W-650 controllers with FIPS 140-2 Level 2 validation from Aruba Networks. The material in
this supplement modifies the general Aruba hardware and firmware documentation included with this
product and should be kept with your Aruba product documentation.
This supplement primarily covers the non-proprietary Cryptographic Module Security Policy for the Aruba
Mobility Controller. This security policy describes how the switch meets the security requirements of FIPS
140-2 Level 2 and how to place and maintain the switch in a secure FIPS 140-2 mode. This policy was
prepared as part of the FIPS 140-2 Level 2 validation of the product.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for
Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More
information about the FIPS 140-2 standard and validation program is available on the National Institute of
Standards and Technology (NIST) Web-site at:
http://csrc.nist.gov/groups/STM/cmvp/index.html
Aruba Dell Relationship
Aruba Networks is the OEM for the Dell PowerConnect W line of products. Dell products are identical to
the Aruba products other than branding and Dell software is identical to Aruba software other than
branding.
The contents of this document will use the Aruba 620 and 650 as examples and all corresponding Dell
models follow the same rules.
Related Documents
Product Manuals
The following items are part of the complete installation and operations documentation included with this
product:
Table 1 Aruba and Dell Part Numbers
Aruba Part Number Corresponding Dell Part Number
620-F1 W-620-F1
620-USF1 W-620-USF1
650-F1 W-650-F1
650-USF1 W-650-USF1
References to Aruba, ArubaOS and Aruba 600 series apply to both the Aruba and Dell versions of these
products and documentation.
6| Preface Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement
Aruba 620 and 650 Mobility Controllers with ArubaOS FIPS Firmware Non-Proprietary Security Policy
(this document)
Aruba 620 Mobility Controller Installation Guide
Aruba 650 Mobility Controller Installation Guide
ArubaOS 6.1 User Guide
ArubaOS 6.1 CLI Reference Guide
ArubaOS 6.1 Quick Start Guide
ArubaOS 6.1 Upgrade Guide
Aruba AP Installation Guides
Additional Product Information
More information is available from the following sources:
The Aruba Networks Web-site contains information on the full line of products from Aruba Networks:
http://www.arubanetworks.com
The Dell Web site contains information on the full line of products from Dell.
http://www.dell.com/
The NIST Validated Modules Web-site contains contact information for answers to technical or sales-
related questions for the product:
http://csrc.nist.gov/groups/STM/cmvp/index.html
Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement The Aruba 620 and 650 Mobility Controllers | 7
Chapter 1
The Aruba 620 and 650
Mobility Controllers
This chapter introduces the Aruba 620 and 650 Mobility Controllers with FIPS 140-2 Level 2 validation. It
describes the purpose of the controller, its physical attributes, and its interfaces.
Overview
Aruba Networks has developed a purpose-built Wireless LAN voice and data switching solution designed to
specifically address the needs of large-scale WiFi network deployments for Government agencies and
global enterprises. The Aruba Mobility Controller solution provides advanced security and management of
the corporate RF environment and enforces User security and service policies to both wired and wireless
users.
The Aruba Wireless FIPS 140-2 Level 2 validated Mobility Controlling platform serves value-add high speed
data and QoS assured voice services to thousands of mobile wireless users simultaneously from a single,
cost effective, redundant and scalable solution that performs centralized functionality for:
Uncompromised User security, authentication and encryption
Stateful LAN-speed firewalling
VPN termination
Wireless intrusion detection, prevention and rogue containment
RF Air monitoring
Powerful packet processing switching
Mobility management
Advanced RF management
Advanced User and network service / element management
The Aruba FIPS 140-2 Level 2 validated Mobility Controller solution is a highly available, modular and
upgradeable switching platform which connects, controls, secures, and intelligently integrates wireless
Access Points and Air Monitors into the wired LAN, serving as a gateway between a wireless network and
the wired network. The wireless network traffic from the APs is securely tunneled over a L2/L3 network and
is terminated centrally on the switch via 10/100/1000 Ethernet physical interfaces where it is authenticated,
assigned the appropriate security policies and VLAN assignments and up-linked onto the wired network.
The Aruba Mobility Controller solution consists of the three major components:
Aruba Mobility Controller. This is an enterprise-class switch into which multiple Access Points (APs)
and Air Monitors (AMs) may be directly or in-directly (tunneled over a L2/L3 network) connected and
controlled.
Aruba Wireless Access Point. This is a next-generation wireless transceiver which functions as an AP or
AM. Although third-party APs can be used with the Aruba WLAN system, the Aruba AP provides the
most comprehensive features and simpler integration.
Aruba’s ArubaOS Switch firmware. This firmware intelligently integrates the Mobility Controller and
APs to provide load balancing, rate limiting, self healing, authentication, mobility, security, firewalls,
encryption, and centralization for monitoring and upgrades.
The switch configurations tested during the cryptographic module testing included:
Aruba 620 (620-AOS-STD-FIPS-US)
8| The Aruba 620 and 650 Mobility Controllers Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement
Dell W-620
Aruba 650 (650-AOS-STD-FIPS-US)
Dell W-650
The exact firmware versions tested were:
ArubaOS_6xx_6.1.2.3-FIPS
Dell_PCW_6xx_6.1.2.3-FIPS
Physical Description
See “Aruba 620 Chassis” on page8 or “Aruba 650 Chassis” on page12for a list of what ships with this
product.
Dimensions
The Aruba 620 Mobility Controller has the following physical dimensions:
Size:
Width 12.6" (320 mm)
Height 1.75" (45 mm)
Depth 6.8" (173 mm)
Weight: 2.7 lbs/1.23 kgs
The 620 Rack Mounting Kit provides the means to install a 620 controller in a standard 19-inch rack.
The Aruba 650 Mobility Controller has the following physical dimensions:
Size:
Width 13.6" (346 mm)
Height 1.5" (38 mm)
Depth 8.9" (226 mm)
Weight: 4.9 lbs/2.2 kgs
The Aruba 650 Mobility Controller is rack mountable in a standard 19-inch rack.
Cryptographic Module Boundaries
For FIPS 140-2 Level 2 validation, the Mobility Controller has been validated as a multi-chip standalone
cryptographic module. The chassis physically encloses the complete set of hardware and firmware
components and represents the cryptographic boundary of the switch. The cryptographic boundary is
defined as encompassing the top, front, left, right, rear, and bottom surfaces of the case.
Aruba 620 Chassis
The Aruba 620 Mobility Controller chassis is designed to be 1U not-modular. The following diagrams
(Figure 1 and Figure 2) show the front and rear view of the chassis respectively. The Aruba 620 Mobility
Controller chassis contains:
1x Console (RS-232) RJ-45 port
4xFast Ethernet (10/100BASE-T) port
4x Fast Ethernet (10/100BASE-T) with PoE+ port
1x Gigabit Ethernet (1000BASE-T) port
1x ExpressCard® port
Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement The Aruba 620 and 650 Mobility Controllers | 9
1x USB 2.0 port
1x AC input voltage 100-240 V, Universal Input
10 | The Aruba 620 and 650 Mobility Controllers Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement
Figure 1 Aruba 620 Mobility Controller Front View
Figure 2 Aruba 620 Mobility Controller Rear View
The Aruba 620 is equipped with a media eject button, which allows users to eject storage devices safely and
place the system in standby. Pushing the media eject button changes the state of the Aruba 620; the table
below describes the states and LED behaviors associated with use of the media eject button:
ExpressCard Slot
Port LEDs
10/100/1000Base-T
Gigabit Ethernet Port
10/100Base-T
Ethernet Ports
USB port
Media Eject Button
Serial Console Port
AC Power Socket
Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement The Aruba 620 and 650 Mobility Controllers | 11
In non-rack deployments, the Aruba 620 is placed with the front facing out. This allows the cables to be
hidden and creates a more aesthetically pleasing look. Therefore, a set of LEDs displaying link activity on
the ports is placed on the front side. Same LEDs also exist in back side too. For information about the
behavior of these LEDs, see table below.
Table 2 Media Eject Button LED Behavior
Initial State LED State Action Status LED Function LED Action
Completed
NAS Media Operational Green-solid Press and hold
media eject button
for 1 to 5 seconds
only
Amber-flashing Un-mount all NAS
media
Amber-solid
NAS Media Unmounted Amber-solid Press and hold
media eject button
for 1 to 5 seconds
only
Amber-flashing Mount all attached
NAS devices, and
return to fully
functional
operation
Green-solid
Operational Green-solid Press and hold
media eject button
for more than 5
seconds only
Red-flashing Controller goes
into Standby
Red-solid
Operating with NAS
Media un-mounted
Amber-solid Press and hold
media eject button
for more than 5
seconds only
Red-flashing Controller goes
into Standby
Red-solid
Standby Red-solid Press media eject
button
Amber-flashing Controller wake-up Green-solid
Table 3 Aruba 620 LED Status Indicators
LED Label Function Indicator Status
Power POWER Input Power Status Indicator On (Solid Green) Power on
Off No Power
Status STATUS Module Status Indicator On (Solid Green) Device is operational
On (Solid Red) Device failed or is in Standby
On (Solid Amber) Device is loading software
Off No power
10/100/1000Base-T Port LNK/ACT Link/Activity Status Indicator On (Solid Green) Link has been established
On (Flashing Green) Port is transmitting or receiving
data
Off No link on port
1000 Interface Speed On (Solid Green) 1000 Mbps
Off 10/100 Mbps
12 | The Aruba 620 and 650 Mobility Controllers Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement
Aruba 650 Chassis
The Aruba 650 Mobility Controller chassis is also 1U not-modular. The following diagrams (Figure 3 and
Figure 4) show the front and rear view of the chassis respectively. The Aruba 650 Mobility Controller
chassis contains:
1x Console (RS-232) RJ-45 port
2x Gigabit Ethernet (10/100/1000Base-T)
4x Gigabit Ethernet (10/100/1000Base-T) with PoE+
2x Gigabit Ethernet pluggable (1000Base-X SFP)
1x ExpressCard® port
4x USB 2.0 port
1x AC input voltage 100-240 V, Universal Input
10/100Base-T Ports LINK/ACT Link/Activity Status Indicator On (Solid Green) Link has been established
On (Flashing Green) Port is transmitting or receiving
data
Off No link on port
PoE PoE Status Indicator On (Solid Green) PoE is being provided
On (Solid Amber) The attached device has
requested PoE, but PoE is not
being provided by the port
Off PoE is not being provided
100 Interface Speed On (Solid Green) 100 Mbps
Off 10 Mbps
Table 3 Aruba 620 LED Status Indicators
LED Label Function Indicator Status
Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement The Aruba 620 and 650 Mobility Controllers | 13
Figure 3 Aruba 650 Mobility Controller Front View
Figure 4 Aruba 650 Mobility Controller Rear View
The Aruba 650 Series is equipped with a media eject button, which allows users to eject storage devices
safely and place the system in standby. Pushing the media eject button changes the state of the Aruba 650
LINK/
ACT POE
CONSOLE
0 1 2 3 4 5 6 7
LINK/
ACT 1000
LINK/
ACT
LINK/
ACT
10/100/1000Base-T Gigabit
Ethernet Ports with PoE
1000Base-X (SFP) Ports
USB ports
10/100/1000Base-T
Gigabit Ethernet Ports
Media Eject Button
Serial Console Port
Slot
AC Power Socket
ExpressCard Slot
Antennae Interfaces
(651 Only)
14 | The Aruba 620 and 650 Mobility Controllers Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement
Series; the table below describes the states and LED behaviors associated with use of the media eject
button.
The behavior of the Power, Status and port LEDs is described in the table below:
Table 4 Media Eject Button LED Behavior
Initial State LED State Action Status LED Function LED Action
Completed
NAS Media Operational Green-solid Press and hold
media eject button
for 1 to 5 seconds
only
Amber-flashing Un-mount all NAS
media
Amber-solid
NAS Media Unmounted Amber-solid Press and hold
media eject button
for 1 to 5 seconds
only
Amber-flashing Mount all attached
NAS devices, and
return to fully
functional
operation
Green-solid
Operational Green-solid Press and hold
media eject button
for more than 5
seconds only
Red-flashing Controller goes
into Standby
Red-solid
Operating with NAS
Media un-mounted
Amber-solid Press and hold
media eject button
for more than 5
seconds only
Red-flashing Controller goes
into Standby
Red-solid
Standby Red-solid Press media eject
button
Amber-flashing Controller wake-up Green-solid
Table 5 Aruba 650 Series LED Status Indicators
LED Label Function Indicator Status
Power POWER Input Power Status Indicator On (Solid Green) Power on
Off No Power
Status STATUS Module Status Indicator On (Solid Green) Device is operational
On (Solid Red) Device failed or is in Standby
On (Solid Amber) Device is loading software
Off No power
1000Base-X Ports (SFP) LNK/ACT Link Status Indicator On (Solid Green) Link has been established
On (Flashing Green) Port is transmitting or receiving
data
Off No link on port
Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement The Aruba 620 and 650 Mobility Controllers | 15
10/100/1000Base-T Ports LNK/ACT Link/Activity Status Indicator On (Solid Green) Link has been established
On (Flashing Green) Port is transmitting or receiving
data
Off No link on port
1000 Interface Speed On (Solid Green) 1000 Mbps
Off 10/100 Mbps
10/100/1000Base-T Ports
with PoE
LINK/ACT Link/Activity Status Indicator On (Solid Green) Link has been established
On (Flashing Green) Port is transmitting or receiving
data
Off No link on port
PoE PoE Status Indicator On (Solid Green) PoE is being provided
On (Solid Amber) The attached device has
requested PoE, but PoE is not
being provided by the port
Off PoE is not being provided
Table 5 Aruba 650 Series LED Status Indicators
LED Label Function Indicator Status
16 | The Aruba 620 and 650 Mobility Controllers Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement
Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement FIPS 140-2 Level 2 Features | 15
Chapter 2
FIPS 140-2 Level 2 Features
Intended Level of Security
The Aruba 620 and 650 Mobility Controllers and associated modules are intended to meet overall FIPS 140-
2 Level 2 requirements as shown in Table 2-1.
Physical Security
The Aruba Mobility Controller is a scalable, multi-processor standalone network device and is enclosed in a
robust steel housing. The switch enclosure is resistant to probing and is opaque within the visible spectrum.
The enclosure of the switch has been designed to satisfy FIPS 140-2 Level 2 physical security requirements.
To protect the Aruba 620 and 650 Mobility Controllers from any tampering with the product, TELs should be
applied by the Crypto Officer as covered under “Tamper-Evident Labels” on page30.
Operational Environment
The operational environment is non-modifiable. The control plane Operating System (OS) is Linux, a real-
time, multi-threaded operating system that supports memory protection between processes. Access to the
underlying Linux implementation is not provided directly. Only Aruba Networks provided interfaces are
used, and the CLI is a restricted command set.
Table 1 Intended Level of Security
Section Section Title Level
1 Cryptographic Module Specification 2
2 Cryptographic Module Ports and Interfaces 2
3 Roles, Services, and Authentication 2
4 Finite State Model 2
5 Physical Security 2
6 Operational Environment N/A
7 Cryptographic Key Management 2
8 EMI/EMC 2
9 Self-tests 2
10 Design Assurance 2
11 Mitigation of Other Attacks 2
16 | FIPS 140-2 Level 2 Features Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement
Logical Interfaces
All of these physical interfaces are separated into logical interfaces defined by FIPS 140-2, as described in
the following table.
Data input and output, control input, status output, and power interfaces are defined as follows:
Data input and output are the packets that use the firewall, VPN, and routing functionality of the
modules.
Control input consists of manual control inputs for media eject. It also consists of all of the data that is
entered into the switch while using the management interfaces.
Status output consists of the status indicators displayed through the LEDs, the status data that is output
from the switch while using the management interfaces, and the log file.
LEDs indicate the physical state of the module, such as power-up (or rebooting), utilization level,
activation state (including fan, ports, and power) and status of connected media. The log file records the
results of self-tests, configuration errors, and monitoring data.
Table 2 FIPS 140-2 Logical Interfaces
FIPS 140-2 Logical Interfaces Module Physical Interface
Data Input Interface 10/100 Mbps Ethernet Port
10/100/1000 Mbps Ethernet Port
Express Card slot (disabled)
USB 2.0 ports
Data Output Interface 10/100 Mbps Ethernet Port
10/100/1000 Mbps Ethernet Port
Express Card slot (disabled)
USB 2.0 ports
Control Input Interface 10/100 Mbps Ethernet Port
10/100/1000 Mbps Ethernet Port
Express Card slot (disabled)
Media Eject Button
Serial Console port (disabled)
Status Output Interface 10/100 Mbps Ethernet port
10/100/1000 Mbps Ethernet ports
LEDs
Serial Console port (disabled)
Power Interface Power Supply
PoE
Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement FIPS 140-2 Level 2 Features | 17
A power supply is used to connect the electric power cable. Operating power is also provided to a
compatible Power Over Ethernet (POE) device when connected. The power is provided through the
connected Ethernet cable.
The switch distinguishes between different forms of data, control, and status traffic over the network ports
by analyzing the packets header information and contents.
Roles and Services
The Aruba Mobility Controller supports role-based authentication. There are two roles in the switch (as
required by FIPS 140-2 Level 2) that operators may assume: a Crypto Officer role and a User role. The
Administrator maps to the Crypto-Officer role and the client Users map to the User role.
Crypto Officer Role
The Crypto Officer role has the ability to configure, manage, and monitor the switch. Three management
interfaces can be used for this purpose:
CLI
The Crypto Officer can use the CLI to perform non-security-sensitive and security-sensitive monitoring
and configuration. The CLI can be accessed remotely by using the SSHv2 secured management session
over the Ethernet ports or locally over the serial port. In FIPS mode, the serial port is disabled.
Web Interface
The Crypto Officer can use the Web Interface as an alternative to the CLI. The Web Interface provides a
highly intuitive, graphical interface for a comprehensive set of switch management tools. The Web
Interface can be accessed from a TLS-enabled Web browser using HTTPS (HTTP with Secure Socket
Layer) on logical port 4343.
Bootrom Monitor Mode
In Bootrom monitor mode, the Crypto Officer can reboot, update the Bootrom, issue file system-related
commands, modify network parameters, and issue various show commands. The Crypto Officer can
only enter this mode by pressing any key during the first four seconds of initialization. Bootrom Monitor
Mode is disabled in FIPS mode.
The Crypto Officer can also use SNMPv1/2c/3 to remotely perform non-security-sensitive monitoring and
use get and getnext commands. See the table below for descriptions of the services available to the Crypto
Officer role.
Table 3 Crypto-Officer Services
Service Description Input Output CSP Access
SSH Provide authenticated and
encrypted remote management
sessions while using the CLI
SSH key agreement
parameters, SSH
inputs, and data
SSH outputs and
data
Diffie-Hellman key pair
(read/ write access), session
key for SSH (read/write
access), RNG keys (read
access); Crypto Officer's
password (read access)
IKEv1/IKEv2-IPSec Provide authenticated and
encrypted remote management
sessions to access the CLI
functionality
IKEv1/IKEv2 inputs and
data; IPSec inputs,
commands, and data
IKEv1/IKEv2
outputs, status,
and data; IPSec
outputs, status,
and data
RSA or ECDSA key pair for
IKEv1/IKEv2 (read access),
Diffie-Hellman or Elliptic
curve Diffie-Hellman key pair
for IKEv1/IKEv2 (read/write
access), pre- shared keys
for IKEv1/IKEv2 (read
access); Session keys for
IPSec (read/write access)
18 | FIPS 140-2 Level 2 Features Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement
Configuring
Network
Management
Create management Users and
set their password and privilege
level; configure the SNMP agent
Commands and
configuration data
Status of
commands and
configuration data
Crypto Officer's password
for CLI (read/write access)
Configuring the
module Platform
Define the platform subsystem
firmware of the module by
entering Bootrom Monitor Mode,
File System, fault report, message
logging, and other platform
related commands
Commands and
configuration data
Status of
commands and
configuration data
None
Configuring
Hardware
Controllers
Define synchronization features
for module
Commands and
configuration data
Status of
commands and
configuration data
None
Configuring the
Internet Protocol
Set IP functionality Commands and
configuration data
Status of
commands and
configuration data
None
ConfiguringQuality
of Service (QoS)
Configure QOS values for module Commands and
configuration data
Status of
commands and
configuration data
None
Configuring the
VPN
Configure Public Key
Infrastructure (PKI); configure the
Internet Key Exchange (IKEv1/
IKEv2) Security Protocol;
configure the IPSec protocol
Commands and
configuration data
Status of
commands and
configuration data
RSA and ECDSA keys pair
(read/write access), Pre-
shared key (read/write
access)
Configuring DHCP Configure DHCP on module Commands and
configuration data
Status of
commands and
configuration data
None
Configuring
Security
Define security features for
module, including Access List,
AAA, and firewall functionality
Commands and
configuration data
Status of
commands and
configuration data
AAA User password (read/
write access), RADIUS
password (read/ write
access)
HTTPS over TLS Secure browser connection over
Transport Layer Security acting as
a Crypto Officer service (web
management interface)
TLS inputs, commands,
and data
TLS outputs,
status, and data
RSA key pair for TLS; TLS
Session Key
IPSec tunnel
establishment for
RADIUS protection
Provided authenticated/
encrypted channel to RADIUS
server
IKEv1/IKEv2 inputs and
data; IPSec inputs,
commands, and data
IKEv1/IKEv2
outputs, status,
and data; IPSec
outputs, status,
and data
Preshared key/RSA private
key for IKEv1/IKEv2 (read
access), Diffie-Hellman and
Elliptic curve Diffie-Hellman
key pair for IKEv1/IKEv2
(read/write access), Session
keys for IPSec (read/write
access)
Self-test Run Power On Self-Tests and
Conditional Tests
None Error messages
logged if a failure
occurs
None
Configuring
Bypass Operation
Configure bypass operation on
the module
Commands and
configuration data
Status of
commands and
configuration data
None
Table 3 Crypto-Officer Services
Service Description Input Output CSP Access
Other manuals for PowerConnect W-Series FIPS
1
This manual suits for next models
4
Table of contents
Other Dell Switch manuals
Dell
Dell Networking Z9500 User manual
Dell
Dell Networking S5000 User manual
Dell
Dell PowerConnect 8024F User manual
Dell
Dell PowerConnect 6224 User manual
Dell
Dell S6100 User manual
Dell
Dell PowerConnect B-TI24x Manual
Dell
Dell Networking S55 User manual
Dell
Dell PowerConnect M8428-k User manual
Dell
Dell S50N User manual
Dell
Dell Console Switch User manual
Dell
Dell DF10MXL User manual
Dell
Dell PowerConnect 2808 User manual
Dell
Dell S4820T User manual
Dell
Dell Force10 S50N Series Instruction Manual
Dell
Dell PowerConnect 2024 User manual
Dell
Dell EMC N2200-ON Series User manual
Dell
Dell X1000 Series User manual
Dell
Dell Force10 Software Defined Networking Quick reference guide
Dell
Dell PowerConnect 7048P User manual
Dell
Dell S4820T User manual
Popular Switch manuals by other brands
axing
axing premium-line SPU 94-09 Operation instructions
Honeywell
Honeywell 39351 quick start guide
Comelit
Comelit IPSWP06N100A quick start guide
Alereon Confidential
Alereon Confidential AL5612 user guide
Endress+Hauser
Endress+Hauser nivotester FTL 325 P manual
Advent Instruments
Advent Instruments AI-7280 Programmer's guide
Eaton
Eaton TM-1-8240 Series Instruction leaflet
EUCHNER
EUCHNER CES-I-BR Series operating instructions
Leonton
Leonton PT2-0702-SFP Series user manual
Foundry Networks
Foundry Networks EdgeIron 2402CF installation guide
Velux
Velux INTEGRA KLI 310 instructions
D-Link
D-Link SmartPro DGS-1500-20 reference guide