Aruba 620, 650 and Dell W- 620, W-650 Controllers with ArubaOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-2 Level 2 Release Supplement Copyright , Aruba Networks®, Aruba Wireless Networks®, the © 2012 Aruba Networks, Inc. Aruba Networks trademarks include registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved. All other trademarks are the property of their respective owners. Open Source Code Certain Aruba products include Open Source software code developed by third parties, including software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source Licenses. The Open Source code used can be found at this site: http://www.arubanetworks.com/open_source Legal Notice The use of Aruba Networks, Inc. switching platforms and software, by all individuals or corporations, to terminate other vendors’ VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba Networks, Inc. from any and all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors. Warranty This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS. Altering this device (such as painting it) voids the warranty. Copyright © 2012 Aruba Networks, Inc. Aruba Networks trademarks include , Aruba Networks®, Aruba Wireless Networks®,the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®. Dell™, the DELL™ logo, andPowerConnect™ are trademarks of Dell Inc. www.arubanetworks.com 1344 Crossman Avenue Sunnyvale, California 94089 Phone: 408.227.4500 Fax 408.227.4550 Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement 0510888-02 | May 2012 Contents Preface ................................................................................................................................... 5 Purpose of this Document.....................................................................................5 Aruba Dell Relationship...................................................................................5 Related Documents ...............................................................................................6 Product Manuals .............................................................................................6 Additional Product Information .......................................................................6 Chapter 1 The Aruba 620 and 650 Mobility Controllers ......................................... 7 Overview ................................................................................................................7 Physical Description ..............................................................................................8 Dimensions .....................................................................................................8 Cryptographic Module Boundaries .......................................................................8 Aruba 620 Chassis ..........................................................................................8 Aruba 650 Chassis ........................................................................................12 Chapter 2 FIPS 140-2 Level 2 Features ................................................................. 17 Intended Level of Security ...................................................................................17 Physical Security .................................................................................................17 Operational Environment .....................................................................................17 Logical Interfaces ................................................................................................18 Roles and Services ..............................................................................................19 Crypto Officer Role .......................................................................................19 User Role ......................................................................................................21 Authentication Mechanisms..........................................................................22 Unauthenticated Services .............................................................................23 Cryptographic Key Management.........................................................................23 Implemented Algorithms ...............................................................................23 Non-FIPS Approved Algorithms....................................................................24 Critical Security Parameters..........................................................................24 Self-Tests.............................................................................................................27 Alternating Bypass State .....................................................................................28 Mitigation of Other Attacks..................................................................................29 XSec ..............................................................................................................29 Wireless Intrusion Detection .........................................................................29 Unique Station and User Classification ..................................................29 Detecting and Disabling Rogue APs ......................................................30 Denial of Service and Impersonation Protection...........................................30 Man-in-the-Middle Protection.......................................................................30 Policy Definition and Enforcement ................................................................30 Using Wireless to Protect your Wired Network.............................................30 Using Wireless to Protect your Existing Wireless Network...........................30 Chapter 3 Installing the Controller......................................................................... 31 Pre-Installation Checklist.....................................................................................31 Precautions..........................................................................................................31 The Security Kit ...................................................................................................32 Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement |3 Product Examination.....................................................................................32 The units are shipped to the Crypto Officer in factory-sealed boxes using trusted commercial carrier shipping companies. The Crypto Officer should ex- amine the carton for evidence of tampering. Tamper-evidence includes tears, scratches, and other irregularities in the packaging. ....................................32 Package Contents.........................................................................................32 Tamper-Evident Labels .......................................................................................32 Reading TELs ................................................................................................33 Required TEL Locations................................................................................33 Aruba 620 ...............................................................................................33 Aruba 650 ...............................................................................................36 Applying TELs ...............................................................................................38 Chapter 4 Ongoing Management........................................................................... 39 Crypto Officer Management ................................................................................39 User Guidance.....................................................................................................39 Chapter 5 Setup and Configuration ....................................................................... 41 Setting Up Your Controller ..................................................................................41 Enabling FIPS Mode ............................................................................................41 Enabling FIPS with the Setup Wizard ...........................................................41 Enabling FIPS with the WebUI ......................................................................41 Disallowed FIPS Mode Configurations................................................................42 4| Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Preface This security policy document can be copied and distributed freely. Purpose of this Document This release supplement provides information regarding the Aruba 620 and 650 Mobility Controllers and Dell W-620 and W-650 controllers with FIPS 140-2 Level 2 validation from Aruba Networks. The material in this supplement modifies the general Aruba hardware and firmware documentation included with this product and should be kept with your Aruba product documentation. This supplement primarily covers the non-proprietary Cryptographic Module Security Policy for the Aruba Mobility Controller. This security policy describes how the switch meets the security requirements of FIPS 140-2 Level 2 and how to place and maintain the switch in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2 validation of the product. FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2 standard and validation program is available on the National Institute of Standards and Technology (NIST) Web-site at: http://csrc.nist.gov/groups/STM/cmvp/index.html Aruba Dell Relationship Aruba Networks is the OEM for the Dell PowerConnect W line of products. Dell products are identical to the Aruba products other than branding and Dell software is identical to Aruba software other than branding. The contents of this document will use the Aruba 620 and 650 as examples and all corresponding Dell models follow the same rules. Table 1 Aruba and Dell Part Numbers Aruba Part Number Aruba Firmware Dell Part Number Dell Firmware 620-F1 ArubaOS_MMC_6.1.2.3-FIPS W-620-F1 DELL_PCW_MMC_6.1.2.3-FIPS 620-USF1 ArubaOS_MMC_6.1.2.3-FIPS W-620-USF1 DELL_PCW_MMC_6.1.2.3-FIPS 650-F1 ArubaOS_MMC_6.1.2.3-FIPS W-650-F1 DELL_PCW_MMC_6.1.2.3-FIPS 650-USF1 ArubaOS_MMC_6.1.2.3-FIPS W-650-USF1 DELL_PCW_MMC_6.1.2.3-FIPS References to Aruba, ArubaOS and Aruba 600 series apply to both the Aruba and Dell versions of these products and documentation. Products ending with -USF1 are to be sold in the US only. Products ending with -F1 are considered ‘rest of the world’ and must not be used for deployment in the United States. From FIPS perspective, both -USF1 and -F1 models are identical and fully FIPS compliant. Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Preface | 5 Related Documents Product Manuals The following items are part of the complete installation and operations documentation included with this product: Aruba 620 and 650 Mobility Controllers with ArubaOS FIPS Firmware Non-Proprietary Security Policy  (this document) Aruba 620 Mobility Controller Installation Guide  Aruba 650 Mobility Controller Installation Guide  ArubaOS 6.1 User Guide  ArubaOS 6.1 CLI Reference Guide  ArubaOS 6.1 Quick Start Guide  ArubaOS 6.1 Upgrade Guide  Aruba AP Installation Guides  Additional Product Information More information is available from the following sources: The Aruba Networks Web-site contains information on the full line of products from Aruba Networks:  http://www.arubanetworks.com The Dell Web site contains information on the full line of products from Dell.  http://www.dell.com/ The NIST Validated Modules Web-site contains contact information for answers to technical or sales-  related questions for the product: http://csrc.nist.gov/groups/STM/cmvp/index.html 6 | Preface Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Chapter 1 The Aruba 620 and 650 Mobility Controllers This chapter introduces the Aruba 620 and 650 Mobility Controllers with FIPS 140-2 Level 2 validation. It describes the purpose of the controller, its physical attributes, and its interfaces. Overview Aruba Networks has developed a purpose-built Wireless LAN voice and data switching solution designed to specifically address the needs of large-scale WiFi network deployments for Government agencies and global enterprises. The Aruba Mobility Controller solution provides advanced security and management of the corporate RF environment and enforces User security and service policies to both wired and wireless users. The Aruba Wireless FIPS 140-2 Level 2 validated Mobility Controlling platform serves value-add high speed data and QoS assured voice services to thousands of mobile wireless users simultaneously from a single, cost effective, redundant and scalable solution that performs centralized functionality for: Uncompromised User security, authentication and encryption  Stateful LAN-speed firewalling  VPN termination  Wireless intrusion detection, prevention and rogue containment  RF Air monitoring  Powerful packet processing switching  Mobility management  Advanced RF management  Advanced User and network service / element management  The Aruba FIPS 140-2 Level 2 validated Mobility Controller solution is a highly available, modular and upgradeable switching platform which connects, controls, secures, and intelligently integrates wireless Access Points and Air Monitors into the wired LAN, serving as a gateway between a wireless network and the wired network. The wireless network traffic from the APs is securely tunneled over a L2/L3 network and is terminated centrally on the switch via 10/100/1000 Ethernet physical interfaces where it is authenticated, assigned the appropriate security policies and VLAN assignments and up-linked onto the wired network. The Aruba Mobility Controller solution consists of the three major components: Aruba Mobility Controller. This is an enterprise-class switch into which multiple Access Points (APs)  and Air Monitors (AMs) may be directly or in-directly (tunneled over a L2/L3 network) connected and controlled. Aruba Wireless Access Point. This is a next-generation wireless transceiver which functions as an AP or  AM. Although third-party APs can be used with the Aruba WLAN system, the Aruba AP provides the most comprehensive features and simpler integration. Aruba’s ArubaOS Switch firmware. This firmware intelligently integrates the Mobility Controller and  APs to provide load balancing, rate limiting, self healing, authentication, mobility, security, firewalls, encryption, and centralization for monitoring and upgrades. The switch configurations tested during the cryptographic module testing included: Aruba 620 (620-USF1)  Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement The Aruba 620 and 650 Mobility Controllers | 7 Dell W-620 (W-620-USF1)  Aruba 650 (650-USF1)  Dell W-650 (W-650-USF1)  The exact firmware versions tested were:  ArubaOS_6xx_6.1.2.3-FIPS  Dell_PCW_6xx_6.1.2.3-FIPS  Physical Description See “Aruba 620 Chassis” on page 8 or “Aruba 650 Chassis” on page 12for a list of what ships with this product. Dimensions The Aruba 620 Mobility Controller has the following physical dimensions: Size:  Width 12.6" (320 mm)  Height 1.75" (45 mm)  Depth 6.8" (173 mm)  Weight: 2.7 lbs/1.23 kgs  The 620 Rack Mounting Kit provides the means to install a 620 controller in a standard 19-inch rack. The Aruba 650 Mobility Controller has the following physical dimensions: Size:  Width 13.6" (346 mm)  Height 1.5" (38 mm)  Depth 8.9" (226 mm)  Weight: 4.9 lbs/2.2 kgs  The Aruba 650 Mobility Controller is rack mountable in a standard 19-inch rack. Cryptographic Module Boundaries For FIPS 140-2 Level 2 validation, the Mobility Controller has been validated as a multi-chip standalone cryptographic module. The chassis physically encloses the complete set of hardware and firmware components and represents the cryptographic boundary of the switch. The cryptographic boundary is defined as encompassing the top, front, left, right, rear, and bottom surfaces of the case. Aruba 620 Chassis The Aruba 620 Mobility Controller chassis is designed to be 1U not-modular. The following diagrams (Figure 1 and Figure 2) show the front and rear view of the chassis respectively. The Aruba 620 Mobility Controller chassis contains: 1x Console (RS-232) RJ-45 port  4xFast Ethernet (10/100BASE-T) port  4x Fast Ethernet (10/100BASE-T) with PoE+ port  1x Gigabit Ethernet (1000BASE-T) port  1x ExpressCard® port  8 | The Aruba 620 and 650 Mobility Controllers Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement 1x USB 2.0 port  1x AC input voltage 100-240 V, Universal Input  Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement The Aruba 620 and 650 Mobility Controllers | 9 Figure 1 Aruba 620 Mobility Controller Front View ExpressCard Slot Port LEDs Figure 2 Aruba 620 Mobility Controller Rear View Serial Console Port 10/100Base-T Ethernet Ports 10/100/1000Base-T Gigabit Ethernet Port Media Eject Button AC Power Socket USB port The Aruba 620 is equipped with a media eject button, which allows users to eject storage devices safely and place the system in standby. Pushing the media eject button changes the state of the Aruba 620; the table below describes the states and LED behaviors associated with use of the media eject button: 10 | The Aruba 620 and 650 Mobility Controllers Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Table 2 Media Eject Button LED Behavior LED Action Initial State LED State Action Status LED Function Completed NAS Media Operational Green-solid Press and hold Amber-flashing Un-mount all NAS Amber-solid media eject button media for 1 to 5 seconds only NAS Media Unmounted Amber-solid Press and hold Amber-flashing Mount all attached Green-solid media eject button NAS devices, and for 1 to 5 seconds return to fully only functional operation Operational Green-solid Press and hold Red-flashing Controller goes Red-solid media eject button into Standby for more than 5 seconds only Operating with NAS Amber-solid Press and hold Red-flashing Controller goes Red-solid Media un-mounted media eject button into Standby for more than 5 seconds only Standby Red-solid Press media eject Amber-flashing Controller wake-up Green-solid button In non-rack deployments, the Aruba 620 is placed with the front facing out. This allows the cables to be hidden and creates a more aesthetically pleasing look. Therefore, a set of LEDs displaying link activity on the ports is placed on the front side. Same LEDs also exist in back side too. For information about the behavior of these LEDs, see table below. Table 3 Aruba 620 LED Status Indicators LED Label Function Indicator Status Power POWER Input Power Status Indicator On (Solid Green) Power on Off No Power Status STATUS Module Status Indicator On (Solid Green) Device is operational On (Solid Red) Device failed or is in Standby On (Solid Amber) Device is loading software Off No power 10/100/1000Base-T Port LNK/ACT Link/Activity Status Indicator On (Solid Green) Link has been established On (Flashing Green) Port is transmitting or receiving data Off No link on port 1000 Interface Speed On (Solid Green) 1000 Mbps Off 10/100 Mbps Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement The Aruba 620 and 650 Mobility Controllers | 11 Table 3 Aruba 620 LED Status Indicators LED Label Function Indicator Status 10/100Base-T Ports LINK/ACT Link/Activity Status Indicator On (Solid Green) Link has been established On (Flashing Green) Port is transmitting or receiving data Off No link on port PoE PoE Status Indicator On (Solid Green) PoE is being provided On (Solid Amber) The attached device has requested PoE, but PoE is not being provided by the port Off PoE is not being provided 100 Interface Speed On (Solid Green) 100 Mbps Off 10 Mbps Aruba 650 Chassis The Aruba 650 Mobility Controller chassis is also 1U not-modular. The following diagrams (Figure 3 and Figure 4) show the front and rear view of the chassis respectively. The Aruba 650 Mobility Controller chassis contains: 1x Console (RS-232) RJ-45 port  2x Gigabit Ethernet (10/100/1000Base-T)  4x Gigabit Ethernet (10/100/1000Base-T) with PoE+  2x Gigabit Ethernet pluggable (1000Base-X SFP)  1x ExpressCard® port  4x USB 2.0 port  1x AC input voltage 100-240 V, Universal Input  12 | The Aruba 620 and 650 Mobility Controllers Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Figure 3 Aruba 650 Mobility Controller Front View 10/100/1000Base-T Gigabit Ethernet Ports USB ports OLE CONS 7 LINK/ 6 ACT LINK/ 5 ACT 4 1000 LINK/ ACT 3 2 1 0 POE LINK/ ACT Serial Console Port Media Eject Button 10/100/1000Base-T Gigabit Ethernet Ports with PoE 1000Base-X (SFP) Ports Figure 4 Aruba 650 Mobility Controller Rear View Antennae Interfaces (651 Only) Slot ExpressCard Slot AC Power Socket The Aruba 650 Series is equipped with a media eject button, which allows users to eject storage devices safely and place the system in standby. Pushing the media eject button changes the state of the Aruba 650 Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement The Aruba 620 and 650 Mobility Controllers | 13 Series; the table below describes the states and LED behaviors associated with use of the media eject button. Table 4 Media Eject Button LED Behavior LED Action Initial State LED State Action Status LED Function Completed NAS Media Operational Green-solid Press and hold Amber-flashing Un-mount all NAS Amber-solid media eject button media for 1 to 5 seconds only NAS Media Unmounted Amber-solid Press and hold Amber-flashing Mount all attached Green-solid media eject button NAS devices, and for 1 to 5 seconds return to fully only functional operation Operational Green-solid Press and hold Red-flashing Controller goes Red-solid media eject button into Standby for more than 5 seconds only Operating with NAS Amber-solid Press and hold Red-flashing Controller goes Red-solid Media un-mounted media eject button into Standby for more than 5 seconds only Standby Red-solid Press media eject Amber-flashing Controller wake-up Green-solid button The behavior of the Power, Status and port LEDs is described in the table below: Table 5 Aruba 650 Series LED Status Indicators LED Label Function Indicator Status Power POWER Input Power Status Indicator On (Solid Green) Power on Off No Power Status STATUS Module Status Indicator On (Solid Green) Device is operational On (Solid Red) Device failed or is in Standby On (Solid Amber) Device is loading software Off No power 1000Base-X Ports (SFP) LNK/ACT Link Status Indicator On (Solid Green) Link has been established On (Flashing Green) Port is transmitting or receiving data Off No link on port 14 | The Aruba 620 and 650 Mobility Controllers Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Table 5 Aruba 650 Series LED Status Indicators LED Label Function Indicator Status 10/100/1000Base-T Ports LNK/ACT Link/Activity Status Indicator On (Solid Green) Link has been established On (Flashing Green) Port is transmitting or receiving data Off No link on port 1000 Interface Speed On (Solid Green) 1000 Mbps Off 10/100 Mbps 10/100/1000Base-T Ports LINK/ACT Link/Activity Status Indicator On (Solid Green) Link has been established with PoE On (Flashing Green) Port is transmitting or receiving data Off No link on port PoE PoE Status Indicator On (Solid Green) PoE is being provided On (Solid Amber) The attached device has requested PoE, but PoE is not being provided by the port Off PoE is not being provided Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement The Aruba 620 and 650 Mobility Controllers | 15 16 | The Aruba 620 and 650 Mobility Controllers Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Chapter 2 FIPS 140-2 Level 2 Features Intended Level of Security The Aruba 620 and 650 Mobility Controllers and associated modules are intended to meet overall FIPS 140- 2 Level 2 requirements as shown in Table 2-1. Table 1 Intended Level of Security Section Section Title Level 1 Cryptographic Module Specification 2 2 Cryptographic Module Ports and Interfaces 2 3 Roles, Services, and Authentication 2 4 Finite State Model 2 5 Physical Security 2 6 Operational Environment N/A 7 Cryptographic Key Management 2 8 EMI/EMC 2 9 Self-tests 2 10 Design Assurance 2 11 Mitigation of Other Attacks 2 Physical Security The Aruba Mobility Controller is a scalable, multi-processor standalone network device and is enclosed in a robust steel housing. The switch enclosure is resistant to probing and is opaque within the visible spectrum. The enclosure of the switch has been designed to satisfy FIPS 140-2 Level 2 physical security requirements. To protect the Aruba 620 and 650 Mobility Controllers from any tampering with the product, TELs should be applied by the Crypto Officer as covered under “Tamper-Evident Labels” on page 32. Operational Environment The operational environment is non-modifiable. The control plane Operating System (OS) is Linux, a real- time, multi-threaded operating system that supports memory protection between processes. Access to the underlying Linux implementation is not provided directly. Only Aruba Networks provided interfaces are used, and the CLI is a restricted command set. Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement FIPS 140-2 Level 2 Features | 17 Logical Interfaces All of these physical interfaces are separated into logical interfaces defined by FIPS 140-2, as described in the following table. Table 2 FIPS 140-2 Logical Interfaces FIPS 140-2 Logical Interfaces Module Physical Interface Data Input Interface 10/100 Mbps Ethernet Port 10/100/1000 Mbps Ethernet Port Express Card slot (disabled) USB 2.0 ports Data Output Interface 10/100 Mbps Ethernet Port 10/100/1000 Mbps Ethernet Port Express Card slot (disabled) USB 2.0 ports Control Input Interface 10/100 Mbps Ethernet Port 10/100/1000 Mbps Ethernet Port Express Card slot (disabled) Media Eject Button Serial Console port (disabled) Status Output Interface 10/100 Mbps Ethernet port 10/100/1000 Mbps Ethernet ports LEDs Serial Console port (disabled) Power Interface Power Supply PoE Data input and output, control input, status output, and power interfaces are defined as follows: Data input and output are the packets that use the firewall, VPN, and routing functionality of the  modules. Control input consists of manual control inputs for media eject. It also consists of all of the data that is  entered into the switch while using the management interfaces. Status output consists of the status indicators displayed through the LEDs, the status data that is output  from the switch while using the management interfaces, and the log file. LEDs indicate the physical state of the module, such as power-up (or rebooting), utilization level, activation state (including fan, ports, and power) and status of connected media. The log file records the results of self-tests, configuration errors, and monitoring data. 18 | FIPS 140-2 Level 2 Features Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement A power supply is used to connect the electric power cable. Operating power is also provided to a  compatible Power Over Ethernet (POE) device when connected. The power is provided through the connected Ethernet cable. The switch distinguishes between different forms of data, control, and status traffic over the network ports by analyzing the packets header information and contents. Roles and Services The Aruba Mobility Controller supports role-based authentication. There are two roles in the switch (as required by FIPS 140-2 Level 2) that operators may assume: a Crypto Officer role and a User role. The Administrator maps to the Crypto-Officer role and the client Users map to the User role. Crypto Officer Role The Crypto Officer role has the ability to configure, manage, and monitor the switch. Three management interfaces can be used for this purpose: CLI  The Crypto Officer can use the CLI to perform non-security-sensitive and security-sensitive monitoring and configuration. The CLI can be accessed remotely by using the SSHv2 secured management session over the Ethernet ports or locally over the serial port. In FIPS mode, the serial port is disabled. Web Interface  The Crypto Officer can use the Web Interface as an alternative to the CLI. The Web Interface provides a highly intuitive, graphical interface for a comprehensive set of switch management tools. The Web Interface can be accessed from a TLS-enabled Web browser using HTTPS (HTTP with Secure Socket Layer) on logical port 4343. Bootrom Monitor Mode  In Bootrom monitor mode, the Crypto Officer can reboot, update the Bootrom, issue file system-related commands, modify network parameters, and issue various show commands. The Crypto Officer can only enter this mode by pressing any key during the first four seconds of initialization. Bootrom Monitor Mode is disabled in FIPS mode. The Crypto Officer can also use SNMPv1/2c/3 to remotely perform non-security-sensitive monitoring and use get and getnext commands. See the table below for descriptions of the services available to the Crypto Officer role. Table 3 Crypto-Officer Services Service Description Input Output CSP Access SSH v 2.0 Provide authenticated and SSH key agreement SSH outputs and Diffie-Hellman key pair encrypted remote management parameters, SSH data (read/ write access), session sessions while using the CLI inputs, and data key for SSH (read/write access), RNG keys (read access); Crypto Officer's password (read access) IKEv1/IKEv2-IPSec Provide authenticated and IKEv1/IKEv2 inputs and IKEv1/IKEv2 RSA or ECDSA key pair for encrypted remote management data; IPSec inputs, outputs, status, IKEv1/IKEv2 (read access), sessions to access the CLI commands, and data and data; IPSec Diffie-Hellman or Elliptic functionality outputs, status, curve Diffie-Hellman key pair and data for IKEv1/IKEv2 (read/write access), pre- shared keys for IKEv1/IKEv2 (read access); Session keys for IPSec (read/write access) Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement FIPS 140-2 Level 2 Features | 19 Table 3 Crypto-Officer Services Service Description Input Output CSP Access Configuring Create management Users and Commands and Status of Crypto Officer's password Network set their password and privilege configuration data commands and for CLI (read/write access) Management level; configure the SNMP agent configuration data Configuring the Define the platform subsystem Commands and Status of None module Platform firmware of the module by configuration data commands and entering Bootrom Monitor Mode, configuration data File System, fault report, message logging, and other platform related commands Configuring Define synchronization features Commands and Status of None Hardware for module configuration data commands and Controllers configuration data Configuring the Set IP functionality Commands and Status of None Internet Protocol configuration data commands and configuration data Configuring Quality Configure QOS values for module Commands and Status of None of Service (QoS) configuration data commands and configuration data RSA and ECDSA keys pair Configuring the Configure Public Key Commands and Status of (read/write access), Pre- VPN Infrastructure (PKI); configure the configuration data commands and shared key (read/write Internet Key Exchange (IKEv1/ configuration data access) IKEv2) Security Protocol; configure the IPSec protocol Configuring DHCP Configure DHCP on module Commands and Status of None configuration data commands and configuration data Configuring Define security features for Commands and Status of AAA User password (read/ Security module, including Access List, configuration data commands and write access), RADIUS AAA, and firewall functionality configuration data password (read/ write access) HTTPS over TLS Secure browser connection over TLS inputs, commands, TLS outputs, RSA key pair for TLS; TLS Transport Layer Security acting as and data status, and data Session Key a Crypto Officer service (web management interface) IPSec tunnel Provided authenticated/ IKEv1/IKEv2 inputs and IKEv1/IKEv2 Preshared key/RSA private establishment for encrypted channel to RADIUS data; IPSec inputs, outputs, status, key for IKEv1/IKEv2 (read RADIUS protection server commands, and data and data; IPSec access), Diffie-Hellman and outputs, status, Elliptic curve Diffie-Hellman and data key pair for IKEv1/IKEv2 (read/write access), Session keys for IPSec (read/write access) Self-test Run Power On Self-Tests and None Error messages None Conditional Tests logged if a failure occurs Configuring Configure bypass operation on Commands and Status of None Bypass Operation the module configuration data commands and configuration data 20 | FIPS 140-2 Level 2 Features Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Table 3 Crypto-Officer Services Service Description Input Output CSP Access Updating Firmware Updating firmware on the module Commands and Status of None configuration data commands and configuration data Configuring OCSP Configuring OCSP responder OCSP inputs, OCSP outputs, RSA/ECDSA key pair for Responder functionality commands, and data status, and data signing OCSP responses Configuring Configuring Control Plane Commands and Status of RSA private key for IKEv1/ Control Plane Security mode to protect configuration data, commands, IKEv1/ IKEv2 and certificate signing Security (CPSec) communication with APs using IKEv1/IKEv2 inputs and IKEv2 outputs, (read access), Diffie-Hellman IPSec and issue self signed data; IPSec inputs, status, and data; key pair for IKEv1/IKEv2 certificates to APs commands, and data IPSec outputs, (read/write access), Session status, and data keys for IPSec (read/write and configuration access) data, self signed certificates Status Cryptographic officer may use Commands and Status of None CLI "show" commands or view configuration data commands and WebUI via TLS to the view the configuration switch configuration, routing tables, and active sessions; view health, temperature, memory status, voltage and packet statistics, review account logs, and view physical interface status. User Role The User role can access the switch’s IPSec and IKEv1/IKEv2 services. Service descriptions and inputs/ outputs are listed in the following table: Table 4 User Service Service Description Input Output CSP Access IKEv1/IKEv2-IPSec Access the module's IPSec IPSec inputs, IPSec outputs, RSA and ECDSA key pair for services in order to secure commands, and data status, and data IKEv1/IKEv2 (read access); network traffic Diffie-Hellman and Elliptic curve Diffie-Hellman key pair for IKEv1/IKEv2 (read and write access); pre-shared keys for IKEv1/IKEv2 (read access) HTTPS over TLS Access the module’s TLS TLS inputs, commands, TLS outputs, RSA key pair for TLS; TLS services in order to secure and data status, and data Session Key network traffic EAP-TLS Provide EAP-TLS termination EAP-TLS inputs, EAP-TLS outputs, EAP-TLS RSA private key termination commands and data status and data (read) EAP-TLS ECDSA private key (read) 802.11i Shared Access the module’s 802.11i 802.11i inputs, 802.11i outputs, 802.11i Pre-Shared Key Key Mode services in order to secure commands and data status and data (read) network traffic 802.11i Session key (read/ write) Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement FIPS 140-2 Level 2 Features | 21 Table 4 User Service Service Description Input Output CSP Access 802.11i with EAP- Access the module’s 802.11i 802.11i inputs, 802.11i outputs, EAP-TLS RSA private key TLS services in order to secure commands and data status, and data (read) network traffic EAP-TLS ECDSA private key (read) 802.11i Pair-Wise Master Key (read/ write) 802.11i Session key (read/write) Data link Data link encryption AES Data link (Layer 2) Access the module’s Layer 2 Data link encryption key (read) Encryption encrypted tunnel services to inputs, commands and encryption, status, secure network trafficData link data and data encryption inputs, commands and data Authentication Mechanisms The Aruba Mobility Controller supports role-based authentication. Role-based authentication is performed before the Crypto Officer enters privileged mode using admin password via Web Interface or SSH or by entering enable command and password in console. Role-based authentication is also performed for User authentication. This includes password and RSA/ECDSA-based authentication mechanisms. The strength of each authentication mechanism is described below. Table 5 Estimated Strength of Authentication Mechanisms Authentication Type Role Strength Password-based authentication Crypto Officer Passwords are required to be at least six characters long. (CLI and Web Interface) Numeric, alphabetic (upper and lowercase), and keyboard and extended characters can be used, which gives a total of 95 characters to choose from. Therefore, the number of potential six-character passwords is 956 (735091890625). RSA-based authentication User RSA signing and verification is used to authenticate to the (IKEv1/IKEv2) module during IKEv1/IKEv2. This mechanism is as strong as the RSA algorithm using a 1024 or 2048 bit key pair. Pre-shared key-based User Pre-shared keys must be at least six characters long and up authentication (IKEv1/IKEv2) to 64 bytes long. Even if only uppercase letters were used without repetition for a six character pre-shared key, the probability of randomly guessing the correct sequence is one in 165,765,600. Pre-shared key based User 1024 and 2048 bit RSA keys correspond to effective strength of 280 and 2112 respectively. authentication (802.11i) EAP-TLS authentication User 1024 and 2048 bit RSA keys correspond to effective strength of 280 and 2112 respectively. ECDSA-based authentication User ECDSA signing and verification is used to authenticate to the (IKEv1/IKEv2) module during IKEv1/IKEv2. Both P-256 and P-384 keys are supported. ECDSA P-256 provides 128 bits of equivalent security, and P-384 provides 192 bits of equivalent security. 22 | FIPS 140-2 Level 2 Features Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Unauthenticated Services The Aruba Mobility Controller can perform SNMP management, VLAN, bridging, firewall, routing, and forwarding functionality without authentication. These services do not involve any cryptographic processing. Additional unauthenticated services include performance of the power-on self test and system status indication via LEDs. Cryptographic Key Management Implemented Algorithms FIPS-approved cryptographic algorithms have been implemented in hardware and firmware. Hardware encryption acceleration is provided for bulk cryptographic operations for the following FIPS approved algorithms: AES (Cert. #779)  Triple-DES (Cert. #673)  SHS (Cert. #781)  HMAC (Cert. #426)  The firmware supports the following cryptographic implemetations. ArubaOS OpenSSL Module implements the following FIPS-approved algorithms: AES (Cert. #1854)  Triple-DES (Cert. #1201)  SHS (Cert. #1631)  RNG (Cert. #972)  RSA (Cert. #937)  HMAC (Cert. #1101)  ECDSA (#258)  ArubaOS Crypto Module implementation supports the following FIPS Approved Algorithms: AES (Cert. #1850)  Triple-DES (Cert. #1198)  SHS (Cert. #1627)  RNG (Cert. #969)  RSA (Cert. #933)  HMAC (Cert. #1098)  ECDSA (Cert. #257)  ArubaOS UBOOT Bootloader implements the following FIPS-approved algorithms: RSA (Cert. #935)  SHS (Cert. #1629)  Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement FIPS 140-2 Level 2 Features | 23 Non-FIPS Approved Algorithms The cryptographic module implements the following non-approved algorithms that are not permitted for use in the FIPS 140-2 mode of operations: DES  HMAC-MD5  MD5  RC4  NDRNG  In addition, withing the FIPS Approved mode of operation, the module supports the following allowed key establishment schemes: Diffie-Hellman (key agreement; key establishment methodology provides 80 bits of encryption strength;  non-compliant less than 80-bits of encryption strength) EC Diffie-Hellman (key agreement; key establishment methodology provides between 128 and 192 bits  of encryption strength) RSA (key wrapping; key establishment methodology provides 80 bits of encryption strength)  Critical Security Parameters The following are the Critical Security Parameters (CSPs) used in the switch. Table 6 CSPs Used in Aruba Mobility Controllers CSPs CSPs type Generation Storage and Zeroization Use Key Encryption Key Triple-DES 168-bit key Hard Coded Stored in Flash and zeroized Encrypts IKEv1/IKEv2 (KEK) by using the CLI command Pre-shared key, wipe out flash RADIUS server shared secret, RSA private key, ECDSA private key, 802.11i pre-shared key and Passwords. IKEv1/IKEv2 Pre-shared 64 character pre- CO configured Stored encrypted in Flash User and module key shared key with the KEK. Zeroized by authentication during changing (updating) the pre- IKEv1, IKEv2 shared key through the User interface. RADIUS server shared 6-128 character shared CO configured Stored encrypted in Flash Module and RADIUS secret secret with the KEK. Zeroized by server authentication changing (updating) the pre- shared key through the User interface. Enable secret 6-64 character CO configured Store in ciphertext in flash. Administrator password Zeroized by changing authentication (updating) through the user interface. IPSec session 168-bit Triple-DES or Established during the Stored in plaintext in volatile Secure IPSec traffic encryption keys 128/192/256-bit AES- Diffie-Hellman key memory. Zeroized when the CBC or 128/256-bit agreement session is closed. AES-GCM keys IPSec session HMAC SHA-1 key Established during the Stored in plaintext in volatile User authentication authentication keys Diffie-Hellman key memory. Zeroized when the agreement session is closed. 24 | FIPS 140-2 Level 2 Features Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Table 6 CSPs Used in Aruba Mobility Controllers CSPs CSPs type Generation Storage and Zeroization Use SSH Diffie-Hellman 128-octet intermediate Established during the Stored in plain text in volatile Key agreement in SSH shared secret value used for key SSH Diffie-Hellman memory, Zeroized when derivation key agreement session is closed. Stored in the volatile memory. Used in establishing the IKEv1/IKEv2 Diffie- 768/1024-bit (MODP Generated internally Zeroized after the session is session key for an Hellman private key group) or 256/384-bit during IKEv1/IKEv2 (Elliptic curve group) negotiations closed. IPSec session Diffie-Hellman private key. Note: Key size 768 bits is not allowed in FIPS mode. IKEv1/IKEv2 Diffie- 128 octet or 32/48 Established during the Stored in plaintext in volatile Key agreement in Hellman shared secret octet (Elliptic curve Diffie-Hellman Key memory. Zeroized when IKEv1/IKEv2 Diffie Hellman) Agreement session is closed. intermediate value used for cryptographic key derivation Stored in plaintext in volatile IKEv1/IKEv2 payload IKEv1/IKEv2 session 160-bit HMAC-SHA1or Established as a result memory. Zeroized when integrity verification authentication key 256 byte HMAC-SHA- of Diffie-Hellman key session is closed. 256-128 or 384 byte agreement. HMAC-SHA-384-192 key Stored in plaintext in volatile IKEv1/IKEv2 payload IKEv1/IKEv2 session 168-bit Triple-DES or Established as a result memory. Zeroized when encryption encryption key 128/192/256-bit AES- of Diffie-Hellman key CBC key agreement. session is closed. SSH session keys 168-bit Triple-DES or Established during the Stored in plaintext in volatile Secure SSH traffic 128/192/256-bit AES SSH key exchange memory. Zeroized when the keys using the Diffie- session is closed. Hellman key agreement SSH session 160-bit HMAC-SHA-1 Established during the Stored in plaintext in volatile Secure SSH traffic authentication key SSH key exchange memory. Zeroized when the using the Diffie- session is closed. Hellman key agreement SSH Diffie-Hellman 768/1024-bit Diffie- Generated internally Stored in the volatile memory. Used in establishing the Private Key Hellman private key. during the SSH Zeroized after the session is session key for an SSH Note: Key size 768 bits session negotiations closed. session. is not allowed in FIPS mode. TLS pre-master secret 48 byte secret Externally generated Stored in plaintext in volatile Key agreement during input to the module by memory. Zeroized when the TLS being wrapped by session is closed. RSA public key TLS session encryption AES 128, 192, 256 Generated in the Stored in plaintext in volatile Key agreement during key module memory. Zeroized when the 802.1x connection session is closed. TLS session 160-bit HMAC-SHA1 Generated in the Stored in plaintext in volatile Key agreement during authentication key key module memory. Zeroized when the 802.1x connection session is closed. Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement FIPS 140-2 Level 2 Features | 25 Table 6 CSPs Used in Aruba Mobility Controllers CSPs CSPs type Generation Storage and Zeroization Use RSA Private Key RSA 1024/2048 bit key Generated in the Stored in flash memory Used by TLS and EAP- module encrypted with KEK. Zeroized TLS/PEAP protocols by the CO command write during the handshake, erase all. used for signing OCSP responses, and used by IKEv1/IKEv2 for device authentication and for signing certificates ECDSA Private Key ECDSA suite B P-256 Generated in the Stored in flash memory Used by TLS and EAP- and P-384 curves module encrypted with KEK. Zeroized TLS/PEAP protocols by the CO command write during the handshake. erase all. Key agreement in skeyid Intermediate 160-bit/ Established during the Stored in plaintext in volatile IKEv1/IKEv2 256-byte/384-byte Diffie-Hellman Key memory. Zeroized when value used in key Agreement session is closed. derivation skeyid_d Intermediate 160-bit/ Established during the Stored in plaintext in volatile Key agreement in 256-byte/384-byte Diffie-Hellman Key memory. Zeroized when IKEv1/IKEv2 value used in key Agreement session is closed. derivation 802.11i Pre-Shared Key 802.11i pre-shared CO configured Stored in flash memory Used by the 802.11i (PSK) secret key (256-bit) encrypted with KEK. Zeroized protocol by the CO command write erase all. 802.11i Pair-Wise 802.11i secret key Derived during the Stored in the volatile memory. Used by the 802.11i Master key (PMK) (256-bit) EAP-TLS/PEAP Zeroized on reboot. protocol handshake 802.11i session key AES-CCM key (128 Derived from 802.11 Stored in plaintext in volatile Used for 802.11i bit), AES-GCM key PMK memory. Zeroized on reboot. encryption (128/256-bit) Data link (Layer 2) AES key (256 bit) Derived during the Stored in plaintext in volatile Used to encrypt encryption key EAP-TLS handshake memory. Zeroized on reboot. tunneled Layer 2 frames Data link (Layer 2) HMAC-SHA1 key (160- Derived during EAP- Stored in plaintext in volatile Used to integrity- integrity key bit) TLS handshake memory. Zeroized on reboot. protect tunneled Layer storage and 2 frames zeroization: Stored in plaintext in volatile memory Passwords 6-character password CO configured Stored encrypted in Flash Authentication for with KEK. Zeroized by either accessing the deleting the password management configuration file or by interfaces, RADIUS overwriting the password authentication with a new one. Seed ANSI X9.31 RNG ArubaOS OpenSSL RNG Seed (16 bytes) Derived using NON- Stored in plaintext in volatile memory only. Zeroized on Seed for FIPS compliant FIPS approved HW reboot. ANSI X9.31, Appendix RNG (/dev/urandom) A2.4 using AES-128 key algorithm 26 | FIPS 140-2 Level 2 Features Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Table 6 CSPs Used in Aruba Mobility Controllers CSPs CSPs type Generation Storage and Zeroization Use ArubaOS OpenSSL RNG Seed key (16 bytes, Derived using NON- Stored in plaintext in volatile Seed ANSI X9.31 RNG Seed key for FIPS AES-128 key FIPS approved HW memory only. Zeroized on compliant ANSI X9.31, algorithm) RNG (/dev/urandom) reboot. Appendix A2.4 using AES-128 key algorithm ArubaOS cryptographic Seed (64 bytes) Derived using NON- Stored in plaintext in volatile Seed 186-2 General Module RNG seed for FIPS approved HW memory. Zeroized on reboot. purpose (x-change FIPS compliant 186-2 RNG (/dev/urandom) Notice); SHA-1 RNG General purpose (x- change Notice); SHA-1 RNG ArubaOS cryptographic Seed key (64 bytes) Derived using NON- Stored in plaintext in volatile Seed 186-2 General Module RNG seed key FIPS approved HW memory. Zeroized on reboot. purpose (x-change for FIPS compliant 186- RNG (/dev/urandom) Notice); SHA-1 RNG 2 General purpose (x- change Notice); SHA-1 RNG Self-Tests The Aruba Mobility Controller performs both power-up and conditional self-tests. In the event any self-test fails, the switch will enter an error state, log the error, and reboot automatically. The following self-tests are performed: Aruba Hardware Known Answer Tests: AES KAT  AES-CCM KAT  AES-GCM KAT  Triple DES KAT  HMAC (HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512) KAT  ArubaOS OpenSSL Module: AES KAT  Triple-DES KAT  RNG KAT  RSA KAT  ECDSA (sign/verify)  SHA (SHA1, SHA256 and SHA384) KAT  HMAC (HMAC-SHA1, HMAC-SHA256 and HMAC-SHA384) KAT  ArubaOS Cryptographic Module AES KAT  Triple-DES KAT  SHA (SHA1, SHA256, SHA384 and SHA512) KAT  HMAC (HMAC-SHA1, HMAC-SHA256, HMAC-SHA384 and HMAC-SHA512) KAT  RSA (sign/verify)  Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement FIPS 140-2 Level 2 Features | 27 ECDSA (sign/verify)  FIPS 186-2 RNG KAT  ArubaOS Uboot BootLoader Module Firmware Integrity Test: RSA PKCS#1 v1.5 (2048 bits) signature verification with SHA-1  Following Conditional Self-tests are performed in the switch: ArubaOS OpenSSL Module Bypass Test  CRNG Test on Approved RNG  ECDSA Pairwise Consistency Test  RSA Pairwise Consistency Test  Firmware Load Test - RSA PKCS#1 v1.5 (2048 bits) signature verification  Aruba OS Crypto Module CRNG Test on Approved RNG  ECDSA Pairwise Consistency Test  RSA Pairwise Consistency Test  Conditional Tests on Hardware CRNG test on non-Approved RNGs  Self-test results are logged in a log file. Upon successful completion of the power-up self tests, the module logs a KATS: passed message into a log file. Confirm the file update by checking the associated time of the file. In the event of a hardware KATs failure, the log file records one of the following messages depending on the algorith being tested:  AES256 HMAC-SHA1 hash failed  AES256 Encrypt failed  AES256 Decrypt Failed  3DES HMAC-SHA1 hash failed  3DES Encrypt failed  3DES Decrypt Failed  DES HMAC-SHA1 hash failed  DES Encrypt failed  DES Decrypt Failed  HW KAT test failed for AESCCM CTR. Rebooting  AESCCM Encrypt Failed This text is followed by this message: The POST Test failed!!!! Rebooting… Alternating Bypass State The controller implements an alternating bypass state when: a port is configured in trusted mode to provide unauthenticated services  a configuration provides wireless access without encryption  28 | FIPS 140-2 Level 2 Features Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement The alternating bypass status can be identified by retrieving the port configuration or the wireless network configuration. Mitigation of Other Attacks ArubaOS includes two modules that provide protection from attacks. These are: XSec  Wireless Intrusion Protection  XSec xSec is a highly secure data link layer (Layer 2) protocol that provides a unified framework for securing all wired and wireless connections using strong encryption and authentication. xSec provides greater security than Layer 3 encryption technologies through the use of FIPS-validated encryption algorithms (AES-CBC- 256 with HMAC-SHA1) to secure Layer 2 traffic, as well as the encryption of Layer 2 header information including MAC addresses. xSec was jointly developed by Aruba Networks and Funk Software. Many government agencies and commercial entities that transmit highly sensitive information over wireless networks mandate that strong Layer 2 encryption technologies be deployed to ensure absolute data privacy. U.S. DoD Directive 8100.2 requires that all data transmitted using commercial wireless devices be encrypted at Layer 2 or Layer 3. The U.S. Navy and Army are requiring Layer 2 encryption, and cryptographic engines used for all sensitive government communications must be validated as meeting FIPS 140-2 requirements. xSec has been designed to address this requirement and to provide a number of additional benefits. Wireless Intrusion Detection Aruba’s Wireless Intrusion Protection (WIP) module eliminates the need for a separate system of RF sensors and security appliances. The WIP module provides extraordinary capabilities to Aruba’s enterprise mobility system, giving administrators visibility into the network, along with the power to thwart malicious wireless attacks, impersonations and unauthorized intrusions. Wireless intrusion detection is only the first step in securing the corporate environment from unwanted wireless access. Without adequate measures to quickly shut down intrusions, detection is almost worthless. Without accurate classification of APs and stations (e.g., valid, rogue, or neighbor), providing an automated response to possible intrusion is impossible. Aruba access points constantly scan all channels of the RF spectrum, capturing all 802.11 traffic and locally examining the captured data. Only policy violations are sent to the central mobility controller to ensure minimal impact on wired network performance. While scanning the environment, the Aruba system learns about all wireless APs and stations and classifies these devices based on traffic flows seen on the wire and in the air. This traffic is collected and correlated on the mobility controller. Aruba’s WIP module provides both detection and prevention capabilities. Users and devices are detected and classified so administrators can react to both unintentional and malicious WLAN access. No other system on the market provides such capabilities. Unique Station and User Classification Aruba’s patent-pending classification system automatically identifies and classifies all APs and stations connected to the network. The system works by comparing traffic seen in the air with traffic seen on the wire. When a match is found, it is known with certainty that the device belongs to the local network rather than a neighboring network. This avoids false alarms for the administrator, because only true rogue devices are classified as such. Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement FIPS 140-2 Level 2 Features | 29 Detecting and Disabling Rogue APs Aruba’s classification algorithms allow the system to accurately determine who is a threat and who is not. Once classified as rogue, these APs can be automatically disabled. Administrators are also notified of the presence of rogue devices, along with their precise physical location on a floorplan, so that they may be removed from the network. Denial of Service and Impersonation Protection Wireless networks, by their nature, make an attractive target for denial of service attacks. Such attacks include software that floods the network with association requests, attacks that make a laptop look like thousands of APs, and deauthentication floods. Aruba mobility controllers equipped with the Aruba WIP module maintain signatures of many different wireless attacks and are able to block them so service is not disrupted. Advanced Denial of Service (DoS) protection keeps enterprises safe against a variety of wireless attacks, including association and de-authentication floods, honeypots and AP and station impersonations. Based on location signatures and client classification, Aruba access points will drop illegal requests and generate alerts to notify administrators of the attack. Man-in-the-Middle Protection One of the common attacks possible in wireless networks is the “man-in-the-middle” attack. During a man- in-the-middle attack, a hacker masquerades as a legitimate AP. Then, acting as a relay point, this man-in-the- middle fools users and other APs into sending data through the unauthorized device. An attacker can then modify or corrupt data or conduct password-cracking routines. Aruba access points monitor the air to detect other wireless stations masquerading as valid APs. When such masquerading is detected, appropriate defense mechanisms are put into place. Aruba mobility controllers also track unique “signatures” for each wireless client in the network. If a new station is introduced claiming to be a particular client, but without the proper signature, a station impersonation attack is detected. Policy Definition and Enforcement Aruba WIP provides a number of policies that can be configured to take automatic action when a policy is violated. Examples of wireless policies include weak WEP implementation detection, AP misconfiguration protection, ad-hoc network detection and protection, unauthorized NIC type detection, wireless bridge detection and more. Using Wireless to Protect your Wired Network Even if wireless LANs are not sanctioned at this time, no security conscious company can afford to do nothing. Aruba’s WIP will keep wireless traffic from working its way into the wired network through rogue APs unknowingly attached to a network port. With Aruba’s mobility system equipped with WIP, the enterprise network is protected against wireless security holes. And when the enterprise is ready to deploy wireless LANs, the Aruba system can be easily reconfigured to provide a scalable and secure wireless LAN infrastructure. Using Wireless to Protect your Existing Wireless Network Aruba’s mobility system with WIP delivers the detection and protection necessary to keep your existing wireless network safe from undesirable wireless access. ArubaOS WIP complements and enhances any existing WLAN deployment, including Cisco deployments, by providing advanced RF security and control features not found in first-generation wireless products. 30 | FIPS 140-2 Level 2 Features Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Chapter 3 Installing the Controller This chapter covers the physical installation of the Aruba 620 and 650 Mobility Controllers with FIPS 140-2 Level 2 validation. The Crypto Officer is responsible for ensuring that the following procedures are used to place the switch in a FIPS-approved mode of operation. This chapter covers the following installation topics: Precautions to be observed during installation  Requirements for the switch components and rack mounting gear  Selecting a proper environment for the switch  Mounting the switch in a rack  Connecting power to the switch  Pre-Installation Checklist The following tools and equipment are required for installation of an Aruba 650 Series controller. Rack Mount Bracket (x2, not used for tabletop installation)  6-32 x 1/4” Phillips Flat Head Screws (4x, included with rack mount brackets)  12-24 x 5/8” Phillips Flat Head Screws (4x, 19-inch (48.26 cm) rack system mount screws).  Suitable Screwdrivers for both screw types.  AC Power Cord (country-specific)  Left and right side bezels (not used for rack mounting)  To deploy an Aruba 650 Series controller on a flat surface, such as a tabletop, insert the four rubber mounting feet to the bottom of the unit, attach side bezels by snapping them into place and then place the unit on a hard flat surface. The following tools and equipment are required for installation of an Aruba 620 controller. Rack Mount Bracket (x2, not used for tabletop installation)  Screws (4x, included with rack mount brackets)  Suitable Screwdriver.  AC Power Cord (country-specific)  Left and right side bezels (not used for rack mounting)  To deploy an Aruba 620 controller on a flat surface, such as a tabletop, insert the four rubber mounting feet to the bottom of the unit, attach side bezels by snapping them into place and then place the unit on a hard flat surface. Precautions Installation should be performed only by a trained technician.  Dangerous voltage in excess of 240 VAC is always present while the Aruba Power Supply is plugged into  an electrical outlet. Remove all rings, jewelry, and other potentially conductive material before working with this product. Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Installing the Controller | 31 Never insert foreign objects into the chassis, the power supply, or any other component, even when the  power supplies have been turned off, unplugged, or removed. Main power is fully disconnected from the switch only by unplugging all power cords from their power  outlets. For safety reasons, make sure the power outlets and plugs are within easy reach of the operator. Do not handle electrical cables that are not insulated. This includes any network cables.  Keep water and other fluids away from the product.  Comply with electrical grounding standards during all phases of installation and operation of the  product. Do not allow the switch chassis, network ports, power supplies, or mounting brackets to contact any device, cable, object, or person attached to a different electrical ground. Also, never connect the device to external storm grounding sources. Installation or removal of the chassis or any module must be performed in a static-free environment. The  proper use of anti-static body straps and mats is strongly recommended. Keep modules in anti-static packaging when not installed in the chassis.  Do not ship or store this product near strong electromagnetic, electrostatic, magnetic or radioactive  fields. Do not disassemble chassis or modules. They have no internal user-serviceable parts. When service or  repair is needed, contact Aruba Networks. The Security Kit The Aruba Mobility Controller FIPS 140-2 Level 2 Security Kit modifies the standard Aruba Mobility Controller hardware, firmware, and documentation to assure FIPS 140-2 Level 2 validation. Product Examination The units are shipped to the Crypto Officer in factory-sealed boxes using trusted commercial carrier shipping companies. The Crypto Officer should examine the carton for evidence of tampering. Tamper- evidence includes tears, scratches, and other irregularities in the packaging. Package Contents The product carton should include the following: Aruba 620 or 650 Mobility Controller  Rack/tabletop mounting kit  Aruba User Documentation CD  Tamper-Evident Labels  Tamper-Evident Labels After testing, the Crypto Officer must apply Tamper-Evident Labels (TELs) to the switch. When applied properly, the TELs allow the Crypto Officer to detect the opening of the chassis cover, the removal or replacement of modules or cover plates, or physical access to restricted ports. Vendor provides FIPS 140 designated TELs which have met the physical security testing requirements for tamper evident labels under the FIPS 140-2 Standard. TELs are not endorsed by the Cryptographic Module Validation Program (CMVP). The tamper-evident labels shall be installed for the module to operate in a FIPS Approved mode of operation. 32 | Installing the Controller Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Aruba Provides double the required amount of TELs. If a customer requires replacement TELs, please call customer support and Aruba will provide the TELs (Part # 4010061-01). The Crypto officer shall be responsible for keeping the extra TELs at a safe location and managing the use of the TELs. Reading TELs Once applied, the TELs included with the switch cannot be surreptitiously broken, removed, or reapplied without an obvious change in appearance: Figure 1 Tamper-Evident Labels Each TELs also has a unique serial number to prevent replacement with similar labels. Required TEL Locations Aruba 620 This section displays all the TEL locations on the Aruba 620. The Aruba 620 requires a minimum of 8 TELs to be applied as follows: To detect opening of the chassis cover: 1. Spanning the front face plate and left and bottom chassis cover 2. Spanning the front face plate and top chassis cover 3. Spanning the front face plate and bottom chassis cover 4. Spanning the front face plate and right and bottom chassis cover 5. Spanning the front face plate and right and bottom chassis cover 6. Spanning the front face plate and top chassis cover 7. Spanning the front face plate and bottom chassis cover 8. Spanning the front face plate and left and bottom chassis cover To detect access to restricted ports: 3. Spanning the Express Card slot 7. Spanning the seriel port Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Installing the Controller | 33 Figure 2 Aruba 620 — Front view Figure 3 Aruba 620 — Back view Figure 4 Aruba 620 — Left-side view 34 | Installing the Controller Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Figure 5 Aruba 620 — Right-side view Figure 6 Aruba 620 — Top view Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Installing the Controller | 35 Figure 7 Aruba 620 — Bottom view Aruba 650 This section displays all the TEL locations on the Aruba 650. The Aruba 650 requires a minimum of 8 TELs to be applied as follows: To detect opening of the chassis cover: 1. Spanning the front face plate and left chassis cover 2. Spanning the front face plate and bottom chassis cover 3. Spanning the front face plate and right chassis cover 4. Spanning the right chassis cover and top chassis cover 6. Spanning the left chassis cover and top chassis cover 7. Spanning the front face plate and bottom chassis cover 8. Spanning the rear face plate and bottom chassis cover To detect access to restricted ports: 2. Spanning the seriel port 5. Spanning the Express Card slot Figure 8 Aruba 650 — Front view 36 | Installing the Controller Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Figure 9 Aruba 650 — Back view Figure 10 Aruba 650 — Left-side view Figure 11 Aruba 650 — Right-side view Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Installing the Controller | 37 Figure 12 Aruba 650 — Top view Figure 13 Aruba 650 — Bottom view Applying TELs The Crypto Officer is responsible for securing and having control at all times of any unused tamper evident labels. The Crypto Officer should employ TELs as follows: Before applying a TEL, make sure the target surfaces are clean and dry.  Do not cut, trim, punch, or otherwise alter the TEL.  Apply the wholly intact TEL firmly and completely to the target surfaces.  Ensure that TEL placement is not defeated by simultaneous removal of multiple modules.  Allow 24 hours for the TEL adhesive seal to completely cure.  Record the position and serial number of each applied TEL in a security log.  Once the TELs are applied, the Crypto Officer (CO) should perform initial setup and configuration as described in the next chapter. 38 | Installing the Controller Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Chapter 4 Ongoing Management The Aruba 620 and 650 Mobility Controllers meet FIPS 140-2 Level 2 requirements. The information below describe how to keep the switch in FIPS-approved mode of operation. The Crypto Officer must ensure that the switch is kept in a FIPS-approved mode of operation. Crypto Officer Management The Crypto Officer must ensure that the switch is always operating in a FIPS-approved mode of operation. This can be achieved by ensuring the following: FIPS mode must be enabled on the switch before Users are permitted to use the switch (see “Enabling  FIPS Mode” on page 41) CO can check if the switch is in FIPS mode using the WebUI Configuration > Network > Controller  > Systems Settings or 'FIPS enable' is shown on the SSH Command Line Interface (CLI) after issuing the command show fips The admin role must be root.  Passwords must be at least six characters long.  VPN services can only be provided by IPsec or L2TP over IPsec.  Access to the switch Web Interface is permitted only using HTTPS over a TLS tunnel. Basic HTTP and  HTTPS over SSL are not permitted. Only SNMP read-only may be enabled.  Only FIPS-approved algorithms can be used for cryptographic services (such as HTTPS, L2, AES-CBC,  SSH, and IKEv1/IKEv2-IPSec), which include AES, Triple-DES, SHA-1, HMAC SHA-1, and RSA signature and verification. TFTP can only be used to load backup and restore files. These files are: Configuration files (system  setup configuration), the WMS database (radio network configuration), and log files. (FTP and TFTP over IPsec can be used to transfer configuration files.) The switch logs must be monitored. If a strange activity is found, the Crypto Officer should take the  switch off line and investigate. The Tamper-Evident Labels (TELs) must be regularly examined for signs of tampering.  The Crypto Officer shall not configure the Diffie-Hellman algorithm with 768-bits (Group 1) in FIPS  mode for IKEv1/IKEv2-IPSec and SSH. User Guidance The User accesses the switch VPN functionality as an IPsec client. The user can also access the switch 802.11i functionality as an 802.11 client. Although outside the boundary of the switch, the User should be directed to be careful not to provide authentication information and session keys to others parties. Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Ongoing Management | 39 40 | Ongoing Management Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Chapter 5 Setup and Configuration The Aruba 620 and 650 Mobility Controllers meet FIPS 140-2 Level 2 requirements. The sections below describe how to place and keep the switch in FIPS-approved mode of operation. The Crypto Officer (CO) must ensure that the switch is kept in a FIPS-approved mode of operation. The switch can operate in two modes: the FIPS-approved mode, and the standard non-FIPS mode. By default, the switch operates in non-FIPS mode. Setting Up Your Controller To set up your controller: 1. Make sure that the controller is not connected to any device on your network. 2. Boot up the controller. 3. Connect your PC or workstation to a line port on the controller. For further details, see the ArubaOS 6.1 Quick Start Guide. Enabling FIPS Mode For FIPS compliance, users cannot be allowed to access the switch until the CO changes the mode of operation to FIPS mode. There are two ways to enable FIPS mode: Use the WebUI  Use the Setup Wizard  Enabling FIPS with the Setup Wizard The Setup Wizard allows you to configure access to the controller, install software licenses, and configure wireless local area networks (WLANs) for internal or guest users. The Setup Wizard is available the first time you connect to and log into the controller or whenever the controller is reset to its factory default configuration. After you complete the Setup Wizard, the controller reboots using the new configuration information you entered. For details on running the Setup Wizard, see the ArubaOS 6.1 Quick Start Guide. Enabling FIPS with the WebUI The default IP address of the controller is 172.16.0.254. When you connect a PC or workstation to a line port on the controller, you can connect to this IP address through a Web browser. The system must be configured to either obtain its IP address via DHCP or have a static IP address on the 172.16.0.0/24 subnetwork. To log in with the WebUI: 1. Open a Web browser and connect to http://172.16.0.254. 2. Log in. 3. Go to the Configuration > Network > Controller > System Settings page (the default page when you click the Configuration tab). Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Setup and Configuration | 41 4. Click the FIPS Mode for Mobility Controller Enable checkbox. If you need to enable FIPS mode on a controller that is no longer in the factory default configuration, you can either: Log in through the WebUI as described previously  Enable FIPS on the Configuration > Wizards > Controller Wizard page  5. 'FIPS Enable' is shown on SSH command Line Interface (CLI) after issuing the command show fips. Disallowed FIPS Mode Configurations When you enable FIPS mode, the following configuration options are disallowed: All WEP features  WPA  TKIP mixed mode  Any combination of DES, MD5, and PPTP  42 | Setup and Configuration Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement