Aruba 200, 800, and 6000
FIPS 140-2 Level 2 Release Supplement
FIPS 140-2 Level 2 Features
Directive 8100.2 requires that all data transmitted using commercial wireless
devices be encrypted at Layer 2 or Layer 3. The U.S. Navy and Army are requiring
Layer 2 encryption, and cryptographic engines used for all sensitive government
communications must be validated as meeting FIPS 140-2 requirements.
xSec has been designed to address this requirement and provide a number of
additional benefits.
A Unified Security Framework
xSec enables universal authentication and encryption regardless of access
method. Every client that connects to the network, wired or wireless, can
authenticate to an Aruba mobility controller using an xSec client. Authentication
inside the xSec protocol is accomplished using standard 802.1x EAP (Extensible
Authentication Protocol) and utilizes a standard RADIUS server to validate
credentials. xSec supports authentication using passwords, certificates, smart
cards, token cards, and other credentials supported by the chosen EAP type.
FIPS 140-2 Validation
Through the use of AES-CBC with a 256-bit key length for encryption, xSec
provides a COTS (Commercial Off-the-Shelf) Layer 2 protocol that is implemented
in a FIPS 140-2 validated module. As a result, xSec is an ideal solution for
security-sensitive applications in the government, finance, and healthcare
markets. FIPS 140-2 is a more stringent security standard than those required in
the commercial sector, assuring compliance with commercial regulations such as
HIPAA and GLBA.
NOTE: The xSec protocol provides 80 bits of security strength.
Legacy Investment Protection
Most legacy equipment cannot be upgraded to support the latest security
standards such as 802.11i and WPA2. xSec encryption, however, is performed in
hardware by the Aruba mobility controller, and in firmware at the client level. This
means that an existing network can be upgraded to support the latest security
technology without the need to replace older access points or wireless NICs
(network interface cards).
Designed for Compatibility
xSec is based on the IEEE security standard 802.1x. Secure EAP methods
supported include EAP-TLS, TTLS and PEAP, allowing compatibility with existing
security mechanisms such as RSA Tokens and PKI certificates. xSec is designed
to be transparent to the Layer 2 infrastructure and can operate through a
switched Ethernet network without the risk of EAP frames being intercepted by
802.1x-aware Ethernet switches. Funk Software's Odyssey Client with xSec
support is available for Windows 2000 and Windows XP.