Resumo do conteúdo contido na página número 1
FIPS 140-2 Non-Proprietary Security Policy
for Aruba AP-134, AP-135 and Dell W-AP134, W-AP135
Wireless Access Points
Version 1.2
February 2012
Aruba Networks™
1322 Crossman Ave.
Sunnyvale, CA 94089-1113
1
Resumo do conteúdo contido na página número 2
2
Resumo do conteúdo contido na página número 3
1 INTRODUCTION .................................................................................................................................. 5 1.1 ARUBA DELL RELATIONSHIP ............................................................................................................. 5 1.2 ACRONYMS AND ABBREVIATIONS ..................................................................................................... 5 2 PRODUCT OVERVIEW .......................................................
Resumo do conteúdo contido na página número 4
4.1.3 Wireless Client Authentication .................................................................................................23 4.1.4 Strength of Authentication Mechanisms ...................................................................................23 4.2 SERVICES ..........................................................................................................................................25 4.2.1 Crypto Officer Services ..............................................
Resumo do conteúdo contido na página número 5
1 Introduction This document constitutes the non-proprietary Cryptographic Module Security Policy for the AP-134, AP- 135 Wireless Access Points with FIPS 140-2 Level 2 validation from Aruba Networks. This security policy describes how the AP meets the security requirements of FIPS 140-2 Level 2, and how to place and maintain the AP in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2 validation of the product. FIPS 140-2 (Federal Information Processing St
Resumo do conteúdo contido na página número 6
SHA Secure Hash Algorithm SNMP Simple Network Management Protocol SPOE Serial & Power Over Ethernet TEL Tamper-Evident Label TFTP Trivial File Transfer Protocol WLAN Wireless Local Area Network 6
Resumo do conteúdo contido na página número 7
2 Product Overview This section introduces the various Aruba Wireless Access Points, providing a brief overview and summary of the physical features of each model covered by this FIPS 140-2 security policy. 2.1 AP-134 This section introduces the Aruba AP-134 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces. The Aruba AP-134 is high-performance 802.11n (3x3:3) MIMO, dual-radio (concurrent 802.1
Resumo do conteúdo contido na página número 8
The module provides the following power interfaces: 48V DC 802.3af or 802.3at or PoE + interoperable Power-over-Ethernet (PoE) with intelli-source PSE sourcing intelligence 12V DC for external AC supplied power (adapter sold separately) 2.1.1.3 Indicator LEDs There are 5 bicolor (power, ENET and WLAN) LEDs which operate as follows: Table 1- AP-134 Indicator LEDs Label Function Action Status PWR AP power / ready status Off No power to AP Red Initial power-up condition Fl
Resumo do conteúdo contido na página número 9
2.2 AP-135 This section introduces the Aruba AP-135 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces. The Aruba AP-135 is high-performance 802.11n (3x3:3) MIMO, dual-radio (concurrent 802.11a/n + b/g/n) indoor wireless access points capable of delivering combined wireless data rates of up to 900Mbps. These multi-function access points provide wireless LAN access, air monitoring, and wireless in
Resumo do conteúdo contido na página número 10
5V DC for external AC supplied power (adapter sold separately) 2.2.1.3 Indicator LEDs There are 5 bicolor (power, ENET and WLAN) LEDs which operate as follows: Table 2- AP-135 Indicator LEDs Label Function Action Status PWR AP power / ready status Off No power to AP Red Initial power-up condition Flashing – Green Device booting, not ready On – Green Device ready ENET0 Ethernet Network Link Off Ethernet link unavailable ENET1 Status / Activity On – Amber 10/100Mbs Ether
Resumo do conteúdo contido na página número 11
3 Module Objectives This section describes the assurance levels for each of the areas described in the FIPS 140-2 Standard. In addition, it provides information on placing the module in a FIPS 140-2 approved configuration. 3.1 Security Levels Section Section Title Level 1 Cryptographic Module Specification 2 2 Cryptographic Module Ports and Interfaces 2 3 Roles, Services, and Authentication 2 4 Finite State Model 2 5 Physical Security 2 6 Operational Environment N/A 7 Cryptographic
Resumo do conteúdo contido na página número 12
3.2.2 AP-134 TEL Placement This section displays all the TEL locations of the Aruba AP-134. The AP-134 requires a minimum of 5 TELs to be applied as follows: 3.2.2.1 To detect opening of the chassis cover: 1. Spanning the bottom and top chassis covers and placed in the front left corner 2. Spanning the bottom and top chassis covers and placed in the back left corner 3. Spanning the chassis screw on the bottom left corner 4. Spanning the chassis screw on the bottom right corner 3.2.2.2 T
Resumo do conteúdo contido na página número 13
Figure 4: AP-134 Top View Figure 5: AP-134 Right View Figure 6: AP-134 Bottom View 3.2.3 AP-135 TEL Placement This section displays all the TEL locations of the Aruba AP-135. The AP-134 requires a minimum of 5 TELs to be applied as follows: 3.2.3.1 To detect opening of the chassis cover: 1. Spanning the bottom and top chassis covers and placed in the front left corner 13
Resumo do conteúdo contido na página número 14
2. Spanning the bottom and top chassis covers and placed in the back left corner 3. Spanning the chassis screw on the bottom left corner 4. Spanning the chassis screw on the bottom right corner 3.2.3.2 To detect access to restricted ports 5. Spanning the serial port Following is the TEL placement for the AP-135: Figure 7: AP-135 Front view Figure 8: AP-135 Back view Figure 9: AP-135 Left view Figure 10: AP-135 Right view 14
Resumo do conteúdo contido na página número 15
Figure 11: AP-135 Top view Figure 12: AP-135 Bottom View 3.2.4 Inspection/Testing of Physical Security Mechanisms Physical Security Mechanism Recommended Test Frequency Guidance Tamper-evident labels (TELs) Once per month Examine for any sign of removal, replacement, tearing, etc. See images above for locations of TELs Opaque module enclosure Once per month Examine module enclosure for any evidence of new openings or other access to the module internals. 15
Resumo do conteúdo contido na página número 16
3.3 Modes of Operation The module has the following FIPS approved modes of operations: • Remote AP (RAP) FIPS mode – When the module is configured as a Remote AP, it is intended to be deployed in a remote location (relative to the Mobility Controller). The module provides cryptographic processing in the form of IPSec for all traffic to and from the Mobility Controller. • Control Plane Security (CPSec) protected AP FIPS mode – When the module is configured as a Control Plane Security prot
Resumo do conteúdo contido na página número 17
6. If the staging controller does not provide PoE, either ensure the presence of a PoE injector for the LAN connection between the module and the controller, or ensure the presence of a DC power supply appropriate to the particular model of the module. 7. Connect the module via an Ethernet cable to the staging controller; note that this should be a direct connection, with no intervening network or devices; if PoE is being supplied by an injector, this represents the only exception. That is,
Resumo do conteúdo contido na página número 18
7. Connect the module via an Ethernet cable to the staging controller; note that this should be a direct connection, with no intervening network or devices; if PoE is being supplied by an injector, this represents the only exception. That is, nothing other than a PoE injector should be present between the module and the staging controller. 8. Once the module is connected to the controller by the Ethernet cable, navigate to the Configuration > Wireless > AP Installation page, where you shoul
Resumo do conteúdo contido na página número 19
Section “Provisioning an Individual AP” of Chapter “The Basic User-Centric Networks” of the Aruba OS User Guide. Click “Apply and Reboot” to complete the provisioning process. a. During the provisioning process as Remote Mesh Portal, if Pre-shared key is selected to be the Remote IP Authentication Method, the IKE pre-shared key (which is at least 8 characters in length) is input to the module during provisioning. Generation of this key is outside the scope of this policy. In the initial p
Resumo do conteúdo contido na página número 20
represents the only exception. That is, nothing other than a PoE injector should be present between the module and the staging controller. 8. Once the module is connected to the controller by the Ethernet cable, navigate to the Configuration > Wireless > AP Installation page, where you should see an entry for the AP. Select that AP, click the “Provision” button, which will open the provisioning window. Now provision the AP as Remote Mesh Portal by filling in the form appropriately. Detailed