Dell W-7200 Series Controllers with Dell AOS FIPS Firmware
Non-Proprietary Security Policy
FIPS 140-2 Level 2
January 12, 2015
This is to advise that the document entitled “Aruba 7200 Series Controllers with ArubaOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-2 Level 2” Version 1.4, dated May 2014, applies to Dell W-Series 7200 Series Controllers with Dell AOS FIPS Firmware. Aruba Networks is the Original Equipment Manufacturer (OEM) for the Dell Networking W-Series of products.
Dell Networking W-7240 Controller Product Image:
Aruba 7200 Series Controller Product Images:
If you have questions or concerns, please contact Dell Technical Support at www.dell.com/support. Additional product documentation is also available by device under user manuals.
Aruba 7200 Series Controllers with ArubaOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-2 Level 2 Version 1.
Copyright © 2014 Aruba Networks, Inc. Aruba Networks trademarks include Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved. All other trademarks are the property of their respective owners.
Contents
Preface
Purpose of this Document
Applying TELs
Ongoing Management
Crypto Officer Management
Preface
This security policy document can be copied and distributed freely.
Purpose of this Document
This release supplement provides information regarding the Aruba 7200 Controllers with FIPS 140-2 Level 2 validation from Aruba Networks. The material in this supplement modifies the general Aruba hardware and firmware documentation included with this product and should be kept with your Aruba product documentation.
Overview
Aruba 7200 series Mobility Controllers are optimized for 802.11ac and mobile app delivery. Fully application-aware, the 7200 series prioritizes mobile apps based on user identity and offers exceptional scale for BYOD transactions and device densities. With a new central processor employing eight CPU cores and four virtual cores, the 7200 series supports over 32,000 wireless devices and performs stateful firewall policy enforcement at speeds up to 40 Gbps – plenty of capacity for BYOD and 802.
Physical Description
Cryptographic Module Boundaries
For FIPS 140-2 Level 2 validation, the Controller has been validated as a multi-chip standalone cryptographic module. The steel chassis physically encloses the complete set of hardware and firmware components and represents the cryptographic boundary of the controller. The cryptographic boundary is defined as encompassing the top, front, left, right, rear, and bottom surfaces of the chassis.
Intended Level of Security
The 7200 Controller and associated modules are intended to meet overall FIPS 140-2 Level 2 requirements as shown in Table 1.
Physical Security
The Aruba Controller is a scalable, multi-processor standalone network device and is enclosed in a robust steel housing. The controller enclosure is resistant to probing and is opaque within the visible spectrum. The enclosure of the module has been designed to satisfy FIPS 140-2 Level 2 physical security requirements. The Aruba 7200 Controller requires Tamper-Evident Labels (TELs) to allow the detection of the opening of the chassis cover and to block the Serial console port.
Table 2 FIPS 140-2 Logical Interfaces
Power Interface | Power Supply

Data input and output, control input, status output, and power interfaces are defined as follows:
- Data input and output are the packets that use the firewall, VPN, and routing functionality of the modules.
- Control input consists of manual control inputs for power and reset through the power and reset switch. It also consists of all of the data that is entered into the controller while using the management interfaces.
See the table below for descriptions of the services available to the Crypto Officer role.
Table 3 Crypto-Officer Services
Service | Description | Input | Output | CSP Access
SSH v2.
Table 3 Crypto-Officer Services
Service | Description | Input | Output | CSP Access
Configuring Internet Protocol | Set IP functionality | Commands and configuration data | Status of commands and configuration data | None
Configuring Quality of Service (QoS) | Configure QOS values for module | Commands and configuration data | Status of commands and configuration data | None
Configuring VPN | Configure Public Key Infrastructure (PKI); configure the Internet Key Exchange (IKEv1/IKEv2) Security Protocol; configure the IPSec protocol | Commands and configuration data | S
Table 3 Crypto-Officer Services
Service | Description | Input | Output | CSP Access
IPSec tunnel establishment for RADIUS protection | Provided authenticated/encrypted channel to RADIUS server | IKEv1/IKEv2 inputs and data; IPSec inputs, commands, and data | IKEv1/IKEv2 outputs, status, and data; IPSec outputs, status, and data |
Self-Test | Perform FIPS start-up tests on demand | None | Error messages logged if a failure occurs | None
Configuring Bypass Operation | Configure bypass operation on the module | Commands and configuration data | Status of commands and conf
User Role
The User role can access the controller’s IPSec and IKEv1/IKEv2 services.
Authentication Mechanisms
The Aruba Controller supports role-based authentication. Role-based authentication is performed before the Crypto Officer enters privileged mode, either by using the admin password via the Web Interface or SSHv2, or by entering the enable command and password at the console. Role-based authentication is also performed for User authentication. This includes password and RSA/ECDSA-based authentication mechanisms. The strength of each authentication mechanism is described below.
EAP-TLS authentication | User | If RSA is used, 2048-bit RSA keys correspond to an effective strength of 2^112; if ECDSA (P-256 and P-384) is used, curve P-256 provides 128 bits of equivalent security, and P-384 provides 192 bits of equivalent security.

Unauthenticated Services
The Aruba Controller can perform VLAN, bridging, firewall, routing, and forwarding functionality without authentication. These services do not involve any cryptographic processing.
The firmware supports the following cryptographic implementations.
ArubaOS OpenSSL Module implements the following FIPS-approved algorithms:
- AES (Cert. #2680)
- CVL (Cert. #152)
- DRBG (Cert. #433)
- ECDSA (Cert. #469)
- HMAC (Cert. #1666)
- KBKDF (Cert. #16)
- RSA (Cert. #1379)
- SHS (Cert. #2249)
- Triple-DES (Cert. #1607)
Note:
- RSA (Cert. #1379; non-compliant with the functions from the CAVP Historical RSA List) FIPS186-2: ALG[ANSIX9.
o SHS (Cert.
Critical Security Parameters
The following are the Critical Security Parameters (CSPs) used in the controller.
Table 6 CSPs/Keys Used in Aruba Controllers
# | Name | CSPs type | Generation | Storage and Zeroization | Use
1 | Key Encryption Key (KEK) | Triple-DES 168-bit key | Hardcoded during manufacturing | Stored in Flash. Zeroized by using command ‘wipe out flash’ | Encrypts IKEv1/IKEv2 Pre-shared key, RADIUS server shared secret, RSA private key, ECDSA private key, 802.11i pre-shared key and Passwords.
Table 6 CSPs/Keys Used in Aruba Controllers
# | Name | CSPs type | Generation | Storage and Zeroization | Use
7 | RNG seed key | FIPS 186-2 RNG Seed key (512 bits) | Derived using NON-FIPS approved HW RNG | Stored in plaintext in volatile memory. Zeroized on reboot. | Seed 186-2 General purpose (x-change Notice); SHA-1 RNG
8 | Diffie-Hellman private key | Diffie-Hellman private key (224 bits) | Generated internally during Diffie-Hellman Exchange | Stored in the volatile memory. Zeroized after the session is closed.
Table 6 CSPs/Keys Used in Aruba Controllers
# | Name | CSPs type | Generation | Storage and Zeroization | Use
14 | RADIUS server shared secret | 8-128 character shared secret | CO configured | Stored encrypted in Flash with the KEK. Zeroized by changing (updating) the preshared key through the User interface. | Module and RADIUS server authentication
15 | Enable secret | 8-64 character password | CO configured | Stored in ciphertext in flash. Zeroized by changing (updating) through the user interface.
Table 6 CSPs/Keys Used in Aruba Controllers
# | Name | CSPs type | Generation | Storage and Zeroization | Use
21 | IKEv1/IKEv2 session encryption key | Triple-DES (168 bits) / AES (128/196/256 bits) | Established as a result of IKEv1/IKEv2 service implementation. | Stored in plaintext in volatile memory. Zeroized when session is closed. | IKEv1/IKEv2 payload encryption
22 | IPSec session encryption keys | Triple-DES (168 bits) / AES (128/196/256 bits) | Established during the IPSec service implementation | Stored in plaintext in volatile memory. Zeroized when the session is closed.
Table 6 CSPs/Keys Used in Aruba Controllers
# | Name | CSPs type | Generation | Storage and Zeroization | Use
29 | RSA Private Key | RSA 2048 bit private key | Generated in the module | Stored in flash memory encrypted with KEK. Zeroized by the CO command write erase all. | Used by TLS and EAP-TLS/PEAP protocols during the handshake, used for signing OCSP responses, and used by IKEv1/IKEv2 for device authentication and for signing certificates
30 | RSA public key | RSA 2048 bit public key | Generated in the module | Stored in flash memory encrypted with KEK.
Table 6 CSPs/Keys Used in Aruba Controllers
by the CO command write erase all. password
# | Name | CSPs type | Generation | Storage and Zeroization | Use
37 | SNMPv3 privacy password | 8-64 character password | CO configured | Stored in flash memory encrypted with KEK. Zeroized by the CO command write erase all. | Used to derive SNMPv3 session key
38 | SNMPv3 session key | AES-CFB key (128 bits) | Derived from SNMPv3 privacy password using an approved KDF | Stored in volatile memory. Zeroized on reboot.
Aruba Hardware Known Answer Tests:
- AES (encrypt/decrypt) KATs
- AES-CCM KAT
- AES-GCM KAT
- Triple-DES (encrypt/decrypt) KATs
- HMAC (HMAC-SHA1) KAT

The following Conditional Self-tests are performed in the controller:
ArubaOS OpenSSL Module
- Bypass Tests (Wired Bypass Test and Wireless Bypass Test)
- CRNG Test on Approved RNG (DRBG)
- ECDSA Pairwise Consistency Test
- RSA Pairwise Consistency Test
ArubaOS Crypto Module
- CRNG Test on Approved RNG (FIPS 186-2 RNG)
- ECDSA Pairwise Consistency Test
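To make two of the listed self-tests concrete, the following added example (an illustration written for this page, not ArubaOS code) implements an HMAC-SHA1 known-answer test and a continuous RNG test using only Python's standard library. The names SelfTestError, hmac_sha1_kat and ContinuousRng are hypothetical, and the KAT vector is test case 1 from RFC 2202.

```python
import hashlib
import hmac
import os


class SelfTestError(Exception):
    """A failed self-test; a FIPS 140-2 module must then enter an error state."""


# Published KAT data: HMAC-SHA1 test case 1 from RFC 2202.
KAT_KEY = bytes([0x0B]) * 20
KAT_MSG = b"Hi There"
KAT_MAC = bytes.fromhex("b617318655057264e28bc0b6fb378c8ef146be00")


def hmac_sha1(key, msg):
    return hmac.new(key, msg, hashlib.sha1).digest()


def hmac_sha1_kat(mac_fn=hmac_sha1):
    """Known-answer test: fixed key and message must give the stored MAC."""
    if not hmac.compare_digest(mac_fn(KAT_KEY, KAT_MSG), KAT_MAC):
        raise SelfTestError("HMAC-SHA1 KAT failed")
    return True


class ContinuousRng:
    """Continuous RNG test as in FIPS 140-2 section 4.9.2.

    The first block after initialization is never output; it is kept only
    for comparison. Every later block is compared with the one before it,
    and two equal consecutive blocks are a failure.
    """

    def __init__(self, source=os.urandom, block_len=16):
        self._source = source          # hypothetical RNG hook: f(n) -> n bytes
        self._block_len = block_len
        self._previous = source(block_len)

    def next_block(self):
        block = self._source(self._block_len)
        if block == self._previous:
            raise SelfTestError("CRNG test failed: repeated block")
        self._previous = block
        return block


if __name__ == "__main__":
    print("HMAC-SHA1 KAT passed:", hmac_sha1_kat())
    print("RNG block:", ContinuousRng().next_block().hex())
```

Passing a faulty MAC function or a stuck RNG source into these helpers shows the failure path that the policy's error-state handling relies on.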
Alternating Bypass State
The controller implements an alternating bypass state when:
- a port is configured in trusted mode to provide unauthenticated services
- a configuration provides wireless access without encryption
The alternating bypass status can be identified by retrieving the port configuration or the wireless network configuration.
Installing the Controller
This chapter covers the physical installation of the 7200 Controllers with FIPS 140-2 Level 2 validation. The Crypto Officer is responsible for ensuring that the following procedures are used to place the controller in a FIPS-approved mode of operation.
Package Contents
The product carton should include the following:
- 7200 Controller
- Rack mounting kit
- Aruba User Documentation CD
- Tamper-Evident Labels
Tamper-Evident Labels
After testing, the Crypto Officer must apply Tamper-Evident Labels (TELs) to the controller. When applied properly, the TELs allow the Crypto Officer to detect the opening of the chassis cover, the removal or replacement of modules or cover plates, or physical access to restricted ports. The vendor provides FIPS 140 designated TELs that have met the physical security testing requirements for tamper-evident labels under the FIPS 140-2 Standard.
Required TEL Locations
The Aruba 7200 Mobility Controller requires a minimum of 15 TELs to be applied as follows:
To Detect Opening the Chassis Lid
- Spanning the left side and right side of the chassis lid where it meets the chassis bottom, as shown in Figures 6, 7, and 8.
- Spanning the front bezel and the chassis lid, as shown in Figures 3 and 4.
- Spanning the expansion slot cover plate and the top of the chassis, as shown in Figures 3 and 4.
Figure 3 Required TELs for the Aruba 7200 Mobility Controller – Top
Figure 4 Required TELs for the Aruba 7200 Mobility Controller – Front
Figure 5 Required TELs for the Aruba 7200 Mobility Controller – Rear
Figure 6 Required TELs for the Aruba 7200 Mobility Controller – Right Side
Figure 7 Required TELs for the Aruba 7200 Mobility Controller – Left Side
Figure 8 Required TELs for the Aruba 7200 Mobility Controller – Bottom

Applying TELs
The Crypto Officer should employ TELs as follows:
- Before applying a TEL, make sure the target surfaces are clean and dry.
- Do not cut, trim, punch, or otherwise alter the TEL.
- Apply the wholly intact TEL firmly and completely to the target surfaces.
Ongoing Management
The Aruba 7200 Controllers meet FIPS 140-2 Level 2 requirements. The information below describes how to keep the controller in a FIPS-approved mode of operation. The Crypto Officer must ensure that the controller is kept in a FIPS-approved mode of operation.
Crypto Officer Management
The Crypto Officer must ensure that the controller is always operating in a FIPS-approved mode of operation.
Setup and Configuration
The Aruba 7200 Controllers meet FIPS 140-2 Level 2 requirements. The sections below describe how to place and keep the controller in FIPS-approved mode of operation. The Crypto Officer (CO) must ensure that the controller is kept in a FIPS-approved mode of operation. The controller can operate in two modes: the FIPS-approved mode, and the standard non-FIPS mode. By default, the controller operates in non-FIPS mode.
Setting Up Your Controller
To set up your controller:
1.
To verify that FIPS mode has been enabled, issue the command “show fips”.
Disabling the LCD
Configuration through the front-panel LCD should be disabled.