Dell W-IAP3WN, W-IAP3WNP, W-IAP108, W-IAP109, W-AP114, and W-AP115 Wireless Access Points with Dell AOS FIPS Firmware Non-Proprietary Security Policy FIPS 140-2 January 26, 2015 This is to advise that the Aruba Networks document entitled “FIPS 140-2 Non-Proprietary Security Policy for Aruba RAP-3WN, RAP-3WNP, RAP-108, RAP-109, AP-114 and AP-115 Wireless Access Points” Version 1.
The Dell Networking W-Series products are rebranded for Dell customers, as shown in the product images below.
Dell Networking W-IAP108 and W-IAP109 Product Image: Aruba Networks RAP-109 and RAP-108 Product Image: Dell W-IAP3WN/P, W-IAP108/9, and W-AP114/5 Wireless Access Points with AOS FIPS 140-2 Security Policy 3
Dell Networking W-AP114 and W-AP115 Product Image: Aruba Networks AP-114 and AP-115 Product Image: If you have questions or concerns, please contact Dell Technical Support at www.dell.com/support, additional product documentation is also available by device under user manuals.
FIPS 140-2 Non-Proprietary Security Policy for Aruba RAP-3WN, RAP-3WNP, RAP-108, RAP-109, AP-114 and AP-115 Wireless Access Points Version 1.3 June 2014 Aruba Networks™ 1322 Crossman Ave.
Copyright © 2013 Aruba Networks, Inc. Aruba Networks trademarks include ,Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFProtect®, Green Island®. All rights reserved. All other trademarks are the property of their respective owners.
1 INTRODUCTION .................................................................................................................................5 1.1 2 ACRONYMS AND ABBREVIATIONS ................................................................................................... 5 PRODUCT OVERVIEW ......................................................................................................................6 2.1 RAP-3WN AND RAP-3WNP ................................................................
3.2.3.2 3.2.4 AP-114/115 TEL Placement ................................................................................................. 20 3.2.4.1 To detect opening of the chassis cover: ............................................................................ 20 3.2.4.2 To detect access to restricted ports ................................................................................... 20 3.2.5 4 To detect opening of the chassis cover and access to restricted ports...........................
1 Introduction This document constitutes the non-proprietary Cryptographic Module Security Policy for the Aruba RAP3WN, RAP-3WNP, RAP-108, RAP-109, AP-114, and AP-115 Wireless Access Points with FIPS 140-2 Level 2 validation from Aruba Networks. This security policy describes how the AP meets the security requirements of FIPS 140-2 Level 2, and how to place and maintain the AP in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2 validation of the product.
2 Product Overview This section introduces the various Aruba Wireless Access Points, providing a brief overview and summary of the physical features of each model covered by this FIPS 140-2 security policy. 2.1 RAP-3WN and RAP-3WNP This section introduces the Aruba RAP-3WN and RAP-3WNP Wireless Access Points (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces. The Aruba RAP-3WN/3WNP is a high-performance 802.11n MIMO, single-radio (802.
2.1.1.2 Interfaces The module provides the following network interfaces: 3 x 10/100 Base-T Ethernet (RJ45) ports 1 x console interface (proprietary connector - disabled in FIPS mode by TEL) 802.11a/b/g/n Antenna Interfaces (Internal) The module provides the following power interfaces: 12V DC using supplied AC adapter (RAP-3WN) 48V DC using supplied AC adapter (RAP-3WNP) 2.1.1.
2.2 RAP-108 This section introduces the Aruba RAP-108 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces. The Aruba AP-108 is a high-performance 802.11n 2x2 MIMO, dual-radio (concurrent 802.11a/n + b/g/n) indoor wireless access point capable of delivering combined wireless data rates of up to 600Mbps.
1 x USB 2.0 port The module provides the following power interfaces: 48V DC via Power-over-Ethernet (POE) 12V DC power supply 2.2.1.
2.3 RAP-109 This section introduces the Aruba RAP-109 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces. The Aruba AP-109 is a high-performance 802.11n 2x2 MIMO, dual-radio (concurrent 802.11a/n + b/g/n) indoor wireless access point capable of delivering combined wireless data rates of up to 600Mbps.
1 x USB 2.0 port The module provides the following power interfaces: 48V DC via Power-over-Ethernet (POE) 12V DC power supply 2.3.1.
2.4 AP-114 This section introduces the Aruba AP-114 Wireless Access Point (AP) with FIPS 140-2 Level 2 validation. It describes the purpose of the AP, its physical attributes, and its interfaces. The Aruba AP-114 is high-performance 802.11n (3x3:3) MIMO, dual-radio (concurrent 802.11a/n + b/g/n) indoor wireless access points capable of delivering combined wireless data rates of up to 900Mbps.
2.4.1.3 Indicator LEDs There are 4 bicolor (power, ENET and WLAN) LEDs which operate as follows: Table 4 - AP-114 Indicator LEDs Label Function Action Status PWR AP power / ready status Off No power to AP Red Initial power-up condition Flashing – Green Device booting, not ready On – Green Device ready Off Ethernet link unavailable On – Amber 10/100Mbps negotiated On – Green 1000Mbps negotiated Flashing Ethernet link activity Off 2.4GHz radio disabled On – Amber 2.
Aruba Mobility Controllers to deliver high-speed, secure user-centric network services in education, enterprise, finance, government, healthcare, and retail applications 2.5.1 Physical Description The Aruba AP-115 series Access Point is a multi-chip standalone cryptographic module consisting of hardware and software, all contained in a hard plastic case. The module contains 802.11 a/b/g/n transceivers and contains internal omni-directional antennas.
Table 5 - AP-115 Indicator LEDs Label Function Action Status PWR AP power / ready status Off No power to AP Red Initial power-up condition Flashing – Green Device booting, not ready On – Green Device ready Off Ethernet link unavailable On – Amber 10/100Mbps negotiated On – Green 1000Mbps negotiated Flashing Ethernet link activity Off 2.4GHz radio disabled On – Amber 2.4GHz radio enabled in non-HT WLAN mode On – Green 2.4GHz radio enabled in HT WLAN mode Flashing – Green 2.
3 Module Objectives This section describes the assurance levels for each of the areas described in the FIPS 140-2 Standard. . 3.
Ensure that TEL placement is not defeated by simultaneous removal of multiple modules. Allow 24 hours for the TEL adhesive seal to completely cure. Record the position and serial number of each applied TEL in a security log. Once applied, the TELs included with the AP cannot be surreptitiously broken, removed or reapplied without an obvious change in appearance: Each TEL has a unique serial number to prevent replacement with similar label.
Figure 1 - RAP-3WN/RAP-3WNP Top View Figure 2 - RAP-3WN/RAP-3WNP Bottom View 18
3.2.3 RAP-108/109 TEL Placement This section displays all the TEL locations of the Aruba RAP-108 and RAP-109. The RAP-108/109 requires a minimum of 3 TELs to be applied as follows: 3.2.3.1 To detect opening of the chassis cover: 1. Spanning the left and right chassis covers across the top of the chassis 2. Spanning the left and right chassis covers across the bottom of the chassis 3.2.3.2 3.
3.2.4 AP-114/115 TEL Placement This section displays all the TEL locations of the Aruba AP-114 and AP-115. The AP-114/115 requires a minimum of 3 TELs to be applied as follows: 3.2.4.1 To detect opening of the chassis cover: 1. Spanning the top and bottom chassis covers across the left side of the chassis 2. Spanning the top and bottom chassis covers across the right side of the chassis 3.2.4.2 3. To detect access to restricted ports Covering the RJ-45 console connector.
Figure 6 - AP-114/115 Bottom View 3.2.5 Inspection/Testing of Physical Security Mechanisms Table 7 - Inspection/Testing of Physical Security Mechanisms Physical Security Mechanism Recommended Test Frequency Guidance Tamper-evident labels (TELs) Once per month Examine for any sign of removal, replacement, tearing, etc. See images above for locations of TELs.
3.3 Operational Environment This section does not apply as the operational environment is non-modifiable. 3.4 Logical Interfaces The physical interfaces are divided into logical interfaces defined by FIPS 140-2 as described in the following table.
Data input and output, control input, status output, and power interfaces are defined as follows: Data input and output are the packets that use the networking functionality of the module. Control input consists of manual control inputs for power and reset through the power interfaces (DC power supply or POE). It also consists of all of the data that is entered into the access point while using the management interfaces.
4 Roles, Authentication and Services 4.1 Roles The module supports the roles of Crypto Officer, User, and Wireless Client; no additional roles (e.g., Maintenance) are supported. Administrative operations carried out by the Aruba Mobility Controller map to the Crypto Officer role. The Crypto Officer has the ability to configure, manage, and monitor the module, including the configuration, loading, and zeroization of CSPs.
o Wireless Client role: in Mesh Remote Mesh Point FIPS AP configuration, a wireless client can create a connection to the module using WPA2 and access wireless network access services. 4.1.1 Crypto Officer Authentication In each of FIPS approved modes, the Aruba Mobility Controller implements the Crypto Officer role. Connections between the module and the mobility controller are protected using IPSec.
Authentication Mechanism Mechanism Strength RSA Certificate based authentication (CO role) The module supports 2048-bit RSA keys. RSA 2048 bit keys correspond to 112 bits of security. Assuming the low end of that range, the associated probability of a successful random attempt is 1 in 2^112, which is less than 1 in 1,000,000 required by FIPS 140-2. ECDSA-based authentication (IKEv2) ECDSA signing and verification is used to authenticate to the module during IKEv2.
Service Description CSPs Accessed (see section 6 Creation/use of secure management session between module and CO The module supports use of IPSec for securing the management channel. 14, 21, 22, 23, 24 (read) Creation/use of secure mesh channel The module requires secure connections between mesh points using 802.11i 25 (read) System Status CO may view system status information through the secured management channel See creation/use of secure management session above.
Use of WPA pre-shared key for establishment of IEEE 802.11i keys When the module is in advanced Remote AP configuration, the links between the module and the wireless client are secured with 802.11i. This is authenticated with a shared secret only. Wireless bridging services The module bridges traffic between the wireless client and the wired network. 25 (read) None 4.2.4 Unauthenticated Services The module provides the following unauthenticated services, which are available regardless of role.
5 Cryptographic Algorithms FIPS-approved cryptographic algorithms have been implemented in hardware and firmware. The firmware supports the following cryptographic implementations in each FIPS approved mode. ArubaOS OpenSSL Module implements the following FIPS-approved algorithms: o AES (Cert. #2680) o CVL (Cert. #152) o DRBG (Cert. #433) o ECDSA (Cert. #469) o HMAC (Cert. #1666) o KBKDF (Cert. #16) o RSA (Cert. #1379) o SHS (Cert. #2249) o Triple-DES (Cert. #1607) o RSA (Cert.
FIPS186-2: ALG[ANSIX9.31]: Key(gen)(MOD: 1024 PubKey Values: 65537) ALG[RSASSA-PKCS1_V1_5]: SIG(gen): 1024, SHS: SHA-1/SHA-256/SHA384/SHA-512, 2048, SHS: SHA-1 o ArubaOS AP Kernel Crypto implements the following FIPS-approved algorithms in each FIPS approved mode: o ECDSA (Cert. #466; non-compliant with the functions from the CAVP Historical ECDSA List) FIPS186-2: SIG(gen): CURVES(P-256 P-384), SHS: SHA-1 AES (Cert.
6 Critical Security Parameters The following Critical Security Parameters (CSPs) are used by the module: Table 10 - Critical Security Parameters # Name CSPs type Generation Storage and Zeroization Use 1 Key Encryption Key (KEK) Triple-DES 168-bit key Hardcoded during manufacturing Stored in Flash. Zeroized by using command ‘ap wipe out flash’ Encrypts IKEv1/IKEv2 Preshared key, ECDSA private key and configuration parameters.
7 RNG seed key FIPS 186-2 RNG Seed key (512 bits) Derived using NONFIPS approved HW RNG Stored in plaintext in volatile memory. Zeroized on reboot. Seed 186-2 General purpose (x-change Notice); SHA-1 RNG 8 Diffie-Hellman private key Diffie-Hellman private key (224 bits) Generated internally during Diffie-Hellman Exchange Stored in the volatile memory. Zeroized after the session is closed.
14 IKEv1/IKEv2 Preshared key 8-64 character preshared key CO configured Stored encrypted in Flash with the KEK. Zeroized by changing (updating) the preshared key through the User interface. 15 skeyid HMAC-SHA1/256/384 (160/256/384 bits) Established during IKEv1 negotiation Stored in plaintext in Key agreement in volatile memory. IKEv1 Zeroized when session is closed.
21 RSA Private Key RSA 2048 bits private key Generated at time of manufacturing by the TPM. Stored in non-volatile memory (Trusted Platform Module). Zeroized by physical destruction of the module. 22 RSA public key RSA 2048 bits public key Generated at time of manufacturing by the TPM. Stored in non-volatile Used by memory. Zeroized by IKEv1/IKEv2 for physical destruction of device authentication the module.
29 802.11i Group Master Key (GMK) 256-bit secret used to derive GTK Generated from approved RNG Stored in plaintext in volatile memory; zeroized on reboot Used to derive Group Transient Key (GTK) 30 802.
7 Self-Tests The module performs the following Power-Up Self-Tests (regardless the mode of operation) and Conditional Tests (in each FIPS approved mode of operation). In the event of a test fails, the module enters an error state, logs the error, and reboots automatically.
o RSA Pairwise Consistency Test ArubaOS Crypto Module o o o CRNG Test to Approved RNG (FIPS 186-2 RNG) ECDSA Pairwise Consistency Test RSA Pairwise Consistency Test ArubaOS Uboot BootLoader Module o Firmware Load Test - RSA PKCS#1 v1.5 (2048 bits) signature verification CRNG tests to non-Approved RNGs These self-tests are run for the Atheros hardware cryptographic implementation as well as for the Aruba OpenSSL and ArubaOS cryptographic module implementations.
8 Secure Operation The module can be configured to be in the following FIPS approved modes of operations via corresponding Aruba Mobility Controllers that have been certificated to FIPS level 2: • Remote AP FIPS mode – When the module is configured as a Remote AP, it is intended to be deployed in a remote location (relative to the Mobility Controller). The module provides cryptographic processing in the form of IPSec for all traffic to and from the Mobility Controller.
6. Select Remote APs managed by a Mobility Controller from the drop down menu. 7. Enter the IP address of the mobility controller. 8. Click Convert Now to complete the conversion 9. The RAP will reboot and begin operating in unprovisioned RAP mode. Note: the pre-configuration steps convert each RAP into an unprovisioned RAP mode (nonapproved mode). After that, the CO shall follow the steps in the next section to enable FIPS mode. 8.2 Configuring Remote AP FIPS Mode 1.
8.3 Configuring CPSec protected AP FIPS mode 1. Apply TELs according to the directions in section 3.2 2. Log into the administrative console of the staging controller 3. Configure the staging controller with CPSec under Configuration > Controller > Control Plane Security tab. AP will authenticate to the controller using certificate based authentication (IKEv2) to establish IPSec. The AP is configured with an RSA key pair at manufacturing.
3. Deploying the AP in Remote Mesh Portal mode, create the corresponding Mesh Profiles on the controller as described in detail in Section “Mesh Profiles” of Chapter “Secure Enterprise Mesh” of the Aruba OS User Manual. a. For mesh configurations, configure a WPA2 PSK which is 16 ASCII characters or 64 hexadecimal digits in length; generation of such keys is outside the scope of this policy. 4. Enable FIPS mode on the controller.
3. Deploying the AP in Remote Mesh Point mode, create the corresponding Mesh Profiles on the controller as described in detail in Section “Mesh Points” of Chapter “Secure Enterprise Mesh” of the Aruba OS User Manual. a. For mesh configurations, configure a WPA2 PSK which is 16 ASCII characters or 64 hexadecimal digits in length; generation of such keys is outside the scope of this policy. 4. Enable FIPS mode on the controller.
2. Verify that the module is connected to the Mobility Controller 3. Verify that the module has FIPS mode enabled by issuing command “show ap ap-name config” 4.