Bridge GUI Guide: Security Configuration
118
all networked environments that are not required to comply
with FIPS.
NOTE:
Contact
your Fortress rep-
resentative for up-to-
date information on the
Bridge’s FIPS validation
status.
As of this writing, FIPS operating mode in the current version of
Bridge software is in the process of being validated as
compliant with FIPS 140-2 Security Level 2. These Federal
standards enforce security measures beyond those of
Normal
operating mode, the most significant of which include:
Only a designated
Crypto Officer
, as defined by FIPS, may
perform administrative functions on the Bridge and its
Secure Clients. (The preconfigured
admin
,
Administrator
-
level, account corresponds to the FIPS
Crypto Officer
role;
If the Bridge encounters a FIPS Error condition, it shuts
down and reboots, running FIPS self-tests as a normal part
of boot-up. If FIPS self-tests pass, the Bridge will return to
normal operation. If FIPS self-tests fail, before any
interfaces are accessible, the Bridge will again reboot. If the
Bridge is unable to pass power-on self-tests, it will cycle
perpetually through this reboot process. In this case, you
must return the Bridge to your vendor for service or
replacement.
DH-512 and DH-1024 key establishment (Section 4.1.3)
are no longer FIPS 140-2-compliant and are therefore not
compatible with FIPS operating mode.
NOTE:
Only devic-
es configured on
the Bridge to pass clear
text on encrypted inter-
faces are permitted to
do so, even when
Clear-
text Traffic
is enabled.
Regardless of the current operating mode, the Bridge can be
configured to allow unencrypted data on encrypted interfaces
by enabling
Cleartext Traffic
(refer to Section 4.1.10). In FIPS
terminology, this indicates that the Bridge is in
Bypass Mode
(BPM)
, as selectively permitted clear text can pass, along with
any encrypted traffic, on encrypted interfaces (Ethernet ports or
radio BSSs on which
Fortress Security
is
Enabled
).
The Bridge GUI displays the current operating
Mode
and
Cleartext
traffic setting in the status fields in the upper left,
above the main menu (refer to Section 5.1).
4.1.2
MSP Encryption Algorithm
The Bridge supports the strong, AES encryption standard at
these user-specified key lengths:
AES-256 (default)
AES-192
AES-128
All Secure Clients (and other Fortress controller devices)
connecting to the Bridge must be configured to use the same
encryption algorithm as the Bridge. For information on setting
encryption algorithms on Fortress Secure Clients, refer to that
product’s user guide.