Hewlett Packard Enterprise Aruba 7 Series, Manual, Page: 42 / 44

Share

27 pages before
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

Page: 42 / 44

Hewlett Packard Enterprise Aruba 7 Series Manual Download Page 42

Applying TELs

The Crypto Officer should employ TELs as follows:

•

Before applying a TEL, make sure the target surfaces are clean and dry.

•

Do not cut, trim, punch, or otherwise alter the TEL.

•

Apply the wholly intact TEL firmly and completely to the target surfaces.

•

Press down firmly across the entire label surface, making several back-and-forth passes to ensure that the label

securely adheres to the chassis.

•

Ensure that TEL placement is not defeated by simultaneous removal of multiple modules.

•

Allow 24 hours for the TEL adhesive seal to completely cure.

•

Record the position and serial number of each applied TEL in a security log.

Once the TELs are applied, the Crypto Officer (CO) should perform initial setup and configuration as described in the next
chapter.

Ongoing Management

The Aruba 7XXX Controllers meet FIPS 140-2 Level 2 requirements. The information below describes how to keep the
controller in FIPS-approved mode of operation. The Crypto Officer must ensure that the controller is kept in a FIPS-
approved mode of operation.

Crypto Officer Management

The Crypto Officer must ensure that the controller is always operating in a FIPS-approved mode of operation. This can be
achieved by ensuring the following:

•

FIPS mode must be enabled on the controller before Users are permitted to use the controller (see

“Enabling FIPS

Mode” on page 37

)

•

The admin role must be root.

•

Passwords must be at least eight characters long.

•

VPN services can only be provided by IPsec or L2TP over IPsec.

•

Access to the controller Web Interface is permitted only using HTTPS over a TLS tunnel. Basic HTTP and HTTPS
over SSL are not permitted.

•

Only SNMP read-only may be enabled.

•

Only FIPS-approved algorithms can be used for cryptographic services (such as HTTPS, L2, AES-CBC, SSH, and
IKEv1/IKEv2-IPSec), which include AES, Triple-DES, SHA-1, HMAC SHA-1, and RSA signature and verification.

•

TFTP can only be used to load backup and restore files. These files are: Configuration files (system setup
configuration), the WMS database (radio network configuration), and log files. (FTP and TFTP over IPsec can be used
to transfer configuration files.)

•

The controller logs must be monitored. If a strange activity is found, the Crypto Officer should take the controller off
line and investigate.

•

The Tamper-Evident Labels (TELs) must be regularly examined for signs of tampering.

•

When installing expansion or replacement modules for the Aruba 7200, use only FIPS-approved modules, replace
TELs affected by the change, and record the reason for the change, along with the new TEL locations and serial
numbers, in the security log.

•

The Crypto Officer shall not configure the Diffie-Hellman algorithm with 768-bits (Group 1) in FIPS mode for
IKEv1/IKEv2-IPSec and SSHv2.

42

|

Aruba 7XXX Series Controllers FIPS 140-2 Level 2 Security Policy

«
...
40
41
42
43
44
»

Summary of Contents for Aruba 7 Series

Page 1: ...Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware Non Proprietary Security Policy FIPS 140 2 Level 2 Version 1 17 June 2016 Aruba 7200 Series Controllers FIPS 140 2 Level 2 Security Policy...

Page 2: ...forms and software by all individuals or corporations to terminate other vendors VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and i...

Page 3: ...ation Mechanisms 18 Unauthenticated Services 19 Non Approved Services 19 Cryptographic Key Management 19 Implemented Algorithms 19 Critical Security Parameters 22 Alternating Bypass State 30 Installin...

Page 4: ...ting Up Your Controller 43 Enabling FIPS Mode 43 Enabling FIPS Mode with the WebUI 43 Enabling FIPS Mode with the CLI 43 Disabling the LCD 44 Disallowed FIPS Mode Configurations 44 4 Aruba 7XXX Series...

Page 5: ...les details the U S Government requirements for cryptographic modules More information about the FIPS 140 2 standard and validation program is available on the National Institute of Standards and Tech...

Page 6: ...ctions IPv4 and IPv6 services the Aruba Policy Enforcement Firewall with AppRF Technology Aruba Adaptive Radio Management and Aruba RFprotect spectrum analysis and wireless intrusion protection The Ar...

Page 7: ...graphic boundary of the module The cryptographic boundary is defined as encompassing the top front left right rear and bottom surfaces of the chassis Figure 1 The Aruba 7005 controller Figure 1 shows...

Page 8: ...actor Pluggable SFP Uplink ports Two Type A USB ports LINK ACT and Status LEDs Management Status LED LCD Panel Navigation Buttons Functionally disabled in FIPS mode Console Connections RJ 45 and Mini...

Page 9: ...ns RJ 45 and Mini USB Disabled in FIPS mode by TELs Figure 4 The Aruba 7030 controller chassis Figure 4 shows the front of the Aruba 7030 Controller and illustrates the following Eight 10 100 1000 Eth...

Page 10: ...tatus LED LCD Panel Navigation Buttons Functionally disabled in FIPS mode Console Connections RJ 45 and Mini USB Disabled in FIPS mode by TELs Intended Level of Security The 7XXX Controller and associ...

Page 11: ...ident Labels TELs to allow the detection of the opening of the chassis cover and to block the Serial console port To protect the Aruba 7XXX Controller from any tampering with the product TELs should b...

Page 12: ...ing functionality of the modules Control input consists of manual control inputs for power and reset through the power and reset switch It also consists of all of the data that is entered into the con...

Page 13: ...PS mode the serial port is disabled Web Interface The Crypto Officer can use the Web Interface as an alternative to the CLI The Web Interface provides a highly intuitive graphical interface for a comp...

Page 14: ...guration data 32 33 read 34 delete Configuring Module Platform Define the platform subsystem firmware of the module by entering Bootrom Monitor Mode File System fault report message logging and other...

Page 15: ...atus of certificates commands and configuration 15 16 17 18 write delete HTTPS over TLS Secure browser connection over Transport Layer Security acting as a Crypto Officer service web management interf...

Page 16: ...ith APs using IPSec and issue self signed certificates to APs Commands and configuration data IKEv1 IKEv2 inputs and data IPSec inputs commands and data Status of commands IKEv1 IKEv2 outputs status a...

Page 17: ...ata 29 30 31 delete EAP TLS termination Provide EAP TLS termination EAP TLS inputs commands and data EAP TLS outputs status and data 29 30 31 read delete 802 11i Shared Key Mode Access the module s 80...

Page 18: ...32 x 52 251 595 800 Therefore the associated probability of a successful random attempt during a one minute period is approximate 1 in 251 596 800 which is less than 1 in 100 000 required by FIPS 140...

Page 19: ...024 bit moduli DES HMAC MD5 and MD5 SSHv1 using RC4 Please note that all CSPs will be zeroized automatically when switching from FIPS mode to non FIPS mode or from non FIPS mode to FIPS mode Cryptogra...

Page 20: ...g FIPS Approved Algorithms o AES Cert 2884 o SP800 135rev1 KDF CVL Cert 314 1 o ECDSA Cert 519 o HMAC Cert 1818 o RSA Cert 1518 o SHS Cert 2425 o Triple DES Cert 1720 ArubaOS UBOOT Bootloader library...

Page 21: ...ss than 112 bits of encryption strength HMAC MD5 MD5 RC4 NOTE IKEv1 IKEv2 TLS SSH and SNMP protocols have not been reviewed or tested by the CAVP and CMVP Aruba 7XXX Series Controllers FIPS 140 2 Leve...

Page 22: ...ed Stored in SDRAM memory plaintext Zeroized by rebooting the module 3 DRBG seed SP 800 90a CTR_DRBG 384 bits Input to the DRBG that determines the internal state of the DRBG Generated using DRBG deri...

Page 23: ...red in SDRAM memory plaintext Zeroized by rebooting the module 9 EC Diffie Hellman private key EC Diffie Hellman Curves P 256 or P 384 Generated internally by calling FIPS approved DRBG cert 528 durin...

Page 24: ...ate key This key is generated by calling FIPS approved DRBG cert 528 in the module Used for IKEv1 IKEv2 TLS OCSP signing OCSP messages and EAP TLS peers authentication Stored in Flash memory plaintext...

Page 25: ...to IKE peers It was established via key derivation function defined in SP800 135 KDF IKEv1 Used for deriving other keys in IKE protocol implementation Stored in SDRAM memory plaintext Zeroized by rebo...

Page 26: ...tion keys Triple DES 192 bits AES and AES GCM 128 192 256 bits The IPsec IKE phase II encryption key This key is derived via a key derivation function defined in SP800 135 KDF IKEv1 IKEv2 Used for IPS...

Page 27: ...aintext Zeroized by rebooting the module 31 TLS session authentication key HMAC SHA 1 256 384 160 256 384 bits This key is derived via a key derivation function defined in SP800 135 KDF TLS Used for T...

Page 28: ...s Stored in SDRAM plaintext Zeroized by rebooting the module 37 802 11i Pairwise Transient Key PTK Shared secret 512 bits This key is used to derive 802 11i session key by using the KDF defined in SP8...

Page 29: ...HMAC SHA512 KAT o RSA sign KAT o RSA verify KAT o ECDSA Pairwise Consistency Test ArubaOS Uboot BootLoader library Firmware o Firmware Integrity Test RSA PKCS 1 v1 5 2048 bits signature verification...

Page 30: ...dated AES256 HMAC SHA1 hash failed AES256 Encrypt failed AES256 Decrypt Failed 3DES HMAC SHA1 hash failed 3DES Encrypt failed 3DES Decrypt Failed DES HMAC SHA1 hash failed DES Encrypt failed DES Decry...

Page 31: ...onent even when the power supplies have been turned off unplugged or removed Main power is fully disconnected from the controller only by unplugging all power cords from their power outlets For safety...

Page 32: ...nts The product carton should include the following 7XXX Controller Rack mounting kit optional Aruba User Documentation CD Tamper Evident Labels 32 Aruba 7XXX Series Controllers FIPS 140 2 Level 2 Sec...

Page 33: ...he tamper evident labels shall be installed for the module to operate in a FIPS Approved mode of operation Aruba Provides double the required amount of TELs If a customer requires replacement TELs ple...

Page 34: ...o labels spanning the RJ 45 and mini USB serial ports as shown in figure 8 Press down on this label to ensure that it adheres to a sufficient area of the front bezel The RJ 45 port is raised relative...

Page 35: ...3 4 5 and 6 To Detect Access to Restricted Ports One label label 2 spanning the RJ 45 and mini USB serial ports as shown in Figure 10 Press down on this label to ensure that it adheres to a sufficien...

Page 36: ...ure 10 Required TELs for the Aruba 7010 Mobility Controller Front Figure 11 Required TELs for the Aruba 7010 Mobility Controller Bottom 36 Aruba 7XXX Series Controllers FIPS 140 2 Level 2 Security Pol...

Page 37: ...l port and one spanning the mini USB port label 2 as shown in Figure 14 and 15 labels 2 3 Press down on this label to ensure that it adheres to a sufficient area of the front bezel The RJ 45 port is r...

Page 38: ...the bottom and the chassis lid as shown in Figures 16 and 18 Labels 3 4 5 and 6 To Detect Access to Restricted Ports One label label 2 spanning the RJ 45 and mini USB serial ports as shown in figure 1...

Page 39: ...gure 16 Required TELs for the Aruba 7030 Mobility Controller Top Figure 17 Required TELs for the Aruba 7030 Mobility Controller Front Aruba 7XXX Series Controllers FIPS 140 2 Level 2 Security Policy 3...

Page 40: ...e bottom and the chassis lid as shown in Figures 19 and 21 Labels 3 4 5 and 6 To Detect Access to Restricted Ports One label label 2 spanning the RJ 45 and mini USB serial ports as shown in Figure 20...

Page 41: ...7205 Mobility Controller Top Figure 20 Required TELs for the Aruba 7205 Mobility Controller Front Figure 21 Required TELs for the Aruba 7205 Mobility Controller Bottom Aruba 7XXX Series Controllers F...

Page 42: ...use the controller see Enabling FIPS Mode on page 37 The admin role must be root Passwords must be at least eight characters long VPN services can only be provided by IPsec or L2TP over IPsec Access...

Page 43: ...t Guide Enabling FIPS Mode For FIPS compliance users cannot be allowed to access the controller until the CO changes the mode of operation to FIPS mode There are two ways to enable FIPS mode Use the W...

Page 44: ...led To disable the LCD screen enter the Enable mode and use the following CLI commands host configure terminal host config lcd menu host lcd menu disable menu Disallowed FIPS Mode Configurations When...

Reviews:

No comments