Hewlett Packard Enterprise Aruba 7 Series Скачать руководство пользователя страница 16 | Manualshive

Страница: 16 / 44

Hewlett Packard Enterprise Aruba 7 Series Скачать руководство пользователя страница 16

Table 3 Crypto-Officer Services

Self-Test

Perform FIPS start-up tests on
demand

None

Error messages
logged if a failure
occurs

None

Configuring
Bypass Operation

Configure bypass operation on
the module

Commands and
configuration data

Status of
commands and
configuration data

None

Updating
Firmware

Updating firmware on the module

Commands and
configuration data

Status of
commands and
configuration data

None

Configuring Online
Certificate Status
Protocol (OCSP)
Responder

Configuring OCSP responder
functionality

OCSP inputs,
commands, and data

OCSP outputs,
status, and data

27, 28, 29, 30 (read)

Configuring
Control Plane
Security (CPSec)

Configuring Control Plane
Security mode to protect
communication with APs using
IPSec and issue self signed
certificates to APs

Commands and
configuration data,
IKEv1/IKEv2 inputs and
data; IPSec inputs,
commands, and data

Status of
commands, IKEv1/
IKEv2 outputs,
status, and data;
IPSec outputs,
status, and data
and configuration
data, self signed
certificates

12 and 19
(read/write/delete)
20, 21, 23, 22, 24, 25
and 26 (write/delete)

Zeroization

The cryptographic keys stored in
SDRAM memory can be zeroized
by rebooting the module. The
cryptographic keys (IKEv1 Pre-
shared key and 802.11i Pre-
Shared Key) stored in the flash
can be zeroized by using
command ‘ap wipe out flash’ or
by overwriting with a new secret.
The other keys/CSPs (KEK,
RSA/ECDSA public key/private
key and certificate) stored in
Flash memory can be zeroized by
using command ‘write erase all.

Command

Progress
information

All CSPs will be
destroyed.

16

|

Aruba 7XXX Series Controllers FIPS 140-2 Level 2 Security Policy

«
...
14
15
16
17
18
...
»

Содержание Aruba 7 Series

Страница 1: ...Aruba 7XXX Series Controllers with ArubaOS FIPS Firmware Non Proprietary Security Policy FIPS 140 2 Level 2 Version 1 17 June 2016 Aruba 7200 Series Controllers FIPS 140 2 Level 2 Security Policy...

Страница 2: ...forms and software by all individuals or corporations to terminate other vendors VPN client devices constitutes complete acceptance of liability by that individual or corporation for this action and i...

Страница 3: ...ation Mechanisms 18 Unauthenticated Services 19 Non Approved Services 19 Cryptographic Key Management 19 Implemented Algorithms 19 Critical Security Parameters 22 Alternating Bypass State 30 Installin...

Страница 4: ...ting Up Your Controller 43 Enabling FIPS Mode 43 Enabling FIPS Mode with the WebUI 43 Enabling FIPS Mode with the CLI 43 Disabling the LCD 44 Disallowed FIPS Mode Configurations 44 4 Aruba 7XXX Series...

Страница 5: ...les details the U S Government requirements for cryptographic modules More information about the FIPS 140 2 standard and validation program is available on the National Institute of Standards and Tech...

Страница 6: ...ctions IPv4 and IPv6 services the Aruba Policy Enforcement Firewall with AppRF Technology Aruba Adaptive Radio Management and Aruba RFprotect spectrum analysis and wireless intrusion protection The Ar...

Страница 7: ...graphic boundary of the module The cryptographic boundary is defined as encompassing the top front left right rear and bottom surfaces of the chassis Figure 1 The Aruba 7005 controller Figure 1 shows...

Страница 8: ...actor Pluggable SFP Uplink ports Two Type A USB ports LINK ACT and Status LEDs Management Status LED LCD Panel Navigation Buttons Functionally disabled in FIPS mode Console Connections RJ 45 and Mini...

Страница 9: ...ns RJ 45 and Mini USB Disabled in FIPS mode by TELs Figure 4 The Aruba 7030 controller chassis Figure 4 shows the front of the Aruba 7030 Controller and illustrates the following Eight 10 100 1000 Eth...

Страница 10: ...tatus LED LCD Panel Navigation Buttons Functionally disabled in FIPS mode Console Connections RJ 45 and Mini USB Disabled in FIPS mode by TELs Intended Level of Security The 7XXX Controller and associ...

Страница 11: ...ident Labels TELs to allow the detection of the opening of the chassis cover and to block the Serial console port To protect the Aruba 7XXX Controller from any tampering with the product TELs should b...

Страница 12: ...ing functionality of the modules Control input consists of manual control inputs for power and reset through the power and reset switch It also consists of all of the data that is entered into the con...

Страница 13: ...PS mode the serial port is disabled Web Interface The Crypto Officer can use the Web Interface as an alternative to the CLI The Web Interface provides a highly intuitive graphical interface for a comp...

Страница 14: ...guration data 32 33 read 34 delete Configuring Module Platform Define the platform subsystem firmware of the module by entering Bootrom Monitor Mode File System fault report message logging and other...

Страница 15: ...atus of certificates commands and configuration 15 16 17 18 write delete HTTPS over TLS Secure browser connection over Transport Layer Security acting as a Crypto Officer service web management interf...

Страница 16: ...ith APs using IPSec and issue self signed certificates to APs Commands and configuration data IKEv1 IKEv2 inputs and data IPSec inputs commands and data Status of commands IKEv1 IKEv2 outputs status a...

Страница 17: ...ata 29 30 31 delete EAP TLS termination Provide EAP TLS termination EAP TLS inputs commands and data EAP TLS outputs status and data 29 30 31 read delete 802 11i Shared Key Mode Access the module s 80...

Страница 18: ...32 x 52 251 595 800 Therefore the associated probability of a successful random attempt during a one minute period is approximate 1 in 251 596 800 which is less than 1 in 100 000 required by FIPS 140...

Страница 19: ...024 bit moduli DES HMAC MD5 and MD5 SSHv1 using RC4 Please note that all CSPs will be zeroized automatically when switching from FIPS mode to non FIPS mode or from non FIPS mode to FIPS mode Cryptogra...

Страница 20: ...g FIPS Approved Algorithms o AES Cert 2884 o SP800 135rev1 KDF CVL Cert 314 1 o ECDSA Cert 519 o HMAC Cert 1818 o RSA Cert 1518 o SHS Cert 2425 o Triple DES Cert 1720 ArubaOS UBOOT Bootloader library...

Страница 21: ...ss than 112 bits of encryption strength HMAC MD5 MD5 RC4 NOTE IKEv1 IKEv2 TLS SSH and SNMP protocols have not been reviewed or tested by the CAVP and CMVP Aruba 7XXX Series Controllers FIPS 140 2 Leve...

Страница 22: ...ed Stored in SDRAM memory plaintext Zeroized by rebooting the module 3 DRBG seed SP 800 90a CTR_DRBG 384 bits Input to the DRBG that determines the internal state of the DRBG Generated using DRBG deri...

Страница 23: ...red in SDRAM memory plaintext Zeroized by rebooting the module 9 EC Diffie Hellman private key EC Diffie Hellman Curves P 256 or P 384 Generated internally by calling FIPS approved DRBG cert 528 durin...

Страница 24: ...ate key This key is generated by calling FIPS approved DRBG cert 528 in the module Used for IKEv1 IKEv2 TLS OCSP signing OCSP messages and EAP TLS peers authentication Stored in Flash memory plaintext...

Страница 25: ...to IKE peers It was established via key derivation function defined in SP800 135 KDF IKEv1 Used for deriving other keys in IKE protocol implementation Stored in SDRAM memory plaintext Zeroized by rebo...

Страница 26: ...tion keys Triple DES 192 bits AES and AES GCM 128 192 256 bits The IPsec IKE phase II encryption key This key is derived via a key derivation function defined in SP800 135 KDF IKEv1 IKEv2 Used for IPS...

Страница 27: ...aintext Zeroized by rebooting the module 31 TLS session authentication key HMAC SHA 1 256 384 160 256 384 bits This key is derived via a key derivation function defined in SP800 135 KDF TLS Used for T...

Страница 28: ...s Stored in SDRAM plaintext Zeroized by rebooting the module 37 802 11i Pairwise Transient Key PTK Shared secret 512 bits This key is used to derive 802 11i session key by using the KDF defined in SP8...

Страница 29: ...HMAC SHA512 KAT o RSA sign KAT o RSA verify KAT o ECDSA Pairwise Consistency Test ArubaOS Uboot BootLoader library Firmware o Firmware Integrity Test RSA PKCS 1 v1 5 2048 bits signature verification...

Страница 30: ...dated AES256 HMAC SHA1 hash failed AES256 Encrypt failed AES256 Decrypt Failed 3DES HMAC SHA1 hash failed 3DES Encrypt failed 3DES Decrypt Failed DES HMAC SHA1 hash failed DES Encrypt failed DES Decry...

Страница 31: ...onent even when the power supplies have been turned off unplugged or removed Main power is fully disconnected from the controller only by unplugging all power cords from their power outlets For safety...

Страница 32: ...nts The product carton should include the following 7XXX Controller Rack mounting kit optional Aruba User Documentation CD Tamper Evident Labels 32 Aruba 7XXX Series Controllers FIPS 140 2 Level 2 Sec...

Страница 33: ...he tamper evident labels shall be installed for the module to operate in a FIPS Approved mode of operation Aruba Provides double the required amount of TELs If a customer requires replacement TELs ple...

Страница 34: ...o labels spanning the RJ 45 and mini USB serial ports as shown in figure 8 Press down on this label to ensure that it adheres to a sufficient area of the front bezel The RJ 45 port is raised relative...

Страница 35: ...3 4 5 and 6 To Detect Access to Restricted Ports One label label 2 spanning the RJ 45 and mini USB serial ports as shown in Figure 10 Press down on this label to ensure that it adheres to a sufficien...

Страница 36: ...ure 10 Required TELs for the Aruba 7010 Mobility Controller Front Figure 11 Required TELs for the Aruba 7010 Mobility Controller Bottom 36 Aruba 7XXX Series Controllers FIPS 140 2 Level 2 Security Pol...

Страница 37: ...l port and one spanning the mini USB port label 2 as shown in Figure 14 and 15 labels 2 3 Press down on this label to ensure that it adheres to a sufficient area of the front bezel The RJ 45 port is r...

Страница 38: ...the bottom and the chassis lid as shown in Figures 16 and 18 Labels 3 4 5 and 6 To Detect Access to Restricted Ports One label label 2 spanning the RJ 45 and mini USB serial ports as shown in figure 1...

Страница 39: ...gure 16 Required TELs for the Aruba 7030 Mobility Controller Top Figure 17 Required TELs for the Aruba 7030 Mobility Controller Front Aruba 7XXX Series Controllers FIPS 140 2 Level 2 Security Policy 3...

Страница 40: ...e bottom and the chassis lid as shown in Figures 19 and 21 Labels 3 4 5 and 6 To Detect Access to Restricted Ports One label label 2 spanning the RJ 45 and mini USB serial ports as shown in Figure 20...

Страница 41: ...7205 Mobility Controller Top Figure 20 Required TELs for the Aruba 7205 Mobility Controller Front Figure 21 Required TELs for the Aruba 7205 Mobility Controller Bottom Aruba 7XXX Series Controllers F...

Страница 42: ...use the controller see Enabling FIPS Mode on page 37 The admin role must be root Passwords must be at least eight characters long VPN services can only be provided by IPsec or L2TP over IPsec Access...

Страница 43: ...t Guide Enabling FIPS Mode For FIPS compliance users cannot be allowed to access the controller until the CO changes the mode of operation to FIPS mode There are two ways to enable FIPS mode Use the W...

Страница 44: ...led To disable the LCD screen enter the Enable mode and use the following CLI commands host configure terminal host config lcd menu host lcd menu disable menu Disallowed FIPS Mode Configurations When...

Отзывы:

Нет отзывов