
Aruba IAP-3XX Wireless Access Points with Aruba Instant Firmware FIPS 140-2 Level 2 Security Policy 

Aruba IAP-303H, IAP-304, IAP-305, 

IAP-314, IAP-315, IAP-324, AP-325, 

IAP-334, and IAP-335 Wireless 

Access Points 

with Aruba Instant Firmware

Non-Proprietary Security Policy  

FIPS 140-2 Level 2

Version 4.9 

February 2021

Contents: Aruba AP-325

Page 1: ...Firmware FIPS 140-2 Level 2 Security Policy. Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-324, AP-325, IAP-334, and IAP-335 Wireless Access Points with Aruba Instant Firmware, Non-Proprietary Securi...

Page 2: ...esser General Public License (LGPL) or other Open Source Licenses. The Open Source code used can be found at this site: http://www.arubanetworks.com/open_source. Legal Notice: The use of Aruba switching platf...

Page 3: ...2.4 IAP-320 Series 18; 2.4.1 Physical Description 19; 2.4.2 Dimensions/Weight 19; 2.4.3 Environmental 19; 2.4.4 Interfaces 19; 2.5 IAP-330 Series 21; 2.5.1 Physical Description 22; 2.5.2 Dimensions/Weight 22...

Page 4: ...Applying TELs 54; 12.4 Inspection/Testing of Physical Security Mechanisms 54; 13 User Guidance 55; 13.1 Crypto Officer Management 55; 13.2 Configuring FIPS Approved Mode 55; 13.3 Full Documentation 56; 14...

Page 5: ...View of IAP-334 with TELs 52; Figure 35 Bottom View of IAP-334 with TELs 52; Figure 36 Top View of IAP-335 with TELs 53; Figure 37 Bottom View of IAP-335 with TELs 53. Tables: Table 1 IAP-303H Status Indi...

Page 6: ...e of Standards and Technology (NIST) website at https://csrc.nist.gov/projects/cryptographic-module-validation-program. In addition, in this document the Aruba IAP-303H, IAP-304, IAP-305, IAP-314, IAP-315, IAP-3...

Page 7: ...r; ECO External Crypto Officer; EMC Electromagnetic Compatibility; EMI Electromagnetic Interference; FE Fast Ethernet; GE Gigabit Ethernet; GHz Gigahertz; HMAC Hashed Message Authentication Code; Hz Hertz; IKE...

Page 8: ...n this document. Only the versions that explicitly appear on the certificate, however, are formally validated. The CMVP makes no claim as to the correct operation of the module or the security strengths o...

Page 9: ...y encloses the complete set of hardware and software components and represents the cryptographic boundary of the module. The IAP-303H Access Point configuration validated during the cryptographic modul...

Page 10: ...802.11a/b/g/n/ac, two internal antennas; USB 2.0 host interface (Type A connector); Bluetooth Low Energy (BLE) radio: Bluetooth up to 4 dBm transmit power (class 2) and -93 dBm receive sensitivity. Figure 2 Aruba...

Page 11: ...mber Solid: Device ready, power save mode (802.3af PoE, single radio, USB disabled). Green or Amber Flashing: Device ready, restricted mode (uplink negotiated at sub-optimal speed, or radio in non-high-throughpu...

Page 12: ...2 Level 2 validation. It describes the purpose of the IAP-304 and IAP-305 APs, their physical attributes and their interfaces. Figure 6 Aruba IAP-304; Figure 7 Aruba IAP-305. These compact and cost-effecti...

Page 13: ...oints configuration validated during the cryptographic module's testing included: IAP-304 (HW: IAP-304-US TAA, HPE SKU JX944A); IAP-305 (HW: IAP-305-US TAA, HPE SKU JX950A). 2.2.2 Dimensions/Weight: The IAP-300 Se...

Page 14: ...nsole interface (proprietary; optional adapter cable available; disabled in FIPS mode by TEL). Table 3 IAP-300 Series Status Indicator LEDs (LED Type, Color, State, Meaning): System Status (Left): Off: AP powered of...

Page 15: ...2 validation. It describes the purpose of the IAP-314 and IAP-315 APs, their physical attributes and their interfaces. Figure 9 Aruba IAP-314; Figure 10 Aruba IAP-315. These compact and cost-effective dua...

Page 16: ...W: IAP-315-US TAA, HPE SKU JW814A). 2.3.2 Dimensions/Weight: The IAP-310 Series have the following physical dimensions (unit, excluding mount accessories): Dimensions 182 mm (W) x 180 mm (D) x 48 mm (H); Weight 650 g...

Page 17: ...ED Type, Color, State, Meaning: System Status (Left): Off: AP powered off; Green/Amber Alternating: Device booting, not ready; Green Solid: Device ready; Amber Solid: Device ready, power save mode (802.3af PoE, single...

Page 18: ...Aruba IAP-324; Figure 13 Aruba IAP-325. With a maximum concurrent data rate of 1,733 Mbps in the 5 GHz band and 600 Mbps in the 2.4 GHz band, for an aggregate peak data rate of 2.3 Gbps, the IAP-320 Serie...

Page 19: ...have the following physical dimensions (unit, excluding mount accessories): Dimensions 203 mm (W) x 203 mm (D) x 57 mm (H) / 8.0 in (W) x 8.0 in (D) x 2.2 in (H); Weight 950 g / 34 oz. 2.4.3 Environmental: Operating: Temperature 0 °C...

Page 20: ...5 IAP-320 Series Status Indicator LEDs (LED Type, Color, State, Meaning): System Status (Left): Off: AP powered off; Green/Amber Alternating: Device booting, not ready; Green Solid: Device ready; Amber Solid: Device r...

Page 21: ...a best-in-class, next-generation 802.11ac Wi-Fi infrastructure that is ideal for lecture halls, auditoriums, public venues and high-density office environments. The high-performance and high-density 802...

Page 22: ...al antennas through four N-type female connectors for external antennas for the IAP-334, or twelve integrated omni-directional downtilt internal antennas for the IAP-335. The case physically encloses th...

Page 23: ...tory reset during device power-up. Serial console interface (standard RJ-45 female connector; disabled in FIPS mode by TEL). Table 6 IAP-330 Series Status Indicator LEDs (LED Type, Color, State, Meaning): System...

Page 24: ...Points and associated modules are intended to meet overall FIPS 140-2 Level 2 requirements as shown in the following table. Table 7 Intended Level of Security (Section, Section Title, Security Level): 1 Cry...

Page 25: ...ational environment is non-modifiable. The control plane Operating System (OS) is Linux, a real-time multi-threaded operating system that supports memory protection between processes. Access to the underly...

Page 26: ...fic over the network ports by analyzing the packets' header information and contents. 7 Roles, Authentication and Services. 7.1 Roles: The module supports role-based authentication. There are two roles in t...

Page 27: ...Therefore, the associated probability of a successful random attempt during a one-minute period is 60,000 / 3.5e23, which is less than the 1 in 100,000 required by FIPS 140-2. Pre-shared key based authenticati...
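The calculation quoted on page 27 is the standard FIPS 140-2 authentication-strength argument: a single random attempt must succeed with probability below 1 in 1,000,000, and all attempts the module will accept within one minute must together succeed with probability below 1 in 100,000. The following Go program is an added example, not code from the security policy or from Aruba: it carries that calculation through for the policy's own figures (60,000 attempts per minute against a credential space the policy gives as 3.5e23) and generalises it to any credential space, so a reviewer can check a password or pre-shared key policy against the same thresholds. The attempt rate and keyspace values for the extra cases are constructed for illustration.

```go
package main

import (
	"fmt"
	"math"
)

// FIPS 140-2 Section 4.3 bounds on the probability of a random authentication attempt:
// a single attempt must succeed with probability below 1 in 1,000,000, and all
// attempts possible within one minute must succeed with probability below 1 in 100,000.
const (
	MaxPerAttempt = 1.0 / 1e6
	MaxPerMinute  = 1.0 / 1e5
)

// AuthStrength is the result of one authentication-strength analysis.
type AuthStrength struct {
	Keyspace          float64 // number of equally likely credential values
	AttemptsPerMinute float64 // guesses the module will accept in one minute
	PerAttempt        float64 // probability a single random guess succeeds
	PerMinute         float64 // probability of success after one minute of guessing
	Passes            bool    // both FIPS 140-2 thresholds satisfied
}

// PasswordKeyspace returns the number of distinct strings of the given length
// over an alphabet of the given size (for example 95 printable ASCII characters).
func PasswordKeyspace(alphabetSize, length int) float64 {
	return math.Pow(float64(alphabetSize), float64(length))
}

// Assess carries the security policy's calculation through for any keyspace and
// attempt rate. The per-minute figure is the attempts/keyspace ratio the policy
// quotes (a union bound over the attempts, which is how FIPS 140-2 assessments
// are written); it is capped at 1 because a probability cannot exceed certainty.
func Assess(keyspace, attemptsPerMinute float64) AuthStrength {
	perAttempt := 1 / keyspace
	perMinute := math.Min(1, attemptsPerMinute/keyspace)
	return AuthStrength{
		Keyspace:          keyspace,
		AttemptsPerMinute: attemptsPerMinute,
		PerAttempt:        perAttempt,
		PerMinute:         perMinute,
		Passes:            perAttempt < MaxPerAttempt && perMinute < MaxPerMinute,
	}
}

// PolicyCase reproduces the figures quoted in the security policy: 60,000
// attempts per minute against a credential space the policy gives as 3.5e23.
func PolicyCase() AuthStrength {
	return Assess(3.5e23, 60000)
}

func main() {
	cases := []struct {
		name string
		s    AuthStrength
	}{
		{"security policy figures", PolicyCase()},
		{"8-char printable-ASCII password", Assess(PasswordKeyspace(95, 8), 60000)}, // constructed case
		{"4-digit PIN (for contrast)", Assess(PasswordKeyspace(10, 4), 60000)},       // constructed case
	}
	for _, c := range cases {
		fmt.Printf("%-32s keyspace=%.3g per-attempt=%.3g per-minute=%.3g passes=%v\n",
			c.name, c.s.Keyspace, c.s.PerAttempt, c.s.PerMinute, c.s.Passes)
	}
}
```

The per-minute bound is the one that usually decides these assessments: a credential that is comfortably above 1 in 1,000,000 per attempt can still fail once the module's accepted attempt rate is multiplied in, which is why the policy states both the rate (60,000 per minute) and the space.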

Page 28: ...two modes of operation listed in section 13. Table 10 Crypto Officer Services (Service, Description, Input, Output, CSP Access): SSH v2.0: Provide authenticated and encrypted remote management sessions while u...

Page 29: ...ryptographic officer may use CLI "show" or view WebUI via TLS to view the module configuration, routing tables and active sessions; view health, temperature, memory status, voltage and packet statistics; revi...

Page 30: ...reless client role. Table 11 User Services (Service, Description, Input, Output, CSP Access): 802.11i Shared Key Mode: Access the module's 802.11i services in order to secure network traffic. 802.11i inputs, com...

Page 31: ...d services which are available regardless of role: System status (module LEDs); Reboot module by removing/replacing power; Self-test and initialization at power-on; Internet Control Message Protocol (ICMP) se...

Page 32: ...Below are the detailed lists for the FIPS-approved algorithms and the associated certificates implemented by each algorithm implementation. Table 12 Aruba Instant VPN Module CAVP Certificates: Aruba In...

Page 33: ...nly; encryption only; 128, 192, 256; Data Encryption/Decryption. C565 CVL SSH/TLS4 SP800-135 Rev1: TLS (SHA-256, SHA-384), SSH (SHA-1, SHA-256, SHA-384, SHA-512); Key Derivation for SSH, TLS, EAP-TLS. C565 DRBG S...

Page 34: ...l Signature Verification only. C563 SHS FIPS 180-4: SHA-1, SHA-256; 160, 256; Message Digest. Note: Only firmware signed with SHA-256 is permitted in the Approved mode. Digital signature verification with SH...

Page 35: ...DRNG entropy source used solely for seeding the SP 800-90A approved DRBG. RSA (key wrapping; key establishment methodology provides 112 bits of encryption strength). Triple-DES (used with the KEK; no securit...

Page 36: ...Zeroized on reboot; DRBG. 4: DRBG V (SP800-90A, 440 bits); Generated per SP800-90A; Stored in plaintext in volatile memory; Zeroized on reboot; DRBG. 5: Diffie-Hellman Private Key (Diffie-Hellman Group 14, 224 bit...

Page 37: ...LS Master Secret: Secret, 48 bytes. This key is derived via the key derivation function defined in SP800-135 KDF (TLS) using the TLS Pre-Master Secret. Stored in SDRAM memory (plaintext). Zeroized by rebooting...

Page 38: ...plaintext. Zeroized by rebooting the module. Used for 802.11i encryption. 22: Factory CA Public Key (RSA 2048 bits). This is an RSA public key. Loaded into the module during manufacturing. Stored in Flash and...

Page 39: ...ncryption Key (AES-CBC, 128/256 bits). Derived in the module using SP800-135 KDF during IKEv2 service implementation. Stored in plaintext in volatile memory. Zeroized when session is closed. IKEv2 payload en...

Page 40: ...entropy calculation of 215.04 bits, so Aruba has included the following entropy caveat: "The module generates cryptographic keys whose strengths are modified by available entropy." 10 Self-Tests: The modul...

Page 41: ...during operation: SP800-90A Section 11.3 Health Tests for HASH_DRBG (Instantiate, Generate and Reseed). ArubaInstant UBOOT BootLoader Module: Firmware Load Test (RSA PKCS#1 v1.5, 2048 bits, signature verifi...
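Pages 34, 38 and 41 together describe the firmware load test: the bootloader verifies an RSA PKCS#1 v1.5 signature (2048-bit key, the factory CA public key loaded at manufacturing and stored in flash) over the image, and only images signed with SHA-256 may be loaded in the Approved mode. The Go program below is an added illustration of that check and is not Aruba's bootloader code; the image layout (payload, detached signature, and a field recording the signer's hash), the signing helper and the payload bytes are all constructed for the example, and the freshly generated key stands in for the factory CA key. It shows the order of checks that matters in practice: a SHA-1-signed image is refused before any RSA arithmetic runs, so a legacy image cannot get through on the strength of a signature that would otherwise verify.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha1"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Image is a constructed stand-in for a firmware image as a bootloader sees it:
// the payload, a detached RSA PKCS#1 v1.5 signature, and the hash the signer used.
// The real Aruba image format is not described on this page; this layout is an assumption.
type Image struct {
	Payload   []byte
	Signature []byte
	Hash      crypto.Hash
}

var (
	ErrHashNotApproved = errors.New("firmware load test: only SHA-256 signatures are permitted in Approved mode")
	ErrKeySize         = errors.New("firmware load test: factory CA key is not RSA 2048")
	ErrBadSignature    = errors.New("firmware load test: signature verification failed")
)

// LoadTest is the check performed before an image is allowed to run: the signer's
// hash must be SHA-256 (checked first, so a SHA-1 image is refused before any RSA
// math runs), the verifying key must be RSA 2048, and the PKCS#1 v1.5 signature
// over SHA-256(payload) must verify under the factory CA public key.
func LoadTest(factoryCA *rsa.PublicKey, img Image) error {
	if img.Hash != crypto.SHA256 {
		return ErrHashNotApproved
	}
	if factoryCA.N.BitLen() != 2048 {
		return ErrKeySize
	}
	digest := sha256.Sum256(img.Payload)
	if err := rsa.VerifyPKCS1v15(factoryCA, crypto.SHA256, digest[:], img.Signature); err != nil {
		return ErrBadSignature
	}
	return nil
}

// Sign is a constructed stand-in for the vendor's release-signing step so the
// example runs offline; it also supports SHA-1 purely to exercise the rejection path.
func Sign(key *rsa.PrivateKey, payload []byte, hash crypto.Hash) (Image, error) {
	var digest []byte
	switch hash {
	case crypto.SHA256:
		d := sha256.Sum256(payload)
		digest = d[:]
	case crypto.SHA1:
		d := sha1.Sum(payload)
		digest = d[:]
	default:
		return Image{}, errors.New("sign: unsupported hash")
	}
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, hash, digest)
	if err != nil {
		return Image{}, err
	}
	return Image{Payload: payload, Signature: sig, Hash: hash}, nil
}

// Scenarios generates a 2048-bit key (standing in for the factory CA key), signs a
// constructed payload three ways, and returns the load-test verdict for each case.
func Scenarios() (map[string]error, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	payload := []byte("constructed firmware payload, not a real Aruba Instant image")

	good, err := Sign(key, payload, crypto.SHA256)
	if err != nil {
		return nil, err
	}
	legacy, err := Sign(key, payload, crypto.SHA1)
	if err != nil {
		return nil, err
	}
	tampered := good
	tampered.Payload = append([]byte{}, good.Payload...)
	tampered.Payload[0] ^= 0x01 // one bit flipped after signing

	return map[string]error{
		"sha256-signed": LoadTest(&key.PublicKey, good),
		"sha1-signed":   LoadTest(&key.PublicKey, legacy),
		"tampered":      LoadTest(&key.PublicKey, tampered),
	}, nil
}

func main() {
	verdicts, err := Scenarios()
	if err != nil {
		panic(err)
	}
	for _, name := range []string{"sha256-signed", "sha1-signed", "tampered"} {
		fmt.Printf("%-14s -> %v\n", name, verdicts[name])
	}
}
```

Only the first case loads; the SHA-1-signed image fails on the hash policy and the tampered image fails signature verification. On a real device the public key is the one stored in flash at manufacturing and is itself part of the module's tamper-protected boundary, which is why the TEL checks described later in the policy matter for this test as much as the arithmetic does.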

Page 42: ...reless Access Point components; A mount kit compatible with the AP and mount surface (sold separately); A compatible Category 5 UTP Ethernet cable; External antennas when using the IAP-304, IAP-314, IAP-324...

Page 43: ...act any device, cable, object or person attached to a different electrical ground. Also, never connect the device to external storm grounding sources. Installation or removal of the device or any module mu...

Page 44: ...operate in a FIPS Approved mode of operation. Aruba Networks provides double the required amount of TELs. If a customer requires replacement TELs, please call customer support and Aruba Networks will pro...

Page 45: ...reless Access Points. Refer to the next section for guidance on applying the TELs. 12.2.1 TELs Placement on the IAP-303H: The IAP-303H requires 3 TELs: one on each side and bottom edge (labels 1 and 2) to d...

Page 46: ...lacement on the IAP-304: The IAP-304 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device, and one covering the console port (label 3) to detect access to a restricted port. Se...

Page 47: ...lacement on the IAP-305: The IAP-305 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device, and one covering the console port (label 3) to detect access to a restricted port. Se...

Page 48: ...lacement on the IAP-314: The IAP-314 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device, and one covering the console port (label 3) to detect access to a restricted port. Se...

Page 49: ...lacement on the IAP-315: The IAP-315 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device, and one covering the console port (label 3) to detect access to a restricted port. Se...

Page 50: ...lacement on the IAP-324: The IAP-324 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device, and one covering the console port (label 3) to detect access to a restricted port. Se...

Page 51: ...lacement on the IAP-325: The IAP-325 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device, and one covering the console port (label 3) to detect access to a restricted port. Se...

Page 52: ...lacement on the IAP-334: The IAP-334 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device, and one covering the console port (label 3) to detect access to a restricted port. Se...

Page 53: ...lacement on the IAP-335: The IAP-335 requires 3 TELs: one on each side edge (labels 1 and 2) to detect opening the device, and one covering the console port (label 3) to detect access to a restricted port. Se...

Page 54: ...t TELs, please call Aruba Networks customer support and request FIPS Kit part number 4011570-01 (HPE SKU JY894A). Once the TELs are applied, the Crypto Officer (CO) should perform initial setup and configura...

Page 55: ...trange activity is found, the Crypto Officer should take the Wireless Access Point offline and investigate. The Tamper-Evident Labels (TELs) must be regularly examined for signs of tampering. Refer to Tabl...

Page 56: ...aging BLE Beacons, pages 403-405, for setting BLE Operation Mode to disabled. 10. Via the logging facility of the IAP, ensure that the IAP is successfully provisioned with firmware and configuration. 11. Ter...

Page 57: ...n about the client that is connected to the Instant network, to find the operating system that the client is running on, to allow: Identifying rogue clients: Helps to identify clients that are running on...

Page 58: ...generate ARP packets on the wired network to contain wireless attacks from rogue Instant APs with invalid MAC addresses. Instant APs can attempt to disconnect all clients that are connected, or attempt...
