Aruba NetworksメーカーFIPS 140-2の使用説明書/サービス説明書
ページ先へ移動 of 36
FIPS 140-2 Non-Proprietary Security Policy for Aruba AP-12 0 Series and De ll W- A P120 Seri es Wireless A cces s Points Version 1. 4 February 20 12 Aruba Networks™ 1322 Crossman Ave.
.
1 INTRODUCTION .................................................................................................................................. 5 1.1 A RUBA D ELL R ELATI ONSHIP .......................................................................
4 4.2.2 User Service s ............................................................................................................................ 27 4.2.3 Wireless Clien t Services ................................................................ ...
1 Introduction This document constitutes t he non-prop rietary Cryptographic Mod ule Security Policy for the AP -120 series Wireless Access Points with FIPS 140 -2 Level 2 validation fro m Aruba Networks.
6 LAN Local Area Net work LED Light Emitting Diode SHA Secure Hash Algorithm SNMP Simple Network Management P rotocol SPOE Serial & Po w er O ver Ethernet TEL Tamper-Evident Label TFTP T rivial Fi.
7 2 Product O v er view This section i ntroduces the var ious Aruba Wireless Access P oints, providing a brief overview and sum mary of the physical features of eac h model covered b y this FIPS 140 -2 security polic y.
8 2.1.1.1 Dimensions/Weight The AP has the follo wing physical dimensions: 4.9” x 5.13” x 2.0 ” (124mm x 130mm x 51mm) 15oz (0.42 Kgs) 2.
9 Label Function Action Status Flashing 2.4GHz Air monitor WLAN 5Ghz 5GHz Radio Status Off 5GHz radio disabled On - Amber 5GHz radio enabled in WLAN mode On – Green 5GHz radio enabled in 802.
10 3 Module Objecti v es This section d escribes the assurance le vels for each of the areas describ ed in the FIPS 140 -2 Standard. In addition, it pro vides information on placin g the module in a FIPS 1 40 -2 approved configuration.
11 3.2.2 A r uba AP -12 4 TEL Placement This sectio n d isplays all the TEL locatio ns o n the Aruba AP -124. The AP124 requires a minimum o f 3 TELs to be applied as follows: 3.2.2.1 To detect openin g of the chassis cover: 1. Spanning the left chassis cove r and the top and bo ttom chassis covers 2.
12 Figure 2: AP -124 Back view Figure 3: AP -124 Left view Figure 4: AP -124 Right view Figure 5: AP -124 Top view.
13 Figure 6: AP -124 Bottom view 3.2.3 A r uba AP -12 5 TEL Placement This sectio n d isplays all the TEL locatio ns o n the Aruba AP -125. The AP125 requires a minimum o f 3 TELs to be applied as follows: 3.2.3.1 To detect openin g of the chassis cover: 1.
14 Figure 7: AP -125 Front view Figure 8: AP -125 Back view Figure 9: AP -125 Left view.
15 Figure 10: AP -125 Right view Figure 11: AP -125 Top view.
16 Figure 12: AP -125 Bottom view 3.2.4 Inspection/Testing of Physical Security Mechanisms Physical Security M echanism Recommended Te st Frequency Guidance Tamper-evident labels (T ELs) Once per month Examine for any sign of removal, replacement, tearing, etc.
17 3.3 Modes of Operat ion The module has the following FIPS ap proved modes of operations: • Remote AP ( RAP) FIP S mode – When the module is co nfigured as a Remote AP, it is intended to be deplo yed in a remote location (relative to the Mobilit y Controller).
18 5. Enable FIP S mode o n the AP. This accomplished b y going to the Configuration > Wireless > AP Configuration > AP Group p age. There, you click the E dit button for the appropriate AP group, and then select AP > AP Syste m Profile. Then, check the “Fips Enable” bo x, check “ Apply”, and save the configuration.
19 6. If the staging controller does not pr ovide PoE, either ens ure the presence of a P oE injector for the LAN co nnection between the module and the controller , o r ens ure the prese nc e o f a D C po wer supply appropriate to the particular model of the module 7.
20 represents the o nly exception. That is, nothing o ther than a P oE injector should be present between the module and the sta ging controller. 8. Once the module is connected to the controller by the Ethernet cable, navigate to the Configuration > Wireless > AP Installa tion page, where you sho uld see an entry for the AP.
21 select AP > AP Syste m Profile. Then, check the “Fips Enable” bo x, check “ Apply”, and save the configuration. 6. If the staging controller does not pr ovide PoE, either ens ure the pre.
22 Linux impleme ntation is not provided d irectly. O nly Aruba-pro vided Crypto O fficer interfaces ar e used. There is no user interface p rovided. 3.5 Logical Interfaces The physical interfaces are divided into logical interface s defi ned b y FIP S 14 0 -2 as described in the following table.
23 4 Roles, Authentication and Ser vices 4.1 Roles The module supports the roles of Cr ypto Officer, User, and Wireless Client; no add itional roles (e.g., Maintenance) are supported . Administrative oper ations car ried out b y the Aruba Mobility Controller map to the Crypto O fficer role.
24 4.1.2 User Authentication Authentication for the User role depends on the module co nfiguration. When the module is configured as a Mesh AP , the User role is authenticated via the WP A2 preshared key.
25 Authentication Mechanis m Mechanis m Strengt h Wireless Client WPA2-PSK (Wireless Client Role) For WPA2 -PSK there are at least 95^1 6 (=4.4 x 10^31 ) possible combinations. In order to test a guessed key, the attac ker must complete the 4-way handshake with the AP.
26 4.2 Services The module provides vario us services depending o n role. These are described below. 4.2.1 Crypto Officer Services The CO role in each of FIP S modes defi ned in section 3.
27 Service Description CSPs Accessed (see sectio n 6 below for complete descriptio n of CSPs) Creation/use of secure management session bet ween module and CO The module supports use of IPSec for securing the management channel.
28 Service Description CSPs Accessed (see sectio n 6 below for complete d escription of CSPs) 802.11i AES-C CM key 802.11i GMK 802.11i GTK Use of WPA preshared ke y for establishment of IEEE 802.11i keys When the module is i n mesh configuration, the inter -module mesh links are secured with 802.
29 4.2.4 Unauthenticated Serv ices The module pr ovides the foll owing unauthenticated services, which are available regardless o f ro le. No CSPs are accessed b y these services. System status – SYSLOG and module LEDs 802.11 a/b/g/n FTP TFTP NTP GRE tunneling of 802 .
30 5 Cryp tographic A l gorithms FIPS-approved cryptographic algorithms have bee n implemented in hard w are and firmware. The firmware suppo rts the following cryptographic imple mentations. ArubaOS OpenSSL AP Module implements the follo wing FIPS -appr oved algorithms: o AES (Cert.
31 6 Critical Securit y Parameters The following Critical Sec urity Parameters (CSPs) are used by the module: CSP CSP TYPE GENERATION STORAGE And ZEROIZATI ON USE Key E ncryption Key (KEK) Triple-DES 168 -bits key Hard-coded Stored in flash, zeroized b y the ‘ ap wipe out flash’ command.
32 CSP CSP TYPE GENERATION STORAGE And ZEROIZATI ON USE IKEv1/IKEv2 Diffie - Hellman Private key 1024 -bit Diffie- Hellman private key Generated internall y during IKEv1/IKEv2 negotiation Stored in pl.
33 CSP CSP TYPE GENERATION STORAGE And ZEROIZATI ON USE WPA2 PSK 16 - 64 character shared secret used to authenticate mesh connections and in remote AP advanced configuration CO configured Encrypted in flash using the KEK; zeroized by updating through administrative in terface, or b y the ‘ap wipe out flash’ command.
34 CSP CSP TYPE GENERATION STORAGE And ZEROIZATI ON USE 802.11i Gro up Master Key (GMK) 256 -bit secret used to derive GTK Generated from appro ved RNG Stored in plaintext in volatile memory; zeroized o n reboot Used to derive Group Transient Key (GTK) 802.
35 7 Self T ests The module performs the following Self Tests after being configured into either Remote AP mode or Remote Mesh P ortal mode. The module perfor ms both po wer-up and conditio nal self -tests. In the eve nt any se lf -test fails, t he module enters an error state, logs the error, and reb oots automatically.
36 For an ArubaOS OpenSS L AP module and ArubaOS c ryptographic module KAT failure: AP rebooted [DATE][TIME] : Restarting System, SW FIPS KAT failed For an AES Cavium har dware POST failure: Starting HW SHA1 KAT ...Completed HW SHA1 AT Starting HW HMAC-SHA1 KAT .
デバイスAruba Networks FIPS 140-2の購入後に(又は購入する前であっても)重要なポイントは、説明書をよく読むことです。その単純な理由はいくつかあります:
Aruba Networks FIPS 140-2をまだ購入していないなら、この製品の基本情報を理解する良い機会です。まずは上にある説明書の最初のページをご覧ください。そこにはAruba Networks FIPS 140-2の技術情報の概要が記載されているはずです。デバイスがあなたのニーズを満たすかどうかは、ここで確認しましょう。Aruba Networks FIPS 140-2の取扱説明書の次のページをよく読むことにより、製品の全機能やその取り扱いに関する情報を知ることができます。Aruba Networks FIPS 140-2で得られた情報は、きっとあなたの購入の決断を手助けしてくれることでしょう。
Aruba Networks FIPS 140-2を既にお持ちだが、まだ読んでいない場合は、上記の理由によりそれを行うべきです。そうすることにより機能を適切に使用しているか、又はAruba Networks FIPS 140-2の不適切な取り扱いによりその寿命を短くする危険を犯していないかどうかを知ることができます。
ですが、ユーザガイドが果たす重要な役割の一つは、Aruba Networks FIPS 140-2に関する問題の解決を支援することです。そこにはほとんどの場合、トラブルシューティング、すなわちAruba Networks FIPS 140-2デバイスで最もよく起こりうる故障・不良とそれらの対処法についてのアドバイスを見つけることができるはずです。たとえ問題を解決できなかった場合でも、説明書にはカスタマー・サービスセンター又は最寄りのサービスセンターへの問い合わせ先等、次の対処法についての指示があるはずです。