Hewlett Packard Enterprise Aruba 7 Series User Manual

Aruba 7XXX Series Controllers
with ArubaOS FIPS Firmware
Non-Proprietary Security Policy
FIPS 140-2 Level 2
Version 1.17
June 2016
Aruba 7200 Series Controllers FIPS 140-2 Level 2 Security Policy

Copyright
© 2016 Hewlett Packard Enterprise Company. Hewlett Packard Enterprise Company trademarks include,
Aruba Networks®, Aruba Wireless Networks®, the registered Aruba the Mobile Edge Company logo, Aruba Mobility Management
System®, Mobile Edge Architecture®, People Move. Networks Must Follow®, RFprotect®, Green Island®. All rights reserved. All
other trademarks are the property of their respective owners.
Open Source Code
Certain Hewlett Packard Enterprise Company products include Open Source software code developed by third parties, including
software code subject to the GNU General Public License (GPL), GNU Lesser General Public License (LGPL), or other Open Source
Licenses. The Open Source code used can be found at this site:
http://www.arubanetworks.com/open_source
Legal Notice
The use of Aruba. switching platforms and software, by all individuals or corporations, to terminate other vendors’ VPN client devices
constitutes complete acceptance of liability by that individual or corporation for this action and indemnifies, in full, Aruba. from any and
all legal actions that might be taken against it with respect to infringement of copyright on behalf of those vendors.
Warranty
This hardware product is protected by the standard Aruba warranty of one year parts/labor. For more information, refer to the
ARUBACARE SERVICE AND SUPPORT TERMS AND CONDITIONS.
Altering this device (such as painting it) voids the warranty.
Copyright
© 2016 Hewlett Packard Enterprise Company. Hewlett Packard Enterprise Company trademarks include, Aruba Networks®, Aruba
Wireless Networks®, the registered Aruba the Mobile Edge Company logo, and Aruba Mobility Management System®.
www.arubanetworks.com
1344 Crossman Avenue
Sunnyvale, California 94089
Phone: 408.227.4500
Fax 408.227.4550

Contents
Preface
Purpose of this Document
Related Documents
Additional Product Information
Overview
Cryptographic Module Boundaries
Intended Level of Security
Physical Security
Operational Environment
Logical Interfaces
Roles and Services
Crypto Officer Role
Authentication Mechanisms
Unauthenticated Services
Non-Approved Services
Cryptographic Key Management
Implemented Algorithms
Critical Security Parameters
Alternating Bypass State
Installing the Controller
Pre-Installation Checklist
Precautions
Product Examination
Package Contents
Tamper-Evident Labels
Reading TELs
Required TEL Locations
Applying TELs
Ongoing Management
Crypto Officer Management
User Guidance
Setup and Configuration
Setting Up Your Controller
Enabling FIPS Mode
Enabling FIPS Mode with the WebUI
Enabling FIPS Mode with the CLI
Disabling the LCD
Disallowed FIPS Mode Configurations

Preface
This security policy document can be copied and distributed freely.
Purpose of this Document
This release supplement provides information regarding the Aruba 7XXX Controllers with FIPS 140-2 Level 2 validation
from Aruba Networks. The material in this supplement modifies the general Aruba hardware and firmware documentation
included with this product and should be kept with your Aruba product documentation.
This supplement primarily covers the non-proprietary Cryptographic Module Security Policy for the Aruba Controller. This
security policy describes how the controller meets the security requirements of FIPS 140-2 Level 2 and how to place and
maintain the controller in a secure FIPS 140-2 mode. This policy was prepared as part of the FIPS 140-2 Level 2
validation of the product.
FIPS 140-2 (Federal Information Processing Standards Publication 140-2, Security Requirements for Cryptographic
Modules) details the U.S. Government requirements for cryptographic modules. More information about the FIPS 140-2
standard and validation program is available on the National Institute of Standards and Technology (NIST) website at:
http://csrc.nist.gov/groups/STM/cmvp/index.html
Related Documents
The following items are part of the complete installation and operations documentation included with this product:
•Aruba 7XXX Mobility Controller Installation Guide
•Aruba 7XXX-series Mobility Controller Installation Guide
•ArubaOS 6.5 User Guide
•ArubaOS 6.5 CLI Reference Guide
•ArubaOS 6.5 Quick Start Guide
•ArubaOS 6.5 Upgrade Guide
•Aruba AP Installation Guides
Additional Product Information
More information is available from the following sources:
•The Aruba Networks Web-site contains information on the full line of products from Aruba Networks:
http://www.arubanetworks.com
•The NIST Validated Modules Web-site contains contact information for answers to technical or sales-related
questions for the product:
http://csrc.nist.gov/groups/STM/cmvp/index.html

Overview
Aruba 7XXX series Mobility Controllers are optimized for 802.11ac and mobile app delivery. Fully
application-aware, the 7XXX series prioritizes mobile apps based on user identity and offers exceptional
scale for BYOD transactions and device densities.
With a new central processor employing eight CPU cores and four virtual cores, the 7XXX series supports
over 32,000 wireless devices and performs stateful firewall policy enforcement at speeds up to 40 Gbps –
plenty of capacity for BYOD and 802.11ac devices.
New levels of visibility, delivered by Aruba AppRF on the controller, allow IT to see applications by user,
including top web-based applications like Facebook and Box.
The 7XXX series also manages authentication, encryption, VPN connections, IPv4 and IPv6 services, the
Aruba Policy Enforcement Firewall™ with AppRF Technology, Aruba Adaptive Radio Management™,
and Aruba RFprotect™ spectrum analysis and wireless intrusion protection.
The Aruba controller configurations validated during the cryptographic module testing included:
•Aruba 7005-F1
•Aruba 7005-USF1
•Aruba 7010-F1
•Aruba 7010-USF1
•Aruba 7024-F1
•Aruba 7024-USF1
•Aruba 7030-F1
•Aruba 7030-USF1
•Aruba 7205-F1
•Aruba 7205-USF1
FIPS Kit: 4011570-01 (Part number for Tamper Evident Labels)
The firmware versions validated are ArubaOS 6.4.4-FIPS and ArubaOS 6.5.0-FIPS.
Note: For radio regulatory reasons, part numbers ending with -USF1 are to be sold in the US only. Part
numbers ending with -F1 are considered ‘rest of the world’ and must not be used for deployment in the
United States. From a FIPS perspective, both -USF1 and -F1 models are identical and fully FIPS
compliant.

Physical Description
Cryptographic Module Boundaries
For FIPS 140-2 Level 2 validation, the Controller has been validated as a multi-chip standalone
cryptographic module. The opaque hard plastic (Aruba 7005 Controller only) or metal chassis physically
encloses the complete set of hardware and firmware components and represents the cryptographic
boundary of the module. The cryptographic boundary is defined as encompassing the top, front, left, right,
rear, and bottom surfaces of the chassis.
Figure 1 - The Aruba 7005 controller
Figure 1 shows the front of the Aruba 7005 Controller, and illustrates the following:
•Four Gigabit Ethernet ports
•One Type A USB port
•LINK/ACT and Status LEDs
•Management/Status LED
•Console Connections - RJ-45 and Mini-USB (Disabled in FIPS mode by TELs)
Figure 2 - The Aruba 7010 controller

Figure 2 shows the front of the Aruba 7010 Controller, and illustrates the following:
•Sixteen 10/100/1000 Ethernet ports
•Two Small Form-Factor Pluggable (SFP) Uplink ports
•Two Type A USB ports
•LINK/ACT and Status LEDs
•Management/Status LED
•LCD Panel
•Navigation Buttons (Functionally disabled in FIPS mode)
•Console Connections - RJ-45 and Mini-USB (Disabled in FIPS mode by TELs)
Figure 3 - The Aruba 7024 controller

Figure 3 shows the front of the Aruba 7024 Controller, and illustrates the following:
•Twenty-four 10/100/1000 Ethernet ports
•Two Enhanced Small Form-Factor Pluggable (SFP+) Uplink ports
•One Type A USB port
•LINK/ACT and Status LEDs
•Management/Status LED
•LCD Panel
•Navigation Buttons (Functionally disabled in FIPS mode)
•Console Connections - RJ-45 and Mini-USB (Disabled in FIPS mode by TELs)
Figure 4 - The Aruba 7030 controller chassis
Figure 4 shows the front of the Aruba 7030 Controller, and illustrates the following:
•Eight 10/100/1000 Ethernet ports
•Eight Small Form-Factor Pluggable (SFP) Uplink ports
•One Type A USB port
•LINK/ACT and Status LEDs
•Management/Status LED
•LCD Panel
•Navigation Buttons (Functionally disabled in FIPS mode)
•Console Connections - RJ-45 and Mini-USB (Disabled in FIPS mode by TELs)

Figure 5 - The Aruba 7205 controller chassis
Figure 5 shows the front of the Aruba 7205 Controller, and illustrates the following:
•Four 10/100/1000 Ethernet ports
•Four Small Form-Factor Pluggable (SFP) Uplink ports
•Two Dual-Purpose Gigabit Uplink Ports
•Two Type A USB ports (one is on the front and one is on the back)
•LINK/ACT and Status LEDs
•Management/Status LED
•LCD Panel
•Navigation Buttons (Functionally disabled in FIPS mode)
•Console Connections - RJ-45 and Mini-USB (Disabled in FIPS mode by TELs)
Intended Level of Security
The 7XXX Controller and associated modules are intended to meet overall FIPS 140-2 Level 2
requirements as shown in Table 1.
Table 1 Intended Level of Security
Section | Section Title | Level
1 | Cryptographic Module Specification | 2
2 | Cryptographic Module Ports and Interfaces | 2
3 | Roles, Services, and Authentication | 2