Benutzeranleitung / Produktwartung W-AP135 des Produzenten Dell
Zur Seite of 35
1 FIPS 140-2 Non-Proprietary Security Policy for Aruba AP-13 4, AP -135 and Dell W- AP 134, W - A P1 35 Wireless A ccess Points Version 1.2 February 20 12 Aruba Networks™ 1322 Crossman Ave.
2.
3 1 INTRODUCTION .................................................................................................................................. 5 1.1 A RUBA D ELL R ELATIONSHIP ......................................................................
4 4.1.3 Wireless Clien t Authenticatio n ................................................................................................. 23 4.1.4 Strength of Authentication Mech anisms ................................................................
5 1 Introduction This document constitutes t he non-prop rietary Cryptographic Mod ule Security Policy for the AP - 134 , AP- 135 Wireless Access Points with FIP S 140 -2 Level 2 validation fro m Aruba Networks.
6 SHA Secure Hash Algorithm SN MP Sim ple Network Management Protocol SPOE Serial & Power Over Ethernet TEL Tamper-Evident Label TFTP Trivial File Transfer Proto col WLAN Wireless Local Area Netwo.
7 2 Product O v er v iew This section i ntroduces the var ious Aruba Wireless Access P oin ts, providing a brief overview and sum mary of the physical features of eac h model covered b y this FIPS 140 -2 security polic y. 2.1 AP - 134 This section introduces t he Aruba AP- 134 Wireless Access Po int (AP) with FIPS 140 -2 Level 2 validation.
8 The module provides the foll owing po wer interfaces: 48V DC 802.3af or 80 2.3at or P oE + interoperable Po w er -over-Ethernet (Po E) with i ntelli-source PSE sourcing intelligence 12V DC for external AC s upplied power (adapter so ld separately) 2.
9 2.2 AP -1 35 This section introduces t he Aruba AP- 13 5 W ireless Access P oint (AP) with FIPS 140 -2 Level 2 validation. It describes the purp ose of the AP, its physical a ttributes, and its interfaces. The Aruba AP- 13 5 is hi gh-performance 802.
10 5V DC for external AC supplied power (adapter sold separately) 2.2.1.3 Indicator LEDs There are 5 b icolor (power, ENET and WLAN) LEDs which oper ate as follows: Table 2- AP -1 35 Indicator LED.
11 3 Module Objecti v es This section d escribes th e a ssurance level s for each o f the areas described in the FIPS 140 -2 Standar d. In addition, it pro vides information on placing the module i n a FIPS 140 -2 approved configuration.
12 3.2.2 AP - 134 TEL Placement This section displays all the TEL locations of the Aruba AP -134. T he A P-134 requires a minimum o f 5 TELs to be applied as follo ws: 3.2.2.1 To detect openin g of the chassis cover: 1. Spanning the bottom and top chassis covers and placed in the front left corner 2.
13 Figure 4 : AP -134 Top View Figure 5: AP -134 Right View Figure 6: AP -134 Bottom View 3.2.3 AP - 135 TEL Placement This section displays all the T EL locations of the Aruba A P- 135 . The A P-134 requires a m inimum of 5 TELs to be applied as follows: 3.
14 2. Spanning the bottom and top chassis covers and placed in the back left corner 3. Spanning the chassis scre w on the botto m left corner 4. Spanning the chassis screw on the botto m right corner 3.
15 Figure 11: AP -135 Top view Figure 12: AP - 135 Bottom View 3.2.4 Inspection/Testing of Physical Security Mechanisms Physical Security M echanism Recommended Te st Frequency Guidance Tamper-evident labels (T ELs) Once per month Examine for any sign of remo val, replacement, tearing, etc.
16 3.3 Modes of Operat ion The module has the following FIP S approved modes of operations: • Remote AP (RAP) FIPS mode – W hen the module is configured as a Remote AP, it is intended to be deploy ed in a remote location (relative to the Mobility Controller ).
17 6. If the staging contro ller does not p rovide PoE, either ensure the presence of a P oE injector for the LAN connection bet ween the module and the co ntroller, or ensure t he presence o f a DC po wer supply appropriate to the particular model of the module.
18 7. Connect the module via an Ethernet cable to the sta ging controller; no te that this should b e a direc t connection, with no intervening net work or devices; i f Po E is being supplied by an inj ector, th is represents the o nly exception.
19 Section “ Pr ovisioning an Indi vidual AP ” o f Chapter “ The Basic User-Centric Net works ” o f the Aruba OS User Guide. Click “Apply and Reboot” to complete the provisioning pro cess.
20 represents the o nly exception. That is, nothing o ther than a P oE injector should b e present b etween the module and the sta ging controller. 8. Once t he module is co nnected to the co ntroller by the Ethernet cable, navigate to the Configuration > Wireless > AP Installation page, where you sho uld see an entr y for the AP.
21 3.5 Logical Interfaces The ph ysical interfaces are d ivided into logical interface s defined b y FIP S 140 -2 as described in the following table. FI PS 140-2 Logical Interface Module Physical Interfa ce Data Input Interface 10/100/1000 Ethernet P orts 802.
22 4 Roles, A u thentication an d Services 4.1 Roles The module s upports the roles of Cr ypto Officer, User , and Wireless Client; no additio nal roles ( e.g., Maintenance) are suppo rted. Ad ministrative op erations car ried out by the Aruba Mobility C ontroller map to the Crypto Officer role.
23 4.1.2 User Authentication Authentication for the User role depends on the module configuration. When the module is configured as a Remote Mesh Portal FIP S mode and Re mote Mesh P oint FIP S mode, the U ser role is authenticated via t he WPA2 p re-shared ke y.
24 Authentication Mechanis m Mechanis m Strength Wireless Client WPA2-PSK (Wireless Client role) For WPA2 -PSK there are at least 95^1 6 (=4.4 x 10^31) possible combinations. In order to test a guessed key, the attac ker must complete the 4-way handshake with the AP.
25 4.2 Services The module provides vario us services depending o n role. These are descr ib ed below. 4.2.1 Crypto Officer Services The CO role in each of FIP S modes defi ned in section 3.
26 Service Description CSPs Accessed ( see secti on 6 below for complete descrip tion of CSPs) Creation/use of secure management session bet ween module and CO The module supports use of IPSec for securing the management channel.
27 Service Description CSPs Accessed ( see secti on 6 below for complete descrip tion of CSPs) 802.11i AES-C CM key 802.11i GMK 802.11i GTK Use of WPA pre -shared key for establishment of IEEE 802.11i keys When the module is i n mesh configuration, the inter -module mesh links are secured with 802.
28 System status – SYSLOG and module LEDs 802.11 a/b/g/n FTP TFTP NTP GRE tunneling of 802 .11 wireless user frames ( when acting as a “Local AP”) Reboot module b y r.
29 5 Cryptographic Algorith ms FIPS-approved cryptographic algorithms have bee n implemented in hard w are and firmware. The firmware suppo rts the following cryptographic imple mentations. ArubaOS OpenSSL AP Module implements the follo wing FIPS -app roved algorithms: o AES (Cert.
30 6 Critical Securit y Parameters The following Critical Sec urity Parameters (CSPs) are used by the module: CSP CSP TYPE GENERATION STORAGE And ZEROIZATI ON USE Key Encryption Ke y (KEK) Triple-DES 168 -bits key Hard-coded Stored in flash, zeroized b y th e ‘ap wipe out flash’ command.
31 CSP CSP TYPE GENERATION STORAGE And ZEROIZATI ON USE IKEv1/IKEv2 Diffie - Hellman Private key 1024 -bit Diffie- Hellman private key Generated internall y during IKEv1/IKEv2 negotiation Stored in pl.
32 CSP CSP TYPE GENERATION STORAGE And ZEROIZATI ON USE WPA2 PSK 16 - 64 character shared secret used to authenticate mesh connections and in remote AP advanced configuration CO configured Encrypted in flash using the KEK; zeroized by updating through administrative interface, or by the ‘ap wipe out flash’ command.
33 CSP CSP TYPE GENERATION STORAGE And ZEROIZATI ON USE 802.11i Gro up Master Key (GMK) 256 -bit secret used to derive GTK Generated from appro ved RNG Stored in plaintext in volatile memory; zeroized o n reboot Used to derive Group Transient Key (GTK) 802.
34 7 Self T es t s The module perfor ms the follo wing Self Tests af ter being config ured into either Re mote AP mode or Remote Mesh P ortal mode. The module perfor ms both po wer-up and co nditional self -tests. In t he event an y self-test fails, the module enters an error state, lo gs the error, and reboo ts automatically.
35 Self-test results are written to the serial console. In the event of a K ATs failure, the AP logs different messages, dep ending on the error. For an ArubaOS OpenSS L AP module and ArubaOS c ryptog.
Ein wichtiger Punkt beim Kauf des Geräts Dell W-AP135 (oder sogar vor seinem Kauf) ist das durchlesen seiner Bedienungsanleitung. Dies sollten wir wegen ein paar einfacher Gründe machen:
Wenn Sie Dell W-AP135 noch nicht gekauft haben, ist jetzt ein guter Moment, um sich mit den grundliegenden Daten des Produkts bekannt zu machen. Schauen Sie zuerst die ersten Seiten der Anleitung durch, die Sie oben finden. Dort finden Sie die wichtigsten technischen Daten für Dell W-AP135 - auf diese Weise prüfen Sie, ob das Gerät Ihren Wünschen entspricht. Wenn Sie tiefer in die Benutzeranleitung von Dell W-AP135 reinschauen, lernen Sie alle zugänglichen Produktfunktionen kennen, sowie erhalten Informationen über die Nutzung. Die Informationen, die Sie über Dell W-AP135 erhalten, werden Ihnen bestimmt bei der Kaufentscheidung helfen.
Wenn Sie aber schon Dell W-AP135 besitzen, und noch keine Gelegenheit dazu hatten, die Bedienungsanleitung zu lesen, sollten Sie es aufgrund der oben beschriebenen Gründe machen. Sie erfahren dann, ob Sie die zugänglichen Funktionen richtig genutzt haben, aber auch, ob Sie keine Fehler begangen haben, die den Nutzungszeitraum von Dell W-AP135 verkürzen könnten.
Jedoch ist die eine der wichtigsten Rollen, die eine Bedienungsanleitung für den Nutzer spielt, die Hilfe bei der Lösung von Problemen mit Dell W-AP135. Sie finden dort fast immer Troubleshooting, also die am häufigsten auftauchenden Störungen und Mängel bei Dell W-AP135 gemeinsam mit Hinweisen bezüglich der Arten ihrer Lösung. Sogar wenn es Ihnen nicht gelingen sollte das Problem alleine zu bewältigen, die Anleitung zeigt Ihnen die weitere Vorgehensweise – den Kontakt zur Kundenberatung oder dem naheliegenden Service.