Dell PowerConnect W-Series FIPS Dell PowerConnect W-600 Controller Series Secu - Page 39

Ongoing Management, Crypto Officer Management, User Guidance

Get Dell PowerConnect W-Series FIPS PDF manuals and user guides View all Dell PowerConnect W-Series FIPS manuals
Add to My Manuals
Save this manual to your list of manuals

Page 39 highlights

Chapter 4 Ongoing Management The Aruba 620 and 650 Mobility Controllers meet FIPS 140-2 Level 2 requirements. The information below describe how to keep the switch in FIPS-approved mode of operation. The Crypto Officer must ensure that the switch is kept in a FIPS-approved mode of operation. Crypto Officer Management The Crypto Officer must ensure that the switch is always operating in a FIPS-approved mode of operation. This can be achieved by ensuring the following:  FIPS mode must be enabled on the switch before Users are permitted to use the switch (see "Enabling FIPS Mode" on page 39)  The admin role must be root.  Passwords must be at least six characters long.  VPN services can only be provided by IPsec or L2TP over IPsec.  Access to the switch Web Interface is permitted only using HTTPS over a TLS tunnel. Basic HTTP and HTTPS over SSL are not permitted.  Only SNMP read-only may be enabled.  Only FIPS-approved algorithms can be used for cryptographic services (such as HTTPS, L2, AES-CBC, SSH, and IKEv1/IKEv2-IPSec), which include AES, Triple-DES, SHA-1, HMAC SHA-1, and RSA signature and verification.  TFTP can only be used to load backup and restore files. These files are: Configuration files (system setup configuration), the WMS database (radio network configuration), and log files. (FTP and TFTP over IPsec can be used to transfer configuration files.)  The switch logs must be monitored. If a strange activity is found, the Crypto Officer should take the switch off line and investigate.  The Tamper-Evident Labels (TELs) must be regularly examined for signs of tampering.  The Crypto Officer shall not configure the Diffie-Hellman algorithm with 768-bits (Group 1) in FIPS mode for IKEv1/IKEv2-IPSec and SSH. User Guidance The User accesses the switch VPN functionality as an IPsec client. The user can also access the switch 802.11i functionality as an 802.11 client. Although outside the boundary of the switch, the User should be directed to be careful not to provide authentication information and session keys to others parties. Aruba 620, 650 and Dell W-620, W-650 | FIPS 140-2 Level 2 Release Supplement Ongoing Management | 37

  • 1
  • 2
  • 3
  • 4
  • 5
  • 6
  • 7
  • 8
  • 9
  • 10
  • 11
  • 12
  • 13
  • 14
  • 15
  • 16
  • 17
  • 18
  • 19
  • 20
  • 21
  • 22
  • 23
  • 24
  • 25
  • 26
  • 27
  • 28
  • 29
  • 30
  • 31
  • 32
  • 33
  • 34
  • 35
  • 36
  • 37
  • 38
  • 39
  • 40
  • 41
  • 42
Aruba 620, 650 and Dell W-620, W-650
|
FIPS 140-2 Level 2 Release Supplement
Ongoing Management
|
37
Chapter 4
Ongoing Management
The Aruba 620 and 650 Mobility Controllers meet FIPS 140-2 Level 2 requirements. The information below
describe how to keep the switch in FIPS-approved mode of operation. The Crypto Officer must ensure that
the switch is kept in a FIPS-approved mode of operation.
Crypto Officer Management
The Crypto Officer must ensure that the switch is always operating in a FIPS-approved mode of operation.
This can be achieved by ensuring the following:
FIPS mode must be enabled on the switch before Users are permitted to use the switch (see
“Enabling
FIPS Mode” on page 39
)
The admin role must be root.
Passwords must be at least six characters long.
VPN services can only be provided by IPsec or L2TP over IPsec.
Access to the switch Web Interface is permitted only using HTTPS over a TLS tunnel. Basic HTTP and
HTTPS over SSL are not permitted.
Only SNMP read-only may be enabled.
Only FIPS-approved algorithms can be used for cryptographic services (such as HTTPS, L2, AES-CBC,
SSH, and IKEv1/IKEv2-IPSec), which include AES, Triple-DES, SHA-1, HMAC SHA-1, and RSA signature
and verification.
TFTP can only be used to load backup and restore files. These files are: Configuration files (system
setup configuration), the WMS database (radio network configuration), and log files. (FTP and TFTP
over IPsec can be used to transfer configuration files.)
The switch logs must be monitored. If a strange activity is found, the Crypto Officer should take the
switch off line and investigate.
The Tamper-Evident Labels (TELs) must be regularly examined for signs of tampering.
The Crypto Officer shall not configure the Diffie-Hellman algorithm with 768-bits (Group 1) in FIPS
mode for IKEv1/IKEv2-IPSec and SSH.
User Guidance
The User accesses the switch VPN functionality as an IPsec client. The user can also access the switch
802.11i functionality as an 802.11 client. Although outside the boundary of the switch, the User should be
directed to be careful not to provide authentication information and session keys to others parties.