01-06-2013 01:09 PM - edited 01-06-2013 01:35 PM
I was posed a question by a customer recently; what makes the Aruba solution "FIPS 140-2 and Department of Defense (DoD) Directive 8100.2 ?
The potential customer is a small Indian reservation casino. They're required to follow specific gaming laws of which requires FIPS 140-2 for wireless communications. I know Aruba is the only out of the box wireless FIPS 140-2 solution. As part of my RFP response I would like to provide additional Aruba specs, specific to FIPS. I've worked on other casino projects in the past but the projects were sub systems and not directly connected to the casino network, which did not require the FIPS 140-2 certification.
If there are any supporing Aruba documents specific to Casino and Gaming that would be helpful ..
Can anyone point me to specific documentation to answer this ?
01-06-2013 06:52 PM
Two parts to this answer - FIPS and DoD 8100.2. For FIPS 140-2, you would be required to:
- Purchase specific FIPS models of controllers, and possibly APs. These part numbers are similar to the standard part numbers, but end in F1. There are specific hardware and firmware differences in these products from the standard versions which were required for FIPS compliance. In addition, -F1 products are TAA compliant (made in USA, or made in Singapore) which is a requirement for many government customers.
- Run the FIPS software versions, which you can find on the support site. Only specific versions of software are FIPS validated. You can find the complete list at http://csrc.nist.gov/groups/STM/cmvp/documents/140
-1/140val-all.htm (search for Aruba). For recent AOS software, version 188.8.131.52-FIPS is on the list. The next version will be 184.108.40.206-FIPS (highly recommended over 220.127.116.11).
- Operate the software in FIPS mode. This is a configuration knob in the software which disables all non-FIPS approved encryption algorithms.
Without using the correct hardware and software together, with the software in FIPS mode, the solution is not considered FIPS validated. All three are required together.
You MAY not need to purchase the FIPS model of APs. If your customer needs TAA compliant hardware, then you'll want the -F1 variant. If TAA is not important, and you plan to operate the APs with centralized encryption (the standard mode of operation for Aruba) then FIPS validated APs are technically not required, since the AP doesn't participate in encryption.
Second, DoD 8100.2. If you need a copy of the actual memo, it's here: https://acc.dau.mil/CommunityBrowser.aspx?id=18141. It doesn't take too long to read. Basically, it requires that you use encryption, and that the encryption must be FIPS 140-2 validated. Connections must be authenticated using a personally-identifiable credential (i.e. you can trace the session back to a specific user). And you must use a wireless IDS to detect DoS attacks and to detect unauthorized devices. Other requirements in the document are less obvious - you must be in compliance with DoD 8500.2 and 5200.40 which deal with certification and accreditation (this is more of an installation/deployment requirement than a product requirement, although it does want you to use products that are Common Criteria certified and are listed on the UC-APL, both of which Aruba has).
The more important DoD directive for WLAN is 8420.01. This is a newer document than 8100.2 and in many ways supersedes it. It was published in 2009, when the WLAN industry was much more mature than in 2004 when the first one came out. There's a very key requirement in there:
Validated Physical Security. APs used in unclassified WLANs should not be installed in unprotected environments due to an increased risk of tampering and/or theft. If installed in unprotected environments, APs that store plaintext cryptographic keying information shall be protected with added physical security to mitigate risks. DoD Components may choose products that meet FIPS 140-2 Overall Level 2, or higher, validation (to ensure that the AP provides validated tamper evidence, at a minimum). Alternatively, DoD Components may physically secure APs by placing them inside of securely mounted, pick-resistant, lockable enclosures.
This means that if you use an AP that does encryption/decryption, the AP must be inside a tamper-resistent enclosure. In addition, you must have an inspection schedule where each AP is checked every 30 days to make sure nobody tampered with it - that means comparing the tamper label on the unit with the recorded serial number, etc etc etc. It's a huge operational pain. With Aruba, using centralized encryption, the APs are OUTSIDE the security boundary and this is not applicable, since the APs contain no cleartext crypto keys.
So.. summary of advantages:
1. Certifications and accreditations (FIPS 140-2, Common Criteria EAL4, and UC-APL listing)
2. Centralized encryption
3. Integrated wireless IDS
More government information and materials at http://www.arubanetworks.com/solutions/government/. Unfortunately, I don't believe there's much on casinos, although we do have a number of customers in that industry. Maybe one of them will read this thread and reply.
Jon Green, ACMX, CISSP