Two parts to this answer - FIPS and DoD 8100.2. For FIPS 140-2, you would be required to:
- Purchase specific FIPS models of controllers, and possibly APs. These part numbers are similar to the standard part numbers, but end in -F1. There are specific hardware and firmware differences in these products from the standard versions which were required for FIPS compliance. In addition, -F1 products are TAA compliant (made in the USA, or made in Singapore), which is a requirement for many government customers.
- Run the FIPS software versions, which you can find on the support site. Only specific versions of software are FIPS validated. You can find the complete list at http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140val-all.htm (search for Aruba). For recent AOS software, version 6.1.2.3-FIPS is on the list. The next version will be 6.1.4.1-FIPS (highly recommended over 6.1.2.3).
- Operate the software in FIPS mode. This is a configuration knob in the software which disables all non-FIPS-approved encryption algorithms.
Without using the correct hardware and software together, with the software in FIPS mode, the solution is not considered FIPS validated. All three are required together.
You MAY not need to purchase the FIPS model of APs. If your customer needs TAA compliant hardware, then you'll want the -F1 variant. If TAA is not important, and you plan to operate the APs with centralized encryption (the standard mode of operation for Aruba) then FIPS validated APs are technically not required, since the AP doesn't participate in encryption.
Second, DoD 8100.2. If you need a copy of the actual memo, it's here: https://acc.dau.mil/CommunityBrowser.aspx?id=18141. It doesn't take too long to read. Basically, it requires that you use encryption, and that the encryption must be FIPS 140-2 validated. Connections must be authenticated using a personally-identifiable credential (i.e., you can trace the session back to a specific user). And you must use a wireless IDS to detect DoS attacks and to detect unauthorized devices. Other requirements in the document are less obvious - you must be in compliance with DoD 8500.2 and 5200.40, which deal with certification and accreditation (this is more of an installation/deployment requirement than a product requirement, although it does want you to use products that are Common Criteria certified and are listed on the UC-APL, both of which Aruba has).
The more important DoD directive for WLAN is 8420.01. This is a newer document than 8100.2 and in many ways supersedes it. It was published in 2009, when the WLAN industry was much more mature than in 2004 when the first one came out. There's a very key requirement in there:
Validated Physical Security. APs used in unclassified WLANs should not be installed in unprotected environments due to an increased risk of tampering and/or theft. If installed in unprotected environments, APs that store plaintext cryptographic keying information shall be protected with added physical security to mitigate risks. DoD Components may choose products that meet FIPS 140-2 Overall Level 2, or higher, validation (to ensure that the AP provides validated tamper evidence, at a minimum). Alternatively, DoD Components may physically secure APs by placing them inside of securely mounted, pick-resistant, lockable enclosures.
This means that if you use an AP that does encryption/decryption, the AP must be inside a tamper-resistant enclosure. In addition, you must have an inspection schedule where each AP is checked every 30 days to make sure nobody tampered with it - that means comparing the tamper label on the unit with the recorded serial number, etc etc etc. It's a huge operational pain. With Aruba, using centralized encryption, the APs are OUTSIDE the security boundary and this is not applicable, since the APs contain no cleartext crypto keys.
So, a summary of advantages:
1. Certifications and accreditations (FIPS 140-2, Common Criteria EAL4, and UC-APL listing)
2. Centralized encryption
3. Integrated wireless IDS
More government information and materials at http://www.arubanetworks.com/solutions/government/. Unfortunately, I don't believe there's much on casinos, although we do have a number of customers in that industry. Maybe one of them will read this thread and reply.
---
Jon Green, ACMX, CISSP
Aruba Networks Government Solutions