DISA STIGS Viewer

The network element must protect wireless access to the system using Federal Information Processing Standard (FIPS)-validated Advanced Encryption Standard (AES) block cipher algorithms with an approved confidentiality mode.

Overview

Finding ID: V-266560
Version: ARBA-NT-000130
Rule ID: SV-266560r1040170_rule
IA Controls:
Severity: Medium
Description
Allowing devices and users to connect to the system without first authenticating them allows untrusted access and can lead to a compromise or attack. Because wireless communications can be intercepted, encryption must be used to protect the confidentiality of information in transit. Wireless technologies include, for example, microwave, packet radio (UHF/VHF), 802.11x, and Bluetooth. Wireless networks use authentication protocols (e.g., Extensible Authentication Protocol (EAP)/Transport Layer Security (TLS) and Protected EAP [PEAP]), which provide credential protection and mutual authentication. This requirement applies to operating systems that control wireless devices.

A block cipher mode is an algorithm that uses a symmetric-key block cipher to provide an information service, such as confidentiality or authentication. AES is the FIPS-validated block cipher algorithm approved for use in the DOD. For an algorithm implementation to be listed on a FIPS 140-2/140-3 cryptographic module validation certificate as an approved security function, the implementation must meet all the requirements of FIPS 140-2/140-3 and must successfully complete the cryptographic algorithm validation process. Currently, the National Institute of Standards and Technology (NIST) has approved the following confidentiality modes for use with AES: ECB, CBC, OFB, CFB, CTR, XTS-AES, FF1, FF3, CCM, GCM, KW, KWP, and TKW.

Satisfies: SRG-NET-000070, SRG-NET-000151
STIG: HPE Aruba Networking AOS Wireless Security Technical Implementation Guide
Date: 2024-10-29

Details

Check Text (C-70484r1040168_chk)
Verify the AOS configuration with the following commands:
show fips
show ap system-profile

For each configured ap system profile:
show ap system-profile <profile-name> | include FIPS

If FIPS is not enabled, this is a finding.
Fix Text (F-70387r1040169_fix)
Configure AOS with the following command:
configure terminal

For each ap system-profile, run the following commands:
ap system-profile <profile-name>
fips-enable
exit
fips enable
write memory
reload
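As an added example (not part of the STIG or of any HPE Aruba tooling), the following script evaluates captured output of the check commands above against this rule and renders the Fix Text command sequence for every profile that fails. The sample command output is constructed, and the assumption that the relevant line begins with "FIPS" and ends in "Enabled" or "Disabled" must be confirmed against the real AOS output before relying on it.

```python
import re

# Constructed sample captures of "show fips" and of
# "show ap system-profile <name> | include FIPS". The real AOS column
# layout may differ (assumption), so only a leading "FIPS" token and an
# Enabled/Disabled keyword on the same line are relied upon.
SHOW_FIPS = "FIPS Settings:\nFIPS Mode :Enabled\n"
PROFILE_OUTPUTS = {
    "default":   'AP system profile "default"\nFIPS Enable      Enabled\n',
    "guest-aps": 'AP system profile "guest-aps"\nFIPS Enable      Disabled\n',
    # No FIPS line at all: the checker must not silently treat this as a pass.
    "lab-aps":   'AP system profile "lab-aps"\nLED operating mode   normal\n',
}

FIPS_LINE = re.compile(r"^\s*fips\b.*?\b(enabled|disabled)\b",
                       re.IGNORECASE | re.MULTILINE)


def fips_state(output):
    """True if a FIPS line says Enabled, False if Disabled, None if absent."""
    m = FIPS_LINE.search(output)
    if m is None:
        return None
    return m.group(1).lower() == "enabled"


def evaluate(show_fips_output, profile_outputs):
    """Return a list of finding strings; an empty list means the rule passes."""
    findings = []
    if fips_state(show_fips_output) is not True:
        findings.append("global: FIPS mode not enabled")
    for name, out in profile_outputs.items():
        state = fips_state(out)
        if state is None:
            findings.append(f"{name}: no FIPS line in output; verify manually")
        elif not state:
            findings.append(f"{name}: FIPS not enabled")
    return findings


def fix_commands(profiles):
    """Render the Fix Text sequence from this STIG for the given profiles."""
    cmds = ["configure terminal"]
    for name in profiles:
        cmds += [f"ap system-profile {name}", "fips-enable", "exit"]
    cmds += ["fips enable", "write memory", "reload"]
    return cmds


if __name__ == "__main__":
    for line in evaluate(SHOW_FIPS, PROFILE_OUTPUTS):
        print("FINDING", line)
    print("\n".join(fix_commands(["guest-aps"])))
```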