Silex technology SX-500-1402 Server User Manual


 
In particular, the WPA2-WPA transition mode is NOT FIPS 140-2 compliant. Only networks
exclusively using WPA2 (AES-CCMP) encryption comply.
The current security settings for the device may be observed by logging into the unit web server
and navigating to the network security page, which will show the currently active and configured
values for the above parameters (and others). The settings may also be observed with the
configuration console command SHOW NW. This should be done after configuration and before
use to verify that the device is properly configured for the intended target environment.
The SX-500 is validated at level 1, which means it has no physical security beyond the physical
protection of its metal case, and is presumed to be used in a secure environment. If the unit is to
be left unused in an unsecured area, or is to be transported to a new location via unsupervised
means, it is recommended that the Cryptographic Officer zeroize the device. This is done with
the configuration console command ZEROKEYS. After zeroization the unit will need to be
reconfigured before wireless communication in FIPS compliant mode is possible.
The Cryptographic Officer must be aware that all configuration program inputs are in
plaintext for purposes of FIPS 140-2 compliance regardless of the transport encoding
used. The only FIPS 140-2 cryptographic protection claimed for this module is for the
wireless link between the unit and an associated Access Point.
If WPA2-PSK mode is being used, the PSK must be entered by the Cryptographic Officer
on an isolated network with the machine containing the Cryptographic Officer’s web browser
directly connected to the SX-500 and not connected via a LAN. The same is true for entry
of externally generated RSA private keys/public certificates.
The Cryptographic Officer must zeroize the module when transitioning the device
configuration from a FIPS 140-2 approved mode to a non-approved mode. The Cryptographic
Officer should zeroize the module before resetting the configuration to factory defaults. If
this is not possible because the configuration is being reset precisely because connection
to the unit is impossible, the unit must be zeroized after the configuration reset is
complete and connection has been restored.
There are two types of bypass states possible with the module (non-approved modes).
The first is to use any wireless encryption/authentication combination not specified above
as being FIPS 140-2 compliant and then reset the unit. The second is to configure the unit
to not be in Ethernet to Wireless mode, plug in a wired Ethernet cable, and then reset the
unit.
In addition to the wireless security settings above, the following settings must be made for
operation in FIPS 140-2 mode:
Item                              Required Setting
HTTPS                             Disabled (factory default)
S-Telnet                          Disabled (factory default)
TCP data service SSL              Disabled (factory default)
Serial port console mode string   NULL (disabled – factory default)
Serial port filter                TRAP (factory default)
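As an added example (not Silex code), the following Python script checks a hand-transcribed settings snapshot against the required settings listed above and the WPA2-only rule, and reports when the zeroize-on-transition rule applies. The key names and both sample snapshots are constructed for illustration; they are not SHOW NW output fields.

```python
"""Pre-use check of an SX-500 settings snapshot against the manual's FIPS 140-2 rules."""

# Hypothetical key names: the operator transcribes each value by hand from the
# network security web page or SHOW NW. They are not the device's field names.
REQUIRED = {
    "wireless_security": "wpa2",          # WPA2 (AES-CCMP) only, no WPA2-WPA transition
    "https": "disabled",
    "s_telnet": "disabled",
    "tcp_data_service_ssl": "disabled",
    "serial_console_mode_string": "null",
    "serial_port_filter": "trap",
}


def _norm(value):
    """Fold case and whitespace; an empty string or None counts as NULL."""
    text = "" if value is None else str(value).strip().lower()
    return text or "null"


def audit(settings):
    """Return a list of findings; an empty list means every rule is met."""
    findings = []
    for key, want in REQUIRED.items():
        if key not in settings:
            # An unobserved value is not evidence of compliance.
            findings.append(f"{key}: not recorded, cannot verify")
        elif _norm(settings[key]) != want:
            findings.append(f"{key}: is {settings[key]!r}, must be {want}")
    return findings


def zeroize_required(was_approved, new_settings):
    """ZEROKEYS is mandatory when leaving an approved configuration."""
    return was_approved and bool(audit(new_settings))


# Constructed snapshots, not captured from a device.
COMPLIANT = {
    "wireless_security": "WPA2", "https": "Disabled", "s_telnet": "Disabled",
    "tcp_data_service_ssl": "Disabled", "serial_console_mode_string": "",
    "serial_port_filter": "TRAP",
}
TRANSITION = dict(COMPLIANT, wireless_security="WPA2-WPA", https="Enabled")

if __name__ == "__main__":
    for name, snap in (("compliant", COMPLIANT), ("transition", TRANSITION)):
        print(name, audit(snap) or "OK")
```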
Introduction Silex Page 6
Part Number 140-00188-210A