Linux WiFi array certified FIPS 140-2
Jan 17, 2008 — by Eric Brown — from the LinuxDevices Archive
A provider of Linux-based WiFi arrays announced certification by the National Institute for Standards and Technology (NIST). The cryptographic module in Xirrus's 802.11a/b/g-compliant “WiFi Arrays” has received Federal Information Processing Standards (FIPS) 140-2 validation, says the company, opening the door to more U.S. government markets.
FIPS 140 (Federal Information Processing Standard 140) is a formal testing program for encryption modules comprised of both hardware and software. Xirrus's WiFi Arrays are based on PowerPC-based control-plane processors, and appear to have cryptographic modules comprised of Linux middleware and a “re-programmable” hardware component implemented on a dedicated FPGA (field-programmable gate array).
FIPS 140-2 is the current version of the standard, having replaced the older FIPS-1 in 2001. A FIPS 140-3 version is currently under development. In order to receive FIPS 140-2 certification, crypto module vendors must submit their products to an independent lab for testing, as depicted below.
FIPS 140-2 certification process flow
(Source: NIST)
The Xirrus WiFi Arrays are positioned as wireless replacements for managed Ethernet workgroup switches. Whereas most WiFi arrays use centralized controllers, the Xirrus arrays use mesh networking to place intelligence, processing, and encryption power at the edge of the network, according to the company.
Xirrus claims its Arrays offer the industry's highest level of AES/WPA2 encryption processing, on a per radio basis. The Arrays are also touted as the only FIPS-certified, multi-mode mesh WiFi repeaters capable of Fast and Gigabit Ethernet-like performance.
Each Array unit integrates 4-16 radios, with each radio serving as a dedicated backhaul to another array. The high-end, 16-radio Array is claimed to support coverage areas of up to 125,000 square feet, and bandwidths of up to 864Mbps — equivalent to a 24-port managed Fast Ethernet Switch, Xirrus suggests. Xirrus also offers Array models with eight and four radios.
(L-R) Xirrus's 16-radio XS-3900, 8-radio XS-3700, and 4-radio XS-3500
Additional Array hardware features include dual load-balanced Gigabit Ethernet uplinks, a console port, and PCI-X expansion slots. (For more hardware details, see below.)
The Xirrus arrays run a custom Linux implementation called “ArrayOS.” The OS offers a Web interface and a console shell (optionally accessible via ssh). It supports both FIPS and non-FIPS compliant protocols, including:
- FIPS 140-2 compliant:
  - AES ECB, CBC 128-bit (encryption)
  - AES CCM
  - HMAC
  - SHA-1
  - RSA
- Non-FIPS compliant:
  - RC4 for encryption/decryption in TKIP and WEP
  - MD5
  - Software RNG (/dev/urandom)
For convenience, admins can issue the command `Xirrus_Wi-Fi_Array(config)# fips on` when FIPS compliance is required. Issuing `fips off` then reverts the device to its previous configuration. Alternatively, when FIPS mode is required, they can verify the settings depicted in the following screenshots of the web interface:
Putting a Xirrus Array in FIPS mode
Additional touted software features of Array OS include:
- Dedicated WiFi threat sensor
- Rules-based “stateful” firewall
- Payment Card Industry (PCI) security compliance
- Spectrum analyzer for DoS attacks and RF analysis
- Policy-based user groups and RADIUS/802.1x authentication
- Captive web portals for guest-user authentication and control
- Self-monitoring for high availability
Xirrus Array architecture
(Source: Xirrus; all rights reserved.)
Looking beneath the casing of a WiFi Array (see image above), one can see the CompactFlash boot and storage device sitting side by side with the PowerPC processor, with system and packet RAM located farther off to the left and right, respectively. The PCI-X slot sits to the right of the packet RAM. Surrounding the main board are four radio modules that can be removed like slices of a pie. The modules link up to “a” antennas interspersed with “a/b/g” antennas, plus 3 antenna extensions. The threat-sensor chip sits off to the edge. Elements of the WiFi Array hardware design are covered by US Patent D526,973 S, Xirrus said, with other patents pending.
Additional specs for the WiFi Arrays include:
- Processor — 825MHz PowerPC
- Three FPGAs, one for 802.11 MAC, one for encryption, and the other for queuing and translation
- Memory — 768MB RAM (expandable); 128MB Flash
- Bandwidth — 864Mbps aggregate
- Coverage — 125,000 square feet
- Interfaces — 2 x GigE; 1 x 10/100; 1 RS232
- Antennas — 12 6dBi 60-degrees 802.11a; 4 3dBi 180-degree 802.11a/b/g; 1 internal 2dBi 360-degree omnidirectional
- Dimensions — 18.65-inch diameter x 3.87-inch height (473.6 x 98.3mm)
- Weight — 10 pounds
Xirrus is beta-testing a software update that, along with new radio modules, adds support for 802.11n. Now due for completion by the IEEE in September, the long-delayed, much debated 802.11n standard is expected to offer about twice the range of 802.11g, with far greater bandwidth: from 300- to 600Mbps depending on the configuration. In November, Xirrus announced a research collaboration with Carnegie Mellon University (CMU) around 802.11n WiFi. Xirrus will help the Pittsburgh-based university deploy campus-wide 802.11abgn WiFi, with CMU helping to tune Xirrus's Linux-based “ArrayOS.”
The FIPS 140-2 certification document available here suggests that Xirrus's cryptographic module was the 895th to receive FIPS certification. The certification covers the module found in Xirrus Models XS-3900, XS-3700, XS-3500, WFX-3900, WFX-3700, WFX-3500, XS16, XS8, and XS4.
This article was originally published on LinuxDevices.com and has been donated to the open source community by QuinStreet Inc.