Linux WiFi array certified FIPS 140-2
Jan. 17, 2008

A provider of Linux-based WiFi arrays announced certification by the National Institute for Standards and Technology (NIST). The cryptographic module in Xirrus's 802.11a/b/g-compliant "WiFi Arrays" has received Federal Information Processing Standards (FIPS) 140-2 validation, says the company, opening the door to more U.S. government markets.

FIPS 140 (Federal Information Processing Standard 140) is a formal testing program for encryption modules comprised of both hardware and software. Xirrus's WiFi Arrays are based on PowerPC-based control-plane processors, and appear to have cryptographic modules comprised of Linux middleware and a "re-programmable" hardware component implemented on a dedicated FPGA (field-programmable gate array).

FIPS 140-2 is the current version of the standard, having replaced the older FIPS-1 in 2001. A FIPS 140-3 version is currently under development. In order to receive FIPS 140-2 certification, crypto module vendors must submit their products to an independent lab for testing, as depicted below.


FIPS 140-2 certification process flow
(Source: NIST)


The Xirrus WiFi Arrays are positioned as wireless replacements for managed Ethernet workgroup switches. Whereas most WiFi arrays use centralized controllers, the Xirrus arrays use mesh networking to place intelligence, processing, and encryption power at the edge of the network, according to the company.

Xirrus claims its Arrays offer the industry's highest level of AES/WPA2 encryption processing, on a per radio basis. The Arrays are also touted as the only FIPS-certified, multi-mode mesh WiFi repeaters capable of Fast and Gigabit Ethernet-like performance.

Each Array unit integrates 4-16 radios, with each radio serving as a dedicated backhaul to another array. The high-end, 16-radio Array is claimed to support coverage areas of up to 125,000 square feet, and bandwidths of up to 864Mbps -- equivalent to a 24-port managed Fast Ethernet Switch, Xirrus suggests. Xirrus also offers Array models with eight and four radios.


(L-R) Xirrus's 16-radio XS-3900, 8-radio XS-3700, and 4-radio XS-3500


Additional Array hardware features include dual load-balanced Gigabit Ethernet uplinks, a console port, and PCI-X expansion slots. (For more hardware details, see below.)

The Xirrus arrays run a custom Linux implementation called "ArrayOS." The OS offers a Web interface and a console shell (optionally accessible via ssh). It supports both FIPS and non-FIPS compliant protocols, including:
  • FIPS 140-2 compliant:
    • AES ECB, CBC 128-bit (encryption)
    • AES CCM
    • HMAC
    • SHA-1
    • RSA
  • Non-FIPS compliant:
    • RC4 for encryption/decryption in TKIP and WEP
    • MD5
    • Software RNG (/dev/urandom)

For convenience, admins can issue the command "fips on" at the Xirrus_Wi-Fi_Array(config)# prompt when FIPS compliance is required. Issuing "fips off" then reverts the device to its previous configuration. Alternatively, when FIPS mode is required, they can verify the settings depicted in the following screenshots of the web interface:


Putting a Xirrus Array in FIPS mode

Additional touted software features of ArrayOS include:
  • Dedicated WiFi threat sensor
  • Rules-based "stateful" firewall
  • Payment Card Industry (PCI) security compliance
  • Spectrum analyzer for DoS attacks and RF analysis
  • Policy-based user groups and RADIUS/802.1x authentication
  • Captive web portals for guest-user authentication and control
  • Self-monitoring for high availability


Xirrus Array architecture
(Source: Xirrus; all rights reserved)

Looking beneath the casing of a WiFi Array (see image above), one can see the CompactFlash boot and storage device sitting side by side with the PowerPC processor, with system and packet RAM located farther off to the left and right, respectively. The PCI-X slot sits to the right of the packet RAM. Surrounding the main board are four radio modules that can be removed like slices of a pie. The modules link up to "a" antennas interspersed with "a/b/g" antennas, plus 3 antenna extensions. The threat-sensor chip sits off to the edge. Elements of the WiFi Array hardware design are covered by US Patent D526,973 S, Xirrus said, with other patents pending.

Additional specs for the WiFi Arrays include:
  • Processor -- 825MHz PowerPC
  • Three FPGAs, one for 802.11 MAC, one for encryption, and the other for queuing and translation
  • Memory -- 768MB RAM (expandable); 128MB Flash
  • Bandwidth -- 864Mbps aggregate
  • Coverage -- 125,000 square feet
  • Interfaces -- 2 x GigE; 1 x 10/100; 1 RS232
  • Antennas -- 12 6dBi 60-degrees 802.11a; 4 3dBi 180-degree 802.11a/b/g; 1 internal 2dBi 360-degree omnidirectional
  • Dimensions -- 18.65 diameter x 3.87 height (473.6 x 98.3mm)
  • Weight -- 10 pounds
Xirrus is beta-testing a software update that, along with new radio modules, adds support for 802.11n. Now due for completion by the IEEE in September, the long-delayed, much debated 802.11n standard is expected to offer about twice the range of 802.11g, with far greater bandwidth: from 300- to 600Mbps depending on the configuration. In November, Xirrus announced a research collaboration with Carnegie Mellon University (CMU) around 802.11n WiFi. Xirrus will help the Pittsburgh-based university deploy campus-wide 802.11abgn WiFi, with CMU helping to tune Xirrus's Linux-based "ArrayOS."

The FIPS 140-2 certification document available here suggests that Xirrus's cryptographic module was the 895th to receive FIPS certification. The certification covers the module found in Xirrus Models XS-3900, XS-3700, XS-3500, WFX-3900, WFX-3700, WFX-3500, XS16, XS8, and XS4.


