Operational Support:
TippingPoint devices support the following levels of FIPS 140-2 Level 1 operation.
Disabled: No FIPS-compliant actions or restrictions are active in the device.
Crypto Only:
  1. Only the connection between the SSH client and the SMS server is affected by this mode.
  2. When a connection is made from an SSH client to the SMS server, the SSH client negotiates connections using only FIPS 140-2 approved algorithms.
  3. You must reboot the device for the system to operate in FIPS Cryptography mode.
Full-FIPS (certain models only): Devices operate in a manner that fully complies with the FIPS 140-2 publication.

TippingPoint devices support FIPS 140-2 Level 1.
| Device | Crypto-Mode | FIPS-Mode |
| --- | --- | --- |
| Security Management System (SMS) | X | X |
| Virtual Security Management System (vSMS) | X | |
| Threat Protection System (TPS) | | X |

WARNING: Transitioning a device to operate in FIPS mode implements changes to core elements. The transition:
  • Deletes all existing device users.
  • Removes all device snapshots stored on the device.
  • Regenerates SSH and HTTPS security keys.

Because security must be tightened while the device is operating in FIPS mode, the following restrictions are in effect:

  • Snapshots created on devices with FIPS mode enabled are not compatible with other devices that have FIPS mode disabled, or vice versa.
  • The SSH terminal will only negotiate connections utilizing FIPS 140-2 approved algorithms.
  • You cannot roll back to a previous TOS version if the device is currently in Full-FIPS mode and the previous TOS version was not.
  • The password recovery option is no longer available. In case of a password failure, a "Factory Reset" will have to be performed.
  • The user password security is restricted to a minimum level of 1.
  • Both RADIUS and TACACS+ authentication use protocols that are not FIPS-compliant. Do not enable FIPS mode if you have remote authentication configured.
  • Stand-alone devices in FIPS mode require manual installation of an authorized SSL key package that will enable TMC access. Each package is unique to each customer. SMS devices will automatically download the SSL key package, which can then be applied to any FIPS-supporting devices that are managed by the SMS.
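
An added example, not part of the original article or of any TippingPoint tooling: a pre-check of which of an SSH client's algorithms would survive the FIPS-only negotiation described in the restrictions above. The allow-list, the `category: alg,alg` input format and the sample offer are assumptions constructed for illustration; the algorithm names are OpenSSH's, as printed by `ssh -Q kex`, `ssh -Q cipher` and `ssh -Q mac`.

```python
# Assumption: illustrative allow-list of OpenSSH algorithm names built on
# FIPS 140-2 approved primitives (AES, HMAC-SHA, NIST-curve ECDH, finite-field
# DH). It is not the device's own list; AES-GCM is left out so that every
# usable cipher also needs a usable MAC.
FIPS_ALLOWED = {
    "kex": {"ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
            "diffie-hellman-group14-sha256", "diffie-hellman-group16-sha512",
            "diffie-hellman-group-exchange-sha256"},
    "cipher": {"aes128-ctr", "aes192-ctr", "aes256-ctr",
               "aes128-cbc", "aes256-cbc"},
    "mac": {"hmac-sha1", "hmac-sha2-256", "hmac-sha2-512",
            "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com"},
}

def parse_offer(text):
    """Parse 'category: alg1,alg2' lines into {category: [algs in client order]}."""
    offer = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        category, _, algs = line.partition(":")
        offer[category.strip().lower()] = [a.strip() for a in algs.split(",") if a.strip()]
    return offer

def fips_audit(offer):
    """Return (per-category usable/rejected lists, categories with nothing usable)."""
    report, blocked = {}, []
    for category, allowed in FIPS_ALLOWED.items():
        offered = offer.get(category, [])
        usable = [a for a in offered if a in allowed]
        report[category] = {"usable": usable,
                            "rejected": [a for a in offered if a not in allowed]}
        if not usable:  # no common algorithm: the SSH handshake cannot complete
            blocked.append(category)
    return report, blocked

# Constructed sample: a client that prefers non-FIPS algorithms and offers no FIPS MAC.
SAMPLE_OFFER = """
kex: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
cipher: chacha20-poly1305@openssh.com,aes256-ctr,aes128-ctr
mac: umac-128-etm@openssh.com,hmac-md5
"""

if __name__ == "__main__":
    report, blocked = fips_audit(parse_offer(SAMPLE_OFFER))
    for category, result in report.items():
        print(f"{category:7} usable={result['usable']} rejected={result['rejected']}")
    print("categories with no FIPS-usable algorithm:", blocked or "none")
```

Any category reported as blocked means the client configuration has to be extended before FIPS mode is enabled, otherwise SSH access to the device is lost after the transition.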

Enable FIPS on a TPS device.

 
NOTE: When enabling FIPS mode on the device, review all the warning messages that are displayed on the SMS.
  1. On the SMS, select Devices > All Devices > device, and then click Device Configuration.
  2. Select FIPS Settings.
  3. Select FIPS Mode Enabled.
  4. Click OK.

Verify that the device is in Full FIPS mode by doing any of the following:

  • Enter sh fips on the CLI, or, from the SMS UI, select the Device Configuration for your device and view the FIPS Mode status under Management Services.
    • If you see a Socket Closed SMS error message when adding an IPS in FIPS mode, run the fips restore-ssl command from the IPS CLI.
    • After running this command, navigate to System > Update > Install Package on the device LSM to reinstall the FIPS key package. This ensures that the IPS will use keys that meet FIPS strength requirements.