The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government computer security standard used to accredit cryptographic modules. The FIPS 140-2 publication coordinates requirements and standards for cryptographic modules that include both hardware and software components. United States federal agencies and departments may require their software, including the SMS, to comply with the 140-2 standard.
Operational Support

TippingPoint devices support the following levels of FIPS 140-2 Level 1 operation.

| Level | Description |
|---|---|
| Disabled | No FIPS-compliant actions or restrictions are active in the device. |
| (certain models only) | Devices operate in a manner that is fully compliant with the FIPS 140-2 publication. |

TippingPoint devices support FIPS 140-2 Level 1.

| Device | | |
|---|---|---|
| 660N, 1400N, 2500N, 5100N, 6100N | X | X |
| 2600NX, 5200NX, 6200NX, 7100NX, 7500NX | X | X |
| Security Management System (SMS) | X | X |
| Virtual Security Management System (vSMS) | X | |
| Threat Protection System (TPS/vTPS) | X | |
CAUTION: Transitioning a device to operate in FIPS mode implements changes to core elements. The transition:
- Deletes all existing device users.
- Removes all device snapshots stored on the device.
- Regenerates SSH and HTTPS security keys.
Because security must be tightened while the device is operating in FIPS mode, the following restrictions are in effect:
- Snapshots created on devices with FIPS mode enabled are not compatible with other devices that have FIPS mode disabled, or vice versa.
- The SSH terminal will only negotiate connections utilizing FIPS 140-2 approved algorithms.
- You cannot roll back to a previous TOS version if the device is currently in Full-FIPS mode and the previous TOS version was not.
- The password recovery option is no longer available. If a password is lost or fails, a Factory Reset must be performed.
- The user password security is restricted to a minimum level of 1.
- Both RADIUS and TACACS+ authentication use protocols that are not FIPS-compliant. Do not enable FIPS mode if you have remote authentication configured.
- Stand-alone devices in FIPS mode require manual installation of an authorized SSL key package that will enable TMC access. Each package is unique to each customer. SMS devices will automatically download the SSL key package, which can then be applied to any FIPS-supporting devices that are managed by the SMS.
Enable FIPS on an IPS device
Note: Before you can enable FIPS on a managed device, you must make sure that FIPS mode is disabled on the SMS. If the SMS does have FIPS mode enabled, enable FIPS on the device using the IPS CLI command fips-mode-enable.
- On the SMS, select Devices > All Devices > device, and then click Device Configuration.
- Select FIPS Settings.
- For FIPS Mode, select the Full radio button, and then click OK.
- Click Next when the Changing FIPS Mode wizard is displayed.
- Enter a username, enter and confirm your password, and then click Next.
- Review your choices and click Finish.
  - If the SMS can communicate with the TMC, it downloads and installs the FIPS key package.
  - If the SMS cannot communicate with the TMC, an error message instructs you to manually rekey the device:
    - Close the message and download the FIPS key package from the TMC to your computer.
    - After the device completes rebooting, navigate to System > Update > Install Package on the device LSM.
    - In Step 4 of the Install Package page, browse to your FIPS key package and click Install Package.
    - If you receive an error message, click OK, manually reboot the device, and repeat the previous two steps. The IPS should accept this second attempt to install the FIPS key package.
Verify that the device is in Full FIPS mode by doing any of the following:
- Enter sh fips on the device CLI.
- From the SMS UI, select the Device Configuration for your device and view the FIPS Mode status under Management Services.

Note: If you see a Socket Closed SMS error message when trying to add an IPS in FIPS mode, run the fips restore-ssl command from the IPS CLI. After running this command, navigate to System > Update > Install Package on the device LSM to reinstall the FIPS key package. This ensures that the IPS will use keys that meet FIPS strength requirements.
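The restriction listed earlier, that the SSH service negotiates only FIPS 140-2 approved algorithms, can be checked from a management workstation without logging in: run `ssh -vv` against the device and compare the server's KEXINIT proposal with an allow-list. The script below is an added example and is not part of this documentation or of the TippingPoint product. Its allow-list sets are assumptions drawn from the FIPS 140-2 approved primitives (AES and 3DES, HMAC with SHA-1/SHA-2, DH group14/16/18 and ECDH on NIST P-curves, RSA and ECDSA host keys) and should be confirmed against the module's security policy; the two transcripts are constructed in the shape of OpenSSH `ssh -vv` output, not captured from a device.

```python
import re

# Allow-lists of SSH algorithm names that map onto FIPS 140-2 approved
# primitives. ASSUMPTION of this example, not the device's security policy:
# confirm against the module's FIPS certificate before relying on them.
FIPS_APPROVED = {
    "kex": {
        "diffie-hellman-group14-sha1", "diffie-hellman-group14-sha256",
        "diffie-hellman-group16-sha512", "diffie-hellman-group18-sha512",
        "ecdh-sha2-nistp256", "ecdh-sha2-nistp384", "ecdh-sha2-nistp521",
    },
    "hostkey": {
        "ssh-rsa", "rsa-sha2-256", "rsa-sha2-512",
        "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384", "ecdsa-sha2-nistp521",
    },
    "cipher": {
        "aes128-ctr", "aes192-ctr", "aes256-ctr",
        "aes128-gcm@openssh.com", "aes256-gcm@openssh.com",
        "aes128-cbc", "aes192-cbc", "aes256-cbc", "3des-cbc",
    },
    "mac": {
        "hmac-sha1", "hmac-sha2-256", "hmac-sha2-512",
        "hmac-sha1-etm@openssh.com", "hmac-sha2-256-etm@openssh.com",
        "hmac-sha2-512-etm@openssh.com",
    },
}

# Labels OpenSSH prints in `ssh -vv` output, mapped onto the categories above.
_LABELS = {
    "KEX algorithms": "kex",
    "host key algorithms": "hostkey",
    "ciphers ctos": "cipher",
    "ciphers stoc": "cipher",
    "MACs ctos": "mac",
    "MACs stoc": "mac",
}
_LINE_RE = re.compile(
    r"^debug2: (KEX algorithms|host key algorithms|ciphers ctos|ciphers stoc"
    r"|MACs ctos|MACs stoc): (\S+)$"
)


def parse_server_proposal(verbose_log: str) -> dict:
    """Return {category: set(algorithms)} offered by the *server* in an
    `ssh -vv` transcript. Lines under 'local client KEXINIT proposal' are the
    client's own offer and are ignored; only the peer server section counts."""
    offered = {cat: set() for cat in FIPS_APPROVED}
    in_server_section = False
    for line in verbose_log.splitlines():
        line = line.strip()
        if "peer server KEXINIT proposal" in line:
            in_server_section = True
            continue
        if "local client KEXINIT proposal" in line:
            in_server_section = False
            continue
        m = _LINE_RE.match(line)
        if m and in_server_section:
            offered[_LABELS[m.group(1)]].update(m.group(2).split(","))
    return offered


def non_approved_offered(verbose_log: str) -> dict:
    """Return {category: sorted algorithms the server offers that are NOT on
    the allow-list}. All-empty lists mean only approved algorithms are offered."""
    offered = parse_server_proposal(verbose_log)
    return {cat: sorted(algs - FIPS_APPROVED[cat]) for cat, algs in offered.items()}


def offers_only_fips_algorithms(verbose_log: str) -> bool:
    """True when every algorithm in the server's proposal is on the allow-list."""
    return not any(non_approved_offered(verbose_log).values())


# Constructed transcripts (not captured from a real device) in the shape of
# `ssh -vv` output: a FIPS-restricted server, then a default OpenSSH server
# that still offers non-approved suites (curve25519, ed25519, chacha20, umac).
FIPS_SERVER_LOG = """\
debug2: local client KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,rsa-sha2-256
debug2: ciphers ctos: aes256-gcm@openssh.com,aes256-ctr,aes128-ctr
debug2: ciphers stoc: aes256-gcm@openssh.com,aes256-ctr,aes128-ctr
debug2: MACs ctos: hmac-sha2-256,hmac-sha2-512
debug2: MACs stoc: hmac-sha2-256,hmac-sha2-512
"""

DEFAULT_SERVER_LOG = """\
debug2: peer server KEXINIT proposal
debug2: KEX algorithms: curve25519-sha256,ecdh-sha2-nistp256,diffie-hellman-group14-sha256
debug2: host key algorithms: rsa-sha2-512,ssh-ed25519
debug2: ciphers ctos: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
debug2: ciphers stoc: chacha20-poly1305@openssh.com,aes256-gcm@openssh.com
debug2: MACs ctos: umac-128-etm@openssh.com,hmac-sha2-256
debug2: MACs stoc: umac-128-etm@openssh.com,hmac-sha2-256
"""

if __name__ == "__main__":
    for name, log in (("fips-restricted", FIPS_SERVER_LOG), ("default", DEFAULT_SERVER_LOG)):
        print(name, offers_only_fips_algorithms(log), non_approved_offered(log))
```

To use it against a live device, capture the transcript with `ssh -vv user@device 2> kex.log` (the client section is skipped automatically) and pass the file contents to `non_approved_offered`. Any non-empty list is an algorithm the device still offers that the allow-list does not accept, which is worth reconciling with the `sh fips` status before treating the device as Full FIPS.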
Enable FIPS on a TPS device
Note: When enabling FIPS mode on the device, review all the warning messages that display on the SMS.
- On the SMS, select Devices > All Devices > device, and then click Device Configuration.
- Select FIPS Settings.
- Select FIPS Mode Enabled.
- Click OK.