- 10-Security Configuration Guide
17-FIPS Configuration
FIPS overview
The Federal Information Processing Standard (FIPS) 140-2, developed by the National Institute of Standards and Technology (NIST) of the United States, specifies the security requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named Level 1 (lowest) through Level 4 (highest). The device supports Level 2.
Unless otherwise noted, FIPS in the document refers to FIPS 140-2.
Configuring FIPS
After you enable FIPS mode, the system enforces stricter security requirements and runs self-tests on its cryptographic modules to verify that they operate correctly.
Prerequisites
Before enabling FIPS mode, complete the following tasks:
· Configure the login username and password. The password must be at least 6 characters long and must contain uppercase letters, lowercase letters, digits, and special characters.
· Delete all MD5-based digital certificates.
· Delete all DSA key pairs with a modulus length of less than 1024 bits, and delete all RSA key pairs.
Enabling FIPS mode
After you enable FIPS mode, you must restart the device for the setting to take effect.
To enable FIPS mode:
Step | Command | Remarks
---|---|---
1. Enter system view. | system-view | N/A
2. Enable FIPS mode. | fips mode enable | Disabled by default.
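The prerequisites and the enabling step above, as one illustrative CLI session. This is an added example, not a session from the guide or from the vendor: the username fipsadmin, the password, the PKI domain name oldmd5 and the prompt Sysname are made up, and the local-user, pki delete-certificate and public-key local destroy commands are taken from the AAA, PKI and Public Key chapters of this guide, so check their exact syntax (in particular the password keyword, which differs between releases) against the chapter for your release.

```text
<Sysname> system-view
[Sysname] local-user fipsadmin
[Sysname-luser-fipsadmin] password simple Fips#Mode2024
[Sysname-luser-fipsadmin] service-type ssh
[Sysname-luser-fipsadmin] authorization-attribute level 3
[Sysname-luser-fipsadmin] quit
[Sysname] pki delete-certificate local domain oldmd5
[Sysname] pki delete-certificate ca domain oldmd5
[Sysname] public-key local destroy rsa
[Sysname] public-key local destroy dsa
[Sysname] fips mode enable
[Sysname] save
[Sysname] quit
<Sysname> reboot
<Sysname> display fips status
```

The password meets the stated rule (at least 6 characters, with upper case, lower case, digit and special character). The two destroy commands and reboot each ask for confirmation; answer Y. The example destroys every local DSA pair rather than only those shorter than 1024 bits, which is the simpler choice when none is worth keeping; after the reboot, regenerate host keys with public-key local create rsa (or dsa) so that they are created under the FIPS-mode length limits, then confirm the mode with display fips status.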
Settings changed by enabling FIPS mode
After you enable FIPS mode and restart the device, the following changes take effect:
· The FTP and TFTP servers are disabled.
· The Telnet server is disabled.
· The HTTP server is disabled.
· SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
· The SSL server supports only TLS 1.0.
· The SSH server does not accept SSHv1 clients.
· Generated RSA and DSA key pairs have a modulus length of 1024 to 2048 bits.
· SSH, SNMPv3, IPsec and SSL do not support DES, RC4, or MD5.
These limits belong to this device release, not to FIPS 140-2 itself: current NIST guidance (SP 800-131A) no longer accepts 1024-bit RSA or DSA keys for signature generation, and SP 800-52 requires TLS 1.2, so choose 2048-bit keys and check what your management clients require before enabling the mode.
FIPS self-tests
When the device operates in FIPS mode, it runs power-up self-tests and conditional self-tests to ensure that the cryptographic modules work correctly. If a test of either type fails, the device restarts.
Power-up self-tests
Power-up self-tests, also called "known-answer tests", verify that the FIPS-allowed cryptographic algorithms produce correct results. Each algorithm is run on input for which the correct output is already known, and the computed output is compared with the known answer. If the two are not identical, the known-answer test fails.
Power-up self-tests check the following cryptographic algorithms: DSA (signature and authentication), RSA (signature and authentication), RSA (encryption and decryption), AES, 3DES, SHA1, HMAC-SHA1, and random number generator algorithms.
Conditional self-tests
Conditional self-tests run when an asymmetric cryptographic module or a random number generator module is invoked. They include the following:
· Pair-wise consistency test—Run when a DSA or RSA key pair is generated. The test encrypts a plaintext with the public key and decrypts the result with the private key. If decryption recovers the plaintext, the test succeeds; otherwise it fails.
· Continuous random number generator test—Run each time a random number is generated. If two consecutive random numbers differ, the test succeeds; otherwise it fails. This test also runs when a DSA or RSA key pair is generated.
Triggered self-test
To verify that the cryptographic modules operate correctly, you can trigger a self-test on the cryptographic algorithms at any time. The triggered self-test is identical to the power-up self-test that runs when the device starts up.
If the self-test fails, the device automatically reboots.
To trigger a self-test:
Task | Command
---|---
Trigger a self-test. | fips self-test
Displaying and maintaining FIPS
Task | Command | Remarks
---|---|---
Display the FIPS status. | display fips status | Available in any view.