Login
- Table of Contents
-
- 11-Security Configuration Guide
- 00-Preface
- 01-Security Overview
- 02-AAA Configuration
- 03-802.1X Configuration
- 04-MAC Authentication Configuration
- 05-Portal Configuration
- 06-Password Control Configuration
- 07-Public Key Configuration
- 08-IPsec Configuration
- 09-SSH Configuration
- 10-Blacklist Configuration
- 11-TCP and ICMP Attack Protection Configuration
- 12-IP Source Guard Configuration
- 13-ARP Attack Protection Configuration
- 14-ND Attack Defense Configuration
- 15-URPF Configuration
- 16-PKI Configuration
- 17-SSL Configuration
- 18-FIPS Configuration
- 19-Attack Detection and Protection Configuration
- Related Documents
-
| Title | Size | Download |
|---|---|---|
| 18-FIPS Configuration | 86.62 KB |
Contents
Overview
The Federal Information Processing Standard (FIPS) 140-2, developed by the National Institute of Standard and Technology (NIST) of the United States, specifies the security requirements for cryptographic modules. FIPS 140-2 defines four levels of security, simply named "Level 1" to "Level 4" from low to high. The device supports Level 2.
Unless otherwise noted, FIPS in the document refers to FIPS 140-2.
FIPS self-tests
When the device works in FIPS mode, it has self-test mechanisms, including the power-up self-test and conditional self-tests, to ensure the normal operation of cryptography modules. You can also trigger a self-test. If a self-test fails, the device restarts.
Power-up self-test
The power-up self-test, also called "known-answer test", examines the availability of FIPS-allowed cryptographic algorithms. A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer. If they are not identical, the known-answer test fails.
The power-up self-test examines the following cryptographic algorithms: DSA (signature and authentication), RSA (signature and authentication), RSA (encryption and decryption), AES, 3DES, SHA1, SHA256, SHA512, HMAC-SHA1, and random number generator algorithms.
Conditional self-tests
A conditional self-test runs when an asymmetrical cryptographic module or a random number generator module is invoked. Conditional self-tests include the following types:
· Pair-wise consistency test—This test is run when a DSA/RSA asymmetrical key-pair is generated. It uses the public key to encrypt a plain text, and uses the private key to decrypt the encrypted text. If the decryption is successful, the test succeeds. Otherwise, the test fails.
· Continuous random number generator test—This test is run when a random number is generated. If two consecutive random numbers are different, the test succeeds. Otherwise, the test fails. This test is also run when a DSA/RSA asymmetrical key pair is generated.
Triggering self-tests
To examine whether the cryptography modules operate correctly, you can use a command to trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test.
To trigger a self test:
|
Step |
Command |
|
1. Enter system view. |
system-view |
|
2. Trigger a self-test. |
fips self-test |
Configuring FIPS
After you enable FIPS mode, the system has strict security requirements, and performs self-test on cryptography modules to make sure that they work correctly. For Common Criteria (CC) evaluation in FIPS mode, the switch also works in an operating mode that complies with the CC standard.
Before enabling FIPS mode, complete the following tasks:
· Configure the login username and password.
The password must comprise no less than 8 characters and must contain uppercase and lowercase letters, digits, and special characters.
· Delete all MD5-based digital certificates.
· Delete all key pairs.
To configure FIPS, complete the following tasks:
1. Enable the FIPS mode.
2. Enable the password control function.
3. Configure local user attributes (including local username, service type, and password) on the switch.
4. Save the configuration.
5. Restart the switch to enter FIPS mode.
Enabling FIPS mode
|
Step |
Command |
Remarks |
|
3. Enter system view. |
system-view |
N/A |
|
4. Enable FIPS mode. |
fips mode enable |
Not enabled by default. |
After you enable FIPS mode and restart the switch, the following changes occur:
· FTP/TFTP is disabled.
· Telnet is disabled.
· HTTP is disabled.
· SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
· SSL only supports TLS1.0.
· SSH does not support SSHv1 clients.
· SSH only supports RSA.
· Generated RSA key pairs must have a modulus length of 2048 bits. Generated DSA key pairs must have a modulus of at least 1024 bits.
· SSH, SNMPv3, IPsec, and SSL do not support DES, 3DES, RC4, or MD5.
Displaying and maintaining FIPS
|
Task |
Command |
Remarks |
|
Display FIPS state. |
display fips status |
Available in any view. |
FIPS configuration example
Network requirements
Configure the switch to work in FIPS mode and create a local user for the PC so that PC can log in to the switch in FIPS mode.
Figure 1 Network diagram
Configuration procedure
Configuring the switch
|
|
CAUTION: After you enable the FIPS mode, be sure to create a local user and its password before you reboot the switch. Otherwise, you cannot log in to the switch. To log into the switch, you must reboot the switch without loading the configuration file (by ignoring or removing the configuration file). |
# Enable the FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue?[Y/N]:y
Change the configuration to meet FIPS mode requirements, save the configuration
to the next-startup configuration file, and then reboot to enter FIPS mode.
# Enable the password control function.
[Sysname] password-control enable
# Create a local user named test, and set its service type as terminal, privilege level as 3, and password as AAbbcc1234%. The password must contain both uppercase and lowercase letters, digits, and special characters.
[Sysname] local-user test
[Sysname-luser-test] service-type terminal
[Sysname-luser-test] authorization-attribute level 3
[Sysname-luser-test] password
Password:***********
Confirm :***********
Updating user(s) information, please wait...........
[Sysname-luser-test] quit
# Save the configuration.
[Sysname] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[flash:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
flash:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait..........................
Saved the current configuration to mainboard device successfully.
Configuration is saved to device successfully.
[Sysname] quit
# Reboot the switch.
<Sysname> reboot
Verifying the configuration
After the switch reboots, enter the username test and password AAbbcc1234%. The system prompts that your first login is successful, and asks you to enter a new password. Enter a new password which has at least four characters different than the previous one and confirm the password. Then, the system displays the <Sysname> prompt.
User interface aux0 is available.
Please press ENTER.
Login authentication
Username:test
Password:
Info: First logged in. For security reasons you will need to change your password.
Please enter your new password.
Password:**********
Confirm :**********
Updating user(s) information, please wait...........
<Sysname>
# Display the current FIPS mode. The output shows that the FIPS mode is enabled.
<Sysname> display fips status
FIPS mode is enabled
