How FIPS works

You place a device in FIPS mode by entering the fips enable command on the management station while the station is connected to the device console port with a serial cable. After you enter the fips enable command, the device is administratively in FIPS mode and by default runs in strict FIPS-compliant mode upon reload.

In addition, you can configure an optional set of FIPS policy commands, and then use the fips zeroize all command to zero out the shared secrets used by various networking protocols, including the host access passwords, and the SSH and HTTPS host and client keys based on the configured FIPS security policy. After you issue the fips zeroize all command, use the write memory command, and then place the device in FIPS operational mode by reloading the device.

The default FIPS policy is for the system to run in a strict mode that fully supports FIPS 140-2 specifications. However, the device allows you the flexibility to configure a modified FIPS policy according to your network requirements. Refer to Modifying the FIPS policy.

Note

A FIPS policy that varies from the default policy weakens the intent of the FIPS 140-2 specifications; when implemented, the device is not operating in full compliance with these specifications.

The default FIPS approved mode enables the following actions for strict FIPS compliance:

• The SCP
• HTTPS TLS v1.1 and TLS v1.2

Note

Use of the debug command violates the Security Policy of the module and it deems the module non-compliant in the FIPS mode.

The default FIPS approved mode disables the following actions for strict FIPS compliance:

• Telnet access including the telnet server command.
• AAA authentication for the console using enable aaa console command is temporarily disabled to allow console access to configure SSH parameters. This command can be enabled after SSH is confirmed operational.
• The ip ssh scp disable command.
• The TFTP access.
• SNMPv3 access to Critical Security Parameters (CSP) specific MIB objects.
• Access to all commands that allows debugging memory content within the monitor mode.
• HTTP access including the web-management http command.
• The HTTPS SSL 3.0 access.
• The web-management allow-no-password command.
• TACACS which is a UDP based protocol

The default FIPS approved mode clears the following actions for strict FIPS compliance:

• Protocol shared secret and host passwords
• HTTPS RSA host keys and certificate

The FIPS mode zeroizes shared secrets and passwords.

Note

Users are expected to explicitly enter the fips zeroize all command to zeroize shared secrets, passwords, and host keys before placing the device in FIPS mode.

Note

Note that Group 14, Group 19, and Group 20 parameters are allowed in IKEv2/IPsec protocols in FIPS mode.

The HTTPS server allows the following ciphers:

• CIPHERSUITE_RSA_WITH_AES_128_CBC_SHA
• CIPHERSUITE_RSA_WITH_AES_256_CBC_SHA
• CIPHERSUITE_DHE_RSA_WITH_AES_128_CBC_SHA
• CIPHERSUITE_DHE_RSA_WITH_AES_256_CBC_SHA
• CIPHERSUITE_RSA_WITH_AES_128_CBC_SHA256
• CIPHERSUITE_RSA_WITH_AES_256_CBC_SHA256
• CIPHERSUITE_DHE_RSA_WITH_AES_128_CBC_SHA256
• CIPHERSUITE_DHE_RSA_WITH_AES_256_CBC_SHA256

After defining the FIPS policy, save the configuration, and restart the device. While the device is restarting, several tests are run to ensure the device is FIPS-compliant.

Some of these tests include several FIPS self-tests such as Known Answer Tests (KATs) and conditional tests that are run to ensure that the cryptographic engine is FIPS-compliant.

After these tests are run successfully, the device reloads and is operationally in FIPS mode. All the optional FIPS policy commands are provided to perform various non-approved FIPS operations when FIPS is enabled. Note that if any of these policy commands are configured, then the module does not operate in the approved FIPS mode.

Note

Execution of the self-test command in FIPS operational or administration modes may result in the device restarting as per the FIPS criteria if any of the algorithm self-tests fails.