You can enable Common Criteria mode on a device with the following command.
device(config)# fips enable common-criteria
Syntax: [no] fips enable common-criteria
The device prompt displays the detailed banner information shown in the following example.
Device(config)#fips enable common-criteria
WARNING: This will enable FIPS and Common Criteria on this device. Please refer
       : to the NetIron Federal Information Processing Standards Guide for
       : more details. Also, be advised that Software/Firmware Integrity checks
       : will always be performed on this device on subsequent reloads, even
       : if FIPS or Common Criteria is disabled in the future.
Are you sure? (enter 'y' or 'n'): y
This device is now running in CC administrative mode.
At this time you can alter this system's CC default security policy
and then enter CC operational mode.

Note: Making changes to the default CC security policy weakens the security
of the device and makes the device non-compliant with CC and FIPS 140-2
Level 2, design assurance Level 3.
The default security policy defined in the FIPS Security Policy Document
ensures that the device complies with all FIPS 140-2 specifications.
Commands to alter the default security policy are available to the
crypto-officer; however, Extreme does not recommend making changes to the
default security policy at any time.
=====================================
To enter CC mode, complete the following steps:
1. Optionally, configure FIPS policy commands that meets your network
   requirements. You must explicitly configure the following services
   if you want to use them when the device is operational in CC mode:
   - Allow TFTP access. Current status: Enabled
   - Allow SNMP Access to the Critical Security Parameter (CSP) MIB objects. Current status: Disabled
   - Allow access to all commands within the monitor mode. Current status: Disabled
   - Allow cleartext password display in some commands. Current status: Disabled
   - Retention of shared secret keys for all protocols and the host passwords. Current status: Retain
   - Retention of SSH RSA host keys. Current status: Retain
2. Enter the "fips zeroize all" command, which zeroes out the shared secrets
   used by various networking protocols, including the host access passwords,
   SSH and HTTPS host-keys with the digital signature based on the configured
   FIPS Security Policy.
3. Save the running configuration.
4. Reload the device.
5. Enter the "fips show" command to verify that the device entered FIPS or
   CC operational mode.
=====================================
In FIPS mode, the system will disable the following services or commands after reload:
FIPS. Telnet server will be disabled. The "telnet server" command will be removed.
FIPS. SSL Client will be enabled.
FIPS. TLS version 1.0 will be disabled.
FIPS. SCP will be enabled. The "ip ssh scp disable" command will be removed.
FIPS. SNMP server will change as follows:
      -SNMP support for v1 and v2c versions will be disabled.
      -For SNMPv3 version authentication and privacy is mandatory, and MD5
       authentication key and DES privacy password will be disabled.
FIPS. NTP md5 authentication will be disabled.
FIPS. HTTP Client will be disabled.
FIPS. For SSH Key Exchange, only diffie-hellman-group-exchange-sha256 algorithm is allowed.
FIPS. Passwords/Keys which don't comply with FIPS standards will be removed on reload.
FIPS. Please see FIPS config guide for complete details.
FIPS. Configuration "enable aaa console" will be disabled temporarily to allow
      console access to configure SSH parameters. It can be re-enabled after
      SSH is confirmed operational
      Current status of "enable aaa console" is: Disabled
=====================================
Additionally, in CC operational mode, following are the restrictions on system
services or commands after reload:
CC. Syslog servers need to use TLS encapsulation(see exception below in VPNGW).
CC. TACACS+ servers need to use TLS encapsulation(see exception below in VPNGW).
CC. All versions of SNMP will be disabled.
CC. DSA keys will be deleted from configuration, and will be disabled.
CC. RSA key sizes will be restricted to 2048 and above in the configuration.
CC. RADIUS servers must be used over TLS (see exception below in VPNGW).
CC. For SSH Key Exchange, only diffie-hellman-group14-sha1 algorithm is allowed.
In CC VPN Gateway mode, since all traffic must be tunneled within IPSec using
the in-band ports, here are the guidelines:
VPNGW. Management port should not be used since management module does not have IPSec stack
VPNGW. Syslog servers could be configured to use UDP. TLS encapsulation is not
       mandatory since IPsec encapsulation is present.
VPNGW. TACACS+ servers could be configured to use TCP. TLS encapsulation is not
       mandatory since IPsec encapsulation is present.
VPNGW. RADIUS servers could be configured to use UDP. TLS encapsulation is not
       mandatory since IPsec encapsulation is present.
VPNGW. The required logging needs to be separately enabled:
       "logging enable ikev2 extended"
       "logging enable pki pki-extended"
VPNGW. The NAT-T needs to be separately enabled:
       "ikev2 nat-enable"
===================
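The banner's step 1 lists the policy services that are still permissive (Enabled or Retain) when the device enters CC administrative mode, and an operator reviewing many devices will want that list pulled out of captured console output rather than read by eye. The following Python helper is an added example, not code from the NetIron guide or from Extreme; it assumes only the banner format shown above ("- <service>. Current status: <value>" lines plus the "enable aaa console" status line) and uses a constructed copy of that banner as its sample input.

```python
import re

# Constructed sample input: the policy block of the CC-mode banner as printed above.
SAMPLE_BANNER = """\
You must explicitly configure the following services if you want to use them
when the device is operational in CC mode:
- Allow TFTP access. Current status: Enabled
- Allow SNMP Access to the Critical Security Parameter (CSP) MIB objects. Current status: Disabled
- Allow access to all commands within the monitor mode. Current status: Disabled
- Allow cleartext password display in some commands. Current status: Disabled
- Retention of shared secret keys for all protocols and the host passwords. Current status: Retain
- Retention of SSH RSA host keys. Current status: Retain
Current status of "enable aaa console" is: Disabled
"""

# One policy item per line: "- <description>. Current status: <value>"
POLICY_RE = re.compile(r'^-\s*(?P<name>.+?)\.\s*Current status:\s*(?P<status>\w+)\s*$')
# The separate aaa console status line printed in the FIPS section of the banner.
AAA_RE = re.compile(r'^Current status of "enable aaa console" is:\s*(?P<status>\w+)\s*$')

# Statuses that leave a service available after reload into CC mode.
PERMISSIVE = {"enabled", "retain"}


def parse_policy_status(banner: str) -> dict:
    """Map each policy service description to its reported current status."""
    items = {}
    for raw in banner.splitlines():
        m = POLICY_RE.match(raw.strip())
        if m:
            items[m.group("name")] = m.group("status")
    return items


def parse_aaa_console(banner: str):
    """Return the reported 'enable aaa console' status, or None if absent."""
    for raw in banner.splitlines():
        m = AAA_RE.match(raw.strip())
        if m:
            return m.group("status")
    return None


def permissive_items(policy: dict) -> list:
    """Policy services whose current status is Enabled or Retain, sorted by name."""
    return sorted(name for name, status in policy.items()
                  if status.lower() in PERMISSIVE)


if __name__ == "__main__":
    policy = parse_policy_status(SAMPLE_BANNER)
    for name in permissive_items(policy):
        print(f"still permissive before CC operational mode: {name} ({policy[name]})")
    print(f'enable aaa console: {parse_aaa_console(SAMPLE_BANNER)}')
```

Run against a saved console capture instead of SAMPLE_BANNER to get the per-device list of services that the operator must either deliberately keep (by configuring them, as step 1 says) or expect to lose once the device is zeroized, saved and reloaded.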