The US National Institute of Standards and Technology (NIST) publishes the FIPS (Federal Information Processing Standard Publication 140-2) series of standards and administers certification.
FIPS is both a US government technical standard and worldwide de facto standard for the implementation of cryptographic modules. It certifies software has been hardened against cryptographic attacks.
Operating the Opengear device's OpenSSL module in FIPS mode may be required for US government and military deployments. For general deployments, FIPS mode may not be significantly advantageous where other best practice security hardening measures have been followed, including appropriate configuration of VPN, firewall and authentication systems.
Like any security feature, FIPS mode must not be considered a silver bullet – rather, it may comprise part of sound, layered network security model.
Enabling FIPS mode
By default, the Opengear device's OpenSSL module is not configured to use FIPS mode. When in FIPS mode, all OpenSSL clients (such as HTTPS web browsers) must also be configured to use FIPS-approved algorithms, or connections will fail.
For a list of Opengear services using OpenSSL, refer to this article. For a concise summary of FIPS-approved algorithms, refer to this document from NIST, for a full list refer to the security policy document.
Note: When booting in FIPS mode, the additional OpenSSL validation performed may prolong startup by several minutes.
To toggle FIPS mode from the UI:
- Login to the Opengear device web UI as root or an admin group user
- Click System -> Administration
- Scroll down and check or uncheck FIPS Mode
- Check Reboot
- Click Apply
- When FIPS mode is enabled, the web UI banner displays: FIPS Mode: Enabled
To toggle FIPS mode from the CLI:
- Login to the Opengear device CLI as root or an admin group user
- To enable, run:
config -s config.system.fips=on -s config.system.reboot=on -r reboot
- To disable, run:
config -d config.system.fips -s config.system.reboot=on -r reboot
- When FIPS mode is enabled, the following file will exist in the filesystem: /etc/config/FIPS
Opengear partnered with OSSI and the OpenSSL Software Foundation project to sponsor an extension of the existing OpenSSL FIPS Object Module to meet the FIPS 140-2 standards for ARM processors.