Articles in this section

See more

FIPS Compliance

Robert Waldie
  • Updated
Follow

Selection_147.png

Opengear IM, ACM and CM7100 families all use an embedded OpenSSL cryptographic module that has been validated to meet the FIPS 140-2 standards and has received certificate #2473.

FIPS background

The US National Institute of Standards and Technology (NIST) publishes the FIPS (Federal Information Processing Standard Publication 140-2) series of standards and administers certification.

FIPS is both a US government technical standard and worldwide de facto standard for the implementation of cryptographic modules. It certifies software has been hardened against cryptographic attacks.

Operating the Opengear device's OpenSSL module in FIPS mode may be required for US government and military deployments.  For general deployments, FIPS mode may not be significantly advantageous where other best practice security hardening measures have been followed, including appropriate configuration of VPN, firewall and authentication systems.

Like any security feature, FIPS mode must not be considered a silver bullet – rather, it may comprise part of sound, layered network security model.

Enabling FIPS mode

By default, the Opengear device's OpenSSL module is not configured to use FIPS mode. When in FIPS mode, all OpenSSL clients (such as HTTPS web browsers) must also be configured to use FIPS-approved algorithms, or connections will fail.

For a list of Opengear services using OpenSSL, refer to this article.  For a concise summary of FIPS-approved algorithms, refer to this document from NIST, for a full list refer to the security policy document.

Note: When booting in FIPS mode, the additional OpenSSL validation performed may prolong startup by several minutes.

To toggle FIPS mode from the UI:

  • Login to the Opengear device web UI as root or an admin group user
  • Click System -> Administration
  • Scroll down and check or uncheck FIPS Mode
  • Check Reboot
  • Click Apply

Screen_Shot_2017-02-22_at_16.32.28.png

  • When FIPS mode is enabled, the web UI banner displays: FIPS Mode: Enabled

Screen_Shot_2017-02-22_at_16.54.59.png

To toggle FIPS mode from the CLI:

  • Login to the Opengear device CLI as root or an admin group user
  • To enable, run:
config -s config.system.fips=on -a
config -s config.system.reboot=on -a
  • To disable, run:
config -d config.system.fips -a
config -s config.system.reboot=on -a
  • When FIPS mode is enabled, the following file will exist in the filesystem: /etc/config/FIPS

OpenSSL sponsorship

Opengear partnered with OSSI and the OpenSSL Software Foundation project to sponsor an extension of the existing OpenSSL FIPS Object Module to meet the FIPS 140-2 standards for ARM processors.

Related articles

Comments

0 comments

Article is closed for comments.

Powered by Zendesk