Cisco MDS 9000 Series Configuration Manual page 25

Security
Configuring FIPS
The Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements for
Cryptographic Modules, details the U.S. government requirements for cryptographic modules. FIPS 140-2
specifies that a cryptographic module should be a set of hardware, software, firmware, or some combination
that implements cryptographic functions or processes, including cryptographic algorithms and, optionally,
key generation, and is contained within a defined cryptographic boundary.
FIPS specifies certain crypto algorithms as secure, and it also identifies which algorithms should be used if
a cryptographic module is to be called FIPS compliant.
Note
Cisco MDS SAN-OS Release 3.1(1) and NX-OS Release 4.1(1b) or later implement FIPS features and are
currently in the certification process with the U.S. government, but they are not FIPS compliant at this time.
This chapter includes the following sections:
Configuration Guidelines, on page 7
Enabling FIPS Mode, on page 8
Displaying FIPS Status, on page 8
FIPS Self-Tests, on page 8
Configuration Guidelines
Follow these guidelines before enabling FIPS mode:
• Make your passwords a minimum of eight characters in length.
• Disable Telnet. Users should log in using SSH only.
• Disable remote authentication through RADIUS/TACACS+. Only users local to the switch can be authenticated.
• Disable SNMP v1 and v2. Any existing user accounts on the switch that have been configured for SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.
• Disable VRRP.
• Delete all IKE policies that either have MD5 for authentication or DES for encryption. Modify the policies so they use SHA for authentication and 3DES/AES for encryption.
• Delete all SSH Server RSA1 keypairs.
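The guidelines above are a pre-flight checklist, and most of them can be verified by reading a switch's running configuration before FIPS mode is turned on. The following script is an added example, not part of the Cisco guide: it audits a saved configuration for Telnet, RADIUS/TACACS+ authentication, SNMPv1/v2 communities, VRRP, IKE policies using MD5 or DES, and RSA1 SSH keys. The sample configuration and the command patterns it matches are constructed to resemble NX-OS/SAN-OS syntax and are assumptions, not text quoted from the guide; adjust the patterns to the exact output of `show running-config` on your platform. The password-length guideline cannot be checked from a configuration dump and is left to account provisioning.

```python
import re
from typing import List, Optional

# Constructed sample running-config containing several guideline violations.
# Command syntax is an assumption in NX-OS/SAN-OS style, not taken from the guide.
SAMPLE_CONFIG = """\
telnet server enable
ssh server enable
snmp-server community public ro
snmp-server user admin auth sha S3cretS3cret priv aes-128 S3cretS3cret
aaa authentication login default group radius
interface mgmt0
  vrrp 1
crypto ike domain ipsec
  policy 10
    hash md5
    encryption 3des
  policy 20
    hash sha
    encryption des
ssh key rsa1 1024
ssh key rsa 2048
"""

# Single-line checks: (finding text, pattern matched against each config line).
LINE_CHECKS = [
    ("Telnet server enabled; disable it and allow SSH logins only",
     re.compile(r"^telnet server enable$")),
    ("Remote RADIUS/TACACS+ authentication configured; use local users only",
     re.compile(r"^aaa authentication login .*group (radius|tacacs\+?)\b")),
    ("SNMPv1/v2 community configured; disable SNMP v1 and v2",
     re.compile(r"^snmp-server community ")),
    ("VRRP configured; disable it",
     re.compile(r"^\s*vrrp \d+")),
    ("SSH server RSA1 keypair present; delete it",
     re.compile(r"^ssh key rsa1\b")),
]


def audit_fips_readiness(config: str) -> List[str]:
    """Return a list of findings that must be resolved before enabling FIPS mode."""
    findings: List[str] = []
    current_policy: Optional[str] = None  # IKE policy block being parsed, if any

    for raw in config.splitlines():
        line = raw.rstrip()

        # Context-free checks.
        for text, pattern in LINE_CHECKS:
            if pattern.search(line):
                findings.append(f"{text}: '{line.strip()}'")

        # IKE policies need context: the hash/encryption lines are indented
        # under "policy N", so remember which policy we are inside.
        policy = re.match(r"^\s+policy (\d+)$", line)
        if policy:
            current_policy = policy.group(1)
            continue
        if current_policy is not None:
            if re.match(r"^\s+hash md5$", line):
                findings.append(
                    f"IKE policy {current_policy} uses MD5 for authentication; change it to SHA")
            elif re.match(r"^\s+encryption des$", line):
                findings.append(
                    f"IKE policy {current_policy} uses DES for encryption; change it to 3DES/AES")
            elif not line.startswith(" "):
                current_policy = None  # left the crypto ike block

    return findings


def is_fips_ready(config: str) -> bool:
    """True when the configuration violates none of the auditable guidelines."""
    return not audit_fips_readiness(config)


if __name__ == "__main__":
    for finding in audit_fips_readiness(SAMPLE_CONFIG):
        print("-", finding)
    print("ready:", is_fips_ready(SAMPLE_CONFIG))
```

Run against the constructed sample, the audit reports seven findings (Telnet, SNMP community, RADIUS, VRRP, MD5 in policy 10, DES in policy 20, and the RSA1 key); the SNMPv3 user with SHA/AES and the RSA key are accepted. The IKE check is deliberately stateful because a bare `hash md5` line is meaningless without knowing which policy it belongs to, which is the case a line-by-line grep would get wrong.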
Cisco MDS 9000 Series Security Configuration Guide, Release 8.x, Chapter 3, page 7