Manualshelf

Administrator Guide

ManualsBrandsDell ManualsserversDell Force10 MXL Blade
311312313314315316317318319320
18
FIPS Cryptography
Federal information processing standard (FIPS) cryptography is supported on the MXL switch platform.
This chapter describes how to enable FIPS cryptography requirements on Dell Networking platforms. This feature provides
cryptographic algorithms conforming to various FIPS standards published by the National Institute of Standards and Technology
(NIST), a non-regulatory agency of the US Department of Commerce. FIPS mode is also validated for numerous platforms to meet
the FIPS-140-2 standard for a software-based cryptographic module.
NOTE: The FIPS mode included in this release is the OpenSSL FIPS Object Module v2.0, which has been validated to
meet FIPS-140-2 requirements, per certicate #1747. The MXL switch platform is not one of the validated platforms. Dell
Networking has contracted with the OpenSSL Foundation to complete a Change Letter validation of the MXL switch
platform for this FIPS mode. A patch release will be available after that Change Letter validation has been completed.
NOTE: For the Dell Networking OS version 8.3.12.0, only the SSH and SCP copy features use FIPS Cryptographic mode
to secure management interface user sessions and le transfers. Other features that use cryptographic algorithms do
not, or cannot, use FIPS mode. You must congure the management interfaces to limit access to/from the system to
SSH alone.
Preparing the System
Before you enable FIPS mode, Dell Networking recommends making the following changes to your system.
1. Disable the Telnet server (only use secure shell [SSH] to access the system).
2. Disable the FTP server (only use secure copy [SCP] to transfer les to and from the system).
3. Attach a secure, standalone host to the console port for the FIPS conguration to use.
Enabling FIPS Mode
To enable or disable FIPS mode, use the console port.
Secure the host attached to the console port against unauthorized access. Any attempts to enable or disable FIPS mode from a
virtual terminal session are denied.
When you enable FIPS mode, the following actions are taken:
If enabled, the SSH server is disabled.
All open SSH and Telnet sessions, as well as all SCP and FTP le transfers, are closed.
Any existing host keys (both RSA and RSA1) are deleted from system memory and NVRAM storage.
FIPS mode is enabled.
If you enable the SSH server when you enter the fips mode enable command, it is re-enabled for version 2 only.
If you re-enable the SSH server, a new RSA host key-pair is generated automatically. You can also manually create this key-
pair using the crypto key generate command.
316
FIPS Cryptography