
FIPS 140-2 Support

FIPS 140-2 Level 1 ensures that Apstra uses approved cryptographic algorithms, providing basic security without requiring advanced physical protections.

Overview of FIPS 140-2

FIPS 140-2 is a U.S. government standard that specifies security requirements for cryptographic modules. Implementing Level 1 ensures that Apstra uses approved cryptographic algorithms, providing basic security without requiring advanced physical protections.

Why FIPS 140-2 is Needed

Apstra handles sensitive data that must comply with regulatory standards for some users. Implementing FIPS 140-2 Level 1 ensures that our cryptographic operations meet these security requirements, giving users confidence in our data protection.

Default FIPS Mode

By default, Apstra operates with FIPS mode disabled to minimize disruption. You can manually enable FIPS mode using the CLI.

Enabling and Managing FIPS 140-2

You can manage FIPS mode with the following commands:

  • aos_fips enable – Enables FIPS mode on the Apstra VM.

  • aos_fips disable – Disables FIPS mode on the Apstra VM.

  • aos_fips status – Reports the status of FIPS mode, checking configurations such as Apstra config, SSH configuration, NGINX config, Docker containers, and OpenSSL settings.

Example Command:

To check the FIPS status, run:

aos_fips status

The output indicates whether FIPS mode is activated and which components are FIPS-enabled.

Cluster Setup:

For clustered environments, FIPS mode must be enabled or disabled on all Apstra VMs in the cluster using the aos_fips enable or aos_fips disable command. The order of execution across VMs doesn't matter.
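Because every VM in a cluster must report the same aos_fips state, an added example (not Juniper's code) follows that queries each VM and flags a mismatch. It assumes SSH access to the VMs and, because this page does not document the text printed by `aos_fips status`, it assumes the output contains the word "enabled" or "disabled"; adjust `fips_state_of` to the real output, and the host names below are placeholders.

```shell
#!/bin/sh
# Added example: confirm that all Apstra VMs in a cluster report the same
# aos_fips state. ASSUMPTION: `aos_fips status` output contains the word
# "enabled" or "disabled"; the real format is not documented on this page.

# Runs `aos_fips status` on one VM (hostname in $1). Redefine this function
# to use another transport, or to feed constructed output for a dry run.
run_status() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$1" aos_fips status 2>/dev/null
}

# Reduces raw status text to one of: enabled, disabled, unknown.
fips_state_of() {
    if printf '%s\n' "$1" | grep -iq 'disabled'; then
        echo disabled
    elif printf '%s\n' "$1" | grep -iq 'enabled'; then
        echo enabled
    else
        echo unknown
    fi
}

# Queries each host given in "$@", prints a host/state line per VM and
# returns 0 only when every host reports the same known state, which is
# the condition the cluster must satisfy.
check_cluster_fips() {
    first=""; consistent=0
    for host in "$@"; do
        state=$(fips_state_of "$(run_status "$host")")
        printf '%-30s %s\n' "$host" "$state"
        [ "$state" = unknown ] && consistent=1
        [ -z "$first" ] && first=$state
        [ "$state" != "$first" ] && consistent=1
    done
    [ -n "$first" ] || consistent=1   # an empty host list is not a cluster
    return $consistent
}

# Stand-alone use (placeholder host names):
#   APSTRA_HOSTS="controller-vm worker-vm1 worker-vm2" ./fips_cluster_check.sh
if [ -n "${APSTRA_HOSTS:-}" ]; then
    # shellcheck disable=SC2086  # splitting the host list into words is intended
    check_cluster_fips $APSTRA_HOSTS
fi
```

A non-zero exit means at least one VM differs or could not be queried, so run aos_fips enable or aos_fips disable on the odd VM before treating the cluster as consistent.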

Upgrade Process

During an upgrade, the FIPS setting is preserved. The aos_fips enable command automatically runs post-upgrade to maintain FIPS mode, ensuring ongoing compliance.

FIPS 140-2 Implementations

Apstra has implemented FIPS 140-2 compliance across several components:

  • ZTP Server VM: Ensures secure cryptographic operations during device initialization in the Zero Touch Provisioning process.

  • Apstra Controller VM: Manages network orchestration, policy management, and device configuration securely, adhering to FIPS 140-2 standards for all cryptographic functions.

  • Apstra Worker VM: Handles secure data processing and communication tasks, ensuring all cryptographic operations meet FIPS 140-2 requirements.

  • Off-box Device Agents: Manage external devices with FIPS-compliant cryptographic communication between the agent and both the devices and the Controller VM.

  • On-box Device Agents: Operate directly on network devices, securing configurations and communications. Note that this compliance applies only to the agent; Apstra doesn't enable FIPS on the network operating system itself.

Note:

The underlying host operating system for these VMs and agents is not FIPS 140-2 enabled. This means the specific cryptographic modules within Apstra components are compliant, but the overall system security depends on the host environment.