FIPS 140-2 Support
FIPS 140-2 Level 1 ensures that Apstra uses approved cryptographic algorithms, providing basic security without requiring advanced physical protections.
Overview of FIPS 140-2
FIPS 140-2 is a U.S. government standard that specifies security requirements for cryptographic modules. Implementing Level 1 ensures that Apstra uses approved cryptographic algorithms, providing basic security without requiring advanced physical protections.
Why FIPS 140-2 is Needed
Apstra handles sensitive data, and some users must meet regulatory standards for how that data is protected. Implementing FIPS 140-2 Level 1 ensures that Apstra's cryptographic operations meet these security requirements, giving those users confidence in its data protection.
Default FIPS Mode
By default, Apstra operates with FIPS mode disabled to minimize disruption. You can manually enable FIPS mode using the CLI.
Enabling and Managing FIPS 140-2
You can manage FIPS mode with the following commands:
- aos_fips enable – Enables FIPS mode on the Apstra VM.
- aos_fips disable – Disables FIPS mode on the Apstra VM.
- aos_fips status – Reports the status of FIPS mode, checking the Apstra config, SSH configuration, NGINX config, Docker containers, and OpenSSL settings.
Example Command:
To check the FIPS status, run:
aos_fips status
Sample output indicates whether FIPS mode is activated and which components are FIPS-enabled:
admin@aos-server:~$ aos_fips status
Checking aos.config... FIPS mode is activated
Checking Docker Compose settings... effective config is FIPS enabled
Checking OpenSSL effective config on host... effective config is FIPS enabled
Checking Docker containers...
[5109bea58085][aos-uninstall-onbox-30e49774-10.28.212.15-j2] FIPS activated
[2295b59992c6][aos-uninstall-onbox-54b69f7d-10.28.212.13-j2] FIPS activated
[f6e3b4993c33][ aos_nginx_1] FIPS activated
[104caaddaf9c][ aos_controller_1] FIPS activated
[ebf916a27b15][ aos_sysdb_1] FIPS activated
[b11a6723bc26][ aos_auth_1] FIPS activated
[b893a2fb8c54][ aos_license_1] FIPS activated
[95c281aca3ee][ aos_metadb_1] FIPS activated
Checking SSH server settings... FIPS config found
Checking SSH client settings... FIPS config found
Host smoke test... FIPS is activated
Checking NGINX config... effective config is FIPS enabled
Overall status: ENABLED
Cluster Setup:
For clustered environments, FIPS mode must be enabled or disabled on all Apstra VMs in the cluster using the aos_fips enable or aos_fips disable command. The order of execution across VMs doesn't matter.
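Because every VM in a cluster must be in the same FIPS state, a practitioner usually wants more than a glance at one VM's output. The following script is an added example, not part of Apstra's own tooling: it parses the output format of aos_fips status shown above, lists any component line that does not report FIPS as active, and repeats the check over a list of cluster VMs via ssh. The ssh user, the host list file, and the wording of the "not activated" lines in the disabled sample are assumptions; the page shows only the enabled output.

```shell
#!/bin/sh
# Added example, not part of Apstra's own tooling: audit the output of
# "aos_fips status" and repeat the check across a cluster.
# Assumes the output format shown on this page: each result line ends in
# "FIPS activated", "FIPS mode is activated", "FIPS is activated",
# "FIPS enabled" or "FIPS config found", and the final line is
# "Overall status: ENABLED" (or DISABLED). The ssh user and hostnames are placeholders.

# fips_overall: read status output on stdin, print the word after "Overall status:".
fips_overall() {
    sed -n 's/.*Overall status: *\([A-Za-z]*\).*/\1/p' | tail -n 1
}

# fips_noncompliant: read status output on stdin and print every result line
# (a "Checking ...", "[container]" or "Host smoke test" line) that does not
# report FIPS as active. Exits 0 when every component is FIPS-active, 1 otherwise.
fips_noncompliant() {
    awk '
        /\.\.\. *$/ { next }                    # section header with no result on the line
        /Overall status/ { next }               # summary line, handled by fips_overall
        /FIPS (mode is |is )?activated|FIPS enabled|FIPS config found/ { next }
        /^Checking |^\[|^Host smoke test/ { print; bad = 1 }
        END { exit bad ? 1 : 0 }
    '
}

# fips_cluster_audit: run "aos_fips status" on every VM named in the file $1
# (one hostname per line) and print "host: status". Returns 1 if any VM is not
# ENABLED or is unreachable, so a change script can refuse to proceed.
fips_cluster_audit() {
    rc=0
    while IFS= read -r host; do
        [ -n "$host" ] || continue
        status=$(ssh -o BatchMode=yes "admin@$host" aos_fips status 2>/dev/null | fips_overall)
        printf '%s: %s\n' "$host" "${status:-UNREACHABLE}"
        [ "$status" = "ENABLED" ] || rc=1
    done < "$1"
    return "$rc"
}

# Abbreviated copy of the sample output on this page (the real output lists every container).
SAMPLE_ENABLED='Checking aos.config... FIPS mode is activated
Checking Docker Compose settings... effective config is FIPS enabled
Checking OpenSSL effective config on host... effective config is FIPS enabled
Checking Docker containers...
[104caaddaf9c][ aos_controller_1] FIPS activated
[b11a6723bc26][ aos_auth_1] FIPS activated
Checking SSH server settings... FIPS config found
Host smoke test... FIPS is activated
Checking NGINX config... effective config is FIPS enabled
Overall status: ENABLED'

# Constructed output for a VM where FIPS mode is off. The page does not show the
# exact wording of a failing check, so the "not activated" phrasing is an assumption.
SAMPLE_DISABLED='Checking aos.config... FIPS mode is not activated
Checking Docker containers...
[104caaddaf9c][ aos_controller_1] FIPS not activated
Overall status: DISABLED'

# Demonstration on the embedded samples. Against a live cluster you would run,
# for example: fips_cluster_audit cluster_hosts.txt
for name in SAMPLE_ENABLED SAMPLE_DISABLED; do
    eval "out=\$$name"
    printf '%s -> overall %s\n' "$name" "$(printf '%s\n' "$out" | fips_overall)"
    printf '%s\n' "$out" | fips_noncompliant || echo "  the lines above are not FIPS-active"
done
```

The component-level check matters because Overall status alone can hide which piece is out of step after a partial upgrade or a container restart; running fips_cluster_audit from one VM after enabling or disabling FIPS on all of them confirms the cluster is uniformly in the intended state.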
Upgrade Process
During an upgrade, the FIPS setting is preserved. The aos_fips enable command automatically runs post-upgrade to maintain FIPS mode, ensuring ongoing compliance.
FIPS 140-2 Implementations
Apstra has implemented FIPS 140-2 compliance across several components:
- ZTP Server VM: Ensures secure cryptographic operations during device initialization in the Zero Touch Provisioning process.
- Apstra Controller VM: Manages network orchestration, policy management, and device configuration securely, adhering to FIPS 140-2 standards for all cryptographic functions.
- Apstra Worker VM: Handles secure data processing and communication tasks, ensuring all cryptographic operations meet FIPS 140-2 requirements.
- Off-box Device Agents: Manage external devices with FIPS-compliant cryptographic communication between the agent and both the devices and the Controller VM.
- On-box Device Agents: Operate directly on network devices, securing configurations and communications. Note that this compliance applies only to the agent; Apstra doesn't enable FIPS on the network operating system itself.
The underlying host operating system for these VMs and agents is not FIPS 140 enabled. The cryptographic modules within the Apstra components are compliant, but overall system security still depends on the host environment.