S e n d d o c u m e n t a t i o n c o m m e n t s t o m d s f e e d b a c k - d o c @ c i s c o . c o m
Configuring FIPS
The Federal Information Processing Standards (FIPS) Publication 140-2, Security Requirements for
Cryptographic Modules, details the U.S. government requirements for cryptographic modules. FIPS
140-2 specifies that a cryptographic module should be a set of hardware, software, firmware, or some
combination that implements cryptographic functions or processes, including cryptographic algorithms
and, optionally, key generation, and is contained within a defined cryptographic boundary.
FIPS specifies certain crypto algorithms as secure, and it also identifies which algorithms should be used
if a cryptographic module is to be called FIPS compliant.
Note
Cisco MDS SAN-OS Release 3.1(1) and NX-OS Release 4.1(1b) or later implements FIPS features and
is currently in the certification process with the U.S. government, but it is not FIPS compliant at this
time.
This chapter includes the following sections:
•
•
•
Configuration Guidelines
Follow these guidelines before enabling FIPS mode:
•
•
•
•
•
•
•
OL-18084-01, Cisco MDS NX-OS Release 4.x
Configuration Guidelines, page 31-1
Enabling FIPS Mode, page 31-2
FIPS Self-Tests, page 31-2
Make your passwords a minimum of eight characters in length.
Disable Telnet. Users should log in using SSH only.
Disable remote authentication through RADIUS/TACACS+. Only users local to the switch can be
authenticated.
Disable SNMP v1 and v2. Any existing user accounts on the switch that have been configured for
SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.
Disable VRRP.
Delete all IKE policies that either have MD5 for authentication or DES for encryption. Modify the
policies so they use SHA for authentication and 3DES/AES for encryption.
Delete all SSH Server RSA1 key-pairs.
C H A P T E R
Cisco MDS 9000 Family CLI Configuration Guide
31
31-1