Configuring FIPS
Support for this feature depends on the device model. For more information, see About the H3C Access Controllers Configuration Guides.
Overview
Federal Information Processing Standards (FIPS) were developed by the National Institute of Standards and Technology (NIST) of the United States. FIPS specifies the requirements for cryptographic modules. FIPS 140-2 defines four levels of security, named "Level 1" to "Level 4" from low to high. The device supports Level 2.
Unless otherwise noted, in this document the term "FIPS" refers to FIPS 140-2.
FIPS self-tests
CAUTION: If the device reboots repeatedly, the cause might be a software failure or hardware damage. Contact H3C Support to upgrade the software or repair the damaged hardware.
When the device operates in FIPS mode, it runs self-test mechanisms, including a power-up self-test and conditional self-tests, to ensure the correct operation of the cryptographic modules.
Power-up self-tests
The power-up self-test, also called "known-answer test", examines the availability of FIPS-allowed cryptographic algorithms. A cryptographic algorithm is run on data for which the correct output is already known. The calculated output is compared with the known answer. If they are not identical, the known-answer test fails.
The power-up self-test examines the cryptographic algorithms listed in Table 1.
Table 1 Power-up self-test list

Type | Operations |
---|---|
Cryptographic algorithm self-test | Tests the following algorithms: DSA (signature and authentication), RSA (signature and authentication), RSA (encryption and decryption), AES, 3DES, SHA1, SHA256, SHA512, HMAC-SHA1, random number generator algorithms |
Cryptographic engine self-test | Tests the following algorithms used by cryptographic engines: DSA (signature and authentication), RSA (signature and authentication), RSA (encryption and decryption), AES, 3DES, SHA1, HMAC-SHA1, random number generator algorithms |
Conditional self-tests
A conditional self-test runs when an asymmetrical cryptographic module or a random number generator module is invoked. Conditional self-tests include the following types:
· Pair-wise consistency test—This test is run when a DSA/RSA asymmetrical key-pair is generated. It uses the public key to encrypt a plain text, and uses the private key to decrypt the encrypted text. If the decryption is successful, the test succeeds. Otherwise, the test fails.
· Continuous random number generator test—This test is run when a random number is generated. If two consecutive random numbers are different, the test succeeds. Otherwise, the test fails. This test can also be run when a DSA/RSA asymmetrical key-pair is generated.
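As an added illustration (not H3C code and not the device's own implementation), the three self-test mechanisms described above in Python: known-answer tests for the hash and HMAC algorithms in Table 1 using published test vectors, a pair-wise consistency test on a constructed textbook-sized RSA key, and a continuous random number generator test. The RSA parameters and the block count are assumptions chosen for the demonstration.

```python
import hashlib
import hmac
import os

# Known answers: standard "abc" digests (FIPS 180-4) and the RFC 2202
# HMAC-SHA1 test vector with key "Jefe".
KNOWN_ANSWERS = {
    "sha1": ("abc", "a9993e364706816aba3e25717850c26c9cd0d89d"),
    "sha256": ("abc", "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"),
    "sha512": ("abc", "ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a"
                      "2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f"),
}
HMAC_SHA1_VECTOR = (b"Jefe", b"what do ya want for nothing?",
                    "effcdf6ae5eb2fa2d27416d5f184df9c259a7c79")

def known_answer_tests():
    """Power-up self-test: run each algorithm on fixed input and compare the
    output with the stored answer. Returns {algorithm: passed}."""
    results = {}
    for name, (msg, expected) in KNOWN_ANSWERS.items():
        digest = hashlib.new(name, msg.encode()).hexdigest()
        results[name] = hmac.compare_digest(digest, expected)
    key, data, expected = HMAC_SHA1_VECTOR
    results["hmac-sha1"] = hmac.compare_digest(
        hmac.new(key, data, "sha1").hexdigest(), expected)
    return results

def pairwise_consistency_test(n, e, d, plaintext):
    """Conditional self-test run when a key pair is generated: encrypt with the
    public key (n, e), decrypt with the private key (n, d), compare."""
    return pow(pow(plaintext, e, n), d, n) == plaintext

def continuous_rng_test(draw=os.urandom, count=8, block_size=16):
    """Conditional self-test run on each random number: fail as soon as two
    consecutive outputs are identical (a stuck generator)."""
    previous = draw(block_size)
    for _ in range(count):
        current = draw(block_size)
        if current == previous:
            return False
        previous = current
    return True

def run_self_tests():
    """Device behaviour: every test must pass, otherwise the self-test fails."""
    checks = list(known_answer_tests().values())
    # Constructed textbook RSA key (p=61, q=53): illustration only, far too small.
    checks.append(pairwise_consistency_test(3233, 17, 2753, 65))
    checks.append(continuous_rng_test())
    return all(checks)
```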
Triggering self-tests
To examine whether the cryptographic modules operate correctly, you can trigger a self-test on the cryptographic algorithms. The triggered self-test is the same as the power-up self-test. If the self-test fails, the device automatically reboots.
To trigger a self-test:
Step | Command |
---|---|
1. Enter system view. | system-view |
2. Trigger a self-test. | fips self-test |
Configuration considerations
To enter FIPS mode, follow these steps:
1. Enable FIPS mode.
2. Enable the password control function.
3. Configure the username and password to log in to the device in FIPS mode. The password must include at least 10 characters and must contain uppercase and lowercase letters, digits, and special characters.
4. Delete all MD5-based digital certificates.
5. Delete the DSA key pairs that have a modulus length of less than 1024 bits and all RSA key pairs.
6. Save the configuration.
Enabling FIPS mode
Follow these guidelines when you enable FIPS mode:
· If you must enable both FIPS mode and the password control function, enable FIPS mode first.
· If you must disable both FIPS mode and the password control function, disable password control first.
· After FIPS mode is enabled, delete the local user service types that are not FIPS 140-2 compliant (Telnet, HTTP, or FTP) before you reboot the device.
To enable FIPS mode:
Step | Command | Remarks |
---|---|---|
1. Enter system view. | system-view | N/A |
2. Enable FIPS mode. | fips mode enable | By default, FIPS mode is disabled. |
Configuration changes in FIPS mode
After you enable FIPS mode and reboot the device, the following system changes occur:
· The FTP/TFTP server is disabled.
· The Telnet server is disabled.
· The HTTP server is disabled.
· SNMPv1 and SNMPv2c are disabled. Only SNMPv3 is available.
· The SSL server only supports TLS1.0.
· The SSH server does not support SSHv1 clients.
· Generated RSA key pairs must have a modulus length of 2048 bits, and generated DSA key pairs must have a modulus length from 1024 to 2048 bits.
· SSH, SNMPv3, IPsec, and SSL do not support DES, RC4, or MD5.
Displaying and maintaining FIPS
Task | Command | Remarks |
---|---|---|
Display the FIPS mode state. | display fips status | Available in any view. |
FIPS configuration example
Network requirements
As shown in Figure 1, Host connects to AC through a console port. Configure AC to operate in FIPS mode, and create a local user for Host so that Host can log in to AC.
Configuration procedure
CAUTION: After you enable FIPS mode, you must create a local user and its password before you reboot the device. Otherwise, you cannot log in to the device. If this happens, reboot the device without the configuration file (by ignoring or removing the configuration file) so that the device operates in non-FIPS mode, and then make the correct configurations.
# Enable the FIPS mode.
<Sysname> system-view
[Sysname] fips mode enable
FIPS mode change requires a device reboot. Continue?[Y/N]:y
Modify the configuration to be fully compliant with FIPS mode, save the configuration to the next-startup configuration file, and then reboot to enter FIPS mode.
# Enable the password control function.
[Sysname] password-control enable
# Create a local user named test, set its service type to terminal and its privilege level to 3, and set its password to AAbbcc1234%. In FIPS mode the password is a string of at least 10 characters by default and must contain uppercase letters, lowercase letters, digits, and special characters. (Configure the password interactively: enter the password command in local user view and enter the password at the prompts.)
[Sysname] local-user test
[Sysname-luser-test] service-type terminal
[Sysname-luser-test] authorization-attribute level 3
[Sysname-luser-test] password
Password:***********
Confirm :***********
Updating user(s) information, please wait...........
[Sysname-luser-test] quit
[Sysname] save
The current configuration will be written to the device. Are you sure? [Y/N]:y
Please input the file name(*.cfg)[cfa0:/startup.cfg]
(To leave the existing filename unchanged, press the enter key):
cfa0:/startup.cfg exists, overwrite? [Y/N]:y
Validating file. Please wait....
Configuration is saved to device successfully.
# Reboot the device.
<Sysname> reboot
Verifying the configuration
After the device reboots, enter the username test and the password AAbbcc1234%. The system reports that your first login is successful and requires you to enter a new password. Enter a new password that differs from the previous one in at least four characters, and confirm it. The system then displays the <Sysname> prompt.
User interface con0 is available.
Please press ENTER.
Login authentication
Username:test
Password:
Info: First logged in. For security reasons you will need to change your password.
Please enter your new password.
Password:**********
Confirm :**********
Updating user(s) information, please wait...........
<Sysname>
# Display the current FIPS mode.
<Sysname> display fips status
FIPS mode is enabled