SBC releases 5.1, 6.2, and 7.2 are officially FIPS-compliant.
You must reconfigure snmpv3 before enabling FIPs mode. Failure to do so could cause the SBC to crash due to excessive trap generation. Perform the following steps to reconfigure snmpv3:
All trap targets with authPriv/authNoPriv securityLevel must be disabled. Example:
admin@sbc1% show oam snmp trapTarget EMS_-10.54.71.176 ipAddress 10.54.71.176; port 162; trapType v3; targetUsername emstrapuser; targetSecurityLevel authPriv; state enabled; admin@sbc1% set oam snmp trapTarget EMS_-10.54.71.176 state disabled admin@sbc1% commit
The SBC Core supports FIPS 140-2 level 1 certification for its cryptographic modules. It implements FIPS 140-2 Level 1 validated cryptographic hardware modules and software tool kits and operates this module in FIPS 140-2 approved mode for all cryptographic operations.
The following changes have been made to achieve FIPS 140-2 certification:
Self-Tests- The SBC implements cryptographic algorithms using software firmware and hardware and the modules perform various self-tests (power-up self-test, conditional self-test, and critical function self-test) to verify their functionality and correctness. If any of the tests fail, the module goes into “Critical Error” state and it disables all access to cryptographic functions and Critical Security Parameters (CSPs). The management interfaces do not respond to any commands until the module is operational. The Crypto Officer must reboot the modules to clear the error and return to normal operational mode.
Self-tests are performed only when the system is running in FIPS 140-2 mode.
The various self-tests are as follows:
FIPS Finite State Model- The following diagram demonstrates the SBC states and state transitions that occur within the SBC:
The ability to change the FIPS 140-2 mode is reserved only for users having Administrator permissions; Administrator is a role in the SBC that may be assigned to a Crypto Officer in a FIPS-compliant system.
TLS v1.1 and v1.2 support for EMA/PM and SIP/TLS- TLS v1.1 and v1.2 provide resistance to certain known attacks (e.g. the BEAST attack affecting TLS v1.0) against earlier TLS versions and offer additional cipher suites not supported with TLS v1.0.
Although TLS v1.0 and v1.2 are enabled by default, Ribbon recommends disabling v1.0 (if possible) in favor of the more-secure TLS v1.2, if browser support (for EMA/PM) and SIP peer interoperability (for SIP/TLS) considerations permit.
FIPS compliant operating mode is a mode of system operation that is fully compliant with FIPS-140-2 at security level 1+. Putting the system in FIPS-140-2 operating mode requires enabling the fips-140-2 mode
parameter as well as configuring other parameters.
In Admin, select the name of the SBC system. The Edit Fips-140-2 options open.
Parameter | Description |
---|---|
Mode
| Once Fips-140-2 mode has been enabled, it cannot be 'disabled' through configuration. A fresh software install that discards all prior state is required to set the FIPS-140-2 mode to 'disabled'. The options are:
|
admin@sbc1% set oam snmp users emstrapuser authKey Xd:aa:1f:09:75:6e:f6:da:NN:NN:NN:NN:NN:0d admin@sbc1% set oam snmp users emstrapuser privKey Xd:aa:1f:09:75:6e:f6:da:NN:NN:NN:NN:NN:0d admin@sbc1% commit
2. Enable authPriv/authNoPriv trap targets:
admin@sbc1% set oam snmp trapTarget <trap_target_IP> state enabled