Skip to main content
FlexPod

FlexPod Cisco networking and FIPS 140-2

Contributors
PDFs

Cisco MDS

Cisco MDS 9000 series platform with software 8.4.x is FIPS 140-2 compliant. Cisco MDS implements cryptographic modules and the following services for SNMPv3 and SSH.

  • Session establishment supporting each service

  • All underlying cryptographic algorithms supporting each services key derivation functions

  • Hashing for each service

  • Symmetric encryption for each service

Before you enable FIPS mode, complete the following tasks on the MDS switch:

  1. Make your passwords a minimum of eight characters in length.

  2. Disable Telnet. Users should log in using SSH only.

  3. Disable remote authentication through RADIUS/TACACS+. Only users local to the switch can be authenticated.

  4. Disable SNMP v1 and v2. Any existing user accounts on the switch that have been configured for SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.

  5. Disable VRRP.

  6. Delete all IKE policies that either have MD5 for authentication or DES for encryption. Modify the policies so they use SHA for authentication and 3DES/AES for encryption.

  7. Delete all SSH Server RSA1 keypairs.

To enable FIPS mode and to display FIPS status on the MDS switch, complete the following steps:

  1. Show the FIPS status.

    MDSSwitch# show fips status
FIPS mode is disabled
MDSSwitch# conf
Enter configuration commands, one per line.  End with CNTL/Z.

  2. Set up the 2048 bits SSH key.

    MDSSwitch(config)# no feature ssh
XML interface to system may become unavailable since ssh is disabled
MDSSwitch(config)# no ssh key
MDSSwitch(config)# show ssh key
**************************************
could not retrieve rsa key information
bitcount: 0
**************************************
could not retrieve dsa key information
bitcount: 0
**************************************
no ssh keys present. you will have to generate them
**************************************
MDSSwitch(config)# ssh key
dsa   rsa
MDSSwitch(config)# ssh key rsa 2048 force
generating rsa key(2048 bits).....
...
generated rsa key

  3. Enable FIPS mode.

    MDSSwitch(config)# fips mode enable
FIPS mode is enabled
System reboot is required after saving the configuration for the system to be in FIPS mode
Warning: As per NIST requirements in 6.X, the minimum RSA Key Size has to be 2048

  4. Show the FIPS status.

    MDSSwitch(config)# show fips status
FIPS mode is enabled
MDSSwitch(config)# feature ssh
MDSSwitch(config)# show feature | grep ssh
sshServer            1        enabled

  5. Save the configuration to the running configuration.

    MDSSwitch(config)# copy ru st
[########################################] 100%
exitCopy complete.
MDSSwitch(config)# exit

  6. Restart MDS switch

    MDSSwitch# reload
This command will reboot the system. (y/n)?  [n] y

  7. Show the FIPS status.

    Switch(config)# fips mode enable
Switch(config)# show fips status

For more information, see Enabling FIPS Mode.

Cisco Nexus

Cisco Nexus 9000 series switches (version 9.3) are FIPS 140-2 compliant. Cisco Nexus implements cryptographic modules and the following services for SNMPv3 and SSH.

  • Session establishment supporting each service

  • All underlying cryptographic algorithms supporting each services key derivation functions

  • Hashing for each service

  • Symmetric encryption for each service

Before you enable FIPS mode, complete the following tasks on the Cisco Nexus switch:

  1. Disable Telnet. Users should log in using Secure Shell (SSH) only.

  2. Disable SNMPv1 and v2. Any existing user accounts on the device that have been configured for SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.

  3. Delete all SSH server RSA1 key-pairs.

  4. Enable HMAC-SHA1 message integrity checking (MIC) to use during the Cisco TrustSec Security Association Protocol (SAP) negotiation. To do so, enter the sap hash-algorithm HMAC-SHA-1 command from the cts-manual or cts-dot1x mode.

To enable FIPS mode on the Nexus switch, complete the following steps:

  1. Set up 2048 bits SSH key.

    NexusSwitch# show fips status
FIPS mode is disabled
NexusSwitch# conf
Enter configuration commands, one per line.  End with CNTL/Z.

  2. Set up the 2048 bits SSH key.

    NexusSwitch(config)# no feature ssh
XML interface to system may become unavailable since ssh is disabled
NexusSwitch(config)# no ssh key
NexusSwitch(config)# show ssh key
**************************************
could not retrieve rsa key information
bitcount: 0
**************************************
could not retrieve dsa key information
bitcount: 0
**************************************
no ssh keys present. you will have to generate them
**************************************
NexusSwitch(config)# ssh key
dsa   rsa
NexusSwitch(config)# ssh key rsa 2048 force
generating rsa key(2048 bits).....
...
generated rsa key

  3. Enable FIPS mode.

    NexusSwitch(config)# fips mode enable
FIPS mode is enabled
System reboot is required after saving the configuration for the system to be in FIPS mode
Warning: As per NIST requirements in 6.X, the minimum RSA Key Size has to be 2048
Show fips status
NexusSwitch(config)# show fips status
FIPS mode is enabled
NexusSwitch(config)# feature ssh
NexusSwitch(config)# show feature | grep ssh
sshServer            1        enabled
Save configuration to the running configuration
NexusSwitch(config)# copy ru st
[########################################] 100%
exitCopy complete.
NexusSwitch(config)# exit

  4. Restart the Nexus switch.

    NexusSwitch# reload
This command will reboot the system. (y/n)?  [n] y

  5. Show the FIPS status.

    NexusSwitch(config)# fips mode enable
NexusSwitch(config)# show fips status

Additionally, Cisco NX OS software supports the NetFlow feature that enables enhanced detection of network anomalies and security. NetFlow captures the metadata of every conversation on the network, the parties involved in the communication, the protocol being used, and the duration of the transaction. After the information is aggregated and analyzed, it can provide insight into normal behavior. The collected data also allows identification of questionable patterns of activity, such as malware spreading across the network, which might otherwise go unnoticed. NetFlow uses flows to provide statistics for network monitoring. A flow is a unidirectional stream of packets that arrives on a source interface (or VLAN) and has the same values for the keys. A key is an identified value for a field within the packet. You create a flow using a flow record to define the unique keys for your flow. You can export the data that NetFlow gathers for your flows by using a flow exporter to a remote NetFlow collector, such as Cisco Stealthwatch. Stealthwatch uses this information for continuous monitoring of the network and provides real-time threat detection and incident response forensics if a ransomware outbreak occurs.

Next: FlexPod NetApp ONTAP storage and FIPS 140-2.