
FlexPod Cisco networking and FIPS 140-2


Cisco MDS

Cisco MDS 9000 series platform with software 8.4.x is FIPS 140-2 compliant. Cisco MDS implements cryptographic modules and the following services for SNMPv3 and SSH.

  • Session establishment supporting each service

  • All underlying cryptographic algorithms supporting each service's key derivation functions

  • Hashing for each service

  • Symmetric encryption for each service

Before you enable FIPS mode, complete the following tasks on the MDS switch:

  1. Make your passwords a minimum of eight characters in length.

  2. Disable Telnet. Users should log in using SSH only.

  3. Disable remote authentication through RADIUS/TACACS+. Only users local to the switch can be authenticated.

  4. Disable SNMP v1 and v2. Any existing user accounts on the switch that have been configured for SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.

  5. Disable VRRP.

  6. Delete all IKE policies that either have MD5 for authentication or DES for encryption. Modify the policies so they use SHA for authentication and 3DES/AES for encryption.

  7. Delete all SSH Server RSA1 keypairs.

To enable FIPS mode and to display FIPS status on the MDS switch, complete the following steps:

  1. Show the FIPS status.

    MDSSwitch# show fips status
    FIPS mode is disabled
    MDSSwitch# conf
    Enter configuration commands, one per line.  End with CNTL/Z.
  2. Set up the 2048-bit SSH key.

    MDSSwitch(config)# no feature ssh
    XML interface to system may become unavailable since ssh is disabled
    MDSSwitch(config)# no ssh key
    MDSSwitch(config)# show ssh key
    **************************************
    could not retrieve rsa key information
    bitcount: 0
    **************************************
    could not retrieve dsa key information
    bitcount: 0
    **************************************
    no ssh keys present. you will have to generate them
    **************************************
    MDSSwitch(config)# ssh key
    dsa   rsa
    MDSSwitch(config)# ssh key rsa 2048 force
    generating rsa key(2048 bits).....
    ...
    generated rsa key
  3. Enable FIPS mode.

    MDSSwitch(config)# fips mode enable
    FIPS mode is enabled
    System reboot is required after saving the configuration for the system to be in FIPS mode
    Warning: As per NIST requirements in 6.X, the minimum RSA Key Size has to be 2048
  4. Show the FIPS status.

    MDSSwitch(config)# show fips status
    FIPS mode is enabled
    MDSSwitch(config)# feature ssh
    MDSSwitch(config)# show feature | grep ssh
    sshServer            1        enabled
  5. Save the running configuration to the startup configuration.

    MDSSwitch(config)# copy ru st
    [########################################] 100%
    Copy complete.
    MDSSwitch(config)# exit
  6. Restart the MDS switch.

    MDSSwitch# reload
    This command will reboot the system. (y/n)?  [n] y
  7. Show the FIPS status.

    Switch(config)# fips mode enable
    Switch(config)# show fips status

For more information, see Enabling FIPS Mode.

Cisco Nexus

Cisco Nexus 9000 series switches (version 9.3) are FIPS 140-2 compliant. Cisco Nexus implements cryptographic modules and the following services for SNMPv3 and SSH.

  • Session establishment supporting each service

  • All underlying cryptographic algorithms supporting each service's key derivation functions

  • Hashing for each service

  • Symmetric encryption for each service

Before you enable FIPS mode, complete the following tasks on the Cisco Nexus switch:

  1. Disable Telnet. Users should log in using Secure Shell (SSH) only.

  2. Disable SNMPv1 and v2. Any existing user accounts on the device that have been configured for SNMPv3 should be configured only with SHA for authentication and AES/3DES for privacy.

  3. Delete all SSH server RSA1 key-pairs.

  4. Enable HMAC-SHA1 message integrity checking (MIC) to use during the Cisco TrustSec Security Association Protocol (SAP) negotiation. To do so, enter the sap hash-algorithm HMAC-SHA-1 command from the cts-manual or cts-dot1x mode.

To enable FIPS mode on the Nexus switch, complete the following steps:

  1. Show the FIPS status.

    NexusSwitch# show fips status
    FIPS mode is disabled
    NexusSwitch# conf
    Enter configuration commands, one per line.  End with CNTL/Z.
  2. Set up the 2048-bit SSH key.

    NexusSwitch(config)# no feature ssh
    XML interface to system may become unavailable since ssh is disabled
    NexusSwitch(config)# no ssh key
    NexusSwitch(config)# show ssh key
    **************************************
    could not retrieve rsa key information
    bitcount: 0
    **************************************
    could not retrieve dsa key information
    bitcount: 0
    **************************************
    no ssh keys present. you will have to generate them
    **************************************
    NexusSwitch(config)# ssh key
    dsa   rsa
    NexusSwitch(config)# ssh key rsa 2048 force
    generating rsa key(2048 bits).....
    ...
    generated rsa key
  3. Enable FIPS mode.

    NexusSwitch(config)# fips mode enable
    FIPS mode is enabled
    System reboot is required after saving the configuration for the system to be in FIPS mode
    Warning: As per NIST requirements in 6.X, the minimum RSA Key Size has to be 2048
  4. Show the FIPS status.

    NexusSwitch(config)# show fips status
    FIPS mode is enabled
    NexusSwitch(config)# feature ssh
    NexusSwitch(config)# show feature | grep ssh
    sshServer            1        enabled
  5. Save the running configuration to the startup configuration.

    NexusSwitch(config)# copy ru st
    [########################################] 100%
    Copy complete.
    NexusSwitch(config)# exit
  6. Restart the Nexus switch.

    NexusSwitch# reload
    This command will reboot the system. (y/n)?  [n] y
  7. Show the FIPS status.

    NexusSwitch(config)# fips mode enable
    NexusSwitch(config)# show fips status
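The pre-FIPS task lists for both the MDS and the Nexus switch above are easy to miss when done by hand. As an added example that is not part of the original page or of any Cisco tool, the following Python script checks the tasks that are visible in a switch's configuration (Telnet, remote AAA and VRRP for the MDS list, SNMPv1/v2c communities, SNMPv3 user algorithms, and the RSA host key size) against constructed, placeholder samples of `show running-config` and `show ssh key` output. The sample text, the hostname, user names and key hashes are all assumptions modelled on NX-OS syntax; IKE policies and RSA1 keys are not modelled.

```python
import re

# Constructed sample of NX-OS "show running-config" output (not from the page;
# hostname, users and key hashes are placeholders). It deliberately violates
# several of the pre-FIPS tasks so the checker has something to report.
SAMPLE_RUNNING_CONFIG = """\
hostname ExampleSwitch
feature telnet
feature tacacs+
feature vrrp
aaa authentication login default group tacacs+
snmp-server community public group network-operator
snmp-server user admin network-admin auth md5 0x1111 priv 0x2222 localizedkey
snmp-server user monitor network-operator auth sha 0x3333 priv aes-128 0x4444 localizedkey
"""

# Constructed sample of "show ssh key" with an undersized RSA host key.
SAMPLE_SHOW_SSH_KEY = """\
**************************************
rsa Keys generated:Mon Jan  1 00:00:00 2024
ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAAAgQC...placeholder...
bitcount:1024
fingerprint:
aa:bb:cc:dd:ee:ff:00:11:22:33:44:55:66:77:88:99
**************************************
could not retrieve dsa key information
bitcount: 0
**************************************
"""

# snmp-server user <name> <role> auth <md5|sha> <hash> priv [aes-128] <hash> ...
SNMPV3_USER_RE = re.compile(
    r"^snmp-server user (\S+) \S+ auth (md5|sha) \S+ priv (aes-128 )?\S+"
)


def rsa_key_bits(show_ssh_key: str) -> int:
    """Size of the RSA host key reported by 'show ssh key', or 0 if there is none."""
    # The rsa section precedes the dsa section, so the first bitcount after
    # the word "rsa" belongs to the RSA key (0 when no key is present).
    m = re.search(r"rsa.*?bitcount:\s*(\d+)", show_ssh_key, re.S | re.I)
    return int(m.group(1)) if m else 0


def fips_readiness_findings(running_config: str, show_ssh_key: str,
                            platform: str = "mds") -> list:
    """Return (check, detail) pairs for every pre-FIPS task that is not yet done.

    Remote AAA and VRRP are only on the MDS list, so they are reported only
    when platform == "mds". An empty list means these checks passed.
    """
    findings = []
    lines = [ln.strip() for ln in running_config.splitlines() if ln.strip()]

    if "feature telnet" in lines:
        findings.append(("telnet", "Telnet is enabled; disable it and use SSH only"))

    if platform == "mds":
        if any(re.search(r"\bgroup (radius|tacacs\+)", ln) for ln in lines):
            findings.append(("remote-auth",
                             "RADIUS/TACACS+ login configured; only local users are allowed"))
        if "feature vrrp" in lines:
            findings.append(("vrrp", "VRRP is enabled"))

    for ln in lines:
        if ln.startswith("snmp-server community "):
            findings.append(("snmp-v1v2", "SNMPv1/v2c community present: " + ln))
            continue
        m = SNMPV3_USER_RE.match(ln)
        if m:
            user, auth, priv_aes = m.groups()
            if auth != "sha":
                findings.append(("snmpv3-auth", f"user {user} uses {auth}; SHA is required"))
            if priv_aes is None:  # no aes-128 keyword means DES privacy on NX-OS
                findings.append(("snmpv3-priv", f"user {user} uses DES privacy; AES/3DES is required"))

    bits = rsa_key_bits(show_ssh_key)
    if bits < 2048:
        findings.append(("ssh-key", f"RSA host key is {bits} bits; at least 2048 is required"))
    return findings


if __name__ == "__main__":
    for check, detail in fips_readiness_findings(SAMPLE_RUNNING_CONFIG, SAMPLE_SHOW_SSH_KEY):
        print(f"[{check}] {detail}")
```

Run it against real output captured from `show running-config` and `show ssh key` before entering `fips mode enable`; an empty findings list for the relevant platform means the visible pre-checks are done, and each finding names the task from the list above that still needs attention.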

Additionally, Cisco NX OS software supports the NetFlow feature that enables enhanced detection of network anomalies and security. NetFlow captures the metadata of every conversation on the network, the parties involved in the communication, the protocol being used, and the duration of the transaction. After the information is aggregated and analyzed, it can provide insight into normal behavior. The collected data also allows identification of questionable patterns of activity, such as malware spreading across the network, which might otherwise go unnoticed. NetFlow uses flows to provide statistics for network monitoring. A flow is a unidirectional stream of packets that arrives on a source interface (or VLAN) and has the same values for the keys. A key is an identified value for a field within the packet. You create a flow using a flow record to define the unique keys for your flow. You can export the data that NetFlow gathers for your flows by using a flow exporter to a remote NetFlow collector, such as Cisco Stealthwatch. Stealthwatch uses this information for continuous monitoring of the network and provides real-time threat detection and incident response forensics if a ransomware outbreak occurs.
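To make the flow and key concepts above concrete, here is an added example (not part of the original page and not Cisco or Stealthwatch code) that aggregates constructed packet metadata into unidirectional flows using a hypothetical flow record's key fields, then runs one simple collector-side analysis over them: counting how many distinct hosts a single source reaches on the same destination port. The key field set, the packet records and the addresses (RFC 5737 and RFC 1918 placeholder ranges) are all assumptions constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Key fields of a hypothetical flow record: packets that agree on all of them
# belong to the same unidirectional flow. The field set is the analyst's
# choice; this one is a typical IPv4 5-tuple plus the input interface.
KEY_FIELDS = ("src", "dst", "proto", "sport", "dport", "iface")


@dataclass
class Flow:
    packets: int = 0
    bytes: int = 0
    first: float = 0.0
    last: float = 0.0


def build_flows(packets, key_fields=KEY_FIELDS):
    """Aggregate packet metadata into flows keyed by the flow-record key fields."""
    flows = {}
    for p in packets:
        key = tuple(p[f] for f in key_fields)
        fl = flows.get(key)
        if fl is None:
            fl = flows[key] = Flow(first=p["ts"], last=p["ts"])
        fl.packets += 1
        fl.bytes += p["len"]
        fl.first = min(fl.first, p["ts"])
        fl.last = max(fl.last, p["ts"])
    return flows


def fan_out(flows, threshold):
    """Distinct destinations per (source, destination port), reported once the
    count reaches the threshold. One host reaching the same port on many
    neighbours in a short time is the kind of questionable pattern (malware
    spreading across the network) a collector surfaces from exported flows."""
    dests = defaultdict(set)
    for src, dst, _proto, _sport, dport, _iface in flows:
        dests[(src, dport)].add(dst)
    return {k: len(v) for k, v in dests.items() if len(v) >= threshold}


def constructed_packets():
    """Constructed packet metadata (placeholder addresses, not captured traffic)."""
    pk = []
    for i in range(3):   # a normal client session: requests and replies
        pk.append(dict(ts=1.0 + i, src="10.0.0.5", dst="192.0.2.10", proto=6,
                       sport=51000, dport=443, iface="Vlan10", len=120))
        pk.append(dict(ts=1.5 + i, src="192.0.2.10", dst="10.0.0.5", proto=6,
                       sport=443, dport=51000, iface="Eth1/1", len=900))
    for i in range(10):  # one host contacting port 445 on ten neighbours
        pk.append(dict(ts=5.0 + i * 0.01, src="10.0.0.9", dst=f"10.0.0.{20 + i}",
                       proto=6, sport=40000 + i, dport=445, iface="Vlan10", len=64))
    return pk


if __name__ == "__main__":
    flows = build_flows(constructed_packets())
    print(f"{len(flows)} unidirectional flows from {len(constructed_packets())} packets")
    for (src, dport), n in fan_out(flows, threshold=8).items():
        print(f"{src} reached {n} hosts on port {dport}")
```

Because flows are unidirectional, the client's requests and the server's replies land in two separate flows even though they belong to one conversation; a collector pairs them afterwards. The per-source fan-out count is deliberately simple, but it shows why the key fields matter: the same packets keyed without the destination address would collapse the ten neighbour flows into one and hide the pattern.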