Enabling FIPS security for NFM-P network management
Description
|
CAUTION Management Disruption |
Enabling FIPS may prevent the management of some SNMPv3 NEs, or prevent clients from connecting to the NFM-P, if the NEs or clients do not support one of the FIPS 140-2 ciphers or algorithms that the NFM-P offers.
Ensure that all managed NEs, and all GUI and OSS clients, support the FIPS 140-2 standard before you consider enabling FIPS.
The NFM-P supports enabling Federal Information Processing Standards, or FIPS, security for NE management. Enabling FIPS mode reduces the number of ciphers and encryption algorithms that the NFM-P uses for NE management and client communication. Clients and NEs require FIPS-compatible ciphers and algorithms in order to communicate with the NFM-P.
For example, the 7750 SR family of devices supports FIPS security. When NFM-P FIPS mode is enabled, each such managed NE must be FIPS-compliant. For example, an NE that uses MD5/DES or SHA/DES encryption cannot be managed by an NFM-P system in FIPS mode, as FIPS does not support DES encrypition.
SSH connectivity to NEs from an NFM-P system in FIPS mode also requires that the NEs comply with the FIPS security framework.
Note: FIPS mode applies only to SNMPv3-managed NEs, and does not affect NEs managed using SNMPv1 or v2
NFM-P FIPS implementation
By default, FIPS mode is disabled in the NFM-P, and is to be enabled only if all clients and NEs are compatible with the FIPS 140-2 encryption ciphers and algorithms.
FIPS mode is supported on NFM-P main servers and auxiliary servers.
The following document includes general TLS implementation guidelines for FIPS:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
See this link for the FIPS 140-2 cryptography security requirements.
OSS considerations
NFM-P JMS clients must meet the following requirements if FIPS mode is enabled.