Enabling FIPS security for NFM-P network management

Description
CAUTION 

Management Disruption

Enabling FIPS may prevent the management of some SNMPv3 NEs, or prevent clients from connecting to the NFM-P, if the NEs or clients do not support one of the FIPS 140-2 ciphers or algorithms that the NFM-P offers.

Ensure that all managed NEs, and all GUI and OSS clients, support the FIPS 140-2 standard before you consider enabling FIPS.

The NFM-P supports enabling Federal Information Processing Standards, or FIPS, security for NE management. Enabling FIPS mode reduces the number of ciphers and encryption algorithms that the NFM-P uses for NE management and client communication. Clients and NEs require FIPS-compatible ciphers and algorithms in order to communicate with the NFM-P.

For example, the 7750 SR family of devices supports FIPS security. When NFM-P FIPS mode is enabled, each such managed NE must be FIPS-compliant. An NE that uses MD5/DES or SHA/DES encryption cannot be managed by an NFM-P system in FIPS mode, because FIPS does not support DES encryption.

SSH connectivity to NEs from an NFM-P system in FIPS mode also requires that the NEs comply with the FIPS security framework.

Note: FIPS mode applies only to SNMPv3-managed NEs, and does not affect NEs managed using SNMPv1 or v2.
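
A pre-check for the compatibility requirement above, as an added example that is not part of the NFM-P documentation: it scans an NE inventory and lists the SNMPv3 NEs whose authentication or privacy protocol would block management once FIPS mode is enabled. The CSV layout, the NE names and the two rule sets are assumptions; the page names only DES as unsupported, and MD5 is included because it is not a FIPS-approved hash.

```python
import csv
import io

# Constructed sample inventory; the column names and NE names are assumptions,
# not an NFM-P export format.
SAMPLE_INVENTORY = """\
ne_name,snmp_version,auth_protocol,priv_protocol
sr-core-01,v3,SHA,AES128
sr-edge-02,v3,MD5,DES
sr-edge-03,v3,SHA,DES
legacy-sw-04,v2c,,
"""

# Assumption: illustrative rule sets. Replace both with the algorithms that
# your NFM-P release actually rejects in FIPS mode.
NON_FIPS_AUTH = {"MD5"}
NON_FIPS_PRIV = {"DES"}


def audit_inventory(csv_text):
    """Return {ne_name: [reasons]} for SNMPv3 NEs that would block FIPS mode."""
    blockers = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # FIPS mode applies only to SNMPv3-managed NEs; v1/v2 NEs are skipped.
        if row["snmp_version"].strip().lower() != "v3":
            continue
        auth = row["auth_protocol"].strip().upper()
        priv = row["priv_protocol"].strip().upper()
        reasons = []
        if auth in NON_FIPS_AUTH:
            reasons.append(f"auth {auth} is not FIPS-approved")
        if priv in NON_FIPS_PRIV:
            reasons.append(f"privacy {priv} is not FIPS-approved")
        if reasons:
            blockers[row["ne_name"]] = reasons
    return blockers


if __name__ == "__main__":
    for ne, reasons in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{ne}: {'; '.join(reasons)}")
```

An empty result means no SNMPv3 NE in the inventory uses a listed algorithm; it does not confirm SSH or client compatibility, which must be checked separately.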

NFM-P FIPS implementation

By default, FIPS mode is disabled in the NFM-P, and is to be enabled only if all clients and NEs are compatible with the FIPS 140-2 encryption ciphers and algorithms.

FIPS mode is supported on NFM-P main servers and auxiliary servers.

The following document includes general TLS implementation guidelines for FIPS:

https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf

See this link for the FIPS 140-2 cryptography security requirements.

OSS considerations

NFM-P JMS clients must meet the following requirements if FIPS mode is enabled.