topic I stumbled upon the same in Web Security

FIPS question on Ironport WSA

tahequivoice — Wed, 25 Mar 2015 13:19:05 GMT

What is it used for and what happens when it is enabled? What is the impact to users and is there anything else in the network that has to be done for it to not impact users? From what I have read so far, it is an encryption mode, but for what and how does it work for the Web Security?

I stumbled upon the same

kvdocsc — Thu, 26 Mar 2015 15:22:58 GMT

I stumbled upon the same question. The FIPS mode seems to limit which cipher suites and which ssl protocol versions are used when connecting to remote webservers (https).

Detailed information is missing....

https://supportforums.cisco.com/discussion/12448041/configure-cipher-suites-and-ssltls-version-used-wsa-807

Regards, Thomas

FIPS is Federal Information

Handy Putra — Sun, 29 Mar 2015 03:14:44 GMT

FIPS is Federal Information Processing Standards that specify requirements for cryptographic modules that are used by all government agencies to protect sensitive but unclassified information. FIPS help ensure compliance with federal security and data privacy requirements. FIPS, developed by the National Institute for Standards and Technology (NIST), are to use when no voluntary standards exist to meet federal requirements.

FIPS mode requires that all enabled encryption services on the Web Security appliance use a FIPS-compliant certificate. This applies to the following encryption services:

• HTTPS Proxy

• Authentication

• Identity Provider for SaaS

• Appliance Management HTTPS Service

Note The Appliance Management HTTPS Service must be enabled before FIPS mode can be enabled. The other encryption services need not be enabled.

A FIPS-compliant certificate must meet these requirements:

Certificate	Algorithm	Bit Key Size	Signature Algorithm	Notes
X509	RSA	1024, 2048, 3072, or 4096	sha1WithRSAEncryption	Cisco recommends a bit key size of 1024 for best decryption performance and sufficient security. A larger bit size will increase security, but impact decryption performance.
	DSA	1024	dsaWithSHA1