FIPS Compliant verification

onslaught99
Level 1

Hello,

I need to verify that I have configured our IPsec tunnel to be FIPS compliant. Here is a sample that I created to make sure I am good:

crypto ipsec ikev2 ipsec-proposal testing
 protocol esp encryption aes-256 aes-192
 protocol esp integrity sha-512 sha-384 sha-256
crypto ipsec ikev2 ipsec-proposal testing2
 protocol esp encryption aes-256 aes-192
 protocol esp integrity sha-512 sha-384 sha-256

I read the following document:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2176.pdf

I am not sure if I am reading it correctly but didn't know if I could get some sort of consensus with the pros.

Thanks

1 Reply

lewislampkin
Level 1

DISCLAIMER: I'm just a user of this site, not an admin, and not a Cisco representative. Take everything I write here with a grain of salt and a pound of skepticism.

The proposals look OK (if not identical), but there are two issues:

(1 of 2) There is not enough information to tell if the tunnel is compliant

Section 3.2.6, "Configure the security appliances such that only FIPS-approved algorithms are used for IPSec tunnels," requires review of proposal, policy, crypto map, show crypto output, etc.

For example, one cannot tell what Diffie-Hellman group is used, but the linked document states that 1, 2, and 5 are not FIPS 140-2 compliant. Please see Table 5, "Cryptographic keys and CSPs."

(2 of 2) More information is required to confirm FIPS 140-2 secure operations.

This question seems to only be about 3.2.6, "Configure the security appliances such that only FIPS-approved algorithms are used for IPSec tunnels."

Per the linked document, one has to complete the following steps to confirm "Secure Operations":

3.1 Crypto Officer Guidance - System Initialization, steps 1-14.

3.2 Crypto Officer Guidance - System Configuration, steps 1-13.

3.3 Identifying Router Operation in an Approved Mode, steps 1-3.

The rationale is that if the tunnel is configured in a compliant manner, but all other requirements are not met, the device is still not compliant with FIPS 140-2.

Hope this helps!

References:

http://csrc.nist.gov/groups/STM/cmvp/documents/140-1/140sp/140sp2176.pdf

http://www.cisco.com/c/en/us/td/docs/security/asa/asa97/configuration/vpn/asa-97-vpn-config/vpn-site2site.html

http://www.cisco.com/c/en/us/support/docs/security-vpn/ipsec-negotiation-ike-protocols/117337-config-asa-router-00.html

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/I-R/cmdref2/p3.html#pgfId-2175641
